Method and device for real-time online monitoring of the IP address of a remote-control Trojan control end
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for real-time online monitoring of the IP address of a remote-control Trojan control end.
Background technology
According to a large number of APT cases, remote-control Trojans are the main type of botnet Trojan in use today. To evade monitoring by security personnel, such Trojans are usually combined with a domain generation algorithm (DGA) and continuously generate thousands to tens of thousands of C&C domain names, which greatly interferes with the tracking and tracing of intrusion incidents.
Once infected with a remote-control Trojan, the compromised host becomes part of a botnet. The remote-control Trojan uses the network and hardware resources of the zombie host and can launch high-volume DDoS attacks, which are extremely harmful to network security. Security personnel cannot analyse the C&C domain names produced by a domain generation algorithm in a short time, and the most effective way to block and dismantle a remote-control Trojan botnet is to find the server IP address of the Trojan's control end.
Existing practice for obtaining the IP address of a remote-control Trojan control end generally follows one of two schemes. In the first, the remote-control Trojan server domain names already known (that is, a domain-name blacklist) are passed on verbally to security personnel, who resolve the domain names by hand to obtain IP addresses. In the second, a packet-capture tool of the wireshark or tcpdump kind is run on the compromised machine to capture traffic, the abnormal traffic is then analysed manually, the tens of thousands of C&C domain names generated by the remote-control Trojan are recorded, and all of those C&C domain names are resolved by hand.
The first scheme depends heavily on existing intelligence, and that intelligence becomes outdated easily, so the accuracy of the IP addresses obtained by resolution is low. The second scheme is time-consuming and laborious, and because the mapping between IP address and domain name changes frequently, later resolution of the domain names rarely yields the true IP address of the Trojan control end; it cannot meet the security needs of an emergency incident, and subsequent tracking and tracing are also extremely difficult.
In summary, with the existing methods for obtaining the IP address of a remote-control Trojan control end, the IP addresses obtained are of poor accuracy and poor timeliness, and the control-end IP cannot be tracked and traced.
Summary of the invention
In view of this, the object of the present invention is to provide a method and device for real-time online monitoring of the IP address of a remote-control Trojan control end, so as to alleviate the technical problems of the existing acquisition methods, namely that the IP addresses obtained are of poor accuracy and poor timeliness and the control-end IP cannot be tracked and traced.
In a first aspect, an embodiment of the present invention provides a method for real-time online monitoring of the IP address of a remote-control Trojan control end, the method comprising:
obtaining in real time the mirrored traffic sent by a mirroring router, wherein the mirroring router is connected to a compromised device, and the compromised device is a device that has been infected by a remote-control Trojan;
judging whether an access request in the mirrored traffic is a DNS access request;
if it is a DNS access request, judging from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
if it is a malicious DNS access request, obtaining from the mirrored traffic the response message corresponding to the malicious DNS access request;
parsing the response message to obtain the corresponding target IP address, wherein the target IP address is the IP address of the remote-control Trojan control end; and
saving the target IP address together with the corresponding domain name to a database in real time, so as to record changes in the IP address of the remote-control Trojan control end.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, wherein the method further comprises:
if the access request in the mirrored traffic is not a DNS access request, discarding the mirrored traffic.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, wherein judging from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request comprises:
detecting, with a malicious-domain detection algorithm, whether the domain name of the DNS access request is a malicious domain name;
if it is a malicious domain name, the DNS access request is a malicious DNS access request;
if it is not a malicious domain name, the DNS access request is not a malicious DNS access request.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, wherein the method further comprises:
if the DNS access request is not a malicious DNS access request, discarding the mirrored traffic that contains the DNS access request.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, wherein after the response message has been parsed the method further comprises:
judging whether parsing yielded the IP address corresponding to the response message;
if parsing yielded an IP address, taking that IP address as the target IP address;
if parsing did not yield an IP address, discarding the mirrored traffic that contains the response message.
In a second aspect, an embodiment of the present invention further provides a device for real-time online monitoring of the IP address of a remote-control Trojan control end, the device comprising:
a first acquisition module, for obtaining in real time the mirrored traffic sent by a mirroring router, wherein the mirroring router is connected to a compromised device, and the compromised device is a device that has been infected by a remote-control Trojan;
a first judgment module, for judging whether an access request in the mirrored traffic is a DNS access request;
a second judgment module, for judging, if it is a DNS access request, from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
a second acquisition module, for obtaining, if it is a malicious DNS access request, from the mirrored traffic the response message corresponding to the malicious DNS access request;
a parsing module, for parsing the response message to obtain the corresponding target IP address, wherein the target IP address is the IP address of the remote-control Trojan control end; and
a saving module, for saving the target IP address together with the corresponding domain name to a database in real time, so as to record changes in the IP address of the remote-control Trojan control end.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation of the second aspect, wherein the device further comprises:
a first discard module, for discarding the mirrored traffic if the access request in the mirrored traffic is not a DNS access request.
With reference to the second aspect, an embodiment of the present invention provides a second possible implementation of the second aspect, wherein the second judgment module comprises:
a detection unit, for detecting with a malicious-domain detection algorithm whether the domain name of the DNS access request is a malicious domain name;
a first setting unit, for determining that the DNS access request is a malicious DNS access request if it is a malicious domain name;
a second setting unit, for determining that the DNS access request is not a malicious DNS access request if it is not a malicious domain name.
With reference to the second aspect, an embodiment of the present invention provides a third possible implementation of the second aspect, wherein the device further comprises:
a second discard module, for discarding the mirrored traffic that contains the DNS access request if the DNS access request is not a malicious DNS access request.
In a third aspect, an embodiment of the present invention further provides an electronic apparatus comprising a memory and a processor, the memory storing a computer program that can run on the processor, and the processor, when executing the computer program, carrying out the steps of the method described in the first aspect above.
The embodiments of the present invention bring the following beneficial effects:
With the existing methods for obtaining the IP address of a remote-control Trojan control end, the IP addresses obtained are of poor accuracy and poor timeliness, and the control-end IP cannot be tracked and traced. In the method of the present invention for real-time online monitoring of the IP address of a remote-control Trojan control end, the mirrored traffic sent by a mirroring router is obtained in real time; it is then judged whether an access request in the mirrored traffic is a DNS access request; if it is, it is judged from the domain name of the DNS access request whether the request is a malicious DNS access request; if it is, the response message corresponding to the malicious DNS access request is obtained from the mirrored traffic; the response message is then parsed to obtain the corresponding target IP address; and finally the target IP address is saved together with the corresponding domain name to a database in real time. The method obtains mirrored traffic in real time and analyses it in real time, obtains the response message corresponding to the malicious DNS access request and from it the corresponding target IP address, and saves the target IP address and its domain name to a database. Because the resolution is observed online as it happens, the IP address obtained is accurate and timely, and the IP of the remote-control Trojan control end can be tracked and traced, which alleviates the technical problems of the existing acquisition methods, namely poor accuracy, poor timeliness, and the inability to track and trace the control-end IP.
Other features and advantages of the present invention will be set out in the following description, and will in part become apparent from the description or be learned by practising the invention. The objects and other advantages of the invention are realised and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of the drawings
To illustrate the technical solutions of the specific embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. It is evident that the drawings described below show some embodiments of the present invention, and that a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for real-time online monitoring of the IP address of a remote-control Trojan control end provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another method for real-time online monitoring of the IP address of a remote-control Trojan control end provided by an embodiment of the present invention;
Fig. 3 is a flowchart of the method, provided by an embodiment of the present invention, for judging from the domain name of a DNS access request whether the DNS access request is a malicious DNS access request;
Fig. 4 is a functional module diagram of a device for real-time online monitoring of the IP address of a remote-control Trojan control end provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of an electronic apparatus provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. Evidently the embodiments described are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
For ease of understanding the present embodiment, the method for real-time online monitoring of the IP address of a remote-control Trojan control end disclosed in the embodiment of the present invention is first described in detail.
Embodiment one:
A method for real-time online monitoring of the IP address of a remote-control Trojan control end, with reference to Fig. 1, comprises:
S102: obtaining in real time the mirrored traffic sent by a mirroring router, wherein the mirroring router is connected to a compromised device, and the compromised device is a device that has been infected by a remote-control Trojan;
In the embodiment of the present invention, the method is executed by a monitoring device for the control-end IP address. In operation, the device infected by the remote-control Trojan is connected to the mirroring router. When the infected device communicates, its data travels along the normal path, while a mirrored copy of the same data is delivered to the control-end IP address monitoring device.
A remote-control Trojan is a malicious Trojan program incorporating remote computer control techniques. When a remote-control Trojan communicates with its control end it usually generates C&C domain names with a domain generation algorithm or a similar algorithm in order to evade monitoring. The domain names used when the remote-control Trojan communicates with the server IP of the Trojan control end are called C&C domain names.
S104: judging whether an access request in the mirrored traffic is a DNS access request;
After the mirrored traffic has been collected, it is judged whether the access request in the mirrored traffic is a DNS access request. Specifically, the protocol of the mirrored traffic is parsed: if the protocol is DNS, the access request in the mirrored traffic is a DNS access request; if the protocol is not DNS, the access request is not a DNS access request.
S106: if it is a DNS access request, judging from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
If it is a DNS access request, it is judged from the domain name of the request whether the request is a malicious DNS access request. The process of distinguishing malicious DNS access requests is described in detail further below and is not repeated here.
S108: if it is a malicious DNS access request, obtaining from the mirrored traffic the response message corresponding to the malicious DNS access request;
If the DNS access request is a malicious DNS access request, the response message corresponding to it is obtained from the mirrored traffic.
S110: parsing the response message to obtain the corresponding target IP address, wherein the target IP address is the IP address of the remote-control Trojan control end;
S112: saving the target IP address together with the corresponding domain name to a database in real time, so as to record changes in the IP address of the remote-control Trojan control end.
With the existing methods for obtaining the IP address of a remote-control Trojan control end, the IP addresses obtained are of poor accuracy and poor timeliness, and the control-end IP cannot be tracked and traced. In the method of the present invention for real-time online monitoring of the IP address of a remote-control Trojan control end, the mirrored traffic sent by a mirroring router is obtained in real time; it is then judged whether an access request in the mirrored traffic is a DNS access request; if it is, it is judged from the domain name of the DNS access request whether the request is a malicious DNS access request; if it is, the response message corresponding to the malicious DNS access request is obtained from the mirrored traffic; the response message is then parsed to obtain the corresponding target IP address; and finally the target IP address is saved together with the corresponding domain name to a database in real time. The method obtains mirrored traffic in real time and analyses it in real time, obtains the response message corresponding to the malicious DNS access request and from it the corresponding target IP address, and saves the target IP address and its domain name to a database. Because the resolution is observed online as it happens, the IP address obtained is accurate and timely, and the IP of the remote-control Trojan control end can be tracked and traced, which alleviates the technical problems of the existing acquisition methods, namely poor accuracy, poor timeliness, and the inability to track and trace the control-end IP.
The above describes part of the method for real-time online monitoring of the IP address of a remote-control Trojan control end; its remaining parts are introduced below.
Optionally, with reference to Fig. 2, the method further comprises:
S105: if the access request in the mirrored traffic is not a DNS access request, discarding the mirrored traffic.
Optionally, with reference to Fig. 2, the method further comprises:
S107: if the DNS access request is not a malicious DNS access request, discarding the mirrored traffic that contains the DNS access request.
Optionally, after the response message has been parsed, with reference to Fig. 2, the method further comprises:
S1110: judging whether parsing yielded the IP address corresponding to the response message;
S1111: if parsing yielded an IP address, taking that IP address as the target IP address;
S1112: if parsing did not yield an IP address, discarding the mirrored traffic that contains the response message.
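Steps S102 to S112, together with the optional discard steps S105, S107 and S1110 to S1112, can be exercised end to end on constructed packets. The following Python code is an added example written for this page; it is not code from the patent or from any product implementing it. It assumes that the mirrored traffic is delivered as IPv4 packets with link-layer framing already removed, that a DNS response is matched to its request by transaction ID and question name (the patent does not specify how the "corresponding" response is identified), that the malicious-domain detector of S106 is supplied by the caller as a predicate, and that the "database" is an in-memory dictionary keyed by domain name. All packets are constructed inside the block.

```python
import socket
import struct
from collections import defaultdict

# ---- constructed fixtures: packets as a mirroring router could deliver them (not capture code)
def encode_name(name):
    """Encode 'a.b.c' as DNS labels terminated by a zero-length label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(txid, qname):
    """Standard query with one question of type A, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(txid, qname, ips):
    """Standard response: the question, then one A record per ip; owner name is pointer 0xC00C."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return msg

def build_ipv4_udp(src_port, dst_port, payload, proto=17):
    """IPv4 header without options (checksums left zero) + UDP header + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.53"))
    return ip + struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

# ---- DNS wire-format parsing
def read_name(msg, off):
    """Decode a possibly compressed name at off; returns (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                 # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (off if end is None else end)

def parse_dns(payload):
    """Return (txid, is_response, qname, [ip, ...]) using the A/AAAA answers of a message."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    qname, off = read_name(payload, 12)       # first question only (QDCOUNT is 1 in practice)
    off += 4                                  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = read_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
        elif rtype == 28 and rdlen == 16:
            ips.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return txid, bool(flags & 0x8000), qname, ips

# ---- the pipeline S104..S112; is_malicious is the S106 detector, supplied by the caller (assumption)
class ControlEndMonitor:
    def __init__(self, is_malicious):
        self.is_malicious = is_malicious
        self.pending = {}                     # (txid, qname) -> ts of a flagged, unanswered query
        self.database = defaultdict(list)     # qname -> [(ts, (ip, ...)), ...], one entry per change

    def process(self, packet, ts=0.0):
        """Apply the method to one mirrored IPv4 packet and report what happened to it."""
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != 17:                   # not UDP, so not DNS: S105
            return "discard:not-dns"
        sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
        if 53 not in (sport, dport):          # S104 protocol check by port
            return "discard:not-dns"
        txid, is_response, qname, ips = parse_dns(packet[ihl + 8:ihl + ulen])
        key = (txid, qname)
        if not is_response:
            if not self.is_malicious(qname):  # S107
                return "discard:benign"
            self.pending[key] = ts            # S106: remember the flagged request
            return "pending"
        if self.pending.pop(key, None) is None:   # S108: only responses to flagged requests
            return "discard:unmatched"
        if not ips:                           # S1112: NXDOMAIN or no address record
            return "discard:no-ip"
        answer = tuple(sorted(ips))           # S110 / S1111
        history = self.database[qname]
        if not history or history[-1][1] != answer:
            history.append((ts, answer))      # S112: record the control-end IP and its changes
        return "recorded"
```

Two points a practitioner would check here. Matching each response to a previously flagged request (transaction ID plus question name) matters because the mirror port sees every DNS response on the segment, including unsolicited or spoofed ones; recording only matched responses keeps the database tied to what the infected host actually resolved. And most DGA names are never registered, so the common outcome is an NXDOMAIN response with no address record, which step S1112 discards; only the domains the operator has actually activated produce an entry, which is exactly the set worth tracing.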
The above is the flow of the method for real-time online monitoring of the IP address of a remote-control Trojan control end; the process of distinguishing malicious DNS access requests involved in it is described in detail below.
Optionally, with reference to Fig. 3, judging from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request comprises:
S301: detecting with a malicious-domain detection algorithm whether the domain name of the DNS access request is a malicious domain name;
Specifically, malicious-domain detection algorithms already exist in the prior art, and the malicious-domain detection in the present invention uses a prior-art malicious-domain detection algorithm.
Several kinds of malicious domain name are introduced by way of example below: overlong domain names are generally malicious; domain names made of random character strings, such as .zqa1234, are generally malicious; and domain names under foreign top-level domains that are exempt from record-filing, such as .cc, are generally malicious.
S302: if it is a malicious domain name, the DNS access request is a malicious DNS access request;
S303: if it is not a malicious domain name, the DNS access request is not a malicious DNS access request.
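The three kinds of malicious domain name listed for S301 can be turned into a small rule-based detector that returns, for each QNAME, the S302/S303 verdict and the rules that fired. The following Python code is an added illustration, not the algorithm of the patent (which relies on an unspecified prior-art detector): the thresholds, the vowel-ratio condition used to separate DGA-style labels from long English words, and the set of record-filing-exempt TLDs (the page names only .cc) are all assumptions, and the domain names in the test are constructed.

```python
import math
from collections import Counter

# Assumed thresholds and lists: the page names the three heuristics but gives no values.
MAX_DOMAIN_LEN = 50        # "overlong" domain name
RANDOM_MIN_LEN = 10        # judge randomness only on labels long enough to be meaningful
ENTROPY_THRESHOLD = 3.5    # bits per character of the second-level label
MAX_VOWEL_RATIO = 0.25     # pronounceable words keep more vowels than DGA output
DIGIT_RATIO = 0.4          # "zqa1234"-style labels
UNFILED_TLDS = {"cc"}      # the page names .cc; a deployment would extend this set

def shannon_entropy(text):
    """Bits per character of a string (about log2(26) for a uniformly random lowercase label)."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def classify_domain(domain):
    """Apply the three S301 rules to one QNAME; returns (is_malicious, reasons)."""
    name = domain.lower().rstrip(".")
    labels = name.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label, e.g. 'zqa1234'
    if not sld:
        return False, []
    reasons = []
    if len(name) > MAX_DOMAIN_LEN:                          # rule 1: overlong
        reasons.append("overlong")
    vowels = sum(ch in "aeiou" for ch in sld)
    if (len(sld) >= RANDOM_MIN_LEN and shannon_entropy(sld) >= ENTROPY_THRESHOLD
            and vowels / len(sld) <= MAX_VOWEL_RATIO):      # rule 2: random character string
        reasons.append("random-looking")
    digits = sum(ch.isdigit() for ch in sld)
    if len(sld) >= 6 and digits / len(sld) >= DIGIT_RATIO:  # rule 2, digit-heavy variant
        reasons.append("digit-heavy")
    if labels[-1] in UNFILED_TLDS:                          # rule 3: filing-exempt foreign TLD
        reasons.append("unfiled-tld")
    return bool(reasons), reasons

def filter_queries(qnames):
    """S301 to S303 over a batch of observed QNAMEs: keep those judged malicious."""
    return [q for q in qnames if classify_domain(q)[0]]
```

Rules of this kind are indicative rather than conclusive: CDN hostnames, hashed subdomains and telemetry endpoints are also long and random-looking, so in practice the rule output is combined with an allow-list of known-good domains or used as features for a trained classifier, and a verdict of "malicious" here should trigger the response capture of S108 rather than an alert on its own.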
In the method for the invention, it when monitoring remote control Trojan activity, is interacted to real by with dns server
The now real time parsing to remote control Trojan control terminal real IP address and monitoring, and then remote control Trojan control terminal can be recorded in real time
IP changes;Can it is online, in real time, automatic monitoring and the control terminal IP address for recording remote control Trojan, accuracy is secure, to chasing after
Track, which is traced to the source, great help.
In short, this method carries out in real time a large amount of C&C domain names (i.e. malice domain name) that remote control Trojan in mirror image flow generates
Online analyzing, the accurate recording IP address of remote control Trojan server, reduces spot, to arresting illegal invasion person meaning
It is great.
Embodiment two:
A device for real-time online monitoring of the IP address of a remote-control Trojan control end, with reference to Fig. 4, comprises:
a first acquisition module 20, for obtaining in real time the mirrored traffic sent by a mirroring router, wherein the mirroring router is connected to a compromised device, and the compromised device is a device that has been infected by a remote-control Trojan;
a first judgment module 21, for judging whether an access request in the mirrored traffic is a DNS access request;
a second judgment module 22, for judging, if it is a DNS access request, from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
a second acquisition module 23, for obtaining, if it is a malicious DNS access request, from the mirrored traffic the response message corresponding to the malicious DNS access request;
a parsing module 24, for parsing the response message to obtain the corresponding target IP address, wherein the target IP address is the IP address of the remote-control Trojan control end; and
a saving module 25, for saving the target IP address together with the corresponding domain name to a database in real time, so as to record changes in the IP address of the remote-control Trojan control end.
In the device of the present invention for real-time online monitoring of the IP address of a remote-control Trojan control end, the mirrored traffic sent by a mirroring router is obtained in real time; it is then judged whether an access request in the mirrored traffic is a DNS access request; if it is, it is judged from the domain name of the DNS access request whether the request is a malicious DNS access request; if it is, the response message corresponding to the malicious DNS access request is obtained from the mirrored traffic; the response message is then parsed to obtain the corresponding target IP address; and finally the target IP address is saved together with the corresponding domain name to a database in real time. The device obtains mirrored traffic in real time and analyses it in real time, obtains the response message corresponding to the malicious DNS access request and from it the corresponding target IP address, and saves the target IP address and its domain name to a database. Because the resolution is observed online as it happens, the IP address obtained is accurate and timely, and the IP of the remote-control Trojan control end can be tracked and traced, which alleviates the technical problems of the existing acquisition methods, namely poor accuracy, poor timeliness, and the inability to track and trace the control-end IP.
Optionally, the device further comprises:
a first discard module, for discarding the mirrored traffic if the access request in the mirrored traffic is not a DNS access request.
Optionally, the second judgment module comprises:
a detection unit, for detecting with a malicious-domain detection algorithm whether the domain name of the DNS access request is a malicious domain name;
a first setting unit, for determining that the DNS access request is a malicious DNS access request if it is a malicious domain name;
a second setting unit, for determining that the DNS access request is not a malicious DNS access request if it is not a malicious domain name.
Optionally, the device further comprises:
a second discard module, for discarding the mirrored traffic that contains the DNS access request if the DNS access request is not a malicious DNS access request.
Optionally, the device further comprises:
a third judgment module, for judging whether parsing yielded the IP address corresponding to the response message;
a setting module, for taking the IP address as the target IP address if parsing yielded an IP address;
a third discard module, for discarding the mirrored traffic that contains the response message if parsing did not yield an IP address.
For the specific content of embodiment two, reference may be made to the corresponding content of embodiment one above, which is not repeated here.
Embodiment three:
An embodiment of the present invention provides an electronic apparatus which, with reference to Fig. 5, comprises a processor 30, a memory 31, a bus 32 and a communication interface 33; the processor 30, the communication interface 33 and the memory 31 are connected through the bus 32. The processor 30 is for executing an executable module, such as a computer program, stored in the memory 31. When the processor executes the program, it carries out the steps of the method described in the method embodiments.
The memory 31 may comprise high-speed random access memory (RAM) and may further comprise non-volatile memory, for example at least one disk memory. The communication connection between this system network element and at least one other network element is realised through at least one communication interface 33 (which may be wired or wireless), and may use the Internet, a wide area network, a local network, a metropolitan area network, etc.
The bus 32 may be an ISA bus, a PCI bus, an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation only one double-headed arrow is drawn in Fig. 5, which does not mean that there is only one bus or only one type of bus.
The memory 31 is for storing a program, and the processor 30 executes the program after receiving an execution instruction. The method performed by the flow-defined device disclosed in any of the foregoing embodiments of the present invention may be applied in, or implemented by, the processor 30.
The processor 30 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method may be completed by integrated logic circuitry in hardware within the processor 30 or by instructions in software form. The processor 30 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute each method, step and logic block diagram disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be embodied directly as being completed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 31; the processor 30 reads the information in the memory 31 and completes the steps of the above method in combination with its hardware.
The computer program product of the method and device for real-time online monitoring of the IP address of a remote-control Trojan control end provided by the embodiments of the present invention comprises a computer-readable storage medium storing program code; the instructions contained in the program code can be used to execute the method described in the foregoing method embodiments. For the specific implementation, reference may be made to the method embodiments, which are not repeated here.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system and device described above may be understood with reference to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In addition, in the description of the embodiments of the present invention, unless otherwise expressly specified and limited, the terms "mounted", "connected to" and "connected" are to be understood broadly: for example, as a fixed connection, a detachable connection or an integral connection; as a mechanical connection or an electrical connection; as a direct connection, an indirect connection through an intermediary, or an internal connection between two elements. For a person of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific circumstances.
If the functions are realised in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In the description of the present invention it should be noted that terms indicating orientation or positional relationship, such as "centre", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer", are based on the orientation or positional relationship shown in the drawings, serve only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be construed as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
Finally it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the scope of protection of the present invention is not limited to them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that anyone skilled in the art can, within the technical scope disclosed by the present invention, still modify the technical solutions recorded in the foregoing embodiments, readily conceive of variations, or replace some of the technical features by equivalents; such modifications, variations or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered by the scope of protection of the present invention. The scope of protection of the present invention is therefore defined by the claims.