WO2010031288A1 - Botnet inspection method and system - Google Patents


Publication number: WO2010031288A1
Authority: WO (WIPO, PCT)
Prior art keywords: botnet, module, controller, message, monitoring
Application number: PCT/CN2009/073338
Other languages: French (fr), Chinese (zh)
Inventor: 李安坤
Original assignee: 成都市华为赛门铁克科技有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Debugging And Monitoring (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A botnet inspection method and system are disclosed in the field of network communication security. The method includes the following steps: receiving a communication message from the network to be tested; extracting the botnet message information of the communication message according to the communication message; extracting the bot host IP and the controller IP according to the botnet message information; and querying the account numbers corresponding to the bot host IP and the controller IP according to the extracted bot host IP and controller IP. The system comprises a network probe, a monitoring and analysis center, and an authentication server. The botnet inspection method inspects the botnet in real time and can also respond to the botnet in real time, thereby solving the prior-art problem that real-time detection and response are unavailable because analysis takes place after the fact, avoiding the harm caused by the botnet, and making network communications more secure.

Description

Method and system for detecting a botnet
This application claims priority to Chinese Patent Application No. 200810149039.4, entitled "Botnet detection method, system and device", filed with the Chinese Patent Office on September 18, 2008, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of network communication security, and in particular to a method, system and device for detecting a botnet.
Background
A botnet uses one or more propagation methods to infect a large number of hosts with a bot program (bot tool), thereby forming a network between the controller and the infected hosts (that is, the bot hosts) that can be controlled one-to-many. Figure 1 shows the basic network structure of a botnet: the attacker controls the bot hosts through the controller.
Current botnets mainly have two network topologies:
Referring to Figure 2, one is a multi-level controlled tree-shaped botnet topology consisting of victims, bot hosts, controllers and the attacker. Its workflow is: the controller opens a port; a bot host actively initiates a connection to the controller's listening port and reports itself to the controller; the controller actively connects to the listening port of the upper-level controller and reports itself to that controller; the controller sends instructions to the bot hosts, and the bot hosts execute the control instructions and launch attacks. The behavioural characteristics of this topology are: multiple bot hosts initiate connections to the same port of the same controller, and bot hosts generally communicate with the controller at regular intervals.
Referring to Figure 3, the other is a botnet topology implemented on the IRC (Internet Relay Chat) protocol, consisting of victims, bot hosts, an IRC server and the attacker. Its workflow is: the controller creates a communication channel on the IRC server; after logging in to the IRC server, a bot host automatically joins the channel created by the controller and waits for the controller to issue commands; the controller issues commands on the designated channel of the IRC server; the bot hosts receive the commands, execute them and launch attacks. The behavioural characteristics of this topology are: bot hosts generally stay online for a long time, and as chat users of the IRC server they remain silent in the chat channel for long periods.
A botnet constitutes an attack platform from which many kinds of attacks can be launched effectively, paralysing an entire basic information network or important application systems and leaking large amounts of confidential or personal private data; it is also used for illegal and criminal activities such as online fraud. Common attacks launched with botnets, such as DDoS (Distributed Denial of Service), sending spam, stealing secrets and abusing resources, have caused serious harm to the whole network and its users. As new attack types emerge, botnets may also be used to launch new, unknown attacks.
Current techniques for mitigating the threat of botnet attacks are mainly prevention in advance or handling after an attack event. Usually, only when the national network security monitoring department finds that a large site or important network has been attacked by a botnet does it start to mobilise a great deal of manpower and related departments for a joint investigation, and it takes a very long time to actually find the ultimate controller of the botnet, that is, the attacker and the main persons involved; the economic loss caused during this period is incalculable.
There are currently two main methods for detecting botnets:
1. Honeypot technology: obtain samples of the bot program by means such as honeypots, use malicious code analysis methods such as reverse engineering to obtain the information hidden in the code that is needed to log in to the botnet, log in to the botnet with a customised bot program, and then take further countermeasures.
2. Network traffic research: by studying the changes in network traffic produced by bot host behaviour (for example the traffic volume in different time periods), both offline and online analysis methods are used to identify a botnet.
After analysing the prior art, the inventor found that honeypot technology can neither detect botnet communication messages in real time nor quickly and accurately locate a botnet and its operators, while network traffic research can detect botnet communication messages in real time but cannot respond to the botnet in real time.
Summary of the invention
In order to detect a botnet in real time and respond to it in real time, embodiments of the present invention provide a botnet detection method. The technical solution is as follows:
In one aspect, a botnet detection method is provided, the method comprising:
receiving a communication message of the network to be tested;
extracting botnet message information of the communication message according to the communication message;
extracting the bot host IP and the controller IP according to the botnet message information;
querying the accounts corresponding to the bot host IP and the controller IP according to the extracted bot host IP and controller IP.
In another aspect, a botnet detection system is provided, the system comprising a network probe, a monitoring and analysis center and an authentication server;
the network probe is configured to receive the communication message of the network to be tested and to extract the botnet message information of the communication message according to the communication message;
the monitoring and analysis center is configured to extract the bot host IP and the controller IP according to the botnet message information;
the authentication server is configured to query the accounts corresponding to the IPs in the request according to the bot host IP and the controller IP.
In a further aspect, a monitoring and analysis system is provided, comprising a monitoring and analysis center and an authentication server, wherein
the monitoring and analysis center is configured to extract the bot host IP and the controller IP according to the botnet message information;
the authentication server is configured to query the accounts corresponding to the bot host IP and the controller IP extracted by the monitoring and analysis center.
The beneficial effects of the technical solution provided by the embodiments of the present invention are: with the botnet detection method provided by the present invention, a botnet is detected in real time and can also be responded to in real time, which solves the problem in the prior art that real-time detection and real-time response are not possible because analysis takes place after the fact, avoids the harm caused by botnets, and makes network communication more secure.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without inventive effort.
Figure 1 is a schematic diagram of the basic network architecture of a botnet in the prior art;
Figure 2 is a schematic diagram of a multi-level controlled tree-shaped botnet topology in the prior art;
Figure 3 is a schematic diagram of an IRC-based botnet topology in the prior art;
Figure 4 is a schematic diagram of the architecture of the botnet detection system provided by the present invention;
Figure 5 is a schematic flowchart of a botnet detection method provided by Embodiment 1 of the present invention;
Figure 6 is a schematic flowchart of a botnet detection method provided by Embodiment 2 of the present invention;
Figure 7 is a schematic flowchart of a botnet detection method provided by Embodiment 3 of the present invention;
Figure 8 is a schematic diagram of a botnet detection system provided by Embodiment 4 of the present invention;
Figure 9 is a specific schematic diagram of a botnet detection system provided by Embodiment 4 of the present invention;
Figure 10 is another specific schematic diagram of a botnet detection system provided by Embodiment 4 of the present invention;
Figure 11 is a schematic diagram of a monitoring and analysis center provided by Embodiment 5 of the present invention;
Figure 12 is another schematic diagram of a monitoring and analysis center provided by Embodiment 5 of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without inventive effort fall within the protection scope of the present invention.
A botnet is controlled in multiple levels. To trace the attacker behind the scenes, one first traces the controller that sends instructions to the bot hosts, then monitors that controller to find the controller one level up, and so on level by level until the real attacker is reached. The Botnet Inspection System (BIS) proposed by the embodiments of the present invention can detect in real time the bot hosts and controllers of known or unknown botnets, obtain botnet information and monitor it, and can also take response measures against the botnet in real time.
Referring to Figure 4, a schematic diagram of the architecture of the botnet detection system provided by an embodiment of the present invention. The botnet detection system comprises: a network probe 401, a device management center 402, a monitoring and analysis center 403, a database DB 404, a WEB 405 and other security devices 406. The network probe 401 detects network traffic in real time and reports the detection results to the monitoring and analysis center 403. The device management center 402 manages devices such as the network probe 401, the monitoring and analysis center 403, the database DB 404, the WEB 405 and the other security devices 406, provides a reliable connection to the firewall, and handles the exchange of service data between devices. The monitoring and analysis center 403 aggregates and analyses the detection results of the network probe 401, stores the detection results of the network probe 401 and its own analysis results in the database DB 404, and is responsible for communicating with the other security devices 406 of the system, such as firewalls and other botnet detection systems. The database DB 404 stores interface policies, configuration items, botnet information and auxiliary detection results. The WEB 405 provides the botnet detection configuration interface, the botnet information display interface and the device management interface. The other security devices 406, such as firewalls and other botnet detection systems, work in linkage with the botnet detection system and report detected bot hosts or attacking IP addresses to the monitoring and analysis center 403.
The botnet detection system provided by the embodiments of the present invention is described in detail in the following embodiments.
Embodiment 1
The embodiment of the present invention provides a botnet detection method that identifies botnet messages by matching communication messages against the rules stored in a rule base, thereby detecting the botnet.
Before the botnet detection system performs detection, a rule base has already been formed and stored in the database. The steps of the rule base formation process are:
Step A: the botnet detection system analyses the communication messages between bot hosts and controllers in botnets that have already been detected or are already known, and extracts bot message features from those messages to form a feature library; the bot message features extracted from the communication messages are specifically the bot tool name, the protocol type, the botnet type and so on.
Step B: the feature library is converted into a rule base that can be recognised by a computer, and the converted rule base is encrypted and stored in the database DB.
The feature rules for botnet messages in this rule base are described as follows:
[-PROTO Protocol -SRVID SrvType -APPID id -APPNAME AppType -RET RetValue \
-ACTION ActionType -RELATE RelateType
-RULEID ruleid]
where PROTO is the protocol type, such as tcp/udp/icmp;
SRVID is the service type, such as 5-voip, 6-p2p, 97-ftp;
APPID is the botnet type: 1 stands for a tree-shaped botnet, 2 for an IRC botnet and 3 for a p2p botnet;
APPNAME is the application name, corresponding to the bot tool name;
RET is the return value, corresponding to the direction of the matched message: 1 for a message from bot host to controller, 2 for a message from controller to bot host;
ACTION is the matching mode, such as single-packet matching, multi-packet matching or port matching;
RELATE is the association flag, indicating whether multiple features are associated;
RULEID is the rule number, that is, which rule it is.
An example based on the above description of the feature rules: for the "upstream" bot (shangxing), the bot host actively sends a 6-byte TCP message with the content 4D 54 49 7A 0D 0A to the controller every 30 seconds; its rule is as follows:
-PROTO TCP -SRVID 16 -APPID 1 -APPNAME shangxing -RET 1 \
-ACTION SINGLE_PKT -RELATE NO \
-KEY 0:LOAD_BEGIN:BIG_ENDIAN:6:EQUAL:BIN:4D54497A0D0A \
-LOADLEN 0:LOAD_BEGIN:BIG_ENDIAN:0:EQUAL:BIN:0006
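As an added example (not code from the patent or its assignee), the following Python parses the rule syntax above and applies the single-packet rule to constructed TCP payloads. The field layout of a KEY/LOADLEN condition (offset:anchor:endianness:length:operator:encoding:value), the reading of a zero LOADLEN length as "compare the payload length itself", and the packet record layout are assumptions inferred from the one example rule; the packets and addresses are constructed.

```python
"""Parser and single-packet matcher for the rule syntax described above.
Added illustration, not the patent's own code: the condition layout and the
zero-length LOADLEN semantics are assumptions inferred from the example rule."""
import re
from dataclasses import dataclass
from typing import Optional

# The example rule from the description, written on one line.
RULE_TEXT = (
    "-PROTO TCP -SRVID 16 -APPID 1 -APPNAME shangxing -RET 1 "
    "-ACTION SINGLE_PKT -RELATE NO "
    "-KEY 0:LOAD_BEGIN:BIG_ENDIAN:6:EQUAL:BIN:4D54497A0D0A "
    "-LOADLEN 0:LOAD_BEGIN:BIG_ENDIAN:0:EQUAL:BIN:0006"
)


@dataclass
class Condition:
    offset: int      # byte offset from the anchor
    anchor: str      # LOAD_BEGIN = start of the transport payload
    endian: str      # how the matched window is read as an integer
    length: int      # window length in bytes; 0 = compare payload length (assumed)
    op: str          # comparison operator; only EQUAL is implemented
    value: bytes     # BIN-encoded (hex) comparison value


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_condition(spec: str) -> Condition:
    offset, anchor, endian, length, op, enc, value = spec.split(":")
    if enc != "BIN":
        raise ValueError(f"unsupported encoding {enc}")
    return Condition(int(offset), anchor, endian, int(length), op, bytes.fromhex(value))


def parse_rule(text: str) -> dict:
    """'-NAME value' pairs become a dict; KEY and LOADLEN become Conditions."""
    rule = dict(re.findall(r"-(\w+)\s+(\S+)", text))
    for name in ("KEY", "LOADLEN"):
        if name in rule:
            rule[name] = parse_condition(rule[name])
    return rule


def check_condition(cond: Condition, payload: bytes) -> bool:
    if cond.anchor != "LOAD_BEGIN" or cond.op != "EQUAL":
        raise ValueError("only LOAD_BEGIN/EQUAL conditions are implemented")
    byteorder = "big" if cond.endian == "BIG_ENDIAN" else "little"
    if cond.length == 0:
        observed = len(payload)              # LOADLEN form (assumed semantics)
    else:
        window = payload[cond.offset:cond.offset + cond.length]
        if len(window) < cond.length:
            return False                     # payload too short to hold the key
        observed = int.from_bytes(window, byteorder)
    return observed == int.from_bytes(cond.value, "big")


def match_packet(rule: dict, pkt: Packet) -> Optional[dict]:
    """Apply a SINGLE_PKT rule; on success return the botnet message information
    the probe would forward (rule values plus the observed flow direction)."""
    if rule.get("ACTION") != "SINGLE_PKT" or pkt.proto.upper() != rule["PROTO"].upper():
        return None
    for name in ("KEY", "LOADLEN"):
        if name in rule and not check_condition(rule[name], pkt.payload):
            return None
    info = {k: rule[k] for k in ("PROTO", "SRVID", "APPID", "APPNAME", "RET")}
    info.update(src_ip=pkt.src_ip, src_port=pkt.src_port,
                dst_ip=pkt.dst_ip, dst_port=pkt.dst_port)
    return info


RULE = parse_rule(RULE_TEXT)

# Constructed sample packets (addresses taken from documentation ranges).
BEACON = Packet("tcp", "10.0.0.5", 4321, "203.0.113.7", 6667, bytes.fromhex("4D54497A0D0A"))
HTTP = Packet("tcp", "10.0.0.5", 4322, "198.51.100.9", 80, b"GET / HTTP/1.1\r\n")
LONGER = Packet("tcp", "10.0.0.5", 4323, "203.0.113.7", 6667, bytes.fromhex("4D54497A0D0A00"))

if __name__ == "__main__":
    for pkt in (BEACON, HTTP, LONGER):
        print(pkt.dst_ip, pkt.dst_port, match_packet(RULE, pkt))
```

The LONGER packet carries the same six leading bytes as the beacon but fails the LOADLEN condition, which is why the rule pairs a content key with a length check: a prefix match alone would also fire on unrelated traffic that happens to begin with those bytes.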
The above describes in detail how the feature library stored in the database is formed. The rule base is a precondition for the botnet detection system to perform feature detection on botnets. The method by which the botnet detection system detects a botnet once the rule base has been formed is described below with reference to Figure 5; the specific steps are as follows:
Step 501: the network probe of the botnet detection system receives a communication message of the network to be tested.
Step 502: the network probe matches the received communication message against the rules obtained from the rule base; if the match succeeds, step 503 is executed, otherwise the process ends.
The network probe obtains rules from the rule base as follows: when the botnet detection system starts, the network probe automatically requests rules from the routing device SRS (Service Route System); the SRS reads the rules from the database DB and passes them to the network probe, which places the obtained rules in its own memory. When a communication message is received, the network probe matches it against the obtained rules in its own memory. If the rule base is updated, the network probe fetches the rules from the database DB again.
The above rule matching can use several matching modes, such as single-packet matching, multi-packet matching and port matching:
single-packet matching matches a rule based on the features of one message;
multi-packet matching matches a rule based on the features of multiple messages;
port matching matches a rule based on the port information in the message.
A rule match succeeds only when all parameters of a rule (such as protocol type, service type, botnet type, application name and matching mode; different rules carry different parameters) agree.
Step 503: after the communication message of the network to be tested has been matched successfully, the network probe extracts the botnet message information from the communication message and sends it to the monitoring and analysis center of the botnet detection system. Specifically, the network probe returns the corresponding values of the successfully matched rule, such as PROTO, SRVID, APPID, AppType, RET and the data flow direction; this information is the botnet message information, which the network probe encapsulates as a message packet and sends to the monitoring and analysis center.
Step 504: after receiving the botnet message information sent by the network probe, the monitoring and analysis center parses the botnet information from it, caches the parsed botnet information, and sends a request to the Radius server to query the accounts of the bot host IP and the controller IP; the IP account query request carries the bot host IP and controller IP addresses being queried.
The botnet information is parsed from the botnet message information as follows:
The monitoring and analysis center determines whether the local IP and the remote IP are the bot host or the controller from the rule return value RET in the botnet message information (RET: return value, corresponding to the direction of the matched message, 1 for bot host to controller, 2 for controller to bot host) together with the transmission direction of the data flow (the direction in which the data flow enters and leaves, as given in the information), thereby obtaining the bot host IP, bot host IP port, controller IP, controller IP port and so on. For example, in the botnet message information formed after a communication message between A and B is matched successfully, if the data flow direction is from A to B and the RET value is 1 (bot host to controller), then A is determined to be the bot host and B the controller.
The bot tool type is obtained directly from the APPID in the botnet message information: 1 stands for a tree-shaped botnet, 2 for an IRC botnet and 3 for a p2p botnet.
The bot tool name is obtained directly from the APPNAME in the botnet message information and is stored without further analysis; for the botnet discovery time and the botnet update time, the monitoring and analysis center directly takes its own machine time.
The botnet discovery method is carried in the botnet message information.
The above botnet information specifically comprises: bot host IP, bot host IP port, controller IP, controller IP port, IRC server IP, IRC server port, bot tool, botnet discovery time, botnet update time and botnet discovery method.
The above botnet information may be cached in the memory of the monitoring and analysis center pending the process of querying the IP accounts of the bot host and the controller.
步骤 505: Radius服务器接收到该查询请求后, 在 Radius服务器中查询请求 中 IP对应的账号, 并将查到的 IP账号发给监控分析中心, 监控分析中心将緩存 的僵尸网络信息和查询到的 IP账号一起存入数据库;  Step 505: After receiving the query request, the Radius server queries the Radius server for the account corresponding to the IP in the request, and sends the found IP account to the monitoring and analysis center, and the monitoring and analysis center caches the botnet information and the queried information. The IP account is stored in the database together;
上述 Radius服务器是认证服务器, 比如拨号用户上网时需要先到 Radius 服务器, 认证其帐号、 密码、 权限以及余额等; 而在组网时 Radius服务器事 先知道当前用户的 IP对应的帐户名, 所以向其查询 IP的帐号, 这样可以 4巴动 态 IP归一 4匕;  The Radius server is an authentication server. For example, when dial-up users access the Internet, they need to go to the Radius server to authenticate their account, password, permissions, and balance. In the networking, the Radius server knows the account name of the current user's IP beforehand, so it Query the IP account number, so that the dynamic IP address of 4 bar can be reduced to 4;
监控分析中心和 Radius服务器是有接口的, 接口上有接口函数; 在 Radius服务器中查询请求中 IP对应的账号的具体步骤为: Radius服务 器接收到监控分析中心发来的上述查询请求后, 通过接口函数提取请求中的 IP, 并在 Radius服务器查询该 IP对应的的账号, 然后再通过接口函数将 IP及 其对应的帐号发送回监控分析中心。  The monitoring and analysis center and the Radius server have interfaces. The interface has an interface function. The specific steps for querying the account corresponding to the IP in the Radius server are as follows: After receiving the above query request from the monitoring and analysis center, the Radius server passes the interface. The function extracts the IP in the request, and queries the Radius server for the account corresponding to the IP, and then sends the IP and its corresponding account back to the monitoring and analysis center through the interface function.
另夕卜,整个系统可以有专门的数据库服务器, 上述各步骤中提到的数据库 可以设置在这些服务器上。  In addition, the entire system can have a dedicated database server, and the databases mentioned in the above steps can be set on these servers.
本发明实施例根据报文内容通过规则匹配进行僵尸网络的特征检测,实时 地检测出了僵尸网络,也可以对僵尸网络实时地做出响应,解决了现有技术中 基于事后分析而不能实时检测和实时响应的问题, 避免了僵尸网络产生的危 害, 使得网络通信更加安全。 实施例 2  In the embodiment of the present invention, the feature detection of the botnet is performed according to the content of the message, and the botnet is detected in real time, and the botnet can also respond in real time, which solves the problem in the prior art that cannot be detected in real time based on post-mortem analysis. And real-time response problems, avoiding the harm caused by botnets, making network communication more secure. Example 2
If the botnet's communication messages carry no distinguishing feature, if the feature disappears after encryption, or if a new botnet tool is involved, the embodiment of the present invention provides a botnet detection method for these cases. The method identifies the zombie hosts and their controller from the fact that the network behaviour between zombie hosts and controller differs from that of normal users, and saves the botnet communication messages exchanged between them so that message features can later be extracted manually, improving the message feature library of Embodiment 1. Referring to FIG. 6, the specific steps are as follows:

Step 601: The monitoring and analysis center of the botnet detection system receives a list of IP addresses to be detected and sends the list to the network probe. The list of IP addresses to be detected is, specifically, a list of IP addresses that launched attacks, or that are suspected for any other reason, as detected by firewalls or by other botnet detection systems deployed in a distributed manner.

Since an IP address that launched an attack is not necessarily a zombie host, the attacking IP addresses need to be examined specifically in order to confirm the zombie hosts and the controller.

Step 602: The network probe receives the IP address list, monitors the IP addresses in the list, extracts botnet message information from the communication messages whose source or destination address is one of those IP addresses, and sends it to the monitoring and analysis center.

The network probe maintains a data flow table and extracts the botnet message information from the information associated with each data flow.

The botnet message information specifically refers to the zombie host IP, port, peer IP, peer port, message protocol type, message direction, number of messages, number of message bytes, and so on.

Step 603: The monitoring and analysis center receives the botnet message information sent by the network probe, performs statistical analysis of botnet behaviour on it, determines the zombie host IPs and the controller IP from the statistical results, caches the botnet message information, and sends a request to the Radius server to query the IP accounts of the zombie hosts and the controller. The statistical analysis of the botnet message information specifically concerns network characteristics such as: multiple zombie hosts initiating connections to the same port of the same controller; zombie hosts communicating with the controller at fixed intervals; the controller sending the same command to multiple zombie hosts at the same time; and zombie hosts staying online for long periods while remaining silent. For the characteristic of many connections to the same port, the number of attacking IPs that connect to the same IP within a given period can be counted; if it exceeds a threshold, the connected-to IP is the controller IP and the attacking IPs are the IPs of the zombie hosts, so that the botnet behaviour and the controller are determined. That is, zombie hosts and their controller are identified because their network behaviour differs from that of normal users.

The IP account query request carries the IP addresses of the zombie hosts and the controller being queried.

Step 604: After receiving the query request, the Radius server looks up the accounts corresponding to the IPs in the request and sends the IP accounts it finds to the monitoring and analysis center, which stores the cached botnet message information in the database together with the queried IP accounts. The monitoring and analysis center and the Radius server are connected by an interface that provides interface functions.

The specific steps for looking up, in the Radius server, the accounts corresponding to the IPs in the request are: after receiving the above query request from the monitoring and analysis center, the Radius server extracts the IPs from the request through an interface function, looks up the account corresponding to each IP in the Radius server, and then sends the IPs and their corresponding accounts back to the monitoring and analysis center through the interface function.

In addition, dedicated database servers may be set up, and the databases mentioned in the above steps are placed on those database servers.

In addition, once the botnet message information has been stored on the database server, new message features can later be extracted from it by manual analysis and converted into new rules that are stored in the rule base, making the rule base more complete.
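The flow-table statistics of steps 602 to 604 (fan-in of many suspect hosts on one controller port, communication at fixed intervals, and the account lookup) as an added example; this is not code from the patent, and the flow records, the Radius account table and the thresholds are constructed or assumed values.

```python
"""Behaviour-based identification of zombie hosts and their controller,
modelled on steps 602-604 of Embodiment 2. Added example, not the patent's
code: flow records, Radius table and thresholds are constructed/assumed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One entry of the probe's data flow table (step 602): the botnet
    message information forwarded to the monitoring and analysis center."""
    ts: float        # time the flow was seen, seconds on a constructed clock
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # message protocol type
    packets: int     # number of messages in the flow
    nbytes: int      # number of message bytes in the flow


# Constructed stand-in for the Radius server's IP -> account table (step 604).
RADIUS_ACCOUNTS = {
    "10.0.0.11": "user-a", "10.0.0.12": "user-b", "10.0.0.13": "user-c",
    "10.0.0.14": "user-d", "10.0.0.50": "user-e",
}


def same_port_fanin(flows, suspects, window=10.0, min_sources=3):
    """Step 603, 'many zombie hosts connect to the same port of one controller':
    per (dst_ip, dst_port, proto), count distinct suspect source IPs seen
    within any `window` seconds; at or above `min_sources` (assumed threshold)
    the destination is reported as controller and the sources as zombies."""
    by_target = defaultdict(list)
    for f in flows:
        if f.src_ip in suspects:
            by_target[(f.dst_ip, f.dst_port, f.proto)].append(f)
    found = {}
    for target, fs in by_target.items():
        fs.sort(key=lambda f: f.ts)
        best, j = set(), 0
        for i, cur in enumerate(fs):            # sliding time window
            while cur.ts - fs[j].ts > window:
                j += 1
            srcs = {f.src_ip for f in fs[j:i + 1]}
            if len(srcs) > len(best):
                best = srcs
        if len(best) >= min_sources:
            found[target] = best
    return found


def periodic_pairs(flows, min_flows=4, max_jitter=0.1):
    """Step 603, 'zombie hosts communicate with the controller at fixed
    intervals': group by (src_ip, dst_ip, dst_port) and flag pairs whose
    inter-arrival gaps vary by at most `max_jitter` of their mean.
    Returns the mean interval in seconds for each flagged pair."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src_ip, f.dst_ip, f.dst_port)].append(f.ts)
    flagged = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            flagged[pair] = round(m, 1)
    return flagged


def lookup_accounts(ips, radius=RADIUS_ACCOUNTS):
    """Step 604: resolve each IP to its account (mock of the Radius query)."""
    return {ip: radius.get(ip, "unknown") for ip in sorted(ips)}


def analyse(flows, suspects):
    """Steps 603-604 end to end: controller IPs, zombie host IPs, the zombies
    that also beacon periodically to a controller, and the account per host."""
    fanin = same_port_fanin(flows, suspects)
    controllers = {dst for (dst, _, _) in fanin}
    bots = set().union(*fanin.values()) if fanin else set()
    beaconing = {src for (src, dst, _) in periodic_pairs(flows)
                 if dst in controllers and src in bots}
    return {"controllers": sorted(controllers), "bots": sorted(bots),
            "beaconing_bots": sorted(beaconing), "accounts": lookup_accounts(bots)}


def sample_flows():
    """Constructed flow table: four suspect hosts connect to 203.0.113.7:6667
    within seconds of each other and repeat every 60 s; a fifth suspect host
    only browses 198.51.100.20:443 at irregular times."""
    flows = []
    for k in range(5):
        for i, bot in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]):
            flows.append(Flow(60.0 * k + i, bot, 40000 + i, "203.0.113.7", 6667, "tcp", 3, 240))
    for t in (5.0, 17.0, 90.0, 101.0, 230.0):
        flows.append(Flow(t, "10.0.0.50", 51000, "198.51.100.20", 443, "tcp", 12, 9000))
    return flows


if __name__ == "__main__":
    print(analyse(sample_flows(), set(RADIUS_ACCOUNTS)))
```

The browsing host 10.0.0.50 is on the suspect list but is cleared by both statistics, which is the point of step 601's remark that an attacking IP is not necessarily a zombie host.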
The embodiment of the present invention detects the behaviour of the botnet, so that the botnet is detected in real time and can also be responded to in real time, which solves the prior-art problem that post-hoc analysis allows neither real-time detection nor real-time response. It also saves the botnet communication messages between the controller and the zombie hosts for subsequent manual extraction of message features to improve the message feature library, avoids the harm caused by botnets, and makes network communication more secure.

Embodiment 3

To obtain better knowledge of botnet information, the embodiment of the present invention further provides two auxiliary means, active detection and remote packet capture, for confirming botnet information; each of these two means can be operated either manually or automatically. The specific implementation steps for detecting botnets with these two means are described below.

(1) Referring to FIG. 7, the specific steps of active detection are as follows:

Step 701: The botnet detection system, simulating a zombie host, sends a botnet communication message to the IP suspected of being the controller.

The botnet communication message provided by the botnet detection system is a probe message with probe options whose content is masked; in some cases users are allowed to construct probe messages themselves, giving them greater freedom.

The specific behavioural characteristics of a suspected controller are: communication at fixed intervals, multiple connections to the same port, long periods online, long periods without sending messages, and similar behaviours.

Step 702: The botnet detection system checks whether there is a response to the botnet communication message it sent; if so, step 703 is performed; otherwise, the procedure ends.

Step 703: If there is a response to the botnet communication message that was sent, feature detection or behaviour detection is performed on the content of the response to judge whether it is a response message of a suspected controller; if so, step 704 is performed; otherwise, the procedure ends.

Step 704: If the detected content of the response is a response message of a suspected controller, the host is determined to be a controller.

(2) Specific steps of remote packet capture: when the communication messages of a certain IP address are to be examined, the communication messages whose destination or source address is that IP are saved for analysis. The botnet detection system supports packet capture with five-tuple filter conditions, namely source IP, destination IP, source port, destination port and message protocol.

The embodiment of the present invention, through active detection and remote packet capture of the botnet, detects the botnet in real time and can also respond to it in real time, which solves the prior-art problem that post-hoc analysis allows neither real-time detection nor real-time response. It provides better knowledge of the botnet and auxiliary means for the botnet detection system; since both auxiliary means can be operated manually or automatically, they are more flexible, making the botnet detection system more complete and powerful, avoiding the harm caused by botnets to the greatest extent, and making network communication more secure.

Embodiment 4
Referring to FIG. 8, the embodiment of the present invention provides a botnet detection system comprising a network probe 801, a monitoring and analysis center 802 and an authentication server 803;

the network probe 801 is configured to receive communication messages of the network under test and to extract the botnet message information of the communication messages from the communication messages;

the monitoring and analysis center 802 is configured to extract the zombie host IP and the controller IP from the botnet message information;

the authentication server 803 is configured to query, according to the extracted zombie host IP and controller IP, the accounts corresponding to the zombie host IP and the controller IP.

(1) When feature detection is performed, referring to FIG. 9, the network probe 801 includes a receiving module 8011, a matching module 8012 and an extracting module 8013;

the receiving module 8011 is configured to receive communication messages of the network under test;

the matching module 8012 is configured to match the communication messages of the network under test received by the receiving module 8011 against the rules obtained from the rule base;

the extracting module 8013 is configured, if the match by the matching module 8012 succeeds, to treat the communication message as a botnet message and to extract the botnet message information from it; the botnet message information includes information such as PROTO, SRVID, APPID, AppType, the rule return value RET and the data flow direction.

Correspondingly, the monitoring and analysis center 802 includes a judging module 8021;

the judging module 8021 is configured to judge, from the rule return value RET in the botnet message information extracted by the extracting module 8013 and from the transmission direction of the data flow, whether the local IP and the remote IP are the zombie host or the controller, thereby determining the zombie host IP and the controller IP.

(2) When behaviour detection is performed, referring to FIG. 10, the network probe 801 includes a receiving module 8014 and an extracting module 8015;

the receiving module 8014 is configured to receive a list of IP addresses to be detected, to monitor the IP addresses in the list, and to obtain the communication messages whose source or destination address is one of those IP addresses;

the extracting module 8015 is configured to determine that the communication message is a botnet message and that the information of the communication message is botnet message information.

Correspondingly, the monitoring and analysis center 802 includes a statistics module 8022 and a determining module 8023;

the statistics module 8022 is configured to perform statistical analysis of botnet behaviour on the botnet message information;

the determining module 8023 is configured to determine the zombie host IP and the controller IP according to the statistical results of the statistics module.

Further, the monitoring and analysis center also includes an analysis module 8024;

the analysis module 8024 is configured to analyse the botnet message information, extract new message features, convert the extracted new message features into new rules, and store them in the rule base.

(3) When remote packet capture is used, the monitoring and analysis center 802 further includes an acquiring module;

the acquiring module is configured to obtain the corresponding communication messages in the network under test by remote packet capture according to source IP, destination IP, source port, destination port and message protocol.

Alternatively, when remote packet capture is used, the acquiring module may also be located in the network probe 801.

The embodiment of the present invention provides a botnet detection system that detects the botnet in real time and can also respond to it in real time, which solves the prior-art problem that post-hoc analysis allows neither real-time detection nor real-time response, avoids the harm caused by botnets, and makes network communication more secure.

Embodiment 5
The embodiment of the present invention provides a monitoring and analysis center, which is configured to extract the zombie host IP and the controller IP from the botnet message information and to query the accounts corresponding to the IPs in a request according to the zombie host IP and the controller IP.

(1) When feature detection is performed, referring to FIG. 11, the monitoring and analysis center includes a judging module 1101;

the judging module 1101 is configured to judge, from the rule return value in the botnet message information and the transmission direction of the data flow, whether the local IP and the remote IP are the zombie host or the controller, thereby determining the zombie host IP and the controller IP.

(2) When behaviour detection is performed, referring to FIG. 12, the monitoring and analysis center includes a statistics module 1202 and a determining module 1203;

the statistics module 1202 is configured to perform statistical analysis of botnet behaviour on the botnet message information;

the determining module 1203 is configured to determine the zombie host IP and the controller IP according to the statistical results of the statistics module 1202.

Further, the monitoring and analysis center specifically also includes an analysis module 1204;

the analysis module 1204 is configured to analyse the botnet message information, extract new message features, convert the extracted new message features into new rules, and store them in the rule base.

(3) When remote packet capture is used, the monitoring and analysis center further includes an acquiring module;

the acquiring module is configured to obtain the corresponding communication messages in the network under test by remote packet capture according to source IP, destination IP, source port, destination port and message protocol.

The embodiment of the present invention provides a monitoring and analysis center that detects the botnet in real time and can also respond to it in real time, which solves the prior-art problem that post-hoc analysis allows neither real-time detection nor real-time response, avoids the harm caused by botnets, and makes network communication more secure.

In summary, the embodiment of the present invention provides a botnet detection method that performs message feature analysis on the introduced network traffic, identifies the zombie hosts in the botnet and their controller, records botnet information and raises an alarm. The botnet detection system provided by the present invention can also work in coordination with other detection systems, firewalls and similar network security devices deployed in a distributed manner, obtain the IP addresses of attack sources for focused monitoring, analyse the network behaviour of the introduced network traffic, and find the controller that controls them. In addition, the botnet detection method provided by the present invention also provides auxiliary detection means such as active detection and remote packet capture to confirm botnet information and ensure the accuracy of the system's identification.

A person of ordinary skill in the art will understand that all or part of the procedures in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM) or the like.

The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A botnet detection method, characterized in that the method comprises:

receiving communication messages of a network under test;

extracting botnet message information of the communication messages from the communication messages;

extracting a zombie host IP and a controller IP from the botnet message information;

querying, according to the extracted zombie host IP and controller IP, the accounts corresponding to the zombie host IP and the controller IP.

2. The method according to claim 1, characterized in that extracting the botnet message information of the communication messages from the communication messages comprises:

matching the communication message against rules obtained from a rule base;

if the match succeeds, the communication message is a botnet message, and the botnet message information in the botnet message is extracted.

3. The method according to claim 2, characterized in that extracting the zombie host IP and the controller IP from the botnet message information comprises:

determining, from the rule return value in the botnet message information and the transmission direction of the data flow, whether the local IP and the remote IP are the zombie host or the controller.

4. The method according to claim 1, characterized in that receiving communication messages of the network under test comprises:

receiving a list of IP addresses to be detected;

monitoring the IP addresses in the IP address list and obtaining the communication messages whose source or destination address is one of those IP addresses.

5. The method according to claim 4, characterized in that

the communication message is a botnet message and the information of the communication message is botnet message information;

correspondingly, extracting the zombie host IP and the controller IP from the botnet message information comprises:

performing statistical analysis of botnet behaviour on the botnet message information and determining the zombie host IP and the controller IP from the statistical results.

6. The method according to claim 5, characterized in that the method further comprises: analysing the botnet message information, extracting new message features, converting the extracted new message features into new rules, and storing them in the rule base.

7. The method according to claim 1, characterized in that receiving communication messages of the network under test comprises:

obtaining the corresponding communication messages in the network under test by remote packet capture according to source IP, destination IP, source port, destination port and message protocol.
8. A botnet detection system, characterized in that the system comprises a network probe, a monitoring and analysis center and an authentication server;

the network probe is configured to receive communication messages of the network under test and to extract the botnet message information of the communication messages from the communication messages;

the monitoring and analysis center is configured to extract a zombie host IP and a controller IP from the botnet message information;

the authentication server is configured to query, according to the zombie host IP and the controller IP extracted by the monitoring and analysis center, the accounts corresponding to the zombie host IP and the controller IP.

9. The system according to claim 8, characterized in that the network probe comprises a receiving module, a matching module and an extracting module;

the receiving module is configured to receive communication messages of the network under test;

the matching module is configured to match the communication messages of the network under test received by the receiving module against rules obtained from a rule base;

the extracting module is configured, if the match by the matching module succeeds, to treat the communication message as a botnet message and to extract the botnet message information from the botnet message.

10. The system according to claim 9, characterized in that the monitoring and analysis center comprises a judging module;

the judging module is configured to judge, from the rule return value in the botnet message information and the transmission direction of the data flow, whether the local IP and the remote IP are the zombie host or the controller, thereby determining the zombie host IP and the controller IP.

11. The system according to claim 8, characterized in that the network probe comprises a receiving module and an extracting module;

the receiving module is configured to receive a list of IP addresses to be detected, to monitor the IP addresses in the list, and to obtain the communication messages whose source or destination address is one of those IP addresses;

the extracting module is configured to determine that the communication message is a botnet message and that the information of the communication message is botnet message information.

12. The system according to claim 11, characterized in that the monitoring and analysis center comprises a statistics module and a determining module;

the statistics module is configured to perform statistical analysis of botnet behaviour on the botnet message information;

the determining module is configured to determine the zombie host IP and the controller IP according to the statistical results of the statistics module.

13. The system according to claim 12, characterized in that the monitoring and analysis center further comprises an analysis module;

the analysis module is configured to analyse the botnet message information, extract new message features, convert the extracted new message features into new rules, and store them in the rule base.

14. The system according to claim 8, characterized in that the monitoring and analysis center further comprises an acquiring module;

the acquiring module is configured to obtain the corresponding communication messages in the network under test by remote packet capture according to source IP, destination IP, source port, destination port and message protocol.

15. The system according to claim 8, characterized in that the network probe further comprises an acquiring module;

the acquiring module is configured to obtain the corresponding communication messages in the network under test by remote packet capture according to source IP, destination IP, source port, destination port and message protocol.
16. A monitoring and analysis system, characterized in that it comprises a monitoring and analysis center and an authentication server, wherein

the monitoring and analysis center is configured to extract a zombie host IP and a controller IP from the botnet message information;

the authentication server is configured to query, according to the zombie host IP and the controller IP extracted by the monitoring and analysis center, the accounts corresponding to the zombie host IP and the controller IP.

17. The monitoring and analysis system according to claim 16, characterized in that the monitoring and analysis center comprises a judging module;

the judging module is configured to judge, from the rule return value in the botnet message information and the transmission direction of the data flow, whether the local IP and the remote IP are the zombie host or the controller, thereby determining the zombie host IP and the controller IP.

18. The monitoring and analysis system according to claim 16, characterized in that the monitoring and analysis center comprises a statistics module and a determining module;

the statistics module is configured to perform statistical analysis of botnet behaviour on the botnet message information;

the determining module is configured to determine the zombie host IP and the controller IP according to the statistical results of the statistics module.

19. The monitoring and analysis system according to claim 18, characterized in that the monitoring and analysis center further comprises an analysis module;

the analysis module is configured to analyse the botnet message information, extract new message features, convert the extracted new message features into new rules, and store them in the rule base.

20. The monitoring and analysis system according to claim 16, characterized in that the monitoring and analysis center further comprises an acquiring module;

the acquiring module is configured to obtain the corresponding communication messages in the network under test by remote packet capture according to source IP, destination IP, source port, destination port and message protocol.
PCT/CN2009/073338 2008-09-18 2009-08-19 Botnet inspection method and system WO2010031288A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810149039.4 2008-09-18
CN2008101490394A CN101360019B (en) 2008-09-18 2008-09-18 Detection method, system and apparatus of zombie network

Publications (1)

Publication Number Publication Date
WO2010031288A1 (en) 2010-03-25

Family

ID=40332365

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/073338 WO2010031288A1 (en) 2008-09-18 2009-08-19 Botnet inspection method and system

Country Status (2)

Country Link
CN (1) CN101360019B (en)
WO (1) WO2010031288A1 (en)

CN104796386B (en) * 2014-01-21 2020-02-11 腾讯科技(深圳)有限公司 Botnet detection method, device and system
CN103944901B (en) * 2014-04-18 2016-11-09 中国科学院信息工程研究所 Social Botnet controls detection method and the device of node
CN103997489B (en) * 2014-05-09 2017-02-22 北京神州绿盟信息安全科技股份有限公司 Method and device for recognizing DDoS bot network communication protocol
CN105656872A (en) * 2015-07-17 2016-06-08 哈尔滨安天科技股份有限公司 Attacker tracking method and system based on backbone network
CN105357065B (en) * 2015-10-08 2016-11-16 中国人民解放军国防科学技术大学 A kind of self adaptive network traffic sampling method based on P2P corpse node perceived
CN106921612A (en) * 2015-12-24 2017-07-04 阿里巴巴集团控股有限公司 It was found that the method and device of ddos attack
CN107306266B (en) * 2016-04-25 2020-08-04 阿里巴巴集团控股有限公司 Method and device for scanning central control server
CN105827627A (en) * 2016-04-29 2016-08-03 北京网康科技有限公司 Method and apparatus for acquiring information
CN105827630B (en) * 2016-05-03 2019-11-12 国家计算机网络与信息安全管理中心 Botnet attribute recognition approach, defence method and device
CN106209825B (en) * 2016-07-07 2019-01-22 中国电子科技集团公司第二十八研究所 A kind of customizable Botnet pilot system
CN107786531B (en) * 2017-03-14 2020-02-18 平安科技(深圳)有限公司 APT attack detection method and device
CN107395643B (en) * 2017-09-01 2020-09-11 天津赞普科技股份有限公司 Source IP protection method based on scanning probe behavior
CN108881255B (en) * 2018-06-29 2020-11-13 长扬科技(北京)有限公司 Method for detecting botnet based on C & C communication state conversion
CN110225064A (en) * 2019-07-02 2019-09-10 恒安嘉新(北京)科技股份公司 Monitor method, apparatus, equipment and the storage medium of Botnet attack
CN111541655A (en) * 2020-04-08 2020-08-14 国家计算机网络与信息安全管理中心 Network abnormal flow detection method, controller and medium
CN112134732B (en) * 2020-09-10 2021-10-26 南京大学 Evidence obtaining method and system for DDoS attack

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080005316A1 (en) * 2006-06-30 2008-01-03 John Feaver Method and apparatus for detecting zombie-generated spam

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CAI JUN ET AL.: "Study on the Botnet and the Program For Detecting the Botnet", PROCEEDINGS OF THE ANNUAL MEETING OF SICHUAN INSTITUTE OF COMMUNICATION, vol. 2007, pages 326 - 329 *
CAI JUN ET AL.: "Study on the Botnet Based on IRC and the Program For Detecting the Botnet", JOURNAL OF ZHONGYUAN UNIVERSITY OF TECHNOLOGY, vol. 19, no. 1, February 2008 (2008-02-01), pages 48 - 50 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103973666A (en) * 2013-08-13 2014-08-06 哈尔滨理工大学 Spam botnet host detection method and device
CN103973666B (en) * 2013-08-13 2017-07-14 哈尔滨理工大学 Spam zombie host detection method and device
CN111352801A (en) * 2020-02-26 2020-06-30 北京九州云动科技有限公司 Rest service monitoring method and system
CN115361182A (en) * 2022-08-08 2022-11-18 北京永信至诚科技股份有限公司 Botnet behavior analysis method and device, electronic equipment and medium
CN115361182B (en) * 2022-08-08 2024-02-09 永信至诚科技集团股份有限公司 Botnet behavior analysis method, device, electronic equipment and medium

Also Published As

Publication number Publication date
CN101360019A (en) 2009-02-04
CN101360019B (en) 2011-11-16

Similar Documents

Publication Publication Date Title
WO2010031288A1 (en) Botnet inspection method and system
US11075885B2 (en) Methods and systems for API deception environment and API traffic control and security
US8707440B2 (en) System and method for passively identifying encrypted and interactive network sessions
US8347383B2 (en) Network monitoring apparatus, network monitoring method, and network monitoring program
US8490190B1 (en) Use of interactive messaging channels to verify endpoints
US8042182B2 (en) Method and system for network intrusion detection, related network and computer program product
US8904532B2 (en) Method, apparatus and system for detecting botnet
Hofstede et al. SSH compromise detection using NetFlow/IPFIX
KR101424490B1 (en) Reverse access detecting system and method based on latency
Verba et al. Idaho national laboratory supervisory control and data acquisition intrusion detection system (SCADA IDS)
Izhikevich et al. LZR: Identifying unexpected internet services
US7646728B2 (en) Network monitoring and intellectual property protection device, system and method
KR102088299B1 (en) Apparatus and method for detecting drdos
CN102035793B (en) Botnet detecting method, device and network security protective equipment
JP2005506736A (en) A method and apparatus for providing node security in a router of a packet network.
EP2448211B1 (en) Method, system and equipment for detecting botnets
JP2009539271A (en) Computer network intrusion detection system and method
WO2005104476A1 (en) Self-propagating program detector apparatus, method, signals and medium
Jadhav et al. Detection and mitigation of ARP spoofing attack
Hoffstadt et al. Improved detection and correlation of multi-stage VoIP attack patterns by using a Dynamic Honeynet System
Nenovski et al. Real-world ARP attacks and packet sniffing, detection and prevention on windows and android devices
CN114745142A (en) Abnormal flow processing method and device, computer equipment and storage medium
KR20110040152A (en) Method for reverse tracking of attaker packet and system for the same
KR100862321B1 (en) Method and apparatus for detecting and blocking network attack without attack signature
KR20110010050A (en) Method and apparatus for protecting internal network using traffic analysis and dynamic network access control per flow

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 09814008
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1)EPC
122 Ep: pct application non-entry in european phase
Ref document number: 09814008
Country of ref document: EP
Kind code of ref document: A1