CN107086978B - Method and device for identifying Trojan horse virus - Google Patents


Info

Publication number
CN107086978B
Authority
CN
China
Prior art keywords
data, trojan horse, service data, service, business
Legal status
Active
Application number
CN201610085868.5A
Other languages
Chinese (zh)
Other versions
CN107086978A (en)
Inventor
杨慰民
谢璨
罗卫鸿
万伟雄
李灵慧
傅子僖
卢宇辰
蔡鸿祥
潘延涛
Current Assignee
China Mobile Group Fujian Co Ltd
Original Assignee
China Mobile Group Fujian Co Ltd
Events
    • Application filed by China Mobile Group Fujian Co Ltd
    • Priority to CN201610085868.5A
    • Publication of CN107086978A
    • Application granted
    • Publication of CN107086978B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H Electricity › H04 Electric communication technique › H04L Transmission of digital information, e.g. telegraphic communication › H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Controlling access to devices or network resources › H04L63/101 Access control lists [ACL]
    • H04L63/14 Detecting or protecting against malicious traffic › H04L63/1408 By monitoring network traffic
    • H04L63/14 Detecting or protecting against malicious traffic › H04L63/1441 Countermeasures against malicious traffic › H04L63/145 The attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention discloses a method and an apparatus for identifying Trojan horse viruses, comprising: collecting core network data and charging data, the core network data comprising signaling data and service data; performing historical habit analysis and periodic behavior analysis on the periodic service data and identifying suspected Trojan-infected users by combining the result with the charging data; when the service information corresponding to the service data is judged not to belong to a whitelist database but to belong to a blacklist database, adding the service data to a suspected Trojan behavior event table; when the service information is judged to belong to neither the whitelist database nor the blacklist database, adding the service data that satisfies a screening policy to the suspected Trojan behavior event table; and performing centralized analysis on the service data in the suspected Trojan behavior event table to determine which service data belongs to a Trojan, and adding the service information of that service data to the blacklist database.

Description

Method and device for identifying Trojan horse virus
Technical Field
The invention relates to the field of mobile communication, and in particular to a method and an apparatus for identifying mobile phone Trojan horse viruses from user behavior observed in the network.
Background
With the development of the mobile internet and the spread of mobile terminals, in particular smart terminals, mobile phone viruses and other mobile malicious programs are causing increasing harm. Among all virus types, Trojans that drain charges or steal user identity, transaction and payment information account for more than 75 percent, making them the main threat to the security of user information and to users' financial security.
Mobile phone viruses originate from computer viruses. Following the definition of a computer Trojan, a mobile Trojan can be defined as a concealed program that starts by itself and can be used to carry out malicious actions. Most mobile Trojans do not damage the handset directly; they are mainly remotely controlled.
At present, mobile Trojans are discovered and handled mainly by the user actively installing security applications (Apps) on the mobile terminal, such as QQ Security Guard, 360 Security Guard or Jinshan Guard, and the user must also maintain a sense of caution towards networked applications such as mobile payment and web browsing.
Because middle-aged and elderly users, female users and other user groups have little security awareness and rarely take the initiative, existing schemes find it hard to contain mobile phone Trojans, and the harm they cause grows by the day.
In addition, mobile phone Trojans are clearly profit-driven and correspondingly more harmful. Their main harms are:
1. Pushing advertisements by sending spam short messages.
2. Stealing user information and committing fraud.
3. Illegally subscribing the user to various service provider (SP) services.
4. Draining the user's balance through various traps.
When a mobile phone user cannot actively defend against and remove Trojans, the operator, the other party involved, is also greatly affected. The charges and data traffic consumed by mobile phone Trojans come back to the operator indirectly through user complaints and churn. If the operator cannot find the cause in time, it has to compensate the user's complaint about the lost charges, which costs money and brand satisfaction. Existing schemes are poorly suited to solving such problems.
Disclosure of the Invention
To solve the above technical problems, embodiments of the present invention provide a method and an apparatus for identifying Trojan horse viruses.
The method for identifying a Trojan horse virus provided by an embodiment of the invention comprises the following steps:
collecting core network data and charging data, wherein the core network data comprises signaling data and service data, and periodically aggregating the service data to obtain periodic service data;
performing historical habit analysis and periodic behavior analysis on the periodic service data, and identifying suspected Trojan-infected users by combining the result with the charging data;
when the service information corresponding to the service data is judged not to belong to a whitelist database but to belong to a blacklist database, adding the service data to a suspected Trojan behavior event table;
when the service information corresponding to the service data is judged to belong to neither the whitelist database nor the blacklist database, filtering the service data according to a screening policy and adding the service data that satisfies the screening policy to the suspected Trojan behavior event table, the screening policy being related to the signaling data and to the suspected Trojan-infected users;
and performing centralized analysis on the service data in the suspected Trojan behavior event table to determine which service data belongs to a Trojan, and adding the service information of that service data to the blacklist database.
In an embodiment of the present invention, adding the service data to the suspected Trojan behavior event table when its service information is judged not to belong to the whitelist database but to belong to the blacklist database comprises:
judging whether the service information corresponding to the service data belongs to the whitelist database;
when it belongs to the whitelist database, taking no further action;
when it does not belong to the whitelist database, judging whether it belongs to the blacklist database;
and when it belongs to the blacklist database, adding the service data to the suspected Trojan behavior event table.
In an embodiment of the present invention, the screening policy comprises a first screening rule, a second screening rule and a third screening rule, wherein:
the first screening rule is: determining, from the signaling data and the service data, the time difference between the user coming online and the service behavior; judging from that time difference whether traffic is generated immediately after coming online; if so, the service data satisfies the screening policy;
the second screening rule is: determining upload events and download events from the service data; judging whether an upload event is followed by a download event; if so, the service data satisfies the screening policy;
the third screening rule is: judging whether the service data belongs to a user on the suspected-infected user list, which consists of the suspected Trojan-infected users; if so, the service data satisfies the screening policy.
In an embodiment of the present invention, performing centralized analysis on the service data in the suspected Trojan behavior event table to determine which service data belongs to a Trojan, and adding its service information to the blacklist database, comprises:
performing periodic or aperiodic centralized analysis on the service data in the suspected Trojan behavior event table to judge whether that service data has converged (settled into a consistent pattern);
for converged service data, further judging from the result of a verification operation whether the service data belongs to a Trojan;
and when the service data is judged to belong to a Trojan, adding its service information to the blacklist database.
In an embodiment of the present invention, the method further comprises:
when the service data is judged to belong to a Trojan, adding the users associated with that service data to the suspected-infected user list;
and when the service data is judged not to belong to a Trojan, adding its service information to the whitelist database.
In an embodiment of the present invention, performing historical habit analysis and periodic behavior analysis on the periodic service data and identifying suspected Trojan-infected users by combining the result with the charging data comprises:
performing traffic habit analysis, service habit analysis and time habit analysis on historical periodic service data to obtain a historical analysis result;
deriving, from the current periodic service data, the corresponding traffic, service and time statistics as the current analysis result;
and comparing the current analysis result with the historical analysis result; when the two do not match, comparing the current analysis result with the charging data; and when the current analysis result does not match the charging data either, identifying the user as a suspected Trojan-infected user.
The apparatus for identifying a Trojan horse virus provided by an embodiment of the invention comprises:
a data module for collecting core network data and charging data, wherein the core network data comprises signaling data and service data, and for periodically aggregating the service data to obtain periodic service data;
a periodic behavior clustering module for performing historical habit analysis and periodic behavior analysis on the periodic service data and identifying suspected Trojan-infected users by combining the result with the charging data;
a real-time behavior screening module for adding the service data to a suspected Trojan behavior event table when its service information is judged not to belong to a whitelist database but to belong to a blacklist database; for filtering the service data according to a screening policy when its service information is judged to belong to neither the whitelist database nor the blacklist database, and adding the service data that satisfies the screening policy to the suspected Trojan behavior event table, the screening policy being related to the signaling data and to the suspected Trojan-infected users; and for performing centralized analysis on the service data in the suspected Trojan behavior event table to determine which service data belongs to a Trojan and adding its service information to the blacklist database.
In an embodiment of the present invention, the real-time behavior screening module comprises:
a whitelist judging module for judging whether the service information corresponding to the service data belongs to the whitelist database, and taking no further action when it does;
a blacklist judging module for judging, when the service information does not belong to the whitelist database, whether it belongs to the blacklist database, and adding the service data to the suspected Trojan behavior event table when it does.
In an embodiment of the present invention, the real-time behavior screening module comprises:
a screening policy module for filtering the service data according to a screening policy when its service information belongs to neither the whitelist database nor the blacklist database, and adding the service data that satisfies the screening policy to the suspected Trojan behavior event table, the screening policy being related to the signaling data and to the suspected Trojan-infected users;
wherein the screening policy comprises a first screening rule, a second screening rule and a third screening rule:
the first screening rule is: determining, from the signaling data and the service data, the time difference between the user coming online and the service behavior; judging from that time difference whether traffic is generated immediately after coming online; if so, the service data satisfies the screening policy;
the second screening rule is: determining upload events and download events from the service data; judging whether an upload event is followed by a download event; if so, the service data satisfies the screening policy;
the third screening rule is: judging whether the service data belongs to a user on the suspected-infected user list, which consists of the suspected Trojan-infected users; if so, the service data satisfies the screening policy.
In an embodiment of the present invention, the real-time behavior screening module comprises:
a centralized analysis module for performing periodic or aperiodic centralized analysis on the service data in the suspected Trojan behavior event table to judge whether it has converged; for converged service data, further judging from the result of a verification operation whether the service data belongs to a Trojan; and when it does, adding its service information to the blacklist database.
In an embodiment of the present invention, the centralized analysis module is further configured to add the users associated with the service data to the suspected-infected user list when the service data is judged to belong to a Trojan, and to add its service information to the whitelist database when the service data is judged not to belong to a Trojan.
In an embodiment of the present invention, the periodic behavior clustering module comprises:
a historical habit analysis module for performing traffic habit analysis, service habit analysis and time habit analysis on historical periodic service data to obtain a historical analysis result;
a periodic behavior analysis module for deriving, from the current periodic service data, the corresponding traffic, service and time statistics as the current analysis result;
and a comparison module for comparing the current analysis result with the historical analysis result, comparing the current analysis result with the charging data when the two do not match, and identifying a suspected Trojan-infected user when the current analysis result does not match the charging data either.
In the technical scheme of the embodiments of the invention, core network data and charging data are collected, the core network data comprising signaling data and service data, and the service data is periodically aggregated to obtain periodic service data; historical habit analysis and periodic behavior analysis are performed on the periodic service data, and suspected Trojan-infected users are identified by combining the result with the charging data; when the service information corresponding to the service data is judged not to belong to the whitelist database but to belong to the blacklist database, the service data is added to the suspected Trojan behavior event table; when the service information is judged to belong to neither the whitelist database nor the blacklist database, the service data is filtered according to a screening policy related to the signaling data and to the suspected Trojan-infected users, and the service data that satisfies the policy is added to the suspected Trojan behavior event table; and centralized analysis is performed on the service data in the suspected Trojan behavior event table to determine which service data belongs to a Trojan, whose service information is then added to the blacklist database. The embodiments of the invention therefore identify whether a user is infected with a Trojan horse virus by monitoring the user's behavior in the network, without relying on software installed on the handset. This provides an important safety net for middle-aged and elderly users, female users and other groups with little security awareness, and protects the security of user information. It is also of real significance for operators in making use of big data, improving the user's perceived service quality and maintaining a secure network environment.
Drawings
FIG. 1 is a schematic flow chart of a method for identifying a Trojan horse virus according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the core network interfaces of 2G/3G and LTE networks;
FIG. 3 is a schematic structural diagram of an apparatus for identifying a Trojan horse virus according to an embodiment of the present invention;
FIG. 4 is a schematic view of the flow of interaction between the modules of the apparatus for identifying a Trojan horse virus according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the relationships among the modules of the apparatus for identifying a Trojan horse virus according to an embodiment of the present invention.
Detailed Description
So that the features and aspects of the embodiments of the present invention can be understood in detail, a more particular description of the embodiments briefly summarized above is given below with reference to the embodiments, some of which are illustrated in the appended drawings.
The technical scheme of the embodiments of the invention is based mainly on information collected in the mobile communication network, such as user service behavior data, charging system data and user package (tariff plan) data, and identifies from the user's behavior whether the mobile phone has been attacked by a Trojan horse virus.
Fig. 1 is a schematic flow chart of a method for identifying a Trojan horse virus according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step 101: collect core network data and charging data, wherein the core network data comprises signaling data and service data, and periodically aggregate the service data to obtain periodic service data.
In the embodiment of the invention, the data are collected by a data acquisition system attached to the core network interfaces. Fig. 2 is a schematic diagram of the core network interfaces of 2G/3G and LTE networks. The core network interfaces concerned apply to General Packet Radio Service (GPRS), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), Wideband Code Division Multiple Access (WCDMA), time division duplex LTE (TDD-LTE) and frequency division duplex LTE (FDD-LTE) networks.
Step 102: perform historical habit analysis and periodic behavior analysis on the periodic service data, and identify suspected Trojan-infected users by combining the result with the charging data.
Specifically, traffic habit analysis, service habit analysis and time habit analysis are performed on historical periodic service data to obtain a historical analysis result;
the corresponding traffic, service and time statistics are derived from the current periodic service data as the current analysis result;
and the current analysis result is compared with the historical analysis result; when the two do not match, the current analysis result is compared with the charging data; and when the current analysis result does not match the charging data either, the user is identified as a suspected Trojan-infected user.
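The three sub-steps of step 102, as an added worked example in Python (this is not code from the patent or from China Mobile): it builds per-user traffic, service and time-of-day habits from historical periodic service data, compares the current period against them, and only flags a user when the charging record also bills services that never appeared in that user's history. The record layouts, the thresholds and that reading of "does not match the charging data" are assumptions made for the example; the patent does not specify them.

```python
"""Habit baseline vs. current period, cross-checked with charging data (step 102).

Assumed, not from the patent: service records are dicts with user, period, bytes,
service and hour; charging records are dicts with user, period and the set of
billed service names; the deviation thresholds are arbitrary choices for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _rec(user, period, nbytes, service, hour):
    return {"user": user, "period": period, "bytes": nbytes, "service": service, "hour": hour}


# Constructed sample: u1's history is daytime HTTP plus a little SMS; in the current
# period u1 adds heavy night-time traffic to an SP subscription service. u2 is normal.
HISTORY = (
    [_rec("u1", p, 40_000 + 5_000 * p, "http", 12) for p in (1, 2, 3)]
    + [_rec("u1", p, 200, "sms", 19) for p in (1, 2, 3)]
    + [_rec("u2", p, 10_000, "http", 9) for p in (1, 2, 3)]
)
CURRENT = [
    _rec("u1", 4, 55_000, "http", 12),
    _rec("u1", 4, 900_000, "sp_subscribe", 3),
    _rec("u2", 4, 11_000, "http", 9),
]
CHARGING = [
    {"user": "u1", "period": 4, "billed": {"http", "sms", "sp_subscribe"}},
    {"user": "u2", "period": 4, "billed": {"http"}},
]


def habit_profile(records):
    """Traffic, service and time habits per user from periodic service data."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    profiles = {}
    for user, recs in by_user.items():
        per_period = defaultdict(int)
        for r in recs:
            per_period[r["period"]] += r["bytes"]
        vols = list(per_period.values())
        profiles[user] = {
            "traffic_mean": mean(vols),
            "traffic_std": pstdev(vols),
            "services": {r["service"] for r in recs},
            "hours": {r["hour"] for r in recs},
        }
    return profiles


def deviations(hist, cur):
    """Names of the habit dimensions on which the current period departs from history."""
    out = []
    # traffic habit: above mean + 3 sigma and also at least double the historical mean
    limit = max(hist["traffic_mean"] + 3 * hist["traffic_std"], 2 * hist["traffic_mean"])
    if cur["traffic_mean"] > limit:
        out.append("traffic")
    if not cur["services"] <= hist["services"]:   # service habit: new service types
        out.append("service")
    if not cur["hours"] <= hist["hours"]:         # time habit: activity at unseen hours
        out.append("time")
    return out


def suspected_users(history, current, charging):
    """Step 102: a user is suspected when current habits deviate from history AND the
    charging record bills services that are absent from the historical profile."""
    hist, cur = habit_profile(history), habit_profile(current)
    billed = {(c["user"], c["period"]): c["billed"] for c in charging}
    flagged = {}
    for user, profile in cur.items():
        if user not in hist:
            continue  # no baseline yet, so no habit comparison is possible
        devs = deviations(hist[user], profile)
        if not devs:
            continue
        period = next(r["period"] for r in current if r["user"] == user)
        unexplained = billed.get((user, period), set()) - hist[user]["services"]
        if unexplained:
            flagged[user] = {"deviations": devs, "unexplained_charges": sorted(unexplained)}
    return flagged
```

In the sample, u1 deviates on all three habits and is billed for sp_subscribe, a service absent from the baseline, so u1 is flagged; u2's small traffic increase stays within the limit and u2 is left alone. The second gate (charging) is what keeps a user who merely tried a new app from being flagged on behavior alone.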
Step 103: when the service information corresponding to the service data is judged not to belong to the whitelist database but to belong to the blacklist database, add the service data to a suspected Trojan behavior event table.
Specifically, judge whether the service information corresponding to the service data belongs to the whitelist database;
when it belongs to the whitelist database, take no further action;
when it does not belong to the whitelist database, judge whether it belongs to the blacklist database;
and when it belongs to the blacklist database, add the service data to the suspected Trojan behavior event table.
Step 104: when the service information corresponding to the service data is judged to belong to neither the whitelist database nor the blacklist database, filter the service data according to a screening policy and add the service data that satisfies the screening policy to the suspected Trojan behavior event table; the screening policy is related to the signaling data and to the suspected Trojan-infected users.
The screening policy comprises a first screening rule, a second screening rule and a third screening rule, wherein:
the first screening rule is: determine, from the signaling data and the service data, the time difference between the user coming online and the service behavior; judge from that time difference whether traffic is generated immediately after coming online; if so, the service data satisfies the screening policy;
the second screening rule is: determine upload events and download events from the service data; judge whether an upload event is followed by a download event; if so, the service data satisfies the screening policy;
the third screening rule is: judge whether the service data belongs to a user on the suspected-infected user list, which consists of the suspected Trojan-infected users; if so, the service data satisfies the screening policy.
Step 105: perform centralized analysis on the service data in the suspected Trojan behavior event table to determine which service data belongs to a Trojan, and add the service information of that service data to the blacklist database.
Specifically, perform periodic or aperiodic centralized analysis on the service data in the suspected Trojan behavior event table to judge whether that service data has converged (settled into a consistent pattern);
for converged service data, further judge from the result of a verification operation whether the service data belongs to a Trojan;
and when the service data is judged to belong to a Trojan, add its service information to the blacklist database.
In the embodiment of the invention, when the service data is judged to belong to a Trojan, the users associated with that service data are added to the suspected-infected user list;
and when the service data is judged not to belong to a Trojan, its service information is added to the whitelist database.
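Steps 103 to 105, as one added worked example in Python (this is not code from the patent or from China Mobile): whitelist and blacklist triage, the three screening rules, the suspected Trojan behavior event table, and a centralized analysis pass that feeds its decision back into the blacklist, the whitelist and the suspected-infected user list. The record layouts, the two-second window for "traffic immediately after coming online", the convergence criterion (the same unknown service seen from at least three distinct subscribers) and the verify() callable standing in for the verification operation are assumptions for the example, not details given in the patent.

```python
"""Real-time screening and centralized analysis (steps 103 to 105), illustrative.
Assumed, not from the patent: the record layouts, a 2-second window for "traffic
immediately after coming online", convergence = the same unknown service seen from
at least 3 distinct subscribers, and verify() standing in for the verification step."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ServiceRecord:
    user: str
    service: str    # service information, e.g. destination host or SP code (assumed)
    t: float        # event time, seconds
    direction: str  # "up" (upload) or "down" (download)


@dataclass
class AttachEvent:  # signaling record: subscriber came online (attach / PDP activation)
    user: str
    t: float


class TrojanScreener:
    def __init__(self, whitelist, blacklist, suspected_users, attach_window=2.0, converge_users=3):
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.suspected_users = set(suspected_users)
        self.attach_window, self.converge_users = attach_window, converge_users
        self.event_table = []  # suspected Trojan behavior event table: (record, reasons)

    def rule_traffic_right_after_attach(self, rec, attaches):
        """Rule 1: service traffic within attach_window seconds of the user's last attach."""
        prior = [a.t for a in attaches if a.user == rec.user and a.t <= rec.t]
        return bool(prior) and rec.t - max(prior) <= self.attach_window

    @staticmethod
    def upload_then_download_pairs(records):
        """Rule 2 helper: (user, service) pairs in which an upload precedes a download."""
        first_up, pairs = {}, set()
        for r in sorted(records, key=lambda r: r.t):
            key = (r.user, r.service)
            if r.direction == "up":
                first_up.setdefault(key, r.t)
            elif key in first_up:
                pairs.add(key)
        return pairs

    def screen(self, records, attaches):
        """Steps 103 and 104: whitelist/blacklist triage, then the three screening rules."""
        updown = self.upload_then_download_pairs(records)
        for rec in records:
            if rec.service in self.whitelist:
                continue                                    # whitelisted: no action
            if rec.service in self.blacklist:
                self.event_table.append((rec, ["blacklist"]))
                continue
            reasons = []                                    # unknown service: apply rules
            if self.rule_traffic_right_after_attach(rec, attaches):
                reasons.append("traffic_right_after_attach")
            if (rec.user, rec.service) in updown:
                reasons.append("upload_then_download")
            if rec.user in self.suspected_users:            # rule 3
                reasons.append("user_suspected")
            if reasons:
                self.event_table.append((rec, reasons))
        return len(self.event_table)

    def centralized_analysis(self, verify):
        """Step 105: group the table by service, decide converged services with verify(),
        and feed the decision back into the blacklist, whitelist and suspected-user list."""
        by_service = defaultdict(list)
        for rec, reasons in self.event_table:
            by_service[rec.service].append((rec, reasons))
        decided = {}
        for service, entries in by_service.items():
            users = {rec.user for rec, _ in entries}
            if len(users) < self.converge_users and service not in self.blacklist:
                continue                                    # not converged: keep for next run
            is_trojan = service in self.blacklist or verify(service, entries)
            if is_trojan:
                self.blacklist.add(service)
                self.suspected_users |= users
            else:
                self.whitelist.add(service)
            decided[service] = is_trojan
        self.event_table = [e for e in self.event_table if e[0].service not in decided]
        return decided


# Constructed sample (not from the patent): u1..u3 reach the same unknown host right after
# attaching, uploading before downloading; u4 uses a whitelisted service, u5 a blacklisted
# one, u6 is ordinary, u7 is already on the suspected-user list.
ATTACHES = [AttachEvent(u, t) for u, t in [("u1", 0.0), ("u2", 100.0), ("u3", 200.0),
            ("u4", 300.0), ("u5", 400.0), ("u6", 0.0), ("u7", 0.0)]]
RECORDS = [
    ServiceRecord("u1", "c2.example", 0.5, "up"), ServiceRecord("u1", "c2.example", 1.2, "down"),
    ServiceRecord("u2", "c2.example", 100.4, "up"), ServiceRecord("u2", "c2.example", 101.0, "down"),
    ServiceRecord("u3", "c2.example", 200.3, "up"), ServiceRecord("u3", "c2.example", 200.9, "down"),
    ServiceRecord("u4", "bank.example", 300.5, "up"),
    ServiceRecord("u5", "known-bad.example", 400.1, "down"),
    ServiceRecord("u6", "news.example", 600.0, "down"),
    ServiceRecord("u7", "news.example", 650.0, "down"),
]


def run_demo():
    """Screen the sample, then run one centralized analysis with a fixed analyst decision."""
    s = TrojanScreener(whitelist={"bank.example"}, blacklist={"known-bad.example"},
                       suspected_users={"u7"})
    s.screen(RECORDS, ATTACHES)
    decided = s.centralized_analysis(verify=lambda service, entries: service == "c2.example")
    return s, decided
```

run_demo() returns the screener state after one pass: the three subscribers that contacted c2.example right after attaching converge on that host, the verification callable confirms it, the host is blacklisted and the subscribers join the suspected-infected list; u5's blacklisted traffic adds u5 to that list without verification, and the lone entry from u7 stays in the table until more subscribers share that service. The verification step is deliberately a callable rather than a threshold, because the patent leaves that decision to a verification operation outside the automated rules.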
Fig. 3 is a schematic structural diagram of an apparatus for identifying a Trojan horse virus according to an embodiment of the present invention. As shown in Fig. 3, the apparatus comprises:
a data module 31 configured to collect core network data and charging data, wherein the core network data comprises signaling data and service data, and to periodically aggregate the service data to obtain periodic service data;
a periodic behavior clustering module 32 configured to perform historical habit analysis and periodic behavior analysis on the periodic service data, and to identify suspected Trojan-infected users by combining the result with the charging data;
a real-time behavior screening module 33 configured to add the service data to a suspected Trojan behavior event table when its service information is judged not to belong to a whitelist database but to belong to a blacklist database; to filter the service data according to a screening policy when its service information is judged to belong to neither the whitelist database nor the blacklist database, and to add the service data that satisfies the screening policy to the suspected Trojan behavior event table, the screening policy being related to the signaling data and to the suspected Trojan-infected users; and to perform centralized analysis on the service data in the suspected Trojan behavior event table to determine which service data belongs to a Trojan and add its service information to the blacklist database.
The real-time behavior screening module 33 comprises:
a whitelist judging module 331 configured to judge whether the service information corresponding to the service data belongs to the whitelist database, and to take no further action when it does;
a blacklist judging module 332 configured to judge, when the service information does not belong to the whitelist database, whether it belongs to the blacklist database, and to add the service data to the suspected Trojan behavior event table when it does.
The real-time behavior screening module 33 comprises:
a screening policy module 333 configured to filter the service data according to a screening policy when its service information belongs to neither the whitelist database nor the blacklist database, and to add the service data that satisfies the screening policy to the suspected Trojan behavior event table, the screening policy being related to the signaling data and to the suspected Trojan-infected users;
wherein the screening policy comprises a first screening rule, a second screening rule and a third screening rule:
the first screening rule is: determining, from the signaling data and the service data, the time difference between the user coming online and the service behavior; judging from that time difference whether traffic is generated immediately after coming online; if so, the service data satisfies the screening policy;
the second screening rule is: determining upload events and download events from the service data; judging whether an upload event is followed by a download event; if so, the service data satisfies the screening policy;
the third screening rule is: judging whether the service data belongs to a user on the suspected-infected user list, which consists of the suspected Trojan-infected users; if so, the service data satisfies the screening policy.
The real-time behavior screening module 33 further includes:
a centralized analysis module 334, configured to perform centralized analysis, periodically or aperiodically, on the service data in the suspected Trojan horse behavior event table to judge whether the service data in the table converges; for the converged service data, to further judge according to the obtained verification operation whether the service data belongs to a Trojan horse; and, when the service data is judged to belong to a Trojan horse, to add the service information of that service data to the blacklist library.
The centralized analysis module 334 is further configured to add the users related to the service data belonging to a Trojan horse to the suspected infected Trojan horse user list when the service data is judged to belong to a Trojan horse, and to add the service information of the service data to the white list library when the service data is judged not to belong to a Trojan horse.
The periodic behavior clustering module 32 includes:
a historical habit analysis module 321, configured to perform traffic habit analysis, service habit analysis and time habit analysis on historical periodic service data, respectively, to obtain a historical analysis result;
a periodic behavior analysis module 322, configured to obtain, from the current periodic service data, the traffic, service and time data corresponding to the historical periodic service data, as a current analysis result;
a comparison module 323, configured to compare the current analysis result with the historical analysis result, to compare the current analysis result with the charging data when it does not match the historical analysis result, and to identify a suspected infected Trojan horse user when the current analysis result does not match the charging data either.
Fig. 4 is a schematic view of the interaction between the modules of the apparatus for identifying a Trojan horse virus according to the embodiment of the present invention. As shown in Fig. 4:
1) Data module
This module provides the data required by the scheme and mainly comprises two parts: core network acquisition system data and charging system data.
The core network acquisition system data is divided into signaling data and service data.
The signaling data refers to procedures such as a user establishing a Packet Data Protocol (PDP) context in 2G/3G, or attaching (Attach) and establishing a bearer in 4G, and mainly reflects the behavior and the time of the user connecting to the network.
The service data refers to data such as which websites a user visits, how much traffic is generated and how long the service lasts, and mainly reflects the behavior and the time of the user using the service.
On the basis of the service data, periodic statistics of the user's service data, namely periodic service data, can be obtained by defining a statistical period; this data mainly reflects the periodic service behavior of the user.
The charging system data mainly provides the package status of the user, in particular the ordering and changing of the data service package.
2) Real-time behavior screening module
This module completes quasi-real-time screening of suspected Trojan horse records based on real-time data, and periodic centralized analysis of the suspected Trojan horse records.
The main flow of this module is described below.
After the real-time service data of the user is input, the white list judging module compares the information of the service behavior, such as the service name and the target IP, with the white list library, and judges whether the service name and the target IP of the service are normal.
If the service name and the target IP of the service belong to the white list library, no processing is performed and the next record is processed.
If the service name and the target IP of the service do not belong to the white list library, the record enters the blacklist judging module for comparison, which judges whether the service name and the target IP of the service belong to the blacklist library.
If the service name and the target IP of the service belong to the blacklist library, the record is added to the suspected Trojan horse behavior event table and reserved for the subsequent centralized analysis.
If the service name and the target IP of the service do not belong to the blacklist library, the record is filtered by the screening strategy, and records meeting the screening strategy are added to the suspected Trojan horse behavior event table.
The screening strategy is defined on the basis of the behavior a mobile phone exhibits after it has been attacked by a Trojan horse virus, and mainly comprises the following three rules.
First screening rule: traffic is generated upon networking. This rule is designed for the many Trojan horse viruses that control (or monitor) the attacked mobile phone, connect it to the network, and then upload stolen data or download further virus plug-ins. Screening is performed mainly through the time difference between the networking behavior and the service behavior of the user. The time difference threshold may be obtained empirically or statistically. Empirically the time difference is 500-1000 ms, which must be shorter than the time a user needs to operate the phone. Statistically, the time difference is obtained by analyzing the distribution of the observed values, generally by taking a decile.
Second screening rule: an upload action is generated and followed by a download action. This rule is also defined from the behavior of many Trojan horse viruses: besides uploading the private information of the mobile phone user, many of them automatically update themselves and download more malicious programs, and the usual order is uploading first and downloading second. The rule is judged from the service behavior data of the user: uploading and downloading behavior is identified from the HTTP POST/GET information and from the size ratio of the uploaded and downloaded packets.
Third screening rule: the user belongs to the suspected infected Trojan horse user list. The suspected infected Trojan horse user list is generated by the periodic behavior clustering module, i.e. the third main module.
These screening rules operate on single or multiple records, and the single or multiple records satisfying a rule are added to the suspected Trojan horse behavior event table.
Based on the data in the suspected Trojan horse behavior event table, periodic or irregular (triggered once a certain number of records has accumulated) centralized analysis examines whether the records converge in terms of service name and target IP.
If a service name or target IP on which the records converge is found, a manual verification operation follows to confirm whether it is related to a Trojan horse. Thanks to the preceding steps, the amount of manual confirmation work is not large, typically on the order of 100 per day.
Finally, the manually confirmed Trojan horse services and target IPs are added to the blacklist library and the related users are added to the suspected infected Trojan horse user list, while service names and target IPs confirmed to be unrelated to a Trojan horse are added to the white list library. This completes one cycle of the module.
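The real-time screening cycle described above (white list and blacklist lookup, the three screening rules, convergence on service name and target IP, and the feedback from manual verification), as an added Python example that is not part of the patent or of the applicant's system. The record layout, the TEST-NET addresses, the service and user names, and the upload/download size ratio of 2 are constructed assumptions; the 1000 ms window is the upper bound of the patent's 500-1000 ms range.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceRecord:
    user: str
    service: str      # service name
    dst_ip: str       # target IP
    start_ms: int     # flow start time in ms
    method: str       # HTTP method from the service data: "POST" or "GET"
    up_bytes: int
    down_bytes: int

RULE1_MAX_DELTA_MS = 1000  # patent: 500-1000 ms by experience; upper bound used here
RULE2_RATIO = 2.0          # up/down size ratio; the patent gives no value, 2 is assumed

def list_verdict(rec, whitelist, blacklist):
    """White list first, then blacklist, keyed on (service name, target IP)."""
    key = (rec.service, rec.dst_ip)
    if key in whitelist:
        return "ignore"
    return "blacklist" if key in blacklist else "screen"

def rule1_traffic_right_after_attach(rec, attach_ms):
    """Signaling data gives the attach/PDP time; compare it with the flow start."""
    t = attach_ms.get(rec.user)
    return t is not None and 0 <= rec.start_ms - t <= RULE1_MAX_DELTA_MS

def rule2_upload_then_download(indexed):
    """indexed: [(index, record)] of one user. Returns indexes of records forming an
    upload (POST, mostly up bytes) followed by a download (GET, mostly down bytes)."""
    hits, pending_upload = set(), None
    for i, r in sorted(indexed, key=lambda p: p[1].start_ms):
        if r.method == "POST" and r.up_bytes >= RULE2_RATIO * max(r.down_bytes, 1):
            pending_upload = i
        elif (r.method == "GET" and pending_upload is not None
              and r.down_bytes >= RULE2_RATIO * max(r.up_bytes, 1)):
            hits.update((pending_upload, i))
            pending_upload = None
    return hits

def screen(records, whitelist, blacklist, suspected_users, attach_ms):
    """Build the suspected Trojan horse behavior event table: list of (record, reason)."""
    per_user = {}
    for i, r in enumerate(records):
        per_user.setdefault(r.user, []).append((i, r))
    rule2_hits = set()
    for items in per_user.values():
        rule2_hits |= rule2_upload_then_download(items)
    events = []
    for i, r in enumerate(records):
        verdict = list_verdict(r, whitelist, blacklist)
        if verdict == "ignore":
            continue
        if verdict == "blacklist":
            events.append((r, "blacklist"))
        elif rule1_traffic_right_after_attach(r, attach_ms):
            events.append((r, "rule1"))
        elif i in rule2_hits:
            events.append((r, "rule2"))
        elif r.user in suspected_users:  # rule 3
            events.append((r, "rule3"))
    return events

def converged_targets(events, min_records):
    """Centralized analysis: (service, target IP) pairs the events converge on."""
    counts = Counter((r.service, r.dst_ip) for r, _ in events)
    return [(key, n) for key, n in counts.most_common() if n >= min_records]

def apply_verification(verified, events, whitelist, blacklist, suspected_users):
    """verified: {(service, target IP): True if the manual check confirmed a Trojan}."""
    for key, is_trojan in verified.items():
        if is_trojan:
            blacklist.add(key)
            suspected_users.update(r.user for r, _ in events if (r.service, r.dst_ip) == key)
        else:
            whitelist.add(key)

def run_demo():
    """One cycle over constructed data: TEST-NET addresses, invented services and users."""
    whitelist = {("WeChat", "203.0.113.10")}
    blacklist = {("badapp", "198.51.100.5")}
    suspected_users = {"u3"}
    attach_ms = {"u1": 1000, "u2": 3000}
    records = [
        ServiceRecord("u1", "WeChat", "203.0.113.10", 1200, "GET", 300, 9000),  # white-listed
        ServiceRecord("u1", "cdn-x", "192.0.2.7", 1600, "GET", 200, 4000),      # rule 1 (600 ms)
        ServiceRecord("u2", "badapp", "198.51.100.5", 4500, "GET", 100, 500),   # black-listed
        ServiceRecord("u2", "cdn-x", "192.0.2.7", 5000, "POST", 50000, 800),    # rule 2 upload
        ServiceRecord("u2", "cdn-x", "192.0.2.7", 9000, "GET", 400, 80000),     # rule 2 download
        ServiceRecord("u3", "forum", "192.0.2.9", 7000, "GET", 300, 2000),      # rule 3
        ServiceRecord("u4", "news", "192.0.2.11", 8000, "GET", 300, 2000),      # nothing
    ]
    events = screen(records, whitelist, blacklist, suspected_users, attach_ms)
    targets = converged_targets(events, min_records=3)
    # stand-in for the manual verification step: confirm the converged target
    apply_verification({targets[0][0]: True}, events, whitelist, blacklist, suspected_users)
    return {"events": [(r.user, why) for r, why in events], "targets": targets,
            "blacklist": blacklist, "suspected_users": suspected_users}
```

Records that hit the white list are dropped before any rule runs, and the three records converging on the same (service, IP) pair are what reach manual confirmation.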
3) Periodic behavior clustering module
This module identifies and outputs suspected infected Trojan horse users, mainly by performing historical habit analysis and periodic behavior analysis on the periodic service data and comparing the two.
Historical habit analysis module: this module analyzes the user's internet access habits in three aspects, traffic, service and time, from the service data of historical periods (as distinguished from the current period). These habits are chosen because of the changes in user behavior that a Trojan horse virus produces after attacking the user's mobile phone.
1> Traffic habit: statistical indexes such as the mean, standard deviation and coefficient of variation of the user's uplink and downlink traffic within the analysis period, reflecting habits such as how much traffic the user uses and how widely the traffic varies. Users may be classified on this basis as stable high-traffic users, stable low-traffic users, fluctuating-traffic users, and so on. This angle of analysis follows from the effect of Trojan horse viruses on the user's traffic.
2> Service habit: the names and ranking of the TOP-N services with the highest traffic for the user within the analysis period; generally 10 services are chosen as the objects of analysis, and the exact number can be determined from the distribution of the number of services used by normal users. The data of the analysis is organized as vectors, and the service stability of the user is expressed through the center of gravity of the vectors and the distances between them. Users can be divided into a stable type and a fluctuating type. This angle of analysis follows from the effect of advertisement and automatic-download Trojan horse viruses on the user.
3> Time habit: the distribution of the user's internet access time. Generally, the time within a period is grouped by working day/non-working day, busy/idle hours, or equal time intervals, so that the continuous time variable becomes a discrete one. On this basis, the mean, standard deviation, coefficient of variation and similar indexes of the user's traffic and duration are computed to obtain the user's time habit. This angle of analysis follows from the effect on the user of privacy-stealing, advertisement and automatic-download Trojan horses, or of timed or highly random remote control of internet access.
Periodic behavior analysis module: this module obtains the data of the current period and produces the same data structures as the historical habit analysis module, i.e. the traffic, service and time dimensions.
Comparison module: this module compares the current period behavior with the habits, and compares any current period behavior differing from the habits with the package change status.
1> Comparison of the current period behavior with the habits: by comparing the current period data with the habit data, it is found whether the user's behavior in the current period has changed, and if so the magnitude of the change, the time point of the change, and related data.
2> Comparison of the current period behavior differing from the habits with the package: when the current period behavior of the user is inconsistent with the habits, it is checked against the changes of the user's package, in particular the data service package, within the natural month to which the current period belongs. If the package has changed in the same way as the user's service behavior, for example the user's traffic suddenly increases and the traffic package increases correspondingly, the user's abnormal behavior is considered to be caused by the package change and is not processed further. If the package has not changed, or its change is inconsistent with the change in the user's behavior, the user is added to the suspected infected Trojan horse user list for use by the real-time behavior screening module.
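The periodic behavior clustering flow above (traffic, service and time habits from historical periods, the same structures for the current period, comparison against the habit and then against the package change), as an added Python example that is not part of the patent or of the applicant's system. The per-period record layout, the four time groups, the z-score and vector-distance thresholds, TOP-N of 3, and all user data are constructed assumptions; the patent names the statistics and the vector/centroid comparison but gives no thresholds.

```python
from math import sqrt
from statistics import mean, pstdev

TOP_N = 3             # the patent typically uses 10 services; 3 keeps the sample small
Z_THRESHOLD = 2.0     # constructed: traffic change if > 2 standard deviations above habit
DIST_THRESHOLD = 0.5  # constructed: max distance of a share vector from the habit centroid
SLOTS = ["wd_busy", "wd_idle", "nwd_busy", "nwd_idle"]  # working/non-working day x busy/idle

def traffic_habit(periods):
    """Mean, standard deviation and coefficient of variation of total traffic per period."""
    totals = [p["up"] + p["down"] for p in periods]
    mu, sd = mean(totals), pstdev(totals)
    return {"mean": mu, "std": sd, "cv": sd / mu if mu else 0.0}

def top_services(periods, n=TOP_N):
    """Names of the TOP-N services by total traffic over the historical periods."""
    agg = {}
    for p in periods:
        for s, b in p["services"].items():
            agg[s] = agg.get(s, 0) + b
    return [s for s, _ in sorted(agg.items(), key=lambda kv: -kv[1])[:n]]

def share_vector(counts, keys):
    """Share of the period's total traffic on each key (the vector form the patent uses)."""
    total = sum(counts.values())
    return [counts.get(k, 0) / total if total else 0.0 for k in keys]

def centroid(vectors):
    return [mean(col) for col in zip(*vectors)]

def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def historical_habit(periods):
    """Historical habit analysis over the traffic, service and time dimensions."""
    keys = top_services(periods)
    svc_vecs = [share_vector(p["services"], keys) for p in periods]
    slot_vecs = [share_vector(p["slots"], SLOTS) for p in periods]
    return {"traffic": traffic_habit(periods), "service_keys": keys,
            "service_centroid": centroid(svc_vecs), "time_centroid": centroid(slot_vecs)}

def current_analysis(period, habit):
    """Periodic behavior analysis: the same structures for the current period."""
    return {"traffic": period["up"] + period["down"],
            "service_vec": share_vector(period["services"], habit["service_keys"]),
            "time_vec": share_vector(period["slots"], SLOTS)}

def compare_with_habit(cur, habit):
    """Dimensions on which the current period departs from the historical habit."""
    changes = []
    t = habit["traffic"]
    if t["std"] and (cur["traffic"] - t["mean"]) / t["std"] > Z_THRESHOLD:
        changes.append("traffic")
    if distance(cur["service_vec"], habit["service_centroid"]) > DIST_THRESHOLD:
        changes.append("service")
    if distance(cur["time_vec"], habit["time_centroid"]) > DIST_THRESHOLD:
        changes.append("time")
    return changes

def explained_by_package(changes, package_change_mb):
    """A pure traffic rise matched by a package upgrade in the same month is user-driven;
    a changed service mix or time pattern is not explained by the package."""
    return changes == ["traffic"] and package_change_mb > 0

def identify_suspected(users):
    """users: {name: {"history": [period...], "current": period, "package_change_mb": n}}.
    Returns {name: changes} for users added to the suspected infected Trojan user list."""
    suspected = {}
    for name, d in users.items():
        habit = historical_habit(d["history"])
        changes = compare_with_habit(current_analysis(d["current"], habit), habit)
        if changes and not explained_by_package(changes, d["package_change_mb"]):
            suspected[name] = changes
    return suspected

def base_period(scale, extra=None, slots=None):
    """Constructed period of a steady user: 100 MB * scale, 60/30/10 split, daytime-heavy."""
    services = {"video": 60 * scale, "chat": 30 * scale, "news": 10 * scale}
    services.update(extra or {})
    total = sum(services.values())
    return {"up": 0.2 * total, "down": 0.8 * total, "services": services,
            "slots": slots or {"wd_busy": 40 * scale, "wd_idle": 30 * scale,
                               "nwd_busy": 20 * scale, "nwd_idle": 10 * scale}}

HISTORY = [base_period(s) for s in (1.0, 1.1, 0.9, 1.05, 0.95)]  # mean 100 MB, std ~7 MB
SAMPLE_USERS = {  # constructed current periods
    # unknown service dominates, traffic x5, usage moved to idle hours, no package change
    "uA": {"history": HISTORY, "package_change_mb": 0,
           "current": base_period(1.0, {"unknown-apk": 400},
                                  {"wd_busy": 40, "wd_idle": 30, "nwd_busy": 20, "nwd_idle": 410})},
    # traffic x3 with the usual service mix, and a 200 MB package upgrade the same month
    "uB": {"history": HISTORY, "package_change_mb": 200, "current": base_period(3.0)},
    "uC": {"history": HISTORY, "package_change_mb": 0, "current": base_period(1.05)},  # normal
    # package upgrade, but the service mix also changed, so the package does not explain it
    "uD": {"history": HISTORY, "package_change_mb": 400,
           "current": base_period(1.0, {"unknown-apk": 400})},
}
```

Running identify_suspected(SAMPLE_USERS) flags uA and uD only: uB's traffic rise is matched by its package upgrade and uC is within habit.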
Fig. 5 is a schematic diagram of the relationships among the modules of the apparatus for identifying a Trojan horse virus according to the embodiment of the present invention. As shown in Fig. 5, 1 and 2 represent the provision of data, and 3 represents the provision of the suspected infected Trojan horse user list.
The specific contents of the lists involved in the embodiment of the invention are as follows:
White list library: a collection of service names and target IPs that are unrelated to Trojan horse viruses.
Blacklist library: a collection of service names and target IPs that are related to Trojan horse viruses, such as Trojan horse distribution sites, control IPs, infected applications, and advertisement publishing sites that earn by click-through rate.
Suspected infected Trojan horse user list: the list of users with a higher probability of having been attacked by a Trojan horse virus. It can be provided to departments such as customer service and service support for reference in work such as customer service and service blocking.
Infected Trojan horse user list: the list of users confirmed to have been attacked by a Trojan horse virus. It can support work such as active customer care, network management, service management and network optimization.
The technical schemes described in the embodiments of the present invention can be combined arbitrarily as long as they do not conflict.
It should be understood that the method and device disclosed in the embodiments of the present invention may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or of other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, i.e. they may be located in one place or distributed over a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be a separate unit, or two or more units may be integrated into one unit; the integrated unit can be realized in the form of hardware, or in the form of hardware plus a software functional unit.
The above description covers only specific embodiments of the present invention, but the scope of the present invention is not limited thereto; any changes or substitutions that a person skilled in the art can easily conceive within the technical scope of the present invention are covered by the scope of the present invention.

Claims (12)

1. A method of identifying a Trojan horse virus, the method comprising:
collecting core network data and charging data, wherein the core network data comprises signaling data and service data, and periodically counting the service data to obtain periodic service data; the charging data provides the package status of the user;
performing historical habit analysis and periodic behavior analysis on the periodic service data, and identifying suspected infected Trojan horse users by combining the charging data;
when the service information corresponding to the service data is judged not to belong to a white list library and to belong to a blacklist library, adding the service data to a suspected Trojan horse behavior event table;
when the service information corresponding to the service data is judged to belong neither to the white list library nor to the blacklist library, filtering the service data according to a screening strategy, and adding the service data meeting the screening strategy to the suspected Trojan horse behavior event table; the screening strategy is related to the signaling data and to the suspected infected Trojan horse users;
and performing centralized analysis on the service data in the suspected Trojan horse behavior event table to determine the service data belonging to a Trojan horse, and adding the service information of the service data belonging to the Trojan horse to the blacklist library.
2. The method according to claim 1, wherein adding the service data to a suspected Trojan horse behavior event table when the service information corresponding to the service data is judged not to belong to a white list library and to belong to a blacklist library comprises:
judging whether the service information corresponding to the service data belongs to a white list library;
when the service information corresponding to the service data is judged to belong to the white list library, performing no processing;
when the service information corresponding to the service data is judged not to belong to the white list library, judging whether the service information corresponding to the service data belongs to a blacklist library;
and when the service information corresponding to the service data is judged to belong to the blacklist library, adding the service data to the suspected Trojan horse behavior event table.
3. The method of identifying a Trojan horse virus according to claim 1, wherein the screening strategy comprises a first screening rule, a second screening rule and a third screening rule;
the first screening rule is: determining the time difference between the networking behavior and the service behavior according to the signaling data and the service data, and judging from the time difference whether traffic is generated immediately after networking; if so, the service data meets the screening strategy;
the second screening rule is: determining upload events and download events according to the service data, and judging whether an upload event is followed by a download event; if so, the service data meets the screening strategy;
the third screening rule is: judging whether the service data belongs to a user in the suspected infected Trojan horse user list, which is composed of the suspected infected Trojan horse users; if so, the service data meets the screening strategy.
4. The method according to claim 3, wherein performing centralized analysis on the service data in the suspected Trojan horse behavior event table to determine the service data belonging to a Trojan horse, and adding the service information of the service data belonging to the Trojan horse to the blacklist library, comprises:
performing periodic or aperiodic centralized analysis on the service data in the suspected Trojan horse behavior event table to judge whether the service data in the suspected Trojan horse behavior event table converges;
for the converged service data, further judging according to the obtained verification operation whether the service data belongs to a Trojan horse;
and when the service data is judged to belong to a Trojan horse, adding the service information of the service data belonging to the Trojan horse to the blacklist library.
5. The method of identifying a Trojan horse virus according to claim 4, further comprising:
when the service data is judged to belong to a Trojan horse, adding the users related to the service data belonging to the Trojan horse to the suspected infected Trojan horse user list;
and when the service data is judged not to belong to a Trojan horse, adding the service information of the service data not belonging to a Trojan horse to the white list library.
6. The method of identifying a Trojan horse virus according to any one of claims 1 to 5, wherein performing historical habit analysis and periodic behavior analysis on the periodic service data and identifying suspected infected Trojan horse users by combining the charging data comprises:
performing traffic habit analysis, service habit analysis and time habit analysis on historical periodic service data, respectively, to obtain a historical analysis result;
obtaining, from the current periodic service data, the traffic, service and time data corresponding to the historical periodic service data, as a current analysis result;
and comparing the current analysis result with the historical analysis result, comparing the current analysis result with the charging data when the current analysis result is not consistent with the historical analysis result, and identifying a suspected infected Trojan horse user when the current analysis result is not consistent with the charging data either.
7. An apparatus for identifying a Trojan horse virus, the apparatus comprising:
a data module, configured to collect core network data and charging data, wherein the core network data comprises signaling data and service data, and the service data is periodically counted to obtain periodic service data; the charging data provides the package status of the user;
a periodic behavior clustering module, configured to perform historical habit analysis and periodic behavior analysis on the periodic service data and to identify suspected infected Trojan horse users by combining the charging data;
and a real-time behavior screening module, configured to add the service data to a suspected Trojan horse behavior event table when the service information corresponding to the service data is judged not to belong to a white list library and to belong to a blacklist library; to filter the service data according to a screening strategy when the service information corresponding to the service data is judged to belong neither to the white list library nor to the blacklist library, and to add the service data meeting the screening strategy to the suspected Trojan horse behavior event table, the screening strategy being related to the signaling data and to the suspected infected Trojan horse users; and to perform centralized analysis on the service data in the suspected Trojan horse behavior event table to determine the service data belonging to a Trojan horse, and to add the service information of the service data belonging to the Trojan horse to the blacklist library.
8. The apparatus for identifying a Trojan horse virus according to claim 7, wherein the real-time behavior screening module comprises:
a white list judging module, configured to judge whether the service information corresponding to the service data belongs to a white list library, and to perform no processing when the service information corresponding to the service data is judged to belong to the white list library;
and a blacklist judging module, configured to judge whether the service information corresponding to the service data belongs to a blacklist library when the service information corresponding to the service data is judged not to belong to the white list library, and to add the service data to the suspected Trojan horse behavior event table when the service information corresponding to the service data is judged to belong to the blacklist library.
9. The apparatus for identifying a Trojan horse virus according to claim 7, wherein the real-time behavior screening module comprises:
a screening strategy module, configured to filter the service data according to a screening strategy when the service information corresponding to the service data is judged to belong neither to the white list library nor to the blacklist library, and to add the service data meeting the screening strategy to the suspected Trojan horse behavior event table; the screening strategy is related to the signaling data and to the suspected infected Trojan horse users;
wherein the screening strategy comprises a first screening rule, a second screening rule and a third screening rule;
the first screening rule is: determining the time difference between the networking behavior and the service behavior according to the signaling data and the service data, and judging from the time difference whether traffic is generated immediately after networking; if so, the service data meets the screening strategy;
the second screening rule is: determining upload events and download events according to the service data, and judging whether an upload event is followed by a download event; if so, the service data meets the screening strategy;
the third screening rule is: judging whether the service data belongs to a user in the suspected infected Trojan horse user list, which is composed of the suspected infected Trojan horse users; if so, the service data meets the screening strategy.
10. The apparatus for identifying a Trojan horse virus according to claim 9, wherein the real-time behavior screening module comprises:
a centralized analysis module, configured to perform periodic or aperiodic centralized analysis on the service data in the suspected Trojan horse behavior event table to judge whether the service data in the suspected Trojan horse behavior event table converges; for the converged service data, to further judge according to the obtained verification operation whether the service data belongs to a Trojan horse; and, when the service data is judged to belong to a Trojan horse, to add the service information of the service data belonging to the Trojan horse to the blacklist library.
11. The apparatus for identifying a Trojan horse virus according to claim 10, wherein the centralized analysis module is further configured to add the users related to the service data belonging to a Trojan horse to the suspected infected Trojan horse user list when the service data is judged to belong to a Trojan horse, and to add the service information of the service data not belonging to a Trojan horse to the white list library when the service data is judged not to belong to a Trojan horse.
12. The apparatus for identifying a Trojan horse virus according to any one of claims 7 to 11, wherein the periodic behavior clustering module comprises:
a historical habit analysis module, configured to perform traffic habit analysis, service habit analysis and time habit analysis on historical periodic service data, respectively, to obtain a historical analysis result;
a periodic behavior analysis module, configured to obtain, from the current periodic service data, the traffic, service and time data corresponding to the historical periodic service data, as a current analysis result;
and a comparison module, configured to compare the current analysis result with the historical analysis result, to compare the current analysis result with the charging data when the current analysis result is not consistent with the historical analysis result, and to identify a suspected infected Trojan horse user when the current analysis result is not consistent with the charging data either.
Application CN201610085868.5A, priority date 2016-02-15, filing date 2016-02-15, Method and device for identifying Trojan horse virus, status Active, granted as CN107086978B (en)


Publications (2)

Publication Number Publication Date
CN107086978A (en) 2017-08-22
CN107086978B (en) 2019-12-10




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant