CN110445802A - Digital-certificate-based threat discovery model construction technique - Google Patents

Digital-certificate-based threat discovery model construction technique

Info

Publication number: CN110445802A
Authority: CN (China)
Prior art keywords: certificate, port, model construction, construction techniques, digital certificate
Legal status: Pending
Application number: CN201910759084.XA
Other languages: Chinese (zh)
Inventors: 孙波, 李应博, 张伟, 司成祥, 张建松, 李胜男, 毛蔚轩, 盖伟麟, 王亿芳, 胡晓旭, 王梦禹
Current assignee: National Computer Network and Information Security Management Center
Original assignee: National Computer Network and Information Security Management Center
Priority date: 2019-08-16
Filing date: 2019-08-16
Publication date: 2019-11-12

Classifications

    • H04L63/145 (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic): countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1466 (H > H04 > H04L > H04L63/00 > H04L63/14 > H04L63/1441 Countermeasures against malicious traffic): active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L9/3263 (H > H04 > H04L > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials): involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Abstract

The present invention relates to the field of network protection, and in particular to a technique for constructing a threat discovery model based on digital certificates. The steps are: (1) probe the ports of the specified IP: (1.1) obtain the details of the port certificate; (1.2) obtain the connection response time difference; (1.3) obtain the homepage information returned on connecting to the port; (1.4) obtain information on the other ports; (2) analyse the collected data: (2.1) analyse the certificate; (2.2) count the homepage hyperlinks; (2.3) analyse the connection response time; (2.4) analyse the data size of the homepage; (2.5) screen the other ports detected. The invention can construct a suspected-espionage fingerprint analysis model and achieves targeted monitoring and discovery for specific scenarios.

Description

Digital-certificate-based threat discovery model construction technique
Technical field
The present invention relates to the field of network protection, and specifically to a technique for constructing a threat discovery model based on digital certificates.
Background technique
In recent years, attacks on the network facilities and data of key Chinese organisations by overseas espionage agencies and anti-communist hacker groups, aimed at stealing secrets, have occurred frequently. Overseas espionage organisations use a series of highly advanced attack methods, such as APT attacks and 0-day vulnerabilities, to break through traditional network security defences with ease, attacking, controlling, stealing from and sabotaging important sensitive departments and key infrastructure. Network security response is always reactive, becoming aware of incidents only after the fact, which leaves defenders passive and exposed and lacking the ability to respond promptly to, and give advance warning of, high-level attacks originating overseas.
Summary of the invention
The purpose of the present invention is to provide a technique for constructing a threat discovery model based on digital certificates, so as to solve the problem that data security in the prior art is checked only passively.
To achieve the above object, the invention provides the following technical scheme: a technique for constructing a threat discovery model based on digital certificates, whose steps are:
(1) probe the ports of the specified IP:
(1.1) obtain the details of the port certificate;
(1.2) obtain the connection response time difference;
(1.3) obtain the homepage information returned on connecting to the port;
(1.4) obtain information on the other ports;
(2) analyse the collected data:
(2.1) analyse the certificate;
(2.2) count the homepage hyperlinks;
(2.3) analyse the connection response time;
(2.4) analyse the data size of the homepage;
(2.5) screen the other ports detected.
Preferably, the port in step (1.1) is port 443.
Preferably, the certificate details of port 443 include the certificate acquisition time, certificate version, serial number, signature algorithm, signature hash algorithm, issuer, subject, subject key identifier and authority key identifier.
Preferably, the response time difference in step (1.2) is the interval between the client sending an HTTP GET request, after the HTTPS connection has been established, and the server's response.
Preferably, the homepage information in step (1.3) includes the server-side IP address, port number, TTL value, protocol type, geographical location, operator (ISP), time, service type and application component.
Preferably, in step (2.1), modelling analysis is carried out on the collected information: the validity of the certificate is confirmed and it is compared with an existing certificate repository to form black, white and grey lists of certificates.
The main criteria for the black, white and grey labels of a certificate are as follows:
White certificate: a certificate used by the normal website of a legal entity
Black certificate: a certificate used for trojan communication
Grey certificate: neither black nor white; an expired certificate from an issuing organisation.
Preferably, the specific method of step (2.2) is to count the homepage hyperlinks, make a feature judgement, and screen out IPs with 5 or fewer links.
Preferably, the specific analysis of step (2.3) concerns the interval between the client sending an HTTP GET request, after the HTTPS connection has been established, and the server's response: some trojans have a long response interval, exceeding 1 minute, and ordinary probing programs, including the common Shodan, cannot retrieve their homepage.
Preferably, the homepage size analysis of step (2.4) rests on the fact that a trojan's homepage contains little information, whereas the page of a normal application or website contains much more; normal pages are generally larger than 500 KB, so pages smaller than 500 KB can be screened out as suspicious targets.
Preferably, according to steps (1.4) and (2.5), the open status of the other ports is probed; an IP with other ports open may be a normal target and is discarded on that basis, leaving only the IPs with port 443 alone open.
Compared with the prior art, the beneficial effects of the present invention are: existing passive monitoring is changed to active discovery; continuous monitoring obtains data such as the port 443 certificate information and the homepage response information of the target IP, while full-port deep probing of the screened targets obtains their system information. Using the collected data, and following the novel attack techniques appearing in current cyberspace confrontation, a suspected-espionage fingerprint analysis model is constructed, achieving targeted monitoring and discovery for specific scenarios.
Detailed description of the invention
Fig. 1 is a flow diagram of the probing and analysis of the invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will now be described clearly and completely with reference to the drawings in the embodiments. Clearly, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
Referring to Fig. 1, the present invention provides a technical solution: a technique for constructing a threat discovery model based on digital certificates, whose steps are:
(1) probe the ports of the specified IP:
(1.1) obtain the details of the port certificate;
(1.2) obtain the connection response time difference;
(1.3) obtain the homepage information returned on connecting to the port;
(1.4) obtain information on the other ports;
(2) analyse the collected data:
(2.1) analyse the certificate;
(2.2) count the homepage hyperlinks;
(2.3) analyse the connection response time;
(2.4) analyse the data size of the homepage;
(2.5) screen the other ports detected.
The port in step (1.1) is port 443.
The certificate details of port 443 include the certificate acquisition time, certificate version, serial number, signature algorithm, signature hash algorithm, issuer, subject, subject key identifier and authority key identifier.
In detail, the certificate information of port 443 includes:
the certificate acquisition time (timestamp);
the version (version), e.g. V3;
the serial number (serial_number), e.g. 00 a8 60 38 e5 04 78 3e 43;
the signature algorithm (signature_algorithm.name), e.g. sha256RS;
the signature hash algorithm (signature_algorithm.oid), e.g. sha256, together with the public key algorithm and bit length, e.g. RSA (2048 bits);
the issuer (issuer_dn);
the subject (subject_dn);
the subject key identifier (extensions.subject_key_id);
the authority key identifier (extensions.authority_key_id), i.e. the issuer; and the start of the validity period (validity.start), etc.
The response time difference in step (1.2) is the interval between the client sending an HTTP GET request, after the HTTPS connection has been established, and the server's response.
The homepage information in step (1.3) includes the server-side IP address, port number, TTL value, protocol type, geographical location, operator (ISP), time, service type and application component.
Homepage information:
server-side IP address;
port number, e.g. 443;
TTL value;
protocol type, e.g. tcp, http, https;
geographical location, including country, city, longitude and latitude;
operator (ISP);
time, including the scan time and the time added;
service type;
application component.
In step (2.1), modelling analysis is carried out on the collected information: the validity of the certificate is confirmed and it is compared with an existing certificate repository, forming black, white and grey lists of certificates.
The main criteria for the black, white and grey labels of a certificate are as follows:
White certificate: a certificate used by the normal website of a legal entity, analysed mainly along dimensions such as the issuing organisation and the usage volume.
White certificates mostly come from certificates issued by authoritative CAs.
Usage volume: according to the website traffic statistics of www.alexa.cn, the certificates of organisations among the top 1,000,000 sites by traffic can basically be confirmed as white certificates.
Black certificate: a certificate used for trojan communication; the main sources are:
Sample analysis: the certificates used by trojans or botnets are identified by analysing collected samples and determined to be black certificates.
Certificates carried by the malware used by APT attack groups. We have continuously tracked the attack methods of more than 50 APT groups over many years, including TeleBots, TA554, APT-C-06, APT-C-27, TA505, MuddyWater, APT32, BRONZE BUTLER, WhiteElephant, DustSquad, FruityArmor, Gallmaker and others.
External sources: the SSL Blacklist (SSLBL) is a project maintained by abuse.ch, which mainly provides lists of known "bad" SSL certificates identified by abuse.ch; these lists are associated with malware or botnet activity. SSLBL provides the SHA1 fingerprints of malicious SSL certificates.
Abnormal certificates identified by relationship analysis models that use certificate information, open ports and the like.
Grey certificate: certificates that are neither black nor white are grouped as grey certificates and need further analysis.
At present the grey certificate repository mainly contains expired certificates from organisations: retired (expired) certificates issued by organisations such as CNNIC, T-Systems, Symantec and Google.
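As an added illustration, not code from the patent, the following Python applies the black/white/grey rules above to certificate records laid out with the field names listed under step (1.1). The reference sets (an authoritative-CA list, the retired-issuer list, a top-site list, an SSLBL-style SHA1 set and sample-derived issuer/serial pairs) and every certificate record are constructed for the example; in use they would be loaded from the repositories the text names.

```python
import hashlib
from datetime import datetime, timezone

# Reference sets, all constructed for this example. In a real deployment
# SSLBL_SHA1 would be loaded from the abuse.ch SSL blacklist feed (it lists
# SHA1 fingerprints), TOP_SITES from a traffic ranking such as the Alexa top
# 1,000,000 the page cites, and SAMPLE_DERIVED from certificates recovered
# during malware sample analysis.
AUTHORITATIVE_CAS = {"Example Trusted CA"}                        # hypothetical CA
RETIRED_ISSUERS = {"CNNIC", "T-Systems", "Symantec", "Google"}     # grey repository on the page
TOP_SITES = {"www.example-bank.test"}                              # hypothetical top-1M site
RAW_TROJAN_DER = b"\x30\x82constructed trojan certificate bytes"   # stands in for DER
SSLBL_SHA1 = {hashlib.sha1(RAW_TROJAN_DER).hexdigest()}
SAMPLE_DERIVED = {("CN=Botnet Ops CA", "01 02 03")}                # (issuer_dn, serial_number)


def _utc(ts):
    """Parse the ISO-8601 'Z' timestamps used in the records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _rdn(dn, key):
    """Pull one attribute (CN, O, ...) out of a comma-separated DN string."""
    for part in dn.split(","):
        name, _, value = part.strip().partition("=")
        if name == key:
            return value
    return ""


def sha1_fingerprint(raw_der):
    """SSLBL-style fingerprint: SHA1 over the certificate's DER encoding."""
    return hashlib.sha1(raw_der).hexdigest()


def extract_details(rec):
    """The certificate details collected in step (1.1), keyed by the page's field names."""
    return {
        "timestamp": rec["timestamp"],
        "version": rec["version"],
        "serial_number": rec["serial_number"],
        "signature_algorithm.name": rec["signature_algorithm"]["name"],
        "signature_algorithm.oid": rec["signature_algorithm"]["oid"],
        "public_key": f'{rec["public_key"]["type"]} ({rec["public_key"]["bits"]} bits)',
        "issuer_dn": rec["issuer_dn"],
        "subject_dn": rec["subject_dn"],
        "extensions.subject_key_id": rec["extensions"]["subject_key_id"],
        "extensions.authority_key_id": rec["extensions"]["authority_key_id"],
        "validity.start": rec["validity"]["start"],
        "sha1": sha1_fingerprint(rec["raw_der"]),
    }


def classify_certificate(rec, observed_at=None):
    """Return (label, reason) following the black/white/grey rules of step (2.1).

    Black is decided first (blacklist hit or sample-derived certificate), then
    white (authoritative CA plus a high-traffic subject); everything else is
    grey, tagged with the most specific reason available.
    """
    now = _utc(observed_at or rec["timestamp"])
    if sha1_fingerprint(rec["raw_der"]) in SSLBL_SHA1:
        return "black", "SHA1 fingerprint listed in SSL blacklist"
    if (rec["issuer_dn"], rec["serial_number"]) in SAMPLE_DERIVED:
        return "black", "certificate recovered from trojan/botnet sample"
    issuer_org = _rdn(rec["issuer_dn"], "O")
    issuer_cn = _rdn(rec["issuer_dn"], "CN")
    subject_cn = _rdn(rec["subject_dn"], "CN")
    expired = _utc(rec["validity"]["end"]) < now
    if not expired and issuer_org in AUTHORITATIVE_CAS and subject_cn in TOP_SITES:
        return "white", "authoritative CA and top-ranked site"
    if expired and (issuer_org in RETIRED_ISSUERS or issuer_cn in RETIRED_ISSUERS):
        return "grey", "expired certificate from a retired issuer"
    if expired:
        return "grey", "expired certificate"
    if rec["issuer_dn"] == rec["subject_dn"]:
        return "grey", "self-signed certificate"
    return "grey", "no white or black evidence; needs further analysis"


def _record(issuer, subject, start, end, serial, raw_der):
    """Build a constructed certificate record in the page's field layout."""
    return {
        "timestamp": "2019-08-16T09:00:00Z", "version": 3, "serial_number": serial,
        "signature_algorithm": {"name": "sha256RSA", "oid": "sha256"},
        "public_key": {"type": "RSA", "bits": 2048},
        "issuer_dn": issuer, "subject_dn": subject,
        "extensions": {"subject_key_id": "ab12cd", "authority_key_id": "ef34ab"},
        "validity": {"start": start, "end": end},
        "raw_der": raw_der,
    }


# Constructed sample certificates, one per expected label.
SAMPLE_CERTS = {
    "bank": _record("CN=Example Trusted CA, O=Example Trusted CA, C=US",
                    "CN=www.example-bank.test, O=Example Bank",
                    "2019-01-01T00:00:00Z", "2020-01-01T00:00:00Z",
                    "00 a8 60 38 e5 04 78 3e 43", b"constructed bank certificate"),
    "trojan": _record("CN=Botnet Ops CA", "CN=c2.invalid",
                      "2019-07-01T00:00:00Z", "2019-10-01T00:00:00Z",
                      "01 02 03", RAW_TROJAN_DER),
    "retired": _record("CN=CNNIC ROOT, O=CNNIC", "CN=old.example.test, O=Old Org",
                       "2014-01-01T00:00:00Z", "2016-01-01T00:00:00Z",
                       "0a 0b", b"constructed expired certificate"),
    "selfsigned": _record("CN=localhost", "CN=localhost",
                          "2019-01-01T00:00:00Z", "2029-01-01T00:00:00Z",
                          "01", b"constructed self-signed certificate"),
}

if __name__ == "__main__":
    for name, rec in SAMPLE_CERTS.items():
        print(name, classify_certificate(rec))
```

The order of the checks matters: a blacklist hit wins even when the issuer looks reputable, and a certificate is only called white when both dimensions the text names (issuing organisation and usage volume) agree; anything expired, self-signed or simply unknown stays grey for further analysis rather than being cleared.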
The specific method of step (2.2) is to count the homepage hyperlinks, make a feature judgement, and screen out IPs with 5 or fewer links; the number of links on a normal website or application is clearly higher than this.
The specific analysis of step (2.3) concerns the interval between the client sending an HTTP GET request, after the HTTPS connection has been established, and the server's response: some trojans have a long response interval, exceeding 1 minute, and ordinary probing programs, including the common Shodan, cannot retrieve their homepage.
The homepage size analysis of step (2.4) rests on the fact that a trojan's homepage contains little information, whereas the page of a normal application or website contains much more; normal pages are generally larger than 500 KB, so pages smaller than 500 KB can be screened out as suspicious targets.
According to steps (1.4) and (2.5), the open status of the other ports is probed; an IP with other ports open may be a normal target and is discarded on that basis, leaving only the IPs with port 443 alone open.
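The homepage and port screening of steps (2.2) to (2.5), as an added example that is not part of the patent: it runs over probe records shaped like the step (1.3) homepage information (IP, port, TTL, protocol, response time, open ports and the retrieved homepage body). The thresholds are the page's own (5 links, 1 minute, 500 KB, only port 443 open); the records and homepage bodies are constructed, and the rule that a host is suspicious when both homepage features trip, or when no homepage comes back at all, is this example's reading of the text.

```python
from html.parser import HTMLParser

HYPERLINK_LIMIT = 5               # step (2.2): 5 or fewer links is screened in
RESPONSE_TIME_LIMIT_S = 60        # step (2.3): responses slower than a minute
HOMEPAGE_SIZE_LIMIT = 500 * 1024  # step (2.4): normal homepages exceed 500 KB
EXPECTED_PORTS = {443}            # step (2.5): keep only hosts with just 443 open


class _LinkCounter(HTMLParser):
    """Count <a> tags that carry a non-empty href."""

    def __init__(self):
        super().__init__()
        self.links = 0

    def handle_starttag(self, tag, attrs):
        if tag == "a" and any(name == "href" and value for name, value in attrs):
            self.links += 1


def count_hyperlinks(html):
    parser = _LinkCounter()
    parser.feed(html)
    return parser.links


def screen_host(rec):
    """Run steps (2.2) to (2.5) over one probe record; return (suspicious, reasons).

    Hosts with ports other than 443 open are dropped outright, as the text
    treats them as probably normal. A host is then suspicious when the
    homepage cannot be retrieved or when both homepage features trip; a slow
    GET response is recorded as a further reason.
    """
    if set(rec["open_ports"]) != EXPECTED_PORTS:
        return False, ["other ports open; treated as a normal host"]
    reasons = []
    homepage = rec.get("homepage")
    few_links = small_page = False
    if homepage is None:
        reasons.append("homepage not retrievable")
    else:
        links = count_hyperlinks(homepage)
        size = len(homepage.encode("utf-8"))
        few_links = links <= HYPERLINK_LIMIT
        small_page = size < HOMEPAGE_SIZE_LIMIT
        if few_links:
            reasons.append(f"homepage has only {links} hyperlink(s)")
        if small_page:
            reasons.append(f"homepage is {size} bytes, under 500 KB")
    if rec["response_time_s"] > RESPONSE_TIME_LIMIT_S:
        reasons.append(f"GET answered after {rec['response_time_s']:.0f} s")
    suspicious = homepage is None or (few_links and small_page)
    return suspicious, reasons


def screen_all(records):
    """Map each IP to its screening result."""
    return {rec["ip"]: screen_host(rec) for rec in records}


# Constructed homepage bodies: a content-rich site and a near-empty one.
NORMAL_HOMEPAGE = ("<html><body>"
                   + "".join(f'<a href="/page{i}">page {i}</a>' for i in range(40))
                   + "<p>" + "lorem " * 100_000 + "</p></body></html>")
SUSPECT_HOMEPAGE = "<html><body><h1>It works</h1></body></html>"

# Constructed probe records in the shape of the step (1.3) homepage information.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 443, "ttl": 54, "protocol": "https",
     "open_ports": [22, 80, 443], "response_time_s": 0.4, "homepage": NORMAL_HOMEPAGE},
    {"ip": "203.0.113.20", "port": 443, "ttl": 116, "protocol": "https",
     "open_ports": [443], "response_time_s": 75.0, "homepage": SUSPECT_HOMEPAGE},
    {"ip": "203.0.113.30", "port": 443, "ttl": 63, "protocol": "https",
     "open_ports": [443], "response_time_s": 0.2, "homepage": NORMAL_HOMEPAGE},
]

if __name__ == "__main__":
    for ip, (suspicious, reasons) in screen_all(SAMPLE_RECORDS).items():
        print(ip, "SUSPICIOUS" if suspicious else "cleared", reasons)
```

The third record shows why the port filter alone is not enough: a host with only 443 open but a normal, link-rich homepage is cleared, while the second record trips every feature and is kept as a candidate for the deeper certificate analysis.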
By analysing the protocols involved in related attacks attributed to the US side, it was found that during an attack the target opens port 443 for proxied data transfer and control over the HTTPS protocol. For the case in which the target relays through an HTTPS channel and opens port 443 or 993, these IPs are probed continuously: probe packets are sent, the response data returned by the target at the obtained network IP is received, and signature analysis and fingerprint comparison locate precise information. By extracting the digital certificate used in the HTTPS encrypted communication, controlled targets can be found effectively.
Deep scanning of specific ports and acquisition of the digital certificate, together with systematic extraction and analysis of the certificate format, allow anomaly detection and clue mining on the scan and analysis results. According to our analysis of some typical APT events, especially APT attacks against China, some attacks use an SSL tunnel for encrypted communication: the corresponding communication port is opened only after activation, is used for one to a few hours, and is closed once the transfer ends; the certificate used differs somewhat at each communication, for instance in its validity period; the time window in which it is active is largely fixed to the corresponding local working hours; and a protocol inside the SSL tunnel that is not a common one such as HTTPS is also an abnormal situation. Combining port response features, certificate features and the like, abnormal devices can be discovered.
Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations may be made to these embodiments without departing from the principles and spirit of the present invention; the scope of the present invention is defined by the appended claims.
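The behavioural features described above (short-lived port windows, certificate changes between sessions, activity within local working hours, a non-HTTPS protocol inside the tunnel) turned into a scoring routine, as an added example rather than the patent's own model. It works from a constructed series of hourly port polls for one host; the 6 hour ceiling put on "a few hours" and the 09:00 to 18:00 working window are assumed values, and the record layout is this example's own.

```python
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18          # assumed local working hours (09:00-18:00)
MIN_SESSION_H, MAX_SESSION_H = 1, 6   # "one to a few hours"; the 6 h ceiling is assumed


def _utc(ts):
    """Parse the ISO-8601 'Z' timestamps used in the polls."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def open_sessions(observations):
    """Group consecutive polls in which the port was open into sessions.

    Each session keeps its start and end time, the certificate first seen in
    it (serial plus validity period) and the protocol seen inside the tunnel.
    """
    sessions, current = [], None
    for obs in sorted(observations, key=lambda o: o["ts"]):
        t = _utc(obs["ts"])
        if obs["port_open"]:
            if current is None:
                current = {"start": t, "end": t,
                           "cert": (obs["serial_number"], obs["validity_start"], obs["validity_end"]),
                           "protocol": obs["protocol"]}
            else:
                current["end"] = t
        elif current is not None:
            sessions.append(current)
            current = None
    if current is not None:
        sessions.append(current)
    return sessions


def assess_host(observations, local_utc_offset_h):
    """Return the list of anomaly reasons raised by the page's behavioural features."""
    sessions = open_sessions(observations)
    if not sessions:
        return []
    reasons = []
    hours = [(s["end"] - s["start"]).total_seconds() / 3600 for s in sessions]
    if all(MIN_SESSION_H <= h <= MAX_SESSION_H for h in hours):
        reasons.append(f"port open only in {len(sessions)} short session(s)")
    if len({s["cert"] for s in sessions}) > 1:
        reasons.append("certificate changes between sessions")
    local = timezone(timedelta(hours=local_utc_offset_h))
    if all(WORK_START <= s["start"].astimezone(local).hour < WORK_END for s in sessions):
        reasons.append("all sessions start within local working hours")
    if any(s["protocol"] != "https" for s in sessions):
        reasons.append("non-HTTPS protocol inside the TLS tunnel")
    return reasons


def _poll(hour, port_open, serial="aa", start="2019-08-01T00:00:00Z",
          end="2019-09-01T00:00:00Z", protocol="https"):
    """One constructed poll of port 443 at the given UTC hour on 2019-08-16."""
    return {"ts": f"2019-08-16T{hour:02d}:00:00Z", "port_open": port_open,
            "serial_number": serial, "validity_start": start, "validity_end": end,
            "protocol": protocol}


# Constructed hourly polls over one day (UTC). The suspect host is open
# 01:00-03:00 UTC with one certificate and 07:00-08:00 UTC with another one
# carrying a one-day validity and a non-HTTPS tunnel protocol; at UTC+8 both
# windows fall in working hours (09:00 and 15:00 local).
SUSPECT_OBS = (
    [_poll(h, False) for h in range(24) if h not in (1, 2, 3, 7, 8)]
    + [_poll(h, True, serial="aa") for h in (1, 2, 3)]
    + [_poll(h, True, serial="bb", start="2019-08-16T00:00:00Z",
             end="2019-08-17T00:00:00Z", protocol="custom") for h in (7, 8)]
)
BENIGN_OBS = [_poll(h, True) for h in range(24)]   # always open, same certificate

if __name__ == "__main__":
    print("suspect:", assess_host(SUSPECT_OBS, 8))
    print("benign:", assess_host(BENIGN_OBS, 8))
```

Each feature on its own is weak (plenty of legitimate services restart during the working day), which is why the routine returns the full list of reasons rather than a single verdict; the number of concurrent reasons is what separates the always-on host with a stable certificate from the one that surfaces briefly with a fresh certificate each time.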

Claims (10)

1. A technique for constructing a threat discovery model based on digital certificates, characterised in that its steps are:
(1) probe the ports of the specified IP:
(1.1) obtain the details of the port certificate;
(1.2) obtain the connection response time difference;
(1.3) obtain the homepage information returned on connecting to the port;
(1.4) obtain information on the other ports;
(2) analyse the collected data:
(2.1) analyse the certificate;
(2.2) count the homepage hyperlinks;
(2.3) analyse the connection response time;
(2.4) analyse the data size of the homepage;
(2.5) screen the other ports detected.
2. The technique for constructing a threat discovery model based on digital certificates according to claim 1, characterised in that the port in step (1.1) is port 443.
3. The technique for constructing a threat discovery model based on digital certificates according to claim 2, characterised in that the certificate details of port 443 include the certificate acquisition time, certificate version, serial number, signature algorithm, signature hash algorithm, issuer, subject, subject key identifier and authority key identifier.
4. The technique for constructing a threat discovery model based on digital certificates according to claim 1, characterised in that the response time difference in step (1.2) is the interval between the client sending an HTTP GET request, after the HTTPS connection has been established, and the server's response.
5. The technique for constructing a threat discovery model based on digital certificates according to claim 1, characterised in that the homepage information in step (1.3) includes the server-side IP address, port number, TTL value, protocol type, geographical location, operator (ISP), time, service type and application component.
6. The technique for constructing a threat discovery model based on digital certificates according to claim 1, characterised in that in step (2.1) modelling analysis is carried out on the collected information, the validity of the certificate is confirmed and it is compared with an existing certificate repository to form black, white and grey lists of certificates,
the main criteria for the black, white and grey labels of a certificate being as follows:
White certificate: a certificate used by the normal website of a legal entity
Black certificate: a certificate used for trojan communication
Grey certificate: neither black nor white; an expired certificate from an issuing organisation.
7. The technique for constructing a threat discovery model based on digital certificates according to claim 1, characterised in that the specific method of step (2.2) is to count the homepage hyperlinks, make a feature judgement, and screen out IPs with 5 or fewer links.
8. The technique for constructing a threat discovery model based on digital certificates according to claim 1, characterised in that the specific analysis of step (2.3) concerns the interval between the client sending an HTTP GET request, after the HTTPS connection has been established, and the server's response, some trojans having a long response interval exceeding 1 minute, and ordinary probing programs, including the common Shodan, being unable to retrieve their homepage.
9. The technique for constructing a threat discovery model based on digital certificates according to claim 1, characterised in that the homepage size analysis of step (2.4) rests on the fact that a trojan's homepage contains little information, whereas the page of a normal application or website contains much more, normal pages generally being larger than 500 KB, so that pages smaller than 500 KB can be screened out as suspicious targets.
10. The technique for constructing a threat discovery model based on digital certificates according to claim 1, characterised in that, according to steps (1.4) and (2.5), the open status of the other ports is probed, an IP with other ports open may be a normal target and is discarded on that basis, and only the IPs with port 443 alone open are retained.
Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201910759084.XA | CN110445802A (en) | 2019-08-16 | 2019-08-16 | Digital-certificate-based threat discovery model construction technique

Publications (1)

Publication Number Publication Date
CN110445802A true CN110445802A (en) 2019-11-12

Family

ID=68436060

Country Status (1)

Country Link
CN (1) CN110445802A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141243A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Device and method for carrying out security check and content filtering on communication data
US20150007302A1 (en) * 2013-06-26 2015-01-01 Yoshinaga Kato Communication apparatus, communication system, and recording medium
US20150106889A1 (en) * 2013-10-13 2015-04-16 Skycure Ltd Potential attack detection based on dummy network traffic
CN104933362A (en) * 2015-06-15 2015-09-23 福州大学 Automatic detection method of API (Application Program Interface) misuse-type bug of Android application software
CN107623695A (en) * 2017-09-30 2018-01-23 亚数信息科技(上海)有限公司 HTTPS web page resources safety evaluation method and equipment
WO2018030289A1 (en) * 2016-08-08 2018-02-15 株式会社エヌティーアイ Ssl communication system, client, server, ssl communication method, and computer program
CN108769086A (en) * 2018-08-31 2018-11-06 连尚(新昌)网络科技有限公司 A kind of method and apparatus for detecting man-in-the-middle attack by user equipment
CN108768989A (en) * 2018-05-18 2018-11-06 刘勇 It is a kind of using the APT attack defense methods of mimicry technology, system
CN109413196A (en) * 2018-11-13 2019-03-01 四川长虹电器股份有限公司 A kind of method of intelligent Matching HTTPS access certificate
CN109450931A (en) * 2018-12-14 2019-03-08 北京知道创宇信息技术有限公司 A kind of secure internet connection method, apparatus and PnP device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dai Zhen et al.: "APT attack detection method based on communication features", Computer Engineering and Applications (计算机工程与应用) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20191112)