CN105791236B - Trojan communication channel detection method and system - Google Patents
Trojan communication channel detection method and system
- Publication number: CN105791236B (application CN201410816251.7A)
- Authority: CN (China)
- Prior art keywords: data, client, suspicious, score value, server end
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a Trojan communication channel detection method and system. A data stream to be detected is obtained and the detection score is set to 0. The stream is checked for suspicious encryption behaviour; if present, the detection score is increased. The stream is checked for suspicious heartbeat behaviour; if present, the detection score is increased and the packets exhibiting the heartbeat behaviour are deleted from the stream, which is then recorded as the cleaned stream. The cleaned stream is checked for an abnormal data transmission pattern; if present, the detection score is increased. The cleaned stream is checked for an abnormal uplink/downlink traffic ratio; if present, the detection score is increased. Finally, the network connection is judged to be a suspicious Trojan communication channel or not according to the final detection score. With this scheme, unknown Trojans can be detected from features such as heartbeat behaviour, an abnormal command-driven data transmission pattern, suspicious encryption behaviour and an abnormal uplink/downlink traffic ratio, reducing both false negatives and false positives.
Description
Technical field
The present invention relates to the field of information security, and in particular to a Trojan communication channel detection method and system.
Background
At present, APT (Advanced Persistent Threat) attacks have become the main security threat faced by networks of all types. They have turned network threats from scattered, opportunistic attacks into purposeful, organised and premeditated group attacks, so that traditional defences based on real-time detection and real-time blocking can no longer play their role. Throughout the APT process, the Trojan remains the main means by which an attacker exercises remote control after penetrating the target network. Detecting the Trojan communication channel is therefore an important link in APT detection and defence.
The mainstream method of detecting Trojan communication channels is to run Trojan samples first and extract the network connection features of their communication, then match those features against captured network traffic to identify Trojan communication behaviour. The advantage of this approach is a low false-positive rate; its disadvantage is that it cannot identify the communication behaviour of unknown, encrypted or modified Trojan programs.
A literature search of the prior art finds the following. Chinese patent application 201110157821.2, "Fast Trojan detection method based on heartbeat behaviour analysis", proposes detecting unknown Trojans from their heartbeat signal. Chinese patent application 201110430821.5, "Trojan detection method and device", proposes detecting unknown Trojans from the heartbeat signal together with the Trojan's control command packets. Chinese patent application 201310478492.0, "Fast extraction method of Trojan communication features based on network data flow clustering", first clusters the packets with a data flow clustering algorithm, so that the Trojan communication is divided into a connection-keeping phase without operations and an operation phase, and then detects Trojans from features such as the heartbeat signal, communication time, packet size distribution and upload/download traffic ratio. These methods solve the problem of unknown Trojan detection to a certain extent, but they have the following shortcomings:
(1) A typical Trojan communication channel carries heartbeat behaviour and data transmission behaviour mixed together, and the two behaviours differ considerably. Heartbeats are generally initiated by the controlled end towards the controller, which then replies; their period is steady and the uplink and downlink volumes differ little. Data transmission is generally initiated by the controller sending a command, to which the controlled end replies; it has no obvious periodicity and the uplink and downlink volumes differ greatly. If the two are not separated and suspicious-behaviour detection is run directly on the captured packets, the result carries a large error.
(2) To evade detection devices that work by feature matching, many Trojans encrypt their communication, which defeats detection methods based on the content of the Trojan's command and control messages. At the same time, abnormal encryption in a network connection that should not be encrypted is itself an important feature of a Trojan communication channel. If the detection algorithm does not consider whether the channel is encrypted, it will produce many false negatives.
Summary of the invention
To solve the above problems, the invention proposes a Trojan communication channel detection method and system that detect unknown Trojans from features such as heartbeat behaviour, an abnormal command-driven data transmission pattern, suspicious encryption behaviour and an abnormal uplink/downlink traffic ratio, reducing false negatives and false positives.
To achieve this, the invention proposes a Trojan communication channel detection method comprising:
Obtaining, by serial (inline) or parallel (bypass) access, all packets of one network connection from start to end, recording them as the data stream to be detected, and setting the detection score to 0.
Checking whether suspicious encryption behaviour exists in the stream and, if so, increasing the detection score.
Checking whether suspicious heartbeat behaviour exists in the stream and, if so, increasing the detection score and deleting the packets exhibiting the heartbeat behaviour from the stream; the result is recorded as the cleaned stream.
Checking whether an abnormal data transmission pattern exists in the cleaned stream and, if so, increasing the detection score.
Checking whether an abnormal uplink/downlink traffic ratio exists in the cleaned stream and, if so, increasing the detection score.
Judging, from the final detection score, whether the network connection is a suspicious Trojan communication channel.
Preferably, detecting suspicious encryption behaviour in the stream and increasing the detection score if it exists comprises the following steps:
Take the first N packets of the stream, N being a set positive integer; if the stream contains fewer than N packets, take all of them.
For each packet, strip the headers and take the transport-layer payload.
Treat the payload as a string of single-byte characters and count the number of occurrences of each character over the first N packets (or over all packets of the stream if it contains fewer than N).
From the character counts, compute the information entropy of the stream by the following formula:
where S is the total number of characters and c_n is the number of occurrences of character n.
If the information entropy of the stream exceeds the set threshold Te, determine that suspicious encryption behaviour exists in the stream and increase the detection score according to the degree by which the entropy exceeds Te.
Preferably, suspicious heartbeat behaviour has the following features: the packets are sent from the controlled end to the controller; the packet size is fixed and does not exceed the set value Ns; the packet sending interval is stable.
Preferably, detecting suspicious heartbeat behaviour in the stream and increasing the detection score if it exists comprises the following steps:
Generate an array of Ns structures, Ns being a positive integer greater than 1, and traverse the packets sent from the controlled end to the controller; for each packet smaller than Ns, record in the predefined structure for its size the sending time of the packet and the interval since the previous packet of the same size.
Traverse the whole array and compute, for each packet size, the mean μ and standard deviation σ of the sequence of sending intervals.
Compute the smoothness P of each size's interval sequence by the following formula:
Search for the most stable interval sequence by its smoothness P. If P exceeds the set threshold Ti and the number of beats exceeds the set threshold Thb, raise an alarm that a suspicious heartbeat signal has been detected and increase the detection score according to P.
Delete from the session the suspected heartbeat packets sent from the client to the server end and the suspected heartbeat reply packets sent from the server end to the client (in this description the client is the controlled end and the server end is the controller).
Preferably, detecting an abnormal data transmission pattern in the stream and increasing the detection score if it exists comprises the following steps:
From the stream, generate two time series: the client-to-server transmission time series and the server-to-client transmission time series.
Find the active points in the two time series, generating two sequences of active time points: the client-to-server active time points and the server-to-client active time points.
Go through the server-to-client active time points and determine how many of them received a response from the client.
Compute the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points. If the two ratios exceed the set threshold Tr and the number of command-response interactions between server and client exceeds the set threshold Tmn, raise an alarm that an abnormal data transmission pattern has been detected and increase the detection score according to the result.
Preferably, an active time point is defined as follows: if the interval between the time of the current packet and the time of the previous packet is greater than the set threshold Tat, the current time is an active time point; otherwise the current packet is treated as a continuation of the previous data transmission and not as a new active time point.
Preferably, whether a server-to-client active time point received a response is judged as follows: if there is a client-to-server active time point after the server-to-client active time point and before the maximum delay Tmp has elapsed, the server-to-client active time point is determined to have been responded to.
Preferably, the higher the response rate and the activity ratio, the greater the probability of a Trojan command and control channel.
Here the response rate is the probability that an active transmission from the server to the client receives a timely response from the client; a high response rate means that the server's commands are very likely executed by the client with data returned.
The activity ratio is the probability that an active transmission from the client to the server occurs only because the server triggered it; a high activity ratio means that the client stays silent except when passively receiving the server's commands.
Preferably, detecting an abnormal uplink/downlink traffic ratio in the stream and increasing the detection score if it exists comprises the following steps:
From the cleaned stream, compute the total number of packets from client to server, SumC2S, and the total number of packets from server to client, SumS2C.
Compute the ratio SumC2S/SumS2C. If it exceeds the set threshold Tud, raise an alarm that an abnormal uplink/downlink traffic ratio has been detected and increase the detection score according to the result.
Preferably, the method further comprises: when the network connection is a suspicious Trojan communication channel, computing from the detection score the probability that the connection is a Trojan communication channel.
The invention also proposes a Trojan communication channel detection system comprising: a data stream acquisition module, a suspicious encryption behaviour detection module, a suspicious heartbeat behaviour detection module, an abnormal data transmission pattern detection module, an abnormal uplink/downlink traffic ratio detection module and a Trojan communication channel determination module.
Data stream acquisition module: obtains, by serial or parallel access, all packets of one network connection from start to end, records them as the data stream to be detected and sets the detection score to 0.
Suspicious encryption behaviour detection module: detects whether suspicious encryption behaviour exists in the stream and, if so, increases the detection score.
Suspicious heartbeat behaviour detection module: detects whether suspicious Trojan heartbeat behaviour exists in the stream and, if so, increases the detection score and deletes the packets exhibiting the heartbeat behaviour from the stream, which is then recorded as the cleaned stream.
Abnormal data transmission pattern detection module: detects whether an abnormal data transmission pattern exists in the cleaned stream and, if so, increases the detection score.
Abnormal uplink/downlink traffic ratio detection module: detects whether an abnormal uplink/downlink traffic ratio exists in the cleaned stream and, if so, increases the detection score.
Trojan communication channel determination module: judges, from the final detection score, whether the network connection is a suspicious Trojan communication channel.
Preferably, the system further comprises a packet storage module for storing the data stream to be detected.
Preferably:
The data stream acquisition module outputs the data stream to the packet storage module.
The suspicious encryption behaviour detection module, suspicious heartbeat behaviour detection module, abnormal data transmission pattern detection module and abnormal uplink/downlink traffic ratio detection module read the contents of the packet storage module.
The suspicious encryption behaviour detection module, suspicious heartbeat behaviour detection module, abnormal data transmission pattern detection module and abnormal uplink/downlink traffic ratio detection module output the final detection score to the Trojan communication channel determination module.
The suspicious heartbeat behaviour detection module may modify the contents of the packet storage module.
Compared with the prior art, the invention obtains, by serial or parallel access, all packets of one network connection from start to end, records them as the data stream to be detected and sets the detection score to 0; checks the stream for suspicious encryption behaviour and increases the score if it exists; checks the stream for suspicious heartbeat behaviour and, if it exists, increases the score and deletes the heartbeat packets from the stream, recording the result as the cleaned stream; checks the cleaned stream for an abnormal data transmission pattern and increases the score if it exists; checks the cleaned stream for an abnormal uplink/downlink traffic ratio and increases the score if it exists; and judges from the final score whether the connection is a suspicious Trojan communication channel. The scheme thus detects unknown Trojans from heartbeat behaviour, an abnormal command-driven data transmission pattern, suspicious encryption behaviour and an abnormal uplink/downlink traffic ratio, reducing false negatives and false positives.
Brief description of the drawings
The drawings of the embodiments are described below. They serve, together with the description, to further explain the invention and do not limit its scope of protection.
Fig. 1 is a flow chart of the Trojan communication channel detection method of the invention;
Fig. 2 is a block diagram of the Trojan communication channel detection system of the invention;
Fig. 3 is a detection flow chart of an embodiment of the Trojan communication channel detection method of the invention.
Detailed description of the embodiments
To help those skilled in the art understand it, the invention is further described below with reference to the drawings; this description does not limit the scope of the invention.
The invention proposes a Trojan communication channel detection method which, as shown in Fig. 1, comprises:
S101: obtain, by serial or parallel access, all packets of one network connection from start to end, record them as the data stream to be detected and set the detection score to 0.
S102: check whether suspicious encryption behaviour exists in the stream and, if so, increase the detection score.
Preferably, detecting suspicious encryption behaviour in the stream and increasing the detection score if it exists comprises the following steps:
S1021: take the first N packets of the stream, N being a set positive integer; if the stream contains fewer than N packets, take all of them.
S1022: for each packet, strip the headers and take the transport-layer payload.
S1023: treat the payload as a string of single-byte (8-bit) characters and count the number of occurrences of each character over the first N packets (or over all packets of the stream if it contains fewer than N).
S1024: from the character counts, compute the information entropy of the stream by the following formula:
where S is the total number of characters and c_n is the number of occurrences of character n.
S1025: if the information entropy of the stream exceeds the set threshold Te, determine that suspicious encryption behaviour exists in the stream and increase the detection score according to the degree by which the entropy exceeds Te.
S103: check whether suspicious heartbeat behaviour exists in the stream and, if so, increase the detection score and delete the packets exhibiting the heartbeat behaviour from the stream; the result is recorded as the cleaned stream.
Preferably, suspicious heartbeat behaviour has the following features: the packets are sent from the controlled end to the controller; the packet size is fixed and does not exceed the set value Ns; the packet sending interval is stable.
Preferably, detecting suspicious heartbeat behaviour in the stream and increasing the detection score if it exists comprises the following steps:
S1031: generate an array of Ns structures, Ns being a positive integer greater than 1, and traverse the packets sent from the controlled end to the controller; for each packet smaller than Ns, record in the predefined structure for its size the sending time of the packet and the interval since the previous packet of the same size.
S1032: traverse the whole array and compute, for each packet size, the mean μ and standard deviation σ of the sequence of sending intervals.
S1033: compute the smoothness P of each size's interval sequence by the following formula:
S1034: search for the most stable interval sequence by its smoothness P; if P exceeds the set threshold Ti and the number of beats exceeds the set threshold Thb, raise an alarm that a suspicious heartbeat signal has been detected and increase the detection score according to P.
S1035: delete from the session the suspected heartbeat packets sent from the client to the server end and the suspected heartbeat reply packets sent from the server end to the client (in this description the client is the controlled end and the server end is the controller).
Before the stream is checked for suspicious heartbeat behaviour, a structure must be predefined whose fields include the packet size, the sequence of packet sending times and the sequence of sending intervals.
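The heartbeat detection and cleaning of S1031-S1035, as an added Python example rather than code from the patent. It works on a stream of (time, direction, size) records, buckets controlled-to-controller packets smaller than Ns by size, computes the mean and standard deviation of each bucket's sending intervals, picks the most stable bucket with enough beats and then removes the beats together with the controller's replies. The patent fixes neither its smoothness formula nor its thresholds: the coefficient-of-variation form P = 1 - σ/μ, Ns = 64, Ti = 0.9, Thb = 5, the one-second window used to recognise a heartbeat reply, the score scaling and the constructed sample stream are all assumptions made here.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed parameter values; the patent names them but does not fix them.
NS = 64             # Ns: only controlled->controller packets smaller than this are candidates
TI = 0.9            # Ti: smoothness threshold
THB = 5             # Thb: minimum number of beats
REPLY_WINDOW = 1.0  # seconds: a controller->host packet this soon after a beat is its reply


@dataclass(frozen=True)
class Packet:
    ts: float        # send time in seconds
    direction: str   # "c2s": client (controlled end) -> server (controller); "s2c": reverse
    size: int        # transport payload length in bytes


def interval_sequences(stream: List[Packet]) -> Dict[int, List[float]]:
    """S1031: bucket c2s packets smaller than Ns by size; keep each bucket's interval sequence."""
    times: Dict[int, List[float]] = {}
    for p in sorted(stream, key=lambda q: q.ts):
        if p.direction == "c2s" and p.size < NS:
            times.setdefault(p.size, []).append(p.ts)
    return {size: [b - a for a, b in zip(ts, ts[1:])]
            for size, ts in times.items() if len(ts) >= 2}


def smoothness(intervals: List[float]) -> float:
    """S1032-S1033: mean mu and standard deviation sigma of the intervals, turned into a
    smoothness P in [0, 1]. P = 1 - sigma/mu is an assumption; the patent's formula is absent."""
    mu = statistics.mean(intervals)
    sigma = statistics.pstdev(intervals)
    if mu <= 0:
        return 0.0
    return max(0.0, 1.0 - sigma / mu)


def detect_heartbeat(stream: List[Packet]) -> Tuple[Optional[int], float, float]:
    """S1034: among size buckets with more than Thb beats, pick the most stable one.
    Buckets with too few beats are excluded first, because any two packets form a
    perfectly 'stable' interval sequence. Returns (heartbeat_size, P, score_increment)."""
    best_size, best_p = None, 0.0
    for size, intervals in interval_sequences(stream).items():
        if len(intervals) + 1 <= THB:        # beats = intervals + 1
            continue
        p = smoothness(intervals)
        if p > best_p:
            best_size, best_p = size, p
    if best_size is None or best_p <= TI:
        return None, best_p, 0.0
    return best_size, best_p, round(10.0 * best_p, 2)   # score grows with P, at most 10


def clean_stream(stream: List[Packet], hb_size: int) -> List[Packet]:
    """S1035: drop every c2s beat of the detected size and the first s2c packet that follows
    each beat within REPLY_WINDOW (taken to be the controller's heartbeat reply)."""
    cleaned: List[Packet] = []
    pending_reply: Optional[float] = None
    for p in sorted(stream, key=lambda q: q.ts):
        if p.direction == "c2s" and p.size == hb_size:
            pending_reply = p.ts
            continue
        if (p.direction == "s2c" and pending_reply is not None
                and 0.0 <= p.ts - pending_reply <= REPLY_WINDOW):
            pending_reply = None
            continue
        cleaned.append(p)
    return cleaned


def constructed_stream() -> List[Packet]:
    """Constructed sample: 11 beats about 30 s apart with slight jitter, each answered by the
    controller; two command/response exchanges; and a two-packet bucket of size 40 that would
    look perfectly regular if the beat count were not checked."""
    pkts: List[Packet] = []
    for i in range(11):
        t = i * 30.0 + (0.3 if i % 2 else 0.0)
        pkts.append(Packet(t, "c2s", 32))
        pkts.append(Packet(t + 0.2, "s2c", 16))
    for t_cmd, n_resp in ((45.0, 3), (130.0, 2)):
        pkts.append(Packet(t_cmd, "s2c", 120))
        pkts += [Packet(t_cmd + 0.3 + 0.1 * k, "c2s", 1400) for k in range(n_resp)]
    pkts += [Packet(10.0, "c2s", 40), Packet(200.0, "c2s", 40)]
    return sorted(pkts, key=lambda q: q.ts)


if __name__ == "__main__":
    stream = constructed_stream()
    size, p, score = detect_heartbeat(stream)
    print(f"heartbeat size={size} P={p:.3f} score={score}")
    print(f"{len(stream)} packets before cleaning, {len(clean_stream(stream, size))} after")
```

Running the module on the constructed stream reports the 32-byte bucket as the heartbeat and leaves only the two command/response exchanges and the two stray 40-byte packets, which is the input the later pattern and ratio checks expect.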
S104: check whether an abnormal data transmission pattern exists in the cleaned stream and, if so, increase the detection score.
Preferably, detecting an abnormal data transmission pattern in the stream and increasing the detection score if it exists comprises the following steps:
S1041: from the stream, generate two time series: the client-to-server transmission time series and the server-to-client transmission time series.
S1042: find the active points in the two time series, generating two sequences of active time points: the client-to-server active time points and the server-to-client active time points.
S1043: go through the server-to-client active time points and determine how many of them received a response from the client.
S1044: compute the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points. If the two ratios exceed the set threshold Tr and the number of command-response interactions between server and client exceeds the set threshold Tmn, raise an alarm that an abnormal data transmission pattern has been detected and increase the detection score according to the result.
Preferably, an active time point is defined as follows: if the interval between the time of the current packet and the time of the previous packet is greater than the set threshold Tat, the current time is an active time point; otherwise the current packet is treated as a continuation of the previous data transmission and not as a new active time point.
Preferably, whether a server-to-client active time point received a response is judged as follows: if there is a client-to-server active time point after the server-to-client active time point and before the maximum delay Tmp has elapsed, the server-to-client active time point is determined to have been responded to.
Preferably, the higher the response rate and the activity ratio, the greater the probability of a Trojan command and control channel.
Here the response rate is the probability that an active transmission from the server to the client receives a timely response from the client, and the activity ratio is the probability that an active transmission from the client to the server occurs only because the server triggered it. A high response rate shows that the server's commands are very likely executed by the client with data returned; a high activity ratio shows that the client is silent except when passively receiving the server's commands. Both are typical behavioural features of Trojan command and control.
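The active-time-point analysis of S1041-S1044, as an added Python example (not the patent's code), run over the two direction-separated time series of a constructed cleaned stream. Tat = 2 s, Tmp = 5 s, Tr = 0.8, Tmn = 3 and the score scaling are assumed values, and both sample series are constructed. The benign counter-example (client-initiated request/response traffic) shows why the direction of the first packet in each exchange is what separates a command channel from ordinary client/server traffic.

```python
from typing import Dict, List, Sequence, Set, Tuple

# Assumed parameter values; the patent names the thresholds but does not fix them.
TAT = 2.0   # Tat: gap (s) after which a packet opens a new active time point
TMP = 5.0   # Tmp: maximum delay for the client's response to a server active point
TR = 0.8    # Tr: threshold for both the response rate and the activity ratio
TMN = 3     # Tmn: minimum number of command-response interactions


def active_time_points(times: Sequence[float], tat: float = TAT) -> List[float]:
    """A packet opens a new active time point when it arrives more than Tat after the
    previous packet in the same direction; otherwise it continues the previous transfer."""
    points: List[float] = []
    prev = None
    for t in sorted(times):
        if prev is None or t - prev > tat:
            points.append(t)
        prev = t
    return points


def match_responses(s2c_active: Sequence[float], c2s_active: Sequence[float],
                    tmp: float = TMP) -> Tuple[int, int]:
    """A server active point s is answered if a client active point lies in (s, s + Tmp];
    a client active point is 'triggered' if it lies in that window of some server point.
    Returns (answered_server_points, triggered_client_points)."""
    answered = 0
    triggered: Set[float] = set()
    for s in s2c_active:
        hits = [c for c in c2s_active if s < c <= s + tmp]
        if hits:
            answered += 1
            triggered.update(hits)
    return answered, len(triggered)


def transmission_pattern(c2s_times: Sequence[float],
                         s2c_times: Sequence[float]) -> Dict[str, object]:
    """S1041-S1044: response rate, activity ratio and the abnormal-pattern decision."""
    s2c_active = active_time_points(s2c_times)
    c2s_active = active_time_points(c2s_times)
    if not s2c_active or not c2s_active:   # one-directional traffic has no command/response shape
        return {"response_rate": 0.0, "activity_ratio": 0.0, "interactions": 0,
                "abnormal": False, "score": 0.0}
    answered, triggered = match_responses(s2c_active, c2s_active)
    response_rate = answered / len(s2c_active)
    activity_ratio = triggered / len(c2s_active)
    abnormal = response_rate > TR and activity_ratio > TR and answered > TMN
    score = round(10.0 * (response_rate + activity_ratio) / 2, 2) if abnormal else 0.0
    return {"response_rate": response_rate, "activity_ratio": activity_ratio,
            "interactions": answered, "abnormal": abnormal, "score": score}


# Constructed cleaned stream (heartbeats already removed): the controller issues six commands,
# the host answers five of them with short bursts and makes one unprompted upload at t=600.
TROJAN_S2C = [45.0, 130.0, 300.0, 420.0, 500.0, 700.0]
TROJAN_C2S = [45.3, 45.4, 45.5, 130.4, 130.5, 301.0, 301.5, 421.2, 502.0, 600.0]

# Constructed benign traffic: the client initiates every exchange and the server only answers.
BENIGN_C2S = [0.0, 10.0, 20.0, 30.0, 40.0]
BENIGN_S2C = [0.1, 10.1, 20.1, 30.1, 40.1]

if __name__ == "__main__":
    print("trojan-like:", transmission_pattern(TROJAN_C2S, TROJAN_S2C))
    print("benign:", transmission_pattern(BENIGN_C2S, BENIGN_S2C))
```

In the benign series every server active point is preceded, not followed, by the client's, so no server point is counted as answered and the response rate is 0 even though the two sides alternate just as regularly as in the command channel.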
S105: check whether an abnormal uplink/downlink traffic ratio exists in the cleaned stream and, if so, increase the detection score.
Preferably, detecting an abnormal uplink/downlink traffic ratio in the stream and increasing the detection score if it exists comprises the following steps:
S1051: from the cleaned stream, compute the total number of packets from client to server, SumC2S, and the total number of packets from server to client, SumS2C.
S1052: compute the ratio SumC2S/SumS2C; if it exceeds the set threshold Tud, raise an alarm that an abnormal uplink/downlink traffic ratio has been detected and increase the detection score according to the result.
A ratio above Tud shows that the amount of data sent in the current session is much greater than the amount received, which closely resembles the command execution and result return process of a Trojan.
S106: judge, from the final detection score, whether the network connection is a suspicious Trojan communication channel.
Preferably, the method further comprises: when the network connection is a suspicious Trojan communication channel, computing from the detection score the probability that the connection is a Trojan communication channel.
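S1051-S1052 together with the final judgment of S106, as an added Python example (not the patent's code). It computes SumC2S/SumS2C on a constructed cleaned stream by packet count as the patent states (and by bytes as a variant a practitioner would also want), handles the stream in which the controller never sends anything back, and combines the four partial scores into a verdict and a probability. Tud = 3.0, the per-check cap, the score scaling, the verdict threshold and the linear score-to-probability mapping are assumptions; the patent fixes none of them.

```python
from typing import Dict, Sequence, Tuple

# Assumed values; the patent names Tud but does not fix it, and leaves the final mapping open.
TUD = 3.0             # Tud: SumC2S/SumS2C above this is an abnormal uplink/downlink ratio
RATIO_SCALE = 2.5     # score points per unit of ratio above Tud
CHECK_CAP = 10.0      # each of the four checks contributes at most this many points
VERDICT_SCORE = 20.0  # total above which the connection is a suspicious Trojan channel
MAX_SCORE = 4 * CHECK_CAP


def updown_ratio(cleaned: Sequence[Tuple[str, int]],
                 by_bytes: bool = False) -> Tuple[float, float]:
    """S1051-S1052 on the cleaned stream, given as (direction, payload_bytes) records.
    Counts packets as the patent states, or bytes when by_bytes is set. A stream with no
    server->client traffic at all yields an infinite ratio and the capped score instead
    of a ZeroDivisionError. Returns (ratio, score_increment)."""
    weight = (lambda size: size) if by_bytes else (lambda size: 1)
    sum_c2s = sum(weight(size) for d, size in cleaned if d == "c2s")
    sum_s2c = sum(weight(size) for d, size in cleaned if d == "s2c")
    if sum_c2s == 0:
        return 0.0, 0.0
    ratio = float("inf") if sum_s2c == 0 else sum_c2s / sum_s2c
    if ratio <= TUD:
        return ratio, 0.0
    return ratio, min(CHECK_CAP, (ratio - TUD) * RATIO_SCALE)


def final_verdict(partial_scores: Dict[str, float]) -> Tuple[bool, float, float]:
    """S106 plus the optional probability step: sum the partial scores, flag the connection
    when the total exceeds VERDICT_SCORE, and map the total linearly onto [0, 1]."""
    total = round(sum(partial_scores.values()), 2)
    suspicious = total > VERDICT_SCORE
    probability = round(min(1.0, total / MAX_SCORE), 3) if suspicious else 0.0
    return suspicious, total, probability


# Constructed cleaned streams (heartbeats already removed).
UPLOAD_HEAVY = [("s2c", 96)] * 4 + [("c2s", 1400)] * 24   # 4 commands, 24 result packets
BALANCED = [("c2s", 300)] * 10 + [("s2c", 1200)] * 12      # ordinary request/response
SILENT_SERVER = [("c2s", 1400)] * 5                         # the controller never answered

if __name__ == "__main__":
    for name, stream in (("upload-heavy", UPLOAD_HEAVY), ("balanced", BALANCED),
                         ("silent server", SILENT_SERVER)):
        print(name, updown_ratio(stream), updown_ratio(stream, by_bytes=True))
    # Partial scores as the four modules might report them for one connection (constructed).
    print(final_verdict({"encryption": 8.0, "heartbeat": 9.9, "pattern": 8.33, "ratio": 7.5}))
```

The byte-weighted variant is worth keeping beside the packet count: a handful of large result packets against many small acknowledgements looks balanced by count but not by volume, and the patent's own explanation of the check speaks of the amount of data sent versus received.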
The invention also proposes a Trojan communication channel detection system 01 which, as shown in Fig. 2, comprises: a data stream acquisition module 02, a suspicious encryption behaviour detection module 03, a suspicious heartbeat behaviour detection module 04, an abnormal data transmission pattern detection module 05, an abnormal uplink/downlink traffic ratio detection module 06 and a Trojan communication channel determination module 07.
Data stream acquisition module 02: obtains, by serial or parallel access, all packets of one network connection from start to end, records them as the data stream to be detected and sets the detection score to 0.
Suspicious encryption behaviour detection module 03: detects whether suspicious encryption behaviour exists in the stream and, if so, increases the detection score.
Suspicious heartbeat behaviour detection module 04: detects whether suspicious Trojan heartbeat behaviour exists in the stream and, if so, increases the detection score and deletes the packets exhibiting the heartbeat behaviour from the stream, which is then recorded as the cleaned stream.
Abnormal data transmission pattern detection module 05: detects whether an abnormal data transmission pattern exists in the cleaned stream and, if so, increases the detection score.
Abnormal uplink/downlink traffic ratio detection module 06: detects whether an abnormal uplink/downlink traffic ratio exists in the cleaned stream and, if so, increases the detection score.
Trojan communication channel determination module 07: judges, from the final detection score, whether the network connection is a suspicious Trojan communication channel.
Preferably, the system further comprises a packet storage module 08 for storing the data stream to be detected.
Preferably:
The data stream acquisition module 02 outputs the data stream to the packet storage module 08.
The suspicious encryption behaviour detection module 03, suspicious heartbeat behaviour detection module 04, abnormal data transmission pattern detection module 05 and abnormal uplink/downlink traffic ratio detection module 06 read the contents of the packet storage module 08.
The suspicious encryption behaviour detection module 03, suspicious heartbeat behaviour detection module 04, abnormal data transmission pattern detection module 05 and abnormal uplink/downlink traffic ratio detection module 06 output the final detection score to the Trojan communication channel determination module 07.
The suspicious heartbeat behaviour detection module 04 may modify the contents of the packet storage module 08.
Preferably, the suspicious encryption behavior detection module 03 detects whether suspicious encryption behavior is present in the stream to be tested, and if so increases the detection score, by the following steps:
S1021: take the first N packets of the stream to be tested, where N is a set positive integer; if the stream contains fewer than N packets in total, take all packets of the stream.
S1022: for each packet, remove the packet headers and keep only the transport-layer payload.
S1023: treat the payload as a string of single-byte characters and count the number of occurrences of each character over the first N packets (over all packets of the stream if it contains fewer than N).
S1024: from the occurrence counts, compute the information entropy of the stream to be tested by the following formula:
where S is the total number of characters and c_n is the number of occurrences of character n.
S1025: if the information entropy of the stream to be tested exceeds the set threshold Te, suspicious encryption behavior is judged to be present in the stream, and the detection score is increased according to how far the entropy exceeds Te.
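The entropy check of steps S1021 to S1025, as an added example that is not the patent's own code. The patent's entropy formula is not reproduced in this extraction; the example assumes the standard Shannon entropy over byte values, H = -Σ (c_n/S)·log2(c_n/S), with S and c_n as defined above. The threshold Te = 6.0, N = 10, the score weight and the sample payloads are all constructed for the example. Note that compressed payloads (gzip bodies, images) and ordinary TLS also score close to 8 bits per byte, which is why the patent treats this as one term of a combined score rather than a verdict on its own.

```python
import math
import random
from collections import Counter

# Constructed sample payloads: step S1022 strips the headers, so only the
# transport-layer payload of each packet is kept here.
PLAINTEXT_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello world</body></html>",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=alice&pass=secret",
]

# High-entropy payloads stand in for an encrypted (or compressed) stream;
# a seeded PRNG keeps the example deterministic and offline.
_rng = random.Random(20141223)
RANDOM_PAYLOADS = [bytes(_rng.getrandbits(8) for _ in range(400)) for _ in range(5)]


def byte_entropy(payloads, n=10):
    """Shannon entropy in bits per byte over the payloads of the first n packets.

    Assumed formula: H = -sum((c_n / S) * log2(c_n / S)), where S is the total
    number of bytes counted and c_n the number of occurrences of byte value n.
    If fewer than n packets exist, all of them are used (step S1021).
    """
    counts = Counter()
    for payload in payloads[:n]:
        counts.update(payload)            # counts each single-byte "character"
    s = sum(counts.values())
    if s == 0:
        return 0.0
    return -sum((c / s) * math.log2(c / s) for c in counts.values())


def encryption_score(payloads, te=6.0, n=10, weight=10.0):
    """Return (entropy, score increment) for step S1025.

    Below Te the increment is 0; above it the increment grows with the distance
    from Te, scaled so that the 8-bit maximum maps to `weight`. Te and weight
    are assumed tuning values, not figures from the patent.
    """
    h = byte_entropy(payloads, n)
    if h <= te:
        return h, 0.0
    return h, weight * (h - te) / (8.0 - te)


if __name__ == "__main__":
    for name, payloads in (("plaintext", PLAINTEXT_PAYLOADS), ("random", RANDOM_PAYLOADS)):
        h, inc = encryption_score(payloads)
        print(f"{name}: H={h:.2f} bits/byte, score += {inc:.2f}")
```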
Preferably, the suspicious heartbeat behavior detection module 04 detects whether suspicious heartbeat behavior is present in the stream to be tested, and if so increases the detection score, by the following steps:
S1031: create a structure array with Ns elements, where Ns is a set positive integer greater than 1, and traverse the packets sent from the controlled end to the controlling end; for each packet smaller than Ns, record in the predefined structure indexed by its packet size the sending times of packets of that size and the sending interval between each packet and the previous one of the same size.
S1032: traverse the whole array and compute the mean μ and standard deviation σ of the sending-interval sequence of each packet size.
S1033: compute the smoothness of the sending-interval sequence of each packet size by the following equations:
S1034: using the smoothness P, find the most stable interval sequence; if its smoothness P exceeds the set threshold Ti and its number of beats exceeds the set threshold Thb, raise an alarm that a suspicious heartbeat signal has been detected and increase the detection score according to the value of P.
S1035: delete from the session the suspected heartbeat packets sent from the client to the server and the suspected heartbeat reply packets sent from the server to the client.
Before detecting suspicious heartbeat behavior in the stream to be tested, a structure must be predefined whose fields include the packet size, the packet sending-time sequence and the packet sending-interval sequence.
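Steps S1031 to S1035 (size-indexed interval sequences, the stability test and the cleaning step), as an added example that is not the patent's own code. The patent's smoothness formula is not reproduced in this extraction, so the example substitutes P = 1 / (1 + σ/μ), which is 1.0 for a perfectly periodic sequence and falls toward 0 as jitter grows; the thresholds Ns = 128, Ti = 0.9, Thb = 5, the one-second reply window used to pair a server reply with each beacon, and the sample session are all assumed. Packets are modelled as (time, direction, size) tuples, with "c2s" for controlled end to controlling end.

```python
from collections import defaultdict
from statistics import mean, pstdev


def constructed_flow():
    """Constructed session: a 64-byte client beacon every 30 s, each answered by a
    48-byte server reply 0.2 s later, mixed with irregular data traffic."""
    pkts = []
    for i in range(12):
        t = 30.0 * i
        pkts.append((t, "c2s", 64))          # heartbeat
        pkts.append((t + 0.2, "s2c", 48))    # heartbeat reply
    for t, size in [(5.0, 211), (5.4, 990), (47.0, 130), (47.3, 1400), (47.9, 1400), (200.5, 77)]:
        pkts.append((t, "c2s", size))        # irregular data transfer
        pkts.append((t + 0.3, "s2c", size * 3 % 1400 + 40))
    return sorted(pkts)


def smoothness(intervals):
    """Assumed stand-in for the patent's smoothness P: 1 / (1 + sigma/mu)."""
    if len(intervals) < 2:
        return 0.0
    mu = mean(intervals)
    if mu <= 0:
        return 0.0
    return 1.0 / (1.0 + pstdev(intervals) / mu)


def detect_heartbeat(pkts, ns=128, ti=0.9, thb=5):
    """Return (size, P, beats) of the steadiest same-size c2s sequence if it
    passes both thresholds, otherwise None. ns caps the candidate packet size,
    ti is the smoothness threshold and thb the minimum beat count (assumed)."""
    by_size = defaultdict(list)              # the size-indexed "structure array"
    for t, direction, size in pkts:
        if direction == "c2s" and size < ns:
            by_size[size].append(t)
    best = None
    for size, times in by_size.items():
        intervals = [b - a for a, b in zip(times, times[1:])]
        p = smoothness(intervals)
        if best is None or p > best[1]:
            best = (size, p, len(times))
    if best and best[1] > ti and best[2] > thb:
        return best
    return None


def clean_stream(pkts, hb_size, reply_window=1.0):
    """Step S1035: drop the suspected heartbeat packets and the first server
    packet that follows each within reply_window seconds (assumed pairing rule)."""
    cleaned = []
    last_hb = None
    for t, direction, size in pkts:
        if direction == "c2s" and size == hb_size:
            last_hb = t
            continue
        if direction == "s2c" and last_hb is not None and t - last_hb <= reply_window:
            last_hb = None                   # consumed as the heartbeat reply
            continue
        cleaned.append((t, direction, size))
    return cleaned


if __name__ == "__main__":
    flow = constructed_flow()
    hit = detect_heartbeat(flow)
    print("heartbeat:", hit)
    if hit:
        print("packets after cleaning:", len(clean_stream(flow, hit[0])), "of", len(flow))
```

Indexing by exact packet size is what makes the cleaning step safe: only packets of the one size that produced the stable sequence are removed, so a data transfer that happens to coincide in time with a beacon survives into the cleaned stream.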
Preferably, the abnormal data transmission mode detection module 05 detects whether an abnormal data transmission mode is present in the stream to be tested, and if so increases the detection score, by the following steps:
S1041: from the stream to be tested, generate two time series: the client-to-server data transmission time series and the server-to-client data transmission time series.
S1042: find the active points in the two time series, producing two active time point sequences: the client-to-server active time point sequence and the server-to-client active time point sequence.
S1043: for the server-to-client active time points, determine how many of them received a response from the client.
S1044: compute the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points; if these two rates exceed the set threshold Tr and the number of command-response interactions between server and client exceeds the set threshold Tmn, raise an alarm that an abnormal data transmission mode has been detected and increase the detection score according to the detection result.
Preferably, the abnormal data transmission mode detection module 05 judges how many active time points received a client response as follows: if the server has an active time point toward the client, and after that active time point but before the maximum delay Tmp has elapsed the client also has an active time point toward the server, that server active time point is judged to have been responded to.
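Steps S1041 to S1044 together with the active-point rule (a packet opens a new active time point when the gap to the previous packet in the same direction exceeds Tat) and the Tmp response rule, as an added example that is not the patent's own code. The activity ratio is implemented as the fraction of client active points that were preceded by a server active point within Tmp, which is the reading of "client transmission triggered by the server" taken here; the thresholds Tat = 2 s, Tmp = 5 s, Tr = 0.8, Tmn = 5 and both sample sessions are constructed. The example contrasts a command-driven session with a browsing-like one in which the client initiates every exchange.

```python
def active_points(times, tat):
    """Active time points of one direction: a packet starts a new point when it
    follows the previous packet by more than tat seconds; otherwise it is the
    continuation of the previous transmission."""
    points = []
    prev = None
    for t in times:
        if prev is None or t - prev > tat:
            points.append(t)
        prev = t
    return points


def response_rate(s2c_points, c2s_points, tmp):
    """Fraction of server active points answered by a client active point
    within tmp seconds (the maximum delay of the patent)."""
    if not s2c_points:
        return 0.0
    answered = sum(1 for s in s2c_points if any(s < c <= s + tmp for c in c2s_points))
    return answered / len(s2c_points)


def activity_ratio(c2s_points, s2c_points, tmp):
    """Fraction of client active points preceded by a server active point within
    tmp seconds, i.e. client activity that the server triggered (assumed reading)."""
    if not c2s_points:
        return 0.0
    triggered = sum(1 for c in c2s_points if any(c - tmp <= s < c for s in s2c_points))
    return triggered / len(c2s_points)


def abnormal_transmission(pkts, tat=2.0, tmp=5.0, tr=0.8, tmn=5):
    """Return (alarm, response_rate, activity_ratio, interactions) for a stream of
    (time, direction, size) tuples; an alarm needs both rates above tr and more
    than tmn command-response interactions."""
    c2s = active_points([t for t, d, _ in pkts if d == "c2s"], tat)
    s2c = active_points([t for t, d, _ in pkts if d == "s2c"], tat)
    rr = response_rate(s2c, c2s, tmp)
    ar = activity_ratio(c2s, s2c, tmp)
    interactions = sum(1 for s in s2c if any(s < c <= s + tmp for c in c2s))
    return (rr > tr and ar > tr and interactions > tmn), rr, ar, interactions


def constructed_c2_session():
    """Constructed: the server sends a short command every 30 s and the client
    answers each with a burst of three large packets (controlled-end behaviour)."""
    pkts = []
    for k in range(7):
        s = 10.0 + 30.0 * k
        pkts.append((s, "s2c", 90))
        for j in range(3):
            pkts.append((s + 0.8 + 0.3 * j, "c2s", 1200))
    return sorted(pkts)


def constructed_browsing_session():
    """Constructed: the client requests every 8 s and the server replies with a
    burst; nothing the server sends triggers client activity."""
    pkts = []
    for k in range(7):
        c = 10.0 + 8.0 * k
        pkts.append((c, "c2s", 400))
        for j in range(4):
            pkts.append((c + 0.3 + 0.1 * j, "s2c", 1400))
    return sorted(pkts)


if __name__ == "__main__":
    for name, session in (("c2-like", constructed_c2_session()),
                          ("browsing", constructed_browsing_session())):
        alarm, rr, ar, n = abnormal_transmission(session)
        print(f"{name}: alarm={alarm} response_rate={rr:.2f} activity_ratio={ar:.2f} interactions={n}")
```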
Preferably, the abnormal uplink/downlink traffic ratio detection module 06 detects whether an abnormal uplink/downlink traffic ratio is present in the stream to be tested, and if so increases the detection score, by the following steps:
S1051: from the cleaned stream to be tested, compute the total number of client-to-server packets, SumC2S, and the total number of server-to-client packets, SumS2C.
S1052: compute the ratio SumC2S/SumS2C; if the ratio exceeds the set threshold Tud, the amount of data sent in the current session (measured here in packets) is much larger than the amount received; raise an alarm that an abnormal uplink/downlink traffic ratio has been detected and increase the detection score according to the detection result.
Preferably, the Trojan communication channel determination module 07 is further used to compute, from the detection score, the probability that the network connection is a Trojan communication channel once the connection has been judged a suspected Trojan communication channel.
In a specific embodiment of the invention, as shown in Figure 3, the following steps are carried out:
S201: acquire network traffic in real time, either in-line or through a bypass (mirror) tap, obtain all packets of a network connection, denote them the stream to be tested, and set the initial detection score to 0.
S202: detect whether suspicious encryption behavior is present in the stream to be tested; if so, go to step S203, otherwise go to step S204.
S203: if suspicious encryption behavior is present, increase the detection score according to the degree of suspicion.
S204: detect whether suspicious heartbeat behavior is present in the stream to be tested; if so, go to step S205, otherwise go to step S206.
S205: if suspicious heartbeat behavior is present, increase the detection score according to the degree of suspicion, then delete the suspected heartbeat packets from the stream to be tested and denote the result the cleaned stream to be tested.
S206: run abnormal transmission mode detection on the cleaned stream to be tested (the unmodified stream when no heartbeat packets were removed) to detect whether an abnormal transmission mode is present; if so, go to step S207, otherwise go to step S208.
S207: if an abnormal transmission mode is present, increase the detection score according to the degree of abnormality.
S208: run uplink/downlink traffic ratio anomaly detection on the cleaned stream to be tested to detect whether an abnormal uplink/downlink traffic ratio is present; if so, go to step S209, otherwise go to step S210.
S209: if an abnormal uplink/downlink traffic ratio is present, increase the detection score according to the degree of abnormality.
S210: from the final detection score, judge the probability that the network connection is a Trojan communication channel.
The invention achieves the following technical effects:
By detecting whether a communication link is encrypted and treating the encryption behavior itself as an important feature of a Trojan communication channel, the method avoids the missed detections that occur when, after encryption, the presence of Trojan command-and-control messages can no longer be identified from the content of the stream.
By separating heartbeat behavior from data transmission behavior, the two classes of behavior do not interfere with each other during the various anomaly detections, and a detection algorithm suited to each type of behavior is applied to its data, which improves the accuracy of the detection result and reduces false positives.
It should be noted that the embodiments described above are given only to help those skilled in the art understand the invention and are not intended to limit its scope; any obvious substitutions and improvements made to the invention by those skilled in the art without departing from its inventive concept fall within the scope of the invention.
Claims (12)
1. A Trojan communication channel detection method, characterized in that the method comprises:
obtaining, by in-line (serial) or bypass (parallel) access, all packets of a network connection from start to end, denoting them the stream to be tested, and setting the detection score to 0;
checking whether suspicious encryption behavior is present in the stream to be tested, and if so, increasing the detection score;
checking whether suspicious heartbeat behavior is present in the stream to be tested, and if so, increasing the detection score, deleting the packets exhibiting the suspicious heartbeat behavior from the stream to be tested, and denoting the stream to be tested the cleaned stream to be tested;
checking whether an abnormal data transmission mode is present in the cleaned stream to be tested, and if so, increasing the detection score;
detecting whether an abnormal uplink/downlink traffic ratio is present in the cleaned stream to be tested, and if so, increasing the detection score;
judging, from the final value of the detection score, whether the network connection is a suspected Trojan communication channel;
wherein detecting whether an abnormal data transmission mode is present in the cleaned stream to be tested, and if so increasing the detection score, specifically comprises the following steps:
from the cleaned stream to be tested, generating two time series: the client-to-server data transmission time series and the server-to-client data transmission time series;
finding the active points in the two time series, producing two active time point sequences: the client-to-server active time point sequence and the server-to-client active time point sequence;
for the server-to-client active time points, determining how many of them received a response from the client;
computing the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points; if these two rates exceed the set threshold Tr and the number of command-response interactions between the server and the client exceeds the set threshold Tmn, raising an alarm that the abnormal data transmission mode has been detected and increasing the detection score according to the detection result; the response rate being the probability that an active data transmission from the server to the client receives a timely response from the client, and the activity ratio being the probability that an active data transmission from the client to the server occurred only because it was triggered by the server.
2. The method of claim 1, characterized in that detecting whether suspicious encryption behavior is present in the stream to be tested, and if so increasing the detection score, specifically comprises the following steps:
taking the first N packets of the stream to be tested, where N is a set positive integer, or all packets of the stream if it contains fewer than N packets in total;
for each packet, removing the packet headers and taking the transport-layer payload of the packet;
treating the payload as a string of single-byte characters and counting the number of occurrences of each character over the first N packets, or over all packets of the stream if it contains fewer than N;
computing, from the number of occurrences of each character, the information entropy of the stream to be tested by the following formula:
where S is the total number of characters and c_n is the number of occurrences of character n;
if the information entropy of the stream to be tested exceeds the set threshold Te, judging that suspicious encryption behavior is present in the stream and increasing the detection score according to how far the entropy exceeds Te.
3. The method of claim 1, characterized in that the suspicious heartbeat behavior has the following features: the packets are sent from the controlled end to the controlling end; the packet size is fixed and does not exceed the set value Ns; and the packet sending interval is stable.
4. The method of claim 3, characterized in that detecting whether suspicious heartbeat behavior is present in the stream to be tested, and if so increasing the detection score, specifically comprises the following steps:
creating a structure array with Ns elements, where Ns is a positive integer greater than 1, and traversing the packets sent from the controlled end to the controlling end; for each packet smaller than Ns, recording in the predefined structure indexed by its packet size the sending times of packets of that size and the sending interval between each packet and the previous one;
traversing the whole array and computing the mean μ and standard deviation σ of the sending-interval sequence of each packet size;
computing the smoothness of the sending-interval sequence of each packet size by the following equations:
using the smoothness P, finding the most stable interval sequence; if the smoothness P exceeds the set threshold Ti and the number of beats exceeds the set threshold Thb, raising an alarm that a suspicious heartbeat signal has been detected and increasing the detection score according to the value of the smoothness P;
deleting from the session the suspected heartbeat packets sent from the client to the server and the suspected heartbeat reply packets sent from the server to the client.
5. The method of claim 1, characterized in that an active time point is defined as follows: if the interval between the time of the current packet and the time of the previous packet is greater than the set threshold Tat, the current time is an active time point; otherwise the current packet is treated as the continuation of the previous data transmission and not as a new active time point.
6. The method of claim 1, characterized in that the number of active time points that received a client response is judged as follows: if the server has an active time point toward the client, and after that active time point but before the maximum delay Tmp has elapsed the client also has an active time point toward the server, that active time point is judged to have been responded to.
7. The method of claim 1, characterized in that the higher the response rate and the activity ratio, the higher the probability of a Trojan command-and-control channel;
wherein a high response rate means a high probability that the server's commands are executed by the client and data is returned, and a high activity ratio means that the client remains silent except when passively receiving the server's commands.
8. The method of claim 1, characterized in that detecting whether an abnormal uplink/downlink traffic ratio is present in the cleaned stream to be tested, and if so increasing the detection score, specifically comprises the following steps:
from the cleaned stream to be tested, computing the total number of client-to-server packets, SumC2S, and the total number of server-to-client packets, SumS2C;
computing the ratio SumC2S/SumS2C, and if the ratio exceeds the set threshold Tud, raising an alarm that an abnormal uplink/downlink traffic ratio has been detected and increasing the detection score according to the detection result.
9. The method of claim 1, characterized in that the method further comprises: when the network connection is a suspected Trojan communication channel, computing from the detection score the probability that the network connection is a Trojan communication channel.
10. A Trojan communication channel detection system, characterized in that the system comprises: a stream acquisition module, a suspicious encryption behavior detection module, a suspicious heartbeat behavior detection module, an abnormal data transmission mode detection module, an abnormal uplink/downlink traffic ratio detection module and a Trojan communication channel determination module;
the stream acquisition module: for obtaining, by in-line (serial) or bypass (parallel) access, all packets of a network connection from start to end, denoting them the stream to be tested, and setting the detection score to 0;
the suspicious encryption behavior detection module: for detecting whether suspicious encryption behavior is present in the stream to be tested, and if so, increasing the detection score;
the suspicious heartbeat behavior detection module: for detecting whether suspicious Trojan heartbeat behavior is present in the stream to be tested, and if so, increasing the detection score, deleting the packets exhibiting the suspicious heartbeat behavior from the stream to be tested, and denoting the stream to be tested the cleaned stream to be tested;
the abnormal data transmission mode detection module: for detecting whether an abnormal data transmission mode is present in the cleaned stream to be tested, and if so, increasing the detection score, wherein detecting whether an abnormal data transmission mode is present in the cleaned stream to be tested, and if so increasing the detection score, specifically comprises the following steps:
from the cleaned stream to be tested, generating two time series: the client-to-server data transmission time series and the server-to-client data transmission time series;
finding the active points in the two time series, producing two active time point sequences: the client-to-server active time point sequence and the server-to-client active time point sequence;
for the server-to-client active time points, determining how many of them received a response from the client;
computing the response rate of the server-to-client active time points and the activity ratio of the client-to-server active time points; if these two rates exceed the set threshold Tr and the number of command-response interactions between the server and the client exceeds the set threshold Tmn, raising an alarm that the abnormal data transmission mode has been detected and increasing the detection score according to the detection result; the response rate being the probability that an active data transmission from the server to the client receives a timely response from the client, and the activity ratio being the probability that an active data transmission from the client to the server occurred only because it was triggered by the server;
the abnormal uplink/downlink traffic ratio detection module: for detecting whether an abnormal uplink/downlink traffic ratio is present in the cleaned stream to be tested, and if so, increasing the detection score;
the Trojan communication channel determination module: for judging, from the final value of the detection score, whether the network connection is a suspected Trojan communication channel.
11. The system of claim 10, characterized in that the system further comprises a packet storage module for storing the stream to be tested.
12. The system of claim 11, characterized in that:
the stream acquisition module outputs the stream to be tested to the packet storage module;
the suspicious encryption behavior detection module, the suspicious heartbeat behavior detection module, the abnormal data transmission mode detection module and the abnormal uplink/downlink traffic ratio detection module read the content of the packet storage module;
the suspicious encryption behavior detection module, the suspicious heartbeat behavior detection module, the abnormal data transmission mode detection module and the abnormal uplink/downlink traffic ratio detection module output the final value of the detection score to the Trojan communication channel determination module;
wherein the suspicious heartbeat behavior detection module may modify the content of the packet storage module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201410816251.7A CN105791236B (en) | 2014-12-23 | 2014-12-23 | Trojan communication channel detection method and system
Publications (2)
Publication Number | Publication Date
---|---
CN105791236A CN105791236A (en) | 2016-07-20
CN105791236B true CN105791236B (en) | 2019-03-12
Family
ID=56377485
Country Status (1)
Country | Link
---|---
CN (1) | CN105791236B (en)
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN106603557A (en) * | 2016-12-30 | 2017-04-26 | 哈尔滨安天科技股份有限公司 (Harbin Antiy Technology Co., Ltd.) | Trojan detection method and system based on configuration information structure
CN109784096B (en) * | 2019-01-18 | 2023-04-18 | 电子科技大学 (University of Electronic Science and Technology of China) | Hardware Trojan detection and elimination method based on a clustering algorithm
CN109698835B (en) * | 2019-01-19 | 2021-03-26 | 郑州轻工业学院 (Zhengzhou University of Light Industry) | Encrypted Trojan detection method for HTTPS covert tunnels
CN114884715A (en) * | 2022-04-27 | 2022-08-09 | 深信服科技股份有限公司 (Sangfor Technologies Inc.) | Traffic detection method, detection model training method, device and related equipment
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN103327029A (en) * | 2013-07-09 | 2013-09-25 | 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen) Co., Ltd.) | Malicious URL (Uniform Resource Locator) detection method and malicious URL detection device
WO2014119669A1 (en) * | 2013-01-30 | 2014-08-07 | 日本電信電話株式会社 (Nippon Telegraph and Telephone Corporation) | Log analysis device, information processing method and program
CN104168272A (en) * | 2014-08-04 | 2014-11-26 | 国家电网公司 (State Grid Corporation of China) | Trojan detection method based on communication behavior clustering
Non-Patent Citations (1)
Title
---
Peng Guojun et al., "Unknown Trojan detection technology based on network traffic features and its implementation" (基于网络流量特征的未知木马检测技术及其实现), Netinfo Security (信息网络安全), 2012-10-31, No. 10, pp. 5-8
Similar Documents
Publication | Title
---|---
Hamza et al. | Detecting volumetric attacks on IoT devices via SDN-based monitoring of MUD activity
Sharafaldin et al. | Toward generating a new intrusion detection dataset and intrusion traffic characterization
US11316878B2 (en) | System and method for malware detection
US9462009B1 (en) | Detecting risky domains
Gu et al. | BotHunter: Detecting malware infection through IDS-driven dialog correlation
Bilge et al. | Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis
US9386028B2 (en) | System and method for malware detection using multidimensional feature clustering
US10686814B2 (en) | Network anomaly detection
CN106453392B (en) | Whole-network anomalous flow identification method based on traffic feature distribution
CN105791236B (en) | Trojan communication channel detection method and system (this document)
JP2020521383A5 (en) |
CN109660539A (en) | Compromised device identification method, device, electronic equipment and storage medium
US20200014713A1 (en) | Hierarchical activation of scripts for detecting a security threat to a network using a programmable data plane
CN103957203B (en) | Network security protection system
CN110855659A (en) | Redis honeypot deployment system
CN109428857A (en) | Method and device for detecting malicious probing behavior
CN107454068B (en) | Honeynet security situation awareness method combined with immune danger theory
Liu et al. | Real-time diagnosis of network anomaly based on statistical traffic analysis
Viegas et al. | A resilient stream learning intrusion detection mechanism for real-time analysis of network traffic
Thi et al. | Federated learning-based cyber threat hunting for APT attack detection in SDN-enabled networks
CN107360190A (en) | Trojan communication behavior detection method based on sequence pattern recognition
Hurley et al. | ITACA: Flexible, scalable network analysis
Li et al. | A lightweight DDoS flooding attack detection algorithm based on synchronous long flows
Komárek et al. | Passive NAT detection using HTTP access logs
CN111901286B (en) | APT attack detection method based on traffic logs
Legal Events
Code | Title
---|---
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant