CN105844154B - A malicious-program detection method based on an internal honeypot - Google Patents
A malicious-program detection method based on an internal honeypot
- Publication number: CN105844154B (application CN201610165172.3A; also published as CN105844154A)
- Authority: CN (China)
- Prior art keywords: threat, file, app, open, value
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
The invention discloses a malicious-program detection method based on an internal honeypot. A honeypot is set up inside the system; it records four features, namely the locations of internal file accesses, the file-open rate, the network-connection initiation rate, and the applications being launched, and malicious programs are detected from these features. The honeypot is designed from the perspective of the usage habits of malicious programs, and its ability to detect malicious programs that have already entered the internal system is better than that of traditional honeypot detection methods.
Description
Technical field
The present invention relates to the field of computer network security technology, and in particular to a malicious-program detection method based on an internal honeypot.
Background technology
Inside threat is in today of computer nowadays network technology high speed development, the hidden trouble being still in many human eyes
One of.With the development of present information electronic technology, technically also quickly update, rogue program author compile rogue program therewith
The level write is also higher and higher.China can all occur a large amount of cyber thefts and destroy case every year, and many of which case is related to
Military-political equal important departments, these cases are attacked by rogue program mostly, therefore research rogue program detection technique has
Vital meaning.And with the continuous promotion of rogue program concealing technology and operating personnel's level, rogue program is in network
In become increasingly difficult to find, many conventional means are all difficult to find its trace.Therefore, it is necessary to some new rogue program inspections
Survey technology solves these problems.
Traditional rogue program detection technique generally has lag, i.e. rogue program to make intrusion behavior, and band
Walking after some significant datas either have resulted in destruction can be found by the means of system action or network data.
The safety that then can both ensure sensitive information by Honeypot Techniques, can also obtain rogue program sample, be a kind of anti-well
Soldier in charge of pack animals's section.
Summary of the invention
In view of the above-mentioned deficiencies in the prior art, the object of the present invention is to provide a malicious-program detection method based on an internal honeypot.
The object of the present invention is achieved through the following technical solution: a malicious-program detection method based on an internal honeypot, characterized in that the method includes the following steps:
(1) Let S_File be the set of files accessed routinely every day. If an access at location L is detected and the condition on L from the original formula (not preserved in this text) holds, then the file threat value Threat_File = Threat_File + 1; if L ∈ S_sensitive, then the file threat value Threat_File = Threat_File + N_File, where S_sensitive denotes the set of labelled sensitive files and N_File is a preset value;
(2) Let Speed_open be the file-open rate. If Speed_open > Threshold_open is detected, then the file-open-rate threat value Threat_open = Threat_open + 1, where Threshold_open denotes the preset file-open-rate value;
(3) Let Speed_connect be the network-connection initiation rate. If Speed_connect > Threshold_connect is detected, then the network-connection-rate threat value Threat_connect = Threat_connect + 1, where Threshold_connect is the preset network-connection-rate value;
(4) Let S_app be the set of applications commonly used every day. If the launch of an application at location A is detected and the condition on A from the original formula (not preserved in this text) holds, then the application threat value Threat_app = Threat_app + 1; if A ∈ S_Blacklist, then the application threat value Threat_app = Threat_app + N_app, where S_Blacklist denotes the application blacklist set and N_app is a preset value;
(5) For the feature set S_feature = {File, Open, Connect, app}, assign the threat values Threat_File, Threat_open, Threat_connect and Threat_app their respective weights W_File, W_Open, W_Connect and W_app, and compute the total threat value Threat from the weighted threat values. If Threat > Threshold_Threat, the system is considered to have been intruded by a malicious program.
If the system is identified as intruded by a malicious program according to step (5), and the program has accessed N_1 hidden files or folders that manual operation cannot access within a period of time, the program is considered a malicious program, where N_1 is a threshold; if the malicious program has initiated at least one network request during its execution, it can be considered a trojan program.
The invention has the following advantages: by setting up a honeypot, the honeypot records four features, namely internal file-access locations, the file-open rate, the network-connection initiation rate and application monitoring, and uses them to detect malicious programs. The honeypot is designed from the perspective of the usage habits of malicious programs, and its ability to detect malicious programs that have already entered the internal system is better than that of traditional honeypot detection methods.
Specific embodiments
The present invention provides a method based on behavioural analysis with an internal honeypot, which confirms malicious-program intrusion by monitoring system operations such as file and network operations. Malicious-program detection technology is mainly used for leak detection, server protection, PC security and the like, and is an important part of the computer security field. The method includes the following steps:
1. Let S_File be the set of files accessed routinely every day. If an access at location L is detected and the condition on L from the original formula (not preserved in this text) holds, then the file threat value Threat_File = Threat_File + 1; if L ∈ S_sensitive, then the file threat value Threat_File = Threat_File + N_File, where S_sensitive denotes the set of labelled sensitive files and N_File is a preset number, for example any natural number in 10-1000.
2. Let Speed_open be the file-open rate. If Speed_open > Threshold_open is detected, then the file-open-rate threat value Threat_open = Threat_open + 1, where Threshold_open denotes the preset file-open-rate value, for example any value in 1-50 ms.
3. Let Speed_connect be the network-connection initiation rate. If Speed_connect > Threshold_connect is detected, then the network-connection-rate threat value Threat_connect = Threat_connect + 1, where Threshold_connect is the preset network-connection-rate value, for example any value in 1-50 ms.
4. Let S_app be the set of applications commonly used every day. If the launch of an application at location A is detected and the condition on A from the original formula (not preserved in this text) holds, then the application threat value Threat_app = Threat_app + 1; if A ∈ S_Blacklist, then the application threat value Threat_app = Threat_app + N_app, where S_Blacklist denotes the application blacklist set and N_app is a preset number, for example any natural number in 10-1000.
5. For the feature set S_feature = {File, Open, Connect, app}, assign the threat values Threat_File, Threat_open, Threat_connect and Threat_app their respective weights W_File, W_Open, W_Connect and W_app, and compute the total threat value Threat from the weighted threat values. If Threat > Threshold_Threat, the system is considered to have been intruded by a malicious program, where Threshold_Threat is the preset total threat value, for example any natural number in 10-1000. The weights W_File, W_Open, W_Connect and W_app may be assigned arbitrarily or set equal.
If a program has accessed N_1 hidden files or folders that manual operation cannot access within a period of time, the program is considered a malicious program, where N_1 is a threshold, for example 10, and the period of time can be set arbitrarily, for example one day. If the malicious program has initiated at least one network request during its execution, it can be considered a trojan program.
The present invention, based on an internal honeypot, confirms malicious-program intrusion by monitoring system operations such as file and network operations, and can be widely used in departments such as government, national defence and commercial companies.
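The scoring procedure of steps 1-5 and the final malicious/trojan classification, as an added example that is not part of the patent and not the applicant's code. It runs the four feature counters over a constructed event stream (timestamp, kind, value) and combines them into the total threat value. Several details the text leaves open are assumptions made here and marked in the code: rates are measured as events per one-second bucket, the set condition omitted from steps 1 and 4 is taken to be "not in the habitual set", the total is a weighted sum of the four threat values, and a "hidden" file is one whose basename starts with a dot. The `Config`, `score` and `classify` names and all sample paths, hosts and applications are constructed for the example.

```python
"""Threat scoring over a constructed event stream, following the page's
steps 1-5: file-access location, file-open rate, network-connection rate
and application launches, weighted into a total threat value and then
classified as clean / intrusion / malicious / trojan.

Assumptions (not from the patent text): rates are events per one-second
bucket; the omitted set condition in steps 1 and 4 is "not in the habitual
set"; the total is a weighted sum; a hidden file has a dot-prefixed basename."""
from collections import Counter
from dataclasses import dataclass, field
from os.path import basename


@dataclass
class Config:
    habitual_files: frozenset        # S_File
    sensitive_files: frozenset       # S_sensitive (honeypot decoys)
    habitual_apps: frozenset         # S_app
    blacklisted_apps: frozenset      # S_Blacklist
    n_file: int = 10                 # N_File (page example range: 10-1000)
    n_app: int = 10                  # N_app  (page example range: 10-1000)
    open_rate: float = 5.0           # Threshold_open, opens per second (assumed unit)
    connect_rate: float = 3.0        # Threshold_connect, connections per second (assumed unit)
    total: float = 10.0              # Threshold_Threat (page example range: 10-1000)
    n1: int = 10                     # N_1 hidden-file accesses (page example: 10)
    weights: dict = field(default_factory=lambda: {       # W_File, W_Open, W_Connect, W_app
        "File": 1.0, "Open": 1.0, "Connect": 1.0, "app": 1.0})


def is_hidden(path: str) -> bool:
    """Assumed notion of a hidden file: dot-prefixed basename."""
    return basename(path).startswith(".")


def score(events, cfg: Config):
    """events: iterable of (timestamp_seconds, kind, value), kind in {"file", "connect", "app"}.
    Returns (per-feature threat values, total threat, hidden-file accesses, network requests)."""
    threat = {"File": 0, "Open": 0, "Connect": 0, "app": 0}
    opens_per_sec, conns_per_sec = Counter(), Counter()
    hidden_hits = network_requests = 0
    for ts, kind, value in events:
        bucket = int(ts)
        if kind == "file":                           # step 1
            if value not in cfg.habitual_files:      # assumed omitted condition on L
                threat["File"] += 1
            if value in cfg.sensitive_files:         # L in S_sensitive
                threat["File"] += cfg.n_file
            if is_hidden(value):
                hidden_hits += 1
            opens_per_sec[bucket] += 1
        elif kind == "connect":                      # input to step 3
            conns_per_sec[bucket] += 1
            network_requests += 1
        elif kind == "app":                          # step 4
            if value not in cfg.habitual_apps:       # assumed omitted condition on A
                threat["app"] += 1
            if value in cfg.blacklisted_apps:        # A in S_Blacklist
                threat["app"] += cfg.n_app
    # steps 2 and 3: one increment per second in which the rate exceeds its threshold
    threat["Open"] = sum(1 for c in opens_per_sec.values() if c > cfg.open_rate)
    threat["Connect"] = sum(1 for c in conns_per_sec.values() if c > cfg.connect_rate)
    total = sum(cfg.weights[k] * v for k, v in threat.items())   # step 5 (assumed weighted sum)
    return threat, total, hidden_hits, network_requests


def classify(events, cfg: Config) -> str:
    threat, total, hidden, net = score(events, cfg)
    if total <= cfg.total:
        return "clean"
    if hidden < cfg.n1:
        return "intrusion"        # step 5 fired, program not yet confirmed malicious
    return "trojan" if net >= 1 else "malicious"


# Constructed sample data (not from the patent).
CFG = Config(
    habitual_files=frozenset({"/home/alice/docs/report.docx", "/home/alice/docs/notes.txt"}),
    sensitive_files=frozenset({"/srv/honeypot/payroll.xlsx"}),
    habitual_apps=frozenset({"firefox", "libreoffice"}),
    blacklisted_apps=frozenset({"unsigned-tool.exe"}),
)
BENIGN_EVENTS = [
    (0.0, "file", "/home/alice/docs/report.docx"),
    (1.0, "app", "firefox"),
    (2.0, "file", "/home/alice/docs/notes.txt"),
    (3.0, "connect", "203.0.113.10:443"),
]
SUSPICIOUS_EVENTS = (
    [(i * 0.01, "file", f"/home/alice/.cache/.blob{i}") for i in range(12)]  # burst of hidden files
    + [(0.5, "file", "/srv/honeypot/payroll.xlsx"),                          # decoy file touched
       (1.0, "app", "unsigned-tool.exe"),                                     # blacklisted launch
       (2.0, "connect", "198.51.100.7:8080"), (2.1, "connect", "198.51.100.7:8080"),
       (2.2, "connect", "198.51.100.7:8080"), (2.3, "connect", "198.51.100.7:8080")]
)

if __name__ == "__main__":
    for name, evs in (("benign", BENIGN_EVENTS), ("suspicious", SUSPICIOUS_EVENTS)):
        print(name, score(evs, CFG), "->", classify(evs, CFG))
```

With the sample configuration the suspicious stream scores File = 23 (12 non-habitual hidden files plus 1 + N_File for the decoy), Open = 1, Connect = 1 and app = 11, giving a total of 36 and the verdict "trojan"; the benign stream scores 0 on every feature. Note that the rate features count one increment per second over threshold, so a long burst raises Threat_open by the number of seconds it lasts, which is the natural reading of "each detection adds 1".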
Claims (2)
1. A malicious-program detection method based on an internal honeypot, characterized in that the method includes the following steps:
(1) Let S_File be the set of files accessed routinely every day. If an access at location L is detected and the condition on L from the original formula (not preserved in this text) holds, then the file threat value Threat_File = Threat_File + 1; if L ∈ S_sensitive, then the file threat value Threat_File = Threat_File + N_File, where S_sensitive denotes the set of labelled sensitive files and N_File is a preset value;
(2) Let Speed_open be the file-open rate. If Speed_open > Threshold_open is detected, then the file-open-rate threat value Threat_open = Threat_open + 1, where Threshold_open denotes the preset file-open-rate value;
(3) Let Speed_connect be the network-connection initiation rate. If Speed_connect > Threshold_connect is detected, then the network-connection-rate threat value Threat_connect = Threat_connect + 1, where Threshold_connect is the preset network-connection-rate value;
(4) Let S_app be the set of applications commonly used every day. If the launch of an application at location A is detected and the condition on A from the original formula (not preserved in this text) holds, then the application threat value Threat_app = Threat_app + 1; if A ∈ S_Blacklist, then the application threat value Threat_app = Threat_app + N_app, where S_Blacklist denotes the application blacklist set and N_app is a preset value;
(5) For the feature set S_feature = {File, Open, Connect, app}, assign the threat values Threat_File, Threat_open, Threat_connect and Threat_app their respective weights W_File, W_Open, W_Connect and W_app, and compute the total threat value Threat from the weighted threat values. If Threat > Threshold_Threat, the system is considered to have been intruded by a malicious program.
2. The malicious-program detection method based on an internal honeypot according to claim 1, characterized in that, if the system is identified as intruded by a malicious program according to step (5), and the program has accessed N_1 hidden files or folders that manual operation cannot access within a period of time, the program is considered a malicious program, where N_1 is a threshold; if the malicious program has initiated at least one network request during its execution, it can be considered a trojan program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610165172.3A CN105844154B (en) | 2016-03-19 | 2016-03-19 | A malicious-program detection method based on an internal honeypot |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105844154A CN105844154A (en) | 2016-08-10 |
CN105844154B true CN105844154B (en) | 2018-09-07 |
Family
ID=56588425
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610165172.3A Active CN105844154B (en) | 2016-03-19 | 2016-03-19 | A malicious-program detection method based on an internal honeypot |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105844154B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106951781A (en) * | 2017-03-22 | 2017-07-14 | 福建平实科技有限公司 | Ransomware defense method and apparatus |
CN109413048B (en) * | 2018-09-30 | 2021-06-04 | 上海观安信息技术股份有限公司 | Method for detecting ransomware based on a file-type honeypot, electronic device and program product |
CN112367315B (en) * | 2020-11-03 | 2021-09-28 | 浙江大学 | Endogenous-security WAF honeypot deployment method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101867498A (en) * | 2009-04-17 | 2010-10-20 | 中国科学院软件研究所 | Network security situation evaluating method |
CN102185858A (en) * | 2011-05-06 | 2011-09-14 | 山东中创软件商用中间件股份有限公司 | Web intrusion prevention method and system based on application layer |
CN103561003A (en) * | 2013-10-22 | 2014-02-05 | 西安交通大学 | Cooperative type active defense method based on honeynets |
CN103634306A (en) * | 2013-11-18 | 2014-03-12 | 北京奇虎科技有限公司 | Security detection method and security detection server for network data |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110214157A1 (en) * | 2000-09-25 | 2011-09-01 | Yevgeny Korsunsky | Securing a network with data flow processing |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |