CN108111476B - C & C channel detection method - Google Patents

C & C channel detection method

Info

Publication number: CN108111476B
Authority: CN (China)
Prior art keywords: destination, list, suspicious, target, ips
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201710670294.2A
Other languages: Chinese (zh)
Other versions: CN108111476A (en)
Inventors: 许锰, 白肖, 何建锋, 陈宏伟
Current assignee: Xi'an Jiaotong University Jump Network Technology Co ltd
Original assignee: Xi'an Jiaotong University Jump Network Technology Co ltd
Priority date: 2017-08-08
Filing date: 2017-08-08
Publication date: 2021-01-19

Events
Application filed by Xi'an Jiaotong University Jump Network Technology Co ltd (2017-08-08)
Priority to CN201710670294.2A
Publication of CN108111476A (2018-06-01)
Application granted
Publication of CN108111476B (2021-01-19)
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
        • H04L63/14 for detecting or protecting against malicious traffic > H04L63/1433 Vulnerability analysis
        • H04L63/02 for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies > H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L63/02 for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies > H04L63/0254 Stateful filtering

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a C & C channel detection method. At intervals of a first period, all destination IPs and source IPs are counted, and every destination IP that belongs to neither the legal destination IP list nor the abnormal destination IP list is recorded, together with its corresponding source IPs, as preliminary suspicious IP pairs. For each preliminary suspicious IP pair, the number of packets transmitted between the destination IP and the source IP is counted, and/or the uplink and downlink traffic transmitted between them is measured; a preliminary suspicious IP pair is marked as a suspicious IP pair if more than 1000 packets were transmitted between its destination IP and source IP, and/or if its uplink traffic is more than N times its downlink traffic. Every destination IP that corresponds to at most 3 source IPs among the suspicious IP pairs is added to the suspicious destination IP list, and the IP of the attacker server and the IP of the controlled host are obtained by analysing the packets exchanged with those destination IPs.

Description

C & C channel detection method
Technical Field
The invention belongs to the technical field of information network security and specifically relates to a C & C channel detection method.
Background
A C & C channel, also called a command and control channel, is a mechanism for transmitting information covertly in violation of security policy. C & C channel tools deliver their payload without being discovered by embedding it in ordinary data messages and transmitting those messages over a carrier protocol in the normal way. The C & C channel has become the main tool for information transfer between an attacker and the hosts the attacker controls: the attacker uses the channel to move data from a controlled host to the attacker's own host in order to obtain information, and at the same time sends control commands over the channel so as to keep control of the controlled host over a long period.
C & C channel detection aims to obtain the IP of the attacker server and the IP of the controlled host, so that data transmission between the controlled host and the attacker server can be cut off. Two detection techniques are currently in common use.
1. Detection technology based on feature matching
C & C channel detection based on feature matching establishes and maintains a feature database and matches the feature information in that database against the network data stream; a successful match generates an alarm. Feature-matching detection mainly analyses and matches data at the application layer, for example by inspecting parameters such as the URL, GET and POST fields of an HTTP tunnel and looking for the characteristics of an attack.
2. Detection technology based on protocol anomaly analysis
C & C channel detection based on protocol anomaly analysis parses the protocol in the network data stream and generates an alarm when the stream is found to violate the protocol specification. For example, in HTTP each request operation corresponds to one response operation, and under HTTP/1.1 fields such as Host are mandatory in the protocol header; when an abnormal protocol operation appears in the monitored data stream, an alarm is raised. Protocol anomaly analysis can look for any behaviour that deviates from a standard or expected value, so it can detect both known and unknown attack behaviour, but it is ineffective against well-designed HTTP channel tools such as proxy-service and CGI-script channel tools.
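The two checks this paragraph names, as an added example that is not part of the patent or of the prior art it cites: it parses the head of each HTTP message, flags HTTP/1.1 requests that lack a Host header, and counts requests against responses per connection over a completed capture. The sample messages, connection ids and function names are constructed for the demonstration.

```python
"""HTTP protocol-anomaly checks of the kind described above.

Added example, not code from the patent or its cited prior art. The sample
messages are constructed; the only rules applied are the two the text names:
HTTP/1.1 requests must carry a Host header, and each request should be
answered by exactly one response on its connection.
"""
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})(?: .*)?$")


def parse_head(raw):
    """Return (start line, {lowercased header: value}) or None if a header
    line has no colon. Only the head (before the blank line) is inspected."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return start, headers


def request_anomalies(raw):
    """List the specification violations in one request (empty if none)."""
    parsed = parse_head(raw)
    if parsed is None:
        return ["malformed header line"]
    start, headers = parsed
    m = REQUEST_LINE.match(start)
    if not m:
        return ["malformed request line"]
    major, minor = int(m.group(3)), int(m.group(4))
    problems = []
    # Host is mandatory from HTTP/1.1 on; a 1.0 client may legitimately omit it.
    if (major, minor) >= (1, 1) and "host" not in headers:
        problems.append(f"HTTP/{major}.{minor} request without Host header")
    return problems


def unmatched_connections(messages):
    """messages: iterable of (connection id, raw message) over a completed
    capture. Returns {connection: (requests, responses)} for connections
    where the counts differ, i.e. a request with no response or a response
    that answers no request."""
    counts = defaultdict(lambda: [0, 0])
    for conn, raw in messages:
        start = raw.split("\r\n", 1)[0]
        counts[conn][1 if STATUS_LINE.match(start) else 0] += 1
    return {conn: (c[0], c[1]) for conn, c in counts.items() if c[0] != c[1]}


# Constructed sample traffic (not captured data).
SAMPLE = [
    ("c1", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("c1", "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("c2", "POST /beacon HTTP/1.1\r\nUser-Agent: x\r\nContent-Length: 0\r\n\r\n"),
    ("c2", "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("c2", "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),  # answers no request
    ("c3", "GET / HTTP/1.0\r\n\r\n"),
    ("c3", "HTTP/1.0 200 OK\r\n\r\n"),
]


def scan(messages=SAMPLE):
    """Run both checks. Returns ({(conn, request line): anomalies},
    {conn: (requests, responses)}) with only the offending entries."""
    per_request = {}
    for conn, raw in messages:
        start = raw.split("\r\n", 1)[0]
        if not STATUS_LINE.match(start):
            problems = request_anomalies(raw)
            if problems:
                per_request[(conn, start)] = problems
    return per_request, unmatched_connections(messages)


if __name__ == "__main__":
    bad_requests, bad_connections = scan()
    print("request anomalies:", bad_requests)
    print("unmatched connections:", bad_connections)
```

Pipelined connections carry several outstanding requests, so the request/response count only makes sense once the capture of a connection is complete. And, as the text notes, a channel tool that emits well-formed HTTP with a Host header passes both checks; that is the gap the flow statistics described later in this document are meant to cover.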
Disclosure of Invention
In view of the above, the present invention is directed to a method for detecting a C & C channel.
To achieve this purpose, the technical solution of the invention is realised as follows:
An embodiment of the invention provides a C & C channel detection method comprising the following steps: counting all destination IPs and source IPs at intervals of a first period, and recording each destination IP that belongs to neither a legal destination IP list nor an abnormal destination IP list, together with its corresponding source IPs, as preliminary suspicious IP pairs; counting the number of packets transmitted between the destination IP and the source IP in each preliminary suspicious IP pair, and/or counting the uplink and downlink traffic transmitted between them, and marking a preliminary suspicious IP pair as a suspicious IP pair when more than 1000 packets were transmitted between its destination IP and source IP and/or its uplink traffic is more than N times its downlink traffic; adding each destination IP that corresponds to at most 3 source IPs in the suspicious IP pairs to a suspicious destination IP list, and at the same time storing the packets transmitted between every destination IP in the suspicious destination IP list and its corresponding source IPs; and obtaining the IP of the attacker server and the IP of the controlled host by analysing the stored packets.
In the above scheme, the method further comprises: for each destination IP that corresponds to more than 3 source IPs in the suspicious IP pairs, adding that destination IP to the legal destination IP list and adding the host field corresponding to it to a legal host list.
In the above solution, after the IP of the attacker server and the IP of the controlled host have been obtained by analysing the packets, the method further includes: at intervals of a second period, for each destination IP in the suspicious destination IP list that corresponds to more than 5 source IPs, deleting that destination IP from the suspicious destination IP list and adding it to the legal destination IP list, and deleting the host field corresponding to it from a suspicious host list and adding that host field to the legal host list.
In the above solution, after the IP of the attacker server and the IP of the controlled host have been obtained by analysing the packets, the method further includes: for each destination IP in the suspicious destination IP list that corresponds to at most 5 source IPs, adding that destination IP to the abnormal destination IP list and adding the host field corresponding to it to an abnormal host list, and deleting the destination IP from the suspicious destination IP list and its host field from the suspicious host list.
In the foregoing solution, before counting all destination IPs and source IPs at intervals of the first period, the method further includes: configuring a legal destination IP list for storing legal destination IPs; configuring an abnormal destination IP list for storing abnormal destination IPs; configuring a legal host list for storing legal hosts; and configuring an abnormal host list for storing abnormal hosts.
Compared with the prior art, the invention has the following beneficial effect:
the method can accurately determine the IP of the attacker server and the IP of the controlled host, so that data transmission between the controlled host and the attacker server can be cut off.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the following embodiments. It should be understood that the specific embodiments described here are merely illustrative of the invention and are not intended to limit it.
An embodiment of the invention provides a C & C channel detection method, implemented by the following steps:
Step 1: configure a legal destination IP list, which stores legal destination IPs; configure an abnormal destination IP list, which stores abnormal destination IPs; configure a legal host list, which stores legal hosts; and configure an abnormal host list, which stores abnormal hosts. The host field referred to throughout is the Host field of the HTTP protocol header.
Step 2: at intervals of a first period, count all destination IPs and source IPs, find the destination IPs that belong to neither the legal destination IP list nor the abnormal destination IP list, and mark each such destination IP together with its corresponding source IPs as preliminary suspicious IP pairs.
Specifically, the first period is ten minutes. It is chosen with the system's storage consumption in mind: a longer period would make the storage occupied by the statistics too large.
Step 3: count the number of packets transmitted in each preliminary suspicious IP pair, and find the preliminary suspicious IP pairs in which more than 1000 packets were transmitted between the destination IP and its corresponding source IP.
If the number of packets transmitted in a preliminary suspicious IP pair is too small, randomness is high and the accuracy of the statistical result suffers; in the invention, a count of more than 1000 packets between the pair makes the statistical result more reliable.
Count the uplink and downlink traffic transmitted in each preliminary suspicious IP pair, and mark as suspicious IP pairs those pairs in which the uplink traffic is more than N times the downlink traffic, where N is an integer between 10 and 25. In the invention, uplink traffic is the packet traffic sent by the controlled host to the attacker server and downlink traffic is the packet traffic sent by the attacker server to the controlled host; if the ratio of uplink to downlink traffic is too small, the traffic does not match the transmission characteristics of a C & C channel.
Step 4: find the destination IPs that correspond to more than 3 source IPs in the suspicious IP pairs, add each such destination IP to the legal destination IP list, and add the host field corresponding to it to the legal host list. Generally the number of controlled hosts exchanging data with one attacker server is at most three, so if more than 3 source IPs correspond to the same destination IP, the traffic does not match the transmission characteristics of a C & C channel.
Configure an empty suspicious destination IP list and an empty suspicious host list; add each destination IP that corresponds to at most 3 source IPs in the suspicious IP pairs to the suspicious destination IP list, and add the hosts corresponding to those destination IPs to the suspicious host list. At the same time, store the packets transmitted between every destination IP in the suspicious destination IP list and its corresponding source IPs, and obtain the IP of the attacker server and the IP of the controlled host by analysing those packets, so that data transmission between the controlled host and the attacker server can be cut off.
Step 5: at intervals of a second period, find the destination IPs in the suspicious destination IP list that correspond to more than 5 source IPs; delete each such destination IP from the suspicious destination IP list and add it to the legal destination IP list, and delete the host field corresponding to it from the suspicious host list and add that host field to the legal host list.
Find the destination IPs in the suspicious destination IP list that correspond to at most 5 source IPs; add each such destination IP to the abnormal destination IP list and the host field corresponding to it to the abnormal host list, and delete the destination IP from the suspicious destination IP list and its host field from the suspicious host list.
Specifically, the second period is 24 hours, so that the legal destination IP list, the legal host list, the abnormal destination IP list and the abnormal host list are refined and the statistical result becomes more accurate.
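Steps 1 to 5 above, implemented end to end as an added example (not code from the patent or its assignee). Each packet is reduced to a record of source IP, destination IP, direction, size and the HTTP Host value of its flow; the thresholds are the ones the patent states (more than 1000 packets, uplink more than N times downlink with N between 10 and 25, at most 3 sources in the ten-minute window, more than 5 or at most 5 sources in the 24-hour window). The Packet record, the function names, the IP addresses, Host names and traffic volumes are all constructed for the demonstration.

```python
"""Flow-statistics C & C detector following the five steps of CN108111476B.

Added example, not code from the patent. Packet records, IP addresses, Host
names and list contents below are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

PACKET_THRESHOLD = 1000  # step 3: more than 1000 packets between the pair
RATIO_N = 10             # step 3: uplink > N x downlink, N an integer in 10..25
MAX_SOURCES = 3          # step 4: at most 3 source IPs per suspicious destination
PROMOTE_SOURCES = 5      # step 5: > 5 sources -> legal list, <= 5 -> abnormal list


@dataclass(frozen=True)
class Packet:
    src: str        # internal host (possible controlled host)
    dst: str        # external destination IP (possible attacker server)
    upstream: bool  # True for src -> dst, False for the reply direction
    size: int       # bytes carried by the packet
    host: str = ""  # HTTP Host header seen on this flow, if any


def first_period(packets, legal_dst, abnormal_dst, n=RATIO_N):
    """Steps 2 to 4 over one ten-minute window.

    Returns (suspicious_dst, new_legal):
      suspicious_dst: dst -> {"sources": set, "hosts": set}  (<= MAX_SOURCES sources)
      new_legal:      dst -> set of Host values               (> MAX_SOURCES sources)
    """
    stats = defaultdict(lambda: {"pkts": 0, "up": 0, "down": 0, "hosts": set()})
    for p in packets:
        # Step 2: only destinations on neither list form preliminary pairs.
        if p.dst in legal_dst or p.dst in abnormal_dst:
            continue
        s = stats[(p.src, p.dst)]
        s["pkts"] += 1
        s["up" if p.upstream else "down"] += p.size
        if p.host:
            s["hosts"].add(p.host)
    # Step 3: packet-count threshold and uplink/downlink ratio threshold.
    suspicious_pairs = {pair: s for pair, s in stats.items()
                        if s["pkts"] > PACKET_THRESHOLD and s["up"] > n * s["down"]}
    # Step 4: group by destination and count distinct source IPs.
    sources, hosts = defaultdict(set), defaultdict(set)
    for (src, dst), s in suspicious_pairs.items():
        sources[dst].add(src)
        hosts[dst] |= s["hosts"]
    suspicious_dst, new_legal = {}, {}
    for dst, srcs in sources.items():
        if len(srcs) > MAX_SOURCES:
            new_legal[dst] = hosts[dst]  # too many clients for one C & C server
        else:
            suspicious_dst[dst] = {"sources": srcs, "hosts": hosts[dst]}
    return suspicious_dst, new_legal


def second_period(accumulated_sources):
    """Step 5 over the 24-hour window. accumulated_sources maps each suspicious
    destination to every source IP seen talking to it during that window.
    Returns (destinations moved to the legal list, destinations moved to the
    abnormal list)."""
    legal, abnormal = set(), set()
    for dst, srcs in accumulated_sources.items():
        (legal if len(srcs) > PROMOTE_SOURCES else abnormal).add(dst)
    return legal, abnormal


def _flow(src, dst, n_up, up_size, n_down, down_size, host):
    """Constructed flow: n_up upstream packets followed by n_down replies."""
    return ([Packet(src, dst, True, up_size, host)] * n_up
            + [Packet(src, dst, False, down_size, host)] * n_down)


def sample_packets():
    """Constructed ten-minute window (not real traffic)."""
    pk = []
    # Two hosts pushing data to one server: 1200 pkts, 1.1 MB up vs 10 KB down.
    for src in ("10.0.0.5", "10.0.0.6"):
        pk += _flow(src, "203.0.113.10", 1100, 1000, 100, 100, "update.example.net")
    # Four hosts uploading to a backup service: up-heavy, but more than 3 clients.
    for src in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
        pk += _flow(src, "198.51.100.20", 1400, 1000, 100, 100, "backup.example.com")
    # Balanced flow: passes the packet count, fails the ratio.
    pk += _flow("10.0.0.7", "192.0.2.30", 600, 1000, 600, 1000, "www.example.org")
    # Up-heavy but only 50 packets: below the count threshold.
    pk += _flow("10.0.0.8", "203.0.113.40", 45, 1000, 5, 100, "")
    # Destination already on the legal list: skipped in step 2.
    pk += _flow("10.0.0.9", "203.0.113.50", 1100, 1000, 100, 100, "cdn.example.com")
    return pk


if __name__ == "__main__":
    suspicious, promoted = first_period(sample_packets(), {"203.0.113.50"}, set())
    print("suspicious destinations:", suspicious)
    print("promoted to legal list:", promoted)
```

The ten-minute window is processed by first_period(); the caller accumulates the source sets of the destinations it returns and hands the union over the 24-hour window to second_period(). Two points a deployment has to settle that the patent leaves open: hosts behind a NAT or proxy share one source IP, so the 3- and 5-source counts undercount real clients there; and the thresholds are the patent's tuning values, so a channel that stays under 1000 packets per window, or keeps its uplink/downlink ratio below N, is outside what this test sees.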
The above is only a preferred embodiment of the invention and is not intended to limit its scope.

Claims (5)

1. A C & C channel detection method, characterised by comprising the following steps:
counting all destination IPs and source IPs at intervals of a first period, and recording each destination IP that belongs to neither a legal destination IP list nor an abnormal destination IP list, together with its corresponding source IPs, as preliminary suspicious IP pairs;
counting the number of packets transmitted between the destination IP and the source IP in each preliminary suspicious IP pair and counting the uplink and downlink traffic transmitted between them, and marking a preliminary suspicious IP pair as a suspicious IP pair when more than 1000 packets were transmitted between its destination IP and source IP and its uplink traffic is more than N times its downlink traffic, where N is an integer between 10 and 25;
adding each destination IP that corresponds to at most 3 source IPs in the suspicious IP pairs to a suspicious destination IP list, and at the same time storing the packets transmitted between every destination IP in the suspicious destination IP list and its corresponding source IPs;
obtaining the IP of the attacker server and the IP of the controlled host by analysing the stored packets.
2. The method of claim 1, further comprising: for each destination IP that corresponds to more than 3 source IPs in the suspicious IP pairs, adding that destination IP to the legal destination IP list and adding the host field corresponding to it to a legal host list.
3. The C & C channel detection method according to claim 1 or 2, wherein after the IP of the attacker server and the IP of the controlled host have been obtained by analysing the packets, the method further comprises: at intervals of a second period, for each destination IP in the suspicious destination IP list that corresponds to more than 5 source IPs, deleting that destination IP from the suspicious destination IP list and adding it to the legal destination IP list, and deleting the host field corresponding to it from a suspicious host list and adding that host field to the legal host list.
4. The C & C channel detection method according to claim 3, wherein after the IP of the attacker server and the IP of the controlled host have been obtained by analysing the packets, the method further comprises: for each destination IP in the suspicious destination IP list that corresponds to at most 5 source IPs, adding that destination IP to the abnormal destination IP list and adding the host field corresponding to it to an abnormal host list, and deleting the destination IP from the suspicious destination IP list and its host field from the suspicious host list.
5. The method according to claim 1, wherein before counting all destination IPs and source IPs at intervals of the first period, the method further comprises: configuring a legal destination IP list for storing legal destination IPs; configuring an abnormal destination IP list for storing abnormal destination IPs; configuring a legal host list for storing legal hosts; and configuring an abnormal host list for storing abnormal hosts.

Priority Applications (1)

Application CN201710670294.2A (published as CN108111476B): priority date 2017-08-08, filing date 2017-08-08, title "C & C channel detection method". The same application is the only one claiming this priority.

Publications (2)

Publication Number, Publication Date
CN108111476A (en), 2018-06-01
CN108111476B (en), 2021-01-19

Family

ID=62207262

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710670294.2A Active CN108111476B (en) 2017-08-08 2017-08-08 C & C channel detection method

Country Status (1)

Country Link
CN (1) CN108111476B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110198298B (en) * 2018-10-11 2021-08-27 腾讯科技(深圳)有限公司 Information processing method, device and storage medium
WO2021134528A1 (en) * 2019-12-31 2021-07-08 李庆远 Anti-secret-photographing traffic monitoring and interference method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465865A (en) * 2009-01-13 2009-06-24 成都市华为赛门铁克科技有限公司 Method and equipment for defending network aggression and establishing network connection
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
CN101895521A (en) * 2009-05-22 2010-11-24 中国科学院研究生院 Network worm detection and characteristic automatic extraction method and system
CN102984003A (en) * 2012-11-30 2013-03-20 深圳中兴网信科技有限公司 Network access detection system and network access detection method
CN103297433A (en) * 2013-05-29 2013-09-11 中国科学院计算技术研究所 HTTP botnet detection method and system based on net data stream

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101378394B (en) * 2008-09-26 2012-01-18 成都市华为赛门铁克科技有限公司 Detection defense method for distributed reject service and network appliance
CN102271068B (en) * 2011-09-06 2015-07-15 电子科技大学 Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
EP2843889A1 (en) * 2013-08-29 2015-03-04 Alcatel Lucent System and method for routing traffic in a mobile network interfaced with a cdn
US9119064B2 (en) * 2013-11-20 2015-08-25 At&T Intellectual Property I, L.P. Method and apparatus for providing broadcast channel encryption to enhance cellular network security
CN105681250B (en) * 2014-11-17 2019-04-02 中国信息安全测评中心 A kind of Botnet distribution real-time detection method and system
CN104468554A (en) * 2014-11-28 2015-03-25 北京奇虎科技有限公司 Attack detection method and device based on IP and HOST
CN104468631A (en) * 2014-12-31 2015-03-25 国家电网公司 Network intrusion identification method based on anomaly flow and black-white list library of IP terminal


Also Published As

Publication number Publication date
CN108111476A (en) 2018-06-01


Legal Events

Code, Title
PB01, Publication
SE01, Entry into force of request for substantive examination
GR01, Patent grant