CN104168272A - Trojan horse detection method based on communication behavior clustering - Google Patents

Info

Publication number: CN104168272A
Application number: CN201410378948.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: tcp session, cluster, feature, trojan horse, clustering
Inventors: 左晓军, 董立勉, 陈泽, 卢宁, 常杰, 郗波, 张君艳, 侯波涛, 王春璞, 刘惠颖
Original assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd; Hebei Electric Power Construction Adjustment Test Institute
Current assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd; Hebei Electric Power Construction Adjustment Test Institute

Abstract

The invention discloses a Trojan horse detection method based on communication behavior clustering, belonging to the field of information security. To resolve the problems of existing Trojan detection technology, such as weak feature extraction capability and improper choice of clustering algorithm, this unknown-Trojan detection method offers excellent feature extraction performance, a suitable clustering algorithm, and high detection efficiency and accuracy. According to the technical scheme, the method comprises the steps of extracting network flow packets, reassembling TCP sessions, extracting features such as the Trojan's reverse-connection feature, entropy feature and heartbeat feature, building a feature vector of the TCP session, and clustering the feature vectors in real time with an LSH-based real-time incremental clustering algorithm. Based on the difference between the communication behavior features of Trojan sessions and those of normal network communication, the method marks that difference by combining statistical analysis with time-series analysis, guarantees high detection accuracy and a zero false alarm rate, lowers the false alarm rate, and can effectively detect the abnormal communication behavior of Trojans in real time.

Description

A Trojan horse detection method based on communication behavior clustering
Technical field
The present invention relates to the field of information security, and in particular to a Trojan horse detection method based on communication behavior clustering.
Background technology
In recent years network security threats have changed greatly: attacks have progressively shifted from the individual behavior of mischief and technical showing-off to organized, professional behavior with specific targets, extremely long duration, and commercial or other particular interests in view. To break through traditional network security defenses, a class of attack called the Advanced Persistent Threat (APT) has developed rapidly and has become the largest network security threat of recent years. The Trojan horse, as one of the most important links in an APT attack, has become the primary object of network security research and defense.
Usually, at the start of a new APT attack, the Trojan that supports it has not yet been widely distributed. For anti-virus vendors and for Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), this Trojan and its signature remain unknown, and it is called an unknown Trojan. By using a 0-day vulnerability or a legitimate signature, an unknown Trojan can easily bypass security detection software. Within a given network environment an IDS automatically detects abnormal behavior in network traffic, but for most unknown Trojans the IDS is ineffective: by controlling and imitating normal network behavior, the unknown Trojan leaves no obvious network-layer characteristics in the traffic and so bypasses the IDS. Bypassing IDS detection is therefore easy for an unknown Trojan, and detecting and defending against unknown Trojans in time is a worthwhile research problem. Trojan attacks generally have two objectives: the first is to destroy the target's network and terminal facilities; the second is to collect and steal confidential information.
The operating mechanism of a Trojan differs from that of other malicious code: because it is concealed at the system level, it can hardly be found by observing changes in the system. At present, Trojan detection techniques fall into four classes: detection based on host signatures, detection based on network signatures, detection based on protocol analysis, and detection based on network behavior analysis. In host-signature detection the detector is installed on the host and detects by signature pattern matching. In network-signature detection the detector, such as an IDS or IPS, is installed on the network, and the network behavior obtained by monitoring is compared and matched against predefined intrusion models; because signatures lag behind, and because the network traffic caused by an unknown Trojan carries no signature, network-signature Trojan detection has difficulty dealing with unknown or variant Trojans, its detection performance is lower, and its missed-detection rate is higher. Detection based on protocol analysis cannot detect Trojans on its own and must be used together with other techniques. Detection based on network behavior analysis relies mainly on the communication behavior characteristics of the Trojan; since it does not use signature matching, it does not suffer from missing signatures, and it can effectively detect unknown or variant Trojans. Under current conditions, network-behavior-based detection is the relatively superior Trojan detection scheme. The present invention uses the communication behavior characteristics obtained from the analysis of Trojan network behavior, combined with a suitable clustering algorithm, to achieve real-time detection of unknown Trojans.
In essence the Trojan's final purpose is malicious; its most basic network characteristic is that it accepts control commands from the control end and sends the sensitive information obtained on the controlled host to the control end, i.e. to the attacker. To achieve this malicious intent, the Trojan's communication behavior differs greatly from normal network communication behavior. Because current mainstream methods describe the abnormal behavior of the TCP (Transmission Control Protocol) sessions of Trojan communication only to a limited extent and suffer from a relatively high false-alarm rate, the present invention proposes more comprehensive Trojan communication behavior features by analyzing the behavioral characteristics of Trojans. The abnormal aspects of Trojan behavior are usually expressed as follows:
Abnormal uplink/downlink traffic: during communication with the control end, the control end sends control commands to the Trojan, and the Trojan has to send large amounts of stolen data to the control end. As a result, downlink traffic in Trojan communication is often much smaller than uplink traffic, whereas for normal web browsing and downloading, downlink traffic is usually much larger than uplink traffic. Using the transmission direction and packet sizes of the data in a TCP session, the total size of packets from the controlled end to the control end and the total size of packets from the control end to the controlled end are calculated separately; their ratio is the uplink/downlink traffic ratio. If this ratio exceeds a set threshold, the controlled end has sent far more data in the current TCP session than it has received, which closely resembles the data-stealing behavior of a Trojan and can be judged abnormal.
Abnormal uplink/downlink packet size: the main functions of the Trojan's control end are to send control commands and to send response messages after receiving data from the controlled end. The downlink packets in a TCP session stream sent by the control end are therefore usually packets with a very small data volume, whereas among the packets sent by the controlled end on which the Trojan hides, all but a small fraction of responses to the control end are stolen data, so the packets can be larger. Using the transmission direction and packet sizes of the data in a TCP session, the average packet size from the controlled end to the control end and from the control end to the controlled end are calculated separately, i.e. the average length of uplink packets and the average length of downlink packets. If in a TCP session stream the average uplink packet length exceeds a set threshold and the average downlink packet length is below a set threshold, the length characteristic of Trojan communication packets is met and the session can be judged abnormal.
Heartbeat behavior: to signal to its control end that it is alive and working, a Trojan usually establishes and maintains a session between the controlled end on which it hides and its control end, until the network connection is broken or the Trojan program at either end is killed. The session is maintained by both sides sending packets, generally at timed intervals; because the manner and meaning resemble an animal's heartbeat, this session behavior between the controlled end and the control end caused by the Trojan is called heartbeat behavior, and the associated packets are called heartbeat packets. A heartbeat packet is a custom packet with fixed content, sent cyclically, with variable length and variable frequency in the network data stream.
Encryption behavior: to cover up its uploading of sensitive data and evade detection by an IDS or IPS, a Trojan usually encrypts the sensitive data stolen from the controlled end before sending it to the control end.
Abnormal interactive commands: after receiving a command from its control end, besides stealing data and sending it to the control end, the Trojan may also perform operations on the host (for example executing shell commands). In a shell-command interactive session, the Trojan sends consecutive small packets to its control end at intervals of between 10 ms and 2 s; when the ratio K of consecutive small packets whose interval lies between 10 ms and 2 s exceeds a certain threshold, the data flow is considered to have the command-interaction characteristic of malware.
Abnormal connection time: normal traffic is usually generated by benign software under manual operation, so normal traffic is generally generated during working hours. For traffic outside working hours, once the influence of P2P is excluded, the likelihood that it was generated by a Trojan is relatively large. Moreover, once a Trojan has established a connection it usually does not disconnect actively unless the control end goes offline or the controlled end shuts down, so the connection duration can be relatively long.
Abnormal reverse connection: after the Trojan connects the controlled end to the control end, the controlled end stays quiet and is activated to transmit data only after receiving a packet from the control end. In a normal connection, by contrast, the client sends a request and the server responds; without a client request the server stays quiet. This reverse-connection behavior is the main characteristic of rebound-port Trojans. If a reverse connection exists in a TCP session, the session is judged abnormal.
At present, the mainstream clustering algorithm for analyzing and extracting the abnormal features of Trojans is K-Means, which suffers from local optima, sensitivity to initial values, and the inability to cluster incrementally in real time. When K-Means is used for detection, once the initial cluster values are chosen wrongly or a local optimum occurs, detection accuracy is often low.
In summary, Trojan detection based on communication behavior is the best method in the prior art, but at present the method has weak TCP session feature extraction capability, selects an unsuitable feature clustering algorithm, cannot detect TCP sessions in real time, and its detection effect is unsatisfactory. An unknown-Trojan detection method with excellent feature extraction performance, a suitable clustering algorithm, and high detection efficiency and accuracy is urgently needed.
Summary of the invention
To overcome the defects of the prior art and solve the technical problems described above, the invention discloses a Trojan horse detection method based on communication behavior clustering. On the basis of fully and effectively extracting the abnormal features of Trojans, the method achieves real-time detection of unknown and variant Trojans, while also offering higher detection performance and computational efficiency.
The technical scheme of the invention is as follows:
Network flow packets are captured at random at the Internet gateway, and TCP session reassembly is performed.
Taking the five-tuple of the TCP session stream, namely source IP address, destination IP address, source port, destination port and transport-layer protocol, as the basis, the TCP session is processed according to the communication behavior characteristics of Trojans to obtain the possible abnormal-feature information of the session, and the n-dimensional feature vector E of the TCP session is built.
A Gaussian normalization algorithm is used to normalize the feature value of each dimension of the feature vector E, so that the influence of some feature values is neither exaggerated nor ignored, giving the normalized feature vector; the two parameters of the normalization are the mean and variance of the feature vector E. After normalization the feature values fall within a fixed interval with probability above 99%; a value above the upper bound of the interval is set to the upper bound, and a value below the lower bound is set to the lower bound, so that after Gaussian normalization the feature value of every dimension lies within the interval.
Real-time incremental clustering based on Locality Sensitive Hashing (LSH) is applied to the normalized feature vectors to obtain a three-class clustering cluster C (three clusters). The specific steps are as follows:
Choose m hash functions at random from the hash function family;
Compute the LSH value of the current normalized feature vector;
Compute the LSH value of another normalized feature vector in the set;
Compute the Euclidean distance L between the two LSH values;
If L is within the difference distance r, the two are judged to be features of the same class, one of them is selected and saved into the clustering cluster; if L exceeds r, they are judged to be features of different classes and both are saved into the clustering cluster. r is the difference distance, which can be obtained by machine-learning training on a large number of malicious and benign samples;
Repeat the preceding steps until all vectors other than the current one have been traversed, obtaining the clustering cluster;
Taking the clustering clusters as new feature vectors, repeat the preceding steps until the three-class clustering cluster C is obtained, whose three clusters respectively mark the clustering results of Trojans, benign software and other behaviors.
According to the three-class clustering cluster C, each TCP session is discriminated as a Trojan, benign software or other software session by the decision condition, and an alarm is raised for Trojans: if the session falls in the Trojan cluster, the clustering result is Trojan; in the benign cluster, benign software; in the remaining cluster, other software.
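The normalization and LSH clustering steps above, as an added Python illustration that is not part of the patent: the 3σ scaling to [-1, 1] with clipping, the p-stable random-projection hash family with bucket width w, the geometric growth of r between clustering rounds, and the constructed SAMPLE_SESSIONS vectors (four of the 15 features) are all assumptions, since the page does not reproduce these details.

```python
import math
import random


def gaussian_normalize(vectors):
    """Gaussian normalization of every dimension of the feature vectors E with
    that dimension's mean and variance (page). Dividing by 3 sigma so that values
    fall in [-1, 1] with > 99% probability, and clipping the rest to the bounds,
    is the assumed form; the page does not reproduce the interval."""
    dims, n = len(vectors[0]), len(vectors)
    mu = [sum(v[d] for v in vectors) / n for d in range(dims)]
    sigma = [math.sqrt(sum((v[d] - mu[d]) ** 2 for v in vectors) / n) for d in range(dims)]
    out = []
    for v in vectors:
        row = []
        for d in range(dims):
            z = 0.0 if sigma[d] == 0 else (v[d] - mu[d]) / (3 * sigma[d])
            row.append(max(-1.0, min(1.0, z)))      # clip to the interval bounds
        out.append(row)
    return out


class LSHFamily:
    """m hash functions drawn at random from an LSH family (page). The family used
    here, h(e) = floor((a . e + b) / w) with Gaussian a (p-stable LSH for Euclidean
    distance), and the bucket width w are assumptions."""

    def __init__(self, dims, m, w=1.0, seed=0):
        rng = random.Random(seed)
        self.w = w
        self.funcs = [([rng.gauss(0.0, 1.0) for _ in range(dims)], rng.uniform(0.0, w))
                      for _ in range(m)]

    def lsh_value(self, e):
        return tuple(math.floor((sum(ai * x for ai, x in zip(a, e)) + b) / self.w)
                     for a, b in self.funcs)


def euclid(u, v):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))


def lsh_incremental_cluster(vectors, family, r):
    """One clustering pass: each vector's LSH value is compared by Euclidean
    distance L with the LSH value of every cluster representative; if L is within
    the difference distance r the two are the same class and only the representative
    is kept, otherwise the vector opens a new cluster.
    Returns (clusters as lists of indices into `vectors`, representative vectors)."""
    reps, rep_hashes, clusters = [], [], []
    for idx, e in enumerate(vectors):
        g = family.lsh_value(e)
        for k, g_rep in enumerate(rep_hashes):
            if euclid(g, g_rep) <= r:
                clusters[k].append(idx)
                break
        else:
            reps.append(e)
            rep_hashes.append(g)
            clusters.append([idx])
    return clusters, reps


def cluster_to_three(vectors, family, r, growth=1.5, max_rounds=50):
    """Treats the clusters of one pass as new feature vectors and re-clusters until
    at most three clusters remain (page). How r changes between rounds is not
    stated on the page; enlarging it geometrically is an assumption."""
    clusters, reps = lsh_incremental_cluster(vectors, family, r)
    for _ in range(max_rounds):
        if len(clusters) <= 3:
            break
        r *= growth
        merged, reps = lsh_incremental_cluster(reps, family, r)
        clusters = [[i for k in group for i in clusters[k]] for group in merged]
    return clusters


# Constructed sessions (not captured data) using four of the page's 15 features:
# [uplink bytes, downlink bytes, payload entropy, reverse-connection flag].
# Sessions 0-2 resemble a Trojan, 3-5 web browsing, 6-7 some other behaviour.
SAMPLE_SESSIONS = [
    [900000, 1200, 7.9, 1], [900000, 1200, 7.9, 1], [900000, 1200, 7.9, 1],
    [4000, 600000, 5.1, 0], [4000, 600000, 5.1, 0], [4000, 600000, 5.1, 0],
    [50000, 50000, 6.0, 0], [50000, 50000, 6.0, 0],
]


def classify_samples(seed=7):
    """Normalizes the constructed sessions and clusters them into at most three classes."""
    normalized = gaussian_normalize(SAMPLE_SESSIONS)
    family = LSHFamily(dims=len(SAMPLE_SESSIONS[0]), m=6, w=0.5, seed=seed)
    return cluster_to_three(normalized, family, r=0.5)


if __name__ == "__main__":
    for k, members in enumerate(classify_samples()):
        print(f"cluster {k}: sessions {members}")
```

Which of the three clusters is labelled Trojan, benign or other is decided from training samples on the page, so the block only returns the partition.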
Specifically, the n-dimensional feature vector E of the TCP session is a 15-dimensional feature vector whose dimensions are: the uplink traffic of the TCP session, the downlink traffic of the TCP session, the number of uplink small packets, the number of uplink large packets, the number of downlink small packets, the number of downlink large packets, the session duration, the amount of data transferred in the session, the average length of uplink packets, the average length of downlink packets, the entropy of the session data, the heartbeat feature of the session, whether the session contains interactive commands, the connection time of the session, and whether the session contains a reverse connection.
Here a small packet, in the uplink and downlink small-packet counts, is a packet of 0 to 127 bytes; a large packet, in the uplink and downlink large-packet counts, is a packet of at least 1500 bytes. The entropy H of the session data characterizes whether the session shows encryption behavior and is computed from S, the total number of characters, and the number of occurrences of each character i; if the entropy H of a TCP session reaches a certain threshold, the session is considered a suspicious encrypted session and can be judged abnormal. The transmission direction, packet size and packet send times of the data in a TCP session are used to compute the smoothness P of the send-interval sequence of equal-size packets, where μ and σ are respectively the mean and standard deviation of the interval sequence; P characterizes the heartbeat feature of the session, and if P reaches a certain threshold the session is considered abnormal. The ratio K of the intervals between consecutive small packets sent in a TCP session that lie between 10 ms and 2 s characterizes whether the session contains interactive commands; if K reaches a certain threshold, the session is considered to contain interactive commands and is judged abnormal. The connection time of a TCP session refers to the time at which the session established its connection and the time at which it closed the connection, as concrete time points: if both the establishment time and the closing time fall outside working hours, the session is considered abnormal and the feature value is set to 2; if one of the two falls outside working hours, the feature value is set to 1; if both fall within working hours, the session is considered normal and the feature value is set to 0.
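The 15-dimensional feature vector just defined (and the behavior features described under the background art), as an added Python example that is not part of the patent: it builds E from a constructed session of Packet objects. The Shannon form of the entropy H, the definition P = μ/σ for the smoothness, the working hours 9:00 to 18:00, and the reverse-connection check are assumptions where the page gives no formula.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SMALL_MAX = 127        # small packet: 0..127 bytes (page)
LARGE_MIN = 1500       # large packet: >= 1500 bytes (page)
WORK_HOURS = (9, 18)   # assumed working hours; the page does not fix them
P_CAP = 1000.0         # assumed cap for a perfectly periodic interval sequence


class Packet:
    """One packet of a reassembled TCP session; direction is 'up' for
    controlled end (session initiator) -> control end, 'down' for the reverse."""

    def __init__(self, ts, direction, payload):
        self.ts = ts                  # capture time (datetime)
        self.direction = direction
        self.payload = payload        # bytes carried by the packet
        self.size = len(payload)


def entropy(data):
    """Entropy H of the session data from S (total characters) and n_i (count
    of character i), the page's symbols; Shannon entropy in bits is assumed."""
    S = len(data)
    if S == 0:
        return 0.0
    return -sum(n / S * math.log2(n / S) for n in Counter(data).values())


def smoothness(packets):
    """Heartbeat feature P: regularity of the send-interval sequence of equal-size
    packets in one direction, with mu and sigma the mean and standard deviation
    of that sequence (page). P = mu / sigma is assumed; the most regular group counts."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p.direction, p.size)].append(p.ts)
    best = 0.0
    for times in groups.values():
        if len(times) < 3:            # need at least two intervals
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu, sigma = mean(gaps), pstdev(gaps)
        best = max(best, P_CAP if sigma == 0 else min(mu / sigma, P_CAP))
    return best


def command_ratio(packets):
    """Interactive-command feature K: share of intervals between consecutive
    small uplink packets that lie between 10 ms and 2 s (page)."""
    ups = [p for p in packets if p.direction == "up" and p.size <= SMALL_MAX]
    if len(ups) < 2:
        return 0.0
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(ups, ups[1:])]
    return sum(1 for g in gaps if 0.01 <= g <= 2.0) / len(gaps)


def off_hours(ts):
    return not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]


def feature_vector(packets):
    """The page's 15-dimensional vector E for one session, in the page's order.
    H, P and K are kept as raw values: the page says their thresholds are learned."""
    packets = sorted(packets, key=lambda p: p.ts)
    up = [p for p in packets if p.direction == "up"]
    down = [p for p in packets if p.direction == "down"]
    up_bytes, down_bytes = sum(p.size for p in up), sum(p.size for p in down)
    duration = (packets[-1].ts - packets[0].ts).total_seconds()
    # connection time: 2 if setup and teardown both fall outside working hours,
    # 1 if one of them does, 0 if both fall within working hours (page)
    conn_time = int(off_hours(packets[0].ts)) + int(off_hours(packets[-1].ts))
    # reverse connection: the initiator stays quiet until the peer sends data
    # first (assumed check for the behaviour the page describes)
    first_data = next((p for p in packets if p.size > 0), None)
    reverse = int(first_data is not None and first_data.direction == "down")
    return [
        up_bytes, down_bytes,
        sum(p.size <= SMALL_MAX for p in up), sum(p.size >= LARGE_MIN for p in up),
        sum(p.size <= SMALL_MAX for p in down), sum(p.size >= LARGE_MIN for p in down),
        duration, up_bytes + down_bytes,
        up_bytes / len(up) if up else 0.0, down_bytes / len(down) if down else 0.0,
        entropy(b"".join(p.payload for p in packets)),
        smoothness(packets), command_ratio(packets), conn_time, reverse,
    ]


def sample_trojan_session():
    """Constructed (not captured) session with the page's Trojan traits: off-hours
    connection, control end speaks first, large high-entropy uploads, 8-byte
    heartbeats every 30 s."""
    t0 = datetime(2014, 8, 4, 2, 0, 0)                  # 02:00, outside working hours
    pkts = [Packet(t0 + timedelta(seconds=1), "down", b"GET /data\n")]   # 10-byte command
    cipher = bytes(range(256)) * 6                      # 1536 bytes, every value equally frequent
    for s in (2, 3, 5, 9):
        pkts.append(Packet(t0 + timedelta(seconds=s), "up", cipher))
    for i in range(1, 6):
        pkts.append(Packet(t0 + timedelta(seconds=30 * i), "up", b"HB\x00\x00\x00\x00\x00\x01"))
    return pkts
```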
Beneficial effects of the invention: (1) network flow packets are captured at random, feature vectors are extracted and clustered, so real-time Trojan detection is achieved, which is highly practical; (2) the inherent characteristics of Trojan communication behavior are analyzed comprehensively, and a 15-dimensional feature vector of Trojan communication behavior is proposed, balancing the accuracy and the practical effect of Trojan detection; (3) before clustering, a Gaussian normalization algorithm normalizes the feature value of each dimension of the feature vector, reducing the problem that differences in unit or magnitude cause some features to be excessively amplified or ignored, and increasing clustering accuracy; (4) the LSH-based real-time incremental clustering algorithm works from the feature vectors alone, freeing the method from dependence on a Trojan experience database and fundamentally overcoming the inability to detect unknown or variant Trojans caused by the inherent lag of database updates; moreover, the time complexity of the LSH-based real-time incremental clustering algorithm is directly related to the dimensionality of the feature vector, and the proposed 15-dimensional vector keeps the computational and time complexity of clustering low while still describing Trojan features, so that the clustering process meets the needs of real-time detection; (5) discrimination with a three-class clustering cluster makes the description of network flow packets clearer: besides Trojan and benign software, a category of other behaviors is introduced, avoiding the lower classification accuracy and flexibility of an either-or binary classification, so the range of applicability is wider.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the invention.
Fig. 2 is a block diagram of the structure of the embodiment.
Embodiment
The invention is further described below with reference to the drawings.
The embodiment is organized step by step according to the flow in Fig. 1 and is divided into several modules, as shown in Fig. 2. It comprises a TCP session reassembly module, an abnormal-feature extraction module, a communication behavior feature vector generation module, a Gaussian normalization module, an LSH-based real-time incremental clustering module, and a TCP session discrimination module.
The TCP session reassembly module captures network flow packets and performs TCP session reassembly on them so that TCP session information can be obtained later. The abnormal-feature extraction module performs statistical analysis of the data flow of each TCP session according to the characteristics of Trojan communication behavior. The communication behavior feature vector generation module generates the feature vector from the statistics provided by the abnormal-feature extraction module, using the abnormal-feature calculation algorithms. The Gaussian normalization module applies the Gaussian normalization algorithm to the feature vector of the TCP session to produce the normalized feature vector. The LSH-based real-time incremental clustering module applies the LSH-based real-time incremental clustering algorithm to the normalized feature vectors of the TCP sessions, generates the clustering cluster information and marks the clusters. The TCP session discrimination module decides, from the marked clustering cluster information, whether each TCP session is a Trojan.
It should be noted that capturing network flow packets, the TCP protocol parsing that follows, and TCP session reassembly are common knowledge in the art (the field of information security); even though the invention does not describe them in detail, those skilled in the art know these steps.
As is known from the prior art, the network communication behavior of Trojans differs from that of normal software; according to these differences, this embodiment collects statistics of the communication behavior features of TCP sessions and derives a feature vector that describes Trojan communication behavior. The feature vector in this embodiment is the 15-dimensional feature vector whose feature values are the uplink traffic of the TCP session, its downlink traffic, the number of uplink small packets, the number of uplink large packets, the number of downlink small packets, the number of downlink large packets, the session duration, the amount of data transferred, the average length of uplink packets, the average length of downlink packets, the entropy of the session data, the heartbeat feature, whether the session contains interactive commands, the connection time, and whether the session contains a reverse connection. The thresholds used in generating the feature vector, including the small-packet upper threshold, the large-packet lower threshold, the entropy H upper threshold, the smoothness P upper threshold and the ratio K upper threshold, can all be obtained by machine-learning training on a large number of malicious and benign samples. In addition, the difference distance r used in this embodiment when judging with the Euclidean distance L whether features belong to the same class can also be obtained by machine-learning training on a large number of malicious and benign samples.
The embodiment above is only a preferred embodiment of the invention and does not exhaust its feasible implementations. Any obvious change made by those skilled in the art without departing from the principle and spirit of the invention shall be considered to fall within the scope of protection of the claims.

Claims (5)

1. A Trojan horse detection method based on communication behavior clustering, characterized by the following steps:
(1) capturing network flow packets;
(2) performing Transmission Control Protocol session reassembly on the network flow packets to generate TCP sessions;
(3) extracting the communication behavior features of the TCP session and generating its n-dimensional communication behavior feature vector E;
(4) performing Gaussian normalization on the feature vector to obtain the normalized feature vector;
(5) performing real-time incremental clustering based on Locality Sensitive Hashing on the normalized feature vector to generate the three-class clustering cluster C;
(6) according to the clustering cluster C, discriminating whether the network flow packets are communication packets of a Trojan, benign software or other software, and raising an alarm for Trojans.
2. The Trojan horse detection method based on communication behavior clustering according to claim 1, characterized in that the feature vector E in step (3) is a 15-dimensional feature vector comprising the uplink traffic of the TCP session, the downlink traffic of the TCP session, the number of uplink small packets, the number of uplink large packets, the number of downlink small packets, the number of downlink large packets, the session duration, the amount of data transferred in the session, the average length of uplink packets, the average length of downlink packets, the entropy of the session data, the heartbeat feature of the session, whether the session contains interactive commands, the connection time of the session, and whether the session contains a reverse connection.
3. The Trojan horse detection method based on communication behavior clustering according to claim 1, characterized in that each element of the normalized feature vector in step (4) is set to the upper bound of the normalization interval when it exceeds that bound and to the lower bound when it falls below it, where the two normalization parameters are respectively the mean and variance of the feature vector E.
4. The Trojan horse detection method based on communication behavior clustering according to claim 1, characterized in that in step (5) the real-time incremental clustering based on Locality Sensitive Hashing of the normalized feature vector comprises the following steps:
(5a) choosing m hash functions at random from the hash function family;
(5b) computing the LSH value of the current normalized feature vector;
(5c) computing the LSH value of another normalized feature vector in the set;
(5d) computing the Euclidean distance L between the two LSH values;
(5e) if L is within the difference distance r, judging the two to be features of the same class, selecting one and saving it into the clustering cluster; if L exceeds r, judging them to be features of different classes and saving both into the clustering cluster, where r is the difference distance;
(5f) repeating the preceding steps until all vectors in the set other than the current one have been traversed, obtaining the clustering cluster;
(5g) taking the clustering clusters as new feature vectors and repeating the preceding steps until the three-class clustering cluster C is obtained, whose three clusters respectively mark the clustering results of Trojans, benign software and other behaviors.
5. The Trojan horse detection method based on communication behavior clustering according to claim 4, characterized in that the class of the three-class clustering cluster C in step (6) is judged by the decision condition.
Application number: CN201410378948.0A
Priority date: 2014-08-04
Filing date: 2014-08-04
Publication number: CN104168272A, published 2014-11-26 (status: pending)
Family ID: 51911896
Country status: CN

CN110287735A (en) * 2019-07-04 2019-09-27 电子科技大学 Wooden horse based on chip netlist feature infects circuit identification method
CN112685473A (en) * 2020-12-29 2021-04-20 山东大学 Network abnormal flow detection method and system based on time sequence analysis technology
CN115314325A (en) * 2022-10-11 2022-11-08 科来网络技术股份有限公司 Access relation analysis method, system, device and medium based on TCP communication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102222187A (en) * 2011-06-02 2011-10-19 国家计算机病毒应急处理中心 Domain name structural feature-based hang horse web page detection method
US20140165198A1 (en) * 2012-10-23 2014-06-12 Verint Systems Ltd. System and method for malware detection using multidimensional feature clustering

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Sun Haitao: "Research on Trojan detection technology based on communication behavior analysis", China Masters' Theses Full-text Database, Information Science and Technology *
Xu Xiaolin et al.: "An online automatic analysis model for massive malicious code based on feature clustering", Journal on Communications *
Yi Junkai et al.: "An HTTP Trojan detection model based on network behavior analysis", Journal of Beijing University of Chemical Technology *

Cited By (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105791236A (en) * 2014-12-23 2016-07-20 北京网御星云信息技术有限公司 Trojan communication channel detection method and system
CN105791236B (en) * 2014-12-23 2019-03-12 北京网御星云信息技术有限公司 A kind of wooden horse communication channel detection method and system
CN104660584A (en) * 2014-12-30 2015-05-27 赖洪昌 Trojan virus analysis technique based on network conversation
CN106416171A (en) * 2014-12-30 2017-02-15 华为技术有限公司 Method and device for feature information analysis
CN106416171B (en) * 2014-12-30 2020-06-16 华为技术有限公司 Characteristic information analysis method and device
CN104849648A (en) * 2015-05-26 2015-08-19 大连理工大学 Test vector generation method for improving Trojan activity
CN104849648B (en) * 2015-05-26 2017-11-07 大连理工大学 A kind of test vector generating method for improving wooden horse activity
CN105045715A (en) * 2015-07-27 2015-11-11 电子科技大学 Programming mode and mode matching based bug clustering method
CN105045715B (en) * 2015-07-27 2018-01-12 电子科技大学 Leak clustering method based on programming mode and pattern match
CN105262729A (en) * 2015-09-11 2016-01-20 携程计算机技术(上海)有限公司 Trojan horse detection method and system
CN105262729B (en) * 2015-09-11 2018-07-31 携程计算机技术(上海)有限公司 Trojan detecting method and system
CN105227408A (en) * 2015-10-22 2016-01-06 蓝盾信息安全技术股份有限公司 A kind of intelligent wooden horse recognition device and method
CN105429973A (en) * 2015-11-10 2016-03-23 浪潮(北京)电子信息产业有限公司 Network card flow monitoring method and device
CN107454052A (en) * 2016-05-31 2017-12-08 华为技术有限公司 Network attack detecting method and attack detecting device
CN105978897A (en) * 2016-06-28 2016-09-28 南京南瑞继保电气有限公司 Detection method of electricity secondary system botnet
CN106599686A (en) * 2016-10-12 2017-04-26 四川大学 Malware clustering method based on TLSH character representation
CN106599686B (en) * 2016-10-12 2019-06-21 四川大学 A kind of Malware clustering method based on TLSH character representation
CN106599168B (en) * 2016-12-09 2020-03-20 北京锐安科技有限公司 Method and device for analyzing source of network data
CN106599168A (en) * 2016-12-09 2017-04-26 北京锐安科技有限公司 Source analysis method and device for network data
EP3582463A4 (en) * 2017-03-03 2020-01-22 Huawei Technologies Co., Ltd. Threat detection method and apparatus
CN108540430B (en) * 2017-03-03 2019-06-11 华为技术有限公司 A kind of threat detection method and device
US11665179B2 (en) 2017-03-03 2023-05-30 Huawei Technologies Co., Ltd. Threat detection method and apparatus
CN108540430A (en) * 2017-03-03 2018-09-14 华为技术有限公司 A kind of threat detection method and device
CN107612882A (en) * 2017-08-03 2018-01-19 北京奇安信科技有限公司 A kind of user behavior recognition method and device based on middle daily record
CN107370752B (en) * 2017-08-21 2020-09-25 北京工业大学 Efficient remote control Trojan detection method
CN107370752A (en) * 2017-08-21 2017-11-21 北京工业大学 A kind of efficient remote control Trojan detection method
WO2019128938A1 (en) * 2017-12-29 2019-07-04 北京神州绿盟信息安全科技股份有限公司 Method for extracting feature string, device, network apparatus, and storage medium
US11379687B2 (en) 2017-12-29 2022-07-05 Nsfocus Technologies Group Co., Ltd. Method for extracting feature string, device, network apparatus, and storage medium
CN108769001A (en) * 2018-04-11 2018-11-06 哈尔滨工程大学 Malicious code detecting method based on the analysis of network behavior feature clustering
CN108809989B (en) * 2018-06-14 2021-04-23 北京中油瑞飞信息技术有限责任公司 Botnet detection method and device
CN108809989A (en) * 2018-06-14 2018-11-13 北京中油瑞飞信息技术有限责任公司 A kind of detection method and device of Botnet
CN109660512A (en) * 2018-11-12 2019-04-19 全球能源互联网研究院有限公司 A kind of sensitive information flows to vectorization method, abnormal flows to recognition methods and device
CN110287735A (en) * 2019-07-04 2019-09-27 电子科技大学 Wooden horse based on chip netlist feature infects circuit identification method
CN110287735B (en) * 2019-07-04 2021-05-04 电子科技大学 Trojan horse infected circuit identification method based on chip netlist characteristics
CN112685473A (en) * 2020-12-29 2021-04-20 山东大学 Network abnormal flow detection method and system based on time sequence analysis technology
CN115314325A (en) * 2022-10-11 2022-11-08 科来网络技术股份有限公司 Access relation analysis method, system, device and medium based on TCP communication

Similar Documents

Publication Publication Date Title
CN104168272A (en) Trojan horse detection method based on communication behavior clustering
Meidan et al. ProfilIoT: A machine learning approach for IoT device identification based on network traffic analysis
CN105208037B (en) A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection
Bilge et al. Disclosure: detecting botnet command and control servers through large-scale netflow analysis
Zhong et al. DDoS detection system based on data mining
Qin et al. DDoS attack detection using flow entropy and clustering technique
CN107040517B (en) Cognitive intrusion detection method oriented to cloud computing environment
CN107018084B (en) DDOS attack defense network security method based on SDN framework
CN104135474B (en) Intrusion Detection based on host goes out the Network anomalous behaviors detection method of in-degree
Wang et al. A DDoS attack detection method based on information entropy and deep learning in SDN
CN107370752B (en) Efficient remote control Trojan detection method
CN103840983A (en) WEB tunnel detection method based on protocol behavior analysis
CN102130920A (en) Botnet discovery method and system thereof
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN104796405B (en) Rebound connecting detection method and apparatus
Sun et al. Detection and classification of malicious patterns in network traffic using Benford's law
Furutani et al. Detection of DDoS backscatter based on traffic features of darknet TCP packets
CN110113348A (en) A method of Internet of Things threat detection is carried out based on machine learning
Ireland Intrusion detection with genetic algorithms and fuzzy logic
CN109194608B (en) DDoS attack and flash congestion event detection method based on flow
ALEKSIEVA et al. An approach for host based botnet detection system
Banerjee et al. Network traffic analysis based iot botnet detection using honeynet data applying classification techniques
Kong et al. Identification of abnormal network traffic using support vector machine
Kumar et al. Deep in the dark: A novel threat detection system using darknet traffic
Wang et al. Exploiting Artificial Immune systems to detect unknown DoS attacks in real-time

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication: Application publication date: 20141126
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication