CN109688092A - Compromised device detection method and device - Google Patents

Info

Publication number
CN109688092A
Authority
CN
China
Prior art keywords
compromised
host
detection method
data
device detection
Legal status
Pending
Application number
CN201810379276.3A
Other languages
Chinese (zh)
Inventor
刘斐然
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Priority date
2018-04-25
Filing date
2018-04-25
Publication date
2019-04-26
Application filed by Beijing ThreatBook Technology Co Ltd
Priority to CN201810379276.3A
Publication of CN109688092A
Pending legal status

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The present invention provides a compromised device detection method and device. The method comprises: step 1, extracting behavioural characteristic data of a host from raw network traffic and reconstructing the application data of TCP/IP applications; step 2, matching the reconstructed application data against IOC threat intelligence; step 3, determining compromised hosts according to the matching result. By using threat intelligence, the system detects many compromised hosts that traditional antivirus software cannot find, including mobile phones infected with Trojans.

Description

Compromised device detection method and device
Technical field
The present invention relates to the technical field of network security, and in particular to a compromised device detection method and device.
Background art
The usual way of detecting compromised devices at present is to install antivirus software on the device. But antivirus software is easily bypassed. For example, malware can be specially treated to evade a particular antivirus product; some more capable malware can directly shut down the antivirus software and render it ineffective; and malware can also hide its own processes and ports by means of a system rootkit, so that the antivirus software cannot detect it.
Summary of the invention
In view of the many ways in which the malware referred to in the background art can protect itself, the present invention provides a compromised device detection method and device that locates compromised devices by identifying their specific network behaviour.
The present invention provides a compromised device detection method, comprising:
Step 1, extracting behavioural characteristic data of a host from raw network traffic, and reconstructing the application data of TCP/IP applications;
Step 2, matching the reconstructed application data against IOC threat intelligence;
Step 3, determining compromised hosts according to the matching result.
Preferably, the application data subjected to reconstruction include the five-tuple information of ordinary traffic, DNS request/response information and HTTP request/response information.
Preferably, step 1 includes:
Step 11, filtering raw network packets;
Step 12, performing IP fragment reassembly and, for the TCP protocol, TCP segment reassembly;
Step 13, identifying the application-layer protocol.
Preferably, step 11 obtains IP packets and filters them by port, retaining the packets whose port numbers correspond to preset ports.
Preferably, step 2 further comprises: loading all intelligence into memory and performing the matching there.
Preferably, the method also includes:
Step 4, storing the relevant information of the determined compromised host together with the corresponding PCAP file, for investigation and analysis.
Preferably, the method also includes: setting a read-write lock, which is locked when the threat intelligence is updated or changed and unlocked otherwise.
Preferably, the method also includes: raising an alarm when a compromised host is found.
An embodiment of the invention also provides a compromised device detection apparatus, including an acquisition module, a matching module and a judgment module;
the acquisition module is configured to extract behavioural characteristic data of a host from raw network traffic and to reconstruct the application data of TCP/IP applications;
the matching module is configured to match IOC threat intelligence against the reconstructed application data;
the judgment module is configured to determine compromised hosts according to the matching result.
Preferably, the acquisition module is further configured to: filter raw network packets; perform IP fragment reassembly and, for the TCP protocol, TCP segment reassembly; and identify the application-layer protocol.
Actual testing has found that, by using threat intelligence, this method detects many compromised hosts that traditional antivirus software cannot find, including mobile phones infected with Trojans.
Description of the drawings
Fig. 1 is a schematic diagram of the principle of the present invention.
Fig. 2 is a flow chart of the present invention.
Detailed description of embodiments
In order to enable those skilled in the art to better understand the technical solution of the present invention, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
A compromised device is a device that has been captured by an attacker, who can use the compromised device as a pivot to penetrate further into the enterprise where the device sits. Network traffic mirroring means that a switch or optical splitter copies all the raw network traffic flowing through it and sends the copy to a designated device port. In this way the network behaviour of computers can be identified by analysing the mirrored traffic, without changing the enterprise's existing network architecture.
IOC information (Indicators of Compromise) is also called threat intelligence; once a host's behaviour has matched an indicator of compromise, the host is deemed compromised. Indicators of compromise come in many kinds, such as domain names, IPs, URLs, hashes of Trojan files, registry key values, and the names of semaphores used when a Trojan runs. With the recent outbreak of mobile phone viruses, mobile devices have also become targets of attackers, and traditional antivirus software cannot cover existing mobile devices.
Although malware can protect itself in many ways and can infect non-PC devices, the network behaviour it triggers cannot be hidden. On this basis, the present invention provides a compromised device detection method and device that detects compromised devices in an enterprise by analysing network traffic. With reference to Fig. 1 and Fig. 2, the following steps achieve this goal:
(1) Behavioural characteristic data of hosts are extracted from raw network traffic, and the application data of TCP/IP applications are reconstructed at high speed; the reconstructed content includes the five-tuple information of ordinary traffic, DNS request/response information, HTTP request/response information and similar data.
(2) IOC threat intelligence is matched against the reconstructed application data, and compromised hosts are determined from the matching result; that is, a successful match shows that a compromised host has been found. In one embodiment, the reconstructed application data are matched against pre-stored characteristic data, and on a successful match the host corresponding to the application data is a compromised host.
(3) Automatic acquisition and replacement of IOC threat intelligence. Because threat intelligence is highly time-sensitive and its update frequency is correspondingly high, updating the intelligence must not affect detection that is in progress.
(4) Storage of malicious traffic, for analysis and forensic investigation.
The system implementing this method mainly includes the following modules: an application-layer traffic reconstruction module, a threat intelligence matching module, and an alarm information and PCAP storage module.
Application-layer traffic reconstruction module: responsible for reconstructing application-layer protocols, mainly HTTP and DNS. In operation, raw network packets are first filtered to obtain IP packets, which are then filtered by port so that only packets for preset port numbers are retained; specifically, the port filter keeps the packets whose port number is 80, 443 or 53. Next, IP fragments are reassembled, and for the TCP protocol, TCP segments are reassembled. Finally, the application-layer protocol is identified. The key data structures of this module are as follows:
Five-tuple data structure:
DNS data structure:
HTTP data structure:
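The patent's data-structure figures are not reproduced on this page. As an added illustration, which is not the patent's or ThreatBook's code, the following Go program sketches the three structures and the first stage of the reconstruction module described above: extracting a five-tuple from a raw IPv4 packet and applying the 80/443/53 port filter. The field names, the helper names (ParseIPv4, Keep, buildIPv4) and the packets are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// FiveTuple identifies one flow; the field names are assumptions made for this
// example, not the patent's own definitions.
type FiveTuple struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	Protocol         uint8 // 6 = TCP, 17 = UDP
}

// DNSRecord and HTTPRecord are the reconstructed application-layer records that
// a later matching stage would consume (shape assumed for illustration).
type DNSRecord struct {
	Flow    FiveTuple
	QName   string
	Answers []string
}

type HTTPRecord struct {
	Flow FiveTuple
	Host string
	URL  string
}

// retainedPorts are the ports the patent keeps after filtering: 80, 443 and 53.
var retainedPorts = map[uint16]bool{80: true, 443: true, 53: true}

// ParseIPv4 extracts the five-tuple from a raw IPv4 packet carrying TCP or UDP.
func ParseIPv4(pkt []byte) (FiveTuple, error) {
	var ft FiveTuple
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return ft, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4 // header length in bytes
	if ihl < 20 || len(pkt) < ihl+4 {
		return ft, errors.New("truncated IPv4 header")
	}
	ft.Protocol = pkt[9]
	if ft.Protocol != 6 && ft.Protocol != 17 {
		return ft, fmt.Errorf("unsupported protocol %d", ft.Protocol)
	}
	ft.SrcIP = net.IP(pkt[12:16])
	ft.DstIP = net.IP(pkt[16:20])
	// Both TCP and UDP place source and destination ports in the first 4 bytes.
	ft.SrcPort = binary.BigEndian.Uint16(pkt[ihl : ihl+2])
	ft.DstPort = binary.BigEndian.Uint16(pkt[ihl+2 : ihl+4])
	return ft, nil
}

// Keep reports whether either endpoint uses one of the retained ports.
func Keep(ft FiveTuple) bool {
	return retainedPorts[ft.SrcPort] || retainedPorts[ft.DstPort]
}

// buildIPv4 constructs a minimal IPv4 packet (header plus 8 transport bytes)
// so the example runs offline; it is sample input, not captured traffic.
func buildIPv4(proto uint8, src, dst net.IP, sport, dport uint16) []byte {
	pkt := make([]byte, 28)
	pkt[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	pkt[8] = 64 // TTL
	pkt[9] = proto
	copy(pkt[12:16], src.To4())
	copy(pkt[16:20], dst.To4())
	binary.BigEndian.PutUint16(pkt[20:22], sport)
	binary.BigEndian.PutUint16(pkt[22:24], dport)
	return pkt
}

func main() {
	dns := buildIPv4(17, net.ParseIP("10.0.0.5"), net.ParseIP("10.0.0.53"), 51234, 53)
	ssh := buildIPv4(6, net.ParseIP("10.0.0.5"), net.ParseIP("10.0.0.9"), 40000, 22)
	for _, p := range [][]byte{dns, ssh} {
		ft, err := ParseIPv4(p)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s:%d -> %s:%d proto=%d keep=%v\n",
			ft.SrcIP, ft.SrcPort, ft.DstIP, ft.DstPort, ft.Protocol, Keep(ft))
	}
}
```

The DNS packet passes the filter and the SSH packet is dropped; the IP fragment and TCP segment reassembly that follow in the patent's step 12 operate on the retained packets grouped by this five-tuple.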
The threat intelligence matching module is mainly responsible for matching threat intelligence. Because the system is aimed at enterprise users, the matching module needs to guarantee matching speed and also has to solve the problem of intelligence updates. To guarantee matching speed, the system loads all intelligence into memory and performs the matching there, which improves matching efficiency. The data structure of an intelligence entry is as follows:
It includes the IOC's ID, type, content, threat level, confidence and similar fields.
The matching code is as follows:
Because hot replacement must be supported, a read-write lock has been added:
When iocMap is updated or changed, only the read-write lock needs to be taken, which prevents data (such as the threat intelligence) from being corrupted by disordered operations:
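The patent's matching and locking code is not reproduced on this page. As an added example, not the patent's or ThreatBook's own code, the following Go program implements the design the passage describes: an in-memory indicator map guarded by a read-write lock, read-locked for every match and write-locked only for the pointer swap that performs hot replacement. It goes one step beyond the text by also matching an indicator against the subdomains of the listed domain. The IOC field names, the iocMap layout and the sample indicators are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// IOC mirrors the fields the patent lists for an intelligence entry: ID, type,
// content, threat level and confidence (field names assumed for this example).
type IOC struct {
	ID         string
	Type       string // "domain", "ip", "url", "hash"
	Content    string
	Level      int // threat level
	Confidence int // 0..100
}

// Alert is what a successful match hands to the alarm/PCAP module.
type Alert struct {
	Host string
	IOC  IOC
	Seen string
}

// IOCStore holds all indicators in memory, keyed by type then normalized content.
// The RWMutex lets many matchers read concurrently while a hot replacement waits
// for, and then briefly excludes, the readers.
type IOCStore struct {
	mu     sync.RWMutex
	iocMap map[string]map[string]IOC
}

// normalize makes reconstructed observations comparable with stored content.
func normalize(typ, content string) string {
	content = strings.TrimSpace(content)
	if typ == "url" {
		return content // URL paths are case-sensitive; compare as given
	}
	content = strings.ToLower(content)
	if typ == "domain" {
		content = strings.TrimSuffix(content, ".") // DNS names may carry a trailing dot
	}
	return content
}

func buildMap(iocs []IOC) map[string]map[string]IOC {
	m := make(map[string]map[string]IOC)
	for _, ioc := range iocs {
		if m[ioc.Type] == nil {
			m[ioc.Type] = make(map[string]IOC)
		}
		m[ioc.Type][normalize(ioc.Type, ioc.Content)] = ioc
	}
	return m
}

func NewIOCStore(iocs []IOC) *IOCStore {
	return &IOCStore{iocMap: buildMap(iocs)}
}

// Replace swaps in a new indicator set. The map is built before the write lock
// is taken, so in-progress matching is blocked only for the pointer assignment.
func (s *IOCStore) Replace(iocs []IOC) {
	m := buildMap(iocs)
	s.mu.Lock()
	s.iocMap = m
	s.mu.Unlock()
}

// Match checks one reconstructed observation (type + value) under the read lock.
func (s *IOCStore) Match(host, typ, value string) (Alert, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	candidates := []string{normalize(typ, value)}
	if typ == "domain" {
		// Walk parent domains so an indicator for a zone also catches its subdomains,
		// stopping before the bare top-level label.
		labels := strings.Split(candidates[0], ".")
		for i := 1; i < len(labels)-1; i++ {
			candidates = append(candidates, strings.Join(labels[i:], "."))
		}
	}
	for _, c := range candidates {
		if ioc, ok := s.iocMap[typ][c]; ok {
			return Alert{Host: host, IOC: ioc, Seen: value}, true
		}
	}
	return Alert{}, false
}

func main() {
	// Constructed sample indicators, not real threat intelligence.
	store := NewIOCStore([]IOC{
		{ID: "ioc-1", Type: "domain", Content: "evil.example", Level: 3, Confidence: 90},
		{ID: "ioc-2", Type: "ip", Content: "198.51.100.7", Level: 2, Confidence: 70},
	})
	if a, ok := store.Match("10.0.0.5", "domain", "c2.evil.example."); ok {
		fmt.Printf("compromised host %s: %s matched %s (%s)\n", a.Host, a.Seen, a.IOC.Content, a.IOC.ID)
	}
	// Hot replacement: after the swap only the new set matches.
	store.Replace([]IOC{{ID: "ioc-3", Type: "url", Content: "http://bad.example/p.php", Level: 3, Confidence: 80}})
	_, ok := store.Match("10.0.0.5", "domain", "c2.evil.example")
	fmt.Println("old domain still matches:", ok)
}
```

Building the replacement map outside the critical section is what keeps the update from stalling detection: readers hold the lock only for a map lookup, and the writer holds it only for one assignment.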
Alarm information and PCAP storage module: mainly responsible for storing the relevant information of the discovered compromised hosts together with the relevant PCAP files for investigation and analysis, and for raising an alarm to remind the user when a compromised host is found.
The system stores alarm information as logs; the key code is as follows:
The key code for PCAP storage is as follows:
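The patent's storage code is not reproduced on this page. As an added example, not the patent's or ThreatBook's own code, the following Go program implements both halves of the module described above: an alarm rendered as one JSON log line, and a writer that lays out the flagged flow's packets in the libpcap file format (24-byte global header, 16-byte record header per packet) so that standard analysis tools can open the evidence. The AlertRecord fields, the writer's method names and the sample frame are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)

// AlertRecord is one log line for a confirmed compromised host (fields assumed).
type AlertRecord struct {
	Time     string `json:"time"`
	Host     string `json:"host"`
	IOCID    string `json:"ioc_id"`
	IOCType  string `json:"ioc_type"`
	Matched  string `json:"matched"`
	PCAPFile string `json:"pcap_file"`
}

// FormatAlert renders the alarm as a single newline-terminated JSON line.
func FormatAlert(a AlertRecord) (string, error) {
	b, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	return string(b) + "\n", nil
}

// libpcap 2.4 file format constants, Ethernet link type.
const (
	pcapMagic    uint32 = 0xa1b2c3d4 // microsecond timestamps, native byte order
	pcapSnaplen  uint32 = 65535
	linkEthernet uint32 = 1
)

// PCAPWriter accumulates the packets of a flagged flow in pcap format.
type PCAPWriter struct {
	buf   bytes.Buffer
	count int
}

// NewPCAPWriter emits the 24-byte global header.
func NewPCAPWriter() *PCAPWriter {
	w := &PCAPWriter{}
	hdr := make([]byte, 24)
	binary.LittleEndian.PutUint32(hdr[0:4], pcapMagic)
	binary.LittleEndian.PutUint16(hdr[4:6], 2) // version major
	binary.LittleEndian.PutUint16(hdr[6:8], 4) // version minor
	// bytes 8..16: thiszone and sigfigs, both zero
	binary.LittleEndian.PutUint32(hdr[16:20], pcapSnaplen)
	binary.LittleEndian.PutUint32(hdr[20:24], linkEthernet)
	w.buf.Write(hdr)
	return w
}

// WritePacket appends one record: ts_sec, ts_usec, incl_len, orig_len, then the
// frame bytes truncated to snaplen with the original length preserved.
func (w *PCAPWriter) WritePacket(ts time.Time, frame []byte) {
	origLen := uint32(len(frame))
	if origLen > pcapSnaplen {
		frame = frame[:pcapSnaplen]
	}
	rec := make([]byte, 16)
	binary.LittleEndian.PutUint32(rec[0:4], uint32(ts.Unix()))
	binary.LittleEndian.PutUint32(rec[4:8], uint32(ts.Nanosecond()/1000))
	binary.LittleEndian.PutUint32(rec[8:12], uint32(len(frame)))
	binary.LittleEndian.PutUint32(rec[12:16], origLen)
	w.buf.Write(rec)
	w.buf.Write(frame)
	w.count++
}

// Bytes returns the complete pcap file contents; Count the number of records.
func (w *PCAPWriter) Bytes() []byte { return w.buf.Bytes() }
func (w *PCAPWriter) Count() int    { return w.count }

func main() {
	w := NewPCAPWriter()
	// Constructed stub Ethernet header (broadcast dst, sample src, IPv4 ethertype).
	frame := []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x08, 0x00}
	ts := time.Unix(1700000000, 123000)
	w.WritePacket(ts, frame)
	line, err := FormatAlert(AlertRecord{
		Time: ts.UTC().Format(time.RFC3339), Host: "10.0.0.5", IOCID: "ioc-1",
		IOCType: "domain", Matched: "c2.evil.example", PCAPFile: "alert-ioc-1.pcap",
	})
	if err != nil {
		panic(err)
	}
	fmt.Print(line)
	fmt.Printf("pcap: %d packet(s), %d bytes\n", w.Count(), len(w.Bytes()))
}
```

In a deployment the log line is appended to the alarm log and w.Bytes() is written to the file named in the pcap_file field, so an analyst can pivot from the alarm straight to the traffic that triggered it.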
With the above technical solution, the whole system corresponding to this method can be developed in Golang, which in terms of performance ensures that it can be used in business networks. In actual test results, on a low-specification computer with a single CPU and 1 GB of memory it can analyse traffic of 10 Gb/s or more, and the threat intelligence matching speed reaches 200,000 matches per second (20W/s).
Actual testing has found that, by using threat intelligence, this method detects many compromised hosts that traditional antivirus software cannot find. Because the above steps are used, the detection target is not restricted: any electronic device that involves raw network traffic and the related data can be a target device, so the target devices also include mobile phones that may have been infected with Trojans.
An embodiment of the invention also provides a compromised device detection apparatus, including an acquisition module, a matching module and a judgment module. The acquisition module is configured to extract behavioural characteristic data of a host from raw network traffic and to reconstruct the application data of TCP/IP applications; the matching module is configured to match IOC threat intelligence against the reconstructed application data; and the judgment module determines compromised hosts according to the matching result.
With reference to Fig. 1, specifically, the acquisition module extracts behavioural characteristic data of the host from raw network traffic and reconstructs the application data of TCP/IP applications at high speed; the reconstructed content includes the five-tuple information of ordinary traffic, DNS request/response information, HTTP request/response information and similar data.
The matching module matches IOC threat intelligence against the reconstructed application information, and the judgment module determines compromised hosts from the matching result; that is, a successful match shows that a compromised host has been found. In one embodiment, the reconstructed application data are matched against pre-stored characteristic data, and on a successful match the host corresponding to the application data is a compromised host.
As for the automatic acquisition and replacement of IOC threat intelligence: because threat intelligence is highly time-sensitive and its update frequency is correspondingly high, updating the intelligence must not affect detection that is in progress. Malicious traffic is stored for analysis and forensic investigation.
In one embodiment of the invention, the judgment module is configured, in cooperation with the acquisition module, to further: filter raw network packets; perform IP fragment reassembly and, for the TCP protocol, TCP segment reassembly; and identify the application-layer protocol. Specifically, the judgment module is equipped with an application-layer traffic reconstruction module, which is responsible for reconstructing application-layer protocols, mainly HTTP and DNS. For example, in operation the raw network packets are first filtered to obtain IP packets, which are then filtered by port so that only packets for preset port numbers are retained; specifically, the port filter keeps the packets whose port number is 80, 443 or 53. Next, IP fragments are reassembled, and for the TCP protocol, TCP segments are then reassembled.
The above embodiments are only exemplary embodiments of the present invention and are not intended to limit it; the protection scope of the present invention is defined by the claims. Those skilled in the art can make various modifications or equivalent replacements to the present invention within its spirit and scope, and such modifications or equivalent replacements should also be regarded as falling within the scope of the present invention.

Claims (10)

  1. A compromised device detection method, characterized by comprising:
    Step 1, extracting behavioural characteristic data of a host from raw network traffic, and reconstructing the application data of TCP/IP applications;
    Step 2, matching the reconstructed application data against IOC threat intelligence;
    Step 3, determining compromised hosts according to the matching result.
  2. The compromised device detection method according to claim 1, characterized in that the application data subjected to reconstruction include the five-tuple information of ordinary traffic, DNS request/response information and HTTP request/response information.
  3. The compromised device detection method according to claim 1, characterized in that step 1 includes:
    Step 11, filtering raw network packets;
    Step 12, performing IP fragment reassembly and, for the TCP protocol, TCP segment reassembly;
    Step 13, identifying the application-layer protocol.
  4. The compromised device detection method according to claim 3, characterized in that step 11 obtains IP packets and filters them by port, retaining the packets whose port numbers correspond to preset ports.
  5. The compromised device detection method according to claim 1, characterized in that step 2 further comprises: loading all intelligence into memory and performing the matching there.
  6. The compromised device detection method according to claim 1, characterized in that the method also includes:
    Step 4, storing the relevant information of the determined compromised host together with the corresponding PCAP file, for investigation and analysis.
  7. The compromised device detection method according to claim 1, characterized in that the method also includes: setting a read-write lock, locking the read-write lock when the threat intelligence is updated or changed, and unlocking it otherwise.
  8. The compromised device detection method according to claim 1, characterized in that the method also includes: raising an alarm when a compromised host is found.
  9. A compromised device detection apparatus, including an acquisition module, a matching module and a judgment module;
    the acquisition module is configured to extract behavioural characteristic data of a host from raw network traffic and to reconstruct the application data of TCP/IP applications;
    the matching module is configured to match IOC threat intelligence against the reconstructed application data;
    the judgment module is configured to determine compromised hosts according to the matching result.
  10. The apparatus according to claim 9, wherein the acquisition module is further configured to: filter raw network packets; perform IP fragment reassembly and, for the TCP protocol, TCP segment reassembly; and identify the application-layer protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810379276.3A CN109688092A (en) 2018-04-25 2018-04-25 Compromised device detection method and device

Publications (1)

Publication Number Publication Date
CN109688092A true CN109688092A (en) 2019-04-26

Family

ID=66184348

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634306A (en) * 2013-11-18 2014-03-12 北京奇虎科技有限公司 Security detection method and security detection server for network data
US20170048260A1 (en) * 2015-08-12 2017-02-16 Wizard Tower TechnoServices Ltd. Method and system for network resource attack detection using a client identifier
CN106921608A (en) * 2015-12-24 2017-07-04 华为技术有限公司 One kind detection terminal security situation method, apparatus and system
CN107360170A (en) * 2017-07-18 2017-11-17 百色闻远网络科技有限公司 A kind of computer network security detection method
CN107579995A (en) * 2017-09-30 2018-01-12 北京奇虎科技有限公司 The network protection method and device of onboard system
CN107800685A (en) * 2017-07-03 2018-03-13 南京骏腾信息技术有限公司 Based on the intelligent security defense platform for threatening information

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110958251A (en) * 2019-12-04 2020-04-03 中电福富信息科技有限公司 Method and device for detecting and backtracking lost host based on real-time stream processing
CN112073362A (en) * 2020-06-19 2020-12-11 北京邮电大学 APT (advanced persistent threat) organization flow identification method based on flow characteristics
CN111818073A (en) * 2020-07-16 2020-10-23 深信服科技股份有限公司 Method, device, equipment and medium for detecting defect host
CN111818073B (en) * 2020-07-16 2022-08-09 深信服科技股份有限公司 Method, device, equipment and medium for detecting defect host
CN112769775A (en) * 2020-12-25 2021-05-07 深信服科技股份有限公司 Threat information correlation analysis method, system, equipment and computer medium
CN112769775B (en) * 2020-12-25 2023-05-12 深信服科技股份有限公司 Threat information association analysis method, system, equipment and computer medium
CN113726818A (en) * 2021-11-01 2021-11-30 北京微步在线科技有限公司 Method and device for detecting lost host
CN113726818B (en) * 2021-11-01 2022-02-15 北京微步在线科技有限公司 Method and device for detecting lost host
CN114095217A (en) * 2021-11-06 2022-02-25 北京天融信网络安全技术有限公司 Evidence obtaining and tracing method and system for failing host snapshot
CN116886452A (en) * 2023-09-08 2023-10-13 北京安博通科技股份有限公司 Method and system for judging host computer collapse
CN116886452B (en) * 2023-09-08 2023-12-08 北京安博通科技股份有限公司 Method and system for judging host computer collapse

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190426