CN108229159A - A malicious code detection method and system - Google Patents

A malicious code detection method and system

Info

Publication number: CN108229159A
Application number: CN201611128576.1A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN108229159B (en)
Inventors: 胡雪飞, 冯泽, 乔伟
Current and original assignee: Wuhan Antian Information Technology Co Ltd
Prior art keywords: malicious code, detection, real-time traffic, data
Legal status: granted; active
Events: application filed by Wuhan Antian Information Technology Co Ltd; priority to CN201611128576.1A; publication of CN108229159A; application granted; publication of CN108229159B

Classifications

    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures)
    • H04L43/18 Protocol analysers (under H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture involving adaptations of sockets based mechanisms (under H04L69/16 Implementation or adaptation of IP, TCP or UDP; H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields)
    • H04L69/163 In-band adaptation of TCP data exchange; in-band control procedures
    • H04L69/22 Parsing or analysis of headers (under H04L69/00 Network arrangements, protocols or services independent of the application payload)


Abstract

The invention discloses a malicious code detection method and system. The method comprises the following steps: obtaining the real-time traffic data on a mobile terminal device; parsing and filtering the obtained real-time traffic data in real time and extracting characteristic data from them; matching the extracted characteristic data against a preset malicious code rule feature library; if they match, a malicious code has been detected. The invention detects malicious code that uploads or downloads data over the network well, and discovers malicious behaviour earlier, so that the user can be notified to deal with it and losses are reduced.

Description

A malicious code detection method and system
Technical field
The present invention relates to the field of malicious code detection on mobile terminals, and in particular to a malicious code detection method and system.
Background technology
Traditional malware detection techniques for mobile terminals can be broadly divided into two classes: static detection and dynamic detection.
(1) Static detection scans the program of the malware, decompiles and disassembles it with reverse engineering techniques, and matches the static data against a malicious code feature library in order to find the malicious code. This technique is easy to implement on a mobile terminal, so the mobile security products of most major security vendors currently use this approach. However, as malicious code has evolved, countermeasures such as code obfuscation and packing have made decompilation increasingly difficult, and the proliferation of malicious code has made feature matching ever larger, so resource consumption grows and efficiency falls. At the same time, static detection depends heavily on the features of known malicious code and is very weak at discovering unknown malware.
(2) Dynamic detection runs the application software and monitors its calls to sensitive system resources in order to identify it. This dynamic approach has some ability to discover unknown malicious applications, but it is complicated to implement on a mobile terminal, consumes a great deal of the user terminal's resources, and makes system stability hard to guarantee.
Invention content
The technical problem solved by the present invention is the prior art's insufficient ability to discover unknown malware and its huge resource consumption; to this end it provides a malicious code detection method and system.
The technical solution adopted by the present invention to solve this problem is as follows.
The present invention provides a malicious code detection method comprising the following steps:
obtaining the real-time traffic data on a mobile terminal device;
parsing and filtering the obtained real-time traffic data in real time, and extracting the characteristic data of the real-time traffic data;
matching the extracted characteristic data against a preset malicious code rule feature library; if they match, a malicious code has been detected.
Further, when the real-time traffic data on the mobile terminal device are obtained, the application information of each application program to which the real-time traffic data belong is also obtained; when the extracted characteristic data match the preset malicious code rule feature library, the application program carrying the malicious code is identified.
Further, the methods of the present invention for matching the characteristic data against the rule feature library include a quick detection method and a deep detection method.
Further, the quick detection method of the present invention specifically includes:
obtaining the parsed data and processing them to obtain at least one of the following items of detection information: protocol type, IP address, port number, domain name, uri, the url formed from host and uri and the value calculated from the url, protocol method or command type, uriparam, httpparam, attachment file type, filehash, user name, password and mail subject;
matching the detection information obtained by this processing against the corresponding types in the quick-detection rule feature library; when the hit rate of the detection information in a single rule reaches a threshold, a malicious code has been detected.
Further, the deep detection method of the present invention specifically includes:
adding at least one of the following items of detection information: the attachment file content (filecontent) of HTTP, FTP and email, the hash of filecontent, the length of filecontent, the mail body, and the output result of quick detection;
taking the added detection information together with the detection information obtained in the quick detection method as the information to be detected by deep detection, and matching it against the corresponding types in the deep-detection rule feature library; when the hit rate of each type in a single rule reaches a threshold, a malicious code has been detected.
The present invention also provides a malicious code detection system, comprising:
a traffic acquisition module for obtaining the real-time traffic data on the mobile terminal device and the application information corresponding to them;
a traffic parsing module for parsing and filtering the obtained real-time traffic data in real time and extracting the characteristic data of the real-time traffic data;
a detection module for matching the extracted characteristic data against the preset malicious code rule feature library;
an output control module for judging whether the characteristic data match the malicious code information in the rule feature library; if they match, a malicious code has been detected.
Further, when the traffic acquisition module obtains the real-time traffic data on the mobile terminal device, it also obtains the application information of each application program corresponding to the real-time traffic data; when the extracted characteristic data match the preset malicious code rule feature library, the output control module identifies the application program carrying the malicious code.
Further, the detection module of the present invention includes a quick detection module and a deep detection module.
The beneficial effects of the present invention are as follows. Because the malicious code detection method of the present invention is based on real-time traffic data, it largely avoids anti-detection techniques such as obfuscation and packing, and it detects malicious code that uploads or downloads data over the network particularly well. The method can discover malicious behaviour earlier and notify the user to deal with it, reducing the user's losses. It can also perform deep detection on uploaded and downloaded data and, combined with static detection techniques, provides a more comprehensive malicious code detection capability.
Description of the drawings
The invention is further described below with reference to the accompanying drawings and embodiments, in which:
Fig. 1 is the method flow chart of the embodiment of the present invention;
Fig. 2 is the traffic capture flow chart of the embodiment of the present invention;
Fig. 3 is the traffic parsing flow chart of the embodiment of the present invention;
Fig. 4 is the system structure diagram of the embodiment of the present invention.
Specific embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and do not limit it.
As shown in Fig. 1, the malicious code detection method of the embodiment of the present invention includes the following steps:
S1, obtaining the real-time traffic data on the mobile terminal device and the application information of each application program to which they correspond.
The method for obtaining the real-time traffic data in step S1 specifically includes:
S11, judging whether the user has set a network interface card (NIC) to monitor; if so, performing step S12; if not, setting the monitoring mode to automatic mode, reading the information of each NIC in turn, monitoring the NIC that is currently up, and setting a timed task to monitor the NIC status;
S12, creating a socket, setting a filter, and establishing a ring buffer of unswappable memory; the filter is set to discard useless network data, for performance reasons;
S13, mapping the ring buffer into user space, binding the socket to the monitored NIC, and setting the monitoring mode of the NIC;
S14, when the ring buffer contains readable traffic data, parsing them in real time;
S15, if a NIC switch signal is received, stopping the acquisition of traffic data on the current NIC and, after switching NICs, obtaining real-time traffic data again, until an exit signal is received, at which point the acquisition of real-time traffic data stops.
S2, parsing and filtering the obtained real-time traffic data in real time, and extracting the characteristic data of the real-time traffic data.
The methods for obtaining the application information corresponding to the real-time traffic data on the mobile terminal device are:
Method 1: by hooking system APIs, obtaining in real time the IP and port on which network behaviour occurs and the application information corresponding to them.
Method 2: querying in real time the network log file exported by the system to obtain the application information corresponding to the traffic.
The method for parsing the real-time traffic data in real time in step S2 specifically includes:
S21, reading the network packet header of the real-time traffic data and then identifying the transport layer protocol; if it is TCP or UDP, performing step S22;
S22, matching the IP of the real-time traffic data against a preset IP whitelist; if the IP is in the whitelist, directly returning the corresponding name from the whitelist; if it is not, performing the corresponding protocol parsing according to the transport layer protocol;
S23, if the transport layer protocol is TCP, performing TCP reassembly, identifying the application layer protocol, and extracting the characteristic data:
if the application layer protocol is HTTP, extracting and recording at least one of ip, uri, port, host, HTTP method name, HTTP method parameters and HTTP content header;
if the application layer protocol is FTP, extracting and recording at least one of ip, port number, user name, password, FTP command type and FTP file name;
if the application layer protocol is SMTP, POP3 or IMAP4, extracting and recording at least one of ip, port number, user name, password, sender, recipient and subject;
S24, if the transport layer protocol is UDP, identifying the DNS application layer protocol, parsing it, recording the DNS query domain name and IP, and detecting the parsing result in real time.
The packet reassembly process in step S23 first identifies the packets that belong to the same connection, then uses the TCP sequence numbers and acknowledgement numbers to determine the order of the data at the local and remote ends respectively, and so reassembles the packets. Because the detection environment differs between the local host's own traffic and traffic that is not the local host's, two different methods are used to identify the packets of the same connection:
For traffic on the local host:
A. Obtain the local IP address; decide whether the source IP address or the destination IP address of the packet equals the local address in order to determine the local port number of the network connection (the source TCP port number or the destination TCP port number), and extract the local port number, the remote IP and the remote port number.
B. For packets with the same local port number, further verify whether the remote IP and port number are consistent; if they are, these packets are regarded as packets of the same connection.
For traffic not on the local host:
A. Concatenate the source IP, destination IP, source port number and destination port number in a fixed order: either the smaller IP with its port number is placed first, or the larger IP with its port number is placed first.
B. Packets whose concatenated data are identical are judged to belong to the same connection.
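The connection identification and reassembly of step S23, as an added example that is not the patent's own code: packets are plain dicts as a hypothetical parser would produce them, the local and non-local connection keys follow the two methods above, and each direction of a connection is rebuilt in sequence-number order, stopping at the first gap. The sample segments are constructed.

```python
"""Connection identification and TCP reassembly after step S23 (added example)."""
import ipaddress
from collections import defaultdict


def as_ip(addr):
    return ipaddress.ip_address(addr)


def local_connection_key(pkt, local_ips):
    """Local-host traffic: the local port identifies the connection, and the
    remote ip/port are kept so that two connections sharing a local port are
    told apart. Returns None when neither address belongs to this host."""
    src, dst = as_ip(pkt["src_ip"]), as_ip(pkt["dst_ip"])
    if src in local_ips:
        return ("local", pkt["src_port"], dst, pkt["dst_port"])
    if dst in local_ips:
        return ("local", pkt["dst_port"], src, pkt["src_port"])
    return None


def remote_connection_key(pkt):
    """Other hosts' traffic: concatenate the two (ip, port) endpoints in a fixed
    order (smaller ip and its port first) so both directions yield one key.
    Assumes both addresses are of the same IP family."""
    a = (as_ip(pkt["src_ip"]), pkt["src_port"])
    b = (as_ip(pkt["dst_ip"]), pkt["dst_port"])
    return ("remote",) + (a + b if a <= b else b + a)


class TcpStream:
    """One direction of a connection: payloads indexed by TCP sequence number."""

    def __init__(self):
        self.isn = None          # sequence number of the first data byte
        self.segments = {}

    def add(self, seq, payload, syn=False):
        if syn:
            self.isn = (seq + 1) & 0xFFFFFFFF   # data starts after the SYN
        if payload and seq not in self.segments:
            self.segments[seq] = payload        # retransmits are ignored

    def assemble(self):
        """Walk the segments in sequence order and stop at the first gap, so
        nothing out of order reaches the application-layer parser."""
        if not self.segments:
            return b""
        nxt = self.isn if self.isn is not None else min(self.segments)
        out = bytearray()
        while nxt in self.segments:
            out += self.segments[nxt]
            nxt = (nxt + len(self.segments[nxt])) & 0xFFFFFFFF
        return bytes(out)


class Reassembler:
    def __init__(self, local_ips=()):
        self.local_ips = {as_ip(a) for a in local_ips}
        self.conns = defaultdict(dict)   # key -> {sender endpoint: TcpStream}

    def feed(self, pkt):
        key = local_connection_key(pkt, self.local_ips) or remote_connection_key(pkt)
        sender = (as_ip(pkt["src_ip"]), pkt["src_port"])
        stream = self.conns[key].setdefault(sender, TcpStream())
        stream.add(pkt["seq"], pkt.get("payload", b""), pkt.get("syn", False))
        return key

    def data(self, key, src_ip, src_port):
        stream = self.conns[key].get((as_ip(src_ip), src_port))
        return stream.assemble() if stream else b""


# Constructed sample: a client request arriving out of order, with one retransmit.
CLIENT, SERVER = "10.0.0.5", "203.0.113.9"
SAMPLE_SEGMENTS = [
    dict(src_ip=CLIENT, dst_ip=SERVER, src_port=40000, dst_port=80, seq=1000, syn=True),
    dict(src_ip=CLIENT, dst_ip=SERVER, src_port=40000, dst_port=80, seq=1017,
         payload=b"Host: a.test\r\n\r\n"),
    dict(src_ip=CLIENT, dst_ip=SERVER, src_port=40000, dst_port=80, seq=1001,
         payload=b"GET / HTTP/1.1\r\n"),
    dict(src_ip=CLIENT, dst_ip=SERVER, src_port=40000, dst_port=80, seq=1001,
         payload=b"GET / HTTP/1.1\r\n"),
]


def demo():
    """Feed the constructed segments and return the reassembled client stream."""
    r = Reassembler(local_ips=[CLIENT])
    key = None
    for seg in SAMPLE_SEGMENTS:
        key = r.feed(seg)
    return r.data(key, CLIENT, 40000)


if __name__ == "__main__":
    print(demo())
```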
S3, matching the extracted characteristic data against the preset malicious code rule feature library.
The methods for matching the characteristic data against the rule feature library in step S3 include a quick detection method and a deep detection method.
The quick detection method specifically includes:
S311, obtaining the parsed data and processing them to obtain at least one of the following items of detection information: protocol type, IP address, port number, domain name, the uniform resource identifier (uri) in the HTTP header, the url formed from host and uri and the value calculated from the url, the protocol method or command type, the parameters following the uri in the HTTP header, the entity header fields and their contents in the HTTP request header, the attachment file type, the Content-MD5 value in the HTTP entity header, user name, password and mail subject;
The processing of the parsed data in step S311 specifically includes:
A. combining uri with host to output url, and calculating the hash value urlhash of the url;
B. identifying the file type of an HTTP file from the uri suffix, the Content-Type or the file header, and labelling it filetype;
C. calculating a hash over the content of each protocol's attachment file, labelled filehash;
D. extracting the parameter content following the uri of the HTTP request, labelled uriparam.
S312, matching the detection information obtained by this processing against the corresponding types in the quick-detection rule feature library; when the hit rate of each type in a single rule reaches a threshold, a malicious code has been detected.
The deep detection method specifically includes:
S321, adding at least one of the following items of detection information: the attachment file content (filecontent) of HTTP, FTP and email, the hash of filecontent, the length of filecontent, the mail body, and the output result of quick detection;
The processing of the parsed data in step S321 specifically includes:
A. detecting the files sent over HTTP, the files downloaded over FTP and the files received by mail with a static engine; if a virus is detected, outputting the virus name;
B. for HTTP POST attachments, FTP STOR attachments and SMTP mail contents, performing the following detection:
i. for data whose Content-Encoding indicates that they have been encoded, decompressing or decoding them accordingly, judging the format of the new file content, and updating filetype;
ii. decompressing the data if filetype is a known compressed format;
iii. labelling the new file content filecontent;
iv. calculating a new filehash;
C. submitting the final filecontent, filetype and filehash, together with the quick-detection data, to the deep detection rules.
S322, taking the added detection information together with the detection information obtained in the quick detection method as the information to be detected by deep detection, and matching it against the corresponding types in the deep-detection rule feature library; when the hit rate of each type in a single rule reaches a threshold, a malicious code has been detected.
S4, if the characteristic data are consistent with the malicious code information in the rule feature library, a malicious code has been detected.
Because the application information of each application program corresponding to the real-time traffic data was obtained in S1, the application program carrying the malicious code can also be identified at the same time as the malicious code is detected.
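One way to implement the quick-detection processing of S311 and the per-rule hit-rate matching of S312, as an added example rather than the patent's code: the parsed HTTP fields are a dict from a hypothetical parser, the file-type tables and rules are constructed, and SHA-256 stands in for the unspecified hash. A rule is a set of per-type patterns and fires when the fraction of its types that hit reaches its threshold.

```python
"""Quick-detection stage: derive url/urlhash/filetype/filehash/uriparam from parsed
HTTP fields and match them against a rule library (added example)."""
import hashlib
import re
from dataclasses import dataclass

# Constructed lookup tables: uri suffix, Content-Type and file-header magic -> filetype.
SUFFIX_TYPES = {".apk": "apk", ".zip": "zip", ".exe": "pe", ".jar": "jar", ".dex": "dex"}
CONTENT_TYPES = {"application/vnd.android.package-archive": "apk",
                 "application/zip": "zip", "application/x-msdownload": "pe"}
MAGIC_TYPES = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"dex\n", "dex")]


def classify_file(uri, content_type=None, head=b""):
    """Step B: uri suffix first, then Content-Type, then the file header."""
    path = uri.split("?", 1)[0].lower()
    for suffix, ftype in SUFFIX_TYPES.items():
        if path.endswith(suffix):
            return ftype
    if content_type:
        ftype = CONTENT_TYPES.get(content_type.split(";")[0].strip().lower())
        if ftype:
            return ftype
    for magic, ftype in MAGIC_TYPES:
        if head.startswith(magic):
            return ftype
    return "unknown"


def build_detection_info(parsed):
    """Steps A-D plus the fields carried over unchanged from the parser.
    Every value is a string so that rule patterns can be applied uniformly."""
    uri = parsed.get("uri", "")
    url = parsed.get("host", "") + uri            # step A: url = host + uri
    body = parsed.get("body", b"")
    return {
        "protocol": parsed.get("protocol", ""),
        "ip": parsed.get("ip", ""),
        "port": str(parsed.get("port", "")),
        "domain": parsed.get("host", ""),
        "uri": uri,
        "url": url,
        "urlhash": hashlib.sha256(url.encode()).hexdigest(),
        "method": parsed.get("method", ""),
        "uriparam": uri.split("?", 1)[1] if "?" in uri else "",   # step D
        "filetype": classify_file(uri, parsed.get("content_type"), body[:8]),
        "filehash": hashlib.sha256(body).hexdigest() if body else "",   # step C
    }


@dataclass
class Rule:
    name: str
    patterns: dict            # detection-information type -> regex it must match
    threshold: float = 1.0    # fraction of the rule's types that must hit


def match_rule(info, rule):
    """Step S312: count the types of this rule whose pattern hits the value of
    the same type in the detection information; fire at the threshold."""
    hits = sum(1 for t, pat in rule.patterns.items() if re.search(pat, info.get(t, "")))
    return hits / len(rule.patterns) >= rule.threshold


def quick_detect(info, rules):
    """Names of all rules that fire, in library order."""
    return [r.name for r in rules if match_rule(info, r)]


# Constructed sample: an APK fetched with a disguised uri, and three constructed rules.
SAMPLE_PARSED = {
    "protocol": "http", "ip": "203.0.113.9", "port": 80, "host": "dl.example.test",
    "method": "GET", "uri": "/get.php?id=7&f=app.apk",
    "content_type": "application/vnd.android.package-archive",
    "body": b"PK\x03\x04" + b"\x00" * 12,      # zip magic, as an APK body starts
}
SAMPLE_RULES = [
    Rule("Constructed.Dropper.A",
         {"domain": r"\.example\.test$", "filetype": r"^apk$", "uriparam": r"f=[^&]*\.apk"}),
    Rule("Constructed.Upload.B", {"method": r"^POST$", "filetype": r"^apk$"}),
    Rule("Constructed.Upload.B.loose", {"method": r"^POST$", "filetype": r"^apk$"}, 0.5),
]


if __name__ == "__main__":
    print(quick_detect(build_detection_info(SAMPLE_PARSED), SAMPLE_RULES))
```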
The malicious code detection system of the embodiment of the present invention includes:
a traffic acquisition module for obtaining the real-time traffic data on the mobile terminal device and the application information corresponding to them;
a traffic parsing module for parsing and filtering the obtained real-time traffic data in real time and extracting the characteristic data of the real-time traffic data;
a detection module for matching the extracted characteristic data against the preset malicious code rule feature library;
an output control module for judging whether the characteristic data match the malicious code information in the rule feature library; if they match, a malicious code has been detected.
It should be understood that if the traffic acquisition module also obtains the application information of each application program corresponding to the real-time traffic data, the output control module can also identify the application program carrying the malicious code at the same time as the malicious code is detected.
The detection module includes a quick detection module and a deep detection module.
The quick detection module obtains the parsed data and processes them to obtain at least one of the following items of detection information: protocol type, IP address, port number, domain name, the uniform resource identifier (uri) in the HTTP header, the url formed from host and uri and the value calculated from the url, the protocol method or command type, the parameters following the uri in the HTTP header, the entity header fields and their contents in the HTTP request header, the attachment file type, the Content-MD5 value in the HTTP entity header, user name, password and mail subject. It matches the detection information obtained by this processing against the corresponding types in the quick-detection rule feature library; when the hit rate of each type in a single rule reaches a threshold, a malicious code has been detected.
The deep detection module processes the parsed data to add at least one of the following items of detection information: the attachment file content (filecontent) of HTTP, FTP and email, the hash of filecontent, the length of filecontent, the mail body, and the quick-detection output name. It takes the added detection information together with the detection information obtained by the quick detection module as the information to be detected by deep detection and matches it against the corresponding types in the deep-detection rule feature library; when the hit rate of each type in a single rule reaches a threshold, a malicious code has been detected. Because the application information of each application program corresponding to the real-time traffic data has been obtained, the application program carrying the malicious code can also be identified at the same time as the malicious code is detected.
In another specific embodiment of the present invention, the malicious code detection method includes the following steps:
a) capturing real-time traffic data;
b) parsing and filtering the captured traffic data in real time and extracting characteristic data;
c) matching the characteristic data against the rule feature library and, on a hit, outputting the malicious code detection name.
The capture flow for real-time traffic is as follows:
1) If the user has set a NIC port to monitor, this step is skipped. If not, the monitoring mode is set to automatic; in this mode the information of each NIC is read in turn to judge which NIC is currently up, the NIC that is currently up is monitored, and if no NIC is up, the wlan0 NIC is monitored by default. A timed task is set to monitor the NIC status; if it finds that the NIC that is up has changed, it sends a NIC switch signal.
2) Create the socket.
3) Set the BPF filter.
4) Establish a ring buffer of unswappable memory.
5) Map the ring buffer into user space with the mmap function.
6) Bind the socket to the monitored NIC.
7) Set the NIC monitoring mode.
8) Check whether the ring buffer contains readable traffic data; if so, pass the data to the parsing module.
9) Judge whether an exit signal has been received, in which case the current capture procedure exits, or a NIC switch signal has been received, in which case capture on the current NIC exits and the monitoring flow is re-entered.
The real-time traffic parsing flow is as follows:
1) Read the tpacket_hdr network packet header.
2) Read the Ethernet header and distinguish IPv4 from IPv6.
3) Read the IP header and identify the transport layer protocol; if it is TCP or UDP, go to the next step.
4) Match the IP against the IP whitelist; on a hit, directly return the corresponding whitelist name. Otherwise enter the corresponding protocol parsing below according to the transport layer protocol. The matching here is performed on the non-local IP, and binary search is used to improve efficiency.
5) For TCP, perform TCP reassembly and identify the application layer protocol (HTTP, FTP, SMTP, IMAP4, POP3 and so on). For the connection of each protocol, extract the following information from the header and submit it to the detection module for quick detection.
For HTTP, extract ip, uri, port, host, the HTTP method name (GET, POST and so on), the HTTP method parameters (including Content-Type, Content-Length, Content-Language, Content-Encoding, Content-Location, Content-Range, Content-MD5 and so on) and part of the HTTP content header.
For FTP, extract and record ip, port number, user name, password, FTP command type (the LIST, STOR and RETR commands), FTP file name and so on.
For SMTP, POP3 and IMAP4, extract ip, port number, user name, password, sender, recipient, subject and so on.
The extracted information is submitted to the parsing module, which passes it into the quick detection branch. Then, once the HTTP and FTP attachments and the SMTP, POP3 and IMAP4 mail contents have been received completely, the parsed contents and their attachments are submitted to the parsing module and passed into the deep detection branch.
6) For UDP, identify the DNS application layer protocol and parse it, record the DNS query domain name and IP, and submit the parsing result to the detection module.
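Steps 1) to 4) of the parsing flow, as an added example that is not the patent's code: a ring-buffer slot is read as a TPACKET_V1 tpacket_hdr (64-bit layout assumed), followed by the Ethernet header, the IPv4 or IPv6 header and the TCP or UDP ports, and the resulting addresses are looked up in a sorted whitelist by binary search. The slot bytes and whitelist entries are constructed.

```python
"""Ring-slot frame parsing and whitelist lookup (added example)."""
import ipaddress
import struct
from bisect import bisect_left

TP_STATUS_USER = 1
# struct tpacket_hdr (TPACKET_V1) on a 64-bit kernel: tp_status is an unsigned long,
# then tp_len, tp_snaplen, tp_mac, tp_net, tp_sec, tp_usec.
TPACKET_HDR = struct.Struct("=QIIHHII")
ETH_P_IP, ETH_P_IPV6 = 0x0800, 0x86DD
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_frame(slot):
    """Return the 5-tuple and payload of a TCP/UDP frame; None for a slot still
    owned by the kernel; {'proto': n} for transport protocols that are not parsed."""
    status, _, snaplen, tp_mac, tp_net, _, _ = TPACKET_HDR.unpack_from(slot, 0)
    if not status & TP_STATUS_USER:
        return None
    end = tp_mac + snaplen                       # captured frame ends here
    ethertype = struct.unpack_from("!H", slot, tp_mac + 12)[0]
    if ethertype == ETH_P_IP:
        ihl = (slot[tp_net] & 0x0F) * 4
        proto = slot[tp_net + 9]
        src = ipaddress.IPv4Address(bytes(slot[tp_net + 12:tp_net + 16]))
        dst = ipaddress.IPv4Address(bytes(slot[tp_net + 16:tp_net + 20]))
        transport = tp_net + ihl
    elif ethertype == ETH_P_IPV6:
        proto = slot[tp_net + 6]                 # next header; extension headers not followed
        src = ipaddress.IPv6Address(bytes(slot[tp_net + 8:tp_net + 24]))
        dst = ipaddress.IPv6Address(bytes(slot[tp_net + 24:tp_net + 40]))
        transport = tp_net + 40
    else:
        return {"proto": None, "ethertype": ethertype}
    if proto not in PROTO_NAMES:
        return {"proto": proto}
    sport, dport = struct.unpack_from("!HH", slot, transport)
    if proto == 6:
        seq = struct.unpack_from("!I", slot, transport + 4)[0]
        data_off = (slot[transport + 12] >> 4) * 4
    else:
        seq, data_off = None, 8
    return {"proto": PROTO_NAMES[proto], "src_ip": src, "dst_ip": dst,
            "src_port": sport, "dst_port": dport, "seq": seq,
            "payload": bytes(slot[transport + data_off:end])}


class IpWhitelist:
    """Sorted table of (family, int(ip)) keys looked up with bisect, as step 4) describes."""

    def __init__(self, entries):
        rows = sorted(((ipaddress.ip_address(ip).version, int(ipaddress.ip_address(ip))), name)
                      for ip, name in entries)
        self.keys = [k for k, _ in rows]
        self.names = [n for _, n in rows]

    def lookup(self, ip):
        if isinstance(ip, str):
            ip = ipaddress.ip_address(ip)
        key = (ip.version, int(ip))
        i = bisect_left(self.keys, key)
        return self.names[i] if i < len(self.keys) and self.keys[i] == key else None


def build_sample_slot():
    """Constructed ring slot: tpacket_hdr, padding, then Ethernet/IPv4/TCP + payload."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1001, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("10.0.0.5").packed,
                     ipaddress.IPv4Address("203.0.113.9").packed)
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP)
    frame = eth + ip + tcp + payload
    tp_mac = 32                                  # frame starts 16-byte aligned after the header
    hdr = TPACKET_HDR.pack(TP_STATUS_USER, len(frame), len(frame), tp_mac, tp_mac + 14, 0, 0)
    return hdr + b"\x00" * (tp_mac - TPACKET_HDR.size) + frame


if __name__ == "__main__":
    pkt = parse_frame(build_sample_slot())
    wl = IpWhitelist([("203.0.113.9", "cdn-test"), ("198.51.100.1", "update-test")])
    print(pkt, wl.lookup(pkt["dst_ip"]))
```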
As shown in Fig. 4, the malicious code detection system includes the following modules:
a) a traffic capture module for capturing real-time traffic data;
b) a traffic parsing module for parsing the real-time traffic data and extracting characteristic data;
c) a detection module, which matches the characteristic data against the rule feature library in order to find malicious code;
d) an output control module, which controls the exit of the program, the output of the detection name of the malicious code, the handling of the malicious code, and so on.
The workflow of the detection module is as follows:
1. The quick detection flow is as follows: the data passed in by the parsing module are processed further;
a) uri is combined with host to output url, and the hash value urlhash of the url is calculated;
b) for HTTP files, the file type is identified from the uri suffix, the Content-Type or the file header, and labelled filetype;
c) a hash is calculated over the content of each protocol's attachment file, labelled filehash;
d) the parameter content following the uri of the HTTP request is extracted and labelled uriparam.
The processed data and their type declarations are as follows:
The above information is matched by type against the quick rule library; when the hit rate of the rules of each type in a single rule reaches a certain proportion, the rule is regarded as detected, and the virus name is output to the control module for the corresponding handling.
2. The deep detection flow is as follows:
a) The files sent by the HTTP server, the files downloaded over FTP and the attachments of received mail are detected with a static engine; if a virus name is detected, the virus name is submitted to the control module for the corresponding handling.
b) For HTTP POST attachments, FTP STOR attachments and SMTP mail contents, the following detection flow is performed, in these steps:
i. for data whose Content-Encoding indicates that they have been encoded, they are decompressed or decoded accordingly, the format of the new file content is judged, and filetype is updated;
ii. if filetype is a known compressed format, the data are decompressed;
iii. the new file content is labelled filecontent;
iv. a new filehash is calculated.
c) The final filecontent, filetype and filehash are submitted, together with the quick-detection data, to the deep detection rules.
d) Relative to quick detection, the detection data types of deep detection add the following content:
As with quick detection, when the rule hit rate reaches a certain proportion, it is regarded as detected, and the detection name is output to the control module for subsequent processing.
3. Quick detection and deep detection are two branches; the user can choose as needed to perform only quick detection, only deep detection, or both combined.
In another specific embodiment of the present invention, the capture flow of real-time traffic is shown in Figure 2; the specific implementation steps are as follows:
1) If the user has set the network card port to monitor, this step is skipped. If it has not been set, the monitoring mode is set to automatic mode: in this mode the information of each network card is read in turn to determine which network card is currently open, and the currently open network card is monitored; if no network card is open, wlan0 is monitored by default.
2) A timed task is set to monitor the network card status; if it finds that a different network card has been opened, it sends a network card switching signal.
3) A socket is created. If link-layer information is needed, the mode is set to SOCK_RAW; if link-layer information is not needed, the mode is set to SOCK_DGRAM, and the kernel provides a dummy (fake) header.
4) The BPF filtering rules are parsed and the BPF filter is set via setsockopt (SOL_SOCKET, SO_ATTACH_FILTER).
5) If the system supports hardware timestamps, the hardware timestamp is set via ioctl (SIOCSHWTSTAMP).
6) The bps of the monitored network card and the system page size are read, the block size and frame size are calculated, and a struct tpacket_req structure is set; then a ring buffer of non-swappable (unswappable) memory is established via setsockopt (SOL_PACKET, PACKET_RX_RING). The structure differs slightly between system versions; for example, the newest structure at present is struct tpacket_req3. The tpacket version is set via setsockopt (SOL_PACKET, PACKET_VERSION).
7) The ring buffer is mapped into user space with the mmap function and used there.
8) The socket is bound to the monitored network card with the bind function (to all addresses).
9) The interface mode is set to promiscuous mode;
10) The tp_status value of struct tpacket_hdr in the status field of each frame is checked. If the status is TP_STATUS_USER, the data pointer of that frame is passed to the traffic parsing module, and the status is then set back to TP_STATUS_KERNEL.
11) The poll function is called to poll the created socket, after which step 10) is repeated, until either an exit signal is received, whereupon the current capture procedure exits, or a network card switching signal is received, whereupon capture on the current network card is exited and the flow re-enters step 3).
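Steps 3) to 11) of the capture flow, as an added Python example that is not the patent's own code. It is Linux-only and needs CAP_NET_RAW; it hard-codes the AF_PACKET constants that Python's socket module does not export (x86-64 values, an assumption), uses TPACKET_V2, leaves out the hardware timestamp of step 5), and the `deliver` and `stop` callbacks stand in for the parsing module and for the exit/switch signals.

```python
import ctypes
import mmap
import select
import socket
import struct

# Linux constants (x86-64 values from linux/if_packet.h, linux/filter.h and
# asm-generic/socket.h); Python's socket module does not export them.
SOL_PACKET, PACKET_RX_RING, PACKET_VERSION, PACKET_ADD_MEMBERSHIP = 263, 5, 10, 1
PACKET_MR_PROMISC, TPACKET_V2, SO_ATTACH_FILTER, ETH_P_ALL = 1, 1, 26, 0x0003
TP_STATUS_USER = 1                    # frame owned by user space; 0 is TP_STATUS_KERNEL

# Classic BPF: ldh [12]; jeq #ETH_P_IP, L1, L2; L1: ret #65535; L2: ret #0
IPV4_ONLY = [(0x28, 0, 0, 12), (0x15, 0, 1, 0x0800), (0x06, 0, 0, 0xFFFF), (0x06, 0, 0, 0)]

def ring_params(frame_size, frames_wanted, page_size=4096):
    """Step 6: size the PACKET_RX_RING the way the kernel checks it. The block
    size must be a multiple of the page size, a whole number of frames must fit
    in each block, and tp_frame_nr must equal tp_block_nr * frames_per_block."""
    frame_size = (frame_size + 15) & ~15        # TPACKET_ALIGNMENT is 16
    block_size = page_size
    while block_size < frame_size:              # a block holds at least one frame
        block_size *= 2
    per_block = block_size // frame_size
    block_nr = -(-frames_wanted // per_block)   # ceiling division
    return block_size, block_nr, frame_size, block_nr * per_block

def bpf_program(insns):
    """Step 4: pack (code, jt, jf, k) tuples into a struct sock_fprog.
    Returns the fprog bytes and the instruction buffer it points to (keep it alive)."""
    buf = ctypes.create_string_buffer(b"".join(struct.pack("HBBI", *i) for i in insns))
    return struct.pack("HP", len(insns), ctypes.addressof(buf)), buf

def capture(ifname, deliver, stop, frame_size=2048, frames=256):
    """Steps 3-11: SOCK_RAW socket, BPF filter, TPACKET_V2 ring, mmap, bind,
    promiscuous mode, then poll and hand each TP_STATUS_USER frame to deliver()."""
    bs, bn, fs, fn = ring_params(frame_size, frames, mmap.PAGESIZE)
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    fprog, keep_alive = bpf_program(IPV4_ONLY)
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    sock.setsockopt(SOL_PACKET, PACKET_VERSION, TPACKET_V2)   # version before the ring
    sock.setsockopt(SOL_PACKET, PACKET_RX_RING, struct.pack("IIII", bs, bn, fs, fn))
    ring = mmap.mmap(sock.fileno(), bs * bn, mmap.MAP_SHARED, mmap.PROT_READ | mmap.PROT_WRITE)
    sock.bind((ifname, 0))
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname), PACKET_MR_PROMISC, 0, b"")
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)  # step 9
    poller = select.poll()
    poller.register(sock, select.POLLIN)
    per_block, i = bs // fs, 0
    while not stop():                                         # exit or NIC-switch signal
        off = (i // per_block) * bs + (i % per_block) * fs    # frame i inside the ring
        if struct.unpack_from("I", ring, off)[0] & TP_STATUS_USER:
            snaplen, mac = struct.unpack_from("IH", ring, off + 8)  # tp_snaplen, tp_mac
            deliver(bytes(ring[off + mac:off + mac + snaplen]))
            struct.pack_into("I", ring, off, 0)               # hand the frame back to the kernel
            i = (i + 1) % fn
        else:
            poller.poll(500)                                  # step 11: wait for new frames
    ring.close()
    sock.close()
```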
The real-time traffic parsing is shown in Fig. 3; the specific flow is as follows:
1) The tpacket_hdr network packet header is read.
2) The Ethernet header is read, distinguishing IPv4 from IPv6.
3) The IP header is read and the transport layer protocol is identified; if it is TCP or UDP, the next step is entered.
4) The IP is matched against the IP whitelist; if it hits, the corresponding white name is returned directly. Otherwise the corresponding protocol parsing below is entered according to the transport layer protocol. The matching here is performed on the non-local IP, using binary search to improve efficiency.
5) For the TCP protocol, TCP reassembly is performed and the application layer protocol (HTTP, FTP, SMTP, IMAP4, POP3, etc.) is identified. For the connection of each protocol, the following information is extracted from some of the header information and submitted to the detection module for quick detection.
For the HTTP protocol: the IP, URI, port, host, HTTP method name (GET, POST, etc.), the parameters of the HTTP method (including Content-Type, Content-Length, Content-Language, Content-Encoding, Content-Location, Content-Range, Content-MD5, etc.), and part of the HTTP content header.
For the FTP protocol: the IP, port number, user name, password, FTP command type (LIST, STOR, RETR commands), FTP file name, and similar contents are extracted and recorded.
For the SMTP, POP3 and IMAP4 protocols: the IP, port number, user name, password, sender, recipient, subject, and similar contents are extracted.
The extracted information above is submitted to the parsing module so that it enters the quick detection branch. Then, after the HTTP and FTP attachment files and the SMTP, POP3 and IMAP4 mail contents have been received completely, the parsed content and its attachment files are submitted to the parsing module and enter the deep-layer detection branch.
6) For the UDP protocol, the DNS application layer protocol is identified and parsed, the DNS query name is recorded, and the parsed result is submitted to the detection module.
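Parsing steps 2) to 6) on a constructed single-segment frame, as an added Python example that is not the patent's code. It handles IPv4 only, skips TCP reassembly (one segment carries the whole request), treats the destination address as the non-local side for the binary-search whitelist check, and the addresses, whitelist and `build_frame` helper are constructed for the example.

```python
import bisect
import socket
import struct

# Constructed IP whitelist, kept sorted in packed form so step 4 can binary-search it.
WHITELIST = sorted(socket.inet_aton(a) for a in ("10.0.0.5", "192.168.1.1", "203.0.113.7"))
HTTP_METHODS = (b"GET ", b"POST", b"HEAD", b"PUT ")

def whitelisted(ip_bytes):
    i = bisect.bisect_left(WHITELIST, ip_bytes)
    return i < len(WHITELIST) and WHITELIST[i] == ip_bytes

def parse_http_request(payload):
    """Request line plus the headers the quick branch keys on; body is what follows."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    rec = {"method": parts[0], "uri": parts[1] if len(parts) > 1 else "", "body": body}
    for h in ("host", "content-type", "content-length", "content-encoding"):
        rec[h] = headers.get(h, "")
    return rec

def dns_qname(msg):
    """First question name of a DNS message; a query carries no label compression."""
    labels, pos = [], 12                     # skip the 12-byte DNS header
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += n + 1
    return ".".join(labels)

def parse_frame(frame):
    """Steps 2-6: Ethernet -> IPv4 -> TCP/UDP -> HTTP or DNS fields, or the white name."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # IPv6 (0x86DD) not handled here
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ip[12:16], ip[16:20]
    if whitelisted(dst):                                  # assumption: dst is the remote peer
        return {"white": socket.inet_ntoa(dst)}
    l4 = ip[ihl:]
    rec = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto == 6:                                        # TCP: single-segment HTTP request
        sport, dport, _, _, off = struct.unpack_from("!HHIIB", l4)
        payload = l4[(off >> 4) * 4:]
        rec.update(proto="tcp", sport=sport, dport=dport)
        if payload[:4] in HTTP_METHODS:
            rec.update(parse_http_request(payload))
    elif proto == 17:                                     # UDP: DNS query name
        sport, dport = struct.unpack_from("!HH", l4)
        rec.update(proto="udp", sport=sport, dport=dport)
        if dport == 53:
            rec["qname"] = dns_qname(l4[8:])
    else:
        return None
    return rec

def build_frame(proto, sport, dport, payload, dst="198.51.100.9"):
    """Constructed test frame: Ethernet + minimal IPv4 + TCP/UDP header, checksums zeroed."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4
```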
The detection module flow is as follows:
1. The quick detection flow is as follows: the data passed in by the parsing module is further processed:
A) The URI is combined with the host to output the URL, and the hash value urlhash of the URL is calculated.
B) For files of the HTTP protocol, the file type is identified from the URI suffix, the Content-Type, or the file header, and is marked as filetype.
C) The hash of each protocol's attachment file content is calculated and marked as filehash.
D) The parameter content following the URI of HTTP is extracted and marked as uriparam.
The processed data and their type declarations are as follows:
The above information is matched against the quick rule library according to type; when the hit rate of each type of rule within a single rule reaches a certain proportion, the rule is considered detected, and the virus name is output to the control module for corresponding handling.
2. The deep-layer detection flow is as follows:
A) Files sent by HTTP servers, files downloaded by FTP, and attachment files of received mail are detected using the static engine; if a virus name is detected, the virus name is submitted to the control module for corresponding handling.
B) For HTTP POST attachments, FTP STOR attachments and SMTP mail contents, the following detection flow is carried out:
This step is divided into the following sub-steps:
i. For data whose Content-Encoding indicates that an encoding has been applied, the corresponding decompression or transcoding is performed, the new file content format is judged, and filetype is updated;
ii. If filetype is a known compressed format, the file is decompressed;
iii. The new file content is marked as filecontent;
iv. The new filehash is calculated.
C) The final filecontent, filetype and filehash are, together with the data of quick detection, subjected to detection by the deep-layer detection rules.
D) Relative to quick detection, the detection data types of deep-layer detection add the following content:
As in quick detection, when the hit rate of a rule reaches a certain ratio the rule is considered detected, and the detection name is output to the control module for subsequent processing.
3. Quick detection and deep-layer detection are two branches; the user can, as needed, configure quick detection only, deep-layer detection only, or both combined.
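The quick and deep-layer branches above, as an added Python example that is not the patent's code. It assumes a parsed HTTP record dict with the fields listed in the parsing flow, uses SHA-256 for urlhash and filehash, a constructed magic-byte table, gzip as the one known compressed format, and constructed rules whose threshold stands in for the page's "certain proportion".

```python
import gzip
import hashlib
from urllib.parse import urlsplit

# Constructed magic-byte table (step B) and the compressed formats the deep branch unpacks (ii).
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"%PDF": "pdf"}
UNPACK = {"gzip": gzip.decompress}

def sha256_hex(data): return hashlib.sha256(data).hexdigest()

def file_type(uri, content_type, content):
    """Step B: file header first, then Content-Type, then the uri suffix."""
    for magic, name in MAGIC.items():
        if content.startswith(magic):
            return name
    if "/" in content_type:
        return content_type.split("/", 1)[1].split(";")[0].strip()
    path = urlsplit(uri).path
    return path.rsplit(".", 1)[-1].lower() if "." in path else "unknown"

def quick_features(rec):
    """Steps A-D on one parsed HTTP record: url/urlhash, filetype, filehash, uriparam."""
    url, body = rec["host"] + rec["uri"], rec.get("body", b"")
    return {"proto": rec["proto"], "method": rec["method"], "host": rec["host"],
            "url": url, "urlhash": sha256_hex(url.encode()),
            "uriparam": urlsplit(rec["uri"]).query,
            "filetype": file_type(rec["uri"], rec.get("content-type", ""), body),
            "filehash": sha256_hex(body)}

def deep_features(rec, quick):
    """Sub-steps i-iv: undo Content-Encoding, unpack known archives, re-derive type and hash."""
    content = rec.get("body", b"")
    if rec.get("content-encoding", "").lower() == "gzip":    # i. transfer encoding
        content = gzip.decompress(content)
    ftype = file_type(rec["uri"], "", content)
    while ftype in UNPACK:                                   # ii. nested archives in turn
        content = UNPACK[ftype](content)
        ftype = file_type(rec["uri"], "", content)
    return dict(quick, filetype=ftype, filecontent=content,  # iii and iv
                filehash=sha256_hex(content), filelen=len(content))

def match_rules(feats, rules):
    """A rule fires when the share of its typed fields that match reaches its threshold."""
    hits = []
    for rule in rules:
        matched = sum(1 for k, v in rule["fields"].items() if feats.get(k) == v)
        if matched / len(rule["fields"]) >= rule["threshold"]:
            hits.append(rule["name"])
    return hits

def detect(rec, quick_rules, deep_rules, mode="both"):
    """Step 3: the user chooses quick only, deep only, or both branches."""
    quick = quick_features(rec)
    names = match_rules(quick, quick_rules) if mode in ("quick", "both") else []
    if mode in ("deep", "both"):                             # quick result feeds the deep rules
        deep = dict(deep_features(rec, quick), quickresult=names[0] if names else "")
        names += [n for n in match_rules(deep, deep_rules) if n not in names]
    return names

# Constructed sample: a gzip-encoded POST upload whose decoded body is a PE header stub.
SAMPLE_REC = {"proto": "tcp", "method": "POST", "host": "www.example.test", "uri": "/upload.php?id=7",
              "content-type": "application/octet-stream", "content-encoding": "gzip",
              "body": gzip.compress(b"MZ\x90\x00\x03\x00")}
QUICK_RULES = [{"name": "upload-probe", "threshold": 0.75, "fields": {
    "method": "POST", "uriparam": "id=7", "host": "www.example.test", "filetype": "pe"}}]
DEEP_RULES = [{"name": "pe-upload", "threshold": 1.0, "fields": {"filetype": "pe", "method": "POST"}}]
```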
Detection in this scheme is based on real-time traffic data and can effectively counter anti-virus evasion techniques such as obfuscation and hardening of malicious code; it has a good detection effect in particular for malicious code that uploads or downloads data over the network. In this scheme, quick detection can discover malicious behaviour earlier, raise an alarm and notify the user to handle it, which can reduce loss. In this scheme, deep-layer detection can perform deep detection on the uploaded and downloaded data and, combined with static detection technology, provides a more complete malicious code detection capability.
It should be understood that those of ordinary skill in the art can make improvements or changes according to the above description, and all such modifications and variations should belong to the protection scope of the appended claims of the present invention.

Claims (11)

1. A malicious code detection method, characterized in that it comprises the following steps:
obtaining the real-time traffic data on a mobile terminal device;
performing real-time parsing and filtering on the obtained real-time traffic data, and extracting characteristic data of the real-time traffic data;
matching the extracted characteristic data against a preset malicious code rule feature library, and if they match, judging that malicious code is present.
2. The malicious code detection method according to claim 1, characterized in that, when obtaining the real-time traffic data on the mobile terminal device, the application information of each application program corresponding to the real-time traffic data is also obtained; when the extracted characteristic data matches the preset malicious code rule feature library, the application program with malicious code is detected.
3. The malicious code detection method according to claim 1 or 2, characterized in that the method of obtaining real-time traffic data specifically comprises:
after setting the network card to monitor, creating a socket, setting a filter, and establishing a ring buffer of non-swappable memory;
mapping the ring buffer into user space, binding the socket to the monitored network card, and setting the monitoring mode of the network card;
when the ring buffer has readable traffic data, parsing it in real time;
after receiving an exit signal, stopping the obtaining of real-time traffic data.
4. The malicious code detection method according to claim 1, characterized in that the method of matching the characteristic data against the rule feature library comprises a quick detection method and a deep-layer detection method.
5. The malicious code detection method according to claim 1, characterized in that the method of processing the parsed data specifically comprises:
combining the URI with the host to output the URL, and calculating the hash value urlhash of the URL;
identifying the file type filetype of the HTTP protocol file according to the URI;
calculating the file hash filehash of each protocol's attachment file content;
extracting the parameter content uriparam in the URI of HTTP.
6. The malicious code detection method according to claim 1, characterized in that the method of processing the parsed data specifically comprises:
detecting, using a static engine, the file sent by the HTTP protocol, the file downloaded by the FTP protocol and the file received by mail, and outputting the detection result if malicious code is detected;
for the POST attachment of HTTP, the STOR attachment of FTP and the file in the SMTP mail content, performing decompression or transcoding, judging the file format, and updating the value of the file type filetype; updating the value of the attachment file filecontent according to the newly obtained attachment file, and updating the value of filehash according to the value of the attachment file filecontent.
7. A malicious code detection system, characterized in that it comprises:
a traffic acquisition module, for obtaining the real-time traffic data on a mobile terminal device and its corresponding application information;
a traffic parsing module, for performing real-time parsing and filtering on the obtained real-time traffic data and extracting characteristic data of the real-time traffic data;
a detection module, for matching the extracted characteristic data against a preset malicious code rule feature library;
an output control module, for judging whether the characteristic data matches the malicious code information in the rule feature library, a match indicating that malicious code is detected.
8. The malicious code detection system according to claim 7, characterized in that, when the traffic acquisition module obtains the real-time traffic data on the mobile terminal device, it is further used to obtain the application information of each application program corresponding to the real-time traffic data; when the extracted characteristic data matches the preset malicious code rule feature library, the output control module is used to detect the application program with malicious code.
9. The malicious code detection system according to claim 7 or 8, characterized in that the detection module comprises a quick detection module and a deep-layer detection module, the quick detection module being used to implement quick detection and the deep-layer detection module being used to implement deep-layer detection.
10. The malicious code detection method according to claim 4 or the malicious code detection system according to claim 9, characterized in that the quick detection method comprises obtaining the parsed data and processing it to obtain at least one of the following detection information: protocol type, IP address, port number, domain name, URI, host, the URL formed from host and URI, the hash value calculated from the URL, the protocol method or command type, the parameter content uriparam in the HTTP URI, the parameter content httpparam of HTTP, the attachment file type, filehash, user name, password and mail subject; and matching the detection information obtained by the processing against the corresponding type in the rule feature library for quick detection, a malicious code detection being indicated when the hit rate of each item of detection information in a single rule reaches a threshold.
11. The malicious code detection method according to claim 4 or the malicious code detection system according to claim 9, characterized in that the deep-layer detection method comprises processing the parsed data to add at least one of the following detection information: the attachment file filecontent of HTTP, FTP and email, the hash value of the attachment file filecontent, the length of the attachment file filecontent, the mail body, and the quick detection output result; taking the added detection information together with the detection information obtained by the quick detection module as the information to be detected by deep-layer detection, and matching the information to be detected against the corresponding type in the rule feature library of deep-layer detection, a malicious code detection being indicated when the hit rate of each type in a single rule reaches a threshold.
CN201611128576.1A 2016-12-09 2016-12-09 Malicious code detection method and system Active CN108229159B (en)

Publications (2)

Publication Number Publication Date
CN108229159A true CN108229159A (en) 2018-06-29
CN108229159B CN108229159B (en) 2022-04-01

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant