CN105844154B - A kind of rogue program detection method based on internal honey jar - Google Patents


Publication number
CN105844154B
Authority
CN
China
Prior art keywords
threat
file
app
open
value
Legal status
Active
Application number
CN201610165172.3A
Other languages
Chinese (zh)
Other versions
CN105844154A (en)
Inventor
吴春明
陈双喜
Current Assignee
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Abstract

The invention discloses a malicious program detection method based on an internal honeypot. The method places a honeypot inside the system; the honeypot records four features, namely the locations of internal file accesses, the file-opening speed, the network connection initiation speed and application monitoring, and uses them to detect malicious programs. The honeypot is designed from the perspective of the behavioural habits of malicious programs, so its ability to detect malicious programs that have already entered the internal system is better than that of traditional honeypot detection methods.

Description

A malicious program detection method based on an internal honeypot
Technical field
The present invention relates to the field of computer network security technology, and in particular to a malicious program detection method based on an internal honeypot.
Background technology
Today, with the rapid development of computer network technology, the insider threat remains one of the hidden dangers that many people fail to see. As modern information and electronic technology develops and the underlying techniques are updated ever faster, the skill with which malicious program authors write their programs keeps rising as well. Every year a large number of network theft and sabotage cases occur in China, many of them involving important military and political departments, and most of these cases are attacks carried out by malicious programs, so research into malicious program detection technology is of vital importance. As malicious program concealment techniques and the skill of their operators keep improving, malicious programs become ever harder to find on the network, and many conventional means are unable to find any trace of them. New malicious program detection techniques are therefore needed to solve these problems.
Traditional malicious program detection techniques generally suffer from lag: only after a malicious program has carried out its intrusion and taken away important data or already caused damage can it be discovered through system behaviour or network data. Honeypot technology, by contrast, can both ensure the safety of sensitive information and obtain malicious program samples, and is a good means of defence.
Summary of the invention
In view of the above deficiencies of the prior art, the object of the present invention is to provide a malicious program detection method based on an internal honeypot.
The object of the present invention is achieved through the following technical solution. A malicious program detection method based on an internal honeypot, characterised in that the method includes the following steps:
(1) Let the set of files accessed routinely every day be S_File. If an access at location L is detected and L ∉ S_File, then the file threat value Threat_File = Threat_File + 1; if L ∈ S_sensitive is found, then Threat_File = Threat_File + N_File, where S_sensitive denotes the set of files marked as sensitive and N_File is a preset value;
(2) Let the file-opening speed be Speed_open. If Speed_open > Threshold_open is detected, then the file-opening speed threat value Threat_open = Threat_open + 1, where Threshold_open denotes the preset opening-speed value;
(3) Let the network connection initiation speed be Speed_connect. If Speed_connect > Threshold_connect is detected, then the network initiation speed threat value Threat_connect = Threat_connect + 1, where Threshold_connect is the preset network initiation speed value;
(4) Let the set of applications used routinely every day be S_app. If the start of an application at location A is detected and A ∉ S_app, then the application threat value Threat_app = Threat_app + 1; if A ∈ S_Blacklist is found, then Threat_app = Threat_app + N_app, where S_Blacklist denotes the application blacklist set and N_app is a preset value;
(5) For the threat values Threat_File, Threat_open, Threat_connect and Threat_app of the complete feature set S_feature = {File, Open, Connect, app}, assign respective weights W_File, W_Open, W_Connect and W_app, and calculate the total threat value Threat from the weighted threat values. If Threat > Threshold_Threat, the system is considered to have been intruded by a malicious program.
If the system is identified as intruded by a malicious program according to step (5), and within a period of time the program has accessed N_1 hidden files or folders that manual operation cannot reach, the program is considered a malicious program, where N_1 is a threshold; if the malicious program has initiated at least one network request during its execution, the program can be considered a Trojan horse program.
The invention has the following advantages. By placing a honeypot inside the system, the present invention records four features, namely the locations of internal file accesses, the file-opening speed, the network connection initiation speed and application monitoring, and uses them to detect malicious programs. The honeypot is designed from the perspective of the behavioural habits of malicious programs, so its ability to detect malicious programs that have already entered the internal system is better than that of traditional honeypot detection methods.
Detailed description
The present invention provides a method, based on behavioural analysis by an internal honeypot, that confirms the intrusion of a malicious program by monitoring system operations such as file and network operations. Malicious program detection technology is mainly used for leak detection, server protection and PC security, and is an important part of the computer security field. The method includes the following steps:
1. Let the set of files accessed routinely every day be S_File. If an access at location L is detected and L ∉ S_File, then the file threat value Threat_File = Threat_File + 1; if L ∈ S_sensitive is found, then Threat_File = Threat_File + N_File, where S_sensitive denotes the set of files marked as sensitive and N_File is any natural number within a preset range, for example 10-1000.
2. Let the file-opening speed be Speed_open. If Speed_open > Threshold_open is detected, then the file-opening speed threat value Threat_open = Threat_open + 1, where Threshold_open denotes the preset opening-speed value, for example any value in 1-50 ms.
3. Let the network connection initiation speed be Speed_connect. If Speed_connect > Threshold_connect is detected, then the network initiation speed threat value Threat_connect = Threat_connect + 1, where Threshold_connect is the preset network initiation speed value, for example any value in 1-50 ms.
4. Let the set of applications used routinely every day be S_app. If the start of an application at location A is detected and A ∉ S_app, then the application threat value Threat_app = Threat_app + 1; if A ∈ S_Blacklist is found, then Threat_app = Threat_app + N_app, where S_Blacklist denotes the application blacklist set and N_app is any natural number within a preset range, for example 10-1000.
5. For the threat values Threat_File, Threat_open, Threat_connect and Threat_app of the complete feature set S_feature = {File, Open, Connect, app}, assign respective weights W_File, W_Open, W_Connect and W_app, and calculate the total threat value Threat from the weighted threat values. If Threat > Threshold_Threat, the system is considered to have been intruded by a malicious program, where Threshold_Threat is the preset total-threat value, any natural number within a preset range, for example 10-1000.
The weights W_File, W_Open, W_Connect and W_app may be assigned arbitrarily, or assigned equally.
If within a period of time a program has accessed N_1 hidden files or folders that manual operation cannot reach, the program is considered a malicious program, where N_1 is a threshold, for example 10, and the period of time can be set arbitrarily, for example one day. If the malicious program has initiated at least one network request during its execution, the program can be considered a Trojan horse program.
The present invention, based on an internal honeypot, confirms the intrusion of a malicious program by monitoring system operations such as file and network operations, and can be widely used in government, national defence, commercial companies and other departments.

Claims (2)

1. A malicious program detection method based on an internal honeypot, characterised in that the method includes the following steps:
(1) Let the set of files accessed routinely every day be S_File. If an access at location L is detected and L ∉ S_File, then the file threat value Threat_File = Threat_File + 1; if L ∈ S_sensitive is found, then Threat_File = Threat_File + N_File, where S_sensitive denotes the set of files marked as sensitive and N_File is a preset value;
(2) Let the file-opening speed be Speed_open. If Speed_open > Threshold_open is detected, then the file-opening speed threat value Threat_open = Threat_open + 1, where Threshold_open denotes the preset opening-speed value;
(3) Let the network connection initiation speed be Speed_connect. If Speed_connect > Threshold_connect is detected, then the network initiation speed threat value Threat_connect = Threat_connect + 1, where Threshold_connect is the preset network initiation speed value;
(4) Let the set of applications used routinely every day be S_app. If the start of an application at location A is detected and A ∉ S_app, then the application threat value Threat_app = Threat_app + 1; if A ∈ S_Blacklist is found, then Threat_app = Threat_app + N_app, where S_Blacklist denotes the application blacklist set and N_app is a preset value;
(5) For the threat values Threat_File, Threat_open, Threat_connect and Threat_app of the complete feature set S_feature = {File, Open, Connect, app}, assign respective weights W_File, W_Open, W_Connect and W_app, and calculate the total threat value Threat from the weighted threat values. If Threat > Threshold_Threat, the system is considered to have been intruded by a malicious program.
2. The malicious program detection method based on an internal honeypot according to claim 1, characterised in that, if the system is identified as intruded by a malicious program according to step (5), and within a period of time the program has accessed N_1 hidden files or folders that manual operation cannot reach, the program is considered a malicious program, where N_1 is a threshold; if the malicious program has initiated at least one network request during its execution, the program can be considered a Trojan horse program.
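The scoring procedure of steps (1) to (5), together with the N_1 and network-request rules that refine an intrusion into "malicious program" or "Trojan horse program", can be followed end to end in code. The block below is an added illustration written for this page, not code from the patent or from Zhejiang University. It assumes that the total threat value is the weighted sum of the four feature values (the page assigns weights but the formula itself is not reproduced), that the two "speeds" are event counts per second over one observation window (the page quotes its thresholds in milliseconds; the threshold numbers here are constructed), and that "accessed N_1 files" means at least N_1. The baseline sets, decoy paths and event streams are constructed sample data.

```python
"""Internal-honeypot threat scoring, steps (1)-(5) plus the malicious/Trojan refinement.
Added worked example; not the patent's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# S_feature = {File, Open, Connect, app}
FEATURES = ("File", "Open", "Connect", "app")


@dataclass
class Presets:
    """Preset values; the numbers are constructed within the ranges the page gives."""
    n_file: int = 100               # N_File: bonus for an access to a sensitive file (page: 10-1000)
    n_app: int = 100                # N_app: bonus for starting a blacklisted program (page: 10-1000)
    threshold_open: float = 5.0     # Threshold_open, assumed here to be file opens per second
    threshold_connect: float = 2.0  # Threshold_connect, assumed here to be connections per second
    threshold_threat: float = 50.0  # Threshold_Threat (page: 10-1000)
    n1: int = 10                    # N_1: hidden files that make a program "malicious" (page: 10)
    weights: Dict[str, float] = field(default_factory=lambda: {f: 1.0 for f in FEATURES})


@dataclass
class Event:
    kind: str             # "file", "app" or "net"
    where: str = ""       # file path, application path or remote endpoint
    hidden: bool = False  # True for decoy files that manual operation would never reach


@dataclass
class HoneypotMonitor:
    s_file: Set[str]       # S_File: files accessed routinely every day
    s_sensitive: Set[str]  # S_sensitive: files marked as sensitive (the decoys)
    s_app: Set[str]        # S_app: applications used routinely every day
    s_blacklist: Set[str]  # S_Blacklist: application blacklist
    presets: Presets = field(default_factory=Presets)
    threat: Dict[str, float] = field(default_factory=lambda: {f: 0.0 for f in FEATURES})
    hidden_accessed: Set[str] = field(default_factory=set)
    net_requests: int = 0

    def observe_file(self, path: str, hidden: bool = False) -> None:
        """Step (1): access outside S_File scores 1, access to a sensitive file scores N_File."""
        if path not in self.s_file:
            self.threat["File"] += 1
        if path in self.s_sensitive:
            self.threat["File"] += self.presets.n_file
        if hidden:
            self.hidden_accessed.add(path)

    def observe_app(self, path: str) -> None:
        """Step (4): program outside S_app scores 1, blacklisted program scores N_app."""
        if path not in self.s_app:
            self.threat["app"] += 1
        if path in self.s_blacklist:
            self.threat["app"] += self.presets.n_app

    def observe_rates(self, speed_open: float, speed_connect: float) -> None:
        """Steps (2) and (3): compare the measured speeds with their preset thresholds."""
        if speed_open > self.presets.threshold_open:
            self.threat["Open"] += 1
        if speed_connect > self.presets.threshold_connect:
            self.threat["Connect"] += 1

    def total_threat(self) -> float:
        """Step (5): total threat value, assumed to be the weighted sum of the four features."""
        return sum(self.presets.weights[f] * self.threat[f] for f in FEATURES)

    def classify(self) -> str:
        """'clean' at or below Threshold_Threat; otherwise apply the N_1 and network-request rules."""
        if self.total_threat() <= self.presets.threshold_threat:
            return "clean"
        if len(self.hidden_accessed) >= self.presets.n1:  # assumption: "accessed N_1" = at least N_1
            return "trojan" if self.net_requests >= 1 else "malicious"
        return "intrusion"  # system intruded, but the program could not yet be attributed


def build_monitor() -> HoneypotMonitor:
    """Constructed baseline sets; every path is hypothetical."""
    return HoneypotMonitor(
        s_file={"/home/alice/report.docx", "/home/alice/notes.txt"},
        s_sensitive={"/srv/honeypot/payroll.xlsx"},
        s_app={"/usr/bin/libreoffice", "/usr/bin/firefox"},
        s_blacklist={"/tmp/.x/miner"},
    )


def classify_window(events: List[Event], window_seconds: float) -> Tuple[float, str]:
    """Replay one observation window; speeds are event counts divided by the window length."""
    m = build_monitor()
    opens = conns = 0
    for e in events:
        if e.kind == "file":
            m.observe_file(e.where, e.hidden)
            opens += 1
        elif e.kind == "app":
            m.observe_app(e.where)
        elif e.kind == "net":
            m.net_requests += 1
            conns += 1
    m.observe_rates(opens / window_seconds, conns / window_seconds)
    return m.total_threat(), m.classify()


# Constructed event streams: an ordinary user session, and a program sweeping the honeypot.
BENIGN = [Event("file", "/home/alice/report.docx"), Event("app", "/usr/bin/libreoffice")]
MALICIOUS = (
    [Event("file", f"/srv/honeypot/.hidden/{i}.dat", hidden=True) for i in range(12)]
    + [Event("file", "/srv/honeypot/payroll.xlsx"), Event("app", "/tmp/.x/miner"),
       Event("net", "203.0.113.5:443")]
)

if __name__ == "__main__":
    print(classify_window(BENIGN, 60.0))    # (0.0, 'clean')
    print(classify_window(MALICIOUS, 1.0))  # (215.0, 'trojan')
```

In the malicious window the thirteen file accesses all fall outside S_File (+13), one of them is the sensitive decoy (+N_File = 100), the blacklisted binary scores 1 + N_app, and thirteen opens in one second exceed the constructed Threshold_open, giving a total of 215 with equal weights; twelve hidden decoys and one outbound request then turn the "intrusion" into "trojan". Touching only the sensitive decoy still crosses Threshold_Threat but, with no hidden files counted, stays at "intrusion".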

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610165172.3A CN105844154B (en) 2016-03-19 2016-03-19 A kind of rogue program detection method based on internal honey jar

Publications (2)

Publication Number Publication Date
CN105844154A CN105844154A (en) 2016-08-10
CN105844154B true CN105844154B (en) 2018-09-07

Family

ID=56588425

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106951781A (en) * 2017-03-22 2017-07-14 福建平实科技有限公司 Extort software defense method and apparatus
CN109413048B (en) * 2018-09-30 2021-06-04 上海观安信息技术股份有限公司 Method for detecting luxo software based on file-type honeypot, electronic device and program product
CN112367315B (en) * 2020-11-03 2021-09-28 浙江大学 Endogenous safe WAF honeypot deployment method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101867498A (en) * 2009-04-17 2010-10-20 中国科学院软件研究所 Network security situation evaluating method
CN102185858A (en) * 2011-05-06 2011-09-14 山东中创软件商用中间件股份有限公司 Web intrusion prevention method and system based on application layer
CN103561003A (en) * 2013-10-22 2014-02-05 西安交通大学 Cooperative type active defense method based on honeynets
CN103634306A (en) * 2013-11-18 2014-03-12 北京奇虎科技有限公司 Security detection method and security detection server for network data

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110214157A1 (en) * 2000-09-25 2011-09-01 Yevgeny Korsunsky Securing a network with data flow processing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant