CN103997489A - Method and device for recognizing DDoS bot network communication protocol - Google Patents
Publication number: CN103997489A (application CN201410196838.2A)
Authority: CN (China)
Prior art keywords: attack, message, byte, server, bot
Legal status: Granted
Landscapes: Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract
The invention relates to the technical field of computer network security, and in particular to a method and device for recognizing a DDoS botnet communication protocol. The method comprises the steps of: acquiring the command messages and communication messages exchanged between a bot running on a host and servers; determining, from the acquired communication messages, the attack attribute information of each class of attack in every attack; determining the attack command messages from the acquired command messages according to that attack attribute information; and determining the characteristic information of the attack command messages according to the attack command messages and/or the attack attribute information. The technical complexity is low, and timely early warning of emerging C&C protocols can be achieved.
Description
Technical field
The present invention relates to the field of computer network security technology, and in particular to a method and device for recognizing a DDoS botnet communication protocol.
Background technology
A botnet is a network in which one or more communication means are used to infect a large number of hosts with a bot (bot program), so that a one-to-many control relationship is formed between the controller and the infected hosts. The attacker who controls a botnet typically uses it for profit through DDoS (Distributed Denial of Service) attacks, bank card password theft, spam sending, sensitive information theft and similar attack patterns.
In order to discover botnet-based DDoS attacks early, active tracking technology is often used to study them. Active tracking means impersonating a bot of a given DDoS botnet, actively connecting to its C&C (Command and Control) server, receiving and parsing the instructions it sends without actually executing them, and saving and outputting the parsed instructions in log form.
Tracking a given botnet requires understanding its C&C protocol and writing a corresponding tracking program that actively connects to the C&C server and can receive, parse and save the other side's instructions. There are currently two conventional methods for automatically parsing a C&C protocol. The first is based on virtual-machine emulated execution. Its drawback is that the technology is very complex, and capturing the bot's actions through command emulation slows down the execution of the bot sample, so it may be detected by the botnet controller; its practical feasibility is therefore poor, and timely early warning of emerging C&C protocols cannot be given.
The other method is to directly analyze the C&C communication messages (the communication between the bot and the C&C server is referred to here as C&C communication) and to analyze the C&C protocol automatically with statistics and machine learning. The drawback of this technique is that it requires a large number of C&C communication messages as the basis for machine learning, which is difficult to satisfy in practice, so timely early warning of emerging C&C protocols again cannot be given.
In summary, the prior art parses C&C protocols with high technical complexity, may be detected by the botnet controller, and requires a large number of C&C communication messages as the basis for machine learning; as a result it cannot give timely early warning of emerging C&C protocols.
Summary of the invention
Embodiments of the present invention provide a method and device for recognizing a DDoS botnet communication protocol, in order to solve the problem that the prior art cannot give timely early warning of emerging C&C protocols.
The specific technical solution provided by the embodiments of the present invention is as follows:
A method of identifying a DDoS botnet communication protocol, comprising:
obtaining the command messages and communication messages exchanged between a bot program (bot) running on a host and servers;
determining, from the obtained communication messages, the attack attribute information of each class of attack in every attack;
determining the attack command messages from the obtained command messages according to the attack attribute information of each class of attack in every attack;
determining the attack command message characteristic information according to the attack command messages and the attack attribute information.
Preferably, if no C&C communication has occurred and the C&C server has been determined, the messages transmitted between the bot and the C&C server are taken as command messages, and the messages transmitted between the bot and non-C&C servers are taken as communication messages;
if no C&C communication has occurred and the C&C server has not been determined, the server the bot is currently communicating with is taken as the C&C server, the messages transmitted between the bot and that C&C server are taken as command messages, and the messages transmitted between the bot and non-C&C servers are taken as communication messages;
if C&C communication has occurred, the messages currently transmitted between the bot and servers whose destination IP address and destination port are identical to the destination IP address and destination port of the C&C communication messages are taken as command messages, and the messages whose destination IP address and destination port are not identical to those of the C&C communication messages are taken as communication messages.
Preferably, according to the attack attribute information of each class of attack in every attack, the command message received last before an attack starts is determined as the attack start command;
according to the attack attribute information of each class of attack in every attack, the command message received last before an attack stops is determined as the attack stop command;
and the attack start command and the attack stop command are taken as the attack command messages.
Preferably, the attack command message characteristic information comprises some or all of the following:
the offset and encoding of the message type field;
the offset and encoding of the attack type field;
the offset and encoding of the attack target and port fields;
the offset and encoding of the parameters specific to the attack type.
Preferably, the byte content that is identical at the same byte offset in all attack start command messages is determined, and that identical byte content together with the corresponding byte offsets is placed in an attack start set; the byte content that is identical at the same byte offset in all attack stop command messages is determined, and that identical byte content together with the corresponding byte offsets is placed in an attack stop set;
the byte content that differs at the same byte offset between the attack start set and the attack stop set, and the byte count of that differing content, are determined, and the differing byte content, its byte count and its byte offset are taken as the offset and encoding of the message type field.
Preferably, the byte content that differs at the same byte offset across the attack start command messages is determined, and that differing byte content together with the corresponding byte offsets is placed in an attack start complement set;
the attack attribute information is classified into groups whose attack type is identical but whose attack targets differ; for each class of attack, the byte content that is identical at the same byte offset between the corresponding attack start commands and the attack start complement set is determined; the attack type field is determined from that identical byte content; and the determined attack type field, its byte offset and its byte count are taken as the offset and encoding of the attack type field.
Preferably, the byte offsets of the attack target and port within the attack start command, and the number of bytes they occupy, are determined, and those byte offsets and byte counts are taken as the offset and encoding of the attack target and port fields;
the attack target and port comprise some or all of the following:
the destination IP address; the destination port; the source IP address; the source port.
The device for identifying a DDoS botnet communication protocol provided by embodiments of the present invention comprises:
a network behavior capture module, configured to obtain the command messages and communication messages exchanged between the bot running on the host and servers, and to determine from the obtained communication messages the attack attribute information of each class of attack in every attack;
an association module, configured to determine the attack command messages from the obtained command messages according to the attack attribute information of each class of attack in every attack, and to determine the attack command message characteristic information according to the attack command messages and the attack attribute information.
Preferably, the network behavior capture module is specifically configured such that: if C&C communication has occurred and the C&C server has been determined, the messages transmitted between the bot and the C&C server are taken as command messages, and the messages transmitted between the bot and non-C&C servers are taken as communication messages;
if no C&C communication has occurred and the C&C server has not been determined, the server the bot is currently communicating with is taken as the C&C server, the messages transmitted between the bot and that C&C server are taken as command messages, and the messages transmitted between the bot and non-C&C servers are taken as communication messages;
if C&C communication has occurred, the messages currently transmitted between the bot and servers whose destination IP address and destination port are identical to the destination IP address and destination port of the C&C communication messages are taken as command messages, and the messages whose destination IP address and destination port are not identical to those of the C&C communication messages are taken as communication messages.
Preferably, the network behavior capture module is specifically configured to: determine from the obtained communication messages that an attack is occurring when the number of specific communication messages sent by the bot within a set duration exceeds a threshold, and, after the attack ends, determine the message attribute parameters of the specific communication messages from those obtained during the attack, where a specific communication message is an obtained communication message whose source IP address is not the IP address of the host currently running the bot;
and determine the attack attribute information of each class of attack in every attack according to the message attribute parameters of the specific communication messages.
Preferably, the association module is specifically configured to: determine, according to the attack attribute information of each class of attack in every attack, the command message received last before an attack starts as the attack start command;
determine, according to the attack attribute information of each class of attack in every attack, the command message received last before an attack stops as the attack stop command;
and take the attack start command and the attack stop command as the attack command messages.
Preferably, the attack command message characteristic information comprises some or all of the following:
the offset and encoding of the message type field; the offset and encoding of the attack type field; the offset and encoding of the attack target and port fields; the offset and encoding of the parameters specific to the attack type.
Preferably, the association module is specifically configured to: determine the byte content that is identical at the same byte offset in all attack start command messages and place that identical byte content together with the corresponding byte offsets in an attack start set, and determine the byte content that is identical at the same byte offset in all attack stop command messages and place that identical byte content together with the corresponding byte offsets in an attack stop set;
determine the byte content that differs at the same byte offset between the attack start set and the attack stop set, and the byte count of that differing content, and take the differing byte content, its byte count and its byte offset as the offset and encoding of the message type field.
Preferably, the association module is specifically configured to: determine the byte content that differs at the same byte offset across the attack start command messages, and place that differing byte content together with the corresponding byte offsets in an attack start complement set;
classify the attack attribute information into groups whose attack type is identical but whose attack targets differ; for each class of attack, determine the byte content that is identical at the same byte offset between the corresponding attack start commands and the attack start complement set; determine the attack type field from that identical byte content; and take the determined attack type field, its byte offset and its byte count as the offset and encoding of the attack type field.
Preferably, the association module is specifically configured to: determine the byte offsets of the attack target and port within the attack start command and the number of bytes they occupy, and take those byte offsets and byte counts as the offset and encoding of the attack target and port fields;
the attack target and port comprise some or all of the following:
the destination IP address; the destination port; the source IP address; the source port.
According to the method provided by the embodiments of the present invention, the network behavior exhibited by the bot is always bound to C&C instructions: the bot's network behavior embodies the semantics of the C&C instruction, so understanding the semantics of a C&C instruction can be converted into understanding the bot's network behavior. By understanding the bot's network behavior, the semantics of the C&C instruction are understood, and the format characteristics of the C&C command messages can then be output. To obtain the bot's network behavior, the bot is run on a host and the communication between the bot and external servers is controlled. When the bot communicates with the C&C server, the command messages are recorded; when the bot communicates with non-C&C servers, the communication messages that carry attack behavior are identified and analyzed, so that it is confirmed when an attack of which type was launched against which victim, and after each attack ends the communication messages carrying attack behavior are summarized into the attack attribute information of each class of attack in that attack. Finally, the attack command messages within the command messages are determined according to the attack attribute information of each class of attack, the attack command messages are associated with the attack attribute information, the different attack command messages are analyzed separately to find their features, and a description of the command message format features is output.
Brief description of the drawings
Fig. 1 is the flow chart of the method for identifying a DDoS botnet communication protocol provided by embodiment one of the present invention;
Fig. 2 is the flow chart of a method for obtaining command messages and communication messages provided by embodiment two of the present invention;
Fig. 3 is the structural diagram of the device for identifying a DDoS botnet communication protocol provided by embodiment three of the present invention.
Embodiments
Embodiments of the present invention provide a method and device for recognizing a DDoS botnet communication protocol. By obtaining the command messages and communication messages between the bot and external servers, the specific communication messages carrying attack behavior among the communication messages are summarized to obtain the attack attribute information of each class of attack message; the attack command messages within the command messages are confirmed by means of the attack attribute information of each class of attack message; and the attack command messages are associated with the attack attribute information of each class of attack message, so that the features of the command message format are described.
Embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1, the method for identifying a DDoS botnet communication protocol provided by embodiment one of the present invention comprises:
Step 101: obtain the command messages and communication messages exchanged between the bot program (bot) running on the host and servers;
Step 102: determine the attack attribute information in every attack from the obtained communication messages;
Step 103: determine the attack command messages from the obtained command messages according to the attack attribute information of each class of attack in every attack;
Step 104: determine the attack command message characteristic information according to the attack command messages and/or the attack attribute information.
In the process of obtaining the command messages and communication messages exchanged between the bot running on the host and servers, a large number of messages is captured, and some of them are normal messages that need not be recorded. To reduce the number of useless messages captured, a whitelist can be set up in which server addresses are pre-configured, for example the domain names of websites such as Google, Sohu and Sina, so that the bot can access them before C&C communication starts. When no communication between the bot and the C&C server has been detected, communication messages between the bot and the servers in the whitelist are let through directly, and the pass-through is logged. The number of server addresses in the whitelist is user-defined, and may of course be zero. In general, about 500 normal, commonly used website addresses can be pre-configured in the whitelist.
At the same time, in order to better control the bot's communication behavior, the bot can be run inside a virtual machine, so that it cannot communicate freely with external servers. This has a large advantage: after the bot receives an attack command, its communication can be controlled so that it is not allowed to send attack messages outward, which reduces the victim's losses. The obtained messages are of two kinds, command messages and communication messages; during capture, a message transmitted between the bot and a server is classified as a command message or a communication message according to predefined conditions.
Preferably, obtaining the command messages and communication messages exchanged between the bot program (bot) running on the host and servers comprises:
if no C&C communication has occurred and the C&C server has been determined, the messages transmitted between the bot and the C&C server are taken as command messages, and the messages transmitted between the bot and non-C&C servers are taken as communication messages;
if no C&C communication has occurred and the C&C server has not been determined, the server the bot is currently communicating with is taken as the C&C server, the messages transmitted between the bot and that C&C server are taken as command messages, and the messages transmitted between the bot and non-C&C servers are taken as communication messages;
if C&C communication has occurred, the messages currently transmitted between the bot and servers whose destination IP address and destination port are identical to the destination IP address and destination port of the C&C communication messages are taken as command messages, and the messages whose destination IP address and destination port are not identical to those of the C&C communication messages are taken as communication messages.
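The whitelist pass-through and the three classification cases above, implemented over a captured message stream as an added example (this is not code from the patent; the bot host address, the server endpoints and the whitelist entry are constructed sample values):

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values: the bot host's address and the resolved address of one
# pre-configured "normal" site are assumptions made for this example.
BOT_IP = "10.0.0.5"
WHITELIST = {"93.184.216.34"}


@dataclass(frozen=True)
class Msg:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class MessageClassifier:
    """Sorts captured bot traffic into command messages (bot <-> C&C server) and
    communication messages (bot <-> any other server) following the three cases in
    the description. Whitelisted servers are let through and logged while no C&C
    communication has been observed yet."""

    def __init__(self, known_cc: Optional[Tuple[str, int]] = None):
        self.cc = known_cc            # (ip, port) of the C&C server, if already determined
        self.cc_seen = False          # becomes True once C&C communication has occurred
        self.commands: List[Msg] = []
        self.communications: List[Msg] = []
        self.passed: List[Msg] = []   # whitelist pass-through log

    @staticmethod
    def peer(m: Msg) -> Tuple[str, int]:
        """The remote endpoint of a message as seen from the bot host."""
        if m.src_ip == BOT_IP:
            return (m.dst_ip, m.dst_port)
        return (m.src_ip, m.src_port)

    def classify(self, m: Msg) -> str:
        ip, port = self.peer(m)
        if not self.cc_seen:
            if ip in WHITELIST:
                # Whitelist traffic before C&C starts is passed and logged, not recorded.
                self.passed.append(m)
                return "whitelisted"
            if self.cc is None:
                # Case 2: no C&C communication yet and no known server: the server the
                # bot is currently talking to is taken as the C&C server.
                self.cc = (ip, port)
            # Case 1: no C&C communication yet but the server is known: compare below.
        # Case 3: compare the destination IP and port with those of the C&C communication.
        if (ip, port) == self.cc:
            self.cc_seen = True
            self.commands.append(m)
            return "command"
        self.communications.append(m)
        return "communication"


def split_capture(msgs: List[Msg], known_cc=None) -> Tuple[List[Msg], List[Msg]]:
    """Run the classifier over a capture; returns (command messages, communication messages)."""
    clf = MessageClassifier(known_cc)
    for m in msgs:
        clf.classify(m)
    return clf.commands, clf.communications


# Constructed capture: a whitelisted lookup, the first C&C exchange, then flood traffic.
SAMPLE = [
    Msg(0.0, BOT_IP, 40001, "93.184.216.34", 80, b"GET / HTTP/1.1"),
    Msg(1.0, BOT_IP, 40002, "203.0.113.10", 6667, b"HELLO"),
    Msg(1.2, "203.0.113.10", 6667, BOT_IP, 40002, b"START ..."),
    Msg(2.0, BOT_IP, 40003, "198.51.100.7", 80, b"junk"),
    Msg(2.1, BOT_IP, 40003, "198.51.100.7", 80, b"junk"),
]

if __name__ == "__main__":
    cmds, comms = split_capture(SAMPLE)
    print(len(cmds), "command messages;", len(comms), "communication messages")
```

The replies from the C&C endpoint are matched on their source IP and port, which is the same endpoint comparison the description applies to the destination of bot-originated messages; a whitelist hit never becomes the provisional C&C server, so a sandboxed bot that first reaches a well-known site does not mislead case 2.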
Not every obtained communication message is one that needs to be used; the embodiments of the present invention need the messages that carry attack behavior, so those messages must be identified among the obtained communication messages.
To filter the specific communication messages carrying attack behavior out of the obtained communication messages, a DDoS attack behavior feature library can be used to judge all communication messages. The library contains the known types of DDoS attack behavior features, so the specific communication messages carrying attack behavior can be determined quickly and accurately against it. The specific communication messages can also be determined in a user-defined way, by setting judgment conditions on the features of DDoS attack behavior, for example detecting whether the source IP address of a message sent by the bot matches the IP address of the host running the bot, or whether the number of messages sent per unit time exceeds a certain threshold. These are existing techniques and are not described further here.
Determining, from the obtained communication messages, the attack attribute information of each class of attack in every attack comprises:
determining from the obtained communication messages that an attack is occurring when the number of specific communication messages sent by the bot within a set duration exceeds a threshold, and, after the attack ends, determining the message attribute parameters of the specific communication messages from those obtained during the attack, where a specific communication message is an obtained communication message whose source IP address is not the IP address of the host currently running the bot; and determining the attack attribute information of each class of attack in every attack according to the message attribute parameters of the specific communication messages.
After the communication messages carrying attack behavior have been determined, and after each attack ends, attack parameters are extracted from these messages according to the different attack types.
The attack parameters include but are not limited to some or all of the following: the start time of each type of attack, the duration of each type of attack, the attack type, the attack target IP address, the attacked port, the source port used and the source IP address.
For some special attacks, parameters particular to the attack are also included, for example the uniform resource identifier (URI) of an HTTP flood attack and the average packet length of a UDP (User Datagram Protocol) flood attack. Some or all of the above parameters are summarized, and the statistics are taken as the attack attribute information of each class of attack.
Specifically, the attack attribute information includes but is not limited to some or all of the following:
the attack stream start time;
the attack stream end time;
the start time of each class of attack;
the duration of each class of attack;
the attack type;
the destination IP address and destination port;
the source port and source IP address;
the URI of an HTTP flood attack;
the average packet length of a UDP flood attack.
After the bot receives an attack command it sends attack messages towards the attack target. To prevent the target from actually being attacked, these attack messages can be terminated, and the responses the victim would make to the bot's attack messages can be simulated at the same time, so that the monitoring of the bot's communication is not discovered.
The command messages also contain many useless messages, so the attack command messages within them must be determined according to the attack attribute information of each class of attack in every attack, as derived from the specific communication messages among the communication messages; the attack command messages comprise the attack start command and the attack stop command.
Preferably, according to the attack attribute information of each class of attack in every attack, the command message received last before an attack starts is determined as the attack start command; according to the attack attribute information of each class of attack in every attack, the command message received last before an attack stops is determined as the attack stop command; and the attack start command and the attack stop command are taken as the attack command messages.
When command messages are recorded, their send and receive times are recorded as well. The attack attribute information of each class of attack in every attack, determined from the specific communication messages, includes the attack start time and the attack end time, so the command message last received before the attack start time is determined as the attack start command, and likewise the command message last received before the attack end time is determined as the attack stop command.
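The threshold-based attack detection and attribute extraction described above, followed by the time correlation that picks the attack start and stop commands, as one added example (not the patent's own code). The window, threshold, bot host address and the flood capture are constructed assumptions; the handling of an attack that ends without a separate stop command is an assumption the description does not spell out:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed parameters: the bot host's IP, the detection window and the threshold
# (the description leaves their values to the operator).
BOT_IP = "10.0.0.5"
WINDOW = 1.0      # seconds
THRESHOLD = 5     # specific messages within WINDOW that indicate an attack


@dataclass(frozen=True)
class Packet:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str    # "UDP", "TCP", "HTTP": used as the attack type label here
    length: int


@dataclass(frozen=True)
class Command:
    ts: float       # receive time recorded with every command message
    payload: bytes


def specific_messages(comms: List[Packet]) -> List[Packet]:
    """Communication messages whose source IP is not the bot host's own IP
    (the description's definition of a 'specific communication message')."""
    return [p for p in comms if p.src_ip != BOT_IP]


def detect_attacks(comms: List[Packet], window: float = WINDOW, threshold: int = THRESHOLD) -> List[Dict]:
    """Per (protocol, target IP, target port), declare an attack once more than
    `threshold` specific messages fall inside `window` seconds, then summarize the
    flow into the attack attribute information listed in the description."""
    groups: Dict[tuple, List[Packet]] = defaultdict(list)
    for p in sorted(specific_messages(comms), key=lambda p: p.ts):
        groups[(p.proto, p.dst_ip, p.dst_port)].append(p)
    attacks = []
    for (proto, dip, dport), pkts in groups.items():
        first = None
        for i in range(len(pkts)):
            j = i
            while j < len(pkts) and pkts[j].ts - pkts[i].ts <= window:
                j += 1
            if j - i > threshold:
                first = i
                break
        if first is None:
            continue   # threshold never crossed: not an attack
        flow = pkts[first:]
        attacks.append({
            "type": proto + "_flood",
            "start": flow[0].ts,
            "end": flow[-1].ts,
            "duration": flow[-1].ts - flow[0].ts,
            "dst_ip": dip, "dst_port": dport,
            "src_ip": flow[0].src_ip, "src_port": flow[0].src_port,
            "avg_len": sum(p.length for p in flow) / len(flow),
        })
    return attacks


def correlate(commands: List[Command], attacks: List[Dict]) -> List[Dict]:
    """Attach to each attack the command last received before its start (attack start
    command) and the command last received before its end (attack stop command)."""
    cmds = sorted(commands, key=lambda c: c.ts)
    paired = []
    for a in attacks:
        start_cmd = next((c for c in reversed(cmds) if c.ts <= a["start"]), None)
        stop_cmd = next((c for c in reversed(cmds) if c.ts <= a["end"]), None)
        if stop_cmd is start_cmd:
            stop_cmd = None   # assumption: no command arrived during the attack, so it ended on its own
        paired.append({**a, "start_cmd": start_cmd, "stop_cmd": stop_cmd})
    return paired


# Constructed capture: one normal connection by the bot, then a spoofed-source UDP flood
# against 198.51.100.7:80 at ten packets per second for about six seconds.
SAMPLE_COMMS = [Packet(0.2, BOT_IP, 40001, "93.184.216.34", 443, "TCP", 120)] + [
    Packet(1.0 + i / 10, "192.0.2.77", 5000 + i, "198.51.100.7", 80, "UDP", 512) for i in range(60)
]
SAMPLE_COMMANDS = [Command(0.1, b"HELLO"), Command(0.5, b"START"),
                   Command(3.0, b"PING"), Command(6.5, b"STOP")]

if __name__ == "__main__":
    for a in correlate(SAMPLE_COMMANDS, detect_attacks(SAMPLE_COMMS)):
        print(a["type"], a["dst_ip"], a["dst_port"], a["start_cmd"].payload, a["stop_cmd"].payload)
```

The bot's own connection to the normal site is excluded by the source-IP rule, and the PING command in the middle of the flood is ignored because only the last command before the start time and the last before the end time are selected.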
According to described strike order message and/or described attack attribute information, determine and attack instruction message characteristic information, comprising:
Associate Command message after obtaining attacking attribute information, differentiation is resolved different command message and is found its feature, thereby obtains the description to command message format character.
Preferably, attack instruction message characteristic information comprise in following message partly or entirely:
The skew of type of message field and coding; The skew of attack type field and coding; The skew of target of attack and peer-port field and coding; The skew of particular attack type relevant parameter and coding.
After obtaining command message and each attack attribute information of attacking, just can analyze the feature of command message, concrete analytical procedure is as follows:
Message content to all commence firing instructions, compares to last byte from first byte, finds out identical byte, by identical byte content the byte offset of this byte in message carry out record.Structure to all message comparisons is added up, to byte content in the statistics obtaining, byte number and byte offset are exported with certain format, preferably to comprise: the isoparametric tabular form output of skew, the byte number in message and the content in message in message, is designated as range_list1.
Message content to all attack halt instructions, compares to last byte from first byte, finds out identical byte, by identical byte content the byte offset of this byte in message carry out record.Structure to all message comparisons is added up, to byte content in the statistics obtaining, byte number and byte offset are exported with certain format, preferably to comprise: the isoparametric tabular form output of skew, the byte number in message and the content in message in message, is designated as range_list2.
Utilization is mated range_list1 and range_list2, the scope that matches their byte offset is identical but part that byte content is different, using this part content as " type of message " field, the result obtaining is exported with certain format, preferably to comprise: the isoparametric tabular form of the skew in message, the byte number in message, the value in message and type of message is exported, and is designated as skew and the coding of type of message field.
Preferably, determine in all commence firing instruction messages identical byte content in same byte offset, and the identical byte content of determining and corresponding byte offset are divided in commence firing set, and determine in all attack halt instruction messages identical byte content in same byte offset, and the identical byte content of determining and corresponding byte offset are divided in and are attacked in Stopping set;
Determine in the set of described commence firing and described attack Stopping set byte content different in same byte offset and the byte number of described different byte content, and the skew using definite described different byte content, the byte number of described different byte content and the byte offset of described different byte content as type of message field.
Message content to all commence firing instructions, from first byte to last byte, find out not identical part, the result obtaining is exported with certain format, preferably to comprise: the isoparametric tabular form output of the displacement in message, the byte number in message and the content in message, is designated as range_list3.
The attack attribute information that the every class obtaining is attacked is sorted out according to the point-score of " attack type is identical but target of attack different ", the commence firing instruction of more every class being attacked searches out byte offset is identical and byte content is identical part as common factor in range_list3, then from the common factor of all classification, find out " attack type " field, the result obtaining is exported with certain format, preferably to comprise: the skew in message, byte number in message, the isoparametric tabular form output of value in message and attack type, be designated as skew and the coding of attack type field.
Preferably, the byte contents that differ at the same byte offset in all attack-start instruction messages are determined, and the differing byte contents together with their byte offsets are placed in an attack-start complement set;
The attack attribute information is classified by "same attack type but different attack target"; for each class, the byte contents in the attack-start complement set that are identical at the same byte offset across that class's attack-start instructions are determined; the attack-type field is determined from those identical byte contents; and the determined attack-type field, its byte offset and its byte count are taken as the offset and encoding of the attack-type field.
For all DDoS attacks, the occurrences of the destination IP, destination port, source IP, source port and so on are counted in the attack-start instruction; the result is output in a fixed format, preferably as a table target_list with the offset in the message, the number of bytes in the message and the field type in the message as parameters; the target_list tables of all DDoS attacks are then aggregated and recorded as the offset and encoding of the attack target and port field.
Preferably, the byte offset of the attack target and port in the attack-start instruction and the number of bytes they occupy are determined, and the determined byte offset and byte count of the attack target and port are taken as the offset and encoding of the attack target and port field;
The attack target and port comprise some or all of the following:
Destination Internet Protocol (IP) address; destination port; source IP address; source port.
For DDoS attacks whose application-layer payload format is known, the parameters related to the specific attack type that were counted, such as the URI and the fields in the HTTP header, are further determined in the attack-start instruction; the result is output in a fixed format, preferably as a table with the offset in the message, the number of bytes in the message and the field type in the message as parameters, and is recorded as the offset and encoding of the specific-attack-type parameters.
Finally, the obtained offset and encoding of the message-type field, the offset and encoding of the attack-type field, the offset and encoding of the attack target and port field, and the offset and encoding of the specific-attack-type parameters are taken as the description of the command message format features, and some or all of the above results are output.
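The set operations described above (attack-start set, attack-stop set, complement set, per-class intersection, target_list) carried out in Python on constructed samples; this is an added example, not code from the patent, and the 12-byte command layout, the attack records and all function names are assumptions made for the illustration.

```python
"""Added example, not the patent's own code: infer the message-type, attack-type and
target/port fields of a C&C command format from constructed attack-start and
attack-stop instructions, following the set operations described above."""
import socket
import struct
from collections import defaultdict

# Constructed toy C&C command layout (hypothetical, 12 bytes), used only to build samples:
#   byte 0    : message type (0x01 = start attack, 0x02 = stop attack)
#   byte 1    : attack type  (0x10 = SYN flood, 0x20 = HTTP flood)
#   bytes 2-5 : target IPv4 address, bytes 6-7: target port (big-endian)
#   bytes 8-11: constant marker b"BOT!"
def make_cmd(msg_type, attack_type, ip, port):
    return (bytes([msg_type, attack_type]) + socket.inet_aton(ip)
            + struct.pack(">H", port) + b"BOT!")

# Attack attribute information as it would be recovered from the attack traffic
# (constructed): (attack type, target IP, target port) for each observed attack.
ATTACKS = [
    ("syn", "198.51.100.10", 80),
    ("syn", "203.0.113.20", 443),
    ("http", "192.0.2.5", 80),
    ("http", "198.51.100.200", 8080),
]
CODE = {"syn": 0x10, "http": 0x20}
START = [make_cmd(0x01, CODE[t], ip, p) for t, ip, p in ATTACKS]  # last command before each attack
STOP = [make_cmd(0x02, CODE[t], ip, p) for t, ip, p in ATTACKS]   # last command before each stop

def common_bytes(msgs):
    """Attack-start set / attack-stop set: {offset: byte} identical across all msgs."""
    n = min(len(m) for m in msgs)
    return {i: msgs[0][i] for i in range(n) if all(m[i] == msgs[0][i] for m in msgs)}

def message_type_field(start_set, stop_set):
    """Offsets constant in both sets but with different values: the message-type field."""
    return {i: (start_set[i], stop_set[i])
            for i in start_set if i in stop_set and start_set[i] != stop_set[i]}

def attack_type_field(start_msgs, attacks):
    """Complement set (offsets that vary across all start instructions), then, per class of
    'same attack type, different target', the complement offsets constant within the class.
    Offsets constant inside every class but differing between classes form the field."""
    n = min(len(m) for m in start_msgs)
    varying = {i for i in range(n) if any(m[i] != start_msgs[0][i] for m in start_msgs)}
    by_type = defaultdict(list)
    for msg, (atype, _, _) in zip(start_msgs, attacks):
        by_type[atype].append(msg)
    const = {t: {i: v for i, v in common_bytes(ms).items() if i in varying}
             for t, ms in by_type.items()}
    shared = set.intersection(*(set(c) for c in const.values()))
    # Caveat: with few samples a target byte may be constant within a class by chance;
    # more attacks per class shrink that risk.
    return {i: {t: const[t][i] for t in const}
            for i in shared if len({const[t][i] for t in const}) > 1}

def target_field(start_msgs, attacks):
    """target_list: where the encoded destination IP / port appears in each start
    instruction; keep the (field, offset, length) entries found in every attack."""
    counts = defaultdict(int)
    for msg, (_, ip, port) in zip(start_msgs, attacks):
        for name, enc in (("dst_ip", socket.inet_aton(ip)), ("dst_port", struct.pack(">H", port))):
            off = msg.find(enc)
            if off >= 0:
                counts[(name, off, len(enc))] += 1
    return {k: v for k, v in counts.items() if v == len(attacks)}

def infer_format(start_msgs, stop_msgs, attacks):
    """Command message format description: offset and encoding of each field."""
    start_set, stop_set = common_bytes(start_msgs), common_bytes(stop_msgs)
    return {"msg_type": message_type_field(start_set, stop_set),
            "attack_type": attack_type_field(start_msgs, attacks),
            "target": target_field(start_msgs, attacks)}

if __name__ == "__main__":
    print(infer_format(START, STOP, ATTACKS))
```

Source IP and source port would be located the same way as the destination entries in target_field; they are omitted here because the constructed layout does not carry them.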
As shown in Figure 2, embodiment two of the present invention provides a method for determining command messages and communication messages. In order to obtain the needed command messages and communication messages from the messages exchanged between the bot and external servers, each message exchanged between the bot and an external server must be judged, according to the prevailing conditions, to be either a command message or a communication message. When no C&C communication has occurred, the messages are screened under the different conditions as command messages or communication messages; once C&C communication has occurred, it is judged whether the destination IP and destination port of the current communication are the same as those of the C&C communication; if they are, this communication is taken as command messages, otherwise it is taken as communication messages.
The specific flow is as follows:
Step 201: detect that the bot initiates a new communication with an external server;
Step 202: judge whether C&C communication has occurred before this communication; if no C&C communication has occurred, go to step 203, otherwise go to step 204;
Step 203: when no C&C communication has occurred before this communication, judge whether the C&C server has been determined; if the C&C server has not been determined, go to step 205, otherwise go to step 206;
Step 204: the messages between the bot and the C&C server are taken as command messages, and all other messages are taken as communication messages;
Step 205: when the C&C server has not been determined, the server the bot is currently communicating with is taken as the C&C server, the messages between the bot and the C&C server are taken as command messages, and all other messages are taken as communication messages;
Step 206: when the C&C server has been determined, judge whether the bot's communication target is the C&C server; if the bot's current communication target is not the C&C server, go to step 207, otherwise go to step 208;
Step 207: when the bot's current communication target is not the C&C server, the messages of this communication are determined to be communication messages;
Step 208: when the bot's current communication target is the C&C server, the messages transmitted between the bot and the C&C server are taken as command messages.
In this embodiment, detecting that the bot initiates a new communication connection refers to the bot initiating communication with an external server, for example the bot initiating a TCP connection; the messages need to be inspected when the connection begins, and from the time the TCP connection is established until it ends the messages in between need not be inspected again and are treated by default as communication between the bot and the C&C server. A whitelist can also be established at the same time, with server addresses pre-configured in it, for example the domain names of websites such as Google, Sohu and Sina, to ensure that the bot can access them before C&C communication starts; the number of server addresses in the whitelist can be any integer greater than or equal to zero. Likewise, when the bot is detected initiating a new communication with an external server, no C&C communication has been detected, and the bot is communicating with a server in the whitelist, the communication between the bot and the whitelisted server can be passed through directly, which reduces the number of irrelevant packets captured.
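The triage of steps 201 to 208 together with the whitelist pass-through, written as a small state machine over a constructed sequence of bot connections; this is an added example, not the patent's code. It assumes that C&C communication counts as "having occurred" once a connection has been classed as command messages, that the whitelist is keyed by destination address, and that the C&C server may either be pre-set or learned from the first non-whitelisted connection.

```python
"""Added example, not the patent's own code: command/communication message triage
following steps 201-208 plus the whitelist rule, over constructed connection records."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Flow:
    """One new connection initiated by the bot (constructed record). Only the start of a
    connection is inspected, so one Flow stands for the whole connection."""
    dst_ip: str
    dst_port: int
    payload: bytes

@dataclass
class Triage:
    whitelist: Set[str] = field(default_factory=set)   # pre-configured benign server addresses
    cc_server: Optional[Tuple[str, int]] = None         # (ip, port), pre-set or learned (step 205)
    cc_seen: bool = False                               # assumption: True once a command flow is seen
    command: List[Flow] = field(default_factory=list)
    communication: List[Flow] = field(default_factory=list)
    passed: List[Flow] = field(default_factory=list)    # whitelisted traffic let through uncaptured

    def classify(self, flow: Flow) -> str:
        key = (flow.dst_ip, flow.dst_port)
        # Whitelist pass-through applies only while no C&C communication has been seen.
        if not self.cc_seen and flow.dst_ip in self.whitelist:
            self.passed.append(flow)
            return "passed"
        if self.cc_seen:                         # step 202 -> step 204: compare dst IP and port
            if key == self.cc_server:
                self.command.append(flow)
                return "command"
            self.communication.append(flow)
            return "communication"
        if self.cc_server is None:               # step 203 -> step 205: adopt current server as C&C
            self.cc_server = key
            self.cc_seen = True
            self.command.append(flow)
            return "command"
        if key == self.cc_server:                # step 206 -> step 208
            self.cc_seen = True
            self.command.append(flow)
            return "command"
        self.communication.append(flow)          # step 206 -> step 207
        return "communication"

def run_demo():
    """Constructed sequence: benign site, then C&C, then a victim, then C&C again."""
    t = Triage(whitelist={"203.0.113.1"})  # constructed address standing in for a whitelisted site
    seq = [
        Flow("203.0.113.1", 80, b"GET / HTTP/1.1"),    # whitelisted, C&C not yet seen -> passed
        Flow("198.51.100.7", 6667, b"\x01\x10..."),    # first non-whitelisted server -> C&C
        Flow("192.0.2.9", 80, b"attack traffic"),      # other server -> communication message
        Flow("198.51.100.7", 6667, b"\x02\x10..."),    # C&C again -> command message
        Flow("203.0.113.1", 80, b"GET / HTTP/1.1"),    # C&C already seen: whitelist no longer applies
    ]
    return [t.classify(f) for f in seq], t.cc_server

if __name__ == "__main__":
    print(run_demo())
```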
For the above method flow, the embodiment of the present invention also provides a device for identifying a DDoS botnet communication protocol; the specific content of this device can be implemented with reference to the above method and is not repeated here.
As shown in Figure 3, the device for identifying a DDoS botnet communication protocol provided by embodiment three of the present invention comprises:
A network behavior capture module 301, for obtaining the command messages and communication messages exchanged between a bot running in a host and servers, and for determining, from the obtained communication messages, the attack attribute information of each attack class in each attack;
An association module 302, for determining attack command messages from the obtained command messages according to the attack attribute information of each attack class in each attack, and for determining attack command message feature information according to the attack command messages and the attack attribute information.
Preferably, the network behavior capture module 301 is specifically configured to: if no C&C communication has occurred and the C&C server has been determined, take the messages transmitted between the bot and the C&C server as command messages, and the messages transmitted between the bot and non-C&C servers as communication messages;
If no C&C communication has occurred and the C&C server has not been determined, take the server the bot is currently communicating with as the C&C server, take the messages transmitted between the bot and that C&C server as command messages, and take the messages transmitted between the bot and non-C&C servers as communication messages;
If C&C communication has occurred, take the messages transmitted between the bot and a server whose destination Internet Protocol (IP) address and destination port are the same as those of the C&C communication messages as command messages, and take the messages transmitted between the bot and a server whose destination IP address and destination port differ from those of the C&C communication messages as communication messages.
Preferably, the association module 302 is specifically configured to: determine the command message received last before the attack starts, according to the attack attribute information of each attack class in each attack, as the attack-start instruction;
Determine the command message received last before the attack stops, according to the attack attribute information of each attack class in each attack, as the attack-stop instruction;
Take the attack-start instruction and the attack-stop instruction as the attack command messages.
Preferably, the attack command message feature information comprises some or all of the following:
The offset and encoding of the message-type field; the offset and encoding of the attack-type field; the offset and encoding of the attack target and port field; the offset and encoding of the specific-attack-type parameters.
Preferably, the association module 302 is specifically configured to: determine the byte contents that are identical at the same byte offset in all attack-start instruction messages, and place the identical byte contents together with their byte offsets in an attack-start set; determine the byte contents that are identical at the same byte offset in all attack-stop instruction messages, and place the identical byte contents together with their byte offsets in an attack-stop set;
Determine the byte contents that differ at the same byte offset between the attack-start set and the attack-stop set, and the number of bytes of those differing contents, and take the differing byte contents, their byte count and their byte offset as the offset and encoding of the message-type field.
Preferably, the association module 302 is specifically configured to: determine the byte contents that differ at the same byte offset in all attack-start instruction messages, and place the differing byte contents together with their byte offsets in an attack-start complement set;
Classify the attack attribute information by "same attack type but different attack target"; for each class, determine the byte contents in the attack-start complement set that are identical at the same byte offset across that class's attack-start instructions; determine the attack-type field from those identical byte contents; and take the determined attack-type field, its byte offset and its byte count as the offset and encoding of the attack-type field.
Preferably, the association module 302 is specifically configured to: determine the byte offset of the attack target and port in the attack-start instruction and the number of bytes they occupy, and take the determined byte offset and byte count of the attack target and port as the offset and encoding of the attack target and port field;
The attack target and port comprise some or all of the following:
Destination Internet Protocol (IP) address; destination port; source IP address; source port.
In summary, because the network behavior exhibited by the bot always has a binding relationship with the C&C instruction, that is, the bot's network behavior embodies the semantics of the C&C instruction, the semantic understanding of a C&C instruction can be converted into an understanding of the bot's network behavior; by understanding the bot's network behavior, the semantics of the C&C instruction are understood, and the C&C message format features are then output. To obtain the bot's network behavior, the bot is run in a host and the communication behavior between the bot and external servers is controlled. When the bot communicates with the C&C server, the transmission time of each C&C communication message is recorded and the content of the C&C communication messages is recorded as command messages; when the bot communicates with non-C&C servers, the messages that are determined to be attack-related among the communication messages between the bot and non-C&C servers are analyzed, so as to confirm when an attack of which type was carried out against which victim; after the attack ends, the attack-related communication messages are counted to obtain the start time, duration, attack type, target IP address, attacked port, source port and source IP address used, and other parameters of each attack class in each attack, and from these parameters the attack attribute information of each attack class in each attack can be obtained. According to the attack attribute information of each attack class, the attack command messages among the command messages are determined as the last command messages received; the attack command messages and the attack attribute information are associated; the different attack command messages are analyzed separately to find their features; and a description of the command message format features is output.
Those skilled in the art should understand that embodiments of the present invention can be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include these changes and modifications as well.
Claims (14)
1. A method for identifying a DDoS botnet communication protocol, characterized in that the method comprises:
Obtaining the command messages and communication messages exchanged between a bot program (bot) running in a host and servers;
Determining the attack attribute information of each attack from the obtained communication messages;
Determining attack command messages from the obtained command messages according to the attack attribute information of each attack class in each attack;
Determining attack command message feature information according to the attack command messages and/or the attack attribute information.
2. The method of claim 1, characterized in that obtaining the command messages and communication messages exchanged between the bot program (bot) running in the host and servers comprises:
If no C&C communication has occurred and the C&C server has been determined, taking the messages transmitted between the bot and the C&C server as command messages, and the messages transmitted between the bot and non-C&C servers as communication messages;
If no C&C communication has occurred and the C&C server has not been determined, taking the server the bot is currently communicating with as the C&C server, taking the messages transmitted between the bot and that C&C server as command messages, and taking the messages transmitted between the bot and non-C&C servers as communication messages;
If C&C communication has occurred, taking the messages transmitted between the bot and a server whose destination Internet Protocol (IP) address and destination port are the same as those of the C&C communication messages as command messages, and taking the messages transmitted between the bot and a server whose destination IP address and destination port differ from those of the C&C communication messages as communication messages.
3. The method of claim 1, characterized in that determining attack command messages from the obtained command messages according to the attack attribute information of each attack class in each attack comprises:
Determining the command message received last before the attack starts, according to the attack attribute information of each attack class in each attack, as the attack-start instruction;
Determining the command message received last before the attack stops, according to the attack attribute information of each attack class in each attack, as the attack-stop instruction;
Taking the attack-start instruction and the attack-stop instruction as the attack command messages.
4. The method of claim 3, characterized in that the attack command message feature information comprises some or all of the following:
The offset and encoding of the message-type field;
The offset and encoding of the attack-type field;
The offset and encoding of the attack target and port field;
The offset and encoding of the specific-attack-type parameters.
5. The method of claim 4, characterized in that determining attack command message feature information according to the attack command messages and/or the attack attribute information comprises:
Determining the byte contents that are identical at the same byte offset in all attack-start instruction messages, and placing the identical byte contents together with their byte offsets in an attack-start set; determining the byte contents that are identical at the same byte offset in all attack-stop instruction messages, and placing the identical byte contents together with their byte offsets in an attack-stop set;
Determining the byte contents that differ at the same byte offset between the attack-start set and the attack-stop set, and the number of bytes of those differing contents, and taking the differing byte contents, their byte count and their byte offset as the offset and encoding of the message-type field.
6. The method of claim 4, characterized in that determining attack command message feature information according to the attack command messages and/or the attack attribute information comprises:
Determining the byte contents that differ at the same byte offset in all attack-start instruction messages, and placing the differing byte contents together with their byte offsets in an attack-start complement set;
Classifying the attack attribute information by "same attack type but different attack target"; for each class, determining the byte contents in the attack-start complement set that are identical at the same byte offset across that class's attack-start instructions; determining the attack-type field from those identical byte contents; and taking the determined attack-type field, its byte offset and its byte count as the offset and encoding of the attack-type field.
7. The method of claim 4, characterized in that determining attack command message feature information according to the attack command messages and/or the attack attribute information comprises:
Determining the byte offset of the attack target and port in the attack-start instruction and the number of bytes they occupy, and taking the determined byte offset and byte count of the attack target and port as the offset and encoding of the attack target and port field;
The attack target and port comprise some or all of the following:
Destination Internet Protocol (IP) address; destination port; source IP address; source port.
8. A device for identifying a DDoS botnet communication protocol, characterized in that the device comprises:
A network behavior capture module, for obtaining the command messages and communication messages exchanged between a bot running in a host and servers, and for determining, from the obtained communication messages, the attack attribute information of each attack class in each attack;
An association module, for determining attack command messages from the obtained command messages according to the attack attribute information of each attack class in each attack, and for determining attack command message feature information according to the attack command messages and the attack attribute information.
9. The device of claim 8, characterized in that the network behavior capture module is configured to:
If no C&C communication has occurred and the C&C server has been determined, take the messages transmitted between the bot and the C&C server as command messages, and the messages transmitted between the bot and non-C&C servers as communication messages;
If no C&C communication has occurred and the C&C server has not been determined, take the server the bot is currently communicating with as the C&C server, take the messages transmitted between the bot and that C&C server as command messages, and take the messages transmitted between the bot and non-C&C servers as communication messages;
If C&C communication has occurred, take the messages transmitted between the bot and a server whose destination Internet Protocol (IP) address and destination port are the same as those of the C&C communication messages as command messages, and take the messages transmitted between the bot and a server whose destination IP address and destination port differ from those of the C&C communication messages as communication messages.
10. The device of claim 8, characterized in that the association module is configured to:
Determine the command message received last before the attack starts, according to the attack attribute information of each attack class in each attack, as the attack-start instruction;
Determine the command message received last before the attack stops, according to the attack attribute information of each attack class in each attack, as the attack-stop instruction;
Take the attack-start instruction and the attack-stop instruction as the attack command messages.
11. The device of claim 10, characterized in that the attack command message feature information comprises some or all of the following:
The offset and encoding of the message-type field; the offset and encoding of the attack-type field; the offset and encoding of the attack target and port field; the offset and encoding of the specific-attack-type parameters.
12. The device of claim 11, characterized in that the association module is configured to:
Determine the byte contents that are identical at the same byte offset in all attack-start instruction messages, and place the identical byte contents together with their byte offsets in an attack-start set; determine the byte contents that are identical at the same byte offset in all attack-stop instruction messages, and place the identical byte contents together with their byte offsets in an attack-stop set;
Determine the byte contents that differ at the same byte offset between the attack-start set and the attack-stop set, and the number of bytes of those differing contents, and take the differing byte contents, their byte count and their byte offset as the offset and encoding of the message-type field.
13. The device of claim 11, characterized in that the association module is configured to:
Determine the byte contents that differ at the same byte offset in all attack-start instruction messages, and place the differing byte contents together with their byte offsets in an attack-start complement set;
Classify the attack attribute information by "same attack type but different attack target"; for each class, determine the byte contents in the attack-start complement set that are identical at the same byte offset across that class's attack-start instructions; determine the attack-type field from those identical byte contents; and take the determined attack-type field, its byte offset and its byte count as the offset and encoding of the attack-type field.
14. The device of claim 11, characterized in that the association module is configured to:
Determine the byte offset of the attack target and port in the attack-start instruction and the number of bytes they occupy, and take the determined byte offset and byte count of the attack target and port as the offset and encoding of the attack target and port field;
The attack target and port comprise some or all of the following:
Destination Internet Protocol (IP) address; destination port; source IP address; source port.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410196838.2A CN103997489B (en) | 2014-05-09 | 2014-05-09 | Method and device for recognizing DDoS bot network communication protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103997489A true CN103997489A (en) | 2014-08-20 |
CN103997489B CN103997489B (en) | 2017-02-22 |
Family ID: 51311496
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103997489B (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105635067A (en) * | 2014-11-04 | 2016-06-01 | 华为技术有限公司 | Packet transmission method and apparatus |
CN105827630A (en) * | 2016-05-03 | 2016-08-03 | 国家计算机网络与信息安全管理中心 | Botnet attribute identification method, defense method and device |
CN106921612A (en) * | 2015-12-24 | 2017-07-04 | 阿里巴巴集团控股有限公司 | It was found that the method and device of ddos attack |
CN107306266A (en) * | 2016-04-25 | 2017-10-31 | 阿里巴巴集团控股有限公司 | Scan the method and device of control server |
CN107454043A (en) * | 2016-05-31 | 2017-12-08 | 阿里巴巴集团控股有限公司 | The monitoring method and device of a kind of network attack |
CN107547547A (en) * | 2017-09-05 | 2018-01-05 | 成都知道创宇信息技术有限公司 | A kind of TCP CC recognition methods based on editing distance |
CN108200041A (en) * | 2017-12-28 | 2018-06-22 | 贵阳忆联网络有限公司 | A kind of method and system for protecting DDOS attack |
CN108289084A (en) * | 2017-01-10 | 2018-07-17 | 阿里巴巴集团控股有限公司 | The blocking-up method and device and non-transient computer readable storage medium of flowing of access |
CN109600362A (en) * | 2018-11-26 | 2019-04-09 | 平安科技(深圳)有限公司 | Zombie host recognition methods, identification equipment and medium based on identification model |
CN110740144A (en) * | 2019-11-27 | 2020-01-31 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for determining attack target |
CN112398781A (en) * | 2019-08-14 | 2021-02-23 | 大唐移动通信设备有限公司 | Attack testing method, host server and control server |
CN113992391A (en) * | 2018-12-28 | 2022-01-28 | 阿波罗智联(北京)科技有限公司 | Method and device for analyzing message |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080229149A1 (en) * | 2007-03-14 | 2008-09-18 | Clifford Penton | Remote testing of computer devices |
CN101360019A (en) * | 2008-09-18 | 2009-02-04 | 华为技术有限公司 | Detection method, system and apparatus of zombie network |
CN101741862A (en) * | 2010-01-22 | 2010-06-16 | 西安交通大学 | System and method for detecting IRC bot network based on data packet sequence characteristics |
CN101753377A (en) * | 2009-12-29 | 2010-06-23 | 吉林大学 | p2p_botnet real-time detection method and system |
CN101924757A (en) * | 2010-07-30 | 2010-12-22 | 中国电信股份有限公司 | Method and system for reviewing Botnet |
CN102546298A (en) * | 2012-01-06 | 2012-07-04 | 北京大学 | Botnet family detection method based on active probing |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105635067B (en) * | 2014-11-04 | 2019-11-15 | 华为技术有限公司 | File transmitting method and device |
CN105635067A (en) * | 2014-11-04 | 2016-06-01 | 华为技术有限公司 | Packet transmission method and apparatus |
US10791127B2 (en) | 2014-11-04 | 2020-09-29 | Huawei Technologies Co., Ltd. | Packet transmission method and apparatus |
CN106921612A (en) * | 2015-12-24 | 2017-07-04 | 阿里巴巴集团控股有限公司 | Method and device for discovering DDoS attacks |
CN107306266A (en) * | 2016-04-25 | 2017-10-31 | 阿里巴巴集团控股有限公司 | Method and device for scanning a control server |
CN107306266B (en) * | 2016-04-25 | 2020-08-04 | 阿里巴巴集团控股有限公司 | Method and device for scanning central control server |
CN105827630A (en) * | 2016-05-03 | 2016-08-03 | 国家计算机网络与信息安全管理中心 | Botnet attribute identification method, defense method and device |
CN105827630B (en) * | 2016-05-03 | 2019-11-12 | 国家计算机网络与信息安全管理中心 | Botnet attribute identification method, defense method and device |
CN107454043A (en) * | 2016-05-31 | 2017-12-08 | 阿里巴巴集团控股有限公司 | Network attack monitoring method and device |
CN108289084A (en) * | 2017-01-10 | 2018-07-17 | 阿里巴巴集团控股有限公司 | Method and device for blocking access traffic, and non-transitory computer-readable storage medium |
CN107547547A (en) * | 2017-09-05 | 2018-01-05 | 成都知道创宇信息技术有限公司 | TCP CC recognition method based on edit distance |
CN108200041A (en) * | 2017-12-28 | 2018-06-22 | 贵阳忆联网络有限公司 | Method and system for protecting against DDOS attacks |
CN109600362A (en) * | 2018-11-26 | 2019-04-09 | 平安科技(深圳)有限公司 | Zombie host recognition method, identification device and medium based on a recognition model |
CN109600362B (en) * | 2018-11-26 | 2022-10-18 | 平安科技(深圳)有限公司 | Zombie host recognition method, device and medium based on recognition model |
CN113992391A (en) * | 2018-12-28 | 2022-01-28 | 阿波罗智联(北京)科技有限公司 | Method and device for analyzing message |
CN113992391B (en) * | 2018-12-28 | 2023-12-29 | 阿波罗智联(北京)科技有限公司 | Method and device for analyzing message |
CN112398781A (en) * | 2019-08-14 | 2021-02-23 | 大唐移动通信设备有限公司 | Attack testing method, host server and control server |
CN112398781B (en) * | 2019-08-14 | 2022-04-08 | 大唐移动通信设备有限公司 | Attack testing method, host server and control server |
CN110740144A (en) * | 2019-11-27 | 2020-01-31 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for determining attack target |
CN110740144B (en) * | 2019-11-27 | 2022-09-16 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for determining attack target |
Also Published As
Publication number | Publication date |
---|---|
CN103997489B (en) | 2017-02-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103997489A (en) | Method and device for recognizing DDoS bot network communication protocol | |
CN104052734B (en) | Attack detection and prevention using global device fingerprint identification | |
EP2434689B1 (en) | Method and apparatus for detecting message | |
CN109194680B (en) | Network attack identification method, device and equipment | |
CN109587156B (en) | Method, system, medium, and apparatus for identifying and blocking abnormal network access connection | |
CN100553206C (en) | Internet application traffic identification method based on packet sampling and application signature | |
CA3159619C (en) | Packet processing method and apparatus, device, and computer-readable storage medium | |
JP2013009185A (en) | Communication monitoring system and method, communication monitoring device, virtual host device, and communication monitoring program | |
CN111049784B (en) | Network attack detection method, device, equipment and storage medium | |
CN112738022B (en) | Attack method for ROS message of robot operating system | |
US20230115046A1 (en) | Network security system for preventing unknown network attacks | |
CN111049781A (en) | Detection method, device, equipment and storage medium for rebound network attack | |
JP6962374B2 (en) | Log analyzer, log analysis method and program | |
WO2016008212A1 (en) | Terminal as well as method for detecting security of terminal data interaction, and storage medium | |
CN109474567B (en) | DDOS attack tracing method and device, storage medium and electronic equipment | |
WO2024113953A1 (en) | C2 server identification method and apparatus, electronic device, and readable storage medium | |
US20240114052A1 (en) | Network security system for preventing spoofed ip attacks | |
CN105827627A (en) | Method and apparatus for acquiring information | |
CN103209181A (en) | Implementation method for an application- and connection-level firewall under the Linux network architecture | |
CN112311728A (en) | Host compromise determination method and device, computing device and computer storage medium | |
Ponomarev | Intrusion Detection System of industrial control networks using network telemetry | |
CN105530098B (en) | Protocol fingerprint extraction method and system | |
CN114389863A (en) | Honeypot interaction method and device, honeypot network, honeypot equipment and storage medium | |
CN114363059A (en) | Attack identification method and device and related equipment | |
CN115664844B (en) | Honeypot camouflage simulation method and device based on protocol agent and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder | ||
CP01 | Change in the name or title of a patent holder | | Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Patentee after: NSFOCUS Technologies Group Co.,Ltd.; Patentee after: NSFOCUS TECHNOLOGIES Inc.; Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.; Patentee before: NSFOCUS TECHNOLOGIES Inc. |