CN109327453A - Method for identifying a specific threat, and electronic device - Google Patents


Info

Publication number
CN109327453A
Authority
CN
China
Prior art keywords
hash value
mail
specific threat
propagation
record sheet
Legal status
Granted (currently active)
Application number
CN201811291181.2A
Other languages
Chinese (zh)
Other versions
CN109327453B (en)
Inventor
秦梦姣
Current Assignee
Beidou Zhigu (beijing) Safety Technology Co Ltd
Original Assignee
Beidou Zhigu (beijing) Safety Technology Co Ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416  Event detection, e.g. attack signature detection
    • H04L63/1441  Countermeasures against malicious traffic

Abstract

The present invention provides a method for identifying a specific threat, and an electronic device, to solve the problem that identifying a specific threat in the prior art is inefficient and inaccurate. The method comprises: determining first flow data in the mirror data of Internet traffic data according to a preset protocol; in response to the first flow data being reassembled into a propagated file, extracting first protocol information of the first flow data and a first hash value of the attachment contained in the propagated file; determining a malicious-program propagation record table according to the first protocol information, the first hash value and the propagated file; and determining the hash value of the specific threat in the malicious-program propagation record table according to a set condition.

Description

Method for identifying a specific threat, and electronic device
Technical field
The present invention relates to the field of computer technology, and in particular to a method for identifying a specific threat and to an electronic device.
Background art
With the development of Internet technology, governments and enterprises conduct their business over the Internet. Although this is very convenient, they face numerous targeted attacks aimed at state secrets or corporate secrets, such as Advanced Persistent Threat (APT) attacks. APT attacks have become a necessary concern of network security and national security: once a government or enterprise is hit by an APT attack, its confidential information or data is compromised, so discovering an APT attack quickly and effectively can reduce the loss to the country or the enterprise. However, APT attacks are generally covert, persistent and frequently updated, so how to identify the specific threats that carry out APT attacks quickly and accurately is a problem that currently needs to be solved.
In the prior art, two approaches are generally used to locate a specific threat. In the first, an APT detection device monitors known malicious programs and unknown file data by means of exploit programs and dynamic analysis, and the specific threat is then located and identified by manual analysis; because the volume of file data is very large, the efficiency of identifying the specific threat is very low. In the second, unknown files that the anti-virus engine cannot detect are analysed manually by online virtual execution and characterised through long-term observation, which is also very inefficient; moreover, since a high proportion of the specific threats that carry out APT attacks are in fact recognised by the anti-virus engine, analysing only the unknown files leaves most of the monitored data unexamined, so the accuracy of identifying the specific threat is low.
In summary, how to improve the efficiency and accuracy of identifying specific threats is a problem to be solved at present.
Summary of the invention
In view of this, the present invention provides a method for identifying a specific threat, and an electronic device, to solve the problem of low efficiency and low accuracy in identifying specific threats in the prior art.
According to a first aspect of the embodiments of the present invention, a method for identifying a specific threat is provided, comprising: determining first flow data in the mirror data of Internet traffic data according to a preset protocol; in response to the first flow data being reassembled into a propagated file, extracting first protocol information of the first flow data and a first hash value of the attachment contained in the propagated file; determining a malicious-program propagation record table according to the first protocol information, the first hash value and the propagated file; and determining the hash value of the specific threat in the malicious-program propagation record table according to a set condition.
In one embodiment, after determining the hash value of the specific threat in the malicious-program propagation record table according to the set condition, the method further comprises: determining the propagated file of the corresponding specific threat according to the hash value of the specific threat.
In one embodiment, determining the malicious-program propagation record table according to the first protocol information, the first hash value and the propagated file specifically comprises: saving the first protocol information and the first hash value in a first list; performing threat detection on the propagated file; taking the first protocol information corresponding to a propagated file that is found to carry a threat as second protocol information, and determining the second hash value corresponding to the second protocol information; and saving the second protocol information and the second hash value in the malicious-program propagation record table.
In one embodiment, the preset protocol comprises: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or the Server Message Block (SMB) protocol.
In one embodiment, the first protocol information comprises at least one of: source IP, destination IP, source port, destination port, transport protocol type, file name, file Uniform Resource Locator (URL), e-mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data or e-mail attachment name.
In one embodiment, determining the specific-threat hash value in the malicious-program propagation record table according to the set condition specifically comprises: determining that the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than a set threshold is the specific-threat hash value.
In one embodiment, determining that the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than the set threshold is the specific-threat hash value specifically comprises: determining that the hash value corresponding to a transport protocol type whose number of propagations in the malicious-program propagation record table is less than a set first threshold is the specific-threat hash value.
In one embodiment, determining that the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than the set threshold is the specific-threat hash value specifically comprises: determining that the hash value corresponding to an e-mail sender whose number of propagations in the malicious-program propagation record table is less than a set second threshold is the specific-threat hash value.
In one embodiment, determining that the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than the set threshold is the specific-threat hash value specifically comprises: determining that the hash value corresponding to a mail recipient whose count in the malicious-program propagation record table, after de-duplication of the mail recipients' server addresses, is less than a set third threshold is the specific-threat hash value, where the mail recipient includes the mail recipient, the mail CC recipient and the mail BCC recipient.
In one embodiment, determining that the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than the set threshold is the specific-threat hash value specifically comprises: determining that the hash value corresponding to an e-mail attachment name whose number of occurrences in the malicious-program propagation record table is less than a set fourth threshold is the specific-threat hash value.
In one embodiment, determining that the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than the set threshold is the specific-threat hash value specifically comprises: determining that the hash value corresponding to a mail subject whose number of occurrences in the malicious-program propagation record table is less than a set fifth threshold is the specific-threat hash value.
According to a second aspect of the embodiments of the present invention, a device for identifying a specific threat is provided, comprising: a confirmation unit, configured to determine first flow data in the mirror data of Internet traffic data according to a preset protocol; an extraction unit, configured to, in response to the first flow data being reassembled into a propagated file, extract first protocol information of the first flow data and a first hash value of the attachment contained in the propagated file; and a storage unit, configured to determine a malicious-program propagation record table according to the first protocol information, the first hash value and the propagated file; the confirmation unit is further configured to determine the hash value of the specific threat in the malicious-program propagation record table according to a set condition.
In one embodiment, after the hash value of the specific threat in the malicious-program propagation record table is determined according to the set condition, the confirmation unit is further configured to: determine the propagated file of the corresponding specific threat according to the hash value of the specific threat.
In one embodiment, the storage unit is specifically configured to: save the first protocol information and the first hash value in a first list; perform threat detection on the propagated file; take the first protocol information corresponding to a propagated file that is found to carry a threat as second protocol information, and determine the second hash value corresponding to the second protocol information; and save the second protocol information and the second hash value in the malicious-program propagation record table.
In one embodiment, the preset protocol comprises: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or the Server Message Block (SMB) protocol.
In one embodiment, the first protocol information comprises at least one of: source IP, destination IP, source port, destination port, transport protocol type, file name, file Uniform Resource Locator (URL), e-mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data or e-mail attachment name.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than a set threshold is the specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a transport protocol type whose number of propagations in the malicious-program propagation record table is less than a set first threshold is the specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to an e-mail sender whose number of propagations in the malicious-program propagation record table is less than a set second threshold is the specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail recipient whose count in the malicious-program propagation record table, after de-duplication of the mail recipients' server addresses, is less than a set third threshold is the specific-threat hash value, where the mail recipient includes the mail recipient, the mail CC recipient and the mail BCC recipient.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to an e-mail attachment name whose number of occurrences in the malicious-program propagation record table is less than a set fourth threshold is the specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail subject whose number of occurrences in the malicious-program propagation record table is less than a set fifth threshold is the specific-threat hash value.
According to a third aspect of the embodiments of the present invention, an electronic device is provided, comprising a memory and a processor, the memory being configured to store one or more computer program instructions, wherein the one or more computer program instructions are executed by the processor to implement the method according to the first aspect or any possible implementation of the first aspect.
According to a fourth aspect of the embodiments of the present invention, a computer-readable storage medium storing computer program instructions is provided, wherein the computer program instructions, when executed by a processor, implement the method according to the first aspect or any possible implementation of the first aspect.
The beneficial effects of the embodiments of the present invention include the following. First flow data are determined in the mirror data of Internet traffic data according to a preset protocol; in response to the first flow data being reassembled into a propagated file, the first protocol information of the first flow data and the first hash value of the attachment contained in the propagated file are extracted; the malicious-program propagation record table is determined according to the first protocol information, the first hash value and the propagated file; and the hash value of the specific threat in the malicious-program propagation record table is determined according to a set condition. In this way the embodiments confirm the hash value of the specific threat and then determine the propagated file corresponding to that hash value, without manual monitoring and analysis, and because all flow data carried over the preset protocols are monitored, no detection is missed, which improves the efficiency and accuracy of identifying the specific threat.
Detailed description of the invention
The above and other objects, features and advantages of the present invention will become more apparent from the following description of embodiments of the present invention with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of a method for identifying a specific threat according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for generating a malicious-program propagation record table according to an embodiment of the present invention;
Fig. 3 is a flow chart of another method for identifying a specific threat according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a device for identifying a specific threat according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Specific embodiment
The present invention is described below on the basis of embodiments, but the present invention is not limited to these embodiments. Certain specific details are described in the following detailed description of the invention; a person skilled in the art can fully understand the present application without the description of these details. In addition, a person skilled in the art should understand that the accompanying drawings provided herein are for the purpose of illustration.
Unless the context clearly requires otherwise, throughout the description and the claims words such as "include" and "comprise" are to be construed in an inclusive sense rather than an exclusive or exhaustive sense, that is, in the sense of "including but not limited to".
In the description of the present invention, it should be understood that the terms "first", "second" and the like are used for descriptive purposes only and cannot be understood as indicating or implying relative importance. In addition, in the description of the present invention, unless otherwise stated, "a plurality of" means two or more.
Fig. 1 is a flow chart of a method for identifying a specific threat according to an embodiment of the present invention. As shown in Fig. 1, the method for identifying a malicious program comprises:
Step S100: according to a preset protocol, determine first flow data in the mirror data of Internet traffic data.
Specifically, the first flow data comprise the protocol and the data packets that transmit the propagated file. The preset protocol comprises: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or the Server Message Block (SMB) protocol.
Optionally, before step S100 the method further comprises mirroring the Internet traffic data to obtain the mirror data of the Internet traffic data.
Step S101: in response to the first flow data being reassembled into a propagated file, extract the first protocol information of the first flow data and the first hash value of the attachment contained in the propagated file.
Specifically, the first protocol information comprises: source IP, destination IP, source port, destination port, transport protocol type, file name, file Uniform Resource Locator (URL), e-mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data and e-mail attachment name.
For example, it is judged whether the first flow data can be reassembled into a transmitted file; if they can be reassembled into a propagated file, the first protocol information of the first flow data and the first hash value of the attachment contained in the propagated file are extracted. For instance, if the first flow data are the flow data of a mail, the protocol that carries the mail is SMTP, and it is judged that the data packets of the received mail flow data can be reassembled into the mail, then the first protocol information corresponding to the mail and the first hash value of the attachment contained in the mail are extracted from the first flow data.
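As an added example (not part of the patent), the following Python takes one SMTP message that has already been reassembled from the mirrored flow and extracts the first protocol information together with a SHA-256 of each attachment, standing in for the patent's first hash value. The raw message, the flow-level fields and the envelope recipient list are constructed sample data; the patent does not specify the hash function, the field names or how BCC recipients are recovered, so those are choices made here.

```python
"""Added example for step S101: take one reassembled SMTP message and extract the
first protocol information and the first hash value of each attachment.

Not the patent's code. Assumes the flow has already been reassembled into the raw
RFC 5322 message (the patent's 'can be reassembled into a propagated file' check
is done upstream) and that flow-level fields and SMTP envelope recipients are
handed in by the capture layer. The message below is constructed sample data.
"""
from __future__ import annotations

import hashlib
from email import policy
from email.parser import BytesParser

# Constructed sample: an SMTP DATA payload with one base64 attachment.
RAW_MAIL = b"""From: zhangsan@example.invalid
To: qianqi@example.invalid
Cc: sunba@example.invalid
Subject: Work briefing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached briefing.
--b1
Content-Type: application/octet-stream; name="attachment2.docx"
Content-Disposition: attachment; filename="attachment2.docx"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed flow-level fields the capture layer would supply. BCC addresses
# never appear in message headers; they are only visible as SMTP RCPT TO
# commands, so the envelope recipient list is passed in alongside.
SAMPLE_FLOW = {
    "src_ip": "10.0.0.5", "dst_ip": "10.0.0.25",
    "src_port": 52344, "dst_port": 25,
    "protocol": "SMTP",
    "rcpt_to": ["qianqi@example.invalid", "sunba@example.invalid",
                "zhouliu@example.invalid"],
}


def sha256_hex(data: bytes) -> str:
    """The 'first hash value' of this example: SHA-256 of the attachment bytes."""
    return hashlib.sha256(data).hexdigest()


def _addresses(msg, header: str) -> list[str]:
    """addr-spec of every mailbox in a header, or [] if the header is absent."""
    h = msg[header]
    return [a.addr_spec for a in h.addresses] if h is not None else []


def extract_protocol_info(raw: bytes, flow: dict) -> list[dict]:
    """One record per attachment: flow fields + mail fields + attachment name
    + SHA-256 of the decoded attachment bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    to, cc = _addresses(msg, "To"), _addresses(msg, "Cc")
    # Envelope recipients not named in To/Cc are the BCC recipients.
    bcc = sorted(set(flow.get("rcpt_to", [])) - set(to) - set(cc))
    base = {
        **{k: v for k, v in flow.items() if k != "rcpt_to"},
        "sender": (_addresses(msg, "From") or [""])[0],
        "to": to, "cc": cc, "bcc": bcc,
        "subject": str(msg["Subject"] or ""),
    }
    records = []
    for part in msg.iter_attachments():
        # Hash the decoded payload, not the base64 text: the same file encoded
        # with different line wrapping must yield the same hash.
        payload = part.get_payload(decode=True) or b""
        records.append({**base,
                        "attachment_name": part.get_filename() or "",
                        "hash": sha256_hex(payload)})
    return records


if __name__ == "__main__":
    for rec in extract_protocol_info(RAW_MAIL, SAMPLE_FLOW):
        print(rec)
```

Two points the patent leaves implicit: the hash must be computed over the decoded attachment bytes, so re-encoding the same file does not create a new row in the first list; and BCC recipients can only be recovered from the SMTP envelope (RCPT TO), never from the message headers, so the recipient condition of step S103 needs the envelope captured as well as the message.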
Step S102: determine the malicious-program propagation record table according to the first protocol information, the first hash value and the propagated file.
Specifically, the implementation may be as shown in Fig. 2, as follows:
Step S1021: save the first protocol information and the first hash value in a first list.
For example, suppose the first protocol information consists of the transport protocol type, e-mail sender, mail recipient, mail subject and e-mail attachment name (abbreviated attachment name), the first hash value is a binary number, and there are ten propagated files. The first list of the acquired first protocol information and first hash values is then as shown in Table 1.
Table 1

Transport protocol type  E-mail sender  Mail recipient  Mail subject                 Attachment name  Hash
SMTP                     Zhang San      Qian Qi         Work briefing                Attachment 2     00001
POP3                     Zhang San      Qian Qi         Work briefing                Attachment 2     00010
IMAP                     Zhang San      Qian Qi         Work briefing                Attachment 3     00011
TFTP                     Li Si          Sun Ba          Work briefing                Attachment 2     00100
TFTP                     Zhao Wu        Sun Ba          Work briefing                Attachment 3     00101
POP3                     Zhao Wu        Zhou Liu        Preferential policy          Attachment 4     00110
IMAP                     Zhao Wu        Wu Jiu          Preferential policy          Attachment 4     00111
TFTP                     Zhao Wu        Qian Qi         Physical examination report  Attachment 4     01000
POP3                     Li Si          Sun Ba          Preferential policy          Attachment 1     01001
POP3                     Wang Yi        Zheng Shi       Preferential policy          Attachment 4     01010
Step S1022: perform threat detection on the propagated file.
For example, threat detection is performed on the propagated files corresponding to the first protocol information in Table 1, and propagated files 1, 4, 6, 8 and 9 are determined to be propagated files that carry a threat.
Step S1023: take the first protocol information corresponding to the propagated files that carry a threat as the second protocol information, and determine the second hash value corresponding to the second protocol information.
For example, the second hash values corresponding to the second protocol information of the threat-carrying propagated files 1, 4, 6, 8 and 9 in the first list are determined.
Step S1024: save the second protocol information and the second hash value in the malicious-program propagation record table.
Specifically, continuing the example above, the malicious-program propagation record table is as shown in Table 2.
Table 2

Transport protocol type  E-mail sender  Mail recipient  Mail subject                 Attachment name  Hash
SMTP                     Zhang San      Qian Qi         Work briefing                Attachment 2     00001
TFTP                     Li Si          Sun Ba          Work briefing                Attachment 2     00100
POP3                     Zhao Wu        Zhou Liu        Preferential policy          Attachment 4     00110
TFTP                     Zhao Wu        Qian Qi         Physical examination report  Attachment 4     01000
POP3                     Li Si          Sun Ba          Preferential policy          Attachment 1     01001
In the embodiment of the present invention, the malicious-program propagation record table may also be determined directly from the first protocol information, the first hash value and the propagated file: specifically, it is detected whether the propagated file carries a threat, and if it does, the first protocol information and the first hash value corresponding to that propagated file are saved in the malicious-program propagation record table.
Step S103: according to a set condition, determine the hash value of the specific threat in the malicious-program propagation record table.
Specifically, the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than a set threshold is determined to be the specific-threat hash value.
For example, the following five modes determine that the hash value corresponding to second protocol information whose propagation amount in the malicious-program propagation record table is less than the set threshold is the specific-threat hash value. The hash value corresponding to the specific threat in Table 2 is confirmed by these five modes as follows.
Mode one: determine that the hash value corresponding to a transport protocol type whose number of propagations in the malicious-program propagation record table is less than a set first threshold is the specific-threat hash value.
Specifically, assume the first threshold is 2. When the number of propagations of a transport protocol type is less than the set first threshold 2, the hash value corresponding to that transport protocol type is a specific-threat hash value. For example, in Table 2 only the SMTP protocol has a propagation count of 1, which is less than the first threshold 2, so the hash value 00001 corresponding to SMTP is the hash value corresponding to a specific threat. In the embodiment of the present invention the value of the first threshold is determined according to the practical application, and the present invention does not limit it.
Mode two: determine that the hash value corresponding to an e-mail sender whose number of propagations in the malicious-program propagation record table is less than a set second threshold is the specific-threat hash value.
Specifically, assume the second threshold is 2. When the number of propagations of an e-mail sender is less than the set second threshold 2, the hash value corresponding to that e-mail sender is a specific-threat hash value. For example, in Table 2 only 'Zhang San' has a propagation count of 1, which is less than the second threshold 2, so the hash value 00001 corresponding to 'Zhang San' is the hash value corresponding to a specific threat. In the embodiment of the present invention, the specific-threat hash values filtered out under different set conditions may be the same or may differ, and the present invention does not limit this; the value of the second threshold is determined according to the practical application, and the present invention does not limit it.
Mode three: determine that the hash value corresponding to a mail recipient whose count in the malicious-program propagation record table, after de-duplication of the mail recipients' server addresses, is less than a set third threshold is the specific-threat hash value, where the mail recipient includes the mail recipient, the mail CC recipient and the mail BCC recipient.
Specifically, assume the third threshold is 2. When the number of propagations of a mail recipient is less than the set third threshold 2, the hash value corresponding to that recipient is a specific-threat hash value. For example, in Table 2 only 'Zhou Liu' has a propagation count of 1, which is less than the third threshold 2, so the hash value 00110 corresponding to 'Zhou Liu' is the hash value corresponding to a specific threat. In the embodiment of the present invention the value of the third threshold is determined according to the practical application, and the present invention does not limit it.
Mode four: determine that the hash value corresponding to an e-mail attachment name whose number of occurrences in the malicious-program propagation record table is less than a set fourth threshold is the specific-threat hash value.
Specifically, assume the fourth threshold is 2. When the number of propagations of an e-mail attachment name is less than the set fourth threshold 2, the hash value corresponding to that attachment name is a specific-threat hash value. For example, in Table 2 only 'Attachment 1' has a propagation count of 1, which is less than the fourth threshold 2, so the hash value 01001 corresponding to 'Attachment 1' is the hash value corresponding to a specific threat. In the embodiment of the present invention the value of the fourth threshold is determined according to the practical application, and the present invention does not limit it.
Mode five: determine that the hash value corresponding to a mail subject whose number of occurrences in the malicious-program propagation record table is less than a set fifth threshold is the specific-threat hash value.
Specifically, assume the fifth threshold is 2. When the number of propagations of a mail subject is less than the set fifth threshold 2, the hash value corresponding to that mail subject is a specific-threat hash value. For example, in Table 2 only 'Physical examination report' has a propagation count of 1, which is less than the fifth threshold 2, so the hash value 01000 corresponding to 'Physical examination report' is the hash value corresponding to a specific threat. In the embodiment of the present invention the value of the fifth threshold is determined according to the practical application, and the present invention does not limit it.
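The following Python block is an added example, not the patent's own code, that carries steps S1021 to S1024 and the five modes of step S103 through on the patent's Table 1. The recipient e-mail addresses and server names are assumptions (the patent gives only names), the per-mode thresholds default to 2 as in the text, and the reading of mode three as "all of a mail's recipient servers are rare" is an interpretation, since the patent does not say whether one rare recipient server is enough.

```python
"""Added example for steps S1021-S1024 and the five modes of step S103.

Not the patent's code: the patent names the tables and thresholds, and this
block fills in one concrete way to compute them. Table 1 is reproduced from the
patent's example with made-up recipient addresses (assumption: one recipient
per row, server address = the part after '@'); the threat verdicts are the rows
the patent says carry a threat (1, 4, 6, 8, 9).
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Callable, Hashable, Iterable


@dataclass(frozen=True)
class Record:
    """One row of the first list: the chosen first protocol information plus
    the first hash value of the attachment."""
    protocol: str
    sender: str
    recipients: tuple[str, ...]   # To, CC and BCC together, as the patent requires
    subject: str
    attachment: str
    hash: str


# Table 1 of the patent as constructed sample data (addresses are assumptions).
FIRST_LIST = [
    Record("SMTP", "Zhang San", ("qianqi@alpha.invalid",), "Work briefing", "Attachment 2", "00001"),
    Record("POP3", "Zhang San", ("qianqi@alpha.invalid",), "Work briefing", "Attachment 2", "00010"),
    Record("IMAP", "Zhang San", ("qianqi@alpha.invalid",), "Work briefing", "Attachment 3", "00011"),
    Record("TFTP", "Li Si", ("sunba@beta.invalid",), "Work briefing", "Attachment 2", "00100"),
    Record("TFTP", "Zhao Wu", ("sunba@beta.invalid",), "Work briefing", "Attachment 3", "00101"),
    Record("POP3", "Zhao Wu", ("zhouliu@gamma.invalid",), "Preferential policy", "Attachment 4", "00110"),
    Record("IMAP", "Zhao Wu", ("wujiu@delta.invalid",), "Preferential policy", "Attachment 4", "00111"),
    Record("TFTP", "Zhao Wu", ("qianqi@alpha.invalid",), "Physical examination report", "Attachment 4", "01000"),
    Record("POP3", "Li Si", ("sunba@beta.invalid",), "Preferential policy", "Attachment 1", "01001"),
    Record("POP3", "Wang Yi", ("zhengshi@epsilon.invalid",), "Preferential policy", "Attachment 4", "01010"),
]

# Step S1022 stand-in: the verdict a sandbox or AV engine returned per hash.
# The patent's example flags propagated files 1, 4, 6, 8 and 9.
THREAT_VERDICTS = {r.hash: r.hash in {"00001", "00100", "00110", "01000", "01001"}
                   for r in FIRST_LIST}


def build_record_table(first_list: Iterable[Record],
                       verdicts: dict[str, bool]) -> list[Record]:
    """Steps S1022-S1024: keep the rows whose propagated file carries a threat.
    Their protocol information becomes the second protocol information and
    their hash the second hash value (Table 2)."""
    return [r for r in first_list if verdicts.get(r.hash, False)]


def recipient_servers(rec: Record) -> frozenset[str]:
    """Server addresses of To/CC/BCC recipients, de-duplicated within one mail."""
    return frozenset(addr.rsplit("@", 1)[-1].lower() for addr in rec.recipients)


def low_propagation_hashes(table: list[Record],
                           key: Callable[[Record], Hashable],
                           threshold: int) -> set[str]:
    """Generic form of modes one, two, four and five: count how many rows share
    each key value and return the hashes of rows whose key value occurs fewer
    than `threshold` times."""
    counts = Counter(key(r) for r in table)
    return {r.hash for r in table if counts[key(r)] < threshold}


def rare_recipient_server_hashes(table: list[Record], threshold: int) -> set[str]:
    """Mode three: count rows per recipient server (each server once per mail)
    and flag rows all of whose servers were seen fewer than `threshold` times.
    'All' rather than 'any' is an assumption; the patent does not say which."""
    counts = Counter()
    for r in table:
        counts.update(recipient_servers(r))
    return {r.hash for r in table
            if all(counts[s] < threshold for s in recipient_servers(r))}


def identify_specific_threats(table: list[Record],
                              thresholds: dict[str, int] | None = None) -> dict[str, set[str]]:
    """Step S103 with the five modes; every threshold defaults to 2 as in the patent."""
    t = {"protocol": 2, "sender": 2, "recipient_server": 2, "attachment": 2, "subject": 2}
    if thresholds:
        t.update(thresholds)
    return {
        "protocol": low_propagation_hashes(table, lambda r: r.protocol, t["protocol"]),
        "sender": low_propagation_hashes(table, lambda r: r.sender, t["sender"]),
        "recipient_server": rare_recipient_server_hashes(table, t["recipient_server"]),
        "attachment": low_propagation_hashes(table, lambda r: r.attachment, t["attachment"]),
        "subject": low_propagation_hashes(table, lambda r: r.subject, t["subject"]),
    }


def specific_threat_hashes(table: list[Record],
                           thresholds: dict[str, int] | None = None) -> set[str]:
    """Union over the five modes: every hash flagged by at least one condition."""
    return set().union(*identify_specific_threats(table, thresholds).values())


if __name__ == "__main__":
    table = build_record_table(FIRST_LIST, THREAT_VERDICTS)
    for mode, hashes in identify_specific_threats(table).items():
        print(f"{mode:17} -> {sorted(hashes)}")
    print("specific threats  ->", sorted(specific_threat_hashes(table)))
```

With all thresholds at 2 the five modes return 00001, 00001, 00110, 01001 and 01000, matching the patent's walk-through of Table 2. Two caveats for a deployment: a hash counts only byte-identical attachments, so an attacker who changes one byte per target defeats the count on its own and the hash should be combined with the other columns rather than used alone; and the counts are relative to whatever window the record table covers, so the thresholds have to be tuned to the observation period and the size of the monitored network.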
In the embodiment of the present invention, after step S103 the method further comprises: determining the propagated file of the corresponding specific threat according to the hash value of the specific threat. A specific threat may also be called an advanced threat, and refers to a propagated file whose propagation volume is small but which is strongly targeted and highly harmful.
The steps of a method for identifying a specific threat are described in detail below through a specific embodiment, as shown in Fig. 3:
Step S300: mirror the Internet traffic data to obtain mirrored data of the Internet traffic data.
Step S301: according to a pre-set protocol, determine first traffic data in the mirrored data of the Internet traffic data.
Step S302: judge whether the first traffic data can be restored to a propagation file.
Step S303: if the first traffic data can be restored to a propagation file, extract the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagation file.
Optionally, if the first traffic data cannot be restored to a propagation file, processing ends.
Step S304: save the first protocol information and the first hash value in a first list.
Step S305: perform threat detection on the propagation file corresponding to the first protocol information in the first list.
Step S306: determine the first protocol information corresponding to a propagation file that is found to be threatening as second protocol information, and determine the second hash value corresponding to the second protocol information.
Step S307: save the threatening second protocol information and the second hash value in a malicious-program propagation record table.
Step S308: determine the specific-threat hash values in the malicious-program propagation record table according to the set condition.
Step S309: determine, according to a specific-threat hash value, the specific threat corresponding to that hash value.
Specifically, this is the propagation file corresponding to the specific-threat hash value.
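The S300 to S309 procedure above, together with modes one to five of step S308 (modes four and five are the ones illustrated with Table 2 earlier), as an added Python example; it is not code from the patent or its assignee. The protocol set and the record fields follow claims 4 and 5. The SHA-256 hash, the marker-based detector standing in for step S305, the threshold values, and the reading of mode three as "the message reaches fewer than the third threshold of distinct recipient mail servers" are assumptions of this example, and the traffic records are constructed.

```python
# Added example (constructed): steps S300 to S309 of the patent over sample mirrored traffic.
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MONITORED_PROTOCOLS = {"SMTP", "POP3", "IMAP", "HTTP", "TFTP", "FTP", "SMB"}  # pre-set protocols (claim 4)
MAIL_PROTOCOLS = {"SMTP", "POP3", "IMAP"}
# Thresholds for modes one to five of step S308; the values are assumptions for this example.
THRESHOLDS = {"transport": 2, "sender": 2, "recipient_servers": 2, "attachment": 2, "subject": 2}
MALICIOUS_MARKER = b"[constructed-malicious-marker]"   # stand-in for a real S305 verdict


@dataclass(frozen=True)
class FlowRecord:
    """A mirrored flow (S300) reduced to the protocol information of claim 5 that the
    S308 modes use; recipients holds To, CC and BCC addresses together."""
    transport: str
    sender: str = ""
    recipients: Tuple[str, ...] = ()
    subject: str = ""
    filename: str = ""
    url: str = ""
    payload: Optional[bytes] = None      # None: the flow could not be restored to a file (S302)


def build_first_list(records: List[FlowRecord]) -> List[Tuple[FlowRecord, str]]:
    """S301-S304: keep flows of the pre-set protocols that restore to a file, and pair each
    with the first hash value of its attachment (SHA-256 is an assumption)."""
    first_list = []
    for rec in records:
        if rec.transport not in MONITORED_PROTOCOLS or rec.payload is None:
            continue                                   # S301 filter / S302 failed
        first_list.append((rec, hashlib.sha256(rec.payload).hexdigest()))
    return first_list


def detect_threat(payload: bytes) -> bool:
    """S305 stand-in: the patent leaves the detector open; a marker match is used here."""
    return MALICIOUS_MARKER in payload


def build_record_sheet(first_list) -> List[Tuple[FlowRecord, str]]:
    """S306-S307: threatening entries become the second protocol information and second
    hash value of the malicious-program propagation record table."""
    return [(rec, h) for rec, h in first_list if detect_threat(rec.payload)]


def _server(address: str) -> str:
    """Server (domain) part of a mail address, for the deduplication in mode three."""
    return address.rsplit("@", 1)[-1].lower()


def specific_threat_hashes(sheet, thresholds=THRESHOLDS) -> Dict[str, Set[str]]:
    """S308: modes one to five. A hash is flagged when the propagation count of its field
    is below the threshold; 'all' is the union. Mode three is read here as 'the message
    reaches fewer than N distinct recipient servers', which is one interpretation."""
    mail = [(r, h) for r, h in sheet if r.transport in MAIL_PROTOCOLS]
    n_transport = Counter(r.transport for r, _ in sheet)
    n_sender = Counter(r.sender for r, _ in mail)
    n_attachment = Counter(r.filename for r, _ in mail)
    n_subject = Counter(r.subject for r, _ in mail)
    flagged: Dict[str, Set[str]] = {m: set() for m in ("one", "two", "three", "four", "five")}
    for rec, h in sheet:
        if n_transport[rec.transport] < thresholds["transport"]:          # mode one
            flagged["one"].add(h)
        if rec.transport not in MAIL_PROTOCOLS:
            continue                                                       # modes two to five: mail only
        if n_sender[rec.sender] < thresholds["sender"]:                    # mode two
            flagged["two"].add(h)
        if len({_server(a) for a in rec.recipients}) < thresholds["recipient_servers"]:  # mode three
            flagged["three"].add(h)
        if n_attachment[rec.filename] < thresholds["attachment"]:          # mode four
            flagged["four"].add(h)
        if n_subject[rec.subject] < thresholds["subject"]:                 # mode five
            flagged["five"].add(h)
    flagged["all"] = set().union(*flagged.values())
    return flagged


def sample_records() -> List[FlowRecord]:
    """Constructed mirrored-traffic records, not captured traffic."""
    bad = MALICIOUS_MARKER + b" "
    mass_mail = FlowRecord("SMTP", sender="spam@bulk.test", recipients=("a@x.test", "b@y.test", "c@z.test"),
                           subject="Invoice", filename="invoice.zip", payload=bad + b"invoice")
    return [
        FlowRecord("DNS", payload=b"not a pre-set protocol"),                                # dropped at S301
        FlowRecord("SMTP", sender="hr@outside.test", recipients=("alice@victim.test",),
                   subject="physical examination report", filename="attachment 1.doc",
                   payload=bad + b"attachment 1"),                                         # the targeted one
        mass_mail, mass_mail, mass_mail,                                                   # seen three times
        FlowRecord("HTTP", filename="update.exe", url="http://dl.example.test/update.exe",
                   payload=bad + b"update"),                                               # the only HTTP hit
        FlowRecord("FTP", filename="report.pdf", payload=b"benign pdf bytes"),             # not threatening
        FlowRecord("SMTP", sender="x@a.test", recipients=("y@b.test",), payload=None),     # not restorable
    ]


def run_example() -> Dict[str, Set[str]]:
    """S300-S309 end to end on the constructed records."""
    return specific_threat_hashes(build_record_sheet(build_first_list(sample_records())))


if __name__ == "__main__":
    for mode, hashes in run_example().items():
        print(mode, sorted(h[:12] for h in hashes))
```

On the constructed records, the mass mailing seen three times is never flagged because every one of its fields has a propagation count of 3, while the single targeted mail is flagged by modes two to five and the single HTTP download by mode one; the union is the set of specific-threat hash values that step S309 maps back to propagation files.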
Fig. 4 is a schematic diagram of a device for identifying a specific threat provided in an embodiment of the present invention. As shown in Fig. 3, the malicious-program identification device of this embodiment includes: a confirmation unit 41, an extraction unit 42 and a storage unit 43.
The confirmation unit 41 is configured to determine first traffic data in the mirrored data of the Internet traffic data according to a pre-set protocol; the extraction unit 42 is configured to, in response to the first traffic data being restored to a propagation file, extract the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagation file; the storage unit 43 is configured to determine a malicious-program propagation record table according to the first protocol information, the first hash value and the propagation file; and the confirmation unit is further configured to determine the specific-threat hash values in the malicious-program propagation record table according to the set condition.
In one embodiment, after determining the specific-threat hash values in the malicious-program propagation record table according to the set condition, the confirmation unit is further configured to: determine the propagation file of the corresponding specific threat according to the hash value of the specific threat.
In one embodiment, the storage unit is specifically configured to: save the first protocol information and the first hash value in a first list; perform threat detection on the propagation file; determine the first protocol information corresponding to a propagation file found to be threatening as second protocol information, and determine the second hash value corresponding to the second protocol information; and save the second protocol information and the second hash value in the malicious-program propagation record table.
In one embodiment, the pre-set protocol includes: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or the Server Message Block (SMB) protocol.
In one embodiment, the first protocol information includes at least one of: source IP, destination IP, source port, destination port, transport protocol type, file name, file uniform resource locator (URL), mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data or e-mail attachment name.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to second protocol information whose propagation volume in the malicious-program propagation record table is less than a set threshold is a specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a transport protocol type whose propagation count in the malicious-program propagation record table is less than the set first threshold is a specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail sender whose propagation count in the malicious-program propagation record table is less than the set second threshold is a specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail recipient in the malicious-program propagation record table is a specific-threat hash value when the count of mail recipients after deduplication of their server addresses is less than the set third threshold, where the mail recipients include the To recipients, CC recipients and BCC recipients.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to an e-mail attachment name whose number of occurrences in the malicious-program propagation record table is less than the set fourth threshold is a specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail subject whose number of occurrences in the malicious-program propagation record table is less than the set fourth threshold is a specific-threat hash value.
Fig. 5 is a schematic diagram of the electronic device of the embodiment of the present invention. The electronic device shown in Fig. 5 is a general-purpose malicious-program identification device comprising a general computer hardware structure, which includes at least a processor 51 and a memory 52. The processor 51 and the memory 52 are connected by a bus 53. The memory 52 is adapted to store instructions or programs executable by the processor 51. The processor 51 may be an independent microprocessor or a set of one or more microprocessors. Thus, by executing the instructions stored in the memory 52, the processor 51 carries out the method flow of the embodiment of the present invention described above, processing data and controlling other devices. The bus 53 connects the above components together, and also connects them to a display controller 54 with its display device and to an input/output (I/O) device 55. The input/output (I/O) device 55 may be a mouse, keyboard, modem, network interface, touch input device, motion-sensing input device, printer or other device well known in the art. Typically, the input/output device 55 is connected to the system through an input/output (I/O) controller 56.
As those skilled in the art will appreciate, aspects of the embodiments of the present invention may be implemented as a system, a method or a computer program product. Accordingly, aspects of the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, microcode, etc.), or an embodiment combining software and hardware aspects, which may all generally be referred to herein as a "circuit", "module" or "system". Furthermore, aspects of the embodiments of the present invention may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code embodied thereon.
Any combination of one or more computer-readable media may be used. A computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may be, for example (but not limited to), an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the embodiments of the present invention, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
A computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including but not limited to electromagnetic, optical, or any suitable combination thereof. A computer-readable signal medium may be any computer-readable medium that is not a computer-readable storage medium and that can communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
Program code embodied on a computer-readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the embodiments of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter case, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
Aspects of the embodiments of the present invention are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable medium that can direct a computer, other programmable data processing apparatus or other devices to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer-implemented process, such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The above description is only of preferred embodiments of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (13)

1. A method for identifying a specific threat, characterized in that it comprises:
determining, according to a pre-set protocol, first traffic data in the mirrored data of Internet traffic data;
in response to the first traffic data being restored to a propagation file, extracting first protocol information of the first traffic data and a first hash value of an attachment contained in the propagation file;
determining a malicious-program propagation record table according to the first protocol information, the first hash value and the propagation file;
determining a hash value of the specific threat in the malicious-program propagation record table according to a set condition.
2. The method according to claim 1, characterized in that, after determining the hash value of the specific threat in the malicious-program propagation record table according to the set condition, the method further comprises:
determining the propagation file of the corresponding specific threat according to the hash value of the specific threat.
3. The method according to claim 1, characterized in that determining the malicious-program propagation record table according to the first protocol information, the first hash value and the propagation file specifically comprises:
saving the first protocol information and the first hash value in a first list;
performing threat detection on the propagation file;
determining the first protocol information corresponding to a propagation file found to be threatening as second protocol information, and determining a second hash value corresponding to the second protocol information;
saving the second protocol information and the second hash value in the malicious-program propagation record table.
4. The method according to claim 1, characterized in that the pre-set protocol comprises: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or the Server Message Block (SMB) protocol.
5. The method according to claim 1, characterized in that the first protocol information comprises at least one of: source IP, destination IP, source port, destination port, transport protocol type, file name, file uniform resource locator (URL), mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data or e-mail attachment name.
6. The method according to claim 1, characterized in that determining the specific-threat hash value in the malicious-program propagation record table according to the set condition specifically comprises:
determining that the hash value corresponding to second protocol information whose propagation volume in the malicious-program propagation record table is less than a set threshold is a specific-threat hash value.
7. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation volume in the malicious-program propagation record table is less than the set threshold is a specific-threat hash value specifically comprises:
determining that the hash value corresponding to a transport protocol type whose propagation count in the malicious-program propagation record table is less than a set first threshold is a specific-threat hash value.
8. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation volume in the malicious-program propagation record table is less than the set threshold is a specific-threat hash value specifically comprises:
determining that the hash value corresponding to a mail sender whose propagation count in the malicious-program propagation record table is less than a set second threshold is a specific-threat hash value.
9. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation volume in the malicious-program propagation record table is less than the set threshold is a specific-threat hash value specifically comprises:
determining that the hash value corresponding to a mail recipient in the malicious-program propagation record table is a specific-threat hash value when the count of mail recipients after deduplication of their server addresses is less than a set third threshold, wherein the mail recipients include the To recipients, CC recipients and BCC recipients.
10. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation volume in the malicious-program propagation record table is less than the set threshold is a specific-threat hash value specifically comprises:
determining that the hash value corresponding to an e-mail attachment name whose number of occurrences in the malicious-program propagation record table is less than a set fourth threshold is a specific-threat hash value.
11. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation volume in the malicious-program propagation record table is less than the set threshold is a specific-threat hash value specifically comprises:
determining that the hash value corresponding to a mail subject whose number of occurrences in the malicious-program propagation record table is less than the set fourth threshold is a specific-threat hash value.
12. An electronic device comprising a memory and a processor, characterized in that the memory is used to store one or more computer program instructions, wherein the one or more computer program instructions are executed by the processor to implement the method according to any one of claims 1 to 11.
13. A computer-readable storage medium having computer program instructions stored thereon, characterized in that the computer program instructions, when executed by a processor, implement the method according to any one of claims 1 to 11.
CN201811291181.2A 2018-10-31 2018-10-31 Specific threat identification method and electronic equipment Active CN109327453B (en)


Publications (2)

Publication Number Publication Date
CN109327453A true CN109327453A (en) 2019-02-12
CN109327453B CN109327453B (en) 2021-04-13

Family

ID=65260482




Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821002A (en) * 2011-06-09 2012-12-12 中国移动通信集团河南有限公司信阳分公司 Method and system for network flow anomaly detection
CN103078752A (en) * 2012-12-27 2013-05-01 华为技术有限公司 Method, device and equipment for detecting e-mail attack
CN105072137A (en) * 2015-09-15 2015-11-18 蔡丝英 Spear phishing mail detection method and device
US20160275303A1 (en) * 2015-03-19 2016-09-22 Netskope, Inc. Systems and methods of monitoring and controlling enterprise information stored on a cloud computing service (ccs)
CN106685746A (en) * 2017-03-28 2017-05-17 上海以弈信息技术有限公司 Correlation analysis method for abnormal log and flow
CN108229159A (en) * 2016-12-09 2018-06-29 武汉安天信息技术有限责任公司 A kind of malicious code detecting method and system
CN108337153A (en) * 2018-01-19 2018-07-27 论客科技(广州)有限公司 A kind of monitoring method of mail, system and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
许佳 et al.: "A survey of APT attacks and their detection techniques" (APT攻击及其检测技术综述), 《保密科学技术》 (Secrecy Science and Technology) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112087294A (en) * 2020-08-13 2020-12-15 中国电子科技集团公司第三十研究所 Portable security computer architecture based on secret hash label protection
CN112087294B (en) * 2020-08-13 2022-03-18 中国电子科技集团公司第三十研究所 Portable safety computer system based on secret hash label protection



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant