CN109327453A - A kind of recognition methods of specific threat and electronic equipment - Google Patents
Classifications (CPC)
- H04L63/1416 — Event detection, e.g. attack signature detection (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—... for detecting or protecting against malicious traffic; H04L63/1408—... by monitoring network traffic)
- H04L63/1441 — Countermeasures against malicious traffic (same hierarchy down to H04L63/14)
Abstract
The present invention provides a specific-threat identification method and an electronic device, addressing the low efficiency and low accuracy with which specific threats are identified in the prior art. The method comprises: determining first traffic data in mirrored internet traffic data according to a preset protocol; in response to the first traffic data being restorable to a propagated file, extracting the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagated file; determining a malware propagation record table from the first protocol information, the first hash value and the propagated file; and determining, according to a set condition, the hash value of the specific threat in the malware propagation record table.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a specific-threat identification method and an electronic device.
Background technique
With the development of internet technology, governments and enterprises conduct their business over the internet. Although this is very convenient, they face numerous targeted attacks aimed at state or corporate secrets, such as Advanced Persistent Threat (APT) attacks, which have become a necessary concern for network security and national security. Once an APT attack succeeds, the confidential information or data of the government or enterprise is compromised, so discovering an APT attack quickly and effectively can reduce the loss to a country or an enterprise. APT attacks, however, tend to be covert, persistent and frequently updated, so how to identify quickly and accurately the specific threats that carry out APT attacks is a problem that currently needs to be solved.
In the prior art, two approaches are generally used to locate a specific threat. In the first, an APT detection device monitors known malware and unknown file data by means of exploit programs and dynamic analysis, and the specific threat is then located and identified by manual analysis; because the volume of file data is very large, the efficiency of identifying specific threats is very low. In the second, unknown files that the anti-virus engine cannot detect are subjected manually to offline virtual execution and analysis and are observed over a long period before being classified; the efficiency of identifying specific threats is again very low, and since a considerable proportion of the specific threats that carry out APT attacks are in fact detected by the anti-virus engine, analysing only the unknown files leaves most of the data unexamined, so the accuracy of identifying specific threats is low.
In summary, how to improve the efficiency and accuracy of identifying specific threats is the problem that currently needs to be solved.
Summary of the invention
In view of this, the present invention provides a specific-threat identification method and an electronic device to solve the problem of low efficiency and low accuracy in identifying specific threats in the prior art.
According to a first aspect of the embodiments of the present invention, a specific-threat identification method is provided, comprising: determining first traffic data in the mirrored internet traffic data according to a preset protocol; in response to the first traffic data being restorable to a propagated file, extracting the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagated file; determining a malware propagation record table from the first protocol information, the first hash value and the propagated file; and determining, according to a set condition, the hash value of the specific threat in the malware propagation record table.
In one embodiment, after the hash value of the specific threat in the malware propagation record table is determined according to the set condition, the method further comprises: determining the propagated file of the corresponding specific threat from the hash value of the specific threat.
In one embodiment, determining the malware propagation record table from the first protocol information, the first hash value and the propagated file specifically comprises: saving the first protocol information and the first hash value to a first list; performing threat detection on the propagated file; determining the first protocol information corresponding to a propagated file that carries a threat as second protocol information, and determining the second hash value corresponding to the second protocol information; and saving the second protocol information and the second hash value to the malware propagation record table.
In one embodiment, the preset protocol includes: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Mail Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or Server Message Block (SMB).
In one embodiment, the first protocol information includes at least one of: source IP, destination IP, source port, destination port, transport protocol type, file name, file Uniform Resource Locator (URL), mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data or mail attachment name.
In one embodiment, determining the hash value of the specific threat in the malware propagation record table according to the set condition specifically comprises: determining that the hash value corresponding to second protocol information whose propagation amount in the malware propagation record table is below a set threshold is the specific-threat hash value.
In one embodiment, determining that the hash value corresponding to second protocol information whose propagation amount in the malware propagation record table is below the set threshold is the specific-threat hash value specifically comprises: determining that the hash value corresponding to a transport protocol type whose propagation count in the malware propagation record table is below a set first threshold is the specific-threat hash value.
In one embodiment, the same determination specifically comprises: determining that the hash value corresponding to a mail sender whose propagation count in the malware propagation record table is below a set second threshold is the specific-threat hash value.
In one embodiment, the same determination specifically comprises: determining that the hash value corresponding to a mail recipient whose count in the malware propagation record table, after deduplication of the recipients' mail server addresses, is below a set third threshold is the specific-threat hash value, wherein the mail recipient includes the To, CC and BCC recipients.
In one embodiment, the same determination specifically comprises: determining that the hash value corresponding to a mail attachment name whose number of occurrences in the malware propagation record table is below a set fourth threshold is the specific-threat hash value.
In one embodiment, the same determination specifically comprises: determining that the hash value corresponding to a mail subject whose number of occurrences in the malware propagation record table is below the set fourth threshold is the specific-threat hash value.
According to a second aspect of the embodiments of the present invention, a specific-threat identification device is provided, comprising: a confirmation unit, configured to determine first traffic data in the mirrored internet traffic data according to a preset protocol; an extraction unit, configured to extract, in response to the first traffic data being restorable to a propagated file, the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagated file; and a storage unit, configured to determine a malware propagation record table from the first protocol information, the first hash value and the propagated file; the confirmation unit being further configured to determine, according to a set condition, the hash value of the specific threat in the malware propagation record table.
In one embodiment, after the hash value of the specific threat in the malware propagation record table is determined according to the set condition, the confirmation unit is further configured to determine the propagated file of the corresponding specific threat from the hash value of the specific threat.
In one embodiment, the storage unit is specifically configured to: save the first protocol information and the first hash value to a first list; perform threat detection on the propagated file; determine the first protocol information corresponding to a propagated file that carries a threat as second protocol information, and determine the second hash value corresponding to the second protocol information; and save the second protocol information and the second hash value to the malware propagation record table.
In one embodiment, the preset protocol includes: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Mail Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or Server Message Block (SMB).
In one embodiment, the first protocol information includes at least one of: source IP, destination IP, source port, destination port, transport protocol type, file name, file Uniform Resource Locator (URL), mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data or mail attachment name.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to second protocol information whose propagation amount in the malware propagation record table is below a set threshold is the specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a transport protocol type whose propagation count in the malware propagation record table is below a set first threshold is the specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail sender whose propagation count in the malware propagation record table is below a set second threshold is the specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail recipient whose count in the malware propagation record table, after deduplication of the recipients' mail server addresses, is below a set third threshold is the specific-threat hash value, wherein the mail recipient includes the To, CC and BCC recipients.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail attachment name whose number of occurrences in the malware propagation record table is below a set fourth threshold is the specific-threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail subject whose number of occurrences in the malware propagation record table is below the set fourth threshold is the specific-threat hash value.
According to a third aspect of the embodiments of the present invention, an electronic device is provided, comprising a memory and a processor, the memory storing one or more computer program instructions which, when executed by the processor, implement the method of the first aspect or of any possible implementation of the first aspect.
According to a fourth aspect of the embodiments of the present invention, a computer-readable storage medium is provided on which computer program instructions are stored, the computer program instructions implementing, when executed by a processor, the method of the first aspect or of any possible implementation of the first aspect.
The beneficial effects of the embodiments of the present invention include the following. First traffic data are determined in the mirrored internet traffic data according to a preset protocol; in response to the first traffic data being restorable to a propagated file, the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagated file are extracted; a malware propagation record table is determined from the first protocol information, the first hash value and the propagated file; and the hash value of the specific threat in the malware propagation record table is determined according to a set condition. In this way the embodiments confirm the hash value of the specific threat and then determine the propagated file corresponding to that hash value, without manual monitoring and analysis. Because all traffic data whose protocol is a preset protocol are monitored, no detection is missed, which improves the efficiency and accuracy of identifying specific threats.
Detailed description of the invention
The above and other objects, features and advantages of the present invention will become apparent from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of a specific-threat identification method according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for generating a malware propagation record table according to an embodiment of the present invention;
Fig. 3 is a flow chart of another specific-threat identification method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a specific-threat identification device according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Specific embodiment
The present invention is described below on the basis of embodiments, but it is not restricted to these embodiments. Certain specific details are described in depth in the detailed description below; a person skilled in the art can fully understand the application without these details. It should also be understood by those skilled in the art that the drawings provided herein serve the purpose of explanation.
Unless the context clearly requires otherwise, words such as "include" and "comprise" throughout the specification and claims are to be construed in an inclusive rather than an exclusive or exhaustive sense, that is, in the sense of "including but not limited to".
In the description of the present invention, it is to be understood that the terms "first", "second" and the like are used for descriptive purposes only and are not to be interpreted as indicating or implying relative importance. Furthermore, unless otherwise indicated, "multiple" means two or more.
Fig. 1 is a flow chart of a specific-threat identification method according to an embodiment of the present invention. As shown in Fig. 1, the malware identification method comprises:
Step S100: according to a preset protocol, determine first traffic data in the mirrored internet traffic data.
Specifically, the first traffic data comprise the protocol and the data packets that carry the propagated file. The preset protocol includes: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Mail Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or Server Message Block (SMB).
Optionally, before step S100 the method further comprises mirroring the internet traffic data to obtain the mirrored internet traffic data.
Step S101: in response to the first traffic data being restorable to a propagated file, extract the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagated file.
Specifically, the first protocol information includes: source IP, destination IP, source port, destination port, transport protocol type, file name, file Uniform Resource Locator (URL), mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data and mail attachment name.
For example, it is judged whether the first traffic data can be restored to a transmitted file; if they can be restored to a propagated file, the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagated file are extracted. For instance, if the first traffic data are the traffic of a mail and the protocol propagating the mail is SMTP, it is judged whether the data packets of the received mail traffic can be restored to the mail; if so, the first protocol information in the first traffic data corresponding to the mail and the first hash value of the attachment contained in the mail are extracted.
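The restoration step just described, as an added example that is not part of the patent: a mail carried by one SMTP session is reassembled with Python's standard email parser, and the first protocol information (sender, To/CC/BCC recipients, subject, attachment name) together with the attachment hash is extracted. The SMTP session is a constructed sample, the record field names are this example's own, and SHA-256 is assumed because the patent does not name a hash function. The example also shows a point the patent's field list glosses over: BCC recipients never appear in the message headers and can only be recovered from the envelope's RCPT TO commands.

```python
import hashlib
from email import policy
from email.parser import BytesParser

# Constructed sample: one SMTP session as it could be reassembled from mirrored
# traffic (server replies omitted, "\n" line endings instead of CRLF for
# brevity). The envelope lists three RCPT TO addresses but only two appear in
# the To:/Cc: headers; the third is a BCC recipient, recoverable only from the
# envelope. The attachment body is the three bytes "abc", base64-encoded.
SAMPLE_SMTP_SESSION = b"""MAIL FROM:<zhangsan@example.com>
RCPT TO:<qianqi@example.com>
RCPT TO:<sunba@example.com>
RCPT TO:<zhouliu@example.com>
DATA
From: zhangsan@example.com
To: qianqi@example.com
Cc: sunba@example.com
Subject: Work briefing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached briefing.
--b1
Content-Type: application/octet-stream; name="Attachment 2"
Content-Disposition: attachment; filename="Attachment 2"
Content-Transfer-Encoding: base64

YWJj
--b1--
.
"""


def attachment_hash(data: bytes) -> str:
    """Hash of an attachment body. The patent leaves the hash function open;
    SHA-256 is assumed here."""
    return hashlib.sha256(data).hexdigest()


def _envelope_address(line: bytes) -> str:
    """'RCPT TO:<addr>' or 'MAIL FROM:<addr>' -> 'addr'."""
    return line.split(b":", 1)[1].strip().strip(b"<>").decode().lower()


def _header_addresses(msg, name: str) -> list:
    """addr_spec strings of a To:/Cc: header, [] if the header is absent."""
    header = msg[name]
    return [a.addr_spec.lower() for a in header.addresses] if header else []


def extract_first_protocol_info(session: bytes) -> list:
    """Restore the mail carried by an SMTP session and return one record per
    attachment holding the first protocol information and the attachment
    hash. The set of fields follows the patent; the key names are this
    example's own."""
    envelope, _, data = session.partition(b"DATA\n")
    # The message ends at the lone "." that terminates the DATA phase.
    message_bytes = data.rsplit(b"\n.\n", 1)[0]

    mail_from = ""
    rcpt_to = []
    for line in envelope.splitlines():
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            mail_from = _envelope_address(line)
        elif upper.startswith(b"RCPT TO:"):
            rcpt_to.append(_envelope_address(line))

    msg = BytesParser(policy=policy.default).parsebytes(message_bytes)
    to = _header_addresses(msg, "To")
    cc = _header_addresses(msg, "Cc")
    # BCC recipients: envelope recipients that the visible headers do not name.
    bcc = [r for r in rcpt_to if r not in to and r not in cc]

    records = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        records.append({
            "transport_protocol": "SMTP",
            "mail_sender": mail_from,
            "mail_recipients": to,
            "mail_cc": cc,
            "mail_bcc": bcc,
            "mail_subject": str(msg["Subject"] or ""),
            "attachment_name": part.get_filename() or "",
            "hash": attachment_hash(payload),
        })
    return records


if __name__ == "__main__":
    for record in extract_first_protocol_info(SAMPLE_SMTP_SESSION):
        print(record)
```

For POP3 and IMAP the same message parsing applies once the retrieved message has been cut out of the session, but there is no sender envelope to consult, so BCC recipients are not recoverable from those protocols at all; a collector should record which fields a given protocol can actually supply rather than leaving them empty and indistinguishable from "no recipient".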
Step S102: determine a malware propagation record table from the first protocol information, the first hash value and the propagated file.
Specifically, the concrete implementation steps can be as shown in Fig. 2:
Step S1021: save the first protocol information and the first hash value to a first list.
For illustration, assume that the first protocol information selected is the transport protocol type, mail sender, mail recipient, mail subject and mail attachment name (attachment name for short), that the first hash value is a binary number, and that there are ten propagated files; the first list of the acquired first protocol information and first hash values is as shown in Table 1.
Table 1

| Transport protocol type | Mail sender | Mail recipient | Mail subject | Attachment name | Hash |
|---|---|---|---|---|---|
| SMTP | Zhang San | Qian Qi | Work briefing | Attachment 2 | 00001 |
| POP3 | Zhang San | Qian Qi | Work briefing | Attachment 2 | 00010 |
| IMAP | Zhang San | Qian Qi | Work briefing | Attachment 3 | 00011 |
| TFTP | Li Si | Sun Ba | Work briefing | Attachment 2 | 00100 |
| TFTP | Zhao Wu | Sun Ba | Work briefing | Attachment 3 | 00101 |
| POP3 | Zhao Wu | Zhou Liu | Preferential policy | Attachment 4 | 00110 |
| IMAP | Zhao Wu | Wu Jiu | Preferential policy | Attachment 4 | 00111 |
| TFTP | Zhao Wu | Qian Qi | Physical examination report | Attachment 4 | 01000 |
| POP3 | Li Si | Sun Ba | Preferential policy | Attachment 1 | 01001 |
| POP3 | Wang Yi | Zheng Shi | Preferential policy | Attachment 4 | 01010 |
Step S1022: perform threat detection on the propagated files.
For example, threat detection is performed on the propagated files corresponding to the first protocol information in Table 1, and propagated files 1, 4, 6, 8 and 9 are determined to be propagated files carrying a threat.
Step S1023: determine the first protocol information corresponding to the propagated files carrying a threat as second protocol information, and determine the second hash values corresponding to the second protocol information.
For example, the second protocol information corresponding to the threat-carrying propagated files 1, 4, 6, 8 and 9 in the first list, and the second hash values corresponding to that second protocol information, are determined.
Step S1024: save the second protocol information and the second hash values to the malware propagation record table.
Specifically, following the concrete example of step S1024, the malware propagation record table is as shown in Table 2.
Table 2

| Transport protocol type | Mail sender | Mail recipient | Mail subject | Attachment name | Hash |
|---|---|---|---|---|---|
| SMTP | Zhang San | Qian Qi | Work briefing | Attachment 2 | 00001 |
| TFTP | Li Si | Sun Ba | Work briefing | Attachment 2 | 00100 |
| POP3 | Zhao Wu | Zhou Liu | Preferential policy | Attachment 4 | 00110 |
| TFTP | Zhao Wu | Qian Qi | Physical examination report | Attachment 4 | 01000 |
| POP3 | Li Si | Sun Ba | Preferential policy | Attachment 1 | 01001 |
In the embodiment of the present invention, the malware propagation record table can also be determined directly from the first protocol information, the first hash value and the propagated file: it is detected whether the propagated file carries a threat and, if it does, the first protocol information and first hash value corresponding to that propagated file are saved to the malware propagation record table.
Step S103: according to a set condition, determine the hash value of the specific threat in the malware propagation record table.
Specifically, the hash value corresponding to second protocol information whose propagation amount in the malware propagation record table is below a set threshold is determined to be the specific-threat hash value.
For example, the hash value corresponding to second protocol information whose propagation amount in the malware propagation record table is below the set threshold is determined to be the specific-threat hash value by the following five modes; each of them is applied to Table 2 below to confirm the hash value corresponding to the specific threat.
Mode one: determine that the hash value corresponding to a transport protocol type whose propagation count in the malware propagation record table is below a set first threshold is the specific-threat hash value.
Specifically, assume the first threshold is 2. When the propagation count of a transport protocol type is below the set first threshold of 2, the hash value corresponding to that transport protocol type is the specific-threat hash value. In Table 2 only the SMTP protocol has a propagation count of 1, which is below the first threshold of 2, so the hash value 00001 corresponding to SMTP is the hash value of the specific threat. In the embodiment of the present invention the value of the first threshold is determined according to the practical application and is not limited by the present invention.
Mode two: determine that the hash value corresponding to a mail sender whose propagation count in the malware propagation record table is below a set second threshold is the specific-threat hash value.
Specifically, assume the second threshold is 2. When the propagation count of a mail sender is below the set second threshold of 2, the hash value corresponding to that mail sender is the specific-threat hash value. In Table 2 only 'Zhang San' has a propagation count of 1, which is below the second threshold of 2, so the hash value 00001 corresponding to 'Zhang San' is the hash value of the specific threat. In the embodiment of the present invention, the specific-threat hash values filtered out under different set conditions may be identical or may differ, and the present invention places no limitation on this; the value of the second threshold is determined according to the practical application and is not limited by the present invention.
Mode three: determine that the hash value corresponding to a mail recipient whose count in the malware propagation record table, after deduplication of the recipients' mail server addresses, is below a set third threshold is the specific-threat hash value, wherein the mail recipient includes the To, CC and BCC recipients.
Specifically, assume the third threshold is 2. When the propagation count of a mail recipient is below the set third threshold of 2, the hash value corresponding to that recipient is the specific-threat hash value. In Table 2 only 'Zhou Liu' has a propagation count of 1, which is below the third threshold of 2, so the hash value 00110 corresponding to 'Zhou Liu' is the hash value of the specific threat. In the embodiment of the present invention the value of the third threshold is determined according to the practical application and is not limited by the present invention.
Mode four: determine that the hash value corresponding to a mail attachment name whose number of occurrences in the malware propagation record table is below a set fourth threshold is the specific-threat hash value.
Specifically, assume the fourth threshold is 2. When the propagation count of a mail attachment name is below the set fourth threshold of 2, the hash value corresponding to that attachment name is the specific-threat hash value. In Table 2 only 'Attachment 1' has a propagation count of 1, which is below the fourth threshold of 2, so the hash value 01001 corresponding to 'Attachment 1' is the hash value of the specific threat. In the embodiment of the present invention the value of the fourth threshold is determined according to the practical application and is not limited by the present invention.
Mode five: determine that the hash value corresponding to a mail subject whose number of occurrences in the malware propagation record table is below the set fourth threshold is the specific-threat hash value.
Specifically, assume the fifth threshold is 2. When the propagation count of a mail subject is below the set fifth threshold of 2, the hash value corresponding to that mail subject is the specific-threat hash value. In Table 2 only 'Physical examination report' has a propagation count of 1, which is below the fifth threshold of 2, so the hash value 01000 corresponding to 'Physical examination report' is the hash value of the specific threat. In the embodiment of the present invention the value of the fifth threshold is determined according to the practical application and is not limited by the present invention.
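Steps S1021 to S1024 and the five modes of step S103, as an added example that is not part of the patent: Table 1 is transcribed as the constructed first list (placeholder names romanized), the page's stated detection result (files 1, 4, 6, 8 and 9 carry a threat) stands in for the threat-detection engine, and each mode becomes a count over one column of the record table with the page's threshold of 2. The function and key names are this example's own, and the mail-server reduction in mode three is an assumption, since the table holds names rather than addresses. Run against Table 2 it reproduces the page's results: 00001 for modes one and two, 00110 for mode three, 01001 for mode four and 01000 for mode five.

```python
from collections import Counter

COLUMNS = ("transport_protocol", "mail_sender", "mail_recipient",
           "mail_subject", "attachment_name", "hash")

# Table 1 of the page, transcribed as the constructed first list: protocol
# information plus first hash value for each of the ten propagated files.
TABLE_1 = [
    ("SMTP", "Zhang San", "Qian Qi", "Work briefing", "Attachment 2", "00001"),
    ("POP3", "Zhang San", "Qian Qi", "Work briefing", "Attachment 2", "00010"),
    ("IMAP", "Zhang San", "Qian Qi", "Work briefing", "Attachment 3", "00011"),
    ("TFTP", "Li Si", "Sun Ba", "Work briefing", "Attachment 2", "00100"),
    ("TFTP", "Zhao Wu", "Sun Ba", "Work briefing", "Attachment 3", "00101"),
    ("POP3", "Zhao Wu", "Zhou Liu", "Preferential policy", "Attachment 4", "00110"),
    ("IMAP", "Zhao Wu", "Wu Jiu", "Preferential policy", "Attachment 4", "00111"),
    ("TFTP", "Zhao Wu", "Qian Qi", "Physical examination report", "Attachment 4", "01000"),
    ("POP3", "Li Si", "Sun Ba", "Preferential policy", "Attachment 1", "01001"),
    ("POP3", "Wang Yi", "Zheng Shi", "Preferential policy", "Attachment 4", "01010"),
]

# Stand-in for the threat-detection step (S1022): the page states that files
# 1, 4, 6, 8 and 9 of Table 1 carry a threat. A deployment would take these
# verdicts from a scanning engine instead of a constant.
THREAT_VERDICTS = {"00001", "00100", "00110", "01000", "01001"}


def first_list(rows):
    """S1021: first protocol information and first hash value as records."""
    return [dict(zip(COLUMNS, row)) for row in rows]


def build_record_table(first_list_rows, threat_hashes):
    """S1022-S1024: keep only records whose propagated file carries a threat;
    their protocol information and hash become the second protocol
    information and second hash value of the malware propagation record table."""
    return [r for r in first_list_rows if r["hash"] in threat_hashes]


def low_prevalence_hashes(record_table, key, threshold):
    """Hashes of records whose value of `key` occurs fewer than `threshold`
    times in the record table: the 'propagation amount below a set threshold'
    condition of S103."""
    counts = Counter(key(r) for r in record_table)
    return {r["hash"] for r in record_table if counts[key(r)] < threshold}


def recipient_server(recipient):
    """Mode three counts recipients by mail server address. The table holds
    bare names, so the key falls back to the name itself (an assumption of
    this example, not something the page specifies)."""
    return recipient.rsplit("@", 1)[-1].lower()


MODES = {
    "mode_one_transport_protocol": lambda r: r["transport_protocol"],
    "mode_two_mail_sender": lambda r: r["mail_sender"],
    "mode_three_mail_recipient": lambda r: recipient_server(r["mail_recipient"]),
    "mode_four_attachment_name": lambda r: r["attachment_name"],
    "mode_five_mail_subject": lambda r: r["mail_subject"],
}


def specific_threat_hashes(record_table, thresholds):
    """S103: apply the five set conditions; `thresholds` maps each mode name
    to its threshold (the page uses 2 for every mode in its worked example)."""
    return {name: low_prevalence_hashes(record_table, key, thresholds[name])
            for name, key in MODES.items()}


if __name__ == "__main__":
    table_2 = build_record_table(first_list(TABLE_1), THREAT_VERDICTS)
    results = specific_threat_hashes(table_2, {name: 2 for name in MODES})
    for mode, hashes in results.items():
        print(mode, sorted(hashes))
```

Every mode is a pure rarity filter, so a legitimately uncommon protocol, sender or subject is flagged just as readily as a targeted one; the thresholds, and whether the modes' results are unioned or intersected, set the false-positive rate, which is why the page leaves the threshold values to the deployment.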
In the embodiment of the present invention, after step S103 the method further comprises: determining the propagated file of the corresponding specific threat from the hash value of the specific threat. The specific threat may also be called an advanced threat and refers to a propagated file whose propagation amount is small but which is highly targeted and highly harmful.
The steps of a specific-threat identification method are described in detail below by way of a specific embodiment, as shown in Fig. 3:
Step S300: mirror the internet traffic data to obtain the mirrored internet traffic data.
Step S301: according to a preset protocol, determine first traffic data in the mirrored internet traffic data.
Step S302: judge whether the first traffic data can be restored to a propagated file.
Step S303: if the first traffic data can be restored to a propagated file, extract the first protocol information of the first traffic data and the first hash value of the attachment contained in the propagated file.
Optionally, if the first traffic data cannot be restored to a propagated file, processing ends.
Step S304: save the first protocol information and the first hash value to a first list.
Step S305: perform threat detection on the propagated files corresponding to the first protocol information in the first list.
Step S306: determine the first protocol information corresponding to the propagated files carrying a threat as second protocol information, and determine the second hash values corresponding to the second protocol information.
Step S307: save the second protocol information and second hash values of the threat-carrying files to the malware propagation record table.
Step S308: according to a set condition, determine the specific-threat hash value in the malware propagation record table.
Step S309: determine, from the specific-threat hash value, the specific threat to which the specific-threat hash value corresponds.
Specifically, this is the propagated file corresponding to the specific-threat hash value.
Fig. 4 is a schematic diagram of a specific threat identification device provided in an embodiment of the present invention. As shown in Fig. 3, the malicious program identification device of this embodiment includes a confirmation unit 41, an extraction unit 42 and a storage unit 43.
The confirmation unit 41 is configured to determine first flow data in the mirror image data of the internet traffic data according to a pre-set protocol; the extraction unit 42 is configured to, in response to the first flow data being restored to a propagation file, extract the first protocol information of the first flow data and the first hash value of the attachment included in the propagation file; the storage unit 43 is configured to determine a malicious program propagation record sheet according to the first protocol information, the first hash value and the propagation file; the confirmation unit is further configured to determine the hash value of the specific threat in the malicious program propagation record sheet according to the set condition.
In one embodiment, after determining the hash value of the specific threat in the malicious program propagation record sheet according to the set condition, the confirmation unit is further configured to: determine the propagation file of the corresponding specific threat according to the hash value of the specific threat.
In one embodiment, the storage unit is specifically configured to: save the first protocol information and the first hash value in a first list; perform threat detection on the propagation file; determine the first protocol information corresponding to a propagation file that carries a threat as second protocol information, and determine the second hash value corresponding to the second protocol information; and save the second protocol information and the second hash value in the malicious program propagation record sheet.
In one embodiment, the pre-set protocol includes: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or the Server Message Block (SMB) protocol.
In one embodiment, the first protocol information includes at least one of: source IP, destination IP, source port, destination port, transport protocol type, file name, file Uniform Resource Locator (URL), e-mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data or e-mail attachment name.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to second protocol information whose propagation amount in the malicious program propagation record sheet is less than a set threshold is a specific threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a transport protocol type whose propagation times in the malicious program propagation record sheet are less than a set first threshold is a specific threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to an e-mail sender whose propagation times in the malicious program propagation record sheet are less than a set second threshold is a specific threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail recipient whose propagation times in the malicious program propagation record sheet, after deduplication of the recipients' server addresses, are less than a set third threshold is a specific threat hash value, where the mail recipient includes the mail recipient, mail CC recipient and mail BCC recipient.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to an e-mail attachment name whose number of occurrences in the malicious program propagation record sheet is less than a set fourth threshold is a specific threat hash value.
In one embodiment, the confirmation unit is specifically configured to: determine that the hash value corresponding to a mail subject whose number of occurrences in the malicious program propagation record sheet is less than a set fourth threshold is a specific threat hash value.
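To make the record-sheet construction of steps S304 to S308 (Fig. 3) and the per-field threshold rules of the confirmation unit above concrete, here is an added Python model; it is not code from the patent, and its record fields, sample mails, hash labels and the stand-in threat check are constructed assumptions.

```python
# Added example (not from the patent): a model of the malicious program
# propagation record sheet (S304-S308, claims 3 and 6-11) and its threshold rules.
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Record:
    # One propagation event: the protocol fields the rules use (claim 5 lists
    # more) plus the attachment hash (constructed labels, not real digests).
    transport: str
    sender: str
    recipients: Tuple[str, ...]   # To, CC and BCC together (claim 9)
    attachment: str
    subject: str
    hash_value: str

def build_record_sheet(first_list: List[Record],
                       has_threat: Callable[[str], bool]) -> List[Record]:
    """S305-S307: keep only entries whose propagation file carries a threat."""
    return [rec for rec in first_list if has_threat(rec.hash_value)]

def recipient_servers(recipients: Iterable[str]) -> Set[str]:
    """Deduplicate recipients to their mail server addresses (claim 9)."""
    return {addr.rsplit("@", 1)[-1].lower() for addr in recipients}

def low_frequency_hashes(sheet: List[Record],
                         field: Callable[[Record], Set[str]],
                         threshold: int) -> Set[str]:
    """Common shape of claims 7-11: count records per value of one field and
    return the hashes of records whose value occurs fewer than `threshold`
    times.  A record with several values (recipient servers) is flagged if
    any of them is rare; that 'any' reading is an assumption."""
    counts: Counter = Counter()
    for rec in sheet:
        counts.update(field(rec))          # a set, so once per record
    return {rec.hash_value for rec in sheet
            if any(counts[v] < threshold for v in field(rec))}

# The patent's first..fifth thresholds, keyed by the field each applies to,
# and the field extractor for each rule (claims 7, 8, 9, 10, 11 in order).
THRESHOLDS: Dict[str, int] = {"transport": 2, "sender": 2, "recipient": 2,
                              "attachment": 2, "subject": 2}
FIELD_RULES: Dict[str, Callable[[Record], Set[str]]] = {
    "transport": lambda r: {r.transport},
    "sender": lambda r: {r.sender.lower()},
    "recipient": lambda r: recipient_servers(r.recipients),
    "attachment": lambda r: {r.attachment},
    "subject": lambda r: {r.subject},
}

def specific_threat_hashes(sheet: List[Record],
                           thresholds: Dict[str, int]) -> Dict[str, Set[str]]:
    """S308: apply every rule; map each flagged hash to the fields that flagged it."""
    flagged: Dict[str, Set[str]] = {}
    for name, field in FIELD_RULES.items():
        for h in low_frequency_hashes(sheet, field, thresholds[name]):
            flagged.setdefault(h, set()).add(name)
    return flagged

# Constructed first list: a six-message mass mailing, one targeted mail and
# one clean file that the S305 detection drops.
FIRST_LIST: List[Record] = [
    Record("SMTP", "billing@mass-mailer.example",
           (f"user{i}@corp-{'ab'[i % 2]}.example",),
           "invoice.zip", "Invoice", "00001")
    for i in range(6)
] + [
    Record("SMTP", "hr@lookalike.example", ("cfo@target.example",),
           "report.docx", "physical examination report", "01000"),
    Record("SMTP", "it@corp-a.example", ("user1@corp-a.example",),
           "minutes.pdf", "Meeting minutes", "00777"),
]
# Stand-in for the S305 threat detection engine: constructed set of hashes
# it is assumed to have flagged as malicious.
MALICIOUS_HASHES = {"00001", "01000"}

def has_threat(hash_value: str) -> bool:
    return hash_value in MALICIOUS_HASHES
```

With every threshold set to 2, the mass mailing's hash 00001 stays below the radar of all five rules, while the single 'physical examination report' mail is reported as a specific threat by the sender, recipient-server, attachment-name and subject rules at once.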
Fig. 5 is a schematic diagram of the electronic equipment of an embodiment of the present invention. The electronic equipment shown in Fig. 5 is a general malicious program identification device comprising a general computer hardware structure, which includes at least a processor 51 and a memory 52. The processor 51 and the memory 52 are connected by a bus 53. The memory 52 is adapted to store instructions or programs executable by the processor 51. The processor 51 may be an independent microprocessor or a set of one or more microprocessors. Thus, by executing the instructions stored in the memory 52, the processor 51 realizes the processing of data and the control of other devices, thereby executing the method flow of the embodiments of the present invention described above. The bus 53 links the above components together and also connects them to a display controller 54, a display device and an input/output (I/O) device 55. The input/output (I/O) device 55 may be a mouse, keyboard, modem, network interface, touch input device, motion-sensing input device, printer or other devices well known in the art. Typically, the input/output device 55 is connected to the system via an input/output (I/O) controller 56.
As will be appreciated by those skilled in the art, aspects of the embodiments of the present invention may be implemented as a system, method or computer program product. Accordingly, aspects of the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, microcode, etc.) or an embodiment combining software and hardware aspects, all of which may generally be referred to herein as a "circuit", "module" or "system". Furthermore, aspects of the embodiments of the present invention may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code embodied thereon.
Any combination of one or more computer-readable media may be used. A computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may be, for example (but not limited to), an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the embodiments of the present invention, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
A computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including but not limited to electromagnetic, optical, or any suitable combination thereof. A computer-readable signal medium may be any computer-readable medium that is not a computer-readable storage medium and that can communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the embodiments of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer as a stand-alone software package, partly on the user's computer, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the embodiments of the present invention are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable medium that can direct a computer, other programmable data processing apparatus or other devices to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices so as to produce a computer-implemented process, such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The above description is only of preferred embodiments of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
Claims (13)
1. A specific threat identification method, characterized by comprising:
determining first flow data in the mirror image data of internet traffic data according to a pre-set protocol;
in response to the first flow data being restored to a propagation file, extracting first protocol information of the first flow data and a first hash value of an attachment included in the propagation file;
determining a malicious program propagation record sheet according to the first protocol information, the first hash value and the propagation file;
determining the hash value of a specific threat in the malicious program propagation record sheet according to a set condition.
2. The method according to claim 1, characterized in that after determining the hash value of the specific threat in the malicious program propagation record sheet according to the set condition, the method further comprises:
determining the propagation file of the corresponding specific threat according to the hash value of the specific threat.
3. The method according to claim 1, characterized in that determining the malicious program propagation record sheet according to the first protocol information, the first hash value and the propagation file specifically comprises:
saving the first protocol information and the first hash value in a first list;
performing threat detection on the propagation file;
determining the first protocol information corresponding to a propagation file that carries a threat as second protocol information, and determining a second hash value corresponding to the second protocol information;
saving the second protocol information and the second hash value in the malicious program propagation record sheet.
4. The method according to claim 1, characterized in that the pre-set protocol includes: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP) or the Server Message Block (SMB) protocol.
5. The method according to claim 1, characterized in that the first protocol information includes at least one of: source IP, destination IP, source port, destination port, transport protocol type, file name, file Uniform Resource Locator (URL), e-mail sender, mail recipient, mail CC recipient, mail BCC recipient, mail subject data or e-mail attachment name.
6. The method according to claim 1, characterized in that determining the specific threat hash value in the malicious program propagation record sheet according to the set condition specifically comprises:
determining that the hash value corresponding to second protocol information whose propagation amount in the malicious program propagation record sheet is less than a set threshold is a specific threat hash value.
7. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation amount in the malicious program propagation record sheet is less than a set threshold is a specific threat hash value specifically comprises:
determining that the hash value corresponding to a transport protocol type whose propagation times in the malicious program propagation record sheet are less than a set first threshold is a specific threat hash value.
8. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation amount in the malicious program propagation record sheet is less than a set threshold is a specific threat hash value specifically comprises:
determining that the hash value corresponding to an e-mail sender whose propagation times in the malicious program propagation record sheet are less than a set second threshold is a specific threat hash value.
9. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation amount in the malicious program propagation record sheet is less than a set threshold is a specific threat hash value specifically comprises:
determining that the hash value corresponding to a mail recipient whose propagation times in the malicious program propagation record sheet, after deduplication of the recipients' server addresses, are less than a set third threshold is a specific threat hash value, wherein the mail recipient includes the mail recipient, mail CC recipient and mail BCC recipient.
10. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation amount in the malicious program propagation record sheet is less than a set threshold is a specific threat hash value specifically comprises:
determining that the hash value corresponding to an e-mail attachment name whose number of occurrences in the malicious program propagation record sheet is less than a set fourth threshold is a specific threat hash value.
11. The method according to claim 6, characterized in that determining that the hash value corresponding to second protocol information whose propagation amount in the malicious program propagation record sheet is less than a set threshold is a specific threat hash value specifically comprises:
determining that the hash value corresponding to a mail subject whose number of occurrences in the malicious program propagation record sheet is less than a set fourth threshold is a specific threat hash value.
12. Electronic equipment, comprising a memory and a processor, characterized in that the memory is configured to store one or more computer program instructions, wherein the one or more computer program instructions are executed by the processor to implement the method according to any one of claims 1-11.
13. A computer-readable storage medium on which computer program instructions are stored, characterized in that the computer program instructions, when executed by a processor, implement the method according to any one of claims 1-11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811291181.2A CN109327453B (en) | 2018-10-31 | 2018-10-31 | Specific threat identification method and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109327453A true CN109327453A (en) | 2019-02-12 |
CN109327453B CN109327453B (en) | 2021-04-13 |
Family ID: 65260482
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811291181.2A Active CN109327453B (en) | 2018-10-31 | 2018-10-31 | Specific threat identification method and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109327453B (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102821002A (en) * | 2011-06-09 | 2012-12-12 | 中国移动通信集团河南有限公司信阳分公司 | Method and system for network flow anomaly detection |
CN103078752A (en) * | 2012-12-27 | 2013-05-01 | 华为技术有限公司 | Method, device and equipment for detecting e-mail attack |
US20160275303A1 (en) * | 2015-03-19 | 2016-09-22 | Netskope, Inc. | Systems and methods of monitoring and controlling enterprise information stored on a cloud computing service (ccs) |
CN105072137A (en) * | 2015-09-15 | 2015-11-18 | 蔡丝英 | Spear phishing mail detection method and device |
CN108229159A (en) * | 2016-12-09 | 2018-06-29 | 武汉安天信息技术有限责任公司 | A kind of malicious code detecting method and system |
CN106685746A (en) * | 2017-03-28 | 2017-05-17 | 上海以弈信息技术有限公司 | Correlation analysis method for abnormal log and flow |
CN108337153A (en) * | 2018-01-19 | 2018-07-27 | 论客科技(广州)有限公司 | A kind of monitoring method of mail, system and device |
Non-Patent Citations (1)
Title |
---|
许佳等: "APT攻击及其检测技术综述", 《保密科学技术》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112087294A (en) * | 2020-08-13 | 2020-12-15 | 中国电子科技集团公司第三十研究所 | Portable security computer architecture based on secret hash label protection |
CN112087294B (en) * | 2020-08-13 | 2022-03-18 | 中国电子科技集团公司第三十研究所 | Portable safety computer system based on secret hash label protection |
Also Published As
Publication number | Publication date |
---|---|
CN109327453B (en) | 2021-04-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11516248B2 (en) | Security system for detection and mitigation of malicious communications | |
US11102223B2 (en) | Multi-host threat tracking | |
US10467411B1 (en) | System and method for generating a malware identifier | |
US9824216B1 (en) | Susceptible environment detection system | |
US20190215335A1 (en) | Method and system for delaying message delivery to users categorized with low level of awareness to suspicius messages | |
US10243989B1 (en) | Systems and methods for inspecting emails for malicious content | |
AU2012347793B2 (en) | Detecting malware using stored patterns | |
US8839401B2 (en) | Malicious message detection and processing | |
JP2019153336A (en) | Automatic reduction in security threat of electronic message basis | |
US9185121B2 (en) | Detecting malicious circumvention of virtual private network | |
US8443447B1 (en) | Apparatus and method for detecting malware-infected electronic mail | |
CN104052722A (en) | Web address security detection method, apparatus and system | |
WO2013091435A1 (en) | File type identification method and file type identification device | |
US10244109B2 (en) | Detection of a spear-phishing phone call | |
CN109150790B (en) | Web page crawler identification method and device | |
US8910281B1 (en) | Identifying malware sources using phishing kit templates | |
CN109327453A (en) | A kind of recognition methods of specific threat and electronic equipment | |
CN111181967B (en) | Data stream identification method, device, electronic equipment and medium | |
US9740858B1 (en) | System and method for identifying forged emails | |
CN114143079B (en) | Verification device and method for packet filtering strategy | |
US9363293B2 (en) | Image monitoring framework | |
US10965693B2 (en) | Method and system for detecting movement of malware and other potential threats | |
CN103632069B (en) | Terminal safety managing method and device in internal network | |
EP2648384B1 (en) | Information security management | |
EP3989622A1 (en) | Using signed tokens to verify short message service (sms) message bodies |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |