CN103428195A - Unknown virus detecting method - Google Patents

Unknown virus detecting method

Info

Publication number
CN103428195A
Authority
CN
China
Prior art keywords
file
extension
data message
message
server
Prior art date
2012-12-27
Legal status
Granted
Application number
CN2012105780547A
Other languages
Chinese (zh)
Other versions
CN103428195B (en)
Inventor
肖新光 (Xiao Xinguang)
邱勇良 (Qiu Yongliang)
方华 (Fang Hua)
Current Assignee
Beijing ahtech network Safe Technology Ltd
Original Assignee
Beijing Antiy Electronic Equipment Co Ltd
Priority date
2012-12-27
Filing date
2012-12-27
Publication date
2013-12-04
Application filed by Beijing Antiy Electronic Equipment Co Ltd
Priority to CN201210578054.7A
Publication of CN103428195A
Application granted
Publication of CN103428195B
Legal status: Active
Anticipated expiration

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method for detecting unknown viruses. Drawing on the characteristics of file-format storage and of network file transfer, the system captures the bidirectional network traffic of a single connection, extracts the file extension from the request the client sends to the server, and analyses the file header content in the data the server returns to the client. The file types indicated by the extension and by the file header are then compared: if they match, the transfer is treated as normal; otherwise it is treated as abnormal and an alarm can be raised. The method blocks a virus-propagation route that relies on file-type disguise in situations where conventional anti-virus software cannot deal effectively with unknown viruses.

Description

Method for detecting unknown viruses
Technical field
The present invention relates to techniques for detecting unknown viruses in network data. It is applicable to networks whose traffic is not one-way, that is, where both directions of a connection can be captured, and is intended to find unknown viruses of a particular kind promptly in a situation where the viruses themselves change rapidly.
Background
Most computer use today depends on the network, and many users spend a great deal of time online. Because ordinary computer users lack professional network-security knowledge and do not protect themselves, they cannot recognise threats that arrive over the network.
Virus authors and distributors exploit exactly this: by simply changing a file's extension they deceive the computer's file manager and browser, so that the renamed virus is taken for a harmless file of another type and the user is induced to download and execute it. At the same time, by releasing new variants quickly, they evade detection by anti-virus software.
These techniques cause large numbers of computer users to be infected, while the rate at which current anti-virus software is updated cannot keep up with the rate at which viruses are updated, so this class of threat cannot be handled effectively.
To make parsing convenient, most file types have a relatively fixed file-header format, so the format of most files can be identified by examining the header content. When a file is stored on a computer, its type is generally identified by the file extension; this lets the computer's file manager determine the file type quickly from the extension in the file name alone, without parsing the content.
On the network, in the common FTP and HTTP protocols, a network file is normally accessed as follows: the client on the user's computer sends a URL request to the server containing the directory and file name; after receiving the request, the server sends the corresponding file back to the client, and the user browses or executes it on the client computer.
Summary of the invention
Exploiting the characteristics of file-format storage and of network file transfer, the present invention captures the bidirectional traffic of a single connection, extracts the file extension from the request the client sends to the server, analyses the file header content in the data the server returns to the client, and compares whether the file types indicated by the two match. If they match, the transfer is considered normal; otherwise it is considered abnormal, a warning can be issued, and further analysis can be applied to confirm the specific type of threat. In this way the route used by this class of disguised virus transmission can be blocked even when conventional anti-virus software cannot deal with the unknown virus.
Specifically, the invention provides a method for detecting unknown viruses, comprising:
S01: analyse sample files of known file types;
S02: extract the file header feature of each file type;
S03: build a mapping table between file header features and file extensions;
The steps above are performed in advance; the following steps constitute the detection method proper:
S04: capture network packets;
S05: protocol-decode the captured packets and separate out the FTP and HTTP messages; the two protocols are then processed separately;
S06: analyse the transmission direction of the message; if the direction is server to client, go to S10;
S07: isolate the request message that carries the URL;
S08: protocol-decode it and extract the file name contained in the URL of the request;
S09: determine whether the file name has a valid extension; if not, go to S15 and end detection of the current connection; otherwise record the file extension as extension 1 and return to S04 to obtain the next packet of the current connection;
S10: check whether the current connection has a valid file extension associated with it; if not, return to S04 to obtain the next packet of the current connection;
S11: protocol-decode and locate the start of the file content in the response data;
S12: search the initial file content for a match against the known file header features; if none matches, go to S15 and end detection of the current connection;
S13: from the file type corresponding to the matched header feature, look up the corresponding file extensions in the file-extension/file-header-feature mapping table and save them as extension set 2;
S14: compare extension 1 against each extension in set 2; if it matches none of them, report that an unknown threat has been found;
S15: end detection of the current connection.
The beneficial effect of the invention is as follows. Exploiting the characteristics of file-format storage and network file transfer, the invention captures the bidirectional traffic of a single connection, extracts the file extension from the client's request to the server, analyses the file header content in the server's reply to the client, and compares whether the two file types match: if they match the transfer is treated as normal, otherwise as abnormal. Even when conventional anti-virus software cannot detect most current viruses, this effectively counters the disguise of a virus by a changed extension and stops a latent threat.
Brief description of the drawings
To explain the technical solution of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are introduced briefly below. Obviously, the drawings described below are only some of the embodiments recorded in the invention, and those of ordinary skill in the art can obtain further drawings from them without creative effort.
Fig. 1 is a flow chart of the method by which the invention builds the file-extension list;
Fig. 2 is a flow chart of the unknown-virus detection method of the invention.
Detailed description
To help those skilled in the art understand the technical solution of the embodiments better, and to make the above aims, features and advantages clearer, the technical solution is described in further detail below with reference to the drawings.
First, as shown in Fig. 1, the flow for building the file-extension list comprises:
S101: analyse sample files of known file types;
Collect samples of the various file types in advance and examine the content at the start of each sample file;
S102: extract the file header feature of each file type;
Extract the common part at the start of files of the same type: if the same binary string is found in several files of the same type and the common part is longer than 1 byte, take at most the first 8 bytes of it as the header feature string and add it to the feature database;
S103: build the mapping table between file header features and file extensions;
If a header feature can be extracted for a file type, build a mapping between the file extensions of that type (there may be several) and the header feature of that type, for later queries;
If the file type is plain text (including but not limited to htm, html, txt, css and js), no fixed header feature can be extracted; such types are entered in the mapping table with an empty header feature and their extensions. This table is the file-extension list;
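The table-building steps S01-S03 and S101-S103 above, worked as an added example that is not part of the patent. The sample corpus (the file types, their extensions and the byte strings) is constructed for illustration; the two thresholds are the patent's own: the common part must be longer than 1 byte and at most 8 bytes of it are kept, and a type with no usable common prefix (the plain-text types) gets the empty feature.

```python
"""Building the header-feature / extension mapping table (steps S101-S103).
Added example, not the patent's code; the sample corpus is constructed."""
from collections import defaultdict

MAX_FEATURE_LEN = 8  # the patent keeps at most 8 bytes of the common prefix
MIN_FEATURE_LEN = 2  # and requires the common part to be longer than 1 byte

# Constructed samples: file type -> (extensions used for that type, first bytes
# of several sample files). The byte strings are illustrative, not real files.
SAMPLES = {
    "jpeg": ({"jpg", "jpeg"}, [b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
                               b"\xff\xd8\xff\xe1\x12\x34Exif\x00"]),
    "png": ({"png"}, [b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
                      b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"]),
    "exe": ({"exe", "dll"}, [b"MZ\x90\x00\x03\x00\x00\x00\x04",
                             b"MZ\x50\x00\x02\x00\x00\x00\x04"]),
    "zip": ({"zip", "jar", "docx"}, [b"PK\x03\x04\x14\x00\x00\x00\x08",
                                     b"PK\x03\x04\x0a\x00\x00\x00\x00"]),
    # plain-text types have no fixed header, so their common prefix collapses
    "text": ({"txt", "htm", "html", "css", "js"},
             [b"<html><head>", b"body { color:", b"var x = 1;"]),
}

def common_prefix(heads):
    """Longest byte string shared at the start of every sample (S102)."""
    heads = list(heads)
    if not heads:
        return b""
    prefix = heads[0]
    for h in heads[1:]:
        n = 0
        for a, b in zip(prefix, h):
            if a != b:
                break
            n += 1
        prefix = prefix[:n]
        if not prefix:
            break
    return prefix

def extract_feature(heads):
    """Header feature of one file type: at most 8 bytes of the common prefix, or
    the empty feature when the prefix is shorter than 2 bytes (S102/S103)."""
    prefix = common_prefix(heads)[:MAX_FEATURE_LEN]
    return prefix if len(prefix) >= MIN_FEATURE_LEN else b""

def build_mapping_table(samples=SAMPLES):
    """Return (feature -> set of extensions, extension -> feature) (S103).
    Types may share a feature (every ZIP-based container starts with PK\\x03\\x04),
    so the forward map holds a set of extensions rather than a single one."""
    feature_to_exts = defaultdict(set)
    ext_to_feature = {}
    for _ftype, (exts, heads) in samples.items():
        feat = extract_feature(heads)
        feature_to_exts[feat] |= set(exts)
        for ext in exts:
            ext_to_feature[ext.lower()] = feat
    return dict(feature_to_exts), ext_to_feature

if __name__ == "__main__":
    fwd, _ = build_mapping_table()
    for feat, exts in fwd.items():
        print(f"{feat.hex() or '(empty)':>18} -> {sorted(exts)}")
```

The 8-byte cap matters for PNG, whose samples agree for 16 bytes: only the first 8 are kept. The 2-byte floor is what turns the text samples into the empty feature; note that it would also silently discard any real format whose signature is a single byte, so a deployment should review the types that land on the empty feature rather than assume they are all text.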
Fig. 2 is the flow chart of the unknown-virus detection method, comprising:
S104: capture network packets;
Packets may be captured with pcap, with zero-copy capture, or with a dedicated capture network card;
Protocol-decode the captured packets and separate out the FTP and HTTP messages;
FTP and HTTP can be recognised from the TCP port information or from the initial keywords of the transport-layer payload (for example pasv, port, stor, retr, get, post, http), and the FTP and HTTP messages are separated out accordingly;
S105: analyse the transmission direction of the message; if the direction is server to client, go to S109;
When the connection is established the TCP handshake is tracked: the destination IP address of the SYN segment (equivalently, the source IP address of the SYN-ACK reply) is defined as the server IP address, and the other address as the client IP address. For subsequent FTP and HTTP messages the direction is determined by which address is the server's: a message whose source IP address is the server's is data sent from the server to the client.
S106: isolate the request message that carries the URL;
For HTTP, isolate the messages whose HTTP header contains the URI field;
For FTP, isolate the messages that send the STOR or RETR command;
S107: protocol-decode and extract the file name contained in the URL of the request;
For HTTP, decode the URI field of the HTTP header and extract the file name from it according to URI syntax;
For FTP, extract the file name carried by the STOR or RETR command;
S108: determine whether the file name has a valid extension; if not, go to S115 and end detection of the current connection; otherwise record the file extension as extension 1 and return to S104 to obtain the next packet of the current connection;
For HTTP, depending on the network service, the file name obtained does not necessarily carry an extension. If the extension can be found in the file-extension/file-header-feature mapping table, it is judged valid; a valid extension is recorded and associated with the current TCP connection (a TCP connection is identified by the four-tuple of source/destination IP address and source/destination port number);
For FTP, the file name obtained should be the name of an accessible file. If its extension can be found in the mapping table it is judged valid; a valid extension is recorded and associated with the file-transfer TCP connection that follows, which is identified as follows:
1. Active mode: record the IP address of the current server as the client IP address of the file-transfer connection and the IP address of the current client as the server IP address of the file-transfer connection; track the subsequent PORT command message and extract the data port from it; this triple identifies the file-transfer connection that follows;
2. Passive mode: record the IP address of the current server as the server IP address of the file-transfer connection and the IP address of the current client as the client IP address of the file-transfer connection; track the subsequent message that announces the data port (in passive mode the server announces it in its reply to the PASV command) and extract the server port from it; this triple identifies the file-transfer connection that follows;
S109: check whether the current connection has a valid file extension associated with it; if not, return to S104 to obtain the next packet of the current connection;
For HTTP, the corresponding TCP connection is looked up by the four-tuple (source/destination IP address, source/destination port number) of the current segment.
For FTP, the corresponding TCP connection is looked up by the triple (server IP address, client IP address, server port number) of the current segment;
If the TCP connection is found and a file extension is associated with it, the connection is considered associated with a valid extension;
S111: protocol-decode and locate the start of the file content in the response data;
For HTTP, select the messages whose source IP address is the server's and, among them, find the message carrying the HTTP header of the server's response. If data follows the HTTP header in that message, the file content starts at the end of the HTTP header; otherwise the file content starts at the TCP payload of the next message in the same direction.
For FTP, the start of the file content is located in four cases (server and client here are the roles recorded for the file-transfer connection in S108):
1. Active-mode upload: the file content starts at the TCP payload of the first segment carrying file data that the server sends to the client;
2. Active-mode download: the file content starts at the TCP payload of the first segment carrying file data that the client sends to the server;
3. Passive-mode upload: the file content starts at the TCP payload of the first segment carrying file data that the client sends to the server;
4. Passive-mode download: the file content starts at the TCP payload of the first segment carrying file data that the server sends to the client;
S112: search the initial file content for a match against the known file header features; if none matches, go to S115 and end detection of the current connection;
S113: from the file type corresponding to the matched header feature, look up the corresponding file extensions in the file-extension/file-header-feature mapping table and save them as extension set 2;
Because a file type is not restricted to a single extension, one header feature may correspond to several extensions; these extensions form an extension set that is mapped to the header feature.
S114: compare extension 1 against each extension in set 2; if it matches none of them, report that an unknown threat has been found;
S115: end detection of the current connection.
Although the invention has been described by way of embodiments, those of ordinary skill in the art will recognise that many variations are possible without departing from its spirit, and it is intended that the appended claims cover such variations.
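The detection flow S104-S115 (S04-S15 of the summary, step a to step g of claim 1), worked as an added example that is not the patent's code and covers the HTTP branch only. The feature table is a hand-built stand-in for the output of S103; the packets, addresses, host name and file names are constructed; the packet capture and TCP reassembly a real sensor needs are left out, so the Packet record, the Detector class and the http_exchange helper are this example's own names, not the patent's. Server and client are fixed from the SYN (S105), the request extension is tied to the connection's 4-tuple (S108), the body is taken from after the end of the HTTP header, waiting for the next segment when the header arrives alone (S111), and an alarm is raised when the extension matches none of the set the header maps to (S114).

```python
# Extension/header consistency check over HTTP (S104-S115; S04-S15; claim 1).
# Added example, not the patent's code; all traffic below is constructed.
from collections import namedtuple
from types import SimpleNamespace
from urllib.parse import urlsplit

# Output of step S103, hand-built; the empty feature stands for plain-text types.
FEATURE_TO_EXTS = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"MZ": {"exe", "dll"},
    b"PK\x03\x04": {"zip", "jar", "docx"},
    b"": {"txt", "htm", "html", "css", "js"},
}
VALID_EXTS = {e for exts in FEATURE_TO_EXTS.values() for e in exts}
HEAD_LEN = max(len(f) for f in FEATURE_TO_EXTS)  # body bytes needed to decide

# Simplified TCP segment; a real sensor would take these from a pcap reader.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload syn ack",
                    defaults=(b"", False, False))

def request_target(payload):
    """'GET /a/b.exe HTTP/1.1' -> '/a/b.exe'; None if not an HTTP request line."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/"):
        return parts[1].decode("latin-1")
    return None

def extension_of(target):
    """Extension of the last path segment, query string ignored (S107)."""
    name = urlsplit(target).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() or None if "." in name else None

def match_header(head):
    """Extension set of the longest feature the content starts with (S112-S113);
    with no binary match this is the plain-text set, whose feature is empty."""
    best = max((f for f in FEATURE_TO_EXTS if f and head.startswith(f)),
               key=len, default=b"")
    return FEATURE_TO_EXTS[best]

class Detector:
    def __init__(self):
        self.conns, self.alerts = {}, []

    def feed(self, p):
        key = tuple(sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)]))  # both directions -> one key
        if p.syn and not p.ack:  # S105: the SYN's destination is the server
            self.conns[key] = SimpleNamespace(
                server=(p.dst_ip, p.dst_port), client=(p.src_ip, p.src_port),
                ext1=None, body=b"", header_done=False, done=False)
            return
        conn = self.conns.get(key)
        if conn is None or conn.done or not p.payload:
            return
        if (p.src_ip, p.src_port) == conn.server:
            self._from_server(conn, p.payload)  # S109-S114
        elif (target := request_target(p.payload)):  # S106-S107: request with a URL
            ext = extension_of(target)
            if ext in VALID_EXTS:
                conn.ext1 = ext   # S108: "extension 1", tied to this 4-tuple
            else:
                conn.done = True  # S108: no valid extension, stop watching

    def _from_server(self, conn, payload):
        if conn.ext1 is None:  # S109: no extension associated yet
            return
        conn.body += payload
        if not conn.header_done:  # S111: file content starts after the header
            end = conn.body.find(b"\r\n\r\n")
            if end < 0:
                return
            conn.body, conn.header_done = conn.body[end + 4:], True
        if len(conn.body) < HEAD_LEN:
            return  # header-only segment: wait for the next one in this direction
        exts2 = match_header(conn.body[:HEAD_LEN])
        if conn.ext1 not in exts2:  # S114: extension 1 matches none of set 2
            self.alerts.append({"client": conn.client, "server": conn.server, "ext1": conn.ext1,
                                "exts2": exts2, "head": conn.body[:HEAD_LEN].hex()})
        conn.done = True  # S115

def run(packets):
    det = Detector()
    for p in packets:
        det.feed(p)
    return det.alerts

def http_exchange(cport, target, body, split=False):
    """Constructed handshake + GET + 200 response; split=True delivers the body in
    a second segment after a header-only one (the S111 'next message' case)."""
    c, s = ("10.0.0.5", cport), ("203.0.113.10", 80)
    req = f"GET {target} HTTP/1.1\r\nHost: files.example\r\n\r\n".encode()
    hdr = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
    resp = [Packet(*s, *c, hdr), Packet(*s, *c, body)] if split else [Packet(*s, *c, hdr + body)]
    return [Packet(*c, *s, syn=True), Packet(*s, *c, syn=True, ack=True), Packet(*c, *s, req)] + resp

SAMPLE_TRAFFIC = (  # constructed, not captured
    http_exchange(40001, "/img/logo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
    + http_exchange(40002, "/pics/cute.jpg", b"MZ\x90\x00\x03\x00\x00\x00\x04", split=True)
    + http_exchange(40003, "/files/readme.txt?v=2", b"Hello, world!\n"))

if __name__ == "__main__":
    print(*run(SAMPLE_TRAFFIC), sep="\n")
```

Run on the constructed traffic, only the second connection is reported: the client asked for cute.jpg, but the body begins with MZ, which the table maps to exe/dll. Three things the patent does not address and a sensor built this way has to handle: a response with Content-Encoding: gzip or a chunked transfer coding does not start with the file's own header bytes (the first bytes are 1F 8B, or a hexadecimal chunk length), so the body must be decoded before the check; an error or redirect page returned for a URL with a binary extension falls into the plain-text set and raises a false alarm; and the method sees nothing inside HTTPS.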

Claims (5)

1. A method for detecting unknown viruses, characterised by comprising:
Step a: capture a network packet and protocol-decode it to obtain the data message of the packet;
Step b: analyse the transmission direction of the data message; if the direction is not from the server to the client, go to step c; otherwise go to step e;
Step c: isolate the request message carrying the URL from the data message and protocol-decode it, extracting the file name contained in the URL of the request;
Step d: judge whether the extension of the file name is stored in the file-extension list; if so, record the extension of the URL as a valid extension, associate it with the current connection, and return to step a to obtain the next packet; otherwise end detection of the current connection. The file-extension list stores the file header features of known file types and the corresponding file extensions; the current connection is the TCP connection of the packet;
Step e: judge whether the current connection has a valid extension associated with it; if so, save it as the first extension; otherwise return to step a to obtain the next packet;
Step f: protocol-decode the data message and, starting from the beginning of its file data, search for a match against the file header features in the file-extension list; if a match is found, record the file extensions corresponding to that header feature as the second extension; otherwise end detection;
Step g: compare the first extension with the second extension; if they differ, judge the file transmitted by the packet to be a threat file; otherwise end detection of the current connection.
2. The method of claim 1, characterised in that the file header features in the file-extension list are obtained by examining the content at the start of files of known file types: if two or more files of the same type share an identical binary string longer than 1 byte, at most 8 bytes of that string are extracted as the file header feature string.
3. The method of claim 2, characterised in that an empty file header feature is used if the file type is plain text.
4. The method of claim 1, characterised in that step a comprises capturing network packets, protocol-decoding them, and separating out the FTP and HTTP data messages.
5. The method of claim 1, characterised in that analysing the transmission direction of the data message comprises tracking the handshake segments of the current TCP connection, taking the destination IP address of the SYN segment or the source IP address of the SYN-ACK segment as the server IP address, and determining the direction of the data message from the server IP address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210578054.7A CN103428195B (en) 2012-12-27 2012-12-27 A kind of method of unknown virus detection

Publications (2)

Publication Number Publication Date
CN103428195A true CN103428195A (en) 2013-12-04
CN103428195B CN103428195B (en) 2016-09-07

Family

ID=49652375

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210578054.7A Active CN103428195B (en) 2012-12-27 2012-12-27 A kind of method of unknown virus detection

Country Status (1)

Country Link
CN (1) CN103428195B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030131259A1 (en) * 2002-01-10 2003-07-10 Barton Christopher Andrew Transferring data via a secure network connection
CN1960246A (en) * 2006-09-18 2007-05-09 白杰 Method for filtering out harmfulness data transferred between terminal and destination host in network
CN101382984A (en) * 2007-09-05 2009-03-11 江启煜 Method for scanning and detecting generalized unknown virus
CN101350745A (en) * 2008-08-15 2009-01-21 北京启明星辰信息技术股份有限公司 Intrude detection method and device
CN102801740A (en) * 2012-08-30 2012-11-28 苏州山石网络有限公司 Trojan horse virus prevention method and equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张润峰 (Zhang Runfeng): "基于特征标识的文件类型识别与匹配" (File type identification and matching based on feature signatures), 《计算机安全》 (Computer Security) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506630A (en) * 2016-10-27 2017-03-15 中国科学院信息工程研究所 A kind of hostile network behavior based on HTTP content consistencies finds method
CN107766505A (en) * 2017-10-20 2018-03-06 维沃移动通信有限公司 A kind of file management method and terminal
CN108540480A (en) * 2018-04-19 2018-09-14 中电和瑞科技有限公司 A kind of gateway and the file access control method based on gateway
CN112367210A (en) * 2021-01-12 2021-02-12 武汉思普崚技术有限公司 Method for rapidly checking configuration change
CN112367210B (en) * 2021-01-12 2021-04-02 武汉思普崚技术有限公司 Method for rapidly checking configuration change
CN113779580A (en) * 2021-09-14 2021-12-10 展讯通信(天津)有限公司 File identification method and electronic terminal equipment
CN113922992A (en) * 2021-09-18 2022-01-11 成都安恒信息技术有限公司 Attack detection method based on HTTP session
CN113922992B (en) * 2021-09-18 2024-06-07 成都安恒信息技术有限公司 Attack detection method based on HTTP session

Also Published As

Publication number Publication date
CN103428195B (en) 2016-09-07

Similar Documents

Publication Publication Date Title
JP5003556B2 (en) Communication detection device, communication detection method, and communication detection program
CN103428195A (en) Unknown virus detecting method
CN102810138B (en) A kind of restorative procedure of user side file and system
CN101291323B (en) Using partly determination finite automatic mode matching for network attack detection
CN107454109A (en) A kind of network based on HTTP flow analyses is stolen secret information behavioral value method
Shin et al. Malware prevalence in the KaZaA file-sharing network
CN104378283A (en) Sensitive email filtering system and method based on client/server mode
CN101834866A (en) CC (Communication Center) attack protective method and system thereof
US9866583B2 (en) Fuzzing server responses to malicious client devices
CN112383546A (en) Method for processing network attack behavior, related device and storage medium
CN104396220A (en) Method and device for secure content retrieval
CN109922062B (en) Source code leakage monitoring method and related equipment
JP6524789B2 (en) Network monitoring method, network monitoring program and network monitoring device
CN102404741A (en) Method and device for detecting abnormal online of mobile terminal
JP5752642B2 (en) Monitoring device and monitoring method
WO2013010394A1 (en) Internet virus detection method, apparatus thereof and system thereof
CN112019516A (en) Access control method, device, equipment and storage medium for shared file
KR101487476B1 (en) Method and apparatus to detect malicious domain
CN116107846A (en) Linux system event monitoring method and device based on EBPF
WO2022166166A1 (en) Function verification method and apparatus for security component
CN114172726A (en) Access control method and system based on container environment
CN102761535A (en) Virus monitoring method and equipment
CN112424778A (en) Information processing device, information processing method, and information processing program
Small et al. To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads.
CN101662357A (en) Method for accessing secure gateway client

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100080 Beijing city Haidian District minzhuang Road No. 3, Tsinghua Science Park Building 1 Yuquan Huigu a

Patentee after: Beijing ahtech network Safe Technology Ltd

Address before: 100080 Haidian District City, Zhongguancun, the main street, No. 1 Hailong building, room 1415, room 14

Patentee before: Beijing Antiy Electronic Installation Co., Ltd.

CP03 Change of name, title or address
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Unknown virus detecting method

Effective date of registration: 20190719

Granted publication date: 20160907

Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch

Pledgor: Beijing ahtech network Safe Technology Ltd

Registration number: 2019230000008

PE01 Entry into force of the registration of the contract for pledge of patent right
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20210810

Granted publication date: 20160907

Pledgee: Bank of Longjiang Limited by Share Ltd. Harbin Limin branch

Pledgor: BEIJING ANTIY NETWORK TECHNOLOGY Co.,Ltd.

Registration number: 2019230000008

PC01 Cancellation of the registration of the contract for pledge of patent right