CN105656872A - Attacker tracking method and system based on backbone network - Google Patents

Attacker tracking method and system based on backbone network

Info

Publication number: CN105656872A
Application number: CN201510421096.3A
Authority: CN (China)
Prior art keywords: effector, server, backbone network, command, monitor
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 康学斌, 董建武, 何公道
Current assignee: Harbin Antiy Technology Co Ltd (as listed by Google Patents)
Original assignee: Harbin Antiy Technology Co Ltd
Priority date: 2015-07-17
Filing date: 2015-07-17
Publication date: 2016-06-08
Application filed by Harbin Antiy Technology Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1408 ... by monitoring network traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention provides an attacker tracking method and system based on a backbone network. The method comprises the following steps: monitoring malicious network communication behaviour through the monitoring equipment of the backbone network and obtaining a malicious code sample; analysing the malicious code sample and extracting command and control server information; when the backbone network monitors IP communication between the command and control server and the corresponding port, obtaining the IP of the current controller of the command and control server and the corresponding information; judging whether the controller IP is the final controller and, if so, locating the final controller IP, otherwise returning to continue monitoring until the controller IP is tracked down. The invention solves the difficulty of tracking a hacker's position in network communication: the hacker or controlling-end IP can be tracked and located through the backbone network, and malicious network behaviour countered.

Description

Attacker tracking method and system based on a backbone network
Technical field
The present invention relates to the field of computer network security technology, and in particular to an attacker tracking method and system based on a backbone network.
Background art
With the rapid development of networks and computing technology, the variety of malicious code, its propagation speed, the number of infections and its coverage are all growing. The expansion of the Internet further accelerates the spread of malicious code, new malicious code appears in an endless stream, and the techniques of attackers change constantly. At the same time, information about the attacker is ever more hidden. Both the propagation of malicious code and its malicious actions depend on the network and accompany network communication behaviour, posing a serious threat to network security.
The question is therefore how to extract information about the hacker or attacker from the large volume of network traffic, so that the hacker or hacking group can be tracked, malicious network behaviour countered, and network security assured.
A hacker releases malicious code in order to carry out malicious network behaviour. A machine infected with the malicious code ultimately connects to the controlling end and accepts its control, or sends information to the controlling end, so there is always a corresponding command and control server (C&C server) that handles such orders and information. C&C servers operate in two modes, centralised and decentralised: in the centralised mode the controller issues orders to the infected machines from a single central C&C server, while in the decentralised mode there is more than one C&C server.
Summary of the invention
In view of the above problem, the present invention proposes an attacker tracking method and system based on a backbone network, solving the difficulty the prior art has in locating the final controller.
An attacker tracking method based on a backbone network, comprising:
monitoring malicious network communication behaviour by means of backbone network monitoring equipment, and obtaining a malicious code sample;
analysing the malicious code sample and extracting command and control server information;
when the backbone network monitors IP communication with the command and control server on the corresponding port, obtaining the IP of the current controller of the command and control server and the corresponding information;
judging whether the controller IP is the final controller; if so, locating the final controller IP; otherwise returning to the previous step and continuing to monitor.
In the method, the command and control server information includes: network communication five-tuple information, server domain name information, and the required data information.
In the method, monitoring IP communication with the command and control server on the corresponding port in the backbone network and obtaining the IP of the current controller of the command and control server and the corresponding information specifically comprises:
detecting the operating system environment of the command and control server; if the environment is Windows, monitoring port 3389; if it is Linux, monitoring port 22; if it is a web site, monitoring FTP and the webshell.
In the method, judging whether the controller IP is the final controller specifically comprises:
capturing packets at the device corresponding to the controller IP; if the packets it sends contain command packets, the packets it receives contain the first packets sent by the controlled terminals, and it sends no specific network packets outward, then the device corresponding to the controller IP is the final controller; otherwise it is another command and control server.
An attacker tracking system based on a backbone network, comprising:
a backbone network monitoring module, for monitoring malicious network communication behaviour by means of backbone network monitoring equipment and obtaining a malicious code sample;
a sample analysis module, for analysing the malicious code sample and extracting command and control server information;
a controlling-end information acquisition module, for obtaining, when the backbone network monitors IP communication with the command and control server on the corresponding port, the IP of the current controller of the command and control server and the corresponding information;
a terminal judgement module, for judging whether the controller IP is the final controller and, if so, locating the final controller IP, otherwise returning to the previous step and continuing to monitor.
In the system, the command and control server information includes: network communication five-tuple information, server domain name information, and the required data information.
In the system, monitoring IP communication with the command and control server on the corresponding port in the backbone network and obtaining the IP of the current controller of the command and control server and the corresponding information specifically comprises:
detecting the operating system environment of the command and control server; if the environment is Windows, monitoring port 3389; if it is Linux, monitoring port 22; if it is a web site, monitoring FTP and the webshell.
In the system, judging whether the controller IP is the final controller specifically comprises:
capturing packets at the device corresponding to the controller IP; if the packets it sends contain command packets, the packets it receives contain the first packets sent by the controlled terminals, and it sends no specific network packets outward, then the device corresponding to the controller IP is the final controller; otherwise it is another command and control server.
The advantage of the invention is that, based on analysis of the malicious sample, malicious behaviour in the network can be tracked: by monitoring the backbone network, the IP communication information is found, and it is judged whether the controller IP is a new C&C site; if so, tracking continues, until the attacker's controlling-end IP is finally located.
The invention provides an attacker tracking method and system based on a backbone network, comprising: monitoring malicious network communication behaviour by means of backbone network monitoring equipment, and obtaining a malicious code sample; analysing the malicious code sample and extracting command and control server information; when the backbone network monitors IP communication with the command and control server on the corresponding port, obtaining the IP of the current controller of the command and control server and the corresponding information; judging whether the controller IP is the final controller and, if so, locating the final controller IP, otherwise returning to continue monitoring until the controller IP is tracked down. The invention solves the difficulty of tracking a hacker's position in network communication: the hacker or controlling-end IP can be tracked and located through the backbone network, and malicious network behaviour countered.
Brief description of the drawings
In order to explain the technical scheme of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an attacker tracking method based on a backbone network according to the present invention;
Fig. 2 is a schematic architecture diagram of an attacker tracking system based on a backbone network according to the present invention.
Detailed description of the invention
So that those skilled in the art may better understand the technical scheme in the embodiments of the present invention, and so that the above purpose, features and advantages of the present invention become clearer and easier to understand, the technical scheme of the present invention is described in further detail below with reference to the drawings.
The present invention proposes an attacker tracking method and system based on a backbone network, solving the difficulty the prior art has in locating the final controller.
An attacker tracking method based on a backbone network, as shown in Fig. 1, comprises:
S101: monitoring malicious network communication behaviour by means of backbone network monitoring equipment, and obtaining a malicious code sample;
S102: analysing the malicious code sample and extracting command and control server information;
S103: when the backbone network monitors IP communication with the command and control server on the corresponding port, obtaining the IP of the current controller of the command and control server and the corresponding information;
S104: judging whether the controller IP is the final controller; if so, locating the final controller IP; otherwise returning to the previous step and continuing to monitor.
In the method, the command and control server information includes: network communication five-tuple information, server domain name information, and the required data information. The data information may include the first packet of data, heartbeat packets, command packets and so on.
In the method, monitoring IP communication with the command and control server on the corresponding port in the backbone network and obtaining the IP of the current controller of the command and control server and the corresponding information specifically comprises:
detecting the operating system environment of the command and control server; if the environment is Windows, monitoring port 3389; if it is Linux, monitoring port 22; if it is a web site, monitoring FTP and the webshell.
In the method, judging whether the controller IP is the final controller specifically comprises:
capturing packets at the device corresponding to the controller IP; if the packets it sends contain command packets, the packets it receives contain the first packets sent by the controlled terminals, and it sends no specific network packets outward, then the device corresponding to the controller IP is the final controller; otherwise it is another command and control server. In that case it is not the final controller but a relay point for commands, so its own controller IP must be tracked in turn, until the final controller is found.
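The loop S101 to S104 (and the same steps as restated in the system modules and the claims) as a worked Python example. This is an added illustration written for this page, not code from the patent or from Harbin Antiy. The Flow record, the packet-kind labels ("first", "heartbeat", "command", and "upstream" as a constructed label for packets a relay C&C forwards onward), the port numbers assumed for FTP and the webshell, the per-host OS-environment table, and every IP address and flow record are constructed for the example; a real deployment would fill them from the backbone monitor and the sample analysis step.

```python
"""Worked example of the S101-S104 tracing loop (constructed; not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One observation from the backbone monitor: the communication five-tuple
    plus the kind of packet seen. Kinds: "first" (a controlled terminal's first
    packet), "heartbeat", "command", and "upstream" (constructed label for the
    specific packets a relay C&C sends onward to its own controller)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    kind: str


def management_ports(os_env: Optional[str]) -> FrozenSet[int]:
    """Ports to watch on a C&C server, following the patent's OS-environment rule.
    The patent names FTP and the webshell for web sites but no port numbers;
    21 for FTP and 80/443 for a webshell are assumptions made for this example."""
    table = {
        "windows": frozenset({3389}),         # RDP
        "linux": frozenset({22}),             # SSH
        "website": frozenset({21, 80, 443}),  # FTP + webshell (assumed ports)
    }
    return table.get((os_env or "").lower(), frozenset())


def controllers_of(cnc_ip: str, flows: List[Flow], ports: FrozenSet[int]) -> List[str]:
    """Step S103: source IPs seen talking to the C&C server on its management ports."""
    return sorted({f.src for f in flows if f.dst == cnc_ip and f.dport in ports})


def is_final_controller(ip: str, flows: List[Flow]) -> bool:
    """Step S104 criterion: the device sends command packets, receives the
    controlled terminals' first packets, and sends no specific packets onward."""
    sent = [f for f in flows if f.src == ip]
    received = [f for f in flows if f.dst == ip]
    sends_commands = any(f.kind == "command" for f in sent)
    receives_first = any(f.kind == "first" for f in received)
    relays_onward = any(f.kind == "upstream" for f in sent)
    return sends_commands and receives_first and not relays_onward


def trace_controller(cnc_ip: str, flows: List[Flow], os_env: Dict[str, str],
                     max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Walk the chain C&C -> controller -> ... until a final controller is found.
    Returns (hops visited in order, final controller IP or None)."""
    hops = [cnc_ip]
    current = cnc_ip
    for _ in range(max_hops):
        ports = management_ports(os_env.get(current))
        candidates = [c for c in controllers_of(current, flows, ports) if c not in hops]
        if not candidates:          # nothing seen on the management port yet: keep monitoring
            return hops, None
        controller = candidates[0]
        hops.append(controller)
        if is_final_controller(controller, flows):
            return hops, controller
        current = controller        # another C&C server: go back to S103 with it
    return hops, None


# Constructed sample data: a bot, a Linux C&C server, a Windows relay C&C, and
# the final controller behind it. All addresses are documentation ranges.
FLOWS = [
    Flow("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "first"),
    Flow("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "heartbeat"),
    Flow("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "command"),
    Flow("198.51.100.7", 40022, "203.0.113.10", 22, "tcp", "command"),     # operator over SSH
    Flow("203.0.113.10", 22, "198.51.100.7", 40022, "tcp", "first"),
    Flow("198.51.100.7", 40100, "192.0.2.20", 8443, "tcp", "upstream"),   # relay forwards onward
    Flow("192.0.2.20", 50389, "198.51.100.7", 3389, "tcp", "command"),    # operator over RDP
    Flow("198.51.100.7", 3389, "192.0.2.20", 50389, "tcp", "first"),
]
# OS environment per host, as the sample analysis / probing step would report it (constructed).
OS_ENV = {"203.0.113.10": "linux", "198.51.100.7": "windows", "192.0.2.20": "unknown"}

if __name__ == "__main__":
    hops, final = trace_controller("203.0.113.10", FLOWS, OS_ENV)
    print(" -> ".join(hops), "| final controller:", final)
```

Running the block prints the chain 203.0.113.10 -> 198.51.100.7 -> 192.0.2.20 with 192.0.2.20 as the final controller: the Windows host is rejected as final because it sends packets onward, so the loop returns to S103 with that host as the new C&C server. The visited-hop check guards against a pair of relays that point at each other, and an empty candidate list is the "keep monitoring" branch of S104.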
An attacker tracking system based on a backbone network, as shown in Fig. 2, comprises:
a backbone network monitoring module 201, for monitoring malicious network communication behaviour by means of backbone network monitoring equipment and obtaining a malicious code sample;
a sample analysis module 202, for analysing the malicious code sample and extracting command and control server information;
a controlling-end information acquisition module 203, for obtaining, when the backbone network monitors IP communication with the command and control server on the corresponding port, the IP of the current controller of the command and control server and the corresponding information;
a terminal judgement module 204, for judging whether the controller IP is the final controller and, if so, locating the final controller IP, otherwise returning to the previous step and continuing to monitor.
In the system, the command and control server information includes: network communication five-tuple information, server domain name information, and the required data information.
In the system, monitoring IP communication with the command and control server on the corresponding port in the backbone network and obtaining the IP of the current controller of the command and control server and the corresponding information specifically comprises:
detecting the operating system environment of the command and control server; if the environment is Windows, monitoring port 3389; if it is Linux, monitoring port 22; if it is a web site, monitoring FTP and the webshell.
In the system, judging whether the controller IP is the final controller specifically comprises:
capturing packets at the device corresponding to the controller IP; if the packets it sends contain command packets, the packets it receives contain the first packets sent by the controlled terminals, and it sends no specific network packets outward, then the device corresponding to the controller IP is the final controller; otherwise it is another command and control server.
The advantage of the invention is that, based on analysis of the malicious sample, malicious behaviour in the network can be tracked: by monitoring the backbone network, the IP communication information is found, and it is judged whether the controller IP is a new C&C site; if so, tracking continues, until the attacker's controlling-end IP is finally located.
The invention provides an attacker tracking method and system based on a backbone network, comprising: monitoring malicious network communication behaviour by means of backbone network monitoring equipment, and obtaining a malicious code sample; analysing the malicious code sample and extracting command and control server information; when the backbone network monitors IP communication with the command and control server on the corresponding port, obtaining the IP of the current controller of the command and control server and the corresponding information; judging whether the controller IP is the final controller and, if so, locating the final controller IP, otherwise returning to continue monitoring until the controller IP is tracked down. The invention solves the difficulty of tracking a hacker's position in network communication: the hacker or controlling-end IP can be tracked and located through the backbone network, and malicious network behaviour countered.
Although the present invention has been described by way of embodiments, those skilled in the art will appreciate that the present invention has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover such variations and changes without departing from the spirit of the present invention.

Claims (8)

1. An attacker tracking method based on a backbone network, characterised in that it comprises:
monitoring malicious network communication behaviour by means of backbone network monitoring equipment, and obtaining a malicious code sample;
analysing the malicious code sample and extracting command and control server information;
when the backbone network monitors IP communication with the command and control server on the corresponding port, obtaining the IP of the current controller of the command and control server and the corresponding information;
judging whether the controller IP is the final controller; if so, locating the final controller IP; otherwise returning to the previous step and continuing to monitor.
2. The method of claim 1, characterised in that the command and control server information includes: network communication five-tuple information, server domain name information, and the required data information.
3. The method of claim 1, characterised in that monitoring IP communication with the command and control server on the corresponding port in the backbone network and obtaining the IP of the current controller of the command and control server and the corresponding information specifically comprises:
detecting the operating system environment of the command and control server; if the environment is Windows, monitoring port 3389; if it is Linux, monitoring port 22; if it is a web site, monitoring FTP and the webshell.
4. The method of claim 1, characterised in that judging whether the controller IP is the final controller specifically comprises:
capturing packets at the device corresponding to the controller IP; if the packets it sends contain command packets, the packets it receives contain the first packets sent by the controlled terminals, and it sends no specific network packets outward, then the device corresponding to the controller IP is the final controller; otherwise it is another command and control server.
5. An attacker tracking system based on a backbone network, characterised in that it comprises:
a backbone network monitoring module, for monitoring malicious network communication behaviour by means of backbone network monitoring equipment and obtaining a malicious code sample;
a sample analysis module, for analysing the malicious code sample and extracting command and control server information;
a controlling-end information acquisition module, for obtaining, when the backbone network monitors IP communication with the command and control server on the corresponding port, the IP of the current controller of the command and control server and the corresponding information;
a terminal judgement module, for judging whether the controller IP is the final controller and, if so, locating the final controller IP, otherwise returning to the previous step and continuing to monitor.
6. The system of claim 5, characterised in that the command and control server information includes: network communication five-tuple information, server domain name information, and the required data information.
7. The system of claim 5, characterised in that monitoring IP communication with the command and control server on the corresponding port in the backbone network and obtaining the IP of the current controller of the command and control server and the corresponding information specifically comprises:
detecting the operating system environment of the command and control server; if the environment is Windows, monitoring port 3389; if it is Linux, monitoring port 22; if it is a web site, monitoring FTP and the webshell.
8. The system of claim 5, characterised in that judging whether the controller IP is the final controller specifically comprises:
capturing packets at the device corresponding to the controller IP; if the packets it sends contain command packets, the packets it receives contain the first packets sent by the controlled terminals, and it sends no specific network packets outward, then the device corresponding to the controller IP is the final controller; otherwise it is another command and control server.
CN201510421096.3A 2015-07-17 2015-07-17 Attacker tracking method and system based on backbone network Pending CN105656872A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510421096.3A CN105656872A (en) 2015-07-17 2015-07-17 Attacker tracking method and system based on backbone network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510421096.3A CN105656872A (en) 2015-07-17 2015-07-17 Attacker tracking method and system based on backbone network

Publications (1)

Publication Number Publication Date
CN105656872A true CN105656872A (en) 2016-06-08

Family

ID=56481639

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510421096.3A Pending CN105656872A (en) 2015-07-17 2015-07-17 Attacker tracking method and system based on backbone network

Country Status (1)

Country Link
CN (1) CN105656872A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790142A (en) * 2016-12-28 2017-05-31 北京安天网络安全技术有限公司 Method and system for discovering that IoT devices have been intruded
CN108512805A (en) * 2017-02-24 2018-09-07 腾讯科技(深圳)有限公司 Network security defence method and network security defence device
CN111212063A (en) * 2019-12-31 2020-05-29 北京安码科技有限公司 Attack countering method based on gateway remote control

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080127338A1 (en) * 2006-09-26 2008-05-29 Korea Information Security Agency System and method for preventing malicious code spread using web technology
CN101360019A (en) * 2008-09-18 2009-02-04 华为技术有限公司 Detection method, system and apparatus of zombie network
CN101753562A (en) * 2009-12-28 2010-06-23 成都市华为赛门铁克科技有限公司 Detection methods, device and network security protecting device for botnet
CN101841523A (en) * 2010-02-05 2010-09-22 中国科学院计算技术研究所 Method for detecting network behavior of malicious code sample and system thereof
CN102833240A (en) * 2012-08-17 2012-12-19 中国科学院信息工程研究所 Malicious code capturing method and system
CN103475529A (en) * 2013-10-11 2013-12-25 大唐移动通信设备有限公司 Method and device for tracking core network side application plane and application plane tracking system
CN103595732A (en) * 2013-11-29 2014-02-19 北京奇虎科技有限公司 Method and device for obtaining evidence of network attack
CN104766011A (en) * 2015-03-26 2015-07-08 国家电网公司 Sandbox detection alarming method and system based on main engine characteristic

Similar Documents

Publication Publication Date Title
KR20120068612A (en) Dns query traffic monitoring and processing method and apparatus
US20140189867A1 (en) DDoS ATTACK PROCESSING APPARATUS AND METHOD IN OPENFLOW SWITCH
EP2448211B1 (en) Method, system and equipment for detecting botnets
CN106302450B (en) A kind of detection method and device based on malice address in DDOS attack
EP1976227A3 (en) Method and system for monitoring a selected region of an airspace associated with local area networks of computing devices
US20120173712A1 (en) Method and device for identifying p2p application connections
CN105656872A (en) Attacker tracking method and system based on backbone network
CN104796405B (en) Rebound connecting detection method and apparatus
CN104135474A (en) Network anomaly behavior detection method based on out-degree and in-degree of host
CN109587156A (en) Abnormal network access connection identification and blocking-up method, system, medium and equipment
CN105791220A (en) Method and system for actively defending distributed denial of service attacks
CN106686007A (en) Active flow analysis method for finding intranet controlled rerouting nodes
CN108270722A (en) A kind of attack detection method and device
CN102130920A (en) Botnet discovery method and system thereof
CN110336808A (en) A kind of attack source tracing method and system towards electric power industry control network
CN101051997A (en) P2P flow identifying control method based on network application
CN100493065C (en) Method for using immediate information software by data detection network address switching equipment
CN110300091A (en) Host in tracking network, which threatens and is directed to host and threatens, implements threat strategy movement
KR101528928B1 (en) Apparatus and method for managing network traffic based on flow and session
CN105959289A (en) Self-learning-based safety detection method for OPC Classic protocol
KR20150076613A (en) Method for collecting the suspicious file and trace information to analysis the ATP attack
CN113572764B (en) Industrial Internet network security situation awareness system based on AI
KR20150026345A (en) Apparatus and method for creating whitelist with network traffic
CN108055166A (en) A kind of the state machine extraction system and its extracting method of the application layer protocol of nesting
CN105915536A (en) Attack behavior real-time tracking and analysis method for cyber range

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Applicant after: Harbin Antiy Technology Group Limited by Share Ltd
    Address before: 506 room 162, Hongqi Avenue, Nangang District, Harbin Development Zone, Heilongjiang, 150090
    Applicant before: Harbin Antiy Technology Co., Ltd.
WD01 Invention patent application deemed withdrawn after publication
    Application publication date: 20160608