CN105791236B - Trojan communication channel detection method and system - Google Patents


Info

Publication number: CN105791236B
Authority: CN (China)
Prior art keywords: data, client, suspicious, score value, server end
Legal status: Active
Application number: CN201410816251.7A
Other languages: Chinese (zh)
Other versions: CN105791236A (en)
Inventors: 周涛, 彭涛, 李高超
Current assignee: BEIJING LEADSEC TECHNOLOGY CO LTD
Original assignee: BEIJING LEADSEC TECHNOLOGY CO LTD

Abstract

The invention discloses a Trojan communication channel detection method and system, comprising: obtain the data stream to be tested and set the detection score to 0. Check whether suspicious encryption behavior exists in the data stream to be tested; if so, increase the detection score. Check whether suspicious heartbeat behavior exists; if so, increase the detection score, delete the packets exhibiting the suspicious heartbeat behavior from the stream, and denote the result the cleaned data stream to be tested. Check whether an abnormal data transmission mode exists in the cleaned stream; if so, increase the detection score. Detect whether an abnormal uplink/downlink traffic ratio exists; if so, increase the detection score. According to the final value of the detection score, judge whether the network connection is a suspicious Trojan communication channel. The scheme of the invention can detect unknown Trojans from features such as heartbeat behavior, abnormal data transmission driving mode, suspicious encryption behavior and abnormal uplink/downlink traffic ratio, reducing missed detections and false alarms.

Description

Trojan communication channel detection method and system
Technical field
The present invention relates to the field of information security, and in particular to a Trojan communication channel detection method and system.
Background art
At present, APT (Advanced Persistent Threat) has become the major security threat faced by all types of networks. It has turned cyber threats from scattered, random attacks into purposeful, organized and premeditated group attacks, so that traditional defense mechanisms based on real-time detection and real-time blocking can no longer play their role. It can be seen from the APT process that the Trojan is still the main means by which an attacker implements remote control after penetrating the target network. Detecting Trojan communication channels has therefore become an important link in APT detection and defense.
The current mainstream method for detecting Trojan communication channels is: first run the Trojan sample and extract the network connection features it shows while communicating; then perform feature matching on the captured network traffic and identify the Trojan communication behavior within it. The advantage of this scheme is its low false alarm rate; the disadvantage is that the communication behavior of unknown, encrypted or mutated Trojan programs cannot be identified.
A search of the prior art shows the following. Chinese patent application no. 201110157821.2, "Fast Trojan detection method based on heartbeat behavior analysis", proposes detecting unknown Trojans from the Trojan heartbeat signal. Chinese patent application no. 201110430821.5, "Method and device for Trojan detection", proposes detecting unknown Trojans from the Trojan heartbeat signal together with the Trojan control command packets. Chinese patent application no. 201310478492.0, "Fast extraction method for Trojan communication features based on network data flow clustering", proposes first clustering the packets with a data flow clustering algorithm, so that the Trojan communication process is divided into a connection-keeping phase with no operation and an operation phase, and then detecting the Trojan through features such as heartbeat signal detection, communication time, packet size distribution and upload/download traffic ratio. These methods solve the problem of unknown Trojan detection to a certain extent, but have the following shortcomings:
(1) A typical Trojan communication channel carries a mixture of heartbeat behavior and data transmission behavior, and the two differ considerably. Heartbeat behavior is generally initiated by the controlled end toward the control end, which then responds; its period is fairly steady and the difference between uplink and downlink traffic is small. Data transmission behavior is generally initiated by the control end sending a command to the controlled end, which then responds; it has no obvious periodicity and the difference between uplink and downlink traffic is large. If the two are not separated and suspicious behavior detection is run directly on the captured packets, the detection result will carry a large error.
(2) To evade detection devices that identify Trojan communication by feature matching, many Trojans communicate over encrypted channels, which defeats detection methods based on the Trojan's command-and-control messages. At the same time, abnormal encryption behavior in a network connection that should not be encrypted is itself an important feature of a Trojan communication channel. If the detection algorithm does not consider whether the channel is encrypted, it will therefore produce many missed detections.
Summary of the invention
To solve the above problems, the invention proposes a Trojan communication channel detection method and system that can detect unknown Trojans from features such as heartbeat behavior, abnormal data transmission driving mode, suspicious encryption behavior and abnormal uplink/downlink traffic ratio, reducing missed detections and false alarms.
To achieve this, the invention proposes a Trojan communication channel detection method comprising the following steps:
Obtain, by serial or parallel access, all packets of one network connection from its start to its end; denote them the data stream to be tested and set the detection score to 0.
Check whether suspicious encryption behavior exists in the data stream to be tested; if so, increase the detection score.
Check whether suspicious heartbeat behavior exists in the data stream to be tested; if so, increase the detection score, delete the packets exhibiting the suspicious heartbeat behavior from the stream, and denote the result the cleaned data stream to be tested.
Check whether an abnormal data transmission mode exists in the cleaned data stream; if so, increase the detection score.
Detect whether an abnormal uplink/downlink traffic ratio exists in the cleaned data stream; if so, increase the detection score.
According to the final value of the detection score, judge whether the network connection is a suspicious Trojan communication channel.
Preferably, detecting whether suspicious encryption behavior exists in the data stream to be tested, and increasing the detection score if so, specifically includes the following steps:
Take the first N packets of the data stream to be tested, where N is a set positive integer; if the total number of packets in the stream is less than N, take all of its packets.
For each packet, remove the header part and take the payload part of the transport layer.
Treat the payload as a string of single-byte characters and count the number of occurrences of each character across the first N packets; if the stream holds fewer than N packets, count across all of its packets.
From the number of occurrences of each character, calculate the information entropy of the data stream to be tested by the following formula:
where S is the total number of characters and c_n is the number of occurrences of character n.
If the information entropy of the data stream exceeds the set threshold Te, determine that suspicious encryption behavior exists in the stream and increase the detection score according to the degree by which the entropy deviates from Te.
Preferably, suspicious heartbeat behavior has the following features: the packets are sent from the controlled end to the control end; the packet size is fixed and does not exceed the set value Ns; the packet sending interval is stable.
Preferably, detecting whether suspicious heartbeat behavior exists in the data stream to be tested, and increasing the detection score if so, specifically includes the following steps:
Generate a structure array of Ns elements, Ns being a positive integer greater than 1, and traverse the packets sent from the controlled end to the control end; for each packet smaller than Ns, record in the predefined structure selected by its size the sending time of that packet and the sending interval between it and the previous packet of the same size.
Traverse the whole array and calculate the mean μ and standard deviation σ of the sending-interval sequence of each packet size.
Calculate the smoothness of the sending-interval sequence of each packet size by the following equation:
Search for the most stable interval sequence by its smoothness P; if P exceeds the set threshold Ti and the number of beats exceeds the set threshold Thb, generate an alarm that a suspicious heartbeat signal has been detected, and increase the detection score according to the value of P.
Delete from the session packets the suspected heartbeat packets sent from the client to the server and the suspected heartbeat reply packets sent from the server to the client.
Preferably, detecting whether an abnormal data transmission mode exists in the data stream to be tested, and increasing the detection score if so, specifically includes the following steps:
From the data stream to be tested, generate two time series: the client-to-server data transmission time series and the server-to-client data transmission time series.
Find the active points in the two time series, generating two active time point sequences: the client-to-server active time point sequence and the server-to-client active time point sequence.
Search the server-to-client active time points and count how many of them obtained a response from the client.
Calculate the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points; if the ratio of the two exceeds the set threshold Tr, and the number of command-response interactions between the server and the client exceeds the set threshold Tmn, generate an alarm that an abnormal data transmission mode has been detected, and increase the detection score according to the result.
Preferably, an active time point is defined as follows: if the interval between the time of the current packet and the time of its previous packet is greater than the set threshold Tat, the current time is an active time point; otherwise the current packet is treated as a continuation of the previous data transmission behavior and not as a newly generated active time point.
Preferably, the method for judging how many active time points obtained a response from the client is: if there is a server-to-client active time point and, after it but before the maximum delay Tmp has elapsed, there is also a client-to-server active time point, then that server-to-client active time point is determined to have been responded to.
Preferably, the higher the response rate and the activity ratio, the greater the probability of a Trojan command-and-control channel.
Here the response rate is the probability that an active data transmission from the server to the client obtains a timely response from the client; a high response rate means the server's commands are very probably being executed by the client, which returns data.
The activity ratio is the probability that an active data transmission from the client to the server occurred only because the server activated the client; a high activity ratio means the client is silent except when passively receiving the server's commands.
Preferably, detecting whether an abnormal uplink/downlink traffic ratio exists in the data stream to be tested, and increasing the detection score if so, specifically includes the following steps:
From the cleaned data stream to be tested, calculate separately the total number of client-to-server packets SumC2S and the total number of server-to-client packets SumS2C.
Calculate the ratio of SumC2S to SumS2C; if the ratio exceeds the set threshold Tud, generate an alarm that an abnormal uplink/downlink traffic ratio has been detected, and increase the detection score according to the result.
Preferably, the method further includes: when the network connection is a suspicious Trojan communication channel, calculating from the detection score the probability that the network connection is a Trojan communication channel.
The invention also proposes a Trojan communication channel detection system comprising: a data stream acquisition module, a suspicious encryption behavior detection module, a suspicious heartbeat behavior detection module, an abnormal data transmission mode detection module, an abnormal uplink/downlink traffic ratio detection module and a Trojan communication channel determination module.
Data stream acquisition module: obtains, by serial or parallel access, all packets of one network connection from its start to its end, denotes them the data stream to be tested, and sets the detection score to 0.
Suspicious encryption behavior detection module: detects whether suspicious encryption behavior exists in the data stream to be tested and, if so, increases the detection score.
Suspicious heartbeat behavior detection module: detects whether suspicious Trojan heartbeat behavior exists in the data stream to be tested and, if so, increases the detection score, deletes the packets exhibiting the suspicious heartbeat behavior from the stream, and denotes the result the cleaned data stream to be tested.
Abnormal data transmission mode detection module: detects whether an abnormal data transmission mode exists in the cleaned data stream and, if so, increases the detection score.
Abnormal uplink/downlink traffic ratio detection module: detects whether an abnormal uplink/downlink traffic ratio exists in the cleaned data stream and, if so, increases the detection score.
Trojan communication channel determination module: judges, according to the final value of the detection score, whether the network connection is a suspicious Trojan communication channel.
Preferably, the system further includes a packet storage module for storing the data stream to be tested.
Preferably:
The data stream acquisition module outputs the data stream to be tested to the packet storage module.
The suspicious encryption behavior detection module, suspicious heartbeat behavior detection module, abnormal data transmission mode detection module and abnormal uplink/downlink traffic ratio detection module read the contents of the packet storage module.
The suspicious encryption behavior detection module, suspicious heartbeat behavior detection module, abnormal data transmission mode detection module and abnormal uplink/downlink traffic ratio detection module output the final value of the detection score to the Trojan communication channel determination module.
Among them, the suspicious heartbeat behavior detection module may modify the contents of the packet storage module.
Compared with the prior art, the invention: obtains, by serial or parallel access, all packets of one network connection from its start to its end, denotes them the data stream to be tested, and sets the detection score to 0; checks whether suspicious encryption behavior exists in the stream and, if so, increases the detection score; checks whether suspicious heartbeat behavior exists and, if so, increases the detection score, deletes the packets exhibiting it from the stream, and denotes the result the cleaned data stream; checks whether an abnormal data transmission mode exists in the cleaned stream and, if so, increases the detection score; detects whether an abnormal uplink/downlink traffic ratio exists in the cleaned stream and, if so, increases the detection score; and judges from the final value of the detection score whether the network connection is a suspicious Trojan communication channel. The scheme of the invention can thus detect unknown Trojans from features such as heartbeat behavior, abnormal data transmission driving mode, suspicious encryption behavior and abnormal uplink/downlink traffic ratio, reducing missed detections and false alarms.
Detailed description of the drawings
The drawings of the embodiments of the invention are described below. They serve to further understand and explain the invention and, together with the specification, do not limit the scope of protection of the invention.
Fig. 1 is the flow chart of the Trojan communication channel detection method of the invention;
Fig. 2 is the block diagram of the Trojan communication channel detection system of the invention;
Fig. 3 is the detection flow chart of an embodiment of the Trojan communication channel detection method of the invention.
Specific embodiment
To facilitate understanding by those skilled in the art, the invention is further described below with reference to the drawings; this description is not to be used to limit the scope of the invention.
The invention proposes a Trojan communication channel detection method which, as shown in Fig. 1, comprises the following steps:
S101: obtain, by serial or parallel access, all packets of one network connection from its start to its end; denote them the data stream to be tested and set the detection score to 0.
S102: check whether suspicious encryption behavior exists in the data stream to be tested; if so, increase the detection score.
Preferably, detecting whether suspicious encryption behavior exists in the data stream to be tested, and increasing the detection score if so, specifically includes the following steps:
S1021: take the first N packets of the data stream to be tested, where N is a set positive integer; if the total number of packets in the stream is less than N, take all of its packets.
S1022: for each packet, remove the header part and take the payload part of the transport layer.
S1023: treat the payload as a string of single-byte (8-bit) characters and count the number of occurrences of each character across the first N packets; if the stream holds fewer than N packets, count across all of its packets.
S1024: from the number of occurrences of each character, calculate the information entropy of the data stream to be tested by the following formula:
where S is the total number of characters and c_n is the number of occurrences of character n.
S1025: if the information entropy of the data stream to be tested exceeds the set threshold Te, determine that suspicious encryption behavior exists in the stream and increase the detection score according to the degree by which the entropy deviates from Te.
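As an added example (not the patent's own code), steps S1021 to S1025 in Python over constructed payloads. The entropy formula itself is not reproduced on this page, so the example assumes the standard Shannon entropy over byte frequencies; N, Te and the score scaling are assumed values.

```python
import math
from collections import Counter

# Constructed sample payloads (not from the patent): readable HTTP-like text
# versus a uniform byte distribution standing in for ciphertext.
PLAINTEXT_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>",
    b"GET /style.css HTTP/1.1\r\nHost: example.test\r\n\r\n",
]
CIPHERTEXT_LIKE_PAYLOADS = [bytes(range(256)), bytes(range(256))]


def payload_entropy(payloads, n=20):
    """Information entropy in bits per byte of the first n transport-layer payloads
    (S1021-S1024). Each byte is one character; S is the total character count and
    c_n the count of character n. Assumes the standard Shannon formula."""
    counts = Counter()
    for payload in payloads[:n]:      # fewer than n packets: all of them are used
        counts.update(payload)
    total = sum(counts.values())      # S
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def encryption_score(payloads, te=6.0, n=20, scale=2.0):
    """S1025: returns (entropy, score increment). Te, n and scale are assumed
    parameters; the increment grows with how far the entropy exceeds Te."""
    entropy = payload_entropy(payloads, n)
    if entropy <= te:
        return entropy, 0.0
    return entropy, (entropy - te) * scale
```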
S103: check whether suspicious heartbeat behavior exists in the data stream to be tested; if so, increase the detection score, delete the packets exhibiting the suspicious heartbeat behavior from the stream, and denote the result the cleaned data stream to be tested.
Preferably, suspicious heartbeat behavior has the following features: the packets are sent from the controlled end to the control end; the packet size is fixed and does not exceed the set value Ns; the packet sending interval is stable.
Preferably, detecting whether suspicious heartbeat behavior exists in the data stream to be tested, and increasing the detection score if so, specifically includes the following steps:
S1031: generate a structure array of Ns elements, Ns being a positive integer greater than 1, and traverse the packets sent from the controlled end to the control end; for each packet smaller than Ns, record in the predefined structure selected by its size the sending time of that packet and the sending interval between it and the previous packet of the same size.
S1032: traverse the whole array and calculate the mean μ and standard deviation σ of the sending-interval sequence of each packet size.
S1033: calculate the smoothness of the sending-interval sequence of each packet size by the following equation:
S1034: search for the most stable interval sequence by its smoothness P; if P exceeds the set threshold Ti and the number of beats exceeds the set threshold Thb, generate an alarm that a suspicious heartbeat signal has been detected, and increase the detection score according to the value of P.
S1035: delete from the session packets the suspected heartbeat packets sent from the client to the server and the suspected heartbeat reply packets sent from the server to the client.
Before detecting whether suspicious heartbeat behavior exists in the data stream to be tested, a structure must be predefined whose contents include parameters such as the packet size, the packet sending time sequence and the packet sending interval sequence.
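As an added example (not the patent's own code), steps S1031 to S1035 in Python over a constructed session. The patent's smoothness formula is not reproduced on this page, so the example assumes P = μ/σ (the inverse coefficient of variation); Ns, Ti, Thb and the reply window used to pair a beat with its reply are assumed values.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    t: float      # capture time in seconds
    c2s: bool     # True: controlled end (client) -> control end (server)
    size: int     # transport-layer payload length in bytes


def heartbeat_candidates(packets, ns):
    """S1031: one record per packet size below Ns, holding the sending times of
    client->server packets of that size and the intervals between consecutive ones."""
    by_size = {size: {"times": [], "gaps": []} for size in range(1, ns)}
    for pkt in packets:
        if not pkt.c2s or not 0 < pkt.size < ns:
            continue
        rec = by_size[pkt.size]
        if rec["times"]:
            rec["gaps"].append(pkt.t - rec["times"][-1])
        rec["times"].append(pkt.t)
    return by_size


def smoothness(gaps):
    """S1032-S1033: mean mu and standard deviation sigma of an interval sequence and
    an assumed smoothness P = mu / sigma (higher is steadier); the patent's own
    formula for P is not reproduced on this page. Fewer than two intervals give 0."""
    if len(gaps) < 2:
        return 0.0
    mu, sigma = mean(gaps), pstdev(gaps)
    return float("inf") if sigma == 0 else mu / sigma


def detect_heartbeat(packets, ns=64, ti=10.0, thb=5, reply_window=1.0):
    """S1034-S1035: pick the steadiest size class; if P > Ti and the beat count > Thb,
    report it and return the cleaned stream with the suspected beats and their replies
    removed. A reply is assumed to be the first server->client packet within
    reply_window seconds after a beat. Returns (size or None, best P, cleaned)."""
    groups = heartbeat_candidates(packets, ns)
    best_size, best_p = None, 0.0
    for size, rec in groups.items():
        p = smoothness(rec["gaps"])
        if p > best_p:
            best_size, best_p = size, p
    if best_size is None or best_p <= ti or len(groups[best_size]["times"]) <= thb:
        return None, best_p, list(packets)
    reply_idx = set()
    for beat_t in groups[best_size]["times"]:
        for i, pkt in enumerate(packets):
            if not pkt.c2s and 0 <= pkt.t - beat_t <= reply_window:
                reply_idx.add(i)
                break
    cleaned = [pkt for i, pkt in enumerate(packets)
               if not (pkt.c2s and pkt.size == best_size) and i not in reply_idx]
    return best_size, best_p, cleaned


# Constructed session (not a real capture): 16-byte beats roughly every 30 s, each
# with an 8-byte reply, plus one command/result exchange and two irregular packets.
BEAT_TIMES = [0.0, 30.1, 59.9, 90.0, 120.2, 149.8, 180.0, 210.1]
SAMPLE_SESSION = sorted(
    [Packet(t, True, 16) for t in BEAT_TIMES]
    + [Packet(t + 0.2, False, 8) for t in BEAT_TIMES]
    + [Packet(100.0, False, 200), Packet(100.5, True, 1400),
       Packet(100.6, True, 1400), Packet(100.7, True, 1400),
       Packet(5.0, True, 40), Packet(50.0, True, 40)],
    key=lambda p: p.t,
)
```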
S104: check whether an abnormal data transmission mode exists in the cleaned data stream to be tested; if so, increase the detection score.
Preferably, detecting whether an abnormal data transmission mode exists in the data stream to be tested, and increasing the detection score if so, specifically includes the following steps:
S1041: from the data stream to be tested, generate two time series: the client-to-server data transmission time series and the server-to-client data transmission time series.
S1042: find the active points in the two time series, generating two active time point sequences: the client-to-server active time point sequence and the server-to-client active time point sequence.
S1043: search the server-to-client active time points and count how many of them obtained a response from the client.
S1044: calculate the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points; if the ratio of the two exceeds the set threshold Tr, and the number of command-response interactions between the server and the client exceeds the set threshold Tmn, generate an alarm that an abnormal data transmission mode has been detected, and increase the detection score according to the result.
Preferably, an active time point is defined as follows: if the interval between the time of the current packet and the time of its previous packet is greater than the set threshold Tat, the current time is an active time point; otherwise the current packet is treated as a continuation of the previous data transmission behavior and not as a newly generated active time point.
Preferably, the method for judging how many active time points obtained a response from the client is: if there is a server-to-client active time point and, after it but before the maximum delay Tmp has elapsed, there is also a client-to-server active time point, then that server-to-client active time point is determined to have been responded to.
Preferably, the higher the response rate and the activity ratio, the greater the probability of a Trojan command-and-control channel.
Here the response rate is the probability that an active data transmission from the server to the client obtains a timely response from the client; a high response rate means the server's commands are very probably being executed by the client, which returns data.
The activity ratio is the probability that an active data transmission from the client to the server occurred only because the server activated the client; a high activity ratio means the client is silent except when passively receiving the server's commands.
A high response rate shows that the server's commands are very probably being executed by the client, which returns data; a high activity ratio shows that the client is generally silent except when passively receiving the server's commands. Both are typical behavioral features of Trojan command-and-control.
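As an added example (not the patent's own code), steps S1041 to S1044 in Python, run over two constructed sessions: a command-and-control-like one where every exchange is server-initiated, and a browsing-like one where every exchange is client-initiated. Tat, Tmp, Tr, Tmn and the score weight are assumed values, and the page's "ratio of the two exceeds Tr" is read as both rates exceeding Tr, which is this example's interpretation.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    t: float      # capture time in seconds
    c2s: bool     # True: client (controlled end) -> server (control end)
    size: int     # transport-layer payload length in bytes


def active_points(times, tat):
    """Active time points of one direction: a packet opens a new active point when
    the gap to the previous packet exceeds Tat; otherwise it continues that transfer."""
    points, prev = [], None
    for t in times:
        if prev is None or t - prev > tat:
            points.append(t)
        prev = t
    return points


def responded(s2c_active, c2s_active, tmp):
    """S1043: server->client active points followed by a client->server active
    point within the maximum delay Tmp."""
    return [s for s in s2c_active if any(s < c <= s + tmp for c in c2s_active)]


def triggered(s2c_active, c2s_active, tmp):
    """Client->server active points that follow a server->client active point within
    Tmp, i.e. transfers that only happened because the server activated the client."""
    return [c for c in c2s_active if any(s < c <= s + tmp for s in s2c_active)]


def transmission_mode_score(packets, tat=2.0, tmp=5.0, tr=0.8, tmn=3, weight=10.0):
    """S1041-S1044 on the cleaned stream. Tat, Tmp, Tr, Tmn and weight are assumed
    values. "The ratio of the two exceeds Tr" is read here as both the response rate
    and the activity ratio exceeding Tr (an interpretation, not the patent's wording)."""
    s2c_active = active_points([p.t for p in packets if not p.c2s], tat)
    c2s_active = active_points([p.t for p in packets if p.c2s], tat)
    answered = responded(s2c_active, c2s_active, tmp)
    response_rate = len(answered) / len(s2c_active) if s2c_active else 0.0
    activity_ratio = (len(triggered(s2c_active, c2s_active, tmp)) / len(c2s_active)
                      if c2s_active else 0.0)
    alarm = response_rate > tr and activity_ratio > tr and len(answered) > tmn
    return {
        "response_rate": response_rate,
        "activity_ratio": activity_ratio,
        "interactions": len(answered),
        "alarm": alarm,
        "score": weight * (response_rate + activity_ratio) / 2 if alarm else 0.0,
    }


# Constructed sessions (not real captures). C2-like: the server issues five commands
# and the client answers each with a burst of results. Browsing-like: the client
# initiates every exchange and the server answers.
C2_LIKE = [pkt for base in (0.0, 20.0, 40.0, 60.0, 80.0)
           for pkt in (Packet(base, False, 64), Packet(base + 0.5, True, 1400),
                       Packet(base + 0.6, True, 1400), Packet(base + 0.7, True, 1400))]
BROWSING_LIKE = [pkt for base in (0.0, 10.0, 20.0, 30.0)
                 for pkt in (Packet(base, True, 300), Packet(base + 0.3, False, 1400))]
```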
S105: detect whether an abnormal uplink/downlink traffic ratio exists in the cleaned data stream to be tested; if so, increase the detection score.
Preferably, detecting whether an abnormal uplink/downlink traffic ratio exists in the data stream to be tested, and increasing the detection score if so, specifically includes the following steps:
S1051: from the cleaned data stream to be tested, calculate separately the total number of client-to-server packets SumC2S and the total number of server-to-client packets SumS2C.
S1052: calculate the ratio of SumC2S to SumS2C; if it exceeds the set threshold Tud, generate an alarm that an abnormal uplink/downlink traffic ratio has been detected, and increase the detection score according to the result.
If the ratio exceeds the set threshold Tud, the amount of data sent in the current session is much larger than the amount received, which closely resembles the command execution and result return process of a Trojan.
S106: according to the final value of the detection score, judge whether the network connection is a suspicious Trojan communication channel.
Preferably, the method further includes: when the network connection is a suspicious Trojan communication channel, calculating from the detection score the probability that the network connection is a Trojan communication channel.
The invention also proposes a Trojan communication channel detection system 01 which, as shown in Fig. 2, comprises: a data stream acquisition module 02, a suspicious encryption behavior detection module 03, a suspicious heartbeat behavior detection module 04, an abnormal data transmission mode detection module 05, an abnormal uplink/downlink traffic ratio detection module 06 and a Trojan communication channel determination module 07.
Data stream acquisition module 02: obtains, by serial or parallel access, all packets of one network connection from its start to its end, denotes them the data stream to be tested, and sets the detection score to 0.
Suspicious encryption behavior detection module 03: detects whether suspicious encryption behavior exists in the data stream to be tested and, if so, increases the detection score.
Suspicious heartbeat behavior detection module 04: detects whether suspicious Trojan heartbeat behavior exists in the data stream to be tested and, if so, increases the detection score, deletes the packets exhibiting the suspicious heartbeat behavior from the stream, and denotes the result the cleaned data stream to be tested.
Abnormal data transmission mode detection module 05: detects whether an abnormal data transmission mode exists in the cleaned data stream and, if so, increases the detection score.
Abnormal uplink/downlink traffic ratio detection module 06: detects whether an abnormal uplink/downlink traffic ratio exists in the cleaned data stream and, if so, increases the detection score.
Trojan communication channel determination module 07: judges, according to the final value of the detection score, whether the network connection is a suspicious Trojan communication channel.
Preferably, the system further includes a packet storage module 08 for storing the data stream to be tested.
Preferably:
The data stream acquisition module 02 outputs the data stream to be tested to the packet storage module 08.
The suspicious encryption behavior detection module 03, suspicious heartbeat behavior detection module 04, abnormal data transmission mode detection module 05 and abnormal uplink/downlink traffic ratio detection module 06 read the contents of the packet storage module 08.
The suspicious encryption behavior detection module 03, suspicious heartbeat behavior detection module 04, abnormal data transmission mode detection module 05 and abnormal uplink/downlink traffic ratio detection module 06 output the final value of the detection score to the Trojan communication channel determination module 07.
Among them, the suspicious heartbeat behavior detection module 04 may modify the contents of the packet storage module 08.
Preferably, the suspicious encryption behavior detection module 03 detects whether suspicious encryption behavior is present in the data stream to be tested, and increases the detection score if so, by the following steps:
S1021: Take the first N packets of the data stream to be tested, where N is a set positive integer; if the total number of packets in the stream is less than N, take all packets of the stream.
S1022: For each packet, strip the packet headers and keep the transport-layer payload.
S1023: Treat the payload as a string of single-byte characters and count the number of occurrences of each character over the first N packets (or over all packets of the stream if it contains fewer than N packets).
S1024: From the occurrence counts, calculate the information entropy of the data stream to be tested by the following formula:
where S is the total number of characters and c_n is the number of occurrences of character n.
S1025: If the information entropy of the data stream exceeds the set threshold Te, determine that suspicious encryption behavior is present in the data stream and increase the detection score according to the degree of deviation from Te.
Preferably, the suspicious heartbeat behavior detection module 04 detects whether suspicious heartbeat behavior is present in the data stream to be tested, and increases the detection score if so, by the following steps:
S1031: Generate a structure array of Ns elements, where Ns is a positive integer greater than 1, and traverse the packets sent from the controlled end to the control end. For each packet whose size is less than Ns, record in the predefined structure for that packet size the sending time of packets of the same size and the sending interval between consecutive packets.
S1032: Traverse the whole array and calculate the mean μ and standard deviation σ of each sending-interval sequence of same-size packets.
S1033: Calculate the smoothness of each same-size sending-interval sequence by the following equation:
S1034: Use the smoothness P to find the most stable interval sequence. If the smoothness P exceeds the set threshold Ti and the heartbeat count exceeds the set threshold Thb, generate an alarm that a suspicious heartbeat signal has been detected and increase the detection score according to the value of P.
S1035: Delete from the session packets the suspected heartbeat packets sent from the client to the server and the suspected heartbeat reply packets sent from the server to the client.
Before detecting whether suspicious heartbeat behavior is present in the data stream, a structure must be predefined whose fields include the packet size, the packet sending time sequence and the packet sending interval sequence.
Preferably, the abnormal data transmission pattern detection module 05 detects whether an abnormal data transmission pattern is present in the data stream to be tested, and increases the detection score if so, by the following steps:
S1041: From the data stream to be tested, generate two time series: the client-to-server data transmission time series and the server-to-client data transmission time series.
S1042: Find the active points in the two time series and generate two active time point sequences: the client-to-server active time point sequence and the server-to-client active time point sequence.
S1043: Search the server-to-client active time points and determine how many of them received a response from the client.
S1044: Calculate the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points. If the ratio of the two exceeds the set threshold Tr and the number of command-response interactions between the server and the client exceeds the set threshold Tmn, generate an alarm that an abnormal data transmission pattern has been detected and increase the detection score according to the detection result.
Preferably, the abnormal data transmission pattern detection module 05 determines whether an active time point received a client response as follows: if the server has an active time point towards the client and, after that point and before the maximum delay time Tmp has elapsed, the client also has an active time point towards the server, the active time point is determined to have been responded to.
Preferably, the abnormal uplink/downlink traffic ratio detection module 06 detects whether an abnormal uplink/downlink traffic ratio is present in the data stream to be tested, and increases the detection score if so, by the following steps:
S1051: From the cleaned data stream, calculate the total number of client-to-server packets, SumC2S, and the total number of server-to-client packets, SumS2C.
S1052: Calculate the ratio of SumC2S to SumS2C. If the ratio exceeds the set threshold Tud, the amount of data sent in the current session is much larger than the amount received: generate an alarm that an abnormal uplink/downlink traffic ratio has been detected and increase the detection score according to the detection result.
Preferably, the Trojan communication channel determination module 07 is further configured to: when the network connection is a suspicious Trojan communication channel, calculate from the detection score the probability that the connection is a Trojan communication channel.
A specific embodiment of the present invention, as shown in Figure 3, comprises the following steps:
S201: Acquire network traffic in real time in serial or bypass mode, obtain all data of a network connection, record it as the data stream to be tested, and set the initial detection score to 0.
S202: Detect whether suspicious encryption behavior is present in the data stream to be tested; if so, go to step S203, otherwise go to step S204.
S203: If suspicious encryption behavior is present, increase the detection score according to the degree of suspicion.
S204: Detect whether suspicious heartbeat behavior is present in the data stream to be tested; if so, go to step S205, otherwise go to step S206.
S205: If suspicious heartbeat behavior is present, increase the detection score according to the degree of suspicion, then delete the suspicious heartbeat packets from the data stream and record the result as the cleaned data stream to be tested.
S206: Run abnormal transmission pattern detection on the cleaned data stream; if an abnormal transmission pattern is present, go to step S207, otherwise go to step S208.
S207: If an abnormal transmission pattern is present, increase the detection score according to the degree of abnormality.
S208: Run uplink/downlink traffic ratio anomaly detection on the cleaned data stream; if an abnormal uplink/downlink traffic ratio is present, go to step S209, otherwise go to step S210.
S209: If an abnormal uplink/downlink traffic ratio is present, increase the detection score according to the degree of abnormality.
S210: Judge from the final detection score the probability that the network connection is a Trojan communication channel.
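The following is an added worked example, not code from the patent, that runs the entropy check (S1021-S1025), the active-point/response-rate check (S1041-S1044, with the Tmp rule) and the uplink/downlink ratio check (S1051-S1052) over a constructed session and accumulates a score as in S202-S210. The heartbeat check is omitted because its smoothness formula is not given on the page; the traffic, the thresholds, the treatment of the first packet as an active point, and the reading of "the ratio of the two exceeds Tr" as both rates exceeding Tr are all assumptions of this example.

```python
import math
import random
from collections import Counter

# Constructed sample traffic (not from the page): tuples of
# (timestamp in seconds, direction, transport-layer payload).
# "c2s" = controlled client -> control server, "s2c" = server -> client.
# Heartbeat packets are assumed to have been removed already (step S205).
_rng = random.Random(7)                 # fixed seed: reproducible "ciphertext"
SAMPLE = []
for k in range(3):                      # three command/response rounds
    SAMPLE.append((10.0 * k, "s2c", _rng.randbytes(64)))            # command
    for j in range(4):                  # four client packets 0.5-0.8 s later
        SAMPLE.append((10.0 * k + 0.5 + 0.1 * j, "c2s", _rng.randbytes(64)))

# Constructed plaintext request/response exchange for contrast.
BENIGN = [(0.0, "c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")] + [
    (0.2 + 0.1 * j, "s2c", b"HTTP/1.1 200 OK\r\n\r\n<html>hello world</html>")
    for j in range(5)]


def shannon_entropy(payloads, n=50):
    """S1021-S1024: byte-level entropy (bits per byte) of the first n payloads."""
    counts = Counter()
    for payload in list(payloads)[:n]:
        counts.update(payload)          # each byte is one single-byte character
    total = sum(counts.values())        # S in the page's notation
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def active_points(times, tat):
    """Claim 5: a packet starts a new active time point when the gap to the
    previous packet exceeds Tat. The first packet is treated as active
    (assumption; the page does not say)."""
    points, prev = [], None
    for t in times:
        if prev is None or t - prev > tat:
            points.append(t)
        prev = t
    return points


def response_stats(s2c_active, c2s_active, tmp):
    """S1043-S1044 and claim 6.
    response rate  = share of server active points followed by a client
                     active point within Tmp;
    activity ratio = share of client active points preceded by a server
                     active point within Tmp (this example's reading).
    Returns (response_rate, activity_ratio, responded_count)."""
    responded = sum(1 for ts in s2c_active
                    if any(ts < tc <= ts + tmp for tc in c2s_active))
    activated = sum(1 for tc in c2s_active
                    if any(tc - tmp <= ts < tc for ts in s2c_active))
    rr = responded / len(s2c_active) if s2c_active else 0.0
    ar = activated / len(c2s_active) if c2s_active else 0.0
    return rr, ar, responded


def score_flow(packets, *, n=50, te=7.0, tat=1.0, tmp=2.0, tr=0.8, tmn=2,
               tud=3.0):
    """S202-S210 without the heartbeat test: one point per triggered check.
    All threshold values are placeholders for this example, not page values."""
    score, findings = 0, {}
    findings["entropy"] = shannon_entropy((p for _, _, p in packets), n)
    if findings["entropy"] > te:                      # S203
        score += 1

    c2s = [t for t, d, _ in packets if d == "c2s"]
    s2c = [t for t, d, _ in packets if d == "s2c"]
    rr, ar, interactions = response_stats(active_points(s2c, tat),
                                          active_points(c2s, tat), tmp)
    findings.update(response_rate=rr, activity_ratio=ar,
                    interactions=interactions)
    if rr > tr and ar > tr and interactions > tmn:    # S207
        score += 1

    findings["updown_ratio"] = len(c2s) / len(s2c) if s2c else float("inf")
    if findings["updown_ratio"] > tud:                # S209 (SumC2S / SumS2C)
        score += 1
    findings["score"] = score                         # S210 input
    return findings


if __name__ == "__main__":
    print("sample:", score_flow(SAMPLE))
    print("benign:", score_flow(BENIGN))
```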
The present invention can achieve the following technical effects:
By detecting whether a communication link is encrypted, and treating the encryption behavior itself as an important feature of a Trojan communication channel, the method avoids the situation in which, after encryption, it is impossible to identify Trojan command-and-control messages from the content of the data stream, thereby reducing missed detections.
By distinguishing heartbeat behavior from data transmission behavior, the two classes of behavior do not interfere with each other during the various anomaly checks, and the detection algorithm appropriate to each type of behavior is applied to its data, which improves the accuracy of the detection result and reduces false positives.
It should be noted that the embodiments described above are provided only to help those skilled in the art understand the invention and are not intended to limit its scope; any obvious substitutions and improvements made to the present invention by those skilled in the art without departing from its inventive concept fall within the scope of the present invention.

Claims (12)

1. A Trojan communication channel detection method, characterized in that the method comprises:
obtaining, by serial or parallel access, all packets of a network connection from start to end, recording them as the data stream to be tested, and setting the detection score to 0;
checking whether suspicious encryption behavior is present in the data stream to be tested and, if so, increasing the detection score;
checking whether suspicious heartbeat behavior is present in the data stream to be tested and, if so, increasing the detection score, deleting the packets exhibiting the suspicious heartbeat behavior from the data stream, and recording the data stream as the cleaned data stream to be tested;
checking whether an abnormal data transmission pattern is present in the cleaned data stream and, if so, increasing the detection score;
detecting whether an abnormal uplink/downlink traffic ratio is present in the cleaned data stream and, if so, increasing the detection score;
judging, from the final value of the detection score, whether the network connection is a suspicious Trojan communication channel;
wherein detecting whether an abnormal data transmission pattern is present in the cleaned data stream and, if so, increasing the detection score specifically comprises the following steps:
generating, from the cleaned data stream, two time series: the client-to-server data transmission time series and the server-to-client data transmission time series;
finding the active points in the two time series and generating two active time point sequences: the client-to-server active time point sequence and the server-to-client active time point sequence;
searching the server-to-client active time points and determining how many of them received a response from the client;
calculating the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points; if the ratio of the two exceeds the set threshold Tr and the number of command-response interactions between the server and the client exceeds the set threshold Tmn, generating an alarm that the abnormal data transmission pattern has been detected and increasing the detection score according to the detection result; wherein the response rate is the probability that active data transmission from the server to the client obtained a timely response from the client, and the activity ratio is the probability that active data transmission from the client to the server occurred because it was activated by the server.
2. The method of claim 1, characterized in that detecting whether suspicious encryption behavior is present in the data stream to be tested and, if so, increasing the detection score specifically comprises the following steps:
taking the first N packets of the data stream to be tested, where N is a set positive integer; if the total number of packets in the data stream is less than N, taking all packets of the data stream;
for each packet, stripping the packet headers and keeping the transport-layer payload of the packet;
treating the payload as a string of single-byte characters and counting the number of occurrences of each character over the first N packets, or over all packets of the data stream if it contains fewer than N packets;
calculating, from the occurrence counts, the information entropy of the data stream to be tested by the following formula:
where S is the total number of characters and c_n is the number of occurrences of character n;
if the information entropy of the data stream exceeds the set threshold Te, determining that suspicious encryption behavior is present in the data stream and increasing the detection score according to the degree of deviation from Te.
3. The method of claim 1, characterized in that the suspicious heartbeat behavior has the following features: packets are sent from the controlled end to the control end; the packet size is fixed and does not exceed the set value Ns; the packet sending interval is stable.
4. The method of claim 3, characterized in that detecting whether suspicious heartbeat behavior is present in the data stream to be tested and, if so, increasing the detection score specifically comprises the following steps:
generating a structure array of Ns elements, where Ns is a positive integer greater than 1, and traversing the packets sent from the controlled end to the control end; for each packet whose size is less than Ns, recording in the predefined structure for that packet size the sending time of packets of the same size and the sending interval between consecutive packets;
traversing the whole array and calculating the mean μ and standard deviation σ of each sending-interval sequence of same-size packets;
calculating the smoothness of each same-size sending-interval sequence by the following equation:
using the smoothness P to find the most stable interval sequence; if the smoothness P exceeds the set threshold Ti and the heartbeat count exceeds the set threshold Thb, generating an alarm that a suspicious heartbeat signal has been detected and increasing the detection score according to the value of P;
deleting from the session packets the suspected heartbeat packets sent from the client to the server and the suspected heartbeat reply packets sent from the server to the client.
5. The method of claim 1, characterized in that an active time point is defined as follows: if the interval between the time of the current packet and the time of its preceding packet is greater than the set threshold Tat, the current time point is an active time point; otherwise the current packet is regarded as a continuation of the previous data transmission behavior and not as a newly generated active time point.
6. The method of claim 1, characterized in that whether an active time point received a response from the client is determined as follows: if the server has an active time point towards the client and, after that point and before the maximum delay time Tmp has elapsed, the client also has an active time point towards the server, the active time point is determined to have been responded to.
7. The method of claim 1, characterized in that the higher the response rate and the activity ratio, the greater the probability of a Trojan command-and-control channel;
wherein a high response rate means a high probability that the server's commands are executed by the client and data is returned;
and a high activity ratio means that the client remains silent except when passively receiving the server's commands.
8. The method of claim 1, characterized in that detecting whether an abnormal uplink/downlink traffic ratio is present in the cleaned data stream and, if so, increasing the detection score specifically comprises the following steps:
calculating, from the cleaned data stream, the total number of client-to-server packets, SumC2S, and the total number of server-to-client packets, SumS2C;
calculating the ratio of SumC2S to SumS2C and, if the ratio exceeds the set threshold Tud, generating an alarm that an abnormal uplink/downlink traffic ratio has been detected and increasing the detection score according to the detection result.
9. The method of claim 1, characterized in that the method further comprises: when the network connection is a suspicious Trojan communication channel, calculating from the detection score the probability that the connection is a Trojan communication channel.
10. A Trojan communication channel detection system, characterized in that the system comprises: a data-stream-to-be-tested acquisition module, a suspicious encryption behavior detection module, a suspicious heartbeat behavior detection module, an abnormal data transmission pattern detection module, an abnormal uplink/downlink traffic ratio detection module and a Trojan communication channel determination module;
the data-stream acquisition module obtains, by serial or parallel access, all packets of a network connection from start to end, records them as the data stream to be tested, and sets the detection score to 0;
the suspicious encryption behavior detection module detects whether suspicious encryption behavior is present in the data stream to be tested and, if so, increases the detection score;
the suspicious heartbeat behavior detection module detects whether suspicious Trojan heartbeat behavior is present in the data stream to be tested and, if so, increases the detection score, deletes the packets exhibiting the suspicious heartbeat behavior from the data stream, and records the data stream as the cleaned data stream to be tested;
the abnormal data transmission pattern detection module detects whether an abnormal data transmission pattern is present in the cleaned data stream and, if so, increases the detection score, wherein detecting whether an abnormal data transmission pattern is present in the cleaned data stream and, if so, increasing the detection score specifically comprises the following steps:
generating, from the cleaned data stream, two time series: the client-to-server data transmission time series and the server-to-client data transmission time series;
finding the active points in the two time series and generating two active time point sequences: the client-to-server active time point sequence and the server-to-client active time point sequence;
searching the server-to-client active time points and determining how many of them received a response from the client;
calculating the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points; if the ratio of the two exceeds the set threshold Tr and the number of command-response interactions between the server and the client exceeds the set threshold Tmn, generating an alarm that the abnormal data transmission pattern has been detected and increasing the detection score according to the detection result; wherein the response rate is the probability that active data transmission from the server to the client obtained a timely response from the client, and the activity ratio is the probability that active data transmission from the client to the server occurred because it was activated by the server;
the abnormal uplink/downlink traffic ratio detection module detects whether an abnormal uplink/downlink traffic ratio is present in the cleaned data stream and, if so, increases the detection score;
the Trojan communication channel determination module judges, from the final value of the detection score, whether the network connection is a suspicious Trojan communication channel.
11. The system of claim 10, characterized in that the system further comprises a packet storage module for storing the data stream to be tested.
12. The system of claim 11, characterized in that
the data-stream acquisition module outputs the data stream to be tested to the packet storage module;
the suspicious encryption behavior detection module, the suspicious heartbeat behavior detection module, the abnormal data transmission pattern detection module and the abnormal uplink/downlink traffic ratio detection module read the content of the packet storage module;
the suspicious encryption behavior detection module, the suspicious heartbeat behavior detection module, the abnormal data transmission pattern detection module and the abnormal uplink/downlink traffic ratio detection module output the final value of the detection score to the Trojan communication channel determination module;
wherein the suspicious heartbeat behavior detection module may modify the content of the packet storage module.
CN201410816251.7A 2014-12-23 2014-12-23 A kind of wooden horse communication channel detection method and system Active CN105791236B (en)
Publications (2)

Publication Number Publication Date
CN105791236A CN105791236A (en) 2016-07-20
CN105791236B true CN105791236B (en) 2019-03-12