Malware detection system and method based on a transparent proxy
Technical field
The present invention relates to a malware detection system and method based on a transparent proxy. It belongs to the field of information security and concerns transparent proxy equipment.
Background technology
Spyware is a kind of malware that can be installed on a computer and collect information about the user without the user's knowledge. Spyware installs and runs covertly, so the user finds it hard to detect. Spyware monitors the user's computer over a long period and collects large amounts of information, such as browsing habits, visited addresses and shopping habits; it may also interfere with the user's control of the computer, for example by installing extra software or redirecting the web browser's home page.
In response to spyware, some companies have developed anti-spyware products, and running anti-spyware on Windows computers in particular has become quite common. A user's computer is typically infected with several pieces of spyware, and an infected computer often shows degraded performance, such as excessive CPU usage, heavy disk consumption and network congestion.
Many programmers and commercial companies have released products dedicated to deleting or blocking spyware. Anti-spyware programs are generally used only to detect and remove spyware already installed on the computer. The user can schedule a daily, weekly or monthly scan that detects and deletes any spyware installed on the computer. Such anti-spyware scans the contents of the Windows registry, operating system files and installed programs, and presents a list of threats from which the user chooses what to delete and what to keep.
This type of anti-spyware identifies malware using a list of known spyware and signatures. Like antivirus software, it needs real-time updates to its spyware database to remain effective. Usually a piece of spyware has already spread widely by the time its sample is reported to the anti-spyware company, which then studies it and produces the "signature" or "definition" that makes it detectable, so this detection mechanism generally lags behind.
Host-based anti-spyware of this kind is currently the most widely adopted solution, but it faces several problems. First, like a virus database, the spyware database needs real-time updates and must achieve minimal false-negative and false-positive rates; current anti-spyware falls short here, and detection lag and mistaken deletion of normal software occur. Second, much spyware does not run independently but is packaged as a program component inside a music player or download tool, or runs as a browser plug-in, and such spyware is hard to remove completely. Third, host-based anti-spyware is easily disabled by malware, and rootkit-level spyware, a special kind of malware that essentially cannot be detected, is increasingly common; host-based anti-spyware is therefore unreliable in many circumstances.
Another approach to identifying malware is to use a network packet capture tool such as Sniffer, Wireshark or Tcpdump, which can analyse whether a network has been infected. Such tools, however, need to capture large numbers of packets and are not very effective at identifying malware; they are used more for forensic analysis after anti-spyware has found a machine to be infected, or for diagnosing network faults.
Summary of the invention
The object of the invention is to address the above problems by providing a malware detection system and control method based on a transparent proxy. This clientless malware detection scheme is deployed at a network gateway or router, where it inspects inbound and outbound network connections to identify malware; it is effective, easy to implement, and realised with transparent proxy technology.
To achieve this object, the invention is realised by the following technical scheme:
A malware detection system based on a transparent proxy comprises a data control module, which is connected to a monitoring module and sends data to it; the monitoring module sends the data to a protocol detection module, which produces a protocol type; the protocol detection module is connected to a challenge generation module, which in turn is connected to the data control module; the system further comprises a response processing module connected to the monitoring module and the data control module.
The system sits between the terminal and the remote server and completes the communication between them: the terminal sends data to the server through the data control module, the data control module passes all data to the monitoring module, and the data control module receives the result from the response processing module.
The challenge generation module generates a challenge based on the protocol type produced by the protocol detection module and sends the challenge to the terminal.
The system further comprises a classification module, which is connected to a report module. The detection method comprises the following steps:
Step 1: an application running on the terminal sends initial data to the remote server through the data control module of the detection system;
Step 2: the data control module sends the initial data to the monitoring module, and the monitoring module sends the data to the protocol detection module;
Step 3: the protocol detection module identifies the protocol type of the initial data using protocol fingerprints and sends the protocol type to the challenge generation module;
Step 4: the challenge generation module generates a challenge for the application based on the protocol type and sends the challenge to the application on the terminal through the data control module;
Step 5: the application on the terminal responds to the challenge; the response passes through the data control module to the monitoring module and is then forwarded to the response processing module;
Step 6: the response processing module receives the application's response, judges the response to be valid or invalid, and sends the result to the data control module;
Step 7: the data control module decides, according to the judgement, whether the connection to the remote server may continue: if the response is judged valid, the application is allowed to continue connecting to the remote server; if the response is invalid, the data control module reports that malware has been detected and stops the application from continuing to connect to the remote server.
In Step 1 the data control module can suspend the terminal's transmission of the initial data to the remote server.
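The following is an added illustration of Steps 1 to 7 (and of the browser redirect challenge of Fig. 8) as a small proxy state machine; it is not the patent's own implementation, and the class, method, path and flow-id names are assumptions. Protocol detection is reduced to HTTP here, the challenge is a redirect carrying a random nonce, and the state table of Table 1 maps each held flow to its challenge.

```python
import secrets
import time
from dataclasses import dataclass

# Added illustration of Steps 1-7 and the Fig. 8 browser challenge; the class,
# method and path names are assumptions, not the patent's own implementation.


@dataclass
class Entry:
    """One row of the state correspondence table (Table 1)."""
    protocol: str
    nonce: str
    issued: float
    original: bytes      # Step 1 data held back from the remote server


def detect_protocol(data: bytes) -> str:
    """Protocol fingerprint reduced to HTTP for this example (Step 3)."""
    request_line = data.split(b"\r\n", 1)[0]
    return "http" if request_line.endswith((b"HTTP/1.0", b"HTTP/1.1")) else "unknown"


def make_challenge(protocol: str, nonce: str) -> bytes:
    """Step 4: for HTTP the challenge is an encoded redirect that a real browser
    follows automatically and that displays nothing to the user."""
    if protocol == "http":
        return (b"HTTP/1.1 302 Found\r\nLocation: /challenge/" + nonce.encode()
                + b"\r\nContent-Length: 0\r\n\r\n")
    raise ValueError("no challenge defined for protocol " + protocol)


class TransparentProxy:
    def __init__(self, timeout: float = 5.0, clock=time.monotonic):
        self.timeout = timeout          # response deadline (the "set time")
        self.clock = clock              # injectable so tests can advance time
        self.table = {}                 # Table 1: flow id -> Entry
        self.report = []                # report module: (flow id, verdict)

    def intercept(self, flow_id: str, data: bytes) -> bytes:
        """Steps 1-4: suspend the data, fingerprint it, challenge the application."""
        protocol = detect_protocol(data)
        nonce = secrets.token_hex(8)
        challenge = make_challenge(protocol, nonce)
        self.table[flow_id] = Entry(protocol, nonce, self.clock(), data)
        return challenge

    def handle_response(self, flow_id: str, response: bytes):
        """Steps 5-7: judge the reply; return (verdict, data to forward or None)."""
        entry = self.table.pop(flow_id, None)
        if entry is None:
            return "invalid", None
        expected = b"GET /challenge/" + entry.nonce.encode() + b" HTTP/1."
        in_time = self.clock() - entry.issued <= self.timeout
        if in_time and response.startswith(expected):
            return "valid", entry.original          # release to the remote server
        self.report.append((flow_id, "malware"))      # block and report
        return "invalid", None

    def expire(self) -> int:
        """Flows that never answered within the deadline are reported as malware."""
        now = self.clock()
        late = [f for f, e in self.table.items() if now - e.issued > self.timeout]
        for flow_id in late:
            del self.table[flow_id]
            self.report.append((flow_id, "malware"))
        return len(late)
```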
The beneficial effects of the invention are as follows. Compared with the traditional method of detecting known malware by signature, the method proposed here can confirm the legitimacy of every outgoing network session based on the program's network behaviour. The method has two main points: first, the network characteristics of an application can be determined by protocol fingerprint recognition at a transparent proxy deployed at the enterprise network boundary; second, the transparent proxy produces an active content challenge to distinguish legitimate software from malware. The method does not interfere with the normal operation of programs and is transparent to the user.
A network-based transparent proxy can be deployed at the enterprise network egress to inspect all traffic leaving the enterprise. The transparent proxy can also be deployed as a front end on a workstation or notebook computer, where it only needs to inspect the outgoing data of that workstation or notebook. By analysing the outgoing traffic, the transparent proxy can distinguish different browsers (Internet Explorer, Firefox, Opera, Chrome).
Malware that exists as a browser component (for example an IE component) can also be detected by this method. The transparent proxy can also identify malware that communicates over VoIP protocols, including the Session Initiation Protocol (SIP), the Session Description Protocol (SDP), the Real-time Transport Control Protocol (RTCP), the Real-time Transport Protocol (RTP) and so on.
Compared with host-based schemes, this transparent proxy solution differs as follows:
1. Because no client needs to be installed, conflicts with other client software such as antivirus software are avoided, and the availability of the user's computer is preserved.
2. No signature updates are required. Some embodiments may still use signatures, but only to improve the recognition rate of known malware; signatures then need to be updated only on the transparent proxy, which is convenient.
3. Because the transparent proxy need not be installed on each computer, it cannot be disabled or disrupted by malware that uses rootkits or other host-side process-hiding evasion techniques. On the contrary, when malware attempts to communicate externally it is observed by the transparent proxy and can be analysed further in a controlled environment.
Description of drawings
Fig. 1 is a structural diagram of the invention;
Fig. 2 is the malware detection flow chart of the transparent proxy of the invention;
Fig. 3 is a network architecture diagram of the invention applied in an enterprise network;
Fig. 4 is an architecture diagram of the invention applied on a notebook computer or workstation;
Fig. 5 is the malware detection message flow diagram of the transparent proxy of the invention;
Fig. 6 is a flow chart of another working mode of malware detection by the transparent proxy of the invention;
Fig. 7 is a message flow diagram of that other working mode of malware detection by the transparent proxy of the invention;
Fig. 8 is the message flow diagram of malware detection when the invention interacts with a web browser.
Embodiment
The invention is further described below with reference to the accompanying drawings and embodiments.
In Fig. 1, a malware detection system based on a transparent proxy comprises a data control module, which is connected to a monitoring module and sends data to it; the monitoring module sends the data to a protocol detection module, which produces a protocol type; the protocol detection module is connected to a challenge generation module, which in turn is connected to the data control module; the system further comprises a response processing module connected to the monitoring module and the data control module. The system sits between the terminal and the remote server and completes the communication between them: the terminal sends data to the server through the data control module, the data control module passes all data to the monitoring module, and the data control module receives the result from the response processing module.
Fig. 3 shows an enterprise network, comprising workstations and notebook computers, that uses this transparent-proxy-based malware detection system. The architecture is fully transparent: it makes no modification to the protocols or data passing through it, supports a variety of protocols including HTTP, HTTPS and VoIP protocols, and can handle all encrypted and unencrypted traffic.
Fig. 4 shows the transparent proxy applied on a notebook computer or workstation, which communicates with the remote server through the transparent proxy. The invention uses network traffic analysis, but not directly to identify malware; it is used to identify the application that sends the data. Header information of the intercepted data is analysed, including timing, source/destination addresses and ports. In addition, "HTTP header" directives and special HTTP header fields may be used to identify known browser applications and to determine whether these programs are known programs, captured malware or unknown traffic.
In Fig. 1 the transparent proxy comprises interfaces for receiving and sending application traffic and remote server traffic. The transparent proxy may be deployed at the network boundary to inspect traffic leaving the network.
The monitoring module inspects the data transmissions from applications running on all computers to remote servers, while the applications wait for the remote server's response. Applications include web browsers, VoIP programs, peer-to-peer applications, database clients, database servers and so on. The monitoring module passes the data traffic received through the data interface on to the protocol detection module.
The protocol detection module analyses the data sent by the application and uses protocol fingerprints to determine the protocol type carrying the data. The protocol type may be one of: HTTP, a VoIP protocol, the Session Description Protocol, the Session Initiation Protocol, the Real-time Transport Control Protocol and so on.
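As an added example of the protocol fingerprinting the protocol detection module performs (not the patent's own code), the function below classifies the first payload an application sends as HTTP, SIP, SDP, RTP or RTCP. The heuristics are assumptions of this example: version tokens on the request line for the text protocols, the "v=0" line for SDP, and the RFC 3550 version bits and packet-type byte for RTP/RTCP.

```python
# Added example: a protocol-fingerprint function for the protocol detection
# module. The heuristics are assumptions, not the patent's; they look only at
# the first bytes of the first payload an application sends.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ",
                b"CONNECT ", b"TRACE ")
SIP_METHODS = (b"INVITE ", b"REGISTER ", b"ACK ", b"BYE ", b"CANCEL ",
               b"OPTIONS ", b"SUBSCRIBE ", b"NOTIFY ", b"MESSAGE ")
RTCP_TYPES = range(200, 205)   # SR, RR, SDES, BYE, APP packet types (RFC 3550)


def fingerprint(payload: bytes) -> str:
    """Return "http", "sip", "sdp", "rtp", "rtcp" or "unknown"."""
    if not payload:
        return "unknown"
    first_line = payload.split(b"\r\n", 1)[0]
    # Text protocols: the request line ends with the protocol version token,
    # which also disambiguates OPTIONS, a method name shared by HTTP and SIP.
    if first_line.startswith(HTTP_METHODS) and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "http"
    if first_line.startswith(SIP_METHODS) and first_line.endswith(b"SIP/2.0"):
        return "sip"
    # An SDP session description always begins with the version line "v=0".
    if payload.startswith((b"v=0\r\n", b"v=0\n")):
        return "sdp"
    # Binary RTP/RTCP: the two high bits of byte 0 hold version 2 (RFC 3550).
    # RTCP packet types occupy all of byte 1; RTP keeps its payload type in the
    # low 7 bits, so RTP payload types 72-76 with the marker bit set would be
    # misread as RTCP (RFC 5761 advises against using that range for RTP).
    if len(payload) >= 8 and payload[0] >> 6 == 2:
        if payload[1] in RTCP_TYPES:
            return "rtcp"
        if len(payload) >= 12:           # minimum RTP header length
            return "rtp"
    return "unknown"
```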
The challenge generation module produces a challenge for the application based on the protocol type, sends the challenge to the application, and maintains a state table relating the data to the challenge. Through this state table the module can relate the application's later response to its first data transmission. The challenge does not affect the application's normal operation and is transparent to the user. For example, where the application is a web browser, the challenge is an encoded page redirect request, which the target browser receives and processes.
The challenge generation module sends the challenge to the application; the response processing module receives the application's response to the challenge and determines whether the response is valid. The application's response does not involve the end user.
When the response is valid, the data control module allows the data to be transmitted to the remote server through the proxy's interfaces. When the response is invalid, the data control module blocks the data from being transmitted to the remote server through those interfaces.
The data control flow can also be realised in another way: the data control module first lets the data pass to the remote server; when the response is valid, the data control module allows the remote server to communicate with the application through the interface, and when the response is invalid it stops the remote server from communicating with the application through the interface.
The system also comprises a malware classification module, used to identify malware running on the computer, and a report module, which generates malware reports. Malware is confirmed automatically by analysing the first data the application sends, the application type and the application's non-interactive response. The response processing module determines whether the response is valid and thereby whether the application is malware, and outputs the result to the classification module; the classification module records the relevant parameters of the detected application, assigns it to the relevant category, and further outputs the result to the report module for use in producing reports.
Fig. 5 shows the malware detection message flow of the transparent proxy. An application attempts to send data through the transparent proxy to a remote server. The transparent proxy monitors the traffic sent by all applications and analyses the protocol type used when the application sends its message. The transparent proxy produces an active content challenge according to the protocol type the application uses; the inherent properties of the specific protocol can be used to produce the challenge.
The active content challenge is invisible to the user and is specific to the application. If the application successfully sends a valid message in response to the content challenge, the transparent proxy can confirm that the data is produced by a normal application. Malware cannot respond normally to a carefully constructed active content challenge. If the application's response is invalid, or no response is sent within the set time, the application is deemed to be malware: the data is prevented from continuing to the remote server, and the presence of malware on the machine is reported, as shown in scenario 2 of Fig. 5. If the transparent proxy receives a valid application response, it forwards the received data to the remote server and allows subsequent data communication between the application and the server, as shown in scenario 1 of Fig. 5.
The end user does not need to take part in this process, which introduces almost no delay for the user and provides a good user experience. Even if the malware attempts to connect again to the same or another server, it is not allowed to. The method is therefore quite effective against malware that hides itself by file replacement, thread injection and similar means, or that injects its traffic into a normal process: unlike the normal program, the disguised malware cannot correctly parse the challenge and generate a valid response.
Fig. 2 is the malware detection flow chart of the transparent proxy. The transparent proxy inspects the data sent by the application to the remote server and suspends the transmission. It identifies the protocol type, produces a challenge for the application based on that protocol type, and sends the challenge to the application. The transparent proxy stores a state correspondence table between the detected data and the generated challenge. It then decides according to the response received: if the response is valid the data is allowed to continue, and if it is invalid the data is blocked. The state correspondence table is kept in memory; it records the correspondence between each item of intercepted data and the challenge generated for it, so that the corresponding data can be released or blocked according to the response to the challenge. Its contents are as shown in Table 1.
Table 1 State correspondence table
Data 1 | Challenge 1
Data 2 | Challenge 2
Data 3 | Challenge 3
…… | ……
Fig. 6 is the malware detection message flow of another kind of transparent proxy. The application sends data to the remote server through the transparent proxy. The transparent proxy inspects all outgoing data and identifies the protocol type used by the application sending the message. It then produces an active content challenge and sends it to the application. According to the application's response, the transparent proxy decides whether to allow data transmission between the remote server and the application. Fig. 7 is the malware detection flow chart corresponding to Fig. 6.
Fig. 8 shows the malware detection message flow when the transparent proxy interacts with a web browser: the web browser requests a page from a remote web server. The transparent proxy produces a challenge from a randomly generated hash and sends it to the web browser; the challenge content is constructed using intrinsic browser features, including HTML, JavaScript, Flash and so on. The challenge is an encoded page redirect request addressed to the web browser; the encoding displays no content and is invisible to the user. Only a properly functioning browser can respond correctly to this redirect request, and only then is the web browser allowed to receive the response to its original page request from the remote server. A malicious program cannot make a valid response, or fails to respond within a certain time, and is thereby exposed. When the transparent proxy detects malware, it can block the remote server's response and report that malware has been detected on the computer concerned.
The transparent proxy detection engine of the invention should define a framework that can handle other protocol specifications. The framework should be extensible, allowing third parties to introduce new protocols and define protocol behaviour detection signatures in the same way the HTTP protocol is defined.
The transparent proxy malware detection system of the invention can be realised as an independent hardware device with a carefully trimmed, stable operating system and high-performance processors, memory, network cards and so on, so as to suit a large enterprise network. Each functional module can be designed separately, with communication interfaces between modules. A module can be realised in hardware, software, a combination of hardware and software, or firmware. Usable computer languages include C, C++, Java, Basic, Matlab and so on; usable hardware includes computers, microcontrollers, microprocessors, ASICs (Application Specific Integrated Circuits), FPGAs (Field-Programmable Gate Arrays), CPLDs (Complex Programmable Logic Devices) and so on. Computers and microcontrollers can be programmed in languages such as C and C++; ASICs, FPGAs and CPLDs use a hardware description language (HDL), including VHDL (VHSIC Hardware Description Language) or Verilog HDL (currently the most widely used hardware description language). Combinations of the above technologies can realise the various functions described for the invention.