CN102333313A - Feature code generation method and detection method of mobile botnet - Google Patents


Info

Publication number: CN102333313A
Authority: CN (China)
Prior art keywords: botnet, feature code, host, character strings, mobile
Legal status: Pending
Application number: CN201110315580A
Other languages: Chinese (zh)
Inventors: 卢维清, 崔翔, 郭莉
Current assignee: Institute of Computing Technology of CAS
Original assignee: Institute of Computing Technology of CAS
Priority date: 2011-10-18
Filing date: 2011-10-18
Publication date: 2012-01-25

Abstract

The invention provides a method for generating feature codes (signatures) of a mobile botnet. The method comprises: capturing the network traffic of a suspicious host group; segmenting the traffic packets based on content to obtain identical character strings; performing statistical analysis on the identical strings, calculating the popularity of each string, and extracting the strings whose popularity exceeds a certain threshold; and filtering the extracted strings to exclude commonly used strings, taking the remaining strings as feature codes. The invention further provides a method for detecting a mobile botnet with the generated feature codes. The method comprises: capturing the network traffic of a host group to be detected, where the traffic consists of packets, each packet has a header and a payload, and header and payload are both a series of character strings; matching the strings against the feature codes; determining traffic that matches to be a mobile-phone bot program and recording its information; and passing through traffic that does not match.

Description

Mobile botnet feature code generation method and mobile botnet detection method
Technical field
The present invention relates to the field of mobile Internet security, and in particular to a mobile botnet feature code (signature) generation method and a mobile botnet detection method.
Background
With the development of the mobile Internet and the gradual spread of smartphones, the increasingly powerful computing capability of smartphones and their convenient network access have laid the foundation for the emergence and growth of mobile botnets.
A mobile botnet is the extension of the botnet to mobile terminals: a population of controlled mobile terminals that an attacker builds through a mobile-phone bot program. As with botnets on the PC platform, a mobile botnet attacker can use mobile terminals such as smartphones to carry out harmful acts such as SMS flooding attacks, sending spam and ordering expensive SP (service provider) services. These behaviours seriously threaten the privacy and property of mobile phone users. Most current mobile botnets implement command and control over HTTP; Fig. 1 is a schematic diagram of a botnet structure on the mobile Internet.
Botnets have already been found on several mobile phone platforms. The first mobile botnet for the Symbian platform, SYMBOS_YXES.B, was discovered in July 2009; a phone infected by the bot collects the user's personal information, phone information, network information and so on and uploads it to a designated server. It can also send large numbers of spam SMS messages to the infected user's contacts, with the message content supplied by the controller's server. In November 2009 the first mobile botnet targeting jailbroken iPhones, Ikee.B, appeared; after infecting a user the bot collects financially sensitive information from the phone, uploads it to a designated server, and fetches and executes commands through that server. With the release and development of the Android system, the number of users of Android phones keeps growing. Because of the openness of the Android system, its security has always been a focus of concern. A large amount of mobile malware has appeared on the Android platform, some of it with the characteristics of a mobile botnet. In 2010 the first mobile botnet targeting Android, Geinimi, appeared.
The emergence of the mobile botnets above brings security problems to the mobile Internet, and corresponding defensive measures are needed to resist them. However, research on defending against mobile botnets is still scarce, and research on mobile botnet detection is almost nonexistent. The industry therefore needs a mobile botnet detection method.
Summary of the invention
The technical problem to be solved by the present invention is to provide a mobile botnet feature code generation method and a mobile botnet detection method.
According to one aspect of the present invention, a method for generating feature codes of a mobile botnet is provided, comprising: step 1, capturing the network traffic of a suspicious host group; step 2, segmenting the network traffic packets based on content to obtain identical character strings; step 3, performing statistical analysis on the identical strings, calculating their popularity, and extracting the strings whose popularity exceeds a certain threshold; and step 4, filtering the strings whose popularity exceeds the threshold, excluding commonly used strings, and taking the remaining strings as feature codes.
Optionally, step 1 comprises: step 0-1, capturing network traffic at a network access point and recording the flow information; step 0-2, performing cluster analysis on the recorded flow information to divide hosts into host groups; and step 0-3, determining the suspicious host groups among those host groups according to spatio-temporal similarity.
Optionally, the network access point in step 0-1 comprises a GPRS access point.
Optionally, the record format in step 0-1 is: <source IP address, destination IP address, source port, destination port, protocol, time, connection duration>.
Optionally, the cluster analysis in step 0-2 comprises the X-MEANS method.
Optionally, the method for generating feature codes of a mobile botnet further comprises, before step 0-2: basic filtering, to exclude part of the data; the basic filtering comprises filtering out all intranet-to-extranet communication and packets that did not completely establish a connection.
Optionally, the method further comprises, before step 0-2: whitelist filtering, to exclude part of the data; the whitelist contains the IP addresses and domain names of well-known web servers.
Optionally, step 0-2 comprises: classifying the resulting related flows, aggregating network flows with the same attribute values into one aggregate flow; and extracting features from the aggregate flow and mapping them to a multidimensional vector in a multidimensional vector space, the dimension of the vector space being equal to the number of features.
Optionally, step 0-2 further comprises: performing two-level clustering on the multidimensional vectors; the two-level clustering comprises a first clustering and a second clustering; the first clustering uses the X-MEANS clustering algorithm to reduce the number of feature variables, that is, to divide the set of multidimensional vectors into a plurality of first sets; the second clustering uses the X-MEDOIDS clustering algorithm to divide the result of the first clustering again, obtaining a plurality of second sets.
According to a further aspect of the present invention, a method for detecting a mobile botnet with the feature codes generated by the above method is also provided, comprising: capturing the network traffic of the host group to be detected, the traffic consisting of packets, each packet having a header and a payload, both of which are a series of character strings; performing string matching with the feature codes; determining traffic that matches to be a mobile-phone bot program and recording its information; and passing through traffic that does not match.
Compared with the prior art, the invention has the following advantages:
(1) the method provided by the invention uses spatio-temporal similarity and does not depend on the commands, the protocol or the structure by which the mobile botnet is commanded and controlled;
(2) the detection method can find mobile bot programs in real time and effectively, with a low false alarm rate;
(3) the detection method runs at the network access point (on the GPRS access point), so it is not affected by mobile phone battery consumption.
Description of drawings
Fig. 1 is a schematic diagram of a botnet structure on the mobile Internet in the prior art;
Fig. 2 is a schematic diagram of the spatio-temporal similarity of messages sent and received by bot programs in an example;
Fig. 3 is a flow chart of the mobile botnet feature code generation method provided in one embodiment of the invention;
Fig. 4 is a schematic diagram of a method of segmenting network traffic packets in one embodiment of the invention;
Fig. 5 is a schematic diagram of two-level clustering of a plurality of D-dimensional vectors in one embodiment of the invention;
Fig. 6 is a flow chart of the mobile botnet detection method provided in one embodiment of the invention.
Embodiments
In order to make the objectives, technical solution and advantages of the present invention clearer, the mobile botnet detection method provided in the embodiments of the invention is explained further below with reference to the accompanying drawings. It should be understood that the specific embodiments described here only serve to explain the invention and are not intended to limit it.
To detect a botnet one first needs to understand its characteristics. Through long-term study the inventors found that a botnet has the following characteristic: because the bot program's response to control commands is fixed when it is programmed, the behaviour of the bot programs in one botnet exhibits spatio-temporal similarity. Spatio-temporal similarity means that large numbers of bot programs often act in concert when maintaining connections, sending and receiving control commands and carrying out attack tasks, so that multiple bot programs communicate similar content within the same time window. The mobile botnets that have appeared on the mobile Internet using HTTP-based command and control protocols also fit this characteristic. For example, referring to Fig. 2, bots 210, 220 and 230 send and receive messages with similar content in the same time periods 201, 202 and 203.
So if this spatio-temporal similarity is solidified and represented by a feature code, the monitored traffic can be matched against that feature code and botnet detection is achieved. Here a feature code can be a set of character strings: common strings extracted from the traffic packets that represent identical behaviour in the bot communication process (connecting to the same destination IP and destination port, containing control commands).
In one embodiment of the invention, a method for generating the feature codes of a mobile botnet is provided. The method comprises determining suspicious host groups and generating their feature codes, as shown in Fig. 3, and comprises:
S110, communication capture, obtaining flow information. IP packets are captured at a network access point such as a GPRS access point to obtain the network traffic, and the flow information (the network packets) is recorded. The information content and format are: <source IP address, destination IP address, source port, destination port, protocol, time, connection duration>.
S120, communication clustering, generating host groups. The flow information obtained by communication capture is clustered to obtain similar communication patterns; the algorithms used include clustering algorithms such as X-MEANS. Because the clustering has already divided the hosts into host groups, when a new host is matched against the communication patterns it can be assigned to the corresponding host group.
The packets produced by a new host are matched against the packet characteristics of an existing host group, for example the same packet size and the same destination IP and port in the packet. Within a host group the packet size is the same, and the destination IP address and the source and destination ports are the same.
S130, determining suspicious host groups. Over a period of time, the suspicious host groups among the host groups can be identified according to spatio-temporal similarity, finally obtaining suspicious host groups with similar behaviour. At this point the suspicious host groups have been determined.
S140, monitoring the suspicious host groups and capturing their traffic. Each set Ai is a host group with similar behaviour; the traffic of these host groups is monitored and captured.
S150, segmenting the network traffic packets to obtain identical character strings. According to spatio-temporal similarity, the communication between these host groups, or between the host groups and the control server, shows identical behaviour, so the corresponding network traffic packets of these hosts are segmented and analysed based on payload content to obtain identical character strings. These identical strings may contain command and control information.
In another embodiment of the invention, the traffic packets may also be segmented on known common character strings. For example, referring to Fig. 4, the traffic packets are split on '0008', and the segments e1 and e2 obtained are identical strings in the two flows. Here '0008' is a known common character string.
S160, statistical analysis of the strings obtained: statistical analysis is carried out on these identical strings, their popularity is calculated, and the strings whose popularity exceeds a certain threshold are extracted.
S170, blacklist filtering. The strings obtained are filtered through a blacklist: commonly used strings are placed on the blacklist, and the remaining strings are put into the feature database as feature codes. At this point the feature codes have been generated.
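Steps S150 to S170 worked through as an added example (this is not the patent's code; the HTTP payloads are constructed, and the host c2.example.test, the path /gate/cmd.php and the benign corpus are assumptions). It segments each packet on protocol delimiters, which generalises the page's split on a known common string such as '0008', computes popularity as the fraction of packets containing each substring, applies the threshold, and removes blacklisted strings. The blacklist is seeded with HTTP method and version tokens and extended with whatever is popular in a small benign corpus, which is one way to populate the "commonly used strings" the page places on the blacklist:

```python
"""Feature-code generation for one suspicious host group, following steps
S150-S170: segment packets by content, rank substrings by popularity, keep
those above a threshold, drop blacklisted common strings.
Added example; the payloads below are constructed, not captured traffic."""
import re
from collections import Counter

# Content-based segmentation on protocol delimiters (CRLF, space, tab, ?, &, =).
# This generalises the page's split on a known common string such as '0008'.
DELIMITERS = re.compile(r"[\r\n \t?&=]+")

# Static part of the blacklist: tokens present in practically all HTTP traffic.
STATIC_BLACKLIST = {"GET", "POST", "HEAD", "HTTP/1.0", "HTTP/1.1"}

# Constructed payloads from four members of one suspicious host group; three
# poll a hypothetical control gate, one is ordinary browsing by a group member.
SUSPICIOUS_PAYLOADS = [
    "POST /gate/cmd.php HTTP/1.1\r\nHost: c2.example.test\r\n"
    "User-Agent: Dalvik/1.6\r\n\r\nimei=0001&ver=0008&cmd=sms",
    "POST /gate/cmd.php HTTP/1.1\r\nHost: c2.example.test\r\n"
    "User-Agent: Dalvik/1.6\r\n\r\nimei=0002&ver=0008&cmd=sms",
    "POST /gate/cmd.php HTTP/1.1\r\nHost: c2.example.test\r\n"
    "User-Agent: Dalvik/1.4\r\n\r\nimei=0003&ver=0008&cmd=upload",
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Dalvik/1.6\r\n\r\n",
]

# Constructed benign payloads used to learn further common strings.
BENIGN_PAYLOADS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Dalvik/1.6\r\n\r\n",
    "GET /news/today HTTP/1.1\r\nHost: news.example.test\r\n"
    "User-Agent: Dalvik/1.6\r\nConnection: keep-alive\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
    "User-Agent: Dalvik/1.4\r\n\r\nuser=a&pass=b",
]


def segment(payload, min_len=3):
    """S150: the set of distinct substrings of one packet, ignoring very short ones."""
    return {s for s in DELIMITERS.split(payload) if len(s) >= min_len}


def popularity(payloads):
    """S160: fraction of packets in which each substring occurs (counted once per packet)."""
    counts = Counter()
    for payload in payloads:
        counts.update(segment(payload))
    return {s: n / len(payloads) for s, n in counts.items()}


def build_blacklist(benign_payloads, threshold=0.5):
    """S170 blacklist: static tokens plus everything popular in benign traffic."""
    popular_benign = {s for s, p in popularity(benign_payloads).items() if p > threshold}
    return STATIC_BLACKLIST | popular_benign


def generate_feature_codes(group_payloads, blacklist, threshold=0.5):
    """S150-S170: substrings whose popularity in the group exceeds the
    threshold and which are not on the blacklist become feature codes."""
    pop = popularity(group_payloads)
    return sorted(s for s, p in pop.items() if p > threshold and s not in blacklist)


if __name__ == "__main__":
    codes = generate_feature_codes(SUSPICIOUS_PAYLOADS, build_blacklist(BENIGN_PAYLOADS))
    print(codes)
```

Running generate_feature_codes on the constructed group with the benign-derived blacklist yields /gate/cmd.php, 0008, c2.example.test, cmd, imei and ver. With only the static blacklist, Dalvik/1.6, Host: and User-Agent: also survive as feature codes, which is why the blacklist has to be built from real benign traffic rather than a fixed list. The threshold is the false-positive versus false-negative knob: at 0.5 the string sms, shared by only two of the four packets, is already dropped, and at 0.8 nothing but the blacklisted protocol tokens remains.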
Preferably, in step S110, since mobile phones in China generally access the Internet over GPRS, detecting at the GPRS access point not only prevents mobile bot programs from attacking the whole mobile network so that mobile services stop working normally, or from harmful acts such as violating user privacy, but also contains the spread of mobile bot programs quickly.
In addition, a phone on GPRS has no public IP address, so an individual phone cannot be located; a suspicious group of phones can, however, be identified approximately. The IP of a phone is the IP of a certain base station rather than a public IP, so phones in the same geographic location share the same IP, the base station IP. The phones with the same IP thus form a set, and that set can be located.
The traffic captured in step S110 above is very large. To reduce the data that the subsequent steps need to process and improve processing efficiency, as shown in Fig. 3, in another embodiment of the invention step S120 further comprises:
S201: basic filtering, excluding part of the data. Basic filtering is applied to the flow records: all intranet-to-extranet communication and packets that did not complete connection establishment are filtered out, leaving suspicious data, such as a host that sends acknowledgement packets without completing the TCP handshake, which typically occurs in scanning activity.
S202: whitelist filtering, excluding part of the data. The IP addresses and domain names of the major well-known web servers are collected and placed on a whitelist.
S203: classification and clustering. After basic filtering and whitelisting, the resulting related flows are classified: network flows with the same attribute values are grouped into one class. Within a time period, for example one day, the network flows with the same protocol, source IP address, destination IP address and port are aggregated into one aggregate flow C (a set whose elements are network flows).
Features are then extracted from the aggregate flow C and mapped to a D-dimensional vector space, where the dimension D equals the number of features. Clustering after this processing reduces the false negative rate. For example, two network flows may have different destination IPs but belong to the same botnet, which has used different DNS names; without this mapping they would not be clustered into one group, because the destination IPs in the C flows differ. Traffic classification makes the sets smaller and improves clustering efficiency. The result of classification and clustering is a plurality of D-dimensional vectors.
Steps S201, S202 and S203 above all reduce the data volume and improve clustering efficiency, but the types of data they reduce differ, so used in combination they remove several types of irrelevant data. In some embodiments of the invention the steps need not be used in combination.
However, even in a medium-sized network the feature space above is still very large, and the proportion of infected machines in the network is comparatively small, so benign and malicious flows (benign meaning normal traffic) need to be separated within the C flows.
To solve this problem and improve processing efficiency, according to another embodiment of the invention, in step S203 above two-level clustering is performed on the plurality of D-dimensional vectors:
S2031: the first clustering uses the X-MEANS clustering algorithm to reduce the numerous feature variables to a comparatively small number, that is, the large set X is divided into a plurality of small sets Ai (the C flows are mapped to D-dimensional vectors so that the algorithm can be applied; here X denotes the set of D-dimensional vectors).
S2032: the second clustering uses the X-MEDOIDS clustering algorithm to divide the result Ai of the first clustering again, obtaining smaller sets.
As shown in Fig. 5, in the first step the large set D is first classified to obtain sets Ai and Aj, and then within each small set Ai, Aj a finer division is carried out to obtain the smaller sets Ai1, Ai2 and Aj1, Aj2.
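The flow-record pipeline of S201 to S203, together with the host grouping by spatio-temporal similarity of S120 and S130, as an added example (not the patent's code). The records follow the page's seven-field format; the complete flag, the /24 intranet range, the whitelist entry and every address and timestamp are constructed assumptions. The basic filter drops half-open connections and intranet-to-intranet flows and keeps intranet-to-extranet flows, because those are the flows to the control server that the later steps analyse; the page's wording on which direction is dropped is not explicit, so this is the example's choice. Aggregate flows C are keyed by protocol, source, destination and destination port over one time period, and each is mapped to a D = 3 vector (flow count, mean duration, mean inter-arrival time) as input for the X-MEANS/X-MEDOIDS clustering, which is not reproduced here:

```python
"""Flow-record filtering, aggregation and vectorisation (S201-S203) plus host
grouping by spatio-temporal similarity (S120/S130). Added example; the records,
addresses, intranet range and whitelist below are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """The page's record <src IP, dst IP, src port, dst port, protocol, time,
    duration>; `complete` (did the TCP handshake finish) is an added field."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    time: int        # flow start, seconds
    duration: int    # connection duration, seconds
    complete: bool = True


INTRANET = ipaddress.ip_network("10.1.0.0/24")   # monitored hosts (assumption)
WHITELIST = {"198.51.100.5"}                     # a well-known web server (assumption)

# Constructed records: three hosts poll 203.0.113.7:80 at the same instants,
# one host browses normally, plus an intranet-only flow and a half-open one.
RECORDS = [
    FlowRecord(src, "203.0.113.7", 40000 + i, 80, "tcp", t, 2)
    for src in ("10.1.0.11", "10.1.0.12", "10.1.0.13")
    for i, t in enumerate((0, 300, 600))
] + [
    FlowRecord("10.1.0.20", "198.51.100.5", 41000, 80, "tcp", 10, 5),
    FlowRecord("10.1.0.20", "198.51.100.5", 41001, 80, "tcp", 700, 4),
    FlowRecord("10.1.0.20", "203.0.113.9", 41002, 443, "tcp", 50, 30),
    FlowRecord("10.1.0.11", "10.1.0.12", 41003, 445, "tcp", 20, 1),
    FlowRecord("10.1.0.13", "203.0.113.7", 41004, 80, "tcp", 900, 0, complete=False),
]


def basic_filter(records, intranet=INTRANET):
    """S201: drop half-open connections and flows that stay inside the intranet;
    keep intranet-to-extranet flows, which carry the traffic to the controller."""
    return [r for r in records
            if r.complete and ipaddress.ip_address(r.dst) not in intranet]


def whitelist_filter(records, whitelist=WHITELIST):
    """S202: drop flows to well-known servers."""
    return [r for r in records if r.dst not in whitelist]


def aggregate(records):
    """S203: aggregate flows with the same protocol, source, destination and
    destination port into one aggregate flow C (a list of records)."""
    cflows = defaultdict(list)
    for r in records:
        cflows[(r.proto, r.src, r.dst, r.dport)].append(r)
    return dict(cflows)


def feature_vector(cflow):
    """S203: map one aggregate flow to a D-dimensional vector, D = 3 here:
    (number of flows, mean duration, mean inter-arrival time)."""
    times = sorted(r.time for r in cflow)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return (float(len(cflow)),
            sum(r.duration for r in cflow) / len(cflow),
            sum(gaps) / len(gaps) if gaps else 0.0)


def suspicious_host_groups(cflows, window=60):
    """S120/S130: hosts whose flows to the same destination start in exactly the
    same time windows show spatio-temporal similarity and form a host group."""
    by_dest = defaultdict(dict)   # (proto, dst, dport) -> {src: frozenset of windows}
    for (proto, src, dst, dport), recs in cflows.items():
        by_dest[(proto, dst, dport)][src] = frozenset(r.time // window for r in recs)
    groups = []
    for dest, hosts in sorted(by_dest.items(), key=lambda kv: kv[0]):
        by_windows = defaultdict(list)
        for src, windows in hosts.items():
            by_windows[windows].append(src)
        groups.extend((dest, sorted(srcs)) for srcs in by_windows.values() if len(srcs) > 1)
    return groups


if __name__ == "__main__":
    kept = whitelist_filter(basic_filter(RECORDS))
    cflows = aggregate(kept)
    for key, recs in cflows.items():
        print(key, feature_vector(recs))
    print(suspicious_host_groups(cflows))
```

Of the fourteen constructed records, ten survive the two filters and collapse into four aggregate flows; the three polling hosts share the window set {0, 5, 10} towards 203.0.113.7:80 and come out as one host group, while the single browsing host forms no group. Requiring identical window sets is deliberately strict; in practice a Jaccard similarity over the window sets, with a threshold, is the usual relaxation so that one missed poll does not split a group.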
Using the botnet feature codes provided by the present invention, a communication monitoring system monitors the traffic. In one embodiment of the invention a mobile botnet detection method is provided, referring to Fig. 6, comprising:
S401: string matching using the feature codes. If the match succeeds, go to S402; if the match fails, go to S403. The captured packets have a header and a payload, and both the header and the payload are a series of character strings;
S402: a successful match is a mobile-phone bot program; record the information and return to S401;
S403: the match failed; pass the traffic through and return to S401.
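The detection loop S401 to S403 as an added example (not the patent's code). The packets, the family name and its four feature codes are constructed. A packet is recorded when all codes of a family occur in its header plus payload; that is this example's choice rather than anything the page specifies, and it is exposed as min_fraction so the effect of a looser rule can be seen:

```python
"""Detection loop S401-S403: match captured packets against the feature
database, record hits (S402), pass everything else (S403).
Added example; packets, family name and feature codes are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address as seen at the access point
    header: bytes   # packet header
    payload: bytes  # packet payload


# Constructed feature database: family -> feature codes, shaped like the
# strings a generator would emit; the family name is hypothetical.
FEATURE_DB = {
    "hypothetical-http-bot": [b"/gate/cmd.php", b"c2.example.test", b"0008", b"cmd"],
}

# Constructed packets, not real traffic. The third one is an ordinary request
# that happens to contain the short token 'cmd'.
PACKETS = [
    Packet("10.0.0.5", b"POST /gate/cmd.php HTTP/1.1\r\nHost: c2.example.test\r\n\r\n",
           b"imei=0001&ver=0008&cmd=sms"),
    Packet("10.0.0.9", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n", b""),
    Packet("10.0.0.7", b"GET /search?q=cmd HTTP/1.1\r\nHost: www.example.test\r\n\r\n", b""),
    Packet("10.0.0.5", b"POST /gate/cmd.php HTTP/1.1\r\nHost: c2.example.test\r\n\r\n",
           b"imei=0001&ver=0008&cmd=upload"),
]


def match_feature_codes(pkt, codes):
    """S401: string matching over header and payload; returns the codes found."""
    data = pkt.header + pkt.payload
    return [c for c in codes if c in data]


def detect(packets, feature_db=FEATURE_DB, min_fraction=1.0):
    """Run S401-S403 over a packet list. A packet is recorded as a bot (S402)
    when at least min_fraction of a family's codes occur in it; otherwise it is
    passed through (S403). Requiring all codes, the default, is this example's
    choice so that a generic token like 'cmd' cannot trigger on its own."""
    records, passed = [], []
    for pkt in packets:
        hit = None
        for family, codes in feature_db.items():
            found = match_feature_codes(pkt, codes)
            if found and len(found) >= min_fraction * len(codes):
                hit = {"src": pkt.src, "family": family, "matched": found}
                break
        if hit is not None:
            records.append(hit)
        else:
            passed.append(pkt)
    return records, passed


if __name__ == "__main__":
    bots, clean = detect(PACKETS)
    for rec in bots:
        print("bot:", rec["src"], rec["family"], rec["matched"])
    print("passed:", len(clean))
```

With the default min_fraction=1.0 the two packets from 10.0.0.5 are recorded and the search request that merely contains cmd is passed through; with min_fraction=0.25 that same request is flagged, which is the false-alarm behaviour a single short token produces. Matching on bytes rather than decoded text avoids decoding errors on binary payloads, and for a feature database of any size the per-code in loop should give way to a multi-pattern matcher.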
It should be noted and understood that various modifications and improvements can be made to the invention described in detail above without departing from the spirit and scope of the invention as claimed in the accompanying claims. Therefore, the scope of the claimed technical solution is not limited by any particular exemplary teaching given.

Claims (10)

1. A method for generating feature codes of a mobile botnet, comprising:
step 1, capturing the network traffic of a suspicious host group;
step 2, segmenting the network traffic packets based on content to obtain identical character strings;
step 3, performing statistical analysis on the identical character strings, calculating their popularity, and extracting the strings whose popularity exceeds a certain threshold; and
step 4, filtering the strings whose popularity exceeds the threshold, excluding commonly used strings, and taking the remaining strings as feature codes.
2. The method for generating feature codes of a mobile botnet according to claim 1, wherein step 1 comprises:
step 0-1, capturing network traffic at a network access point and recording the flow information;
step 0-2, performing cluster analysis on the recorded flow information to divide hosts into host groups;
step 0-3, determining the suspicious host groups among said host groups according to spatio-temporal similarity; and
step 0-4, capturing the network traffic of the suspicious host groups.
3. The method for generating feature codes of a mobile botnet according to claim 2, wherein the network access point in step 0-1 comprises a GPRS access point.
4. The method for generating feature codes of a mobile botnet according to claim 2, wherein the record format in step 0-1 is:
<source IP address, destination IP address, source port, destination port, protocol, time, connection duration>.
5. The method for generating feature codes of a mobile botnet according to claim 2, wherein the cluster analysis in step 0-2 comprises the X-MEANS method.
6. The method for generating feature codes of a mobile botnet according to claim 2, further comprising, before step 0-2:
filtering out all intranet-to-extranet communication and packets that did not completely establish a connection, so as to exclude part of the data.
7. The method for generating feature codes of a mobile botnet according to claim 2, further comprising, before step 0-2:
whitelist filtering, so as to exclude part of the data, the whitelist containing the IP addresses and domain names of well-known web servers.
8. The method for generating feature codes of a mobile botnet according to claim 2, wherein step 0-2 comprises:
classifying the resulting related flows, aggregating network flows with the same attribute values into one aggregate flow; and
extracting features from the aggregate flow and mapping them to a multidimensional vector in a multidimensional vector space, the dimension of the vector space being equal to the number of features.
9. The method for generating feature codes of a mobile botnet according to claim 8, wherein step 0-2 further comprises:
using the X-MEANS clustering algorithm to reduce the number of feature variables, that is, dividing the set of multidimensional vectors into a plurality of first sets; and
using the X-MEDOIDS clustering algorithm to divide the first sets again, obtaining a plurality of second sets.
10. A method for detecting a mobile botnet using the feature codes generated by the method of any one of claims 1 to 9, comprising:
capturing the network traffic of a host group to be detected, said traffic consisting of packets, each packet having a header and a payload, the header and the payload being a series of character strings;
performing string matching using the feature codes; and
determining from the matching result whether the host group to be detected is a botnet.
Application CN201110315580A, filed 2011-10-18 (priority date 2011-10-18), published as CN102333313A on 2012-01-25; legal status pending. Family ID: 45484888. Country: CN.

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882739A (en) * 2012-09-07 2013-01-16 中国科学院信息工程研究所 Communication behavior detection method and device
CN103297433A (en) * 2013-05-29 2013-09-11 中国科学院计算技术研究所 HTTP botnet detection method and system based on net data stream
CN103746982A (en) * 2013-12-30 2014-04-23 中国科学院计算技术研究所 Automatic generation method and system for HTTP (Hyper Text Transport Protocol) network feature code
CN103916288A (en) * 2013-12-27 2014-07-09 哈尔滨安天科技股份有限公司 Botnet detection method and system on basis of gateway and local
WO2014180293A1 (en) * 2013-05-07 2014-11-13 Li Dongge Method and device for matching signatures on the basis of motion signature information
CN105072045A (en) * 2015-08-10 2015-11-18 济南大学 Wireless router capable of discovering malicious software network behaviors
CN105978897A (en) * 2016-06-28 2016-09-28 南京南瑞继保电气有限公司 Detection method of electricity secondary system botnet
CN106850571A (en) * 2016-12-29 2017-06-13 北京奇虎科技有限公司 The recognition methods of Botnet family and device
CN107592312A (en) * 2017-09-18 2018-01-16 济南互信软件有限公司 A kind of malware detection method based on network traffics
CN109150859A (en) * 2018-08-02 2019-01-04 北京北信源信息安全技术有限公司 A kind of Botnet detection method flowing to similitude based on network flow
CN109788079A (en) * 2017-11-15 2019-05-21 瀚思安信(北京)软件技术有限公司 DGA domain name real-time detection method and device
US10390373B2 (en) 2013-05-07 2019-08-20 Hangzhou Zhileng Technology Co. Ltd. Method, apparatus and system for establishing connection between devices
CN110825924A (en) * 2019-11-01 2020-02-21 深圳市前海随手数据服务有限公司 Data detection method, device and storage medium
CN111163071A (en) * 2019-12-20 2020-05-15 杭州九略智能科技有限公司 Unknown industrial protocol recognition engine
CN111182002A (en) * 2020-02-19 2020-05-19 北京亚鸿世纪科技发展有限公司 Zombie network detection device based on HTTP (hyper text transport protocol) first question-answer packet clustering analysis
CN112839018A (en) * 2019-11-25 2021-05-25 华为技术有限公司 Degree value generation method and related equipment
CN113271303A (en) * 2021-05-13 2021-08-17 国家计算机网络与信息安全管理中心 Botnet detection method and system based on behavior similarity analysis

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101404658A (en) * 2008-10-31 2009-04-08 北京锐安科技有限公司 Method and system for detecting bot network
CN102035793A (en) * 2009-09-28 2011-04-27 成都市华为赛门铁克科技有限公司 Botnet detecting method, device and network security protective equipment
CN102130920A (en) * 2011-04-19 2011-07-20 成都梯度科技有限公司 Botnet discovery method and system thereof




Legal Events

Code Title
C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C02 / WD01: Invention patent application deemed withdrawn after publication (patent law 2001)

Application publication date: 2012-01-25