CN108810028A - A kind of detection method and system of the whole network wooden horse control terminal - Google Patents

A kind of detection method and system of the whole network wooden horse control terminal

Info

Publication number
CN108810028A
Authority
CN
China
Prior art keywords
remote control
trojan
control terminal
target
doubtful
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810809216.0A
Other languages
Chinese (zh)
Inventor
王世晋
范渊
史光庭
郑威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201810809216.0A
Publication of CN108810028A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a detection method and system for remote control trojan control terminals across the whole network, in the field of information security technology. The detection method comprises: receiving a target network segment to be tested input by a user; performing a port scan on all targets to be detected in the target network segment, and determining suspected detection targets according to the scan results; and probing the suspected detection targets with pre-configured remote control trojan probe strategies, to determine whether each suspected detection target is a remote control trojan control terminal. The invention can discover remote control trojan control terminals in a network environment and learn their distribution, which improves user experience and alleviates the technical problem in the prior art that the need to discover the distribution of remote control trojan control terminals in a network environment cannot be met, leaving user experience poor.

Description

A kind of detection method and system of the whole network wooden horse control terminal
Technical field
The present invention relates to the field of information security technology, and in particular to a detection method and system for whole-network trojan control terminals.
Background technology
Remote control trojans are a common attack tool of hackers, and perceiving the distribution of remote control trojan control terminals is an important task in the field of information security, with very high threat intelligence value.
Most existing methods of obtaining remote control trojan threat intelligence perceive the trojan's "going online" (check-in) process by means of traffic monitoring: for example, traffic on a corporate intranet, a private-network intranet or at carrier level is mirrored and monitored, the check-in information of known remote control trojans (such as domain names and IP addresses) is configured in advance, and when communication with these sensitive hosts appears in the network traffic, the user is informed of the infection. Since this method can only monitor trojan activity within a finite region, it cannot solve the problem of how to discover the distribution of remote control trojan control terminals in the network environment.
Another method learns the network address of a remote control trojan's control terminal mainly by analyzing malicious samples, for example by analyzing samples captured by means such as sample collection or honeypots, thereby determining the network address of the remote control trojan control terminal. Clearly this method, which relies only on the traditional analysis of malicious samples, also cannot meet the need to discover the distribution of remote control trojan control terminals in a network environment.
No effective solution to the above problems has been proposed so far.
Invention content
In view of this, the purpose of the present invention is to provide a detection method and system for whole-network trojan control terminals, to alleviate the technical problem in the prior art that the need to discover the distribution of remote control trojan control terminals in a network environment cannot be met, leaving user experience poor.
In a first aspect, an embodiment of the present invention provides a detection method for whole-network trojan control terminals, comprising:
receiving a target network segment to be tested input by a user;
performing a port scan on all targets to be detected in the target network segment, to determine suspected detection targets according to the scan results;
probing the suspected detection targets with pre-configured remote control trojan probe strategies, to determine whether each suspected detection target is a remote control trojan control terminal.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, wherein performing a port scan on all targets to be detected in the target network segment to obtain suspected detection targets comprises:
performing a port scan on the target to be detected;
extracting the response data of the open ports obtained after the port scan of the target to be detected;
judging, according to the response data, whether an open port carries a remote control trojan control terminal fingerprint;
if so, marking the target to be detected to which the port carrying the remote control trojan control terminal fingerprint belongs as a suspected detection target.
With reference to the first possible implementation of the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, wherein there are multiple pre-configured remote control trojan probe strategies;
probing the suspected detection target with the pre-configured remote control trojan probe strategies to determine whether it is a remote control trojan control terminal comprises:
probing the suspected detection target with each pre-configured remote control trojan probe strategy, to determine whether the suspected detection target is a remote control trojan control terminal.
With reference to the second possible implementation of the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, wherein probing the suspected detection target with each pre-configured remote control trojan probe strategy to determine whether it is a remote control trojan control terminal comprises:
sending probe messages to the suspected detection target according to the probe content contained in each pre-configured remote control trojan probe strategy, and obtaining the feedback information the suspected detection target sends in response to the probe messages;
judging whether the feedback information is consistent with the preset feedback information contained in the pre-configured remote control trojan probe strategy;
if consistent, confirming that the suspected detection target is a remote control trojan control terminal.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, wherein the method further comprises:
when the suspected detection target is determined to be a remote control trojan control terminal, extracting the detection information from the process in which the remote control trojan probe strategy probed the suspected detection target; the detection information includes the IP address of the suspected detection target, the port number, the remote control trojan type and the detection time.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, wherein the method further comprises:
after all suspected detection targets among the targets to be detected have been probed with the pre-configured remote control trojan probe strategies, and it has been determined from the interaction results whether each of them is a remote control trojan control terminal, generating a distribution result based on the suspected detection targets in the target network segment that were confirmed to be remote control trojan control terminals, wherein the distribution result is used to analyze the security risk trend of the target network segment.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation of the first aspect, wherein the method further comprises:
pre-configuring the remote control trojan probe strategies.
In a second aspect, an embodiment of the present invention also provides a detection system for whole-network trojan control terminals, comprising:
a receiving module, for receiving a target network segment to be tested input by a user;
a scan module, for performing a port scan on all targets to be detected in the target network segment, to determine suspected detection targets according to the scan results;
a probing module, for probing the suspected detection targets with pre-configured remote control trojan probe strategies, to determine whether each suspected detection target is a remote control trojan control terminal.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation of the second aspect, wherein the scan module is specifically used for:
performing a port scan on the target to be detected;
extracting the response data of the open ports obtained after the port scan of the target to be detected;
judging, according to the response data, whether an open port carries a remote control trojan control terminal fingerprint;
if so, marking the target to be detected to which the port carrying the remote control trojan control terminal fingerprint belongs as a suspected detection target.
With reference to the first possible implementation of the second aspect, an embodiment of the present invention provides a second possible implementation of the second aspect, wherein there are multiple pre-configured remote control trojan probe strategies;
the probing module is specifically used for:
probing the suspected detection target with each pre-configured remote control trojan probe strategy, to determine whether the suspected detection target is a remote control trojan control terminal.
In a third aspect, an embodiment of the present invention further provides an electronic device comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the steps of the above detection method for whole-network trojan control terminals.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the above detection method for whole-network trojan control terminals.
The embodiments of the present invention bring the following advantageous effect. In the detection method, system, electronic device and computer readable storage medium provided, the detection method first receives the target network segment input by the user, such as the whole network or another specified network segment; then performs a port scan on the targets to be detected in that network segment, to determine suspected detection targets according to the scan results; and finally probes the suspected detection targets with the pre-configured remote control trojan probe strategies, to determine whether each suspected detection target is a remote control trojan control terminal. It can thus discover remote control trojan control terminals in a network environment and learn their distribution, which improves user experience and alleviates the technical problem in the prior art that the need to discover the distribution of remote control trojan control terminals in a network environment cannot be met, leaving user experience poor.
Other features and advantages of the present invention will be set out in the following description, and in part will become apparent from the description or be learned by practising the invention. The objects and other advantages of the invention are realized and obtained by the structures particularly pointed out in the description, the claims and the drawings.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below together with the appended drawings.
Description of the drawings
In order to illustrate the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention; those of ordinary skill in the art may obtain other drawings from these drawings without creative labour.
Fig. 1 is a flowchart of a detection method for whole-network trojan control terminals provided by an embodiment of the present invention;
Fig. 2 is a flowchart of step S102 of a detection method for whole-network trojan control terminals provided by an embodiment of the present invention;
Fig. 3 is a flowchart of another detection method for whole-network trojan control terminals provided by an embodiment of the present invention;
Fig. 4 is an application principle diagram of a detection method for whole-network trojan control terminals provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of a detection system for whole-network trojan control terminals provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of an electronic device provided by an embodiment of the present invention.
Specific implementation mode
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative work fall within the protection scope of the present invention.
Remote control trojans are a common attack tool of hackers, and perceiving the distribution of remote control trojan control terminals is an important task in the field of information security, with very high threat intelligence value.
The first prior art: traffic on a corporate intranet, a private-network intranet or at carrier level is mirrored and monitored, the check-in information of known remote control trojans (such as domain names and IP addresses) is configured in advance, and when communication with these sensitive hosts appears in the network traffic, the user is informed of the infection.
The second prior art: the network address of a remote control trojan's control terminal is learned by analyzing malicious samples.
However, the existing technical solutions have the following shortcomings:
1) They can only perceive abnormal hosts in the network environment that communicate with known remote control trojan control terminals.
2) They lack the ability to perceive unknown remote control trojan control terminals; when a remote control trojan infection in the network environment changes its check-in domain name or IP address, perception is lost.
3) The false alarm rate is high, and the distribution of remote control trojan control terminals cannot be perceived actively.
4) Each malicious sample can only yield the network address of one corresponding remote control trojan control terminal, which cannot meet the need to discover the whole-network distribution of remote control trojan control terminals.
On this basis, the detection method and system for whole-network trojan control terminals provided by the embodiments of the present invention can alleviate, wholly or in part, the above technical problem that the distribution of remote control trojan control terminals cannot be perceived actively, which leads to poor user experience.
The term "remote control trojan" is briefly explained first:
Remote control technology is a technology for controlling an operating system remotely over a network. A remote control trojan here refers to a trojan program that a hacker has built by borrowing traditional remote control technology in order to control other people's computers remotely without authorization; once a victim is infected by the trojan program, it actively makes "going online" (check-in) contact with the control terminal.
For ease of understanding the present embodiment, a detection method for whole-network trojan control terminals disclosed in an embodiment of the present invention is first described in detail.
Embodiment one:
Fig. 1 is a flowchart of a detection method for whole-network trojan control terminals provided by an embodiment of the present invention.
In the embodiment of the present invention, the method is applied to a detection system for whole-network trojan control terminals that simulates a controlled terminal, and comprises the following steps:
Step S101: receive a target network segment to be tested input by a user.
The target network segment may be the whole network, or any network segment the user specifies.
Step S102: perform a port scan on all targets to be detected in the target network segment, to determine suspected detection targets according to the scan results.
The targets to be detected are the network devices in the target network segment; a network device has an IP address and multiple ports, and a target to be detected refers primarily to the IP address of the network device.
A suspected detection target is a target to be detected that has a port carrying a remote control trojan fingerprint. The port scan is performed by active iterative scanning, which is more efficient than the traditional port scanning mode.
In a specific implementation, with reference to Fig. 2, step S102 comprises the following steps:
Step S1021: perform a port scan on the target to be detected;
Step S1022: extract the response data of the open ports obtained after the port scan of the target to be detected;
Step S1023: judge, according to the response data, whether an open port carries a remote control trojan control terminal fingerprint;
if so, execute step S1024; if not, execute step S1025;
Step S1024: mark the target to be detected to which the port carrying the remote control trojan control terminal fingerprint belongs as a suspected detection target;
Step S1025: discard.
Step S103: probe the suspected detection target with the pre-configured remote control trojan probe strategies, to determine whether the suspected detection target is a remote control trojan control terminal.
The pre-configured remote control trojan probe strategy is the interaction strategy of a known remote control trojan sample's check-in process between the control terminal and the controlled terminal, as simulated by the detection system. The check-in process includes the handshake procedure, the authentication procedure and the communication data packets. The probe content of the pre-configured strategy is generated from the communication messages the controlled terminal sends to the control terminal during check-in, and the feedback information of the pre-configured strategy is generated from the control terminal's responses to those communication messages during check-in. It should be noted that the pre-configured remote control trojan probe strategies can be completed by manual configuration or realized by machine training.
In the present embodiment there are multiple pre-configured remote control trojan probe strategies;
in this case, step S103 is realized by the following step:
A: probe the suspected detection target with each pre-configured remote control trojan probe strategy, to determine whether the suspected detection target is a remote control trojan control terminal.
Specifically, step A can be executed by the following steps:
A1: send probe messages to the suspected detection target according to the probe content contained in each pre-configured remote control trojan probe strategy, and obtain the feedback information the suspected detection target sends in response to the probe messages;
A2: judge whether the feedback information is consistent with the preset feedback information contained in the pre-configured remote control trojan probe strategy;
if consistent, execute step A3; if inconsistent, execute step A4;
A3: confirm that the suspected detection target is a remote control trojan control terminal;
A4: discard.
The detection method for whole-network trojan control terminals provided by the embodiment of the present invention comprises: receiving a target network segment to be tested input by a user; performing a port scan on all targets to be detected in the target network segment, to determine suspected detection targets according to the scan results, where the targets to be detected are the network devices in the target network segment; and probing the suspected detection targets with pre-configured remote control trojan probe strategies, to determine whether each suspected detection target is a remote control trojan control terminal. The technical solution provided by the embodiment therefore first receives the target network segment input by the user, such as the whole network or another specified network segment; then port-scans the targets to be detected in that segment to determine suspected detection targets from the scan results; and finally probes the suspected detection targets with the pre-configured remote control trojan probe strategies to determine whether each is a remote control trojan control terminal. It can thus discover remote control trojan control terminals in a network environment and learn their distribution, which improves user experience and alleviates the technical problem in the prior art that the need to discover the distribution of remote control trojan control terminals in a network environment cannot be met, leaving user experience poor.
It should be noted that in one embodiment the method may probe each suspected detection target as soon as it is obtained: the targets to be detected in the target network segment are port-scanned one by one, and whenever a suspected detection target is found it is probed with the pre-configured remote control trojan probe strategies before the port scan proceeds to the next target to be detected.
In another embodiment the method may first obtain all suspected detection targets: the targets to be detected in the target network segment are port-scanned one by one until all suspected detection targets in the segment have been found, and then the pre-configured remote control trojan probe strategies are used to probe each suspected detection target in turn.
Embodiment two:
As shown in Fig. 3, on the basis of embodiment one, an embodiment of the present invention provides another detection method for whole-network trojan control terminals; the difference from embodiment one is that this method further comprises:
Step S301: pre-configure the remote control trojan probe strategies.
Specifically, step S301 mainly comprises:
1. Put the client and the server of an existing remote control trojan sample into a virtual machine, and set the IP address of the virtual machine as the check-in address.
Specifically, a virtual machine hosts the client (i.e. the control terminal) of a known remote control trojan sample and the server (i.e. the controlled terminal) of the same sample, and the IP address of the virtual machine is set as the trojan's check-in address; the server then actively checks in and connects to the client.
2. Obtain the communication messages exchanged between the client and the server during the communication.
Specifically, packets are captured on the client and on the server respectively, the communication messages exchanged between them are recorded, and the communication messages generated during the check-in interaction are collected; these comprise the server's communication messages (referred to here as the probe content) and the client's communication messages (referred to here as the feedback information).
3. Extract the communication messages, use them to simulate the probing process, and judge from the simulation result whether the test check-in succeeds.
Specifically, the detection system simulates the controlled terminal: it extracts the communication messages of the known sample's server and uses them to perform a check-in interaction with the known sample's client, thereby simulating the controlled terminal's probing process, and judges from the control terminal's responses during this process whether the detection system's simulated check-in succeeds. The probing process includes the handshake procedure, the authentication procedure and the communication data packets. It should be noted that the check-in interaction refers mainly to interaction at the service layer, i.e. business interaction.
If it succeeds, execute step 4; if it does not succeed, discard.
4. Record the successfully simulated probing process.
5. Store the probing process as a remote control trojan probe strategy in a preset data format.
Since there are multiple known remote control trojan samples, there are multiple remote control trojan probe strategies, and for different samples the specific content of the check-in interaction of the different probe strategies (including the communication messages, e.g. the business password) also differs.
Step S301 generates the remote control trojan probe strategies from the interaction process in which a known remote control trojan checks in between the controlled terminal and the control terminal. Specifically, the packet exchange of the trojan's check-in handshake is analyzed under experimental conditions, and the extracted interaction method and protocol procedure are converted into the trojan's check-in interaction strategy, so that in actual detection the system can simulate the controlled terminal, perform a check-in interaction with a detection target using the generated probe strategy, and determine from the detection target's response whether it is a remote control trojan control terminal.
Step S302 extracts remote control Trojan exploration policy pair when it is remote control Trojan control terminal to determine doubtful detection target Doubtful detection target carries out the detection information in detection process;
Above-mentioned detection information includes the doubtful IP address for detecting target, port numbers, remote control Trojan type, detection time.
Further, this method further includes:Detection information is stored with preset format to database.
Using be pre-configured remote control Trojan exploration policy to all doubtful detection targets in above-mentioned target to be detected into Row detection, to determine whether above-mentioned all doubtful detection targets are this method after remote control Trojan control terminal according to interaction results Further include:
Step S303 is generated based on the doubtful detection target for being confirmed as remote control Trojan control terminal in the object to be measured network segment and is divided Cloth result.
Wherein, above-mentioned distribution results are for analyzing the security risk trend of the above-mentioned object to be measured network segment.
The present invention is implemented the detection method provided and is detected using active iterative scans, such as is for the object to be measured network segment Active iteration the whole network scanning probe is used when the whole network, and remote control Trojan control is detected and found according to remote control Trojan fingerprint characteristic End, may further analyze security risk trend of the remote control Trojan to the whole network.It is different from traditional port detection scanning (syn+ The modes such as ack), this method using simulation remote control Trojan communication message as probe messages come active probe, and with more efficient The whole network speed of detection detects internet to ensure detection data validity.
For ease of understanding, a practical application scenario of the detection method for whole-network Trojan control terminals provided by the embodiments of the present invention is illustrated with reference to Fig. 4:
Step S401: receive the network segment, input by the user, on which remote control Trojan distribution detection is to be performed;
Step S402: perform a network port scan on the targets to be detected;
Step S403: extract the response data of the open ports and judge whether a remote control Trojan control terminal fingerprint is present.
If so, proceed to the next step, step S404; if not, perform step S409 and discard.
Step S404: load the pre-configured remote control Trojan going-online interaction strategy and perform a simulated going-online interaction against the port that carries the remote control Trojan control terminal fingerprint;
Here the remote control Trojan going-online interaction strategy is the remote control Trojan probe strategy.
Step S405: judge whether the response to the simulated going-online interaction is consistent with the response configured in the remote control Trojan going-online interaction strategy;
Specifically, judge whether the response of the detected host (the host whose port carries the remote control Trojan control terminal fingerprint) in the simulated going-online interaction is consistent with the response of the known remote control Trojan control terminal configured in the remote control Trojan going-online interaction strategy.
If consistent, perform step S406; if inconsistent, perform step S410 and discard.
Step S406: confirm that the detected host is the control terminal to which the remote control Trojan goes online;
Step S407: store the detection information of the detected remote control Trojan control terminal in the database in a preset format;
Here the detection information includes, but is not limited to, the IP address, port number, remote control Trojan type and detection time.
Specifically, the IP address, port number, remote control Trojan type, detection time and other information of the detected remote control Trojan control terminal are stored in a MongoDB database in JSON (JavaScript Object Notation) format; JSON is a lightweight data interchange format, and MongoDB is a database based on distributed document storage.
Step S408: judge whether the detection task is complete.
Specifically, this is judged by whether the queue of targets to be detected in the network segment has been exhausted.
If complete, perform step S410; if not, return to step S402 and continue the detection operation.
Step S409: end the detection.
The embodiments of the present invention relate to a method and system for detecting whole-network Trojan control terminals, that is, Trojan control terminals in a network environment. The going-online handshake of a remote control Trojan is analysed at the packet level in a test environment, and the extracted interaction method and protocol flow are converted into a going-online interaction strategy for that Trojan. When probing detection targets in the whole network or in a user-specified network segment, simulated remote control Trojan communication messages are used as probe messages to carry out the going-online interaction with the detection target, and the feedback returned by the detection target (including the remote control program fingerprint) determines whether it is a remote control Trojan control terminal.
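As an added illustration that is not part of the patent, the following Python sketch models the S401-S409 flow and the strategy format of steps 1-5 above: a probe strategy pairs a banner fingerprint with the simulated going-online message and the control terminal reply recorded from a known sample; only ports whose response carries the fingerprint are probed, a matching reply confirms a control terminal, and the detection record carries the IP address, port, Trojan type and time that the description stores as JSON. All fingerprints, messages, Trojan names and hosts are constructed placeholders, and the transport is an in-memory stub standing in for the network socket.

```python
# Added example (not from the patent): a minimal model of the S401-S409 flow.
# All fingerprints, messages and hosts are constructed placeholders; no real
# remote-control Trojan protocol is reproduced here.
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Transport: send a probe to (ip, port) and return the reply, or None when the
# host does not answer. In the patent this is the network socket; here it is
# injected so the example runs offline against the stub defined below.
Transport = Callable[[str, int, bytes], Optional[bytes]]


@dataclass(frozen=True)
class ProbeStrategy:
    """One pre-configured probe strategy (steps 1-5 of the description): the
    banner fingerprint marking a suspected control terminal, the simulated
    going-online message, and the controller reply recorded from a known sample."""
    trojan_type: str
    fingerprint: bytes      # matched against the open port's response data (S403)
    online_message: bytes   # simulated going-online probe message (S404)
    expected_reply: bytes   # known control-terminal response to compare against (S405)


# Constructed placeholder strategies; real ones come from packet analysis of
# known samples in a test environment, as the description explains.
STRATEGIES: List[ProbeStrategy] = [
    ProbeStrategy("DemoRAT-A", b"DEMO-RAT-A", b"HELLO host=victim ver=1.0", b"DEMO-RAT-A OK"),
    ProbeStrategy("DemoRAT-B", b"XRAT", b"\x01\x00LOGIN", b"XRAT\x02ACCEPT"),
]


def suspected_strategies(banner: bytes, strategies: List[ProbeStrategy]) -> List[ProbeStrategy]:
    """S403: strategies whose fingerprint appears in the port's response data.
    An empty list means the port carries no fingerprint and is discarded (S409)."""
    return [s for s in strategies if s.fingerprint in banner]


def probe_port(ip: str, port: int, banner: bytes, transport: Transport,
               strategies: List[ProbeStrategy] = STRATEGIES,
               now: Optional[datetime] = None) -> Optional[Dict]:
    """S403-S407 for one open port: fingerprint check, simulated going-online
    interaction per matching strategy, and the detection record on a matching
    reply. Returns None when the port is not confirmed as a control terminal."""
    for strategy in suspected_strategies(banner, strategies):
        reply = transport(ip, port, strategy.online_message)          # S404
        if reply is not None and reply == strategy.expected_reply:    # S405
            stamp = (now or datetime.now(timezone.utc)).isoformat()
            return {"ip": ip, "port": port,                           # S406/S407
                    "trojan_type": strategy.trojan_type,
                    "detection_time": stamp}
    return None


def scan_segment(open_ports: Dict[str, Dict[int, bytes]], transport: Transport,
                 strategies: List[ProbeStrategy] = STRATEGIES,
                 now: Optional[datetime] = None) -> List[Dict]:
    """S402-S408: walk the target queue (port-scan result given as
    {ip: {port: banner}}) and collect confirmed control terminals. The
    resulting list is the per-segment 'distribution result' of step S303."""
    records: List[Dict] = []
    for ip, ports in open_ports.items():
        for port, banner in ports.items():
            rec = probe_port(ip, port, banner, transport, strategies, now)
            if rec:
                records.append(rec)
    return records


# --- Constructed offline stand-ins for the scanned network -----------------
# 10.0.0.5:4444 carries a fingerprint AND answers the going-online message as
# the strategy expects; 10.0.0.7:8080 carries a fingerprint-like banner but
# replies differently (a decoy or unrelated service), so S405 rejects it.
CONSTRUCTED_SCAN: Dict[str, Dict[int, bytes]] = {
    "10.0.0.5": {4444: b"DEMO-RAT-A server ready", 22: b"SSH-2.0-OpenSSH"},
    "10.0.0.7": {8080: b"DEMO-RAT-A", 80: b"HTTP/1.1 200 OK"},
    "10.0.0.9": {5555: b"XRAT"},
}

_STUB_REPLIES = {
    ("10.0.0.5", 4444, b"HELLO host=victim ver=1.0"): b"DEMO-RAT-A OK",
    ("10.0.0.7", 8080, b"HELLO host=victim ver=1.0"): b"HTTP/1.1 400 Bad Request",
    ("10.0.0.9", 5555, b"\x01\x00LOGIN"): b"XRAT\x02ACCEPT",
}


def stub_transport(ip: str, port: int, msg: bytes) -> Optional[bytes]:
    """In-memory stand-in for the socket exchange; None means no answer."""
    return _STUB_REPLIES.get((ip, port, msg))


if __name__ == "__main__":
    # Print the records in the JSON form the description stores in MongoDB.
    print(json.dumps(scan_segment(CONSTRUCTED_SCAN, stub_transport), indent=2))
```

The fingerprint check alone (S403) would flag 10.0.0.7:8080 as well; only the response comparison of S405 separates a real control terminal from a service that merely looks like one.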
Embodiment three:
As shown in Fig. 5, an embodiment of the present invention provides a detection system for whole-network Trojan control terminals, comprising a receiving module 501, a scanning module 502 and a probing module 503.
The receiving module 501 is used to receive the target network segment input by the user;
the scanning module 502 is used to perform a port scan on all targets to be detected in the target network segment and to determine suspected detection targets from the scan results, where the targets to be detected are the network devices in the target network segment;
the probing module 503 is used to probe the suspected detection targets with the pre-configured remote control Trojan probe strategy, so as to determine whether the suspected detection targets are remote control Trojan control terminals.
Further, the scanning module is specifically used to: perform a port scan on the targets to be detected; extract the response data of the open ports obtained from the port scan; judge from the response data whether the open ports carry a remote control Trojan control terminal fingerprint; and, if so, mark the target to be detected to which a port carrying such a fingerprint belongs as a suspected detection target.
Further, there are multiple pre-configured remote control Trojan probe strategies;
the probing module is specifically used to probe the suspected detection target with each of the pre-configured remote control Trojan probe strategies, so as to determine whether the suspected detection target is a remote control Trojan control terminal.
The detection system for whole-network Trojan control terminals provided by the embodiments of the present invention stores probe strategies for simulated interaction with control terminals. In the process of detecting remote control Trojan control terminals in a network environment it can simulate the controlled terminal and, using various simulated remote control Trojan communication messages as probe messages, determine whether a detection target in the network environment is a remote control Trojan control terminal. It can thus actively learn the distribution of remote control Trojan control terminals in the network environment, solving the prior-art problem of how to actively probe that distribution.
The detection system for whole-network Trojan control terminals provided by the embodiments of the present invention has the same technical features as the detection method for whole-network Trojan control terminals provided by the above embodiments, so it can also solve the same technical problem and achieve the same technical effect.
The detection method and system for whole-network Trojan control terminals provided by the embodiments of the present invention actively probe the whole network or a specified network environment, can detect malicious hosts in the target network that are currently running the control-terminal program of a remote control Trojan, can solve the problem of how to actively probe the distribution of remote control Trojan control terminals, and provide high-value threat intelligence and data for network information security work.
The system provided by the embodiments of the present invention has the same implementation principle and technical effect as the preceding method embodiments; for brevity, where the system embodiment does not mention something, reference may be made to the corresponding content of the preceding method embodiments.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems and devices described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here.
The flowcharts and block diagrams in the drawings show the possible architecture, functions and operations of systems, methods and computer program products according to multiple embodiments of the present invention. In this regard, each box in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the boxes may occur in an order different from that shown in the drawings. For example, two consecutive boxes may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and each combination of boxes, may be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
Referring to Fig. 6, an embodiment of the present invention also provides an electronic device 100 comprising a processor 40, a memory 41, a bus 42 and a communication interface 43; the processor 40, communication interface 43 and memory 41 are connected by the bus 42, and the processor 40 is used to execute executable modules, such as computer programs, stored in the memory 41.
The memory 41 may comprise high-speed random access memory (RAM) and may further comprise non-volatile memory, for example at least one disk memory. The communication connection between this system's network element and at least one other network element is realised through at least one communication interface 43 (wired or wireless) and may use the Internet, a wide area network, a local network, a metropolitan area network (MAN), etc.
The bus 42 may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus, etc. For ease of representation only a single double-headed arrow is drawn in Fig. 6, which does not mean that there is only one bus or only one type of bus.
The memory 41 is used to store programs; the processor 40 executes the program after receiving an execution instruction. The method performed by the flow-defined system disclosed in any of the preceding embodiments of the present invention may be applied to, or implemented by, the processor 40.
The processor 40 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 40 or by instructions in software form. The processor 40 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or execute the methods, steps and logic diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be embodied directly as being completed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 41; the processor 40 reads the information in the memory 41 and completes the steps of the above method in combination with its hardware.
In another embodiment, an embodiment of the present invention provides a computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to execute the method described in the above method embodiments.
In addition, in the description of the embodiments of the present invention, unless otherwise specified and limited, the terms "mounted", "connected to" and "connected" should be understood in a broad sense: they may mean a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection or an indirect connection through an intermediary; or internal communication between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific circumstances.
In the description of the present invention it should be noted that orientation or positional terms such as "centre", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientation or positional relationship shown in the drawings, are used only to facilitate and simplify the description, and do not indicate or imply that the system or element referred to must have a particular orientation or be configured and operated in a particular orientation; they are therefore not to be construed as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, subsystems and units described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here.
In the several embodiments provided in this application it should be understood that the disclosed systems, subsystems and methods may be implemented in other ways. The system embodiments described above are merely illustrative: for example, the division of units is only one kind of division by logical function, and other divisions are possible in actual implementation; as a further example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, systems or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a processor-executable non-volatile computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes: a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium capable of storing program code.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate rather than limit its technical solution, and the scope of protection of the present invention is not limited to them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that anyone familiar with the art may, within the technical scope disclosed by the present invention, still modify the technical solutions recorded in the foregoing embodiments, readily conceive of variations, or make equivalent replacements of some of the technical features; such modifications, variations or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (10)

1. A detection method for whole-network Trojan control terminals, characterised in that it comprises:
receiving a target network segment input by a user;
performing a port scan on all targets to be detected in the target network segment, so as to determine suspected detection targets from the scan results;
probing the suspected detection targets with a pre-configured remote control Trojan probe strategy, so as to determine whether the suspected detection targets are remote control Trojan control terminals.
2. The method according to claim 1, characterised in that performing a port scan on all targets to be detected in the target network segment to obtain suspected detection targets comprises:
performing a port scan on the targets to be detected;
extracting the response data of the open ports obtained from the port scan of the targets to be detected;
judging from the response data whether the open ports carry a remote control Trojan control terminal fingerprint;
if so, marking the target to be detected to which a port carrying a remote control Trojan control terminal fingerprint belongs as a suspected detection target.
3. The method according to claim 2, characterised in that there are multiple pre-configured remote control Trojan probe strategies;
probing the suspected detection targets with the pre-configured remote control Trojan probe strategy to determine whether the suspected detection targets are remote control Trojan control terminals comprises:
probing the suspected detection targets with each of the pre-configured remote control Trojan probe strategies, so as to determine whether the suspected detection targets are remote control Trojan control terminals.
4. The method according to claim 3, characterised in that probing the suspected detection targets with each of the pre-configured remote control Trojan probe strategies to determine whether the suspected detection targets are remote control Trojan control terminals comprises:
sending probe messages to the suspected detection target according to the probing scheme contained in each pre-configured remote control Trojan probe strategy, and obtaining the feedback information the suspected detection target sends in response to the probe messages;
judging whether the feedback information is consistent with the preset feedback information contained in the pre-configured remote control Trojan probe strategy;
if consistent, confirming that the suspected detection target is a remote control Trojan control terminal.
5. The method according to claim 1, characterised in that the method further comprises:
when the suspected detection target is determined to be a remote control Trojan control terminal, extracting the detection information produced while probing the suspected detection target with the remote control Trojan probe strategy; wherein the detection information comprises the IP address, port number, remote control Trojan type and detection time of the suspected detection target.
6. The method according to claim 1, characterised in that the method further comprises:
after all suspected detection targets among the targets to be detected have been probed with the pre-configured remote control Trojan probe strategy and it has been determined from the interaction results whether all of them are remote control Trojan control terminals, generating a distribution result based on the suspected detection targets in the target network segment that were confirmed to be remote control Trojan control terminals, wherein the distribution result is used to analyse the security risk trend of the target network segment.
7. The method according to claim 1, characterised in that the method further comprises:
pre-configuring the remote control Trojan probe strategy.
8. A detection system for whole-network Trojan control terminals, characterised in that it comprises:
a receiving module, for receiving a target network segment input by a user;
a scanning module, for performing a port scan on all targets to be detected in the target network segment, so as to determine suspected detection targets from the scan results;
a probing module, for probing the suspected detection targets with a pre-configured remote control Trojan probe strategy, so as to determine whether the suspected detection targets are remote control Trojan control terminals.
9. The system according to claim 8, characterised in that the scanning module is specifically used to:
perform a port scan on the targets to be detected;
extract the response data of the open ports obtained from the port scan of the targets to be detected;
judge from the response data whether the open ports carry a remote control Trojan control terminal fingerprint;
if so, mark the target to be detected to which a port carrying a remote control Trojan control terminal fingerprint belongs as a suspected detection target.
10. The system according to claim 9, characterised in that there are multiple pre-configured remote control Trojan probe strategies;
the probing module is specifically used to:
probe the suspected detection targets with each of the pre-configured remote control Trojan probe strategies, so as to determine whether the suspected detection targets are remote control Trojan control terminals.
CN201810809216.0A 2018-07-20 2018-07-20 A kind of detection method and system of the whole network wooden horse control terminal Pending CN108810028A (en)


Publications (1)

Publication Number Publication Date
CN108810028A true CN108810028A (en) 2018-11-13

Family

ID=64077558


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491817A (en) * 2020-11-12 2021-03-12 中国联合网络通信集团有限公司 Honeypot technology-based tracing method and device and honeypot equipment
CN113949748A (en) * 2021-10-15 2022-01-18 北京知道创宇信息技术股份有限公司 Network asset identification method and device, storage medium and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567884A (en) * 2009-05-26 2009-10-28 西北工业大学 Method for detecting network theft Trojan
CN103532957A (en) * 2013-10-18 2014-01-22 电子科技大学 Device and method for detecting trojan remote shell behavior
CN103701777A (en) * 2013-12-11 2014-04-02 长春理工大学 Remote network attack and defense virtual simulation system based on virtualization and cloud technology
US20140366088A1 (en) * 2004-04-07 2014-12-11 Fortinet, Inc. Systems and methods for passing network traffic content


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
天绍文化,田元: "《看图学 电脑优化、软硬件升级、系统检测、故障排除》", 31 August 2008 *



Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181113