CN105119938A - Method for defending against innerport recall trojan - Google Patents

Info

Publication number: CN105119938A
Authority: CN (China)
Prior art keywords: message, program, value, intranet, trojan
Legal status: Granted (active)
Application number: CN201510585555.1A
Other languages: Chinese (zh)
Other versions: CN105119938B (en)
Inventors: 张小松, 白金, 牛伟纳, 徐浩然, 吴安彬, 唐海洋, 张�林
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China
Priority date: 2015-09-14
Filing date: 2015-09-14
Publication date: 2015-12-02 (CN105119938A); grant published 2018-05-18 (CN105119938B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0245 Filtering by information in the payload

Abstract

The invention belongs to the technical field of information security in networked environments and provides a method for defending against intranet port-rebound (reverse-connection) Trojans, aimed at the problem that antivirus software cannot reliably detect variants of known Trojans or new Trojans. The method comprises: first, establishing a trusted program list and storing it at the intranet egress gateway; second, marking each packet to be sent with a security context; and finally, extracting the security context from the packet at the intranet egress and comparing it with the contents of the trusted program list. If the program name and MD5 value in the packet match those of an application in the trusted program list, the packet is released; otherwise the packet is discarded, its release is restricted, and the application associated with the packet is added to a blacklist. This effectively solves the problem of poor intranet security caused by traditional Trojan detection methods being unable to detect variants of known Trojans and new Trojans.

Description

A method for defending against intranet port-rebound Trojans
Technical field
The invention belongs to the technical field of information security in networked environments, and specifically relates to a method for defending against intranet port-rebound Trojans.
Background technology
In the field of network security, malicious code is proliferating rapidly and the Internet is flooded with it; the most serious kinds are viruses and Trojans. A virus aims to destroy computer systems and files, whereas a Trojan is more inclined toward stealing confidential information. A Trojan has a client side and a server side, and in general the two cooperate to carry out destruction and information theft. Today a Trojan can fully evade antivirus detection and hide its traces, and because of firewall restrictions most current Trojans are port-rebound (reverse-connection) Trojans.
A port-rebound Trojan exploits a weakness of firewalls:
A firewall usually filters inbound connections very strictly but is lax about outbound connections. Therefore, contrary to an ordinary Trojan, the server side (the controlled host) of a port-rebound Trojan uses the active port while the client (the controller) uses the passive port; the Trojan periodically checks whether the controller is online and, as soon as it is, opens a port and actively connects to the active port opened by the controller.
For concealment, the controller's passive port is usually 80, so that even if the user checks their own ports with port-scanning software, what they see looks like a normal network connection and raises no suspicion.
Current Trojan detection relies mainly on signature scanning and active defense. The defect of signature-based detection is that once a Trojan mutates or a new Trojan appears, antivirus software has no good way to detect it.
Active-defense methods likewise cannot reliably detect Trojans that use kernel techniques.
Summary of the invention
The object of the present invention is to provide a method for defending against intranet port-rebound Trojans that overcomes the inability of antivirus software to detect variants of known Trojans and new Trojans.
To solve this problem, the technical solution of the present invention is as follows:
A method for defending against intranet port-rebound Trojans, comprising the following steps:
Step 1. Determine the trusted program list:
For every trusted program, set a key-value pair in which the key is the program name and the value is the MD5 (Message Digest Algorithm 5) value of the executable;
the intranet egress gateway stores this key-value list, i.e. the trusted program list;
Step 2. Apply the security label:
Mark each network packet sent by an application on every host in the intranet with a security context, whose content comprises:
(1) the name of the program sending the packet,
(2) the MD5 value of that program,
(3) the MAC (Medium/Media Access Control) address of the host;
Step 3. The intranet egress gateway captures all packets leaving the intranet;
Step 4. Inspect the security context carried in the packet and analyse the packet content:
Extract the security context from the packet and compare it with the gateway's trusted program list (the key-value list). If the program name and MD5 value match an entry in the trusted program list, the packet is released and a cache entry is created; within a preset time, further packets captured from the same program on the host identified by that MAC address are released directly;
otherwise the packet is dropped, its release is restricted, and the relevant information is written to the log; at the same time the external IP address the packet was connecting to is added to a blacklist.
The invention has the advantages that:
(1) It addresses the threat posed by antivirus software being unable to detect new Trojans and variants of existing Trojans.
(2) It no longer relies solely on the traditional website whitelist, because a rebound Trojan often connects to third-party websites to obtain information, and most of those third-party websites are themselves safe and reliable.
The present invention uses the security context to verify the subject that sends the packet and thereby determines whether the connection is safe, rather than judging only on the information in a whitelist.
(3) Existing network protocols and network applications are not disrupted. The security context is added to the packet by a kernel module of the system only when the application's traffic passes through the local network interface card, so existing network applications are unaffected.
The security context is likewise judged by a kernel module: it extracts the security context from the packet, restores the packet and hands it on to the gateway, and the judgement module checks the application's check value to decide whether to release the packet.
The whole process has no impact on users or programs; it is completely transparent.
Accompanying drawing explanation
Fig. 1 shows the process by which an intranet host application's outgoing packets are marked with a security context.
Fig. 2 shows the process by which the intranet gateway, after receiving an outbound packet, extracts the security context and analyses the packet.
Embodiment
Based on the above, the technical solution of the present invention is described in further detail with reference to the drawings and embodiments.
In this embodiment, let A be an intranet host, WA a network application on that host, MA the security-label module, G the intranet gateway, and MG the security-context parsing and control module on the gateway.
First, the trusted applications are determined, and each program name together with the MD5 value of its program is stored in the trusted program list (key-value list) on the intranet egress gateway; entries in the trusted application list can be added or deleted dynamically as required;
when WA connects to the external network and sends a packet, the security-label module MA adds the security context to the packet, comprising the local MAC address, the name of the sending application and the MD5 check value of that application; the packet is then sent through the local network interface card to the intranet egress gateway, as shown in Fig. 1;
the gateway control module MG captures the packet, extracts the security context, and compares the name and check value of the sending application with the applications in the trusted program list, as shown in Fig. 2;
if the application name is not in the list, the packet is dropped, the address of the sending host and the suspect application are recorded in the blacklist, and the administrator or the operator of that host is notified so that a security inspection of the host can be carried out; if the MD5 check value in the security context differs from the one stored on the gateway, the same treatment is applied;
if the program name and MD5 check value in the security context match the trusted program list on the gateway, the security context is removed from the packet, which is restored to a normal packet and passed to gateway G; a cache entry is created, and the host is notified that packets sent by this program need not be marked with a security context for the next 10 minutes. Packets captured from this program on this host within those 10 minutes are released directly; after 10 minutes, normal marking, capture and processing resume.
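The tagging and gateway steps above (Steps 1 to 4 and this embodiment), as an added Python model that is not the patent's own code. The on-wire tag layout, keying the 10-minute pass-through cache by host MAC (the page does not say how an untagged packet is attributed to a program), and every program, MAC and IP value are assumptions.

```python
"""Gateway-side check from CN105119938A modelled in Python. Added example, not
the patent's code: the tag encoding, keying the 10-minute cache by host MAC,
and all programs, MACs and IPs are constructed assumptions."""
import hashlib

TAG_MAGIC = b"SECCTX\x00"   # assumed on-wire marker for a tagged packet
CACHE_SECONDS = 600         # the embodiment's 10-minute pass-through window


def tag_packet(payload: bytes, program: str, exe: bytes, mac: str) -> bytes:
    """Host module MA: prepend program name, MD5 of the executable, host MAC."""
    header = f"{program}|{hashlib.md5(exe).hexdigest()}|{mac}|".encode()
    return TAG_MAGIC + header + payload


class Gateway:
    """Gateway module MG: trusted-list check, pass-through cache, blacklist, log."""

    def __init__(self, trusted: dict[str, str]):
        self.trusted = trusted                          # program name -> MD5 hex
        self.cache: dict[str, tuple[str, float]] = {}   # mac -> (program, expiry)
        self.blacklist: set[str] = set()                # external IPs, "mac/program"
        self.log: list[str] = []

    def process(self, frame_mac: str, dst_ip: str, packet: bytes, now: float):
        """Step 4. Returns ("pass", restored_payload) or ("drop", None)."""
        if not packet.startswith(TAG_MAGIC):
            # Untagged packet: pass only while this host's cache entry is live.
            entry = self.cache.get(frame_mac)
            if entry and entry[1] > now:
                return "pass", packet
            self.log.append(f"untagged packet {frame_mac} -> {dst_ip} dropped")
            return "drop", None
        fields = packet[len(TAG_MAGIC):].split(b"|", 3)
        program, md5, mac = (f.decode() for f in fields[:3])
        if self.trusted.get(program) == md5:          # name AND MD5 must match
            self.cache[mac] = (program, now + CACHE_SECONDS)
            return "pass", fields[3]                  # context stripped, packet restored
        # Unknown name or mismatched MD5: drop, log, blacklist destination and program.
        self.log.append(f"{mac} {program} md5={md5} -> {dst_ip} rejected")
        self.blacklist.update({dst_ip, f"{mac}/{program}"})
        return "drop", None


def demo():
    """Constructed scenario: trusted browser, cached follow-ups, then a binary
    that reuses the trusted name but has a different MD5 (a variant)."""
    browser = b"\x7fELF constructed trusted browser binary"
    gw = Gateway({"browser": hashlib.md5(browser).hexdigest()})
    mac, ext, t0 = "00:11:22:33:44:55", "203.0.113.10", 1_000_000.0
    r1 = gw.process(mac, ext, tag_packet(b"GET / HTTP/1.1", "browser", browser, mac), t0)
    r2 = gw.process(mac, ext, b"GET /next HTTP/1.1", t0 + 60)                 # within 10 min
    r3 = gw.process(mac, ext, b"GET /late HTTP/1.1", t0 + CACHE_SECONDS + 1)  # cache expired
    variant = b"\x7fELF constructed modified binary with the trusted name"
    r4 = gw.process(mac, "198.51.100.7", tag_packet(b"x", "browser", variant, mac), t0 + 700)
    return [r[0] for r in (r1, r2, r3, r4)], sorted(gw.blacklist), gw.log
```

The third call shows that the untagged fast path stops at the cache boundary, and the fourth that a matching name alone is not enough: the MD5 mismatch is what trips the drop and the blacklist entries.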
The above is merely a specific embodiment of the present invention. Any feature disclosed in this specification, unless specifically stated otherwise, may be replaced by an equivalent or alternative feature serving a similar purpose; and all disclosed features, or all steps of any method or process, may be combined in any way except where features and/or steps are mutually exclusive.

Claims (1)

1. A method for defending against intranet port-rebound Trojans, comprising the following steps:
Step 1. Determine the trusted program list:
For every trusted program, set a key-value pair in which the key is the program name and the value is the MD5 value of the executable;
the intranet egress gateway stores this key-value list, i.e. the trusted program list;
Step 2. Apply the security label:
Mark each network packet sent by an application on every host in the intranet with a security context, whose content comprises:
(1) the name of the program sending the packet,
(2) the MD5 value of that program,
(3) the MAC address of the host;
Step 3. The intranet egress gateway captures all packets leaving the intranet;
Step 4. Inspect the security context carried in the packet and analyse the packet content:
Extract the security context from the packet and compare it with the gateway's trusted program list. If the program name and MD5 value match an entry in the trusted program list, the packet is released and a cache entry is created; within a preset time, further packets captured from the same program on the host identified by that MAC address are released directly;
otherwise the packet is dropped, its release is restricted, and the relevant information is written to the log; at the same time the external IP address the packet was connecting to is added to a blacklist.

Priority Applications (1)

Application number: CN201510585555.1A (granted as CN105119938B)
Priority date: 2015-09-14
Filing date: 2015-09-14
Title: A method for defending against intranet port-rebound Trojans

Publications (2)

Publication Number Publication Date
CN105119938A true CN105119938A (en) 2015-12-02
CN105119938B CN105119938B (en) 2018-05-18

Family

ID=54667826

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107786531A (en) * 2017-03-14 2018-03-09 平安科技(深圳)有限公司 APT attack detection methods and device
CN110135153A (en) * 2018-11-01 2019-08-16 哈尔滨安天科技股份有限公司 The credible detection method and device of software

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572711A (en) * 2009-06-08 2009-11-04 北京理工大学 Network-based detection method of rebound ports Trojan horse
CN102761458A (en) * 2011-12-20 2012-10-31 北京安天电子设备有限公司 Detection method and system of rebound type Trojan
CN103051627A (en) * 2012-12-21 2013-04-17 公安部第一研究所 Rebound trojan horse detection method
CN104753955A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Interconnection auditing method based on rebound port Trojans

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant