CN102833240A - Malicious code capturing method and system - Google Patents

Info

Publication number
CN102833240A
CN102833240A
Authority
CN
China
Prior art keywords
mail
malicious code
apocrypha
information
mail data
Prior art date
Legal status
Granted
Application number
CN201210294945XA
Other languages
Chinese (zh)
Other versions
CN102833240B (en)
Inventor
云晓春
李书豪
张永铮
臧天宁
王一鹏
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201210294945.XA
Publication of CN102833240A
Application granted
Publication of CN102833240B
Legal status: Active
Anticipated expiration

Abstract

The invention relates to a malicious code capturing method and system. The method comprises: acquiring e-mail data from multiple e-mail data sources; parsing the e-mail data, recording the files that cannot be excluded according to a set false negative rate as suspicious files, and storing the suspicious files in a suspicious file database; detecting the suspicious files using a malicious code feature database and manual detection; and storing the suspicious files whose detection result is abnormal in a malicious code sample database. The method and system are applicable to related honeypot and honeynet systems, can increase the coverage of captured objects, and improve the ability to capture malicious code.

Description

Malicious code capturing method and system
Technical field
The present invention relates to the field of network information security technology, and in particular to a malicious code capturing method and system.
Background
Malicious code such as network worms, Trojan horses and botnets emerges in an endless stream and causes significant damage to network information security. In order to analyze and detect malicious code better, defenders first need to study methods for obtaining malicious code from the Internet in large quantities; honeypot and honeynet technologies arose in response to this need and have gradually matured. Honeypot technology means that the defender provides virtual or real hosts, servers and other intelligent terminals, or simulates related services, to be scanned and intruded upon by attackers, thereby obtaining the relevant malicious code. A honeynet is a network with a certain topology made up of several associated honeypots; it can be regarded as a large-scale, distributed honeypot system. In general a honeypot is not used as a normal host, server or terminal: it is mainly used to attract attackers, the captured attack information is analyzed and used for detection, corresponding defense policies are then designed, and the harm caused by attackers is prevented or weakened.
Traditional honeypots fall into three classes: virtual honeypots, virtual machine honeypots and physical honeypots. A virtual honeypot lures attackers by simulating network topology, operating systems and network services. Although such honeypots consume few resources, their interaction capability is low and they can only capture low-interaction malicious code, such as some network worms. A virtual machine honeypot lures attackers by designing certain vulnerabilities or weaknesses into a virtual machine. The advantages of this type are that it saves resources, supports a certain degree of interaction and can obtain more complete attack information; however, attackers can easily discover it using virtual machine detection techniques, and it then loses its effect of capturing malicious code. A physical honeypot uses real equipment into which certain vulnerabilities or weaknesses are designed to lure attackers; it can interact with attackers at a high level and is hard to detect, but its cost is very high and it is unsuitable for large-scale deployment.
In honeypot and honeynet technology, how to capture more malicious code per unit time is one of the key problems, and this problem is closely related to the propagation methods of malicious code. In general, malicious code propagation can be divided into two broad types: propagation by exploiting vulnerabilities and propagation by social engineering. Vulnerability-based propagation requires no interaction with the victim, and traditional honeypot technology is mostly designed around this type. Social engineering propagation analyzes and exploits weaknesses such as the victim's natural reactions, curiosity, trust and greed to achieve intrusion by deception, and its propagation process requires the user's participation. With the development of network services and applications, social engineering propagation has become more diverse and more complex. In recent years more and more malicious code has adopted this type of propagation (i.e. social engineering propagation), for example Koobface, Stuxnet and Zeus.
Existing honeypots can capture vulnerability-based malicious code well, but for some malicious code propagated by social engineering there is still no efficient capture method, especially for malicious code propagated by social engineering over the e-mail network. This type of malicious code propagates along the links of the e-mail network: trap mails that carry the malicious code, or a means of accessing it, are pushed to users' mailboxes, luring the victim into executing the malicious code in the trap mail, or into visiting (downloading) and executing the malicious code through the web link or other means the mail provides, thereby intruding on the victim's computer. Such malicious code often uses the victim's own mailbox to send the trap mail to the victim's e-mail contacts, thereby infecting more e-mail users.
It can be seen that the above malicious code may exploit the trust relationships between users in the e-mail network to propagate. The e-mail network is a social network formed by mailbox users contacting each other by mail, and it is also an important application type of complex network. Researchers usually abstract a complex network into a graph for analysis; for the above e-mail network, each user mailbox is represented by a "vertex", and the mail between two users and its quantity are represented by an "edge" and a "weight" (if there is no mail between two users, there is no edge between the corresponding vertices). In social networks the average network distance is small, the clustering coefficient is large, and the node degree follows an exponential distribution.
However, existing honeypot and honeynet technologies have not yet fully considered malicious code propagated over the e-mail network by social engineering, and they are not designed to use the above social network characteristics to capture more malicious code of this propagation type. It is clear that existing honeypot and honeynet technologies cannot effectively capture, on a large scale, malicious code propagated over the e-mail network by social engineering.
Summary of the invention
The technical problem to be solved by the present invention is to provide a malicious code capturing method and system that improve the ability to capture malicious code propagated over the e-mail network by social engineering.
To solve the above technical problem, the present invention proposes a malicious code capturing method, comprising:
obtaining mail data from multiple e-mail data sources;
parsing the mail data, recording the files in the mail data that cannot be excluded according to a set false negative rate as suspicious files, and storing the suspicious files in a suspicious file database;
detecting the suspicious files using a malicious code feature database and manual detection, and storing the suspicious files whose detection result is abnormal in a malicious code sample database.
Further, the above malicious code capturing method may also have the following feature, further comprising:
obtaining a malicious code sample from the malicious code sample database, running the sample in a sandbox, recording the feature information of the sample and storing it in the malicious code feature database.
Further, the above malicious code capturing method may also have the following feature: before obtaining mail data from multiple e-mail data sources, it further comprises:
using an e-mail terminal virtual honeypot selection and deployment algorithm to allocate and optimize the use of virtual honeypot resources. The e-mail terminal virtual honeypot selection and deployment algorithm is: abstract the e-mail network over which the malicious code propagates into a social-network weighted directed graph model with small-world features, composed of vertices and edges; a vertex represents an e-mail account, an edge represents the mail exchanged between two e-mail accounts, the weight of an edge represents the number of mails exchanged within a certain period, the in-degree of a vertex represents the number of senders to that vertex within a certain period, and the out-degree represents the number of recipients of that vertex within a certain period.
Further, the above malicious code capturing method may also have the following feature: obtaining mail data from multiple e-mail data sources comprises:
obtaining e-mail data source information according to preset first configuration information, and extracting the type of the e-mail data source, the type being an automatically registered e-mail terminal, a volunteer e-mail account, or privacy-removed mail data provided by a partner organization;
if the e-mail data source is an automatically registered e-mail terminal or a volunteer e-mail account, obtaining the pending mail from that data source at each polling cycle of the data source and writing the mail data of the pending mail into the mass-mail raw information database, the mail data comprising the header information of the pending mail's source code, the summary information generated from that header information, the source code text of the pending mail and the accessible files of the pending mail;
if the e-mail data source is privacy-removed mail data provided by a partner organization, normalizing the data of that data source, removing the privacy information of the pending mail, and writing the mail data of the pending mail into the mass-mail raw information database, the mail data comprising the header information of the pending mail's source code, the summary information generated from that header information, the source code text of the pending mail and the accessible files of the pending mail.
Further, the above malicious code capturing method may also have the following feature: the header information of the pending mail's source code comprises the language, encoding type, attachment type, sender IP address information, recipient IP address information and IP-based mail routing information.
Further, the above malicious code capturing method may also have the following feature: the content of the summary information comprises the recipient, sender, subject, body length, whether attachments are present, and the e-mail data source type.
Further, the above malicious code capturing method may also have the following feature: parsing the mail data, recording the files in the mail data that cannot be excluded according to the set false negative rate as suspicious files, and storing the suspicious files in the suspicious file database comprises:
initializing according to preset second configuration information;
parsing the header information and the source code text of the pending mail's source code, and storing abnormal header information and/or source code text in the malicious code sample database;
filtering the accessible files of the pending mail according to the set false negative rate, excluding normal files, and storing the files that cannot be excluded in the suspicious file database as suspicious files.
Further, the above malicious code capturing method may also have the following feature: detecting the suspicious files using the malicious code feature database and manual detection, and storing the suspicious files whose detection result is abnormal in the malicious code sample database comprises:
initializing according to preset second configuration information;
detecting the suspicious files according to the malicious code feature information stored in the malicious code feature database, and storing the suspicious files that contain such feature information in the malicious code sample database;
for the suspicious files that cannot be detected according to the malicious code feature information, performing manual detection according to a preset expert system, and storing the new feature information produced by the suspicious files judged to be malicious code during manual detection in the malicious code feature database.
To solve the above technical problem, the invention also proposes a malicious code capturing system, comprising:
an acquisition module, for obtaining mail data from multiple e-mail data sources;
a parsing module, for parsing the mail data obtained by the acquisition module, recording the files in the mail data that cannot be excluded according to a set false negative rate as suspicious files, and storing the suspicious files in a suspicious file database;
a detection module, for detecting the suspicious files output by the parsing module using a malicious code feature database and manual detection, and storing the suspicious files whose detection result is abnormal in a malicious code sample database.
Further, the above malicious code capturing system may also have the following feature, further comprising:
a sandbox module, for obtaining a malicious code sample from the malicious code sample database, running the sample in a sandbox, recording the feature information of the sample and storing it in the malicious code feature database.
Further, the above malicious code capturing system may also have the following feature, further comprising, connected to the acquisition module:
an algorithm selection module, for using the e-mail terminal virtual honeypot selection and deployment algorithm to allocate and optimize the use of virtual honeypot resources. The e-mail terminal virtual honeypot selection and deployment algorithm is: abstract the e-mail network over which the malicious code propagates into a social-network weighted directed graph model with small-world features, composed of vertices and edges; a vertex represents an e-mail account, an edge represents the mail exchanged between two e-mail accounts, the weight of an edge represents the number of mails exchanged within a certain period, the in-degree of a vertex represents the number of senders to that vertex within a certain period, and the out-degree represents the number of recipients of that vertex within a certain period.
Further, the above malicious code capturing system may also have the following feature: the acquisition module comprises:
an extraction unit, for obtaining e-mail data source information according to the preset first configuration information and extracting the type of the e-mail data source, the type being an automatically registered e-mail terminal, a volunteer e-mail account, or e-mail data provided by a partner organization;
a first acquisition unit, for, when the e-mail data source is an automatically registered e-mail terminal or a volunteer e-mail account, obtaining the new mail from that data source at each polling cycle of the data source and writing the mail data of the pending mail into the mass-mail raw information database, the mail data comprising the header information of the pending mail's source code, the summary information generated from that header information, the source code text of the pending mail and the accessible files of the pending mail;
a second acquisition unit, for, when the e-mail data source is e-mail data provided by a partner organization, normalizing the data of that data source, removing the privacy information of the pending mail, and writing the mail data of the pending mail into the mass-mail raw information database, the mail data comprising the header information of the pending mail's source code, the summary information generated from that header information, the source code text of the pending mail and the accessible files of the pending mail.
Further, the above malicious code capturing system may also have the following feature: the header information of the pending mail's source code comprises the language, encoding type, attachment type, sender IP address information, recipient IP address information and IP-based mail routing information.
Further, the above malicious code capturing system may also have the following feature: the content of the summary information comprises the recipient, sender, subject, body length, whether attachments are present, and the e-mail data source type.
Further, the above malicious code capturing system may also have the following feature: the parsing module comprises:
a first initialization unit, for initializing according to the preset second configuration information;
a parsing unit, for parsing the header information and the source code text of the pending mail's source code, and storing abnormal header information and/or source code text in the malicious code sample database;
a filtering unit, for filtering the accessible files of the pending mail according to the set false negative rate, excluding normal files, and storing the files that cannot be excluded in the suspicious file database as suspicious files.
Further, the above malicious code capturing system may also have the following feature: the detection module comprises:
a second initialization unit, for initializing according to the preset second configuration information;
a first detection unit, for detecting the suspicious files according to the malicious code feature information stored in the malicious code feature database, and storing the suspicious files that contain such feature information in the malicious code sample database;
a second detection unit, for performing manual detection according to a preset expert system on the suspicious files that cannot be detected according to the malicious code feature information, and storing the new feature information produced by the suspicious files judged to be malicious code during manual detection in the malicious code feature database.
The malicious code capturing method and system of the present invention can be applied to related honeypot and honeynet systems, can increase the coverage of captured objects, and improve the ability to capture malicious code.
Description of the drawings
Fig. 1 is a flow chart of the acquisition step of the malicious code capturing method in an embodiment of the invention;
Fig. 2 is a flow chart of the parsing step of the malicious code capturing method in an embodiment of the invention;
Fig. 3 is a flow chart of the detection step of the malicious code capturing method in an embodiment of the invention;
Fig. 4 is a structural diagram of the malicious code capturing system in an embodiment of the invention.
Embodiments
The principles and features of the invention are described below with reference to the drawings. The examples given are only intended to explain the invention, not to limit its scope.
The present invention adopts an e-mail terminal virtual honeypot selection and deployment algorithm to allocate and optimize the use of virtual honeypot resources. This algorithm (i.e. the e-mail terminal virtual honeypot selection and deployment algorithm, the same below) abstracts the e-mail network over which the malicious code propagates into a social-network weighted directed graph model with small-world features, composed of vertices and edges (denoted G=<V, E>). A vertex (denoted v_i) represents an e-mail account, an edge (denoted e_k) represents the mail exchanged between two e-mail accounts, the weight of an edge (denoted w(e_k)) represents the number of mails exchanged within a certain period, the in-degree of a vertex (denoted id(v_i)) represents the number of senders to that vertex within a certain period, and the out-degree (denoted od(v_i)) represents the number of recipients of that vertex within a certain period. The main idea of the algorithm is: perform cluster analysis on the e-mail network; find the subnets in the network with a higher average clustering coefficient; obtain the available e-mail accounts in those subnets; compute a composite evaluation index for each account as a weighted combination of three criteria, the in-degree of the vertex, its activity (number of mails sent per unit time) and its clustering coefficient (the weights are configured and adjusted by the administrator); sort the accounts by the index in descending order, extract a predetermined number of e-mail accounts (configured and adjusted by the administrator) and add them to the virtual honeypot set. For example, the administrator may, according to the attributes of the actual e-mail network, select the nodes with higher in-degree, activity and clustering coefficient (for instance, terminals in the top 30% on all three indices) and compute the composite evaluation index for them.
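The selection algorithm above, worked through as an added example in Python (this is not the patent's own code). It builds G=<V, E> from a constructed mail log, computes id(v_i), the activity as mails sent per day, and the local clustering coefficient of each vertex on the undirected projection of the graph (the patent's cluster analysis of subnets is replaced here by this per-vertex coefficient, which is an assumption), combines the three with administrator-supplied weights and returns the top-k accounts for the virtual honeypot set. The sample log, the window length, the weight vector and all function names are assumptions.

```python
"""Rank e-mail accounts for use as virtual honeypots (added example, not the patent's code).

Builds the weighted directed graph G=<V,E> described in the text from a constructed
mail log, scores each vertex on in-degree id(v), activity (mails sent per day) and
local clustering coefficient, and returns the top-k accounts for the honeypot set.
The sample log, the window length, the weight vector and all names are assumptions.
"""
from collections import defaultdict

# Constructed sample mail log for the window: (sender, recipient, number of mails).
SAMPLE_LOG = [
    ("alice", "bob", 5), ("bob", "alice", 4), ("alice", "carol", 3),
    ("carol", "alice", 2), ("bob", "carol", 1), ("carol", "bob", 2),
    ("dave", "alice", 6), ("dave", "bob", 1), ("erin", "dave", 2),
    ("frank", "erin", 1), ("carol", "dave", 1),
]
WINDOW_DAYS = 7  # assumed length of the observation window


def build_graph(log):
    """Return w[u][v] = w(e) = number of mails u -> v; every account is a key."""
    w = defaultdict(lambda: defaultdict(int))
    for u, v, n in log:
        w[u][v] += n
        w[v]  # ensure pure recipients also appear as vertices
    return {u: dict(d) for u, d in w.items()}


def in_degree(w, v):
    """id(v): number of distinct senders that mailed v in the window."""
    return sum(1 for u in w if u != v and v in w[u])


def activity(w, v, window_days=WINDOW_DAYS):
    """Mails sent by v per day: the out-edge weights summed over the window."""
    return sum(w[v].values()) / window_days


def clustering(w, v):
    """Local clustering coefficient of v on the undirected projection of G."""
    nbrs = {u for u in w if v in w[u]} | set(w[v])
    nbrs.discard(v)
    nl = sorted(nbrs)
    k = len(nl)
    if k < 2:
        return 0.0
    links = sum(
        1
        for i in range(k)
        for j in range(i + 1, k)
        if nl[j] in w[nl[i]] or nl[i] in w[nl[j]]
    )
    return 2.0 * links / (k * (k - 1))


def composite_index(w, v, weights, window_days=WINDOW_DAYS):
    """Administrator-weighted sum of the three criteria (weights are assumed)."""
    a, b, c = weights
    return a * in_degree(w, v) + b * activity(w, v, window_days) + c * clustering(w, v)


def select_honeypots(log, k, weights=(1.0, 1.0, 1.0), window_days=WINDOW_DAYS):
    """Return the k accounts with the highest composite index, best first."""
    w = build_graph(log)
    score = {v: composite_index(w, v, weights, window_days) for v in w}
    return sorted(score, key=lambda v: (-score[v], v))[:k]


if __name__ == "__main__":
    print(select_honeypots(SAMPLE_LOG, 3))
```

On the sample log the three accounts that mail each other most (alice, bob, carol) form a fully connected triangle and win; dave has the highest activity but a lower clustering coefficient, and the leaf accounts erin and frank rank last. Changing the weight vector, as the text says the administrator may, changes the ordering.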
The present invention proposes a malicious code capturing method that comprises the following steps:
Step 1: obtain mail data from multiple e-mail data sources;
Step 1 is called the acquisition step.
The e-mail data sources may be of three types: automatically registered e-mail terminals, volunteer e-mail accounts, and privacy-removed mail data provided by partner organizations (for example mail service providers). The first two types are classified as e-mail account information, and the last type is called cooperative mail data. "Removing privacy information" means that, while still satisfying the basic requirement of obtaining suspicious files, the information in the mail data that may relate to real people and events is replaced automatically or semi-automatically, so as to protect personal privacy and sensitive information.
E-mail terminals are used as virtual honeypots, and the small-world characteristics of the e-mail network are used to deploy the virtual honeypots, forming a virtual honeynet with a special topology that can capture more malicious code more effectively. A "small-world network" is a type of graph in network dynamics in which most nodes can reach each other through a small number of intermediate nodes. Small-world characteristics mainly comprise the clustering coefficient, the average path length and the node degree distribution.
In an embodiment of the invention the mail data may comprise the header information of the e-mail source code, the summary information generated from that header information, the e-mail source code text and the e-mail accessible files. The e-mail accessible files are the files that can be extracted directly from the e-mail, for example images embedded in the body, files downloadable through hyperlinks in the e-mail, and the e-mail's attachment files. The summary information is an abstract of the whole mail and may comprise the word count of the mail, the attachment size, the attachment storage location, and so on.
Fig. 1 is a flow chart of the acquisition step of the malicious code capturing method in an embodiment of the invention. As shown in Fig. 1, in an embodiment of the invention the acquisition step (step 1) may comprise the following sub-steps:
Step 101: obtain the e-mail data source information;
Specifically, the e-mail data source information may be obtained according to the first configuration information, and the type of the e-mail data source (e-mail account information or cooperative mail data) extracted. The first configuration information is predefined by the administrator; its content may include the address of the mass-mail raw information database, the access account and password, the account information list of the e-mail terminals, and so on.
Step 102: judge whether the source is e-mail account information; if so, go to step 103, otherwise go to step 111;
Step 103: obtain the last access time of the target account;
Here, the target account is the e-mail account of step 102.
Step 104: judge whether the polling cycle of the target account has been reached; if so, go to step 105, otherwise go to step 109;
Step 105: access the target account;
Step 106: judge whether the target account has new mail; if so, go to step 107, otherwise go to step 109;
The new mail of the target account is the target mail mentioned below, i.e. the pending mail.
Step 107: generate the summary information of the target mail;
The target mail is the pending mail, the same below.
Step 108: write the source code text and the summary information of the target mail into the mass-mail raw information database;
At the same time, the accessible files of the target mail may be stored in the file system associated with the database, and the file paths of those accessible files written into the mass-mail raw information database.
Step 109: judge whether this is the last target account; if so, go to step 118, otherwise go to step 110;
Step 110: move to the next account and go to step 103;
Step 111: judge whether the source is cooperative mail data; if so, go to step 112, otherwise go to step 118;
Step 112: normalize the multi-source mail data;
Here, "normalization" means processing the mail data from the different data sources uniformly, extracting and generating mail source code in a unified format that the system can recognize (for example the eml file format).
Step 113: locate the target mail;
Step 114: remove the privacy information of the target mail;
Step 115: generate the summary information of the target mail;
The content of the summary information may include the recipient, sender, subject, body length, whether attachments are present, the e-mail data source type, and so on.
Step 116: write the target mail and its summary information into the mass-mail raw information database;
Step 117: judge whether there is still unprocessed mail; if so, go to step 113, otherwise go to step 118;
Step 118: end.
Step 1 uses multiple e-mail data sources as the system input and can capture malicious code propagated over the e-mail network on a large scale.
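The summary generation (steps 107 and 115), the accessible-file record written beside it (step 108) and the privacy removal applied to cooperative mail data (step 114), as an added example in Python that is not the patent's own code. The summary fields follow the list in the text; the accessible-file record, the salted pseudonym scheme that replaces real addresses while keeping the domain (so the mail graph used for honeypot selection survives), the sample message and all names are assumptions.

```python
"""Per-mail summary record, accessible-file metadata and privacy removal.

Added example, not the patent's code. The summary fields follow the list in the
text (recipient, sender, subject, body length, attachments present, source type);
the accessible-file record and the pseudonym scheme used to strip real addresses
from cooperative (partner-provided) data are assumptions, as is the sample message.
"""
import email
import hashlib
import re
from email import policy

# Constructed sample message with one attachment; the base64 payload is a
# 57-byte blob that merely starts with the "MZ" PE signature.
SAMPLE_EML = b"""From: Alice Example <alice@example.org>
To: bob@example.net
Subject: invoice attached
Date: Mon, 20 Aug 2012 10:00:00 +0800
Message-ID: <1234@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Hi Bob, please open the attached invoice and call alice@example.org.
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

ADDR_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
ADDRESS_HEADERS = (b"from", b"to", b"cc", b"bcc", b"reply-to")


def accessible_files(msg):
    """Metadata for every attachment that can be extracted directly from the mail."""
    files = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        files.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return files


def summarize(raw, source_type):
    """Summary information for one raw message; source_type names the data source."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    files = accessible_files(msg)
    return {
        "sender": str(msg["From"] or ""),
        "recipients": str(msg["To"] or ""),
        "subject": str(msg["Subject"] or ""),
        "body_length": len(text),
        "has_attachment": bool(files),
        "source_type": source_type,
        "accessible_files": files,
    }


def pseudonym(addr, salt):
    """Stable, salted pseudonym that keeps the domain so the mail graph survives."""
    domain = addr.rsplit(b"@", 1)[1]
    tag = hashlib.sha256(salt + addr.lower()).hexdigest()[:12].encode()
    return b"user-" + tag + b"@" + domain


def remove_privacy(raw, salt):
    """Replace addresses everywhere and drop display names from address headers.

    Assumes unfolded headers (each header on one line), as in the sample above.
    """
    head, sep, body = raw.partition(b"\n\n")
    lines = []
    for line in head.split(b"\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() in ADDRESS_HEADERS:
            addrs = [pseudonym(a, salt) for a in ADDR_RE.findall(value)]
            line = name + b": " + b", ".join(addrs)
        else:
            line = ADDR_RE.sub(lambda m: pseudonym(m.group(0), salt), line)
        lines.append(line)
    body = ADDR_RE.sub(lambda m: pseudonym(m.group(0), salt), body)
    return b"\n".join(lines) + sep + body
```

The pseudonymized copy still parses as a normal message, so the same summarize() call works on cooperative data after privacy removal; the salt must be kept secret by the operator, otherwise anyone with a list of candidate addresses can reverse the pseudonyms by brute force.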
Step 2 is resolved mail data, is apocrypha with the file logging that can't get rid of according to the rate of failing to report of setting in the mail data, and this apocrypha is saved in the apocrypha database;
Step 2 is called analyzing step.
Fig. 2 is the flow chart of the analyzing step of malicious code catching method in the embodiment of the invention.As shown in Figure 2, in embodiments of the present invention, analyzing step (being step 2) can specifically comprise following substep:
Step 201 is according to the second configuration information initialization;
Initialization in this step is meant the initialization of parameter, resource etc.
Second configuration information is predefined by the keeper.The content of second configuration information can comprise the parsing number of mail, can arrange number of servers, database address information etc.Also having a content in second configuration information is " crawlers quantity ", and among the present invention, crawlers quantity is greater than 1, and therefore, used in the present invention is parallel crawler technology.
Step 202 is resolved mail header information;
Mail header information can comprise contents such as languages, type of coding, type of attachment, sender IP address information, addressee IP address information, IP-based mail routing iinformation.
Step 203 judges whether header information is unusual, if execution in step 204, otherwise execution in step 205;
Particularly, according to the mail protocol reference format, the mail that all header format are not inconsistent all is regarded as unusual.It is varied to judge that the unusual situation of head has, and for example, can judge whether header information is unusual according to following header information abnormal conditions.The unusual situation of header information comprises: exist spurious, sender IP to be distorted in the header information, sender address is distorted, sender's name is distorted or the like.
Step 204, recording exceptional information writes the apocrypha database, execution in step 205;
Step 205 is resolved Mail Contents information;
Mail Contents also is a message body.
Step 206 judges whether to exist the link of accessible file, if execution in step 209, otherwise execution in step 207;
Wherein, but accessible file comprises the file in the embedded picture of message body, hyperlink file in download, the annex etc.
Step 207 judges whether Mail Contents is unusual, if execution in step 208, otherwise execution in step 213;
The unusual situation of Mail Contents comprises that text has spurious, annex that spurious etc. is arranged.The unusual situation of Mail Contents mainly is divided into text forges and the annex forgery, and text is forged and comprised the forgery of mail header information, the forgery of email body content information; It is a lot of that annex is forged kind, comprises utilizing attachment files binding executable file, latently write invalid data, distorting normal file form etc.
Step 208: record the anomaly information, write it to the suspicious file database, and execute step 213.
Step 209: extract or crawl the retrievable file.
As can be seen from steps 206, 207 and 209, the acquisition mode of the present invention is an interactive active acquisition mode.
Step 210: judge whether the retrievable file of step 209 can be identified as a normal file; if so, execute step 212, otherwise execute step 211.
This step performs a preliminary filtering of retrievable files and can exclude normal files at a relatively high false negative rate. Files that cannot be excluded are suspicious files. These suspicious files may be malicious code and need further detection. The "false negative rate" is set by the administrator in the configuration; its value range is (0, 1), and it is usually set above 50% to keep the false positive rate as low as possible.
Step 211: store the file in the suspicious file database, then execute step 213.
Step 212: delete the target file.
Step 213: end.
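As an added illustration (example code written for this page, not part of the patent or its implementation), the following Python sketch runs steps 202 through 212 over one constructed message. The message itself, the From/Sender domain comparison used as a "forged sender" check, and the benign-confidence scores of the preliminary filter are assumptions of the example; the configured false negative rate is modelled as the benign confidence a file must reach before it is excluded, so raising it keeps more files for analysis, which matches the text's reason for setting it above 50%.

```python
import email
import email.utils
import hashlib
import re
from email import policy

# Constructed sample message (documentation-range addresses and hosts): it lacks the
# mandatory Date header, its Sender domain differs from its From domain, its body
# links to a downloadable file, and it carries a PDF and a text attachment.
SAMPLE_MAIL = (
    "Received: from relay.example.com ([192.0.2.10]) by mx.example.org\r\n"
    'From: "Accounts" <accounts@example.com>\r\n'
    "Sender: relay-user@example.net\r\n"
    "To: bob@example.org\r\n"
    "Subject: Invoice\r\n"
    'Content-Type: multipart/mixed; boundary="B"\r\n'
    "\r\n"
    "--B\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Please see http://files.example.net/invoice.zip\r\n"
    "--B\r\n"
    'Content-Type: application/pdf; name="invoice.pdf"\r\n'
    'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "JVBERi0xLjQK\r\n"  # "%PDF-1.4\n", a constructed stub
    "--B\r\n"
    'Content-Type: text/plain; name="notes.txt"\r\n'
    'Content-Disposition: attachment; filename="notes.txt"\r\n'
    "\r\n"
    "plain notes\r\n"
    "--B--\r\n"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r'https?://[^\s<>"]+')


def parse_headers(msg):
    """Step 202: the header items the text lists (types, addresses, route IPs)."""
    received = msg.get_all("Received") or []
    return {"sender": str(msg.get("From", "")), "recipient": str(msg.get("To", "")),
            "content_type": msg.get_content_type(),
            "attachment_types": [p.get_content_type() for p in msg.iter_attachments()],
            "route_ips": [ip for h in received for ip in IP_RE.findall(str(h))]}


def header_anomalies(msg):
    """Step 203. The mandatory-header rule is RFC 5322; the From/Sender domain
    comparison is this example's heuristic for a possibly forged sender address."""
    problems = [f"missing mandatory header {h}" for h in ("From", "Date") if h not in msg]
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    sender_addr = email.utils.parseaddr(str(msg.get("Sender", "")))[1]
    if sender_addr and from_addr.rpartition("@")[2] != sender_addr.rpartition("@")[2]:
        problems.append("From and Sender domains differ (possibly forged sender address)")
    return problems


def retrievable_files(msg):
    """Steps 206 and 209: links in the body (fetched later) and attachment parts."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    items = [{"kind": "link", "name": u, "data": None} for u in URL_RE.findall(text)]
    for part in msg.iter_attachments():
        items.append({"kind": "attachment", "name": part.get_filename(),
                      "data": part.get_content()})
    return items


def benign_confidence(item):
    """This example's score of how confidently a file can be called normal: unfetched
    links and executable/archive magic score 0, a PDF may carry active content,
    and only a plain text attachment scores high."""
    data = item["data"]
    if data is None or (isinstance(data, bytes) and data[:2] in (b"MZ", b"PK")):
        return 0.0
    if isinstance(data, bytes) and data.startswith(b"%PDF"):
        return 0.3
    return 0.9 if isinstance(data, str) else 0.5


def prefilter(items, miss_rate):
    """Steps 210-212: only confidently normal files are excluded. The configured
    false negative rate (range (0, 1), usually above 50% per the text) is modelled
    here, as an assumption, as the benign confidence a file must reach before it is
    excluded, so a higher value keeps more files for analysis."""
    assert 0 < miss_rate < 1
    suspicious = [i for i in items if benign_confidence(i) < miss_rate]
    dropped = [i for i in items if benign_confidence(i) >= miss_rate]
    return suspicious, dropped


def process_mail(raw, miss_rate=0.6):
    """Steps 202-213 for one message; returns the suspicious file database record."""
    msg = email.message_from_string(raw, policy=policy.default)
    suspicious, dropped = prefilter(retrievable_files(msg), miss_rate)
    for item in suspicious:  # step 211: keep a content hash for later merging
        payload = item["data"] if item["data"] is not None else item["name"]
        item["sha256"] = hashlib.sha256(
            payload.encode() if isinstance(payload, str) else payload).hexdigest()
    return {"headers": parse_headers(msg), "header_anomalies": header_anomalies(msg),
            "suspicious": suspicious, "dropped": dropped}
```

With the default of 0.6 the link and the PDF go to the suspicious file database and only the text attachment is excluded; at 0.95 nothing is excluded, which is the trade-off the text describes: a high configured rate lets normal files through so that a malicious file is rarely deleted in step 212.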
The embodiment shown in Figure 2 is based on parallel crawler technology and massive-mail parsing technology. It obtains suspicious malicious code samples from the relevant e-mail terminals in an interactive active acquisition mode, makes up for the passive way in which honeypot and honeynet technology obtain malicious code in the prior art, and strengthens the capture capability. "Parallel crawler technology" means running several crawler processes on one server at the same time, starting many such servers at the same time, and sharing one database among them. "Interactive active acquisition" means that the behaviour of an e-mail user can be simulated in order to obtain malicious code that spreads by social engineering, for example by recognising the hyperlinks in a mail and visiting the linked files, or by interacting with the malicious sender to obtain suspicious files.
Step 3: use the malicious code feature database and manual detection to detect the suspicious files obtained in step 2, and save suspicious files whose detection result is abnormal in the malicious code sample database.
Step 3 is called the detection step.
Fig. 3 is the flow chart of the detection step of the malicious code capturing method in an embodiment of the invention. As shown in Fig. 3, in an embodiment of the invention the detection step (step 3) can specifically comprise the following substeps:
Step 301: initialize according to the third configuration information.
Initialization in this step means the initialization of parameters, resources and the like.
The third configuration information is predefined by the administrator. Its content can include the number of merge-processing processes, the number of malicious code detection servers, the analysis and detection time of the expert system, and so on.
Step 302: merge-process the suspicious files.
Here, "merge processing" is short for "summarize and merge" processing. It merges similar files and removes duplicates by comparing files on the basis of hash algorithms, in order to reduce storage space and save subsequent computation.
Step 303: malicious code detection based on the feature database (meaning the malicious code feature database; likewise below).
The specific way of detecting on the basis of the feature database can be: if a suspicious file contains a signature (feature code) from the malicious code feature database, the suspicious file is malicious code; if it contains no signature from the malicious code feature database, the suspicious file is not malicious code.
Step 304: judge whether the suspicious file can be decided; if so, execute step 305, otherwise execute step 307.
Step 305: judge whether the target file is malicious code; if so, execute step 306, otherwise execute step 312.
Step 306: store the file in the malicious code sample database.
In this step, the file stored in the malicious code sample database is the suspicious file judged to be malicious code on the basis of the malicious code feature database.
Step 307: analysis and detection based on the expert system.
The "expert system" mentioned in the present invention is an extension of the expert system in the traditional sense. Its core is a number of security experts with experience in malicious code analysis. It takes the suspicious files of this method as input and judges malicious code through reverse analysis and behaviour analysis techniques with manual participation, thereby making up for the deficiencies of automated detection means and discovering unknown malicious code that automated detection means cannot detect.
Step 308: judge whether the target file is malicious code; if so, execute step 309, otherwise execute step 312.
Step 309: store the file in the malicious code sample database.
Step 310: judge whether the malicious code has new features; if so, execute step 311, otherwise execute step 312.
Step 311: optimize the malicious code feature database, then execute step 303.
If, during the expert system detection process, the target malicious code yields a new signature, that new signature is deposited in the malicious code feature database, which optimizes the feature database and improves detection accuracy and efficiency.
Step 312: end.
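An added example (written for this page, not the patent's own code) of steps 302 through 312: hash-based merging, signature matching against the feature database, and the loop back from step 311 to step 303 once the expert analysis contributes a new signature. The file store, the feature database and the `demo_expert` callable standing in for the manual analysis are constructed assumptions; the "signatures" are plain marker strings, not real malware patterns.

```python
import hashlib

# Constructed suspicious-file store and feature database (marker strings only).
SUSPICIOUS_FILES = [
    ("a.bin", b"stub CONSTRUCTED-SIG-ALPHA payload"),
    ("b.bin", b"stub CONSTRUCTED-SIG-ALPHA payload"),   # byte-identical to a.bin
    ("c.txt", b"ordinary document text"),
    ("d.bin", b"dropper CONSTRUCTED-SIG-BETA"),
    ("e.bin", b"loader CONSTRUCTED-SIG-BETA variant"),
]
FEATURE_DB = {b"CONSTRUCTED-SIG-ALPHA": "family-alpha"}


def merge(files):
    """Step 302: hash-based deduplication, so each distinct content is analysed once."""
    merged = {}
    for name, data in files:
        digest = hashlib.sha256(data).hexdigest()
        merged.setdefault(digest, {"names": [], "data": data})["names"].append(name)
    return merged


def signature_scan(data, feature_db):
    """Step 303: malicious iff the file contains a signature from the feature database."""
    for signature, family in feature_db.items():
        if signature in data:
            return family
    return None


def demo_expert(data):
    """Stand-in for step 307 (manual analysis), an assumption of this example: files
    mentioning 'dropper' are judged malicious and yield a new signature."""
    if b"dropper" in data:
        return True, b"CONSTRUCTED-SIG-BETA"
    return False, None


def detection_step(files, feature_db, expert):
    """Steps 302-312. Returns (sample DB, updated feature DB, number of expert calls).
    After the expert adds a signature (step 311) the files still undecided are
    rescanned (step 303) before the expert is asked about the next one."""
    feature_db = dict(feature_db)
    samples = {}                      # malicious code sample DB: digest -> verdict
    undecided = list(merge(files).items())
    expert_calls = 0
    while undecided:
        still = []                    # steps 303-306 over everything still undecided
        for digest, entry in undecided:
            family = signature_scan(entry["data"], feature_db)
            if family:
                samples[digest] = {"names": entry["names"], "verdict": family}
            else:
                still.append((digest, entry))
        if not still:
            break
        digest, entry = still.pop(0)  # steps 307-311 for one undecided file
        expert_calls += 1
        is_malicious, new_signature = expert(entry["data"])
        if is_malicious:
            samples[digest] = {"names": entry["names"], "verdict": "expert"}
            if new_signature and new_signature not in feature_db:
                feature_db[new_signature] = "expert-" + digest[:8]   # step 311
        undecided = still
    return samples, feature_db, expert_calls


def run_demo():
    return detection_step(SUSPICIOUS_FILES, FEATURE_DB, demo_expert)
```

In the demo the two identical files are merged into one sample, the expert is consulted only twice (for c.txt, judged normal, and for d.bin), and e.bin is caught by the rescan with the signature the expert added rather than by a third manual analysis, which is the saving the text attributes to step 311.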
Step 4: obtain a malicious code sample from the malicious code sample database, run the malicious code sample in a sandbox, record the feature information of the malicious code sample, and save it in the malicious code feature database.
The sandbox mentioned in step 4 can be any sandbox. In a preferred embodiment of the invention a lightweight sandbox can be adopted; a lightweight sandbox saves computational resources to a certain extent.
The malicious code capturing method of the present invention can be realized as computer programs. These programs can be developed in C/C++ and Python; the front-end interface can be developed in PHP and JavaScript; MySQL can be used to build the relational database, and a custom file storage scheme can be used to store the related large data.
The malicious code capturing method of the present invention has the following beneficial effects:
1) E-mail terminals are selected as virtual honeypots to form a distributed virtual honeynet, which greatly reduces the cost of building and deploying the honeynet and can capture more e-mail-borne malicious code quickly and efficiently;
2) A crawler-based deep interactive acquisition mode and massive-mail parsing means are adopted, which make up for the deficiency of the passive mode of honeypot and honeynet technology and can capture more complex e-mail-borne malicious code;
3) Many mail data sources are processed as input, which greatly increases the scope and comprehensiveness of capturing e-mail-borne malicious code.
The malicious code capturing method of the present invention can be applied in related honeypot and honeynet systems; it can increase the coverage of captured objects and improve the capability of capturing malicious code.
The invention also proposes a malicious code capturing system for implementing the above malicious code capturing method.
Fig. 4 is the structure diagram of the malicious code capturing system in an embodiment of the invention. As shown in Fig. 4, in this embodiment the malicious code capturing system comprises an acquisition module 410, a parsing module 420, a detection module 430 and a sandbox module 440, connected in that order. The acquisition module 410 obtains mail data from multiple e-mail data sources. The parsing module 420 parses the mail data obtained by the acquisition module 410, records the files in the mail data that cannot be excluded according to the set false negative rate as suspicious files, and saves the suspicious files in the suspicious file database. The detection module 430 uses the malicious code feature database and manual detection to detect the suspicious files output by the parsing module 420, and saves suspicious files whose detection result is abnormal in the malicious code sample database. The sandbox module 440 obtains malicious code samples from the malicious code sample database, runs each sample in a sandbox, records its feature information and saves it in the malicious code feature database.
In other embodiments of the invention, the malicious code capturing system may also omit the sandbox module 440.
In other embodiments of the invention, the malicious code capturing system may further include an algorithm selection module connected to the acquisition module 410, which applies an e-mail terminal virtual honeypot selection and deployment algorithm to allocate and optimize the use of virtual honeypot resources. The e-mail terminal virtual honeypot selection and deployment algorithm is: the e-mail network over which malicious code propagates is abstracted as a weighted directed graph model of a social network, composed of vertices and edges and having small-world characteristics, where a vertex represents an e-mail account, an edge represents the mail exchanged between e-mail accounts, the weight of an edge represents the number of mails exchanged within a certain time, the in-degree of a vertex represents the number of senders to that vertex within a certain time, and the out-degree represents the number of recipients of that vertex within a certain time.
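The graph model just described, as an added example (written for this page, not the patent's own algorithm): a constructed mail log is turned into the weighted directed graph over a time window, and the in-degree, out-degree and edge weights are computed with exactly the meanings the text gives them. The log, the window and the `rank_by_exposure` ordering (accounts with the most distinct senders first, as candidate honeypot terminals) are assumptions of the example; the patent does not state its selection rule.

```python
from collections import defaultdict
from datetime import datetime

# Constructed mail log: (sender, recipient, ISO timestamp). Addresses are placeholders.
MAIL_LOG = [
    ("a@example.com", "b@example.com", "2012-08-01T09:00"),
    ("a@example.com", "b@example.com", "2012-08-02T10:00"),
    ("a@example.com", "c@example.com", "2012-08-02T11:00"),
    ("c@example.com", "b@example.com", "2012-08-03T08:00"),
    ("d@example.com", "b@example.com", "2012-08-20T08:00"),  # outside the demo window
]


def build_graph(log, start, end):
    """Vertex = account, directed edge sender -> recipient, weight = number of mails
    exchanged within [start, end] (ISO date strings)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    weights = defaultdict(int)
    for sender, recipient, ts in log:
        if lo <= datetime.fromisoformat(ts) <= hi:
            weights[(sender, recipient)] += 1
    return dict(weights)


def in_degree(graph, account):
    """Number of distinct senders writing to the account within the window."""
    return len({s for (s, r) in graph if r == account})


def out_degree(graph, account):
    """Number of distinct recipients the account wrote to within the window."""
    return len({r for (s, r) in graph if s == account})


def vertices(graph):
    return sorted({v for edge in graph for v in edge})


def rank_by_exposure(graph):
    """Assumption of this example, not the patent's rule: order accounts by in-degree,
    then by total incoming weight, as candidates for virtual honeypot terminals."""
    def incoming_weight(v):
        return sum(w for (s, r), w in graph.items() if r == v)
    return sorted(vertices(graph),
                  key=lambda v: (in_degree(graph, v), incoming_weight(v)), reverse=True)


def demo_window():
    """The constructed log over 1-10 August 2012; the 20 August mail is excluded."""
    return build_graph(MAIL_LOG, "2012-08-01T00:00", "2012-08-10T23:59")
```

The window matters: the same two accounts may have in-degree 2 in one week and 0 in the next, so the weights and degrees the text defines are only meaningful together with the "certain time" they were computed over.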
The acquisition module 410 may further include an extraction unit, a first acquisition unit and a second acquisition unit. The extraction unit obtains e-mail data source information according to the preset first configuration information and extracts the kind of e-mail data source; the kinds of e-mail data source are automatically registered e-mail terminals, volunteers' e-mail accounts, and e-mail data provided by related institutions. When the e-mail data source is an automatically registered e-mail terminal or a volunteer's e-mail account, the first acquisition unit obtains the new mail in that source when its polling cycle comes due and writes the mail data of the pending mail into the massive-mail original information database; the mail data comprises the header information of the pending mail's source code, the summary information generated from that header information, the source text of the pending mail and the retrievable files of the pending mail. When the e-mail data source is e-mail data provided by a related institution, the second acquisition unit normalizes the data of that source, removes the privacy information of the pending mail and writes the mail data of the pending mail into the massive-mail original information database; the mail data comprises the header information of the pending mail's source code, the summary information generated from that header information, the source text of the pending mail and the retrievable files of the pending mail.
The header information of the pending mail's source code can include the language, the encoding type, the attachment type, the sender IP address, the recipient IP address, the IP-based mail routing information, and so on.
The content of the summary information can include the e-mail recipient, sender, subject, body length, whether there is an attachment, the e-mail data source type, and so on.
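An added example (written for this page, not the patent's own code) of the two acquisition paths above: a polled terminal or volunteer account is stored as received, while institution-provided data is normalized and stripped of privacy information before it reaches the original information database. Both paths produce the summary information the text lists. The message is constructed, and what counts as "privacy information" is an assumption of the example: addresses are replaced by a salted hash and the body text is not retained, while the body length and attachment names still feed the later steps.

```python
import email
import email.utils
import hashlib
from email import policy

# Constructed message with documentation-domain addresses.
RAW_MAIL = (
    "From: alice@example.com\r\n"
    "To: bob@example.org\r\n"
    "Subject: meeting notes\r\n"
    "Date: Fri, 17 Aug 2012 10:00:00 +0800\r\n"
    'Content-Type: multipart/mixed; boundary="M"\r\n'
    "\r\n"
    "--M\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "see attached\r\n"
    "--M\r\n"
    'Content-Type: text/plain; name="notes.txt"\r\n'
    'Content-Disposition: attachment; filename="notes.txt"\r\n'
    "\r\n"
    "agenda\r\n"
    "--M--\r\n"
)


def pseudonymize(address, salt):
    """Salted hash of an address: stable enough for statistics and the graph model,
    not reversible without the salt (an assumption of this example)."""
    return hashlib.sha256((salt + address.lower()).encode()).hexdigest()[:16]


def summarize(msg, source_type, salt=None):
    """Summary information from the text: recipient, sender, subject, body length,
    attachment flag and data source type. With a salt, addresses are pseudonymized."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    recipient = email.utils.parseaddr(str(msg.get("To", "")))[1]
    if salt is not None:
        sender, recipient = pseudonymize(sender, salt), pseudonymize(recipient, salt)
    return {"recipient": recipient, "sender": sender,
            "subject": str(msg.get("Subject", "")), "body_length": len(text),
            "has_attachment": next(msg.iter_attachments(), None) is not None,
            "source_type": source_type}


def ingest(raw, source_type, salt="constructed-salt"):
    """First acquisition unit (polled terminal or volunteer account): store as
    received. Second acquisition unit (institution data): normalize and remove
    privacy information, here by pseudonymizing addresses and dropping body text."""
    msg = email.message_from_string(raw, policy=policy.default)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    if source_type == "institution":
        return {"summary": summarize(msg, source_type, salt),
                "source_text": None, "attachments": attachments}
    return {"summary": summarize(msg, source_type),
            "source_text": raw, "attachments": attachments}
```

Because the pseudonym is a keyed hash rather than a random token, the same institution-provided sender maps to the same vertex across batches, so the graph model above can still be built over the anonymized data.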
The parsing module 420 may further include a first initialization unit, a resolution unit and a filter unit. The first initialization unit initializes according to the preset second configuration information. The resolution unit parses the header information and source text of the pending mail's source code and saves abnormal header information and/or source text in the malicious code sample database. The filter unit filters the retrievable files of the pending mail according to the set false negative rate, excludes normal files, and saves the files that cannot be excluded in the suspicious file database as suspicious files.
The detection module 430 may further include a second initialization unit, a first detection unit and a second detection unit. The second initialization unit initializes according to the preset second configuration information. The first detection unit detects the suspicious files according to the malicious code feature information saved in the malicious code feature database and saves suspicious files containing malicious code feature information in the malicious code sample database. For suspicious files that cannot be detected according to the malicious code feature information, the second detection unit performs manual detection according to the preset expert system and saves the new feature information produced by suspicious files judged to be malicious code in the manual detection process in the malicious code feature database.
The workflow of the malicious code capturing system of the present invention is the same as that of the malicious code capturing method described above and is not repeated here.
The meaning of each term in the malicious code capturing system of the present invention is the same as that of the same term in the description of the malicious code capturing method of the present invention, so the terms appearing in the malicious code capturing system are not explained again.
The malicious code capturing system of the present invention has the following beneficial effects:
1) E-mail terminals are selected as virtual honeypots to form a distributed virtual honeynet, which greatly reduces the cost of building and deploying the honeynet and can capture more e-mail-borne malicious code quickly and efficiently;
2) A crawler-based deep interactive acquisition mode and massive-mail parsing means are adopted, which make up for the deficiency of the passive mode of honeypot and honeynet technology and can capture more complex e-mail-borne malicious code;
3) Many mail data sources are processed as input, which greatly increases the scope and comprehensiveness of capturing e-mail-borne malicious code.
The malicious code capturing system of the present invention can be applied in related honeypot and honeynet systems; it can increase the coverage of captured objects and improve the capability of capturing malicious code.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (16)

1. A malicious code capturing method, characterized in that it comprises:
obtaining mail data from multiple e-mail data sources;
parsing the mail data, recording the files in the mail data that cannot be excluded according to a set false negative rate as suspicious files, and saving the suspicious files in a suspicious file database;
using a malicious code feature database and manual detection to detect the suspicious files, and saving suspicious files whose detection result is abnormal in the malicious code sample database.
2. The malicious code capturing method according to claim 1, characterized in that it further comprises:
obtaining a malicious code sample from the malicious code sample database, running the malicious code sample in a sandbox, recording the feature information of the malicious code sample, and saving it in the malicious code feature database.
3. The malicious code capturing method according to claim 1, characterized in that, before obtaining mail data from multiple e-mail data sources, it further comprises:
applying an e-mail terminal virtual honeypot selection and deployment algorithm to allocate and optimize the use of virtual honeypot resources; the e-mail terminal virtual honeypot selection and deployment algorithm is: abstracting the e-mail network over which malicious code propagates as a weighted directed graph model of a social network, composed of vertices and edges and having small-world characteristics, wherein a vertex represents an e-mail account, an edge represents the mail exchanged between e-mail accounts, the weight of an edge represents the number of mails exchanged within a certain time, the in-degree of a vertex represents the number of senders to that vertex within a certain time, and the out-degree represents the number of recipients of that vertex within a certain time.
4. The malicious code capturing method according to claim 1, characterized in that obtaining mail data from multiple e-mail data sources comprises:
obtaining e-mail data source information according to preset first configuration information and extracting the kind of e-mail data source, the kinds of e-mail data source being automatically registered e-mail terminals, volunteers' e-mail accounts, or mail data with privacy information removed provided by related institutions;
if the e-mail data source is an automatically registered e-mail terminal or a volunteer's e-mail account, then when the polling cycle of that e-mail data source comes due, obtaining the pending mail in that source and writing the mail data of the pending mail into a massive-mail original information database, the mail data comprising the header information of the pending mail's source code, the summary information generated from that header information, the source text of the pending mail and the retrievable files of the pending mail;
if the e-mail data source is mail data with privacy information removed provided by a related institution, then normalizing the data of that source, removing the privacy information of the pending mail, and writing the mail data of the pending mail into the massive-mail original information database, the mail data comprising the header information of the pending mail's source code, the summary information generated from that header information, the source text of the pending mail and the retrievable files of the pending mail.
5. The malicious code capturing method according to claim 4, characterized in that the header information of the pending mail's source code comprises the language, the encoding type, the attachment type, the sender IP address, the recipient IP address and the IP-based mail routing information.
6. The malicious code capturing method according to claim 4, characterized in that the content of the summary information comprises the e-mail recipient, sender, subject, body length, whether there is an attachment, and the e-mail data source type.
7. The malicious code capturing method according to claim 4, characterized in that parsing the mail data, recording the files in the mail data that cannot be excluded according to the set false negative rate as suspicious files, and saving the suspicious files in the suspicious file database comprises:
initializing according to preset second configuration information;
parsing the header information and source text of the pending mail's source code, and saving abnormal header information and/or source text in the malicious code sample database;
filtering the retrievable files of the pending mail according to the set false negative rate, excluding normal files, and saving the files that cannot be excluded in the suspicious file database as suspicious files.
8. The malicious code capturing method according to claim 1, characterized in that using the malicious code feature database and manual detection to detect the suspicious files and saving suspicious files whose detection result is abnormal in the malicious code sample database comprises:
initializing according to preset second configuration information;
detecting the suspicious files according to the malicious code feature information saved in the malicious code feature database, and saving suspicious files containing the malicious code feature information in the malicious code sample database;
for suspicious files that cannot be detected according to the malicious code feature information, performing manual detection according to a preset expert system, and saving the new feature information produced by suspicious files judged to be malicious code in the manual detection process in the malicious code feature database.
9. A malicious code capturing system, characterized in that it comprises:
an acquisition module, for obtaining mail data from multiple e-mail data sources;
a parsing module, for parsing the mail data obtained by the acquisition module, recording the files in the mail data that cannot be excluded according to a set false negative rate as suspicious files, and saving the suspicious files in a suspicious file database;
a detection module, for using a malicious code feature database and manual detection to detect the suspicious files output by the parsing module, and saving suspicious files whose detection result is abnormal in the malicious code sample database.
10. The malicious code capturing system according to claim 9, characterized in that it further comprises:
a sandbox module, for obtaining a malicious code sample from the malicious code sample database, running the malicious code sample in a sandbox, recording the feature information of the malicious code sample, and saving it in the malicious code feature database.
11. The malicious code capturing system according to claim 9, characterized in that it further comprises, connected to the acquisition module:
an algorithm selection module, for applying an e-mail terminal virtual honeypot selection and deployment algorithm to allocate and optimize the use of virtual honeypot resources; the e-mail terminal virtual honeypot selection and deployment algorithm is: abstracting the e-mail network over which malicious code propagates as a weighted directed graph model of a social network, composed of vertices and edges and having small-world characteristics, wherein a vertex represents an e-mail account, an edge represents the mail exchanged between e-mail accounts, the weight of an edge represents the number of mails exchanged within a certain time, the in-degree of a vertex represents the number of senders to that vertex within a certain time, and the out-degree represents the number of recipients of that vertex within a certain time.
12. The malicious code capturing system according to claim 9, characterized in that the acquisition module comprises:
an extraction unit, for obtaining e-mail data source information according to preset first configuration information and extracting the kind of e-mail data source, the kinds of e-mail data source being automatically registered e-mail terminals, volunteers' e-mail accounts, or e-mail data provided by related institutions;
a first acquisition unit, for, when the e-mail data source is an automatically registered e-mail terminal or a volunteer's e-mail account, obtaining the new mail in that source when the polling cycle of that e-mail data source comes due and writing the mail data of the pending mail into a massive-mail original information database, the mail data comprising the header information of the pending mail's source code, the summary information generated from that header information, the source text of the pending mail and the retrievable files of the pending mail;
a second acquisition unit, for, when the e-mail data source is e-mail data provided by a related institution, normalizing the data of that source, removing the privacy information of the pending mail, and writing the mail data of the pending mail into the massive-mail original information database, the mail data comprising the header information of the pending mail's source code, the summary information generated from that header information, the source text of the pending mail and the retrievable files of the pending mail.
13. The malicious code capturing system according to claim 9, characterized in that the header information of the pending mail's source code comprises the language, the encoding type, the attachment type, the sender IP address, the recipient IP address and the IP-based mail routing information.
14. The malicious code capturing system according to claim 9, characterized in that the content of the summary information comprises the e-mail recipient, sender, subject, body length, whether there is an attachment, and the e-mail data source type.
15. The malicious code capturing system according to claim 9, characterized in that the parsing module comprises:
a first initialization unit, for initializing according to preset second configuration information;
a resolution unit, for parsing the header information and source text of the pending mail's source code, and saving abnormal header information and/or source text in the malicious code sample database;
a filter unit, for filtering the retrievable files of the pending mail according to the set false negative rate, excluding normal files, and saving the files that cannot be excluded in the suspicious file database as suspicious files.
16. The malicious code capturing system according to claim 14, characterized in that the detection module comprises:
a second initialization unit, for initializing according to preset second configuration information;
a first detection unit, for detecting the suspicious files according to the malicious code feature information saved in the malicious code feature database, and saving suspicious files containing the malicious code feature information in the malicious code sample database;
a second detection unit, for, for suspicious files that cannot be detected according to the malicious code feature information, performing manual detection according to a preset expert system, and saving the new feature information produced by suspicious files judged to be malicious code in the manual detection process in the malicious code feature database.
CN201210294945.XA 2012-08-17 2012-08-17 A kind of malicious code catching method and system Active CN102833240B (en)

Publications (2)

Publication Number Publication Date
CN102833240A true CN102833240A (en) 2012-12-19
CN102833240B CN102833240B (en) 2016-02-03

Family

ID=47336211

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210294945.XA Active CN102833240B (en) 2012-08-17 2012-08-17 A kind of malicious code catching method and system

Country Status (1)

Country Link
CN (1) CN102833240B (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103106573A (en) * 2013-02-20 2013-05-15 中国科学院信息工程研究所 Massive email analyzing method and system based on relational graph
CN105337993A (en) * 2015-11-27 2016-02-17 厦门安胜网络科技有限公司 Dynamic and static combination-based mail security detection device and method
CN105488408A (en) * 2014-12-31 2016-04-13 中国信息安全认证中心 Identification method and system of malicious sample type on the basis of characteristics
CN105656872A (en) * 2015-07-17 2016-06-08 哈尔滨安天科技股份有限公司 Attacker tracking method and system based on backbone network
CN105743876A (en) * 2015-08-28 2016-07-06 哈尔滨安天科技股份有限公司 Method and system for discovering targeted attack based on email source data
CN103825930B (en) * 2013-11-12 2017-03-29 浙江省水文局 A kind of real-time data synchronization method under distributed environment
CN106980787A (en) * 2017-03-30 2017-07-25 杭州网蛙科技有限公司 A kind of method and apparatus for recognizing malice feature
CN108197475A (en) * 2018-01-11 2018-06-22 广州汇智通信技术有限公司 A kind of malice so modules detection method and relevant apparatus
CN108959917A (en) * 2017-05-25 2018-12-07 腾讯科技(深圳)有限公司 A kind of method, apparatus, equipment and the readable storage medium storing program for executing of Email detection
CN109145601A (en) * 2017-06-27 2019-01-04 英特尔公司 Malware detection system attack prevents
CN109327451A (en) * 2018-10-30 2019-02-12 深信服科技股份有限公司 A kind of method, system, device and medium that the upload verifying of defence file bypasses
WO2019141091A1 (en) * 2018-01-19 2019-07-25 论客科技(广州)有限公司 Method, system, and device for mail monitoring
CN110138723A (en) * 2019-03-25 2019-08-16 中国科学院信息工程研究所 The determination method and system of malice community in a kind of mail network
CN110769008A (en) * 2019-11-05 2020-02-07 长沙豆芽文化科技有限公司 Data security protection method and device and service equipment
CN111405562A (en) * 2020-03-11 2020-07-10 中国科学院信息工程研究所 Mobile malicious user identification method and system based on communication behavior rules
CN112788065A (en) * 2021-02-20 2021-05-11 苏州知微安全科技有限公司 Internet of things zombie network tracking method and device based on honeypots and sandboxes
CN113630397A (en) * 2021-07-28 2021-11-09 上海纽盾网安科技有限公司 E-mail security control method, client and system
CN113794674A (en) * 2021-03-09 2021-12-14 北京沃东天骏信息技术有限公司 Method, device and system for detecting mail
CN114826670A (en) * 2022-03-23 2022-07-29 国家计算机网络与信息安全管理中心 Method for analyzing network flow and detecting large-scale malicious code propagation
CN116471123A (en) * 2023-06-14 2023-07-21 杭州海康威视数字技术股份有限公司 Intelligent analysis method, device and equipment for security threat of intelligent equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101778059A (en) * 2010-02-09 2010-07-14 成都市华为赛门铁克科技有限公司 Mail processing method, gateway equipment and network system
CN101795267A (en) * 2009-12-30 2010-08-04 成都市华为赛门铁克科技有限公司 Method and device for detecting viruses and gateway equipment
CN101841523A (en) * 2010-02-05 2010-09-22 中国科学院计算技术研究所 Method for detecting network behavior of malicious code sample and system thereof
CN101930514A (en) * 2010-08-12 2010-12-29 北京安天电子设备有限公司 Method and device for capturing malicious code of mobile terminal
CN102024113A (en) * 2010-12-22 2011-04-20 北京安天电子设备有限公司 Method and system for quickly detecting malicious code

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101795267A (en) * 2009-12-30 2010-08-04 成都市华为赛门铁克科技有限公司 Method and device for detecting viruses and gateway equipment
CN101841523A (en) * 2010-02-05 2010-09-22 中国科学院计算技术研究所 Method for detecting network behavior of malicious code sample and system thereof
CN101778059A (en) * 2010-02-09 2010-07-14 成都市华为赛门铁克科技有限公司 Mail processing method, gateway equipment and network system
CN101930514A (en) * 2010-08-12 2010-12-29 北京安天电子设备有限公司 Method and device for capturing malicious code of mobile terminal
CN102024113A (en) * 2010-12-22 2011-04-20 北京安天电子设备有限公司 Method and system for quickly detecting malicious code

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103106573A (en) * 2013-02-20 2013-05-15 中国科学院信息工程研究所 Massive email analyzing method and system based on relational graph
CN103825930B (en) * 2013-11-12 2017-03-29 浙江省水文局 Real-time data synchronization method in a distributed environment
CN105488408A (en) * 2014-12-31 2016-04-13 中国信息安全认证中心 Identification method and system of malicious sample type on the basis of characteristics
CN105656872A (en) * 2015-07-17 2016-06-08 哈尔滨安天科技股份有限公司 Attacker tracking method and system based on backbone network
CN105743876A (en) * 2015-08-28 2016-07-06 哈尔滨安天科技股份有限公司 Method and system for discovering targeted attack based on email source data
CN105337993A (en) * 2015-11-27 2016-02-17 厦门安胜网络科技有限公司 Dynamic and static combination-based mail security detection device and method
CN106980787A (en) * 2017-03-30 2017-07-25 杭州网蛙科技有限公司 Method and apparatus for recognizing malicious features
CN108959917A (en) * 2017-05-25 2018-12-07 腾讯科技(深圳)有限公司 Email detection method, apparatus, device and readable storage medium
CN109145601A (en) * 2017-06-27 2019-01-04 英特尔公司 Malware detection system attack prevention
CN108197475A (en) * 2018-01-11 2018-06-22 广州汇智通信技术有限公司 Malicious so module detection method and related apparatus
CN108197475B (en) * 2018-01-11 2020-12-08 广州汇智通信技术有限公司 Malicious so module detection method and related device
WO2019141091A1 (en) * 2018-01-19 2019-07-25 论客科技(广州)有限公司 Method, system, and device for mail monitoring
CN109327451A (en) * 2018-10-30 2019-02-12 深信服科技股份有限公司 Method, system, device and medium for defending against file upload verification bypass
CN110138723A (en) * 2019-03-25 2019-08-16 中国科学院信息工程研究所 Method and system for determining malicious communities in a mail network
CN110138723B (en) * 2019-03-25 2020-05-12 中国科学院信息工程研究所 Method and system for determining malicious community in mail network
CN110769008A (en) * 2019-11-05 2020-02-07 长沙豆芽文化科技有限公司 Data security protection method and device and service equipment
CN110769008B (en) * 2019-11-05 2020-04-03 长沙豆芽文化科技有限公司 Data security protection method and device and service equipment
CN111405562A (en) * 2020-03-11 2020-07-10 中国科学院信息工程研究所 Mobile malicious user identification method and system based on communication behavior rules
CN111405562B (en) * 2020-03-11 2021-05-28 中国科学院信息工程研究所 Mobile malicious user identification method and system based on communication behavior rules
CN112788065A (en) * 2021-02-20 2021-05-11 苏州知微安全科技有限公司 Internet of things zombie network tracking method and device based on honeypots and sandboxes
CN113794674B (en) * 2021-03-09 2024-04-09 北京沃东天骏信息技术有限公司 Method, device and system for detecting mail
CN113794674A (en) * 2021-03-09 2021-12-14 北京沃东天骏信息技术有限公司 Method, device and system for detecting mail
CN113630397A (en) * 2021-07-28 2021-11-09 上海纽盾网安科技有限公司 E-mail security control method, client and system
CN114826670B (en) * 2022-03-23 2024-03-29 国家计算机网络与信息安全管理中心 Method for analyzing network traffic and detecting large-scale malicious code propagation
CN114826670A (en) * 2022-03-23 2022-07-29 国家计算机网络与信息安全管理中心 Method for analyzing network flow and detecting large-scale malicious code propagation
CN116471123A (en) * 2023-06-14 2023-07-21 杭州海康威视数字技术股份有限公司 Intelligent analysis method, device and equipment for security threat of intelligent equipment
CN116471123B (en) * 2023-06-14 2023-08-25 杭州海康威视数字技术股份有限公司 Intelligent analysis method, device and equipment for security threat of intelligent equipment

Also Published As

Publication number Publication date
CN102833240B (en) 2016-02-03

Similar Documents

Publication Publication Date Title
CN102833240B (en) Malicious code capturing method and system
KR101010302B1 (en) Security management system and method of irc and http botnet
CN102801697B (en) Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator)
CN105915532B (en) Method and device for identifying compromised hosts
Goseva-Popstojanova et al. Characterization and classification of malicious Web traffic
CN106101104A (en) Malicious domain name detection method and system based on domain name resolution
US20110153811A1 (en) System and method for modeling activity patterns of network traffic to detect botnets
CN105592017B (en) Cross-site scripting attack defense method and system
CN104509034A (en) Pattern consolidation to identify malicious activity
CN102739647A (en) High-interaction honeypot based network security system and implementation method thereof
CN103634306A (en) Security detection method and security detection server for network data
CN106650436A (en) Safety detecting method and device based on local area network
CN102841990A (en) Method and system for detecting malicious codes based on uniform resource locator
CN108965349A (en) Method and system for monitoring advanced persistent network attacks
CN108183888A (en) Social engineering network intrusion path detection method based on the random forest algorithm
CN108134761A (en) APT detection method, system and device
CN104580249A (en) Botnet, Trojan horse and worm network analysis method and system based on logs
CN110351237B (en) Honeypot method and device for numerical control machine tool
CN110210213A (en) Method and device for filtering malicious samples, storage medium and electronic device
CN101588276B (en) Method and device for detecting zombie network
Ferretti et al. Characterizing background noise in ICS traffic through a set of low interaction honeypots
CN104486320A (en) Intranet sensitive information disclosure evidence collection system and method based on honeynet technology
Gupta HoneyKube: designing a honeypot using microservices-based architecture
CN108737332A (en) Man-in-the-middle attack prediction method based on machine learning
Moon et al. Detection of botnets before activation: an enhanced honeypot system for intentional infection and behavioral observation of malware

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant