CN108769034A - Method and device for real-time online monitoring of a remote-control Trojan's control-end IP address - Google Patents


Info

Publication number
CN108769034A
Authority
CN
China
Prior art keywords
access requests, address, malice, dns, dns access
Legal status
Granted
Application number
CN201810561442.1A
Other languages
Chinese (zh)
Other versions
CN108769034B (en)
Inventor
王世晋
范渊
莫金友
黄进
Current Assignee
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201810561442.1A
Publication of CN108769034A
Application granted
Publication of CN108769034B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method and device for real-time online monitoring of the IP address of a remote-control Trojan's control end. The method obtains mirror traffic in real time, analyzes it in real time, obtains the response messages corresponding to malicious DNS access requests, parses those responses to obtain the corresponding target IP addresses, and saves each target IP address together with its domain name to a database. The method performs online analysis with good accuracy and allows the control-end IP of a remote-control Trojan to be tracked and traced to its source, alleviating the technical problems of existing methods for obtaining the control-end IP address: poor IP address accuracy, poor real-time performance, and the inability to track and trace the control-end IP.

Description

Method and device for real-time online monitoring of a remote-control Trojan's control-end IP address
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for real-time online monitoring of the IP address of a remote-control Trojan's control end.
Background technology
According to a large number of APT cases, remote-control Trojans are the main type of Trojan in current botnets. To evade monitoring by security personnel, such Trojans usually incorporate a domain generation algorithm and continuously generate thousands to tens of thousands of C&C domain names, which greatly interferes with tracking an intrusion incident and tracing it to its source.
After infection with a remote-control Trojan, the compromised host becomes part of a botnet. Using the network and hardware resources of the zombie hosts, the remote-control Trojan can launch high-volume DDoS attacks, which are very harmful to network security. Security personnel cannot analyze the C&C domain names produced by the domain generation algorithm in a short time, and the most effective way to stop and dismantle a remote-control Trojan botnet is to find the server IP address of the Trojan's control end.
Existing approaches to obtaining the control-end IP address of a remote-control Trojan generally follow one of two schemes. In the first, the known remote-control Trojan server domain names (that is, a domain blacklist) are passed on verbally to security personnel, who resolve the domain names by hand to obtain IP addresses. In the second, a packet-capture tool such as Wireshark or tcpdump is run on the compromised machine to capture traffic; the abnormal traffic is then analyzed manually, the tens of thousands of C&C domain names generated by the Trojan are recorded, and all of them are resolved by hand.
The first scheme relies heavily on existing intelligence, which goes out of date easily, so the IP addresses obtained by resolution have a low accuracy rate. The second scheme is time-consuming and laborious, and because the mapping between IP addresses and domain names changes frequently, a later resolution of the domain names rarely yields the true control-end IP address of the Trojan; it cannot meet the security needs of an emergency incident, and subsequent tracking and source tracing are extremely difficult.
In summary, existing methods for obtaining the control-end IP address of a remote-control Trojan have poor IP address accuracy and poor real-time performance, and cannot track and trace the control-end IP.
Invention content
In view of this, the purpose of the present invention is to provide a method and device for real-time online monitoring of a remote-control Trojan's control-end IP address, so as to alleviate the technical problems of existing acquisition methods: poor IP address accuracy, poor real-time performance, and the inability to track and trace the control-end IP.
In a first aspect, an embodiment of the present invention provides a method for real-time online monitoring of a remote-control Trojan's control-end IP address, the method comprising:
obtaining in real time the mirror traffic sent by a mirror router, where the mirror router is connected to a compromised device, the compromised device being a device invaded by the remote-control Trojan;
judging whether an access request in the mirror traffic is a DNS access request;
if it is a DNS access request, judging from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
if it is a malicious DNS access request, obtaining from the mirror traffic the response message corresponding to the malicious DNS access request;
parsing the response message to obtain the corresponding target IP address, where the target IP address is the IP address of the remote-control Trojan's control end;
saving the target IP address together with its corresponding domain name to a database in real time, so as to record changes in the IP address of the remote-control Trojan's control end.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, wherein the method further comprises:
if the access request in the mirror traffic is not a DNS access request, discarding the mirror traffic.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, wherein judging from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request comprises:
using a malicious domain detection algorithm to detect whether the domain name of the DNS access request is a malicious domain name;
if it is a malicious domain name, the DNS access request is a malicious DNS access request;
if it is not a malicious domain name, the DNS access request is not a malicious DNS access request.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, wherein the method further comprises:
if the DNS access request is not a malicious DNS access request, discarding the mirror traffic that contains the DNS access request.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, wherein, after the response message is parsed, the method further comprises:
judging whether an IP address corresponding to the response message was obtained by parsing;
if an IP address was obtained, taking that IP address as the target IP address;
if no IP address was obtained, discarding the mirror traffic that contains the response message.
In a second aspect, an embodiment of the present invention further provides a device for real-time online monitoring of a remote-control Trojan's control-end IP address, the device comprising:
a first acquisition module, for obtaining in real time the mirror traffic sent by a mirror router, where the mirror router is connected to a compromised device, the compromised device being a device invaded by the remote-control Trojan;
a first judgment module, for judging whether an access request in the mirror traffic is a DNS access request;
a second judgment module, for judging, if it is a DNS access request, from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
a second acquisition module, for obtaining from the mirror traffic, if it is a malicious DNS access request, the response message corresponding to the malicious DNS access request;
a parsing module, for parsing the response message to obtain the corresponding target IP address, where the target IP address is the IP address of the remote-control Trojan's control end;
a saving module, for saving the target IP address together with its corresponding domain name to a database in real time, so as to record changes in the IP address of the remote-control Trojan's control end.
In conjunction with the second aspect, an embodiment of the present invention provides a first possible implementation of the second aspect, wherein the device further comprises:
a first discard module, for discarding the mirror traffic if the access request in the mirror traffic is not a DNS access request.
In conjunction with the second aspect, an embodiment of the present invention provides a second possible implementation of the second aspect, wherein the second judgment module comprises:
a detection unit, for using a malicious domain detection algorithm to detect whether the domain name of the DNS access request is a malicious domain name;
a first setting unit, for treating the DNS access request as a malicious DNS access request if the domain name is a malicious domain name;
a second setting unit, for treating the DNS access request as not a malicious DNS access request if the domain name is not a malicious domain name.
In conjunction with the second aspect, an embodiment of the present invention provides a third possible implementation of the second aspect, wherein the device further comprises:
a second discard module, for discarding the mirror traffic that contains the DNS access request if the DNS access request is not a malicious DNS access request.
In a third aspect, an embodiment of the present invention further provides an electronic device comprising a memory and a processor, the memory storing a computer program that can run on the processor, and the processor implementing the steps of the method of the first aspect when it executes the computer program.
The embodiments of the present invention bring the following advantageous effects:
Existing methods for obtaining the control-end IP address of a remote-control Trojan have poor IP address accuracy and poor real-time performance, and cannot track and trace the control-end IP. In the method of the present invention for real-time online monitoring of a remote-control Trojan's control-end IP address, the mirror traffic sent by the mirror router is obtained in real time; it is then judged whether an access request in the mirror traffic is a DNS access request; if so, it is judged from the domain name of the DNS access request whether it is a malicious DNS access request; if so, the response message corresponding to the malicious DNS access request is obtained from the mirror traffic and parsed to obtain the corresponding target IP address; finally, the target IP address and its corresponding domain name are saved to a database in real time. The method thus obtains and analyzes mirror traffic in real time, obtains the response messages corresponding to malicious DNS access requests, derives the corresponding target IP addresses, and saves each target IP address with its domain name to a database. This online analysis has good accuracy and good real-time performance and allows the control-end IP of a remote-control Trojan to be tracked and traced to its source, alleviating the technical problems of existing acquisition methods: poor IP address accuracy, poor real-time performance, and the inability to track and trace the control-end IP.
Other features and advantages of the present invention will be set out in the following description, and in part will become apparent from the description or be understood by practising the invention. The objects and other advantages of the invention are realized and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are set out below and described in detail together with the accompanying drawings.
Description of the drawings
To explain the specific embodiments of the present invention, or the technical solutions in the prior art, more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. It should be apparent that the drawings described below show some embodiments of the present invention, and that those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for real-time online monitoring of a remote-control Trojan's control-end IP address according to an embodiment of the present invention;
Fig. 2 is a flowchart of another method for real-time online monitoring of a remote-control Trojan's control-end IP address according to an embodiment of the present invention;
Fig. 3 is a flowchart of a method, according to an embodiment of the present invention, for judging from the domain name of a DNS access request whether the DNS access request is a malicious DNS access request;
Fig. 4 is a functional module diagram of a device for real-time online monitoring of a remote-control Trojan's control-end IP address according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Specific implementation mode
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are evidently some, not all, of the embodiments of the present invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To facilitate understanding of the present embodiment, the method for real-time online monitoring of a remote-control Trojan's control-end IP address disclosed in this embodiment of the present invention is first described in detail.
Embodiment one:
A method for real-time online monitoring of a remote-control Trojan's control-end IP address; with reference to Fig. 1, the method comprises:
S102: obtain in real time the mirror traffic sent by the mirror router, where the mirror router is connected to the compromised device, and the compromised device is a device invaded by the remote-control Trojan;
In embodiments of the present invention, the method is executed by a control-end IP address monitoring device. In operation, the device invaded by the remote-control Trojan is connected to a mirror router; when the invaded device communicates, one copy of its traffic travels over the normal channel, and the other copy, mirror traffic carrying the same data, is obtained by the control-end IP address monitoring device.
A remote-control Trojan is a malicious Trojan program that incorporates remote computer-control techniques. When communicating with its control end, it usually generates C&C domain names with an algorithm such as a domain generation algorithm in order to evade monitoring. The domain names a remote-control Trojan uses when communicating with the server IP of the Trojan's control end are called C&C domain names.
S104: judge whether the access request in the mirror traffic is a DNS access request;
After the mirror traffic is acquired, it is judged whether the access request in the mirror traffic is a DNS access request.
Specifically, the protocol of the mirror traffic is parsed: if the protocol is DNS, the access request in the mirror traffic is a DNS access request; if the protocol is not DNS, the access request in the mirror traffic is not a DNS access request.
S106: if it is a DNS access request, judge from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
If it is a DNS access request, it is judged from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request. The process of distinguishing malicious DNS access requests is described in detail below and is not repeated here.
S108: if it is a malicious DNS access request, obtain from the mirror traffic the response message corresponding to the malicious DNS access request;
If the DNS access request is a malicious DNS access request, the response message corresponding to the malicious DNS access request is obtained from the mirror traffic.
S110: parse the response message to obtain the corresponding target IP address, where the target IP address is the IP address of the remote-control Trojan's control end;
S112: save the target IP address together with its corresponding domain name to a database in real time, so as to record changes in the IP address of the remote-control Trojan's control end.
Existing methods for obtaining the control-end IP address of a remote-control Trojan have poor IP address accuracy and poor real-time performance, and cannot track and trace the control-end IP. In the method of the present invention for real-time online monitoring of a remote-control Trojan's control-end IP address, the mirror traffic sent by the mirror router is obtained in real time; it is then judged whether the access request in the mirror traffic is a DNS access request; if so, it is judged from the domain name of the DNS access request whether it is a malicious DNS access request; if so, the response message corresponding to the malicious DNS access request is obtained from the mirror traffic and parsed to obtain the corresponding target IP address; finally, the target IP address and its corresponding domain name are saved to a database in real time. The method thus obtains and analyzes mirror traffic in real time, obtains the response messages corresponding to malicious DNS access requests, derives the corresponding target IP addresses, and saves each target IP address with its domain name to a database. This online analysis has good accuracy and good real-time performance and allows the control-end IP of a remote-control Trojan to be tracked and traced to its source, alleviating the technical problems of existing acquisition methods: poor IP address accuracy, poor real-time performance, and the inability to track and trace the control-end IP.
The foregoing describes part of the method for real-time online monitoring of a remote-control Trojan's control-end IP address; its remaining content is introduced below.
Optionally, with reference to Fig. 2, the method further comprises:
S105: if the access request in the mirror traffic is not a DNS access request, discard the mirror traffic.
Optionally, with reference to Fig. 2, the method further comprises:
S107: if the DNS access request is not a malicious DNS access request, discard the mirror traffic that contains the DNS access request.
Optionally, after the response message is parsed, and with reference to Fig. 2, the method further comprises:
S1110: judge whether an IP address corresponding to the response message was obtained by parsing;
S1111: if an IP address was obtained, take that IP address as the target IP address;
S1112: if no IP address was obtained, discard the mirror traffic that contains the response message.
The foregoing is the flow of the method for real-time online monitoring of a remote-control Trojan's control-end IP address; the process it involves for distinguishing malicious DNS access requests is described in detail below.
Optionally, with reference to Fig. 3, judging from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request comprises:
S301: use a malicious domain detection algorithm to detect whether the domain name of the DNS access request is a malicious domain name;
Specifically, malicious domain detection algorithms exist in the prior art, and the detection of malicious domains in the present invention uses a prior-art malicious domain detection algorithm.
Several kinds of malicious domain name are introduced by way of example below:
Very long domain names are generally malicious; random character-string domain names are generally malicious, for example .zqa1234; and foreign domain names under top-level domains exempt from registration filing are generally malicious, for example .cc.
S302: if it is a malicious domain name, the DNS access request is a malicious DNS access request;
S303: if it is not a malicious domain name, the DNS access request is not a malicious DNS access request.
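The following Python is an added example, not code from the patent (which discloses none); it models steps S104 to S112 together with the S301 heuristics over constructed mirror traffic: it parses raw DNS messages, flags queries whose domain falls into one of the three malicious-domain classes the text names, matches each flagged query to its response by transaction ID, and records the control-end IP per domain so that IP changes are visible. The length threshold, the TLD set, the port-53 check and the in-memory dictionary standing in for the database are assumptions.

```python
import struct

# Heuristics for the three malicious-domain classes the patent names (very long names,
# random character strings such as .zqa1234, free "foreign" TLDs such as .cc); assumed values.
MAX_DOMAIN_LEN, SUSPECT_TLDS = 40, {"cc"}

def is_malicious_domain(name: str) -> bool:
    """S301: flag a queried domain name with the heuristics above."""
    labels = name.rstrip(".").lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]         # label under the TLD
    mixed = any(c.isdigit() for c in sld) and any(c.isalpha() for c in sld)
    random_like = len(sld) >= 6 and (mixed or sum(c in "aeiou" for c in sld) / len(sld) < 0.2)
    return (len(name) > MAX_DOMAIN_LEN          # super-long domain
            or labels[-1] in SUSPECT_TLDS       # free foreign TLD such as .cc
            or random_like)                     # random string such as zqa1234

def read_name(msg: bytes, off: int):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers."""
    labels, end, jumped = [], 0, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # pointer into an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_dns(payload: bytes) -> dict:
    """Header, first question and A-record answers of a DNS message (QDCOUNT=1 assumed)."""
    tid, flags, _qd, an = struct.unpack("!HHHH", payload[:8])
    qname, off = read_name(payload, 12)
    off += 4                                    # skip QTYPE, QCLASS
    ips = []
    for _ in range(an):
        _, off = read_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record: an IPv4 address of the control end
            ips.append(".".join(str(b) for b in payload[off:off + 4]))
        off += rdlen
    return {"id": tid, "is_response": bool(flags & 0x8000), "qname": qname, "ips": ips}

class ControlEndMonitor:
    """Steps S104-S112 over mirrored UDP packets; `records` stands in for the database."""
    def __init__(self):
        self.pending = {}    # transaction id -> malicious qname awaiting its response
        self.records = {}    # qname -> control-end IPs in the order they were observed

    def process(self, src_port: int, dst_port: int, payload: bytes) -> str:
        if 53 not in (src_port, dst_port):
            return "discard: not DNS"                               # S105
        try:
            msg = parse_dns(payload)
        except (struct.error, IndexError, UnicodeDecodeError):
            return "discard: malformed DNS"
        if not msg["is_response"]:
            if not is_malicious_domain(msg["qname"]):
                return "discard: benign domain"                     # S107
            self.pending[msg["id"]] = msg["qname"]                  # S108: await the reply
            return "pending: malicious query"
        qname = self.pending.pop(msg["id"], None)
        if qname is None:
            return "discard: response to non-malicious query"
        if not msg["ips"]:
            return "discard: no IP in response"                     # S1112
        history = self.records.setdefault(qname, [])
        for ip in msg["ips"]:
            if not history or history[-1] != ip:
                history.append(ip)                                  # S112: record IP changes
        return "recorded"

def build_dns(tid: int, name: str, ips=()) -> bytes:
    """Constructed query (no ips) or response (with A records) used by the demo."""
    msg = struct.pack("!HHHHHH", tid, 0x8180 if ips else 0x0100, 1, len(ips), 0, 0)
    msg += b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg += struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN
    for ip in ips:  # answer owner name = pointer 0xC00C to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return msg

def demo():
    """Constructed mirror traffic (documentation IPs): a benign lookup, then a C&C domain whose IP moves."""
    mon = ControlEndMonitor()
    actions = [
        mon.process(40000, 53, build_dns(0x1111, "www.example.com")),
        mon.process(53, 40000, build_dns(0x1111, "www.example.com", ["192.0.2.1"])),
        mon.process(40001, 53, build_dns(0x2222, "zqa1234.cc")),
        mon.process(53, 40001, build_dns(0x2222, "zqa1234.cc", ["198.51.100.7"])),
        mon.process(40002, 53, build_dns(0x3333, "zqa1234.cc")),
        mon.process(53, 40002, build_dns(0x3333, "zqa1234.cc", ["203.0.113.9"])),
        mon.process(40003, 443, b"\x16\x03\x01"),                   # TLS, not DNS: S105
    ]
    return actions, mon.records
```

Running `demo()` leaves `records` holding both control-end IPs seen for zqa1234.cc in order, which is the change history S112 is meant to preserve.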
In the method for the invention, it when monitoring remote control Trojan activity, is interacted to real by with dns server The now real time parsing to remote control Trojan control terminal real IP address and monitoring, and then remote control Trojan control terminal can be recorded in real time IP changes;Can it is online, in real time, automatic monitoring and the control terminal IP address for recording remote control Trojan, accuracy is secure, to chasing after Track, which is traced to the source, great help.
In short, this method carries out in real time a large amount of C&C domain names (i.e. malice domain name) that remote control Trojan in mirror image flow generates Online analyzing, the accurate recording IP address of remote control Trojan server, reduces spot, to arresting illegal invasion person meaning It is great.
Embodiment two:
A device for real-time online monitoring of a remote-control Trojan's control-end IP address; with reference to Fig. 4, the device comprises:
a first acquisition module 20, for obtaining in real time the mirror traffic sent by the mirror router, where the mirror router is connected to the compromised device, and the compromised device is a device invaded by the remote-control Trojan;
a first judgment module 21, for judging whether the access request in the mirror traffic is a DNS access request;
a second judgment module 22, for judging, if it is a DNS access request, from the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
a second acquisition module 23, for obtaining from the mirror traffic, if it is a malicious DNS access request, the response message corresponding to the malicious DNS access request;
a parsing module 24, for parsing the response message to obtain the corresponding target IP address, where the target IP address is the IP address of the remote-control Trojan's control end;
a saving module 25, for saving the target IP address together with its corresponding domain name to a database in real time, so as to record changes in the IP address of the remote-control Trojan's control end.
In the device of the present invention for real-time online monitoring of a remote-control Trojan's control-end IP address, the mirror traffic sent by the mirror router is obtained in real time; it is then judged whether the access request in the mirror traffic is a DNS access request; if so, it is judged from the domain name of the DNS access request whether it is a malicious DNS access request; if so, the response message corresponding to the malicious DNS access request is obtained from the mirror traffic and parsed to obtain the corresponding target IP address; finally, the target IP address and its corresponding domain name are saved to a database in real time. The device thus obtains and analyzes mirror traffic in real time, obtains the response messages corresponding to malicious DNS access requests, derives the corresponding target IP addresses, and saves each target IP address with its domain name to a database. This online analysis has good accuracy and good real-time performance and allows the control-end IP of a remote-control Trojan to be tracked and traced to its source, alleviating the technical problems of existing acquisition methods: poor IP address accuracy, poor real-time performance, and the inability to track and trace the control-end IP.
Optionally, the device further comprises:
a first discard module, for discarding the mirror traffic if the access request in the mirror traffic is not a DNS access request.
Optionally, the second judgment module comprises:
a detection unit, for using a malicious domain detection algorithm to detect whether the domain name of the DNS access request is a malicious domain name;
a first setting unit, for treating the DNS access request as a malicious DNS access request if the domain name is a malicious domain name;
a second setting unit, for treating the DNS access request as not a malicious DNS access request if the domain name is not a malicious domain name.
Optionally, the device further comprises:
a second discard module, for discarding the mirror traffic that contains the DNS access request if the DNS access request is not a malicious DNS access request.
Optionally, the device further comprises:
a third judgment module, for judging whether an IP address corresponding to the response message was obtained by parsing;
a setting module, for taking the IP address as the target IP address if an IP address was obtained;
a third discard module, for discarding the mirror traffic that contains the response message if no IP address was obtained.
For the specific details of this embodiment two, reference may be made to the corresponding content of embodiment one above, which is not repeated here.
Embodiment Three:
An embodiment of the present invention provides an electronic device. With reference to Fig. 5, the electronic device includes a processor 30, a memory 31, a bus 32 and a communication interface 33; the processor 30, the communication interface 33 and the memory 31 are connected through the bus 32. The processor 30 is used to execute executable modules stored in the memory 31, such as a computer program. When the processor executes the program, it implements the steps of the method described in the method embodiment.
The memory 31 may include high-speed random access memory (RAM) and may further include non-volatile memory, for example at least one disk storage. The communication connection between this system network element and at least one other network element is realized through at least one communication interface 33 (which may be wired or wireless), and may use the Internet, a wide area network, a local area network, a metropolitan area network (MAN), etc.
The bus 32 may be an ISA bus, a PCI bus, an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one double-headed arrow is shown in Fig. 5, which does not mean that there is only one bus or only one type of bus.
The memory 31 is used to store a program, and the processor 30 executes the program after receiving an execution instruction. The method performed by the flow-process-defined device disclosed in any of the foregoing embodiments of the invention may be applied in the processor 30 or realized by the processor 30.
The processor 30 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 30 or by instructions in the form of software. The above processor 30 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or execute each method, step and logic diagram disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor, etc. The steps of the method disclosed in conjunction with the embodiments of the present invention may be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 31; the processor 30 reads the information in the memory 31 and completes the steps of the above method in combination with its hardware.
The computer program product of the method and device for real-time online monitoring of the IP address of a remote control Trojan control end provided by the embodiments of the present invention includes a computer-readable storage medium storing program code; the instructions included in the program code may be used to execute the method described in the foregoing method embodiment. For the specific implementation, reference may be made to the method embodiment, and details are not repeated here.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and device described above may refer to the corresponding processes in the foregoing method embodiment, and details are not repeated here.
In addition, in the description of the embodiments of the present invention, unless otherwise expressly specified and limited, the terms "installation", "connected" and "connection" shall be understood in a broad sense; for example, they may be a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection, an indirect connection through an intermediary, or an internal connection between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific situation.
If the function is realized in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
In the description of the present invention, it should be noted that the orientation or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientation or positional relationships shown in the drawings, and are only for convenience of describing the present invention and simplifying the description; they do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, and therefore are not to be construed as limiting the present invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
Finally, it should be noted that the embodiments described above are only specific implementations of the present invention, used to illustrate the technical solution of the present invention rather than to limit it, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone skilled in the art may, within the technical scope disclosed by the present invention, still modify the technical solutions recorded in the foregoing embodiments, easily conceive of changes, or make equivalent replacements of some of the technical features; such modifications, changes or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method of real-time online monitoring of the IP address of a remote control Trojan control end, characterized in that the method includes:
obtaining in real time the mirrored traffic sent by a mirror router, wherein the mirror router is connected with an infringed device, the infringed device being a device that has been invaded by a remote control Trojan;
judging whether an access request in the mirrored traffic is a DNS access request;
if it is a DNS access request, judging according to the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
if it is a malicious DNS access request, obtaining from the mirrored traffic the response message corresponding to the malicious DNS access request;
parsing the response message to obtain a corresponding target IP address, wherein the target IP address is the IP address of the remote control Trojan control end;
saving the target IP address together with the corresponding domain name to a database in real time, so as to record changes of the IP address of the remote control Trojan control end.
2. The method according to claim 1, characterized in that the method further includes:
if the access request in the mirrored traffic is not a DNS access request, discarding the mirrored traffic.
3. The method according to claim 1, characterized in that judging according to the domain name of the DNS access request whether the DNS access request is a malicious DNS access request includes:
using a malicious domain name detection algorithm to detect whether the domain name of the DNS access request is a malicious domain name;
if it is a malicious domain name, the DNS access request is a malicious DNS access request;
if it is not a malicious domain name, the DNS access request is not a malicious DNS access request.
4. The method according to claim 1, characterized in that the method further includes:
if the DNS access request is not a malicious DNS access request, discarding the mirrored traffic containing the DNS access request.
5. The method according to claim 1, characterized in that, after the response message is parsed, the method further includes:
judging whether parsing yields the IP address corresponding to the response message;
if parsing yields the IP address, using the IP address as the target IP address;
if parsing does not yield the IP address, discarding the mirrored traffic containing the response message.
6. A device for real-time online monitoring of the IP address of a remote control Trojan control end, characterized in that the device includes:
a first acquisition module, for obtaining in real time the mirrored traffic sent by a mirror router, wherein the mirror router is connected with an infringed device, the infringed device being a device that has been invaded by a remote control Trojan;
a first judgment module, for judging whether an access request in the mirrored traffic is a DNS access request;
a second judgment module, which, if it is a DNS access request, judges according to the domain name of the DNS access request whether the DNS access request is a malicious DNS access request;
a second acquisition module, which, if it is a malicious DNS access request, obtains from the mirrored traffic the response message corresponding to the malicious DNS access request;
a parsing module, for parsing the response message to obtain a corresponding target IP address, wherein the target IP address is the IP address of the remote control Trojan control end;
a saving module, for saving the target IP address together with the corresponding domain name to a database in real time, so as to record changes of the IP address of the remote control Trojan control end.
7. The device according to claim 6, characterized in that the device further includes:
a first discard module, which discards the mirrored traffic if the access request in the mirrored traffic is not a DNS access request.
8. The device according to claim 6, characterized in that the second judgment module includes:
a detection unit, for using a malicious domain name detection algorithm to detect whether the domain name of the DNS access request is a malicious domain name;
a first setting unit, which, if it is a malicious domain name, determines that the DNS access request is a malicious DNS access request;
a second setting unit, which, if it is not a malicious domain name, determines that the DNS access request is not a malicious DNS access request.
9. The device according to claim 6, characterized in that the device further includes:
a second discard module, which discards the mirrored traffic containing the DNS access request if the DNS access request is not a malicious DNS access request.
10. An electronic device, including a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 5.
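The pipeline of claims 1 to 5 (and its module form in claims 6 to 9) as an added, runnable example, not code from the patent or its assignee. It assumes already-parsed packet records from the mirrored stream, stands in for the unspecified "malicious domain name detection algorithm" with a constructed blocklist (any str -> bool callable can replace it), matches a response to its query by DNS transaction id and queried name, and uses an in-memory dict in place of the database; all packets and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    """One parsed packet from the mirrored stream (constructed for this example)."""
    proto: str                 # "udp" or "tcp"
    dst_port: int
    txid: int                  # DNS transaction id, 0 when the packet is not DNS
    qname: str = ""            # queried domain, lower-case, no trailing dot
    is_response: bool = False
    answers: List[str] = field(default_factory=list)  # A-record IPs in a response


# Constructed blocklist standing in for the patent's "malicious domain name
# detection algorithm" (assumption: the claims leave the algorithm unspecified).
CONSTRUCTED_BLOCKLIST = {"c2.example-bad.test"}


def default_is_malicious(domain: str) -> bool:
    return domain in CONSTRUCTED_BLOCKLIST


def is_dns_request(pkt: Packet) -> bool:
    """Claim 1, step 2: only DNS queries pass; anything else is dropped (claim 2)."""
    return pkt.proto == "udp" and pkt.dst_port == 53 and not pkt.is_response


def find_response(stream: List[Packet], query: Packet) -> Optional[Packet]:
    """Claim 1, step 4: the response belonging to a query shares its txid and qname."""
    for pkt in stream:
        if pkt.is_response and pkt.txid == query.txid and pkt.qname == query.qname:
            return pkt
    return None


def parse_target_ip(resp: Packet) -> Optional[str]:
    """Claim 5: only a response carrying an A record yields a target IP."""
    return resp.answers[0] if resp.answers else None


class C2Monitor:
    """Records, per malicious domain, the sequence of resolved control-end IPs."""

    def __init__(self, is_malicious: Callable[[str], bool] = default_is_malicious):
        self.is_malicious = is_malicious
        self.db: Dict[str, List[str]] = {}   # in-memory stand-in for the database
        self.dropped = 0

    def process(self, stream: List[Packet]) -> Dict[str, List[str]]:
        for pkt in stream:
            if not is_dns_request(pkt) or not self.is_malicious(pkt.qname):
                self.dropped += 1            # claims 2 and 4: discard the traffic
                continue
            resp = find_response(stream, pkt)
            ip = parse_target_ip(resp) if resp else None
            if ip is None:
                self.dropped += 1            # claim 5: no IP parsed, discard
                continue
            history = self.db.setdefault(pkt.qname, [])
            if not history or history[-1] != ip:
                history.append(ip)           # a new IP marks a control-end change
        return self.db


# Constructed mirrored stream: a non-DNS packet, a benign lookup, two lookups of
# the malicious domain resolving to different IPs, and one that returns no A record.
SAMPLE_STREAM = [
    Packet("tcp", 443, 0),
    Packet("udp", 53, 0x1A2B, "www.example.test"),
    Packet("udp", 53, 0x1A2B, "www.example.test", True, ["192.0.2.1"]),
    Packet("udp", 53, 0x2C3D, "c2.example-bad.test"),
    Packet("udp", 53, 0x2C3D, "c2.example-bad.test", True, ["203.0.113.10"]),
    Packet("udp", 53, 0x4E5F, "c2.example-bad.test"),
    Packet("udp", 53, 0x4E5F, "c2.example-bad.test", True, ["198.51.100.7"]),
    Packet("udp", 53, 0x6071, "c2.example-bad.test"),
    Packet("udp", 53, 0x6071, "c2.example-bad.test", True, []),
]
```

Running `C2Monitor().process(SAMPLE_STREAM)` yields one history for the malicious domain with both IPs in order of appearance; the benign lookup, the non-DNS packet and the empty response are all discarded.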
CN201810561442.1A 2018-06-01 2018-06-01 Method and device for monitoring IP address of remote control Trojan control end on line in real time Active CN108769034B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810561442.1A CN108769034B (en) 2018-06-01 2018-06-01 Method and device for monitoring IP address of remote control Trojan control end on line in real time

Publications (2)

Publication Number Publication Date
CN108769034A true CN108769034A (en) 2018-11-06
CN108769034B CN108769034B (en) 2021-02-26

Family

ID=64002314

Country Status (1)

Country Link
CN (1) CN108769034B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109274676A (en) * 2018-10-07 2019-01-25 杭州安恒信息技术股份有限公司 The method and system of wooden horse control terminal IP address are obtained based on self study mode
CN110233831A (en) * 2019-05-21 2019-09-13 深圳壹账通智能科技有限公司 The detection method and device of malicious registration
CN110300193A (en) * 2019-07-01 2019-10-01 北京微步在线科技有限公司 A kind of method and apparatus obtaining entity domain name
CN111030979A (en) * 2019-06-20 2020-04-17 哈尔滨安天科技集团股份有限公司 Malicious domain name detection method and device and storage device
CN111212039A (en) * 2019-12-23 2020-05-29 杭州安恒信息技术股份有限公司 Host mining behavior detection method based on DNS flow
CN112640392A (en) * 2020-11-20 2021-04-09 华为技术有限公司 Trojan horse detection method, device and equipment
CN113992442A (en) * 2021-12-28 2022-01-28 北京微步在线科技有限公司 Trojan horse communication success detection method and device
CN116016479A (en) * 2022-12-05 2023-04-25 北京天融信网络安全技术有限公司 Server control method, device, electronic equipment and computer readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202064A (en) * 2011-06-13 2011-09-28 刘胜利 Method for extracting behavior characteristics of Trojan communication based on network data flow analysis
US20150281259A1 (en) * 2012-07-05 2015-10-01 Tenable Network Security, Inc. System and method for strategic anti-malware monitoring
CN105024969A (en) * 2014-04-17 2015-11-04 北京启明星辰信息安全技术有限公司 Method and device for realizing malicious domain name identification
CN105187393A (en) * 2015-08-10 2015-12-23 济南大学 Mobile terminal malicious software network behavior reconstruction method and system thereof
US20160261625A1 (en) * 2014-07-30 2016-09-08 Zscaler, Inc. Zero day threat detection based on fast flux detection and aggregation
CN106101088A (en) * 2016-06-04 2016-11-09 北京兰云科技有限公司 The method that cleaning equipment, detection equipment, routing device and strick precaution DNS attack
CN107592312A (en) * 2017-09-18 2018-01-16 济南互信软件有限公司 A kind of malware detection method based on network traffics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 188, Lianhui street, Xixing street, Binjiang District, Hangzhou City, Zhejiang Province

Applicant after: Hangzhou Anheng Information Technology Co.,Ltd.

Address before: 310000 15-storey Zhejiang Zhongcai Building, No. 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Applicant before: Hangzhou Anheng Information Technology Co.,Ltd.

GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20181106

Assignee: Hangzhou Anheng Information Security Technology Co., Ltd

Assignor: Hangzhou Anheng Information Technology Co.,Ltd.

Contract record no.: X2021330000118

Denomination of invention: A method and device for real-time online monitoring IP address of remote control Trojan horse control end

Granted publication date: 20210226

License type: Common License

Record date: 20210823