CN112261029A - DDoS malicious code detection and tracing method based on breeding - Google Patents


Info

Publication number: CN112261029A
Authority: CN (China)
Application number: CN202011112201.2A
Other languages: Chinese (zh)
Other versions: CN112261029B (en)
Inventors: 杜飞, 尹天阳, 张兴睿
Assignee (current and original): Beijing Ruichi Xinan Technology Co ltd
Legal status: Granted; Active
Prior art keywords: sample, container, ddos, flow, attack

Classifications

    • H04L63/1458 Denial of Service (under H04L63/14, network security arrangements for detecting or protecting against malicious traffic, and H04L63/1441, countermeasures against malicious traffic)
    • G06F21/53 Monitoring users, programs or devices to maintain platform integrity during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine (under G06F21/50 and G06F21/52)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting malicious traffic by monitoring network traffic)
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a DDoS malicious code detection and tracing method based on breeding (long-term running of samples in an isolated environment), in the technical field of network security. The method comprises the following steps: first, existing DDoS malicious code or suspicious files from a Linux system are taken as samples to be detected and run for a long period; a Docker image of a Linux system is built and run in each virtual environment on each server to form a container; for every container that starts successfully, its run information is stored in a database and its monitoring program is configured; each sample to be detected is then placed in its corresponding container, and the monitoring program observes the sample's behaviour in multiple dimensions; finally, the method judges whether the total traffic of each sample exceeds a DDoS attack traffic threshold. If it does, a DDoS event analysis function is called, the discovered DDoS attack event is cut off, and comprehensive analysis, tracking and tracing are performed to locate the IP of the botnet master control end. Otherwise the sample is judged safe and is not processed further. The invention can effectively track the master control end of the bots (zombie machines).

Description

DDoS malicious code detection and tracing method based on breeding
Technical Field
The invention relates to the technical field of network security, in particular to a DDoS malicious code detection and tracing method based on breeding, i.e. on running malicious samples for a long period in a controlled environment.
Background
A distributed denial of service (DDoS) attack sends abnormal requests to a target through a large number of zombie machines (bots), so that the target's hosts and network resources are exhausted and it can no longer receive and respond to legitimate requests. A zombie machine is a machine remotely controlled by an attacker. Attackers usually collect zombie machines from the network by scanning, vulnerability exploitation, weak-password brute forcing and similar means, implant malicious code in each server they successfully compromise, and then control the bots in client/server (C/S) mode to launch DDoS attacks, to scan and propagate further, and so on.
Existing DDoS malicious code detection and tracing has the following problems. First, most DDoS detection takes place around the victim end, which lies downstream in the whole attack chain, so tracing back to the master control end of the bots is difficult. Second, tracing the master control end from the victim end requires separating attack-related traffic from the full traffic, which introduces a certain error. Third, existing methods are limited to passive discovery of DDoS attack events; they can hardly correlate malicious code, DDoS attacks and master-control-end information accurately, and cannot perform active defence on the basis of existing conditions.
Existing DDoS attack detection methods mainly comprise statistical classification, artificial intelligence and information-theoretic detection, and existing DDoS tracing methods mainly comprise log tracing and packet marking. None of these solves the three problems above, so how to make full use of existing resources, run samples in an environment with relatively clean traffic, and perform long-term detection, analysis and tracing on the traffic they generate has become an urgent technical problem.
Disclosure of Invention
Aiming at the problems of existing methods, the invention provides a DDoS malicious code detection and tracing method based on breeding, which raises the level of active defence against DDoS malicious code and is general and stable.
The DDoS malicious code detection and tracing method specifically comprises the following steps:
step one, taking existing DDoS malicious code or suspicious files from a Linux system as samples to be detected and running them for a long period on the basis of virtualization technology;
step two, for a plurality of servers, installing a plurality of virtual environments on each server;
step three, after a Docker image of the Linux system is built, running the Docker image in each virtual environment, so that each virtual environment forms a container.
Specifically: each sample to be detected is given its own fixed IP; when each virtual environment runs its Docker image, the IP of the sample corresponding to that virtual environment is passed as a parameter, and the first 20 characters of the image name are taken as the name of the container formed by that virtual environment;
step four, running each container with the command
docker run --name=$container_name -m 256M --net shadownet --ip $IP --memory-swap -1 -v $PATH $image_name:latest &
and storing in the database the start time, container IP, sample hash value, container operating system, breeding physical machine IP and other information of each container that starts successfully;
step five, configuring the monitoring program of each container using the correspondence between the container network interface, container ID, image name, container IP, sample hash and breeding environment IP;
step six, placing each sample to be detected into its corresponding container, and monitoring the behaviour of the sample in multiple dimensions with the configured monitoring program;
the multidimensional monitoring comprises:
1) first-connection monitoring for each sample: monitoring the traffic on the container network interface, and continuously identifying and recording the remote end of each TCP communication the sample makes for the first time;
2) DNS query and DNS response monitoring for each sample: identifying and analysing the DNS-related traffic generated by the sample;
3) full-traffic retention for each sample: separating traffic by container network interface and retaining the traffic generated by each sample in pcap files;
4) total-traffic monitoring for each sample: monitoring with multiple threads, one thread per sample;
step seven, for the total-traffic monitoring indicator of each sample to be detected, judging whether the total traffic of the sample exceeds the DDoS attack traffic threshold; if so, calling the DDoS event analysis function and proceeding to step eight; otherwise the sample is a safe sample and is not processed further.
The DDoS event analysis specifically comprises the following steps:
first, for the total-traffic monitoring indicator of a given sample to be detected, counting the five-tuples of the attack packets of each flow, namely source IP, destination IP, source port, destination port and protocol, and storing the five-tuples;
then, counting and ranking the proportion of each flow, setting the DDoS attack traffic threshold, and if at least one flow exceeds the threshold, judging the sample to be detected to be DDoS malicious code that has launched an attack; at the same time, recording the attacked IP, port and protocol;
step eight, cutting off the discovered DDoS attack event, performing comprehensive analysis, tracking and tracing, and locating the IP of the botnet master control end.
Specifically:
first, according to the time at which the sample's attack occurred, searching the sample's full-traffic retention index and finding the two pcap files preceding the attack time point;
then reading the pcap file closest to the attack time point and traversing it from the beginning until the attack packet is read or the packet time exceeds the attack occurrence time;
finally, among the top-ranked non-attack traffic preceding the attack packet, finding the TCP packet whose destination IP is the container IP, whose payload length is greater than that of the preceding TCP packets of the same session, and whose payload length is greater than 20 bytes; the IP at the other end of that packet is the IP of the master control end.
Compared with the prior art, the invention has the following advantages:
(1) the method breeds each sample separately in a virtualized environment, giving every sample a relatively independent breeding environment, so that traffic-based event analysis can be performed accurately;
(2) on the basis of virtualization technology, the method runs samples of multiple architectures and instruction sets such as ARM, MIPS and PowerPC on an ordinary x86 machine, which extends the applicable range of the traditional environment, while the lightweight Docker-based breeding greatly improves the breeding efficiency of a single machine;
(3) DDoS attack detection and tracing are performed at the bot end; compared with traditional monitoring at the victim end, the detection position and time are moved earlier in the attack chain, and the master control end of the bots can be tracked effectively;
(4) the method makes full use of existing resources to breed malicious code actively and controllably over a long period, realizing active defence, and can capture more DDoS attack events and bot master control ends.
Drawings
FIG. 1 is a flow chart of the DDoS malicious code detection and tracing method based on breeding according to the present invention;
FIG. 2 is a flow chart of the DDoS detection and tracing performed after the traffic of each sample to be detected has been monitored, according to the present invention.
Detailed Description
The present invention is described in further detail below with reference to the accompanying drawings, so that those skilled in the art can understand and practise it.
The invention provides a DDoS malicious code detection and tracing method based on breeding, which comprises: breeding samples to be detected under Linux over a long period; monitoring traffic changes in the breeding environment and detecting and identifying DDoS attack traffic; and performing DDoS tracking and tracing on the discovered attack events to locate the botnet master control end.
As shown in fig. 1, the specific steps are as follows:
step one, taking existing DDoS malicious code or suspicious files from a Linux system as samples to be detected and running them for a long period on the basis of virtualization technology;
the malicious code architectures supported by breeding include x86_64, x86, MIPS, MIPSEL, ARM, PowerPC, SPARC, Renesas SH and Motorola 68020; the breeding image is built on the virtualization technologies Docker and QEMU;
first, a base image is made;
for the samples to be bred, a separate Docker image is built for each sample, to simplify management of the breeding environment and DDoS tracking and tracing, so that each sample has its own virtual network interface and the tracing accuracy within a single physical environment is improved. The base image is used to make the sample images; Docker is installed in the deployment environment;
the base image operating system may be CentOS or Ubuntu, with the QEMU environment deployed in it. On CentOS QEMU is installed with "yum install qemu", on Ubuntu with "apt-get install qemu". On an ordinary x86 architecture, user-mode emulation of various architectures and instruction sets is possible through qemu-arm, qemu-mips and similar binaries, so that multi-architecture samples can be bred;
the image is uploaded with the docker push command for later use.
Then, a sample breeding image is built;
an image description file (Dockerfile) is written for the sample to be bred. Its content comprises: obtaining the base image, copying the sample to a specified location in the breeding container, network configuration, and the command that runs the sample. The run command must match the sample architecture, as reported by the file command, and calls the corresponding qemu-<architecture> user-mode emulator to run the sample.
An example Dockerfile follows, in which registry.cn-hangzhou.aliyuncs.com/lanimei/centos-qemu:v0.3 is the base image made above:
# base image: CentOS with QEMU user-mode emulation installed
FROM registry.cn-hangzhou.aliyuncs.com/lanimei/centos-qemu:v0.3
# sample file name, passed at build time with --build-arg sample_name=...
ARG sample_name
# copy the sample to be bred into the container
ADD $sample_name /home/
RUN chmod 777 /home/$sample_name
# start script and monitoring program
ADD start.sh /home/
ADD monitor /home/
RUN chmod a+x /home/monitor
RUN chmod a+x /home/start.sh
CMD ["/home/start.sh"]
The start.sh script run by the Dockerfile above is as follows:
#!/bin/bash
# DNS settings for the breeding container
echo "search 114.114.114.114" > /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
# start the monitoring program in the background; $2 and $3 are its parameters
nohup /home/monitor $2 $3 /share &
sleep 600
# try each QEMU user-mode emulator in turn; only the one matching the sample architecture runs it
qemu-mips /home/$sample_name $4
qemu-mipsel /home/$sample_name $4
qemu-arm /home/$sample_name $4
qemu-sparc /home/$sample_name $4
qemu-ppc /home/$sample_name $4
qemu-m68k /home/$sample_name $4
qemu-sh4 /home/$sample_name $4
qemu-armeb /home/$sample_name $4
# finally run the sample natively (x86 samples)
/home/$sample_name
echo "run.........."
where $4 is the parameter required to run the sample.
step two, for a plurality of servers, installing a plurality of virtual environments on each server; each virtual environment runs a single sample, so that samples are isolated from each other;
step three, after a Docker image of the Linux system is built, running the image in each virtual environment so that each virtual environment forms a container; the samples are bred and run in these containers;
specifically: each sample to be detected is given its own fixed IP; when each virtual environment runs its Docker image, the IP of the sample corresponding to that virtual environment is passed as a parameter, and the first 20 characters of the image name are taken as the name of the container formed by that virtual environment;
step four, running each container with the command
docker run --name=$container_name -m 256M --net shadownet --ip $IP --memory-swap -1 -v $PATH $image_name:latest &
judging whether the container started successfully, and if so storing the start time, container IP, sample hash value, container operating system, breeding physical machine IP and other information of the container in the database; otherwise, if the start fails, recording a log;
while a Docker container runs, the name of its network interface may be assigned randomly, so the correspondence between IP and network interface must be recorded; this correspondence is important for the subsequent tracing and for the operation of the monitoring program;
step five, configuring the monitoring program of each container using the correspondence between the container network interface, container ID, image name, container IP, sample hash and breeding environment IP;
if the container started successfully, information such as the container start time, container IP, sample hash value, container operating system and breeding physical machine IP is stored in the database; the correspondence between container IP and container network interface is used as configuration 1 of the monitoring program, or the correspondence among container network interface, container ID, image name, container IP, sample hash and breeding environment IP is used as configuration 2 of the monitoring program; if the start fails, a log is recorded; the information required for each configuration is set by the customer according to individual needs.
The container is paused with the docker pause command, the monitoring program is run, and after the program has started successfully the container is resumed with the docker unpause command; after all sample images have been run as containers, all container information can be viewed with "docker ps".
step six, placing each sample to be detected into its corresponding container, and monitoring its behaviour in multiple dimensions with the configured monitoring program;
the multidimensional monitoring comprises:
1) first-connection monitoring for each sample: monitoring the traffic on the container network interface, and continuously identifying and recording the remote end of each TCP communication the sample makes for the first time;
this behaviour is typically associated with the DDoS bot coming online. The container's network interface traffic is monitored with libpcap, and the remote IP of each TCP communication the sample makes for the first time is continuously identified and recorded through a hash table; continuous recording is necessary because the IP of the master control end may change while the sample runs, either through the domain name queries described below or through a command from the master control end;
when a remote IP not present in the hash table is found, the IP is associated with the malicious code and stored in the database;
2) DNS query and DNS response monitoring for each sample: identifying and analysing the DNS-related traffic generated by the sample;
this behaviour is usually related to DDoS attacks and to the sample coming online: some attack instructions do not give an attack IP directly but an attack domain name, and malicious code usually supports attacking several IPs at once;
3) full-traffic retention for each sample: separating traffic by container network interface and retaining the traffic generated by each sample;
for full-traffic retention, each container's network interface is captured separately with tcpdump, the traffic generated by the sample is written in pcap form, a new pcap file is started every 2 minutes, and these files are used for DDoS tracing;
4) total-traffic monitoring for each sample: by multithreading, one thread per sample;
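Monitoring dimensions 1) and 2) above, as an added example that is not code from the patent or its assignee: a first-connection tracker that keeps the hash table of TCP peers the sample has contacted and annotates each new peer with the domain name that most recently resolved to it, so that a master control end moving to a new IP via DNS (the case the text describes) shows up as a new first-connection event carrying the same domain. The container IP, the TEST-NET peer addresses, the c2.example.net name and the packet record layout are all constructed; a real deployment would fill these records from libpcap with a DNS parser, which is assumed rather than shown.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed: the fixed IP assigned to the sample's container.
CONTAINER_IP = "10.66.0.12"


@dataclass
class Pkt:
    """One parsed packet from the container's network interface (constructed, not libpcap output)."""
    ts: float
    src: str
    dst: str
    proto: str                                    # "tcp" or "udp"
    dport: int
    dns_answer: Optional[Tuple[str, str]] = None  # (queried name, answered IP) for a DNS response


@dataclass
class FirstConnectionTracker:
    """First-connection and DNS-answer tracking for a single sample."""
    container_ip: str
    seen_peers: dict = field(default_factory=dict)   # hash table: peer IP -> timestamp of first TCP contact
    resolved: dict = field(default_factory=dict)     # answered IP -> domain name that resolved to it
    events: list = field(default_factory=list)       # records that would be stored in the database

    def handle(self, pkt: Pkt):
        # DNS response monitoring: remember which domain produced which IP.
        if pkt.dns_answer is not None:
            qname, ip = pkt.dns_answer
            self.resolved[ip] = qname
            return None
        # First-connection monitoring: outbound TCP from the container only.
        if pkt.proto != "tcp" or pkt.src != self.container_ip:
            return None
        if pkt.dst in self.seen_peers:
            return None                               # peer already recorded; nothing new
        self.seen_peers[pkt.dst] = pkt.ts
        event = {
            "ts": pkt.ts,
            "peer": pkt.dst,
            "port": pkt.dport,
            "domain": self.resolved.get(pkt.dst),     # None when the IP was hard-coded, not resolved
        }
        self.events.append(event)
        return event


def replay(packets, container_ip=CONTAINER_IP):
    """Feed packets to a fresh tracker and return the list of first-connection events."""
    tracker = FirstConnectionTracker(container_ip)
    for p in packets:
        tracker.handle(p)
    return tracker.events


# Constructed traffic: the sample resolves its C2 name, connects, keeps the session alive,
# later re-resolves the same name to a new address and connects there (master IP changed).
SAMPLE_TRAFFIC = [
    Pkt(0.0, CONTAINER_IP, "8.8.8.8", "udp", 53),
    Pkt(0.1, "8.8.8.8", CONTAINER_IP, "udp", 0, dns_answer=("c2.example.net", "203.0.113.7")),
    Pkt(0.5, CONTAINER_IP, "203.0.113.7", "tcp", 6667),
    Pkt(30.5, CONTAINER_IP, "203.0.113.7", "tcp", 6667),  # keep-alive, same peer: no new event
    Pkt(31.0, CONTAINER_IP, "192.0.2.50", "tcp", 80),     # unrelated peer: recorded as well
    Pkt(600.0, CONTAINER_IP, "8.8.8.8", "udp", 53),
    Pkt(600.1, "8.8.8.8", CONTAINER_IP, "udp", 0, dns_answer=("c2.example.net", "198.51.100.9")),
    Pkt(601.0, CONTAINER_IP, "198.51.100.9", "tcp", 6667),
]

if __name__ == "__main__":
    for e in replay(SAMPLE_TRAFFIC):
        print(e)
```

The tracker deliberately keeps recording after the first event rather than stopping at the first peer, which is the point the text makes: the second event for 198.51.100.9 still carries c2.example.net, so the analyst sees that the master control end moved rather than that a second, unrelated peer appeared.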
step seven, detecting and identifying DDoS attack traffic from the total-traffic monitoring indicator of each sample to be detected;
the traffic change of all running samples is monitored, DDoS attack detection is performed against a threshold, and the DDoS event analysis function is called as soon as the threshold is exceeded. Specifically: judge whether the total traffic of each sample exceeds the DDoS attack traffic threshold; if so, call the DDoS event analysis function; otherwise the sample is a safe sample and is not processed further.
As shown in the upper part of fig. 2, monitoring of the traffic change of all running samples is implemented with libpcap. The traffic threshold is set and adjusted according to expert experience. When the traffic on a network interface surges, the 10000 packets or 20 s of packets following the surge are analysed: the packets are counted by five-tuple, the five-tuples are ranked and their proportions computed, and if one exceeds 5% the sample is considered to be attacking; the attacked IP and port are recorded for the tracing in the next step.
In the traffic statistics, the settings of the SYN, ACK, RST and FIN flag bits of TCP packets can additionally be identified and recorded and their proportions counted to determine the attack type; a UDP flood can be identified by counting the proportion of UDP packets; a reflection amplification attack can be identified, namely one with forged source IPs, where the source IPs are few or fixed and send request traffic to a UDP service; and a spoofed-source attack can be identified, where there are usually many source IPs but the destination IPs are relatively concentrated;
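The detection stage of step seven, as an added example that is not code from the patent or its assignee: it cuts the analysis window at 10000 packets or 20 s after the surge, ranks five-tuples by their share of the window, flags every flow above the 5% threshold that the sample itself emits, and classifies the flagged flow from the UDP share and the TCP flag ratios. The 10000/20 s/5% values come from the text; the 50% cut-offs used for the UDP-flood and SYN-flood classification are assumptions, as are the container IP, the TEST-NET targets and the constructed packet records.

```python
from collections import Counter
from dataclasses import dataclass

# Parameters from the text: analyse 10000 packets or 20 s after a surge; flag a flow above 5 %.
WINDOW_PACKETS = 10000
WINDOW_SECONDS = 20.0
FLOW_THRESHOLD = 0.05
# Assumed cut-offs for attack-type classification (the text names the ratios, not the values).
UDP_FLOOD_SHARE = 0.5
FLAG_SHARE = 0.5

CONTAINER_IP = "10.66.0.12"   # constructed container IP of the sample under observation


@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str        # "tcp" or "udp"
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A", "R", "F"


def analysis_window(packets, surge_ts):
    """Packets after the surge, cut at 10000 packets or 20 seconds, whichever comes first."""
    after = [p for p in packets if surge_ts <= p.ts <= surge_ts + WINDOW_SECONDS]
    return after[:WINDOW_PACKETS]


def five_tuple(p):
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def rank_flows(window):
    """Five-tuple counts ranked by share of the window, as (tuple, share) pairs."""
    total = len(window)
    return [(t, n / total) for t, n in Counter(five_tuple(p) for p in window).most_common()]


def attack_type(flow_packets):
    """Classify one flagged flow from its protocol and TCP flag ratios."""
    udp_share = sum(p.proto == "udp" for p in flow_packets) / len(flow_packets)
    if udp_share >= UDP_FLOOD_SHARE:
        return "UDP flood"
    tcp = [p for p in flow_packets if p.proto == "tcp"]
    flag_counts = Counter(p.flags for p in tcp)
    if flag_counts["S"] / len(tcp) >= FLAG_SHARE:
        return "SYN flood"
    if flag_counts["A"] / len(tcp) >= FLAG_SHARE:
        return "ACK flood"
    return "TCP flood (other)"


def detect_ddos(packets, surge_ts, container_ip=CONTAINER_IP):
    """One event per flow above the threshold, with the attacked target recorded for tracing."""
    window = analysis_window(packets, surge_ts)
    if not window:
        return []
    events = []
    for t, share in rank_flows(window):
        if share < FLOW_THRESHOLD:
            break                       # ranked list: nothing further down can exceed the threshold
        src, dst, _sport, dport, proto = t
        if src != container_ip:
            continue                    # only traffic the sample emits counts as an attack
        flow_packets = [p for p in window if five_tuple(p) == t]
        events.append({"target_ip": dst, "target_port": dport, "proto": proto,
                       "share": round(share, 3), "type": attack_type(flow_packets)})
    return events


# Constructed window: 150 SYN-only packets to one target plus 50 packets of ordinary traffic.
SAMPLE_PACKETS = (
    [Pkt(100.0 + i * 0.01, CONTAINER_IP, "192.0.2.10", 40000, 80, "tcp", "S") for i in range(150)]
    + [Pkt(100.0 + i * 0.02, CONTAINER_IP, "203.0.113.7", 51000, 6667, "tcp", "A") for i in range(4)]
    + [Pkt(100.0 + i * 0.03, CONTAINER_IP, "198.51.100.1", 52000 + i, 443, "tcp", "S") for i in range(46)]
)

if __name__ == "__main__":
    print(detect_ddos(SAMPLE_PACKETS, surge_ts=100.0))
```

Note that ranking by full five-tuple, as the text specifies, only isolates floods whose source port is fixed; the 46 background connections with distinct source ports each fall below the threshold here, which is also why a flood using random source ports would need aggregation by destination triple before ranking.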
step eight, cutting off the discovered DDoS attack event, performing comprehensive analysis, tracking and tracing, and locating the IP of the botnet master control end.
After a DDoS attack event is discovered, the packets needed to analyse the event are retained and the attack is blocked by means such as an iptables firewall rule and the docker pause command. For the firewall, the attacked IP and protocol obtained from the analysis are configured into the firewall with the command
iptables -A OUTPUT -p udp/tcp -d ${IP} -j DROP
For Docker control, the time at which the container was paused is recorded in the database, and the container start program continuously scans that table and resumes, with docker unpause, each container that meets the run condition; the container's running is controlled by an increasing time rule, i.e. the container is paused for 5 minutes the first time and 10 minutes the second time. In this way more attack events can be captured, while duplicate data and harm to the attacked end are reduced.
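The containment logic of step eight, as an added example that is not code from the patent or its assignee: it builds the iptables OUTPUT rule for the attacked target and the docker pause command as argument lists (nothing is executed here), keeps the pause table the text describes, applies the increasing time rule, and returns the docker unpause commands that one scan of the table would issue. The text gives only the first two pause durations (5 and 10 minutes); extending the rule linearly to 15, 20, ... minutes is an assumption, as are the container id and the event values.

```python
from dataclasses import dataclass, field

FIRST_PAUSE_SECONDS = 300   # the text: 5 minutes for the first pause, 10 minutes for the second
# Assumption: every further pause adds another 5 minutes (the text only gives the first two values).


def block_rule(target_ip, proto):
    """The text's iptables rule, as an argv list so it can be handed to subprocess.run without a shell."""
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    return ["iptables", "-A", "OUTPUT", "-p", proto, "-d", target_ip, "-j", "DROP"]


@dataclass
class PauseTable:
    """In-memory stand-in for the database table that the container start program keeps scanning."""
    rows: dict = field(default_factory=dict)   # container_id -> {"count": n, "resume_at": ts or None}

    def pause(self, container_id, now):
        """Record a pause; returns the duration in seconds under the increasing time rule."""
        row = self.rows.setdefault(container_id, {"count": 0, "resume_at": None})
        row["count"] += 1
        duration = FIRST_PAUSE_SECONDS * row["count"]   # 300, 600, 900, ...
        row["resume_at"] = now + duration
        return duration

    def due_for_unpause(self, now):
        """Containers whose pause has expired, as the periodic table scan would find them."""
        return sorted(cid for cid, row in self.rows.items()
                      if row["resume_at"] is not None and row["resume_at"] <= now)

    def mark_resumed(self, container_id):
        self.rows[container_id]["resume_at"] = None


def contain(event, container_id, table, now):
    """Commands for one detected event: block the attacked target, then pause the attacking container."""
    cmds = [block_rule(event["target_ip"], event["proto"])]
    table.pause(container_id, now)
    cmds.append(["docker", "pause", container_id])
    return cmds


def resume_due(table, now):
    """One scan of the table: docker unpause commands for every container whose pause expired."""
    cmds = []
    for cid in table.due_for_unpause(now):
        table.mark_resumed(cid)
        cmds.append(["docker", "unpause", cid])
    return cmds


if __name__ == "__main__":
    # Constructed event from the detection stage and a constructed container id.
    table = PauseTable()
    print(contain({"target_ip": "192.0.2.10", "proto": "udp"}, "sample_a1b2c3", table, now=1000.0))
    print(resume_due(table, now=1200.0))   # nothing due yet
    print(resume_due(table, now=1300.0))   # first pause (5 min) has expired
```

Keeping the count per container rather than per event is what makes the second pause of the same container last 10 minutes; a container that keeps attacking after every resume is therefore held for progressively longer, which is the trade-off the text describes between capturing more events and limiting harm to the attacked end.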
Specifically:
first, when a DDoS attack is detected, the tracing program is called, as shown in the lower half of fig. 2. It begins by reading the DDoS event data and obtaining the related original packets;
the DDoS attack event log analysed and retained by the traffic change detection program is read, and according to the attack occurrence time and the attacking sample, the two pcaps preceding that time point are looked up in the full-traffic retention data;
then, the original packets are traversed and five-tuple data counted;
the pcap file closest to the attack time point is read and traversed from the beginning until the attack packet is read or the packet time exceeds the attack occurrence time; the TCP packets read are counted, and if the source IP or destination IP is the IP of the breeding container:
    string = ip.src + tcp.srcport + ip.dst + tcp.dstport
    map[string]++
Because the master control end and the malicious code exchange keep-alive packets, whose interval is usually short and whose TCP payload is also short, the master control end and the malicious code should be in continuous, stable and bidirectional communication before an attack occurs. Finally, the top two entries of the map are examined; if the two strings are identical after swapping source and destination information, a preliminary tracing conclusion is obtained;
finally, tracing based on packet length statistics;
during this step, the TCP sessions generated before the attack are recorded and their TCP payload content and length are analysed. If, for the string found above, the TCP payload of the packets exchanged with the associated IP is longer (more than 20 bytes, because before the attack the master control end sends the bot, as a TCP payload, the attack implementation information, including the attack mode, attack target, attack port, attack duration, attack intervals and so on) and there is stable communication, or the TCP payload contains the attacked IP as a string or as a long integer, the IP of the master control end can be considered found.
Finally, the IPs obtained and the associated samples are aggregated in a database for comprehensive analysis.
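The two tracing stages of step eight, as an added example that is not code from the patent or its assignee: it selects the two retained pcap files preceding the attack time, counts the text's session string (here a tuple) over the pre-attack TCP packets that involve the container, requires the two busiest entries to be mirror images of each other (the bidirectional keep-alive), and then confirms the peer by a payload longer than 20 bytes sent to the container before the attack. The 2-minute rotation and the 20-byte bound come from the text; the container IP, the TEST-NET peers, the keep-alive cadence and the whole constructed capture are assumptions, and the pcap files are represented only by their start times rather than parsed.

```python
from collections import Counter
from dataclasses import dataclass

CONTAINER_IP = "10.66.0.12"    # constructed container IP
PCAP_ROTATION_SECONDS = 120    # the text: full traffic is rotated into a new pcap every 2 minutes
MIN_COMMAND_LEN = 20           # the text: an attack instruction payload is longer than 20 bytes


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload_len: int = 0


def select_pcaps(pcap_start_times, attack_ts):
    """The two retained pcap files that start before the attack time, newest last."""
    before = sorted(t for t in pcap_start_times if t <= attack_ts)
    return before[-2:]


def session_key(p):
    # The text's key ip.src + tcp.srcport + ip.dst + tcp.dstport, as a tuple instead of a string
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(k):
    return (k[2], k[3], k[0], k[1])


def trace_c2(packets, attack_ts, container_ip=CONTAINER_IP):
    """Stage one: the two busiest session directions before the attack must mirror each other
    (bidirectional keep-alive). Stage two: that peer must have sent a payload > 20 bytes."""
    pre = [p for p in packets
           if p.proto == "tcp" and p.ts < attack_ts and container_ip in (p.src, p.dst)]
    counts = Counter(session_key(p) for p in pre)
    top = counts.most_common(2)
    if len(top) < 2 or top[0][0] != reverse_key(top[1][0]):
        return None                                  # no stable bidirectional session: no conclusion
    k = top[0][0]
    peer = k[2] if k[0] == container_ip else k[0]
    commands = [p for p in pre
                if p.src == peer and p.dst == container_ip and p.payload_len > MIN_COMMAND_LEN]
    if not commands:
        return None                                  # keep-alive only, no attack instruction seen
    last = commands[-1]
    return {"c2_ip": peer, "keepalive_packets": counts[k] + counts[top[1][0]],
            "command_ts": last.ts, "command_len": last.payload_len}


def _keepalive(t, peer="203.0.113.7"):
    """One constructed keep-alive exchange: 4-byte payloads in both directions."""
    return [Pkt(t, CONTAINER_IP, 51000, peer, 6667, "tcp", 4),
            Pkt(t + 0.2, peer, 6667, CONTAINER_IP, 51000, "tcp", 4)]


# Constructed capture: 10 minutes of keep-alives every 30 s, some unrelated web traffic,
# a 48-byte instruction from the C2 at t=600, then a UDP flood starting at t=605.
SAMPLE_CAPTURE = sum((_keepalive(30.0 * i) for i in range(20)), [])
SAMPLE_CAPTURE += [Pkt(5.0 + i, CONTAINER_IP, 52000 + i, "192.0.2.50", 80, "tcp", 300) for i in range(5)]
SAMPLE_CAPTURE += [Pkt(600.0, "203.0.113.7", 6667, CONTAINER_IP, 51000, "tcp", 48)]
SAMPLE_CAPTURE += [Pkt(605.0 + i * 0.001, CONTAINER_IP, 40000, "192.0.2.10", 53, "udp", 512) for i in range(100)]
SAMPLE_CAPTURE.sort(key=lambda p: p.ts)
ATTACK_TS = 605.0

if __name__ == "__main__":
    print(select_pcaps([0, 120, 240, 360, 480, 600, 720], ATTACK_TS))
    print(trace_c2(SAMPLE_CAPTURE, ATTACK_TS))
```

The mirror-image check on the two busiest entries is what separates a keep-alive channel from busy one-directional traffic such as the web downloads in the constructed capture, and the payload-length stage then stops a peer that only exchanged keep-alives from being reported as the master control end.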
The embodiment of the invention uses the lightweight virtualization technology Docker to breed DDoS malicious code over a long period, with each virtual environment breeding only one piece of malicious code; it monitors the traffic change of the breeding environment and detects and identifies DDoS attack traffic; and on the basis of the full traffic it performs DDoS tracking and tracing on the discovered attack events and locates the botnet master control end. Compared with traditional victim-end detection, the DDoS detection position is moved earlier, event analysis is easier, analysis results are more precise, DDoS events and botnet master control ends are discovered actively, and the method is general and stable in DDoS malicious code detection and tracing.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (4)

1. A DDoS malicious code detection and tracing method based on cultivation, characterized by comprising the following specific steps:
step one, on the basis of virtualization technology, taking existing DDoS malicious code or suspicious files in a Linux system as samples to be detected and culturing them over a long term;
step two, for a plurality of servers, installing a plurality of virtual environments on each server;
step three, after constructing a Docker image of the Linux system, running the Docker image in each virtual environment, each virtual environment thereby forming a container;
step four, running each container with the command 'docker run --name=$container_name -m 256M --net=shadow_net --ip=$IP --memory-swap=-1 -v $PATH $image_name:latest &', and storing in the database, for each container that starts successfully, its run time, container IP, sample hash value, container operating system and breeding physical machine IP;
step five, configuring the monitoring program of each container using the correspondence between the container network card, container ID, image name, container IP, sample hash and breeding environment IP;
step six, putting each sample to be detected into its corresponding container, and carrying out multi-dimensional monitoring of the behavior of the sample to be detected with the configured monitoring program;
step seven, for the full-traffic monitoring indexes of each sample to be detected, judging whether the full traffic of the sample exceeds the DDoS attack flow threshold; if so, calling the DDoS event analysis function and entering step eight; otherwise, the sample to be detected is a safe sample and is not processed further;
the DDoS event analysis specifically comprises the following steps:
first, for the full-traffic monitoring indexes of a given sample to be detected, counting the five-tuples of the attack messages of each flow, namely source IP, destination IP, source port, destination port and protocol, and storing the five-tuples;
then, counting and ranking the proportion of each flow, setting the DDoS attack flow threshold, and, if at least one flow exceeds the DDoS attack flow threshold, determining the sample to be detected as a DDoS malicious code that has launched an attack; meanwhile, recording the attacked IP, port and protocol;
and step eight, cutting off the discovered DDoS attack event, performing comprehensive analysis, tracking and tracing, and locating the IP of the botnet master control end.
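The step-seven traffic gate and the DDoS event analysis of claim 1, written out as an added example; it is not part of the patent and not the applicant's code. It runs in Python over constructed packet records instead of a live container network card. The container IP, the packets-per-second gate and the 0.5 per-flow share threshold are assumptions chosen for the demonstration, since the claim leaves the threshold values to the implementer.

```python
"""Added example (not the patent's own code): the step-seven full-traffic
gate and the five-tuple DDoS event analysis of claim 1, over constructed
packet records. Addresses and thresholds are assumptions for the demo."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str         # "tcp" or "udp"
    payload_len: int = 0


CONTAINER_IP = "10.0.0.5"       # constructed fixed IP of the sample's container
RATE_THRESHOLD_PPS = 10.0       # assumed full-traffic gate, packets per second
FLOW_SHARE_THRESHOLD = 0.5      # assumed per-flow proportion threshold


def traffic_rate(packets):
    """Step-seven gate: average packets per second over the monitored window."""
    if not packets:
        return 0.0
    span = max(p.ts for p in packets) - min(p.ts for p in packets)
    return len(packets) / span if span > 0 else float(len(packets))


def five_tuple(p):
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def count_five_tuples(packets):
    """First analysis step: packets per (src, dst, sport, dport, proto) flow."""
    return Counter(five_tuple(p) for p in packets)


def rank_flow_shares(counts):
    """Second analysis step: each flow's share of the sample's traffic, largest first."""
    total = sum(counts.values())
    return [(flow, n / total) for flow, n in counts.most_common()]


def detect(packets, rate_threshold=RATE_THRESHOLD_PPS,
           share_threshold=FLOW_SHARE_THRESHOLD):
    """Verdict for one sample: 'safe' when its full traffic stays under the
    gate; otherwise 'ddos' with the attacked (dst IP, port, proto) of every
    flow whose share exceeds the flow threshold. A sample over the gate with
    no dominant flow is left 'undetermined' (claim 1 does not define that case)."""
    rate = traffic_rate(packets)
    if rate <= rate_threshold:
        return {"verdict": "safe", "rate_pps": rate, "targets": []}
    shares = rank_flow_shares(count_five_tuples(packets))
    targets = [(dst, dport, proto)
               for (src, dst, sport, dport, proto), share in shares
               if share > share_threshold]
    verdict = "ddos" if targets else "undetermined"
    return {"verdict": verdict, "rate_pps": rate, "targets": targets,
            "top_flows": shares[:3]}


def make_flood_sample():
    """Constructed traffic: five DNS lookups, then a 200-packet flood from one
    source port at a single HTTP target within two seconds."""
    dns = [Packet(90.0 + i, CONTAINER_IP, "10.0.0.2", 50000 + i, 53, "udp", 40)
           for i in range(5)]
    flood = [Packet(100.0 + i * 0.01, CONTAINER_IP, "203.0.113.10", 40000, 80, "tcp")
             for i in range(200)]
    return dns + flood


def make_benign_sample():
    """Constructed traffic: five DNS lookups and a slow three-message TCP session."""
    dns = [Packet(10.0 + i, CONTAINER_IP, "10.0.0.2", 50000 + i, 53, "udp", 40)
           for i in range(5)]
    session = [Packet(20.0 + 25 * i, CONTAINER_IP, "198.51.100.7", 51000, 6667, "tcp", 16)
               for i in range(3)]
    return dns + session


if __name__ == "__main__":
    print(detect(make_flood_sample()))
    print(detect(make_benign_sample()))
```

The gate matters as much as the share ranking: the benign sample's busiest flow would pass a share test on its own, but its rate never reaches the threshold, so it stays safe. A flood that randomizes its source port spreads across many five-tuples; a deployment would then also aggregate on the recorded (destination IP, port, protocol) triple before applying the share threshold, a refinement the claim does not spell out.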
2. The DDoS malicious code detection and tracing method based on breeding according to claim 1, wherein step three specifically is: each sample to be detected is assigned its own fixed IP; when each virtual environment runs its Docker image, the IP of the sample to be detected corresponding to that virtual environment is passed as a parameter, and the first 20 characters of the image are taken as the name of the container formed by that virtual environment.
3. The DDoS malicious code detection and tracing method based on breeding as claimed in claim 1, wherein the multi-dimensional monitoring in step six comprises:
1) first-connection monitoring of each sample: monitoring the traffic of the container network card, and continuously identifying and recording the TCP peer information that appears for the first time for the sample;
2) DNS query and DNS response monitoring of each sample: identifying and parsing the DNS-related traffic generated by the sample;
3) full-traffic retention of each sample: distinguishing by container network card, and retaining the traffic generated by each sample in the form of a pcap file;
4) full-traffic monitoring of each sample: monitoring with multiple threads, each thread corresponding to one sample.
4. The DDoS malicious code detection and tracing method based on breeding according to claim 1, wherein step eight specifically comprises:
first, according to the attack occurrence time of the sample to be detected, searching the sample's full-traffic retention index and finding the two pcap files preceding the attack time point;
then reading the pcap file closest to the attack time point, and traversing the file from the beginning until the attack message is read or the time exceeds the attack occurrence time;
and finally, within the top-ranked non-attack traffic, before the attack message, finding the TCP message whose destination IP is the container IP, whose payload length is greater than the payload length of the previous TCP message of the conversation, and whose length is greater than 20; the target IP of that message is the IP of the master control end.
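The tracing steps of claim 4, as an added example that is not from the patent. The retained pcap files are modelled as in-memory lists of constructed packet records keyed by capture start time (a deployment would parse the real pcap files), and the addresses, ports and the 48-byte command message are constructed. The claim names the message's "target IP" as the master control end while also fixing its destination to the container IP, so this example takes the controller to be the message's source address; that reading is mine, not the page's. The ranking of non-attack conversations reuses the five-tuple counting of claim 1.

```python
"""Added example (not the patent's own code): locating the botnet controller
in retained traffic following claim 4. Captures are constructed in-memory
records; the controller address, ports and timings are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload_len: int = 0


CONTAINER_IP = "10.0.0.5"   # constructed fixed IP of the sample's container
MIN_COMMAND_LEN = 20        # claim 4: the command message carries more than 20 bytes


def captures_before(retention_index, attack_ts):
    """Claim 4, first step: the two retained captures that start before the
    attack, closest first. Keys of retention_index are capture start times."""
    starts = sorted((t for t in retention_index if t <= attack_ts), reverse=True)[:2]
    return [retention_index[t] for t in starts]


def conversation_key(p):
    """Direction-independent key so both halves of a TCP session share state."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def top_non_attack_conversation(packets, attack_targets):
    """Rank conversations by packet count, skipping flows aimed at a recorded
    DDoS target (dst IP, port, proto), and return the busiest one left."""
    counts = Counter(conversation_key(p) for p in packets
                     if (p.dst, p.dport, p.proto) not in attack_targets)
    return counts.most_common(1)[0][0] if counts else None


def trace_controller(packets, attack_ts, attack_targets, container_ip=CONTAINER_IP):
    """Claim 4, second and third steps over one capture: walk packets in time
    order until the attack starts; the first inbound TCP message of the top
    non-attack conversation whose payload is longer than the previous message
    of that conversation and longer than MIN_COMMAND_LEN is the attack order,
    and its source address is reported as the controller."""
    conv = top_non_attack_conversation(packets, attack_targets)
    if conv is None:
        return None
    prev_len = 0
    for p in sorted(packets, key=lambda q: q.ts):
        if p.ts >= attack_ts:
            break                       # attack message reached: stop reading
        if p.proto != "tcp" or conversation_key(p) != conv:
            continue
        if (p.dst == container_ip and p.payload_len > prev_len
                and p.payload_len > MIN_COMMAND_LEN):
            return {"controller_ip": p.src, "port": p.sport, "command_ts": p.ts}
        prev_len = p.payload_len
    return None


def trace_from_retention(retention_index, attack_ts, attack_targets,
                         container_ip=CONTAINER_IP):
    """Try the capture closest to the attack first, then the one before it."""
    for packets in captures_before(retention_index, attack_ts):
        hit = trace_controller(packets, attack_ts, attack_targets, container_ip)
        if hit:
            return hit
    return None


def make_retained_traffic():
    """Constructed traffic: DNS lookup, a TCP session with the controller
    (handshake, 32-byte registration, 8-byte reply, 4-byte heartbeats), a
    48-byte inbound command at t=170, then a flood at t=171."""
    c2 = "198.51.100.7"
    conv = [Packet(10.0, CONTAINER_IP, c2, 51000, 6667, "tcp", 0),
            Packet(10.1, c2, CONTAINER_IP, 6667, 51000, "tcp", 0),
            Packet(10.2, CONTAINER_IP, c2, 51000, 6667, "tcp", 32),
            Packet(10.3, c2, CONTAINER_IP, 6667, 51000, "tcp", 8)]
    for i in range(1, 6):
        conv += [Packet(10.0 + 30 * i, CONTAINER_IP, c2, 51000, 6667, "tcp", 4),
                 Packet(10.2 + 30 * i, c2, CONTAINER_IP, 6667, 51000, "tcp", 4)]
    conv.append(Packet(170.0, c2, CONTAINER_IP, 6667, 51000, "tcp", 48))
    dns = [Packet(9.0, CONTAINER_IP, "10.0.0.2", 53000, 53, "udp", 40),
           Packet(9.1, "10.0.0.2", CONTAINER_IP, 53, 53000, "udp", 56)]
    flood = [Packet(171.0 + i * 0.01, CONTAINER_IP, "203.0.113.10", 40000, 80, "tcp")
             for i in range(100)]
    return sorted(conv + dns + flood, key=lambda p: p.ts)


if __name__ == "__main__":
    traffic = make_retained_traffic()
    index = {0.0: [p for p in traffic if p.ts < 120.0],
             120.0: [p for p in traffic if p.ts >= 120.0]}
    print(trace_from_retention(index, 171.0, {("203.0.113.10", 80, "tcp")}))
```

Splitting the constructed traffic into two captures shows why the claim retrieves two files: the earlier capture holds only the handshake and heartbeats, where no inbound message outgrows its predecessor by more than 20 bytes, so the trace returns nothing there and the capture closest to the attack is the one that yields the command and the controller address.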

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011112201.2A CN112261029B (en) 2020-10-16 2020-10-16 DDoS malicious code detection and tracing method based on cultivation

Publications (2)

Publication Number Publication Date
CN112261029A true CN112261029A (en) 2021-01-22
CN112261029B CN112261029B (en) 2023-05-02

Family

ID=74244509

Country Status (1)

Country Link
CN (1) CN112261029B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866266A (en) * 2021-01-27 2021-05-28 华能国际电力股份有限公司 Malicious code protection method based on self-culture algorithm and suitable for power industrial control network
CN113051563A (en) * 2021-02-25 2021-06-29 中国科学院信息工程研究所 Cross-container software operation detection method and system
CN114826670A (en) * 2022-03-23 2022-07-29 国家计算机网络与信息安全管理中心 Method for analyzing network flow and detecting large-scale malicious code propagation

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954367A (en) * 2015-06-04 2015-09-30 饶小毛 Internet omnidirectional cross-domain DDoS (distributed denial of service) attack defense method
WO2017107804A1 (en) * 2015-12-24 2017-06-29 阿里巴巴集团控股有限公司 Method and device for ddos attack identification
CN106911662A (en) * 2016-10-12 2017-06-30 深圳市安之天信息技术有限公司 A kind of system and method for the low interaction of malice sample cultivation interaction conversion high
CN108282376A (en) * 2018-04-20 2018-07-13 江南大学 A kind of LDDoS emulation modes based on lightweight virtualization
CN108363922A (en) * 2017-10-19 2018-08-03 北京安天网络安全技术有限公司 A kind of automation malicious code emulation detection method and system
CN110049061A (en) * 2019-04-29 2019-07-23 南京邮电大学 Lightweight ddos attack detection device and detection method on high speed network
CN110225064A (en) * 2019-07-02 2019-09-10 恒安嘉新(北京)科技股份公司 Monitor method, apparatus, equipment and the storage medium of Botnet attack
CN110381041A (en) * 2019-06-28 2019-10-25 奇安信科技集团股份有限公司 Distributed denial of service attack situation detection method and device
US20200195665A1 (en) * 2017-06-08 2020-06-18 British Telecommunications Public Limited Company Denial of service mitigation

Also Published As

Publication number Publication date
CN112261029B (en) 2023-05-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant