CN102045220A - Wooden horse monitoring and auditing method and system thereof - Google Patents


Info

Publication number
CN102045220A
Authority
CN
China
Prior art keywords
Trojan (wooden horse)
network
session
behavior
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN 201010596416
Other languages
Chinese (zh)
Inventor
徐亚非
张佃
常乐
Assignee (original and current, as listed by Google Patents)
CAPTECH INFORMATION AUDITING SYSTEM TECHNOLOGY (BEIJING) Co Ltd

Abstract

The invention discloses a Trojan horse monitoring and auditing method and system. The method comprises: capturing network packets in real time; determining the current session by checking whether a packet belongs to an established network session, inserting it into that session if so and otherwise creating a new session; judging whether the current session is a Trojan communication session and, if so, recording the content of the Trojan network communication session; and detecting, from the recorded session content, whether it constitutes a Trojan network operation behavior and, if so, recording and monitoring that behavior. The invention not only recognizes the type of Trojan but also monitors the Trojan's network behavior.

Description

Trojan horse monitoring and auditing method and system
Technical field
The present invention relates to the field of information technology and network security, and in particular to a Trojan horse monitoring and auditing method and system.
Background technology
Trojan horse programs are more damaging than traditional viruses. A Trojan can not only damage and paralyze the host system but also take complete control of the target host: from the remote control end it can perform any operation that could be performed locally, download files from the controlled host to the control end, and upload new Trojans or other malware. Today, Trojan detection and protection rely mainly on anti-virus products, desktop active-defense products, secure anti-virus gateways and firewalls, which use three classes of technique:
The first class identifies Trojans by the static features of the Trojan program. The program is analyzed statically to extract feature strings that can be used to recognize it, and these form the signature database used to identify and detect the malware. Anti-virus software, desktop active-defense products and secure anti-virus gateways essentially all use this technique, for example the Kaspersky and 360 anti-virus products and desktop active-defense software.
The second class blocks Trojan communication by blocking abnormal network communication behavior. Filtering rules configured on a firewall allow only normal network communication session flows to pass, such as sessions of application protocols like HTTP and e-mail, and block the connections of all other network communication sessions, thereby cutting off the Trojan's network traffic.
The third class identifies Trojans by network communication behavior features. This technique was jointly researched by the PLA Information Technology Security Research Center and CAPTECH Information Auditing System Technology (Beijing) Co Ltd and is the subject of a patent application (application number 20091010157268.5). Its core is to recognize and detect a Trojan through the behavioral features of the Trojan program's network communication, using network behavior monitoring. Its advantage is that it is unaffected by packing, junk-code insertion or mutation of the Trojan program and does not depend on the host system environment.
From a technical analysis of Trojan detection, recognition and detection techniques fall into two classes: those based on static features, i.e. features possessed by the Trojan program itself, and those based on network communication behavior features, i.e. dynamic features. The latter analyze the session flow of the Trojan's network communication while it communicates, extract its features, and use them as the basis for identifying the Trojan.
The shortcomings of current Trojan identification and detection techniques are mainly the following:
1) Identifying Trojans by static program features can recognize known Trojans, but cannot recognize packed, mutated or junk-code-inserted Trojan programs; these must be re-analyzed, their new features extracted and added to the signature database. As packing and junk-code tools become more widespread, large numbers of Trojan variants spread across the network, increasing the analysis workload and forcing frequent signature database updates.
2) Static-feature identification and detection not only reduces detection performance but also affects the performance of the target host: as the signature database grows, it consumes more and more CPU, memory and disk. Because analyzing new features takes time, the response lags. Moreover, this approach cannot determine whether the Trojan program has actually run or what kind of operations it performed.
3) Dependence on the operating system: most Trojan detection and protection products are developed for the host system and must be installed in the target host's operating system, such as the anti-virus and active-defense products of Kaspersky, 360, Trend Micro and Norton, each of which must ship versions for several different operating systems.
4) As firewall-circumvention and port-rebound (reverse connection) techniques spread among Trojans, blocking Trojan connections by abnormal network communication behavior becomes less and less effective. Many Trojan programs communicate over standard service ports such as port 80 and use reverse connection, where the agent on the controlled host actively connects to the control-end program over port 80; a firewall mistakes such a connection for normal web access and lets it through. This technique neither detects nor controls specific Trojans and does not process or analyze the communication content, so it cannot determine whether a genuine Trojan is communicating, nor learn the content of the Trojan's communication or of the files it transfers.
5) Identifying Trojans by network communication behavior features only identifies the Trojan type; it does not go on to analyze, from those features, the key network activities of the Trojan's communication, such as the network behavior and content of obtaining system information, modifying system configuration, deleting files, downloading files and uploading files.
Summary of the invention
The object of the present invention is to provide a Trojan horse monitoring and auditing method and system that not only recognize the type of Trojan but also monitor the Trojan's network behavior.
The invention discloses a Trojan monitoring and auditing method comprising: a capture step, capturing network packets in real time; a current-session determination step, checking whether a packet belongs to an established network session, inserting it into that session if so and otherwise creating a new session, the established or new session being the current session; a session-content recording step, detecting whether the current session is a Trojan network communication session and, if so, recording its content; and a Trojan network operation behavior detection step, detecting from the recorded session content whether it constitutes a Trojan network operation behavior and, if so, recording and monitoring that behavior. The types of Trojan network operation behavior comprise: Trojan file operations, Trojan screen operations, Trojan command operations and process/service operations.
In the above method, preferably, when the type of Trojan network operation behavior is a file operation or a command operation, the behavior detection step is followed by a reconstruction step that reconstructs the operation content according to the features of the Trojan network operation behavior.
Preferably, the behavior detection step is followed by a Trojan network operation audit step that raises alarms and/or provides post-hoc audit based on the Trojan network operation behavior features.
Preferably, in the session-content recording step, whether the current session is a Trojan network communication session is detected by matching the protocol type, communication port numbers and payload of the packets against a Trojan communication behavior signature database, and an alarm message is sent when it is.
Preferably, between the capture step and the current-session determination step there are also: a parsing step, parsing the link-layer, network-layer, transport-layer and application-layer protocols of the packet; and a valid-packet verification step, filtering the packet according to the parsing result and discarding it if it is invalid.
Preferably, in the capture step, memory mapping is used to map the memory buffer of the kernel-mode capture interface driver into a user-mode memory buffer, in which packet capture is performed.
Preferably, the parsing step comprises extracting the MAC addresses, IP addresses, network protocol type, communication port numbers and application-layer payload.
Preferably, in the current-session determination step, the session table is built as a hash table, with the hash value computed from the five-tuple and used for address mapping.
Preferably, in the reconstruction step, the transmitted information content of the Trojan operation behavior is reconstructed by TCP stream reassembly; when the transfer ends, the reconstructed content is written to disk.
Preferably, the Trojan communication behavior signature database used in the session-content recording step is updated as follows: step a, collect Trojan sample programs, set up a network simulation environment and install the Trojan program on a host in it; step b, run the Trojan program and perform the functional operations offered by the Trojan control end; step c, capture and save the packets of the Trojan communication with a packet capture tool; step d, analyze the captured packets and extract the network communication behavior features, comprising the check-in (coming online) behavior features and the network operation behavior features; step e, add the extracted features to the existing signature database and have the probe module of the system reload the new database; step f, set up a closed-loop test environment and deploy the system into it; step g, repeat step b and check whether the system raises an alarm; if there is no alarm, or a false alarm, return to step d and re-extract the features, then continue; otherwise go to step h for open-loop testing; step h, set up an open-loop test environment and deploy the system into it; step i, access applications on the Internet and check whether the system raises false alarms, and if so return to step d. Repeat steps a to i for each different Trojan sample; when feature analysis and extraction for all collected samples is complete, release the new Trojan communication behavior signature database.
In another aspect, the invention also discloses a Trojan monitoring and auditing system characterized by comprising a probe module, the probe module comprising: a capture module for capturing network packets in real time; a current-session determination module for checking whether a packet belongs to an established network session, inserting it into that session if so and otherwise creating a new session, the established or new session being the current session; a session-content recording module for judging whether the current session is a Trojan communication session and, if so, recording the content of the Trojan network communication session; and a Trojan network operation behavior detection module for detecting, from the recorded session content, whether it constitutes a Trojan network operation behavior and, if so, recording and monitoring that behavior; wherein the types of Trojan network operation behavior comprise Trojan file operations, Trojan screen operations, Trojan command operations and process/service operations.
In the above system, preferably, when the type of Trojan network operation behavior is a file operation or a command operation, the behavior detection module is further connected to a reconstruction module that judges whether the behavior carries content and, if so, reconstructs the network operation content.
Preferably, the behavior detection module is further followed by a Trojan network operation audit module that raises alarms and/or provides post-hoc audit based on the Trojan network operation behavior features.
Preferably, in the session-content recording module, whether the current session is a Trojan network communication session is detected by matching the protocol type, communication port numbers and payload of the packets against the Trojan communication behavior database, and an alarm message is sent when it is.
Preferably, between the capture module and the current-session determination module there are also connected: a parsing module for parsing the link-layer, network-layer, transport-layer and application-layer protocols of the packet; and a valid-packet verification module for filtering the packet according to the parsing result and discarding it if it is invalid.
Preferably, the Trojan communication behavior database used by the session-content recording module is updated by the same steps a to i described above for the method: collecting Trojan samples in a simulated network, running the control end's operations, capturing the traffic, extracting the check-in and operation features, reloading them into the probe module, and validating in a closed-loop and then an open-loop test environment, returning to feature extraction whenever an alarm is missed or a false alarm occurs, before releasing the new database.
The advantages of the present invention are:
First, the invention captures session flows on the network in real time by out-of-band (bypass) monitoring: it consumes no communication resources of the user's network, does not affect its performance, and requires no software to be installed on user hosts. As long as the traffic of the monitored network is fed to the capture interface of the system's probe through a switch mirror port, hub or network tap, Trojan network communication can be monitored in real time.
Second, the invention promptly learns of Trojan activity and accurately locates the controlled host and the control end. By monitoring Trojan check-ins and the network operations performed against target systems in real time, it sends an alarm to the monitoring console as soon as a Trojan comes online and performs network activity. By tracking and locating the network addresses of the Trojan communication, the physical locations of the controlled host and the control end can be determined accurately.
Third, the invention finds new Trojan programs in time. To keep control of a compromised host ("zombie") for a long time and to evade the anti-virus software and dedicated Trojan removal tools installed on it, the attacker constantly uploads new versions of the Trojan program to the controlled end. If newly uploaded Trojan programs can be detected promptly, action can be taken quickly, for example deleting the uploaded file or using it as a sample for Trojan feature analysis.
Fourth, the invention lets the user discover the behavior and content of Trojan operations promptly, monitoring in real time the Trojan's various operations on the network, such as inspecting system resources and active processes, browsing, deleting and creating directories, and uploading and downloading files. It allows deep analysis of the Trojan's network operations, so that after a Trojan security incident occurs, remedial measures can be taken quickly according to the security classification and importance of the stolen information, minimizing the loss.
Fifth, the invention completely and in detail records all Trojan network operation events and the content of the communication sessions, reconstructs the content of key network communication sessions, and periodically generates security incident reports for the user, so that the user understands the security posture of the network.
Description of drawings
Fig. 1 is a schematic diagram of the working principle of a Trojan in the prior art;
Fig. 2 is a flow chart of the steps of one embodiment of the Trojan monitoring method of the present invention;
Fig. 3 is a flow chart of the steps of another embodiment of the Trojan monitoring method of the present invention;
Fig. 4 is a flow chart of the signature database update steps in the Trojan monitoring method of the present invention;
Fig. 5 is a schematic diagram of the network simulation environment in which the Trojan program is installed;
Fig. 6 is a schematic diagram of the closed-loop test environment;
Fig. 7 is a schematic diagram of the open-loop test environment;
Fig. 8 is a schematic diagram of the logical structure of the Trojan monitoring and auditing system;
Fig. 9 is a schematic diagram of the structure of the probe module in the Trojan monitoring and auditing system of the present invention;
Fig. 10 is a schematic diagram of the structure of the probe module in the Trojan monitoring and auditing system of the present invention;
Fig. 11 is the design flow chart of the server module;
Fig. 12 is a schematic diagram of the deployment of the Trojan monitoring and auditing system.
Embodiments
To make the above objects, features and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
First, the concept and working principle of a Trojan are introduced:
A Trojan is a program that establishes a connection with a remote computer so that the remote computer can control the local computer over the network. It operates over TCP/IP. Because it sneaks into the user's computer like a spy and opens a back door for others' attacks, much like the "wooden horse" stratagem of the Trojan War, it is called a Trojan horse program.
A Trojan consists of two parts: the agent program that is implanted into the system of the controlled host, and the control-end program. After the agent runs, it must establish a network connection with the control end (a forward or a reverse connection). Once connected, it receives the commands sent by the control end, such as listing the disk partitions of the system, obtaining the target system's OS type and currently loaded drivers, or listing the files in a directory, and returns the results to the control end, which then issues further operations based on the returned information, for example to obtain interesting or valuable data. The workflow of a reverse-connecting Trojan is as follows:
Referring to Fig. 1, Trojan network communication generally goes through three phases:
Connection establishment between the Trojan control end and the controlled end. How the connection is made differs between Trojans: in one mode the control-end program actively connects to the agent on the controlled end, called a forward connection; in the other the agent on the controlled end actively connects to the control-end program, called a reverse connection, as in (1), (2) and (3) of Fig. 1.
Once the connection between the control end and the controlled end is established, the control end sends control commands to the controlled end, which carries out the corresponding operations, such as inspecting the target system's disk partitions or browsing its directories, as in (4) and (5) of Fig. 1; steps (4) and (5) can be repeated in a loop.
When the Trojan communication ends, the control end sends a connection-teardown request, the controlled end responds to it, and the Trojan communication session ends, as in (6) and (7) of Fig. 1.
Method embodiment
Referring to Fig. 2, a flow chart of the steps of one embodiment of the Trojan monitoring method of the present invention, the method comprises: a capture step S210, capturing network packets in real time; a current-session determination step S220, checking whether the packet belongs to an established network session, inserting it into that session if so and otherwise creating a new session, the established or new session being the current session; a session-content recording step S230, judging whether the current session is a Trojan communication session and, if so, recording the content of the Trojan network communication session; and a Trojan operation behavior detection step S240, detecting from the recorded session content whether it constitutes a Trojan network operation behavior and, if so, recording and monitoring that behavior.
In step S240, Trojan network operation behaviors comprise: 1) Trojan file operations, such as file upload and download and the creation, deletion and modification of directories; 2) Trojan screen operations, such as screen capture and keystroke logging; 3) Trojan command operations, such as remote command execution and remote restart or shutdown of the device; 4) process/service operations, such as remotely browsing, starting and stopping processes.
Further, this embodiment may also comprise a reconstruction step, which judges whether the Trojan network operation behavior carries content and, if so, reconstructs the content of the network operation. The reconstruction rebuilds the operation content according to the features of the Trojan operation behavior and comprises two main classes: 1) reconstruction of the content of files transferred by the Trojan; 2) reconstruction of the content of Trojan command operations.
Further, this embodiment may also comprise a Trojan network operation audit step that raises alarms and/or provides post-hoc audit based on the Trojan network operation behavior features. The post-hoc audit comprises: 1) a complete record of the Trojan's intrusion behavior and content, used to assess the loss caused by the Trojan security incident and to provide a basis for tracing its source.
2) An audit function with query conditions such as time range, event type, event name, IP address and protocol, and an export function for the network session flow content and the reconstructed content corresponding to an event.
3) A report output function: security incident statistical analysis reports are generated automatically on a schedule and sent to the user's mailbox by e-mail, as daily, weekly and monthly reports.
With reference to Fig. 3, which is the flow chart of an embodiment of the Trojan monitoring method of the present invention, the steps are as follows:
a) Capture network packets in real time. To capture at high performance, the system uses memory mapping: the memory buffer of the kernel-mode capture interface driver is mapped onto user-mode buffer space, which reduces frequent switching between kernel mode and user mode and so improves the packet capture performance.
b) Parse the link-layer and network protocols of the packet. The raw captured packet is parsed to extract the content of the link-layer, network-layer, transport-layer and application-layer protocols, such as MAC addresses, IP addresses, network protocol type, communication port numbers and the application-layer payload.
c) Check packet validity. Based on the content parsed in step b), packets are filtered (for example non-IP packets and broadcast packets); an invalid packet is discarded and processing returns to step a), otherwise it proceeds to step d).
d) Check whether the current packet belongs to an already established network session. If so, it is inserted into the existing entry of the session table; otherwise a new session is created. Distinct network sessions are determined by the five-tuple of the network communication. To improve lookup efficiency, the session table is built as a hash table: the five-tuple is hashed to compute the table address, and sessions whose five-tuples hash to the same value are chained in a doubly linked list.
e) Determine whether the current session is already a known Trojan communication session. If not, go to step f); if so, go to step g).
f) Match the protocol type, communication port numbers and payload of the current packet against the Trojan communication behavior feature library to check whether this is Trojan communication behavior. To improve detection accuracy a multi-rule pattern is used: a single Trojan type is identified by several feature rules, and a network session is judged to be Trojan communication only when it satisfies all of them. A mature fast pattern-matching algorithm is used for matching against the library. Depending on the rules, this step may execute several times. When Trojan communication behavior is discovered, an alert is sent and recording of the session content of the network communication begins. Return to step a).
g) Detect whether the current data stream is Trojan network operation behavior. If not, return to step a); otherwise go to step h).
h) Match the current network operation behavior against the Trojan network operation behavior feature library to determine whether it is a known Trojan network operation behavior. If so, record it, send an alert and go to step i); otherwise return to step a).
i) Check whether the Trojan network operation behavior carries content to monitor. If not, return to step a); otherwise reconstruct the network operation content: the transmitted content is recovered using TCP stream reassembly, and when the transmission ends the reconstructed content is written to disk. Return to step a).
During operation, steps a) to i) above are repeated continuously, which realizes the monitoring of Trojans.
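The session tracking and multi-rule matching of steps d) to f), as an added example that is not code from the patent: a Python dict stands in for the five-tuple hash table (the dict resolves collisions instead of the doubly linked list described above), and the signature, its rules and the packets are constructed for the example.

```python
"""Five-tuple session tracking with multi-rule Trojan communication matching.
Added example, not the patent's code: models steps d) to f). The signature,
its rules and the packets below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FiveTuple = Tuple[str, str, int, int, str]

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str        # transport protocol, e.g. "tcp"
    payload: bytes    # application-layer payload

def session_key(pkt: Packet) -> FiveTuple:
    """Step d): both directions of a flow map to one session, so the two
    endpoints are ordered before the five-tuple is used as the hash key."""
    a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
    if a > b:
        a, b = b, a
    return (a[0], b[0], a[1], b[1], pkt.proto)

@dataclass
class Rule:
    proto: str
    port: Optional[int]   # None matches any port
    pattern: bytes        # substring that must occur in the payload

@dataclass
class Signature:
    name: str
    rules: List[Rule]     # ALL rules must be seen within one session

@dataclass
class Session:
    key: FiveTuple
    packets: List[Packet] = field(default_factory=list)
    hits: Dict[str, Set[int]] = field(default_factory=dict)  # signature -> rules hit
    trojan: Optional[str] = None                             # set once identified
    recorded: List[bytes] = field(default_factory=list)      # content kept after alert

class SessionTable:
    def __init__(self, signatures: List[Signature]):
        self.signatures = signatures
        # A dict stands in for the five-tuple hash table; the dict resolves
        # collisions instead of the doubly linked list the patent describes.
        self.sessions: Dict[FiveTuple, Session] = {}
        self.alerts: List[Tuple[str, FiveTuple]] = []

    def process(self, pkt: Packet) -> Session:
        key = session_key(pkt)
        sess = self.sessions.get(key)
        if sess is None:                         # no established session: create one
            sess = self.sessions[key] = Session(key)
        sess.packets.append(pkt)
        if sess.trojan is None:
            self._match(sess, pkt)               # step f): still unclassified
        else:
            sess.recorded.append(pkt.payload)    # known Trojan session: record content
        return sess

    def _match(self, sess: Session, pkt: Packet) -> None:
        for sig in self.signatures:
            hits = sess.hits.setdefault(sig.name, set())
            for i, rule in enumerate(sig.rules):
                if rule.proto != pkt.proto:
                    continue
                if rule.port is not None and rule.port not in (pkt.src_port, pkt.dst_port):
                    continue
                if rule.pattern in pkt.payload:
                    hits.add(i)
            if len(hits) == len(sig.rules):      # every feature rule satisfied
                sess.trojan = sig.name
                self.alerts.append((sig.name, sess.key))
                sess.recorded.extend(p.payload for p in sess.packets)
                return

# Constructed signature: a check-in banner plus a command marker, both on port 8080.
DEMO_SIGNATURES = [Signature("demo-rat", [Rule("tcp", 8080, b"AGENT-ONLINE "),
                                          Rule("tcp", 8080, b"\x01LISTDIR ")])]

def run_demo() -> Tuple[SessionTable, Session]:
    table = SessionTable(DEMO_SIGNATURES)
    # Plain web session: no rule matches.
    table.process(Packet("10.0.0.5", "198.51.100.10", 40001, 80, "tcp", b"GET / HTTP/1.1\r\n"))
    # Only the check-in feature: one rule of two is not enough to alert.
    table.process(Packet("10.0.0.6", "203.0.113.7", 40002, 8080, "tcp", b"AGENT-ONLINE host2"))
    # Both features, seen in opposite directions of the same session.
    table.process(Packet("10.0.0.5", "203.0.113.7", 51000, 8080, "tcp", b"AGENT-ONLINE host1"))
    table.process(Packet("203.0.113.7", "10.0.0.5", 8080, 51000, "tcp", b"\x01LISTDIR C:\\"))
    rat = table.process(Packet("10.0.0.5", "203.0.113.7", 51000, 8080, "tcp", b"C:\\Users\n"))
    return table, rat
```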
The embodiment above relies on the Trojan feature library. So that the system can recognize more Trojan communication behaviors, Trojan sample programs must be collected continuously, analyzed, their features extracted and added to the feature library. A Trojan program can be analyzed and its features extracted by the following method: a. Collect a Trojan sample program and set up a simulated network environment, installing the Trojan program on a host device of the simulated environment; the simulated network environment is shown in Fig. 5. b. Run the Trojan program and exercise the various functions offered by the Trojan's control end. c. Capture and save the packets of the Trojan communication with a packet capture tool. d. Analyze the captured packets and extract the network communication behavior features from them, including the check-in (coming online) behavior features and the network operation behavior features. e. Add the extracted features to the feature library and have the probe module of the system reload the new feature library. f. Set up a closed-loop test verification environment and deploy the system in it, as shown in Fig. 6. g. Repeat step b and check from the client whether the system raises alerts; if there is no alert, or there are false positives, go back to step d, extract the features again and continue the subsequent work; otherwise go to step h for open-loop test verification. h. Set up an open-loop test verification environment and deploy the system in it, as shown in Fig. 7. i. Access the various applications available on the Internet, such as browsing web pages, sending and receiving e-mail, file transfer and instant messaging, and check whether the system raises false-positive events; if it does, go back to step d. j. Repeat the process a to i for each different Trojan sample program. When the feature analysis and extraction of all collected samples is finished, a new Trojan feature library is released.
Embodiment of the Trojan monitoring and auditing system
The design idea and principle of the Trojan monitoring and auditing system is to apply network behavior monitoring technology to recognize various Trojans and their network communication activity. A Trojan can evade antivirus software that relies on the static features of the Trojan program by packing, junk-code insertion, mutation and upgrading, but the network application protocol it uses and the command content it transmits are relatively fixed and cannot easily be changed, because changing them would require a synchronized update of the control-end program and the agent service program, and the Trojan agent service program would have to be re-implanted into the target systems that were already compromised. A further benefit of this technique is that, besides recognizing known Trojan programs, it can also recognize unknown Trojan programs produced by packing, junk-code insertion and mutation; compared with a traditional static feature library, the size of the feature library can be reduced significantly, which improves the detection efficiency of the system.
The Trojan monitoring and auditing system collects the monitored network data flow in bypass mode. It monitors every network session stream transmitted on the network in real time and analyzes its content to detect whether it is Trojan network communication behavior. If it is, the content is analyzed further to determine what type of network activity it is, and the content of the network activity is reconstructed. A real-time alerting function is provided at the same time, so that users discover network security events as they occur.
With reference to Fig. 8, which is a schematic of the logical structure of the Trojan monitoring and auditing system: the system is designed and implemented with a three-tier architecture (client layer, service layer, acquisition and processing layer); the client and service layers use the B/S (browser/server) model. Concretely it consists of three parts: a probe module, a server module and a client module. The probe module is the core module of the system; it is responsible for packet capture, protocol recognition, Trojan type recognition, recognition of Trojan operation behavior, reconstruction of the content of network activity, real-time monitoring and event logging. The server module mainly provides the client module with real-time event monitoring, statistics, audit and session content export functions. The client module is the user interface module; using the browser installed on the system, it accesses the real-time monitoring, statistics and audit functions provided by the server over the Web.
The probe module is described first.
The probe module involves real-time packet capture, network protocol analysis, network session reconstruction, TCP stream reassembly and pattern matching techniques. With reference to Fig. 9, the structural diagram of the probe module in the Trojan auditing system of the present invention comprises: an acquisition module 90, used to capture network packets in real time; a current session determination module 92, used to check whether a network packet belongs to an already established network session and, if so, insert it into that session, otherwise create a new session, the established session or the new session serving as the current session; a session content recording module 94, used to judge whether the current session is a Trojan communication session and, if so, on the premise that the current session belongs to Trojan network operation behavior, generate an alert and record the network communication session content; and a Trojan operation behavior detection module 96, used to detect from the recorded session content whether there is content of Trojan network operation behavior and, if so, reconstruct the network operation content. The transmitted content is recovered using TCP stream reassembly, and when the transmission ends the reconstructed content is written to disk.
Further, in the session content recording module 94, if the current session is a Trojan communication session, whether the current session is Trojan communication behavior is detected and, if so, an alert is sent and the session content of the network communication is recorded; the detection is realized by matching the protocol type, communication port numbers and payload of the network packet against the Trojan communication behavior library.
With reference to Figure 10, another structural diagram of the probe module in the Trojan auditing system of the present invention. The characteristic of this embodiment is that a parsing module 91A and a valid-packet verification module 91B are additionally connected between the acquisition module 90 and the current session determination module 92, where the parsing module 91A parses the link-layer protocol, network protocol, transport-layer protocol and application-layer protocol of the network packet, and the valid-packet verification module 91B filters the network packet based on the parsing result and discards it where it is an invalid packet.
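The TCP stream reassembly that module 96 relies on to reconstruct transmitted content, as an added example that is not the patent's code: segments of one stream direction may arrive out of order, duplicated or partially overlapping, and the content is only written to disk once every byte up to the FIN has been seen. The segments are constructed for the example, and 32-bit sequence-number wrap-around is left out.

```python
"""TCP stream reassembly for recovering transferred content (added example,
not the patent's code). Segments are constructed; sequence wrap-around is
not handled."""
import bisect
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(order=True)
class Segment:
    seq: int                              # sequence number of the first byte
    data: bytes = field(compare=False)    # segments are ordered by seq only

class TcpReassembler:
    """Reassembles one direction of a TCP stream in sequence-number order."""

    def __init__(self, isn: int):
        self.next_seq = isn               # next byte the stream still needs
        self.pending: List[Segment] = []  # out-of-order segments, sorted by seq
        self.content = bytearray()        # contiguous reconstructed bytes
        self.fin_seq: Optional[int] = None
        self.complete = False

    def add(self, seq: int, data: bytes, fin: bool = False) -> None:
        end = seq + len(data)
        if fin:
            self.fin_seq = end            # stream ends after this byte
        # Keep only segments that still carry at least one undelivered byte.
        if data and end > self.next_seq:
            bisect.insort(self.pending, Segment(seq, data))
        self._drain()

    def _drain(self) -> None:
        while self.pending and self.pending[0].seq <= self.next_seq:
            seg = self.pending.pop(0)
            end = seg.seq + len(seg.data)
            if end <= self.next_seq:
                continue                  # retransmission of delivered data
            # Trim the already-delivered prefix, then append the new bytes.
            self.content += seg.data[self.next_seq - seg.seq:]
            self.next_seq = end
        if self.fin_seq is not None and self.next_seq >= self.fin_seq:
            self.complete = True

    def gap(self) -> Optional[Tuple[int, int]]:
        """Return (start, end) of the first missing byte range, or None."""
        if not self.pending:
            return None
        return (self.next_seq, self.pending[0].seq)

def reassemble(isn: int, segments) -> Tuple[bytes, bool]:
    """Feed (seq, data, fin) tuples in arrival order; return content and completeness."""
    r = TcpReassembler(isn)
    for seq, data, fin in segments:
        r.add(seq, data, fin)
    return bytes(r.content), r.complete

def write_if_complete(r: TcpReassembler, path: str) -> int:
    """Step i): once the transmission has ended, write the recovered content to disk."""
    if not r.complete:
        return 0
    with open(path, "wb") as f:
        return f.write(bytes(r.content))

# Constructed sample: a 10-byte transfer whose segments arrive out of order,
# with one exact duplicate and one partially overlapping retransmission.
SAMPLE_ISN = 1000
SAMPLE_SEGMENTS = [
    (1003, b"DEF", False),   # arrives before the first bytes
    (1000, b"ABC", False),
    (1003, b"DEF", False),   # exact duplicate
    (1005, b"FGH", False),   # overlaps byte F, already delivered
    (1008, b"IJ", True),     # last segment carries FIN
]

def run_demo():
    content, complete = reassemble(SAMPLE_ISN, SAMPLE_SEGMENTS)
    # A stream with a hole: bytes 1003..1005 never arrive, so it stays incomplete.
    partial = TcpReassembler(SAMPLE_ISN)
    partial.add(1000, b"ABC")
    partial.add(1006, b"GH")
    return content, complete, bytes(partial.content), partial.complete, partial.gap()
```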
The probe module is the core module of the system and is responsible for the following functions:
1. Packet capture and session reconstruction. Packets are captured in real time from the monitored network, the link-layer and network protocols are parsed, invalid packets are filtered out, a network session tracking table is built from the five-tuple (source IP address, destination IP address, source port, destination port, transport protocol) of each valid packet's network communication, and the Trojan type and behavior recognition module is called to detect whether the current session is Trojan communication.
2. Recognition of Trojan type and network behavior. Recognizes whether the current session is Trojan communication behavior, including Trojan check-in behavior and other behaviors such as browsing system directories, viewing process status, obtaining the system configuration, deleting directories or files, downloading files and uploading files.
3. Reconstruction of Trojan operation content. When Trojan operation behavior is recognized, the content of the Trojan operation is reconstructed and recorded to disk.
4. Real-time monitoring. When Trojan communication behavior is found on the monitored network, an alarm record is generated promptly and stored in the event table of the database. The content of an alert event includes the time of the event, the communication addresses, the event type, the event name and so on.
5. Trojan communication session recording. The communication session stream between the control end and the controlled end is recorded completely in a standard format, so that the Trojan's communication behavior can be analyzed further afterwards.
6. Tracing and locating the Trojan control source. IP geolocation is used to locate the physical location of the Trojan control source, providing technical means for investigating network crime cases and tracing network suspects.
The server module is described below. The present invention adopts the B/S (browser/server) architecture; its advantage is that no software needs to be installed on the user's client: the functions provided by the server are accessed through a browser, which is sufficient for using and managing the system. Based on the functions provided by the system, the management server module mainly implements event statistics, audit, real-time monitoring, event maintenance and configuration management. With reference to Figure 11, which is the design flow chart of the server module.
The server module has the following functions:
a) Real-time monitoring. Security alarm events are pushed to the user client as they occur, and the user is notified of new security events by pop-up windows, sounds and similar means. An alert event includes: the time of the event, the addresses, ports and protocol of the network communication, the event type, the event name and so on.
b) Event statistics. Provides the user with statistics by conditions such as time range, event type and event name, shown as tables and charts.
c) Event audit. Provides the user with audit by conditions such as time range, event type, event name, IP address and protocol, and provides export of the network session stream content and of the reconstructed content corresponding to an event.
d) Report output. Periodically generates security-event statistical analysis reports and sends them to the user's mailbox by e-mail; reports are produced as daily, weekly and monthly reports.
e) Event maintenance. Provides online maintenance and dump functions for the stored historical security event records.
f) Configuration management. Includes policy configuration, user management, system parameter configuration and so on.
With reference to Figure 12, the deployment diagram of the Trojan monitoring and auditing system. As can be seen, the present invention realizes monitoring and auditing of Trojan network communication activity in bypass mode: the data flow of the monitored network only has to be fed into the system through access devices such as a switch mirror port, a splitter or a hub; no software has to be installed on the user's terminals, the topology of the user's network is not changed, and no network communication resources of the user are consumed.
In summary, the present invention can realize the following functions:
First, Trojan recognition. Known or unknown Trojans, mainly remote-control Trojans, can be recognized from the features of the Trojan's network communication data flow, unaffected by packing, junk-code insertion or mutation of the Trojan program itself; the host addresses of the remote control end and of the user's controlled end and the network communication protocol used can be located. The main recognition method:
a) Build a network session tracking table from the five-tuple of the network communication (source IP address, destination IP address, source port, destination port, transport protocol);
b) Perform feature matching on the packets of the network session; if they satisfy the network communication data features of a certain Trojan, the network communication session belongs to Trojan communication.
Second, Trojan communication content recording. The network data flow between the Trojan control end and the controlled end can be recorded completely, so that the Trojan communication content can be analyzed further afterwards.
Third, Trojan network operation behavior monitoring. The various network operation behaviors of a Trojan during network communication can be recognized and monitored, mainly of the following classes:
a) Trojan file operations, such as file upload and download, and creation, deletion and modification of directories;
b) Trojan screen operations: screen capture, keystroke logging;
c) Trojan command operations, such as remote command execution and remote restart/shutdown of the device;
d) Process/service operations, such as remotely browsing, starting and stopping processes.
Fourth, Trojan network operation content reconstruction. The operation content of Trojan network operation behavior can be reconstructed according to the features of the Trojan operation behavior:
a) Reconstruction of the content of files transferred by the Trojan;
b) Reconstruction of the content of Trojan command operations.
Fifth, Trojan network operation audit. Alarm response policies can be defined based on the time range of Trojan events, the event name, the type of Trojan operation behavior, the Trojan operation content and so on, and post-hoc audit is provided at the same time.
The Trojan monitoring and auditing method and system provided by the present invention have been described in detail above. Specific embodiments have been used here to explain the principle and implementation of the present invention; the description of the above embodiments serves only to help understand the method of the present invention and its core idea. At the same time, a person of ordinary skill in the art may, according to the idea of the present invention, make changes in the specific embodiments and the scope of application. In summary, this description should not be construed as limiting the present invention.

Claims (16)

1. A Trojan monitoring and auditing method, characterized in that it comprises:
an acquisition step of capturing network packets in real time;
a current session determination step of checking whether the network packet belongs to an already established network session and, if so, inserting it into the established session, otherwise creating a new session, the established session or the new session serving as the current session;
a session content recording step of detecting whether the current session is a Trojan network communication session and, if so, recording the content of the Trojan network communication session;
a Trojan network operation behavior detection step of detecting, from the recorded content of the Trojan network communication session, whether it is Trojan network operation behavior and, if so, recording and monitoring the Trojan network operation behavior;
wherein the types of Trojan network operation behavior comprise: Trojan file operations, Trojan screen operations, Trojan command operations and process/service operations.
2. The Trojan monitoring and auditing method according to claim 1, characterized in that, when the type of the Trojan network operation behavior is a Trojan file operation or a Trojan command operation, the following step is further provided after the Trojan network operation behavior detection step:
a reconstruction step of reconstructing the operation content according to the features of the Trojan network operation behavior.
3. The Trojan monitoring and auditing method according to claim 1, characterized in that the following step is further provided after the Trojan network operation behavior detection step:
a Trojan network operation audit step of raising alarms and/or providing post-hoc audit based on the characteristics of the Trojan network operation behavior.
4. The Trojan monitoring and auditing method according to claim 3, characterized in that,
in the session content recording step, whether the current session is a Trojan network communication session is detected by matching the protocol type, communication port numbers and payload of the network packet against the Trojan communication behavior feature library; and, where it is a Trojan network communication session, an alert is sent.
5. The Trojan monitoring and auditing method according to claim 4, characterized in that, between the acquisition step and the current session determination step, it further comprises:
a parsing step of parsing the link-layer protocol, network protocol, transport-layer protocol and application-layer protocol of the network packet;
a valid-packet verification step of filtering the network packet based on the parsing result and discarding the network packet where it is an invalid packet.
6. The Trojan monitoring and auditing method according to claim 5, characterized in that,
in the acquisition step, network packets are captured based on memory mapping, with the memory buffer of the kernel-mode acquisition interface driver mapped onto user-mode buffer space.
7. The Trojan monitoring and auditing method according to claim 6, characterized in that,
the parsing step comprises extracting the MAC addresses, IP addresses, network protocol type, communication port numbers and application-layer payload.
8. The Trojan monitoring and auditing method according to claim 7, characterized in that, in the current session determination step,
a hash table is used to build the data structure of the new session table, the five-tuple being used to compute the hash value for address mapping.
9. The Trojan monitoring and auditing method according to claim 8, characterized in that, in the reconstruction step, the content of the information transmitted by the Trojan operation behavior is reconstructed based on TCP stream reassembly, and when the transmission ends the reconstructed content is written to disk.
10. The Trojan monitoring and auditing method according to claim 9, characterized in that, in the session content recording step, the Trojan communication behavior feature library is updated by the following method:
step a, collect a Trojan sample program and set up a simulated network environment, installing the Trojan program on a host device of the simulated environment;
step b, run the Trojan program and exercise the functions offered by the Trojan control end;
step c, capture and save the packets of the Trojan communication with a packet capture tool;
step d, analyze the captured packets and extract the network communication behavior features from them, including the check-in behavior features and the network operation behavior features;
step e, add the extracted features to the existing feature library and have the probe module of the system reload the new Trojan communication behavior feature library;
step f, set up a closed-loop test verification environment and deploy to the test verification environment;
repeat step b and check whether the system raises alerts; if there is no alert, or there are false positives, go back to step d, extract the features again and continue the subsequent work; otherwise go to step h for open-loop test verification;
step h, set up an open-loop test verification environment and deploy to the test verification environment;
step i, access applications on the Internet and check whether the system produces false-positive events; if it does, go back to step d;
repeat the above process a to i for different Trojan sample programs; when the feature analysis and extraction of all collected Trojans is finished, release the new Trojan communication behavior feature library.
11. A Trojan monitoring and auditing system, characterized in that it comprises a probe module, the probe module comprising:
an acquisition module, used to capture network packets in real time;
a current session determination module, used to check whether the network packet belongs to an already established network session and, if so, insert it into the established session, otherwise create a new session, the established session or the new session serving as the current session;
a session content recording module, used to judge whether the current session is a Trojan communication session and, if so, when the current session belongs to a Trojan network communication session, record the content of the Trojan network communication session;
a Trojan network operation behavior detection module, used to detect, from the recorded content of the Trojan network communication session, whether it is Trojan network operation behavior and, if so, record and monitor the Trojan network operation behavior;
wherein the types of Trojan network operation behavior comprise: Trojan file operations, Trojan screen operations, Trojan command operations and process/service operations.
12. The Trojan monitoring and auditing system according to claim 11, characterized in that,
when the type of the Trojan network operation behavior is a Trojan file operation or a Trojan command operation, the Trojan network operation behavior detection module is further connected with:
a reconstruction module, used to judge whether the Trojan network operation behavior carries content and, if so, reconstruct the content of the network operation.
13. The Trojan monitoring and auditing system according to claim 12, characterized in that,
the following is further connected after the Trojan network operation behavior detection module:
a Trojan network operation audit module, used to raise alarms and/or provide post-hoc audit based on the characteristics of the Trojan network operation behavior.
14. The Trojan monitoring and auditing system according to claim 13, characterized in that,
in the session content recording module, whether the current session is a Trojan network communication session is detected by matching the protocol type, communication port numbers and payload of the network packet against the Trojan communication behavior library; and, where it is a Trojan network communication session, an alert is sent.
15. The Trojan monitoring and auditing system according to claim 14, characterized in that, between the acquisition module and the current session determination module, the following are further connected:
a parsing module, used to parse the link-layer protocol, network protocol, transport-layer protocol and application-layer protocol of the network packet;
a valid-packet verification module, used to filter the network packet based on the parsing result and discard the network packet where it is an invalid packet.
16. The Trojan monitoring and auditing system according to claim 15, characterized in that, in the session content recording module, the Trojan communication behavior library is updated by the following method:
step a, collect a Trojan sample program and set up a simulated network environment, installing the Trojan program on a host device of the simulated environment;
step b, run the Trojan program and exercise the functions offered by the Trojan control end;
step c, capture and save the packets of the Trojan communication with a packet capture tool;
step d, analyze the captured packets and extract the network communication behavior features from them, including the check-in behavior features and the network operation behavior features;
step e, add the extracted features to the existing feature library and have the probe module of the system reload the new Trojan communication behavior library;
step f, set up a closed-loop test verification environment and deploy to the test verification environment;
repeat step b and check whether the system raises alerts; if there is no alert, or there are false positives, go back to step d, extract the features again and continue the subsequent work; otherwise go to step h for open-loop test verification;
step h, set up an open-loop test verification environment and deploy to the test verification environment;
step i, access applications on the Internet and check whether the system produces false-positive events; if it does, go back to step d;
repeat the above process a to i for different Trojan sample programs; when the feature analysis and extraction of all collected Trojans is finished, release the new Trojan communication behavior library.
CN 201010596416 2010-12-09 2010-12-20 Wooden horse monitoring and auditing method and system thereof Pending CN102045220A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010596416 CN102045220A (en) 2010-12-09 2010-12-20 Wooden horse monitoring and auditing method and system thereof

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201010581747 2010-12-09
CN201010581747.2 2010-12-09
CN 201010596416 CN102045220A (en) 2010-12-09 2010-12-20 Wooden horse monitoring and auditing method and system thereof

Publications (1)

Publication Number Publication Date
CN102045220A true CN102045220A (en) 2011-05-04

Family

ID=43911032

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010596416 Pending CN102045220A (en) 2010-12-09 2010-12-20 Wooden horse monitoring and auditing method and system thereof

Country Status (1)

Country Link
CN (1) CN102045220A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607413A (en) * 2013-12-05 2014-02-26 北京奇虎科技有限公司 Method and device for detecting website backdoor program
CN104023075A (en) * 2014-06-16 2014-09-03 南威软件股份有限公司 Internet online secret acquisition system and method
CN104753955A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Interconnection auditing method based on rebound port Trojans
CN104836797A (en) * 2015-04-14 2015-08-12 广东小天才科技有限公司 Network data packet processing method and system
CN105117647A (en) * 2015-08-18 2015-12-02 国家计算机网络与信息安全管理中心广东分中心 Trojan behavior recovery method
CN105740396A (en) * 2016-01-27 2016-07-06 广州酷狗计算机科技有限公司 HTTP data processing method and device
CN106416171A (en) * 2014-12-30 2017-02-15 华为技术有限公司 Method and device for feature information analysis
CN106921529A (en) * 2017-05-12 2017-07-04 成都锐帆网智信息技术有限公司 Internet behavior analysis method based on bypass
CN107026767A (en) * 2017-03-30 2017-08-08 上海七牛信息技术有限公司 Service protocol achievement data collection method and system
CN107342969A (en) * 2016-05-03 2017-11-10 阿里巴巴集团控股有限公司 System, the method and apparatus of message identification
CN107395643A (en) * 2017-09-01 2017-11-24 天津赞普科技股份有限公司 A kind of source IP guard method based on scanning probe behavior
CN104660584B (en) * 2014-12-30 2018-12-18 赖洪昌 Analysis of Trojan Virus technology based on network session
CN109787964A (en) * 2018-12-29 2019-05-21 北京零平数据处理有限公司 Process behavior is traced to the source device and method
CN113722705A (en) * 2021-11-02 2021-11-30 北京微步在线科技有限公司 Malicious program clearing method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101587456A (en) * 2009-07-08 2009-11-25 腾讯科技(深圳)有限公司 Protection processing method and apparatus of software operation
CN101605074A (en) * 2009-07-06 2009-12-16 中国人民解放军信息技术安全研究中心 The method and system of communication behavioural characteristic monitoring wooden horse Network Based

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607413A (en) * 2013-12-05 2014-02-26 北京奇虎科技有限公司 Method and device for detecting website backdoor program
CN103607413B (en) * 2013-12-05 2017-01-18 北京奇虎科技有限公司 Method and device for detecting website backdoor program
CN104023075A (en) * 2014-06-16 2014-09-03 南威软件股份有限公司 Internet online secret acquisition system and method
CN104660584B (en) * 2014-12-30 2018-12-18 赖洪昌 Trojan virus analysis technology based on network sessions
CN106416171A (en) * 2014-12-30 2017-02-15 华为技术有限公司 Method and device for feature information analysis
CN104753955A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Interconnection auditing method based on rebound port Trojans
CN104836797A (en) * 2015-04-14 2015-08-12 广东小天才科技有限公司 Network data packet processing method and system
CN105117647A (en) * 2015-08-18 2015-12-02 国家计算机网络与信息安全管理中心广东分中心 Trojan behavior recovery method
CN105740396B (en) * 2016-01-27 2019-12-10 广州酷狗计算机科技有限公司 HTTP data processing method and device
CN105740396A (en) * 2016-01-27 2016-07-06 广州酷狗计算机科技有限公司 HTTP data processing method and device
CN107342969A (en) * 2016-05-03 2017-11-10 阿里巴巴集团控股有限公司 Message identification system, method and apparatus
CN107342969B (en) * 2016-05-03 2021-04-20 阿里巴巴集团控股有限公司 Message identification system, method and device
CN107026767A (en) * 2017-03-30 2017-08-08 上海七牛信息技术有限公司 Service protocol achievement data collection method and system
CN107026767B (en) * 2017-03-30 2019-10-18 上海七牛信息技术有限公司 Service protocol achievement data collection method and system
CN106921529A (en) * 2017-05-12 2017-07-04 成都锐帆网智信息技术有限公司 Internet behavior analysis method based on bypass
CN106921529B (en) * 2017-05-12 2020-04-28 成都锐帆网智信息技术有限公司 Bypass-based internet surfing behavior analysis method
CN107395643A (en) * 2017-09-01 2017-11-24 天津赞普科技股份有限公司 Source IP protection method based on scanning probe behavior
CN107395643B (en) * 2017-09-01 2020-09-11 天津赞普科技股份有限公司 Source IP protection method based on scanning probe behavior
CN109787964A (en) * 2018-12-29 2019-05-21 北京零平数据处理有限公司 Process behavior tracing device and method
CN113722705A (en) * 2021-11-02 2021-11-30 北京微步在线科技有限公司 Malicious program clearing method and device

Similar Documents

Publication Publication Date Title
CN102045220A (en) Wooden horse monitoring and auditing method and system thereof
CN107370755B (en) Method for multi-dimensional deep detection of APT (advanced persistent threat) attacks
EP2566130B1 (en) Automatic analysis of security related incidents in computer networks
CN110730175B (en) Botnet detection method and detection system based on threat information
Ning et al. Analyzing intensive intrusion alerts via correlation
Lee et al. A framework for constructing features and models for intrusion detection systems
CN102761458B (en) Detection method and system of rebound type Trojan
CN103078864B (en) Active defense file repair method based on cloud security
US7870612B2 (en) Antivirus protection system and method for computers
CN105187394B (en) Proxy server and method with malware behaviour detection capability for mobile terminals
CN101753377B (en) p2p_botnet real-time detection method and system
US20130167236A1 (en) Method and system for automatically generating virus descriptions
US20110154492A1 (en) Malicious traffic isolation system and method using botnet information
CN113691566B (en) Mail server secret stealing detection method based on space mapping and network flow statistics
CN110958257B (en) Intranet penetration process reconstruction method and system
CN105659245A (en) Context-aware network forensics
CN103634306A (en) Security detection method and security detection server for network data
CN111988339B (en) Network attack path discovery, extraction and association method based on DIKW model
CN112788043B (en) Honeypot system service self-adaption method and self-adaption service honeypot system
CN110035062A (en) Network inspection method and apparatus
CN107644161A (en) Sample security detection method, device and equipment
CN114124516A (en) Situation awareness prediction method, device and system
Bolzoni et al. ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems.
KR20100070623A (en) System for collecting / analysing bot and method therefor
KR101048159B1 (en) Botnet Detection and Blocking System and Method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110504