CN112565162B - Method and device for detecting account stealing behavior - Google Patents


Info

Publication number: CN112565162B
Application number: CN201910913734.1A
Authority: CN (China)
Prior art keywords: flow, target, behavior, authentication, preset
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112565162A
Inventors: 孟翔, 张斌
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; priority to CN201910913734.1A; publication of CN112565162A; application granted; publication of CN112565162B; legal status active.

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G06F18/23 Pattern recognition; analysing; clustering techniques
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The application provides a method and a device for detecting account-stealing behavior. The method acquires the authentication traffic exchanged between the intranet devices and the domain controller in an AD domain, together with the traffic passing through a target port of the domain controller, and executes at least one of three detections: password blasting (brute-force guessing) behavior detection, password hash stealing behavior detection and process injection behavior detection. Because the three detections are designed around the typical behaviors an attacker exhibits when stealing accounts, they are highly targeted: account-stealing behavior in the AD domain is detected with a better detection rate, the miss rate is effectively reduced, and the false-positive rate is effectively reduced as well.

Description

Method and device for detecting account stealing behavior
Technical Field
The present application relates to the field of information security, and in particular to a method and a device for detecting account-stealing behavior.
Background
At present, to simplify the management of intranet devices, an AD (Active Directory) domain is usually built for the intranet, as shown in fig. 1. The devices in fig. 1 comprise a domain controller and intranet devices. The domain controller may be a domain controller host or a domain controller server (in practice an AD domain may contain several domain controllers; fig. 1 shows a single one as an example), and an intranet device may be an intranet host or an intranet server. The domain controller provides centralized management of the intranet devices in the AD domain: a setting only has to be made once on the domain controller for it to take effect on every intranet device. Besides centrally managing the intranet devices, the domain controller also manages a number of preset accounts; for example, for each account it assigns in advance the resources in the AD domain that an intranet device which successfully logs in to that account may access.
Once the domain controller has authenticated the account name and account password submitted by an intranet device, the device is logged in to the account, and from then on it can access the resources corresponding to that account without authenticating to the domain controller again. Therefore, once an attacker steals an account, the attacker can access the resources corresponding to that account in the AD domain, which is a serious hazard. Detecting account-stealing behavior in AD domains is therefore of great importance for preventing attackers from stealing accounts.
At present, the existing ways of detecting account-stealing behavior in an AD domain produce detection results of low accuracy (both a high miss rate and a high false-positive rate).
Disclosure of Invention
The application provides a method and a device for detecting account-stealing behavior, aiming to solve the problem that the detection results of existing detection methods have low accuracy.
To achieve the above object, the application provides the following technical solutions:
The application provides a method for detecting account-stealing behavior, comprising the following steps:
acquiring the authentication traffic between the intranet devices and the domain controller in an AD domain, and the traffic passing through a target port of the domain controller;
executing at least one of password blasting (brute-force) behavior detection, password hash stealing behavior detection and process injection behavior detection;
where the password blasting behavior detection detects password blasting behavior from the characteristics of the authentication traffic within a time window; the password hash stealing behavior detection detects password hash stealing behavior from the characteristics of the authentication traffic; and the process injection behavior detection detects process injection behavior from the traffic passing through the target port of the domain controller.
Optionally, the password blasting behavior detection includes:
determining that password blasting behavior is detected if a preset condition is met;
the preset condition including: in each of a preset number of consecutive time windows, the number of first target flows is larger than a first preset threshold, and the traffic within the preset number of consecutive time windows is similar; where a first target flow is a flow in the authentication traffic sent by a first device to the domain controller, and the first device is any intranet device in the AD domain.
Optionally, the process of determining that the traffic within the preset number of consecutive time windows is similar includes:
extracting, from the traffic within the preset number of consecutive time windows, the flows belonging to the first and second stages of the Kerberos protocol as the traffic to be processed;
clustering the traffic to be processed to obtain the cluster center of each class and the number of flows contained in each class;
if the distance between the cluster centers is smaller than a preset distance threshold, determining that the traffic within the preset number of consecutive time windows is similar;
if the distance between the cluster centers is not smaller than the preset distance threshold but the obtained classes include a target class, determining that the traffic within the preset number of consecutive time windows is similar; the target class being a class whose number of contained flows exceeds the number of flows contained in every other class by more than a preset threshold.
Optionally, the preset condition further includes:
in each of the preset number of consecutive time windows, the number of flows indicating authentication failure among the authentication traffic sent by the domain controller to the first device is larger than a second preset threshold.
Optionally, the password hash stealing behavior detection includes:
determining that password hash stealing behavior is detected when a second target flow exists in the authentication traffic; the second target flow being a flow whose highest supported encryption level is lower than a preset encryption level.
Optionally, the preset encryption level is the highest of the encryption levels supported by the authentication traffic between the intranet devices and the domain controller in the AD domain during a preset learning period.
Optionally, the process injection behavior detection includes:
determining that process injection behavior is detected if a third target flow is detected among the flows passing through the target port, where the target port is the port used for remote control of the domain controller and the third target flow is a flow containing remote call operation information.
Optionally, after determining that process injection behavior is detected, the method further includes:
if, among the traffic generated by the target intranet device in a preset period after the third target flow is detected, there is a flow containing information indicating that the target intranet device performed a login, determining that the target intranet device performed a login within the preset period after the process injection behavior; the target intranet device being the intranet device indicated by the third target flow.
Optionally, after determining that process injection behavior is detected, the method further includes:
if, among the traffic generated by the target intranet device in the preset period after the third target flow is detected, there is no flow containing information indicating that the target intranet device performed a login, determining that the target intranet device did not perform a login within the preset period after the process injection behavior; the target intranet device being the intranet device indicated by the third target flow.
The application also provides a device for detecting account-stealing behavior, comprising:
an acquisition module, for acquiring the authentication traffic between the intranet devices and the domain controller in the AD domain and the traffic passing through a target port of the domain controller;
at least one of a password blasting behavior detection module, a password hash stealing behavior detection module and a process injection behavior detection module;
the password blasting behavior detection module detecting password blasting behavior from the characteristics of the authentication traffic within a time window;
the password hash stealing behavior detection module detecting password hash stealing behavior from the characteristics of the authentication traffic;
the process injection behavior detection module detecting process injection behavior from the traffic passing through the target port of the domain controller.
Optionally, the password blasting behavior detection module detects password blasting behavior from the characteristics of the authentication traffic within a time window by:
determining that password blasting behavior is detected if a preset condition is met; the preset condition including: in each of a preset number of consecutive time windows, the number of first target flows is larger than a first preset threshold, and the traffic within the preset number of consecutive time windows is similar; where a first target flow is a flow in the authentication traffic sent by a first device to the domain controller, and the first device is any intranet device in the AD domain.
Optionally, the device further comprises a determining module, for extracting, from the traffic within the preset number of consecutive time windows, the flows belonging to the first and second stages of the Kerberos protocol as the traffic to be processed; clustering the traffic to be processed to obtain the cluster center of each class and the number of flows contained in each class; if the distance between the cluster centers is smaller than a preset distance threshold, determining that the traffic within the preset number of consecutive time windows is similar; and if the distance between the cluster centers is not smaller than the preset distance threshold but the obtained classes include a target class, determining that the traffic within the preset number of consecutive time windows is similar; the target class being a class whose number of contained flows exceeds the number of flows contained in every other class by more than a preset threshold.
Optionally, the preset condition further includes:
in each of the preset number of consecutive time windows, the number of flows indicating authentication failure among the authentication traffic sent by the domain controller to the first device is larger than a second preset threshold.
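As an added illustration that is not code from the patent, the traffic-similarity determination described above (the method step and the determining module) can be implemented with a small two-class k-means over per-flow feature vectors; the features (payload length and inter-arrival time), the sample flows and the two thresholds are assumptions made for the example.

```python
import math

# Constructed sample flows: (kerberos_stage, payload_len, inter_arrival_ms).
# Stage 1 = AS exchange, stage 2 = TGS exchange; other stages are dropped by features().
BRUTE_FORCE_FLOWS = [(1, 280 + (k % 3), 20 + (k % 5)) for k in range(40)] + [(3, 900, 400)]
NORMAL_FLOWS = [(1, 300, 20), (2, 1450, 800), (1, 305, 18), (2, 1500, 2600),
                (2, 1380, 120), (1, 298, 3000), (2, 1420, 640), (1, 302, 70)]
MIXED_FLOWS = BRUTE_FORCE_FLOWS + [(2, 1450, 800), (2, 1500, 2600), (1, 298, 3000)]


def features(flows):
    """Keep the first- and second-stage Kerberos flows and map each to a feature vector."""
    return [(float(length), float(gap)) for stage, length, gap in flows if stage in (1, 2)]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, rounds=50):
    """Deterministic 2-means: seeded with the smallest and largest point (lexicographic order).
    Returns (centers, sizes), one entry per class."""
    ordered = sorted(points)
    centers = [ordered[0], ordered[-1]]
    groups = [[], []]
    for _ in range(rounds):
        groups = [[], []]
        for p in points:
            groups[0 if _dist(p, centers[0]) <= _dist(p, centers[1]) else 1].append(p)
        new_centers = [
            tuple(sum(v[d] for v in g) / len(g) for d in range(2)) if g else c
            for g, c in zip(groups, centers)
        ]
        if new_centers == centers:
            break
        centers = new_centers
    return centers, [len(g) for g in groups]


def flows_similar(flows, dist_threshold=50.0, count_threshold=10):
    """Rule 1: cluster centers closer than dist_threshold -> similar.
    Rule 2: otherwise a target class (larger than every other class by more than
    count_threshold flows) -> similar. Anything else -> not similar."""
    pts = features(flows)
    if len(pts) < 2:
        return False
    centers, sizes = kmeans(pts)
    if _dist(centers[0], centers[1]) < dist_threshold:
        return True
    for i, n in enumerate(sizes):
        if all(n - m > count_threshold for j, m in enumerate(sizes) if j != i):
            return True
    return False
```

The brute-force sample triggers rule 1 (near-identical requests collapse into one tight cluster), the mixed sample triggers rule 2 (a dominant class of 41 flows against 2), and the normal sample triggers neither.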
Optionally, the password hash stealing behavior detection module detects password hash stealing behavior from the characteristics of the authentication traffic by:
determining that password hash stealing behavior is detected when a second target flow exists in the authentication traffic; the second target flow being a flow whose highest supported encryption level is lower than a preset encryption level.
Optionally, the preset encryption level is the highest of the encryption levels supported by the authentication traffic between the intranet devices and the domain controller in the AD domain during a preset learning period.
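As an added example that is not the patent's code, the following learns the preset encryption level over a learning period and then flags second target flows, serving both the method step and the detection module described above; the Kerberos etype numbers are standard, but the level ranking, the flow records and the timestamps are assumptions made for the example.

```python
# Kerberos encryption types (etype numbers from RFC 3961 / RFC 4757) ranked from
# weakest (0) to strongest (3). The ranking is an assumption made for this example.
ETYPE_LEVEL = {
    1: 0,   # des-cbc-crc
    3: 0,   # des-cbc-md5
    23: 1,  # rc4-hmac (key derived directly from the NT hash)
    17: 2,  # aes128-cts-hmac-sha1-96
    18: 3,  # aes256-cts-hmac-sha1-96
}


def highest_level(etypes):
    """Highest encryption level among the etypes a flow advertises (unknown etypes ignored)."""
    levels = [ETYPE_LEVEL[e] for e in etypes if e in ETYPE_LEVEL]
    return max(levels) if levels else None


def learn_preset_level(auth_flows, learn_start, learn_end):
    """Preset encryption level: the highest level seen anywhere in the AD domain's
    authentication traffic during the learning period [learn_start, learn_end).
    Each flow is (timestamp_s, src_ip, dst_ip, etypes)."""
    best = None
    for ts, _src, _dst, etypes in auth_flows:
        if learn_start <= ts < learn_end:
            lvl = highest_level(etypes)
            if lvl is not None and (best is None or lvl > best):
                best = lvl
    return best


def detect_hash_stealing(auth_flows, preset_level, learn_end):
    """Return (timestamp, src_ip) for every post-learning flow whose highest supported
    level is below the preset level; a non-empty result means hash stealing is detected."""
    flagged = []
    for ts, src, _dst, etypes in auth_flows:
        if ts < learn_end:
            continue
        lvl = highest_level(etypes)
        if lvl is not None and lvl < preset_level:
            flagged.append((ts, src))
    return flagged


# Constructed sample traffic: hosts that offer AES during the learning period, then a
# flow from 10.0.0.9 that offers nothing stronger than rc4-hmac.
SAMPLE_FLOWS = [
    (10, "10.0.0.5", "10.0.0.1", [18, 17, 23, 24, 3]),
    (20, "10.0.0.7", "10.0.0.1", [18, 17, 23]),
    (30, "10.0.0.5", "10.0.0.1", [17, 23]),       # weaker, but inside the learning period
    (3700, "10.0.0.9", "10.0.0.1", [23]),         # downgraded offer after learning
    (3800, "10.0.0.7", "10.0.0.1", [18, 17, 23]),
]
```

Because the baseline is domain-wide, as the text specifies, a host that legitimately supports only the weaker types would also be flagged; that is the trade-off the learning period is meant to capture.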
Optionally, the process injection behavior detection module detects process injection behavior from the traffic passing through the target port of the domain controller by:
determining that process injection behavior is detected if a third target flow is detected among the flows passing through the target port, where the target port is the port used for remote control of the domain controller and the third target flow is a flow containing remote call operation information.
Optionally, the device further comprises:
a login behavior detection module, for determining, after the process injection behavior detection module has determined that process injection behavior is detected, that the target intranet device performed a login within a preset period after the process injection behavior if, among the traffic generated by the target intranet device in the preset period after the third target flow is detected, there is a flow containing information indicating that the target intranet device performed a login; the target intranet device being the intranet device indicated by the third target flow.
Optionally, the login behavior detection module further determines, after the process injection behavior detection module has determined that process injection behavior is detected, that the target intranet device did not perform a login within the preset period after the process injection behavior if, among the traffic generated by the target intranet device in the preset period after the third target flow is detected, there is no flow containing information indicating that the target intranet device performed a login; the target intranet device being the intranet device indicated by the third target flow.
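As an added example (not the patent's code) serving both the method steps and the login behavior detection module described above, the following treats a DCE/RPC request PDU sent to port 135 as a third target flow, takes its source as the target intranet device, and checks for a Kerberos AS-REQ from that device within the preset period; the DCE/RPC header layout is the protocol's own, while the addresses, opnum, packets and period are constructed.

```python
import struct

TARGET_PORT = 135        # the "target port" of the text
KERBEROS_PORT = 88
DCERPC_REQUEST = 0       # ptype of a connection-oriented request PDU
AS_REQ_TAG = b"\x6a"     # ASN.1 [APPLICATION 10]: a Kerberos AS-REQ, used here as the login indicator


def parse_dcerpc_request(payload):
    """Return the opnum if payload is a DCE/RPC request PDU, else None.
    Header: ver(1) minor(1) ptype(1) flags(1) drep(4) frag_len(2) auth_len(2) call_id(4),
    then for requests alloc_hint(4) p_cont_id(2) opnum(2). drep bit 0x10 = little endian."""
    if len(payload) < 24 or payload[0] != 5 or payload[2] != DCERPC_REQUEST:
        return None
    fmt = "<H" if payload[4] & 0x10 else ">H"
    return struct.unpack(fmt, payload[22:24])[0]


def detect_process_injection(packets):
    """Third target flows as (timestamp, src_ip, opnum): every DCE/RPC request to the target
    port, the opnum being the remote call operation information.
    Each packet is (timestamp_s, src_ip, dst_ip, dst_port, payload)."""
    hits = []
    for ts, src, _dst, dport, payload in packets:
        if dport == TARGET_PORT:
            opnum = parse_dcerpc_request(payload)
            if opnum is not None:
                hits.append((ts, src, opnum))
    return hits


def login_after_injection(packets, injection, period_s):
    """True if the device indicated by the injection flow sends an AS-REQ within period_s
    seconds after that flow, False otherwise (the two outcomes the text distinguishes)."""
    ts0, device, _opnum = injection
    for ts, src, _dst, dport, payload in packets:
        if (src == device and dport == KERBEROS_PORT
                and ts0 < ts <= ts0 + period_s and payload[:1] == AS_REQ_TAG):
            return True
    return False


def build_dcerpc_request(opnum, call_id=1):
    """Minimal little-endian DCE/RPC request PDU (constructed sample data, 24 bytes)."""
    header = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_REQUEST, 0x03,
                         b"\x10\x00\x00\x00", 24, 0, call_id)
    return header + struct.pack("<IHH", 0, 0, opnum)


# Constructed sample capture; opnum 3 is arbitrary and names no real interface operation.
DC, HOST_A, HOST_B = "10.0.0.1", "10.0.0.5", "10.0.0.6"
SAMPLE_PACKETS = [
    (100.0, HOST_A, DC, 135, build_dcerpc_request(opnum=3)),   # remote call into the DC
    (130.0, HOST_A, DC, 88, b"\x6a\x82\x01\x00"),              # AS-REQ from HOST_A 30 s later
    (200.0, HOST_B, DC, 135, b"\x05\x00\x0b\x03\x10\x00\x00\x00" + bytes(64)),  # bind PDU
    (210.0, HOST_B, DC, 445, build_dcerpc_request(opnum=3)),   # request, wrong port
    (900.0, HOST_B, DC, 88, b"\x6a\x82\x01\x00"),
]
```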
The application also provides a computer-readable storage medium comprising a stored program, where the program, when run, performs any one of the methods for detecting account-stealing behavior described above.
The application also provides an apparatus comprising a processor, a memory and a bus, the processor being connected to the memory through the bus;
the memory stores a program and the processor runs it, the program, when run, executing any one of the methods for detecting account-stealing behavior described above.
In the method and device for detecting account-stealing behavior in the AD domain, the password blasting behavior detection, the password hash stealing behavior detection and the process injection behavior detection are designed around the typical behaviors of an attacker stealing accounts, so the three detections provided by the application are highly targeted; the method and device therefore achieve a better detection rate, effectively reducing the miss rate and also the false-positive rate.
Drawings
To illustrate the embodiments of the application or the technical solutions of the prior art more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously the drawings described below show only some embodiments of the application, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a scenario disclosed in an embodiment of the present application;
FIG. 2 is a flowchart of a method for detecting account-stealing behavior according to an embodiment of the present application;
FIG. 3 is a flowchart of a method for detecting password blasting behavior according to an embodiment of the present application;
FIG. 4 is a flowchart of a method for detecting password hash stealing behavior according to an embodiment of the present application;
FIG. 5 is a flowchart of a method for detecting process injection behavior according to an embodiment of the present application;
FIG. 6 is a flowchart of yet another method for detecting account-stealing behavior according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a device for detecting account-stealing behavior according to an embodiment of the present application.
Detailed Description
After an attacker compromises an intranet device in the AD domain, the compromised device becomes a "broiler chicken" (a zombie host), and the attacker can control the zombie host in order to obtain an account with a higher privilege level.
The inventors found during their research that when attackers steal accounts with higher privilege levels by manipulating such zombie hosts, the theft methods generally used can be summarized as follows:
First, password blasting.
Password blasting means brute-forcing the password of the account to be stolen. Specifically, the attacker has the zombie host attempt to log in to the account to be stolen and, within a short time, uses a program that enumerates different character strings and submits them as passwords until the domain controller successfully authenticates one of the submitted credentials. This is the least difficult way to steal an account and the one attackers most readily resort to.
Second, password hash stealing.
A password hash is the string obtained by applying one encryption (which may be a hash computation) to the account password. When the domain controller authenticates the account name and account password during an intranet device's login, the password hash of the account is equivalent in effect to the password of the account. Therefore, in a sense, an attacker who obtains the password hash of the account to be stolen has effectively obtained the password of that account.
Third, process injection.
Process injection means injecting malicious code into the authentication process of the domain controller. The malicious code can disable the domain controller's authentication of the account being logged in, so that the domain controller passes the authentication of that account even when the submitted password is wrong.
The following embodiments of the application detect account-stealing behavior in the AD domain starting from these three behaviors.
Fig. 1 above is the application scenario of the embodiments of the application: communication between an intranet device and the domain controller, and between intranet devices, passes through a core switch. The method or device for detecting account-stealing behavior in the AD domain provided by the embodiments needs to obtain the interaction traffic between the intranet devices and the domain controller from the core switch, so the device that executes the method may be deployed on the core switch. It may also be deployed on another device in the AD domain (including the domain controller or an intranet device), or added to the AD domain as a new physical device connected to the core switch, from which it obtains the interaction traffic between the intranet devices and the domain controller.
The embodiments of the application are described clearly and completely below with reference to the accompanying drawings; obviously the described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by a person skilled in the art from these embodiments without inventive effort fall within the scope of the application.
For the three ways in which an attacker steals an account, the inventors provide a method for detecting account-stealing behavior in an AD domain. Specifically, fig. 2 shows a method for detecting account-stealing behavior according to an embodiment of the application, which may include the following steps:
S201: acquire the authentication traffic between the intranet devices and the domain controller in the AD domain, and the traffic passing through a target port of the domain controller.
Specifically, the authentication traffic between the intranet devices and the domain controller may be acquired once every preset interval. The interval may be set to a small value; its exact value depends on the actual situation and is not limited by this embodiment. When the preset interval is infinitesimally small, the acquisition of this step amounts to real-time acquisition. The intervals between two adjacent acquisitions of the authentication traffic may be the same or different.
In the AD domain, communication between intranet devices and communication between the intranet devices and the domain controller all pass through the core switch, and the communication data passing through the core switch is called interaction traffic. The authentication traffic consists of the flows sent by an intranet device to the domain controller requesting account authentication, and the domain controller's response flows to those requests.
In this embodiment, the interaction traffic may be obtained from the core switch by directing the traffic of the switch's interconnection port to another port and collecting it there. From the acquired interaction traffic, this step then extracts the authentication traffic. In this embodiment the Kerberos protocol is used between the intranet devices and the domain controller, so the authentication traffic is Kerberos traffic, and the flows carrying a preset Kerberos protocol marker may be extracted from the interaction traffic as the authentication traffic.
The traffic passing through the target port of the domain controller (a port distinct from its other ports) may likewise be acquired once every preset interval. The interval may be set to a small value; its exact value depends on the actual situation and is not limited by this embodiment. When the preset interval is infinitesimally small, the acquisition amounts to real-time acquisition. The intervals between two adjacent acquisitions of this traffic may be the same or different.
The target port is a port on the domain controller through which traffic has to be sent when the domain controller is accessed remotely, and the traffic sent to the domain controller through the target port is the traffic used to inject a program into the domain controller. Specifically, the target port may be port 135.
S202: execute at least one of password blasting behavior detection, password hash stealing behavior detection and process injection behavior detection.
Specifically, the password blasting behavior detection detects password blasting behavior from the characteristics of the authentication traffic within a time window; the password hash stealing behavior detection detects password hash stealing behavior from the characteristics of the authentication traffic; and the process injection behavior detection detects process injection behavior from the traffic passing through the target port of the domain controller.
As the detection flow of fig. 2 shows, the method of this embodiment detects the typical account-stealing behaviors identified above and is therefore highly targeted, giving a better detection rate and effectively reducing the miss rate; the false-positive rate is effectively reduced as well.
In this embodiment, S201 and S202 may be implemented by one process: after the process executes S201 once, it executes S202 on the authentication traffic and target-port traffic acquired in that execution of S201. Alternatively, S201 and S202 may be two separate processes executed in parallel, one implementing S201 and the other implementing S202. In the latter case a probe plus perception platform architecture may be used, where the probe is an intranet device that implements S201 and the perception platform implements S202. The probe plus perception platform approach is easy to implement and compatible with existing systems.
The three detections shown in fig. 2 are described in detail below.
Fig. 3 is a method for detecting the password blasting behavior shown in fig. 1, which includes the following steps:
in practice, there are typically multiple intranet devices in the AD domain. In this embodiment, taking any one intranet device as an example, a process of detecting whether the intranet device has a password blasting behavior is described, and for convenience of description, the intranet device is referred to as a first device. Specifically, the process of detecting whether the first device has the password blasting behavior may include S301 to S311:
s301, acquiring authentication flow sent by a first device to a domain control device in an ith time window, and obtaining a first target flow of the first device in the ith time window.
In this embodiment, the duration of the time window may be set according to the actual situation, and the duration of the time window is not limited in this embodiment. In the present embodiment, i is a variable representing the number of the time window, and the initial value of i is 1. In this embodiment, each time window includes a start time and an end time, where, in order to improve detection efficiency and further reduce missed detection, the end time of the i-th time window may be set to be the start time of the i+1th time window.
Specifically, the method for acquiring the first target traffic of the first device in the i-th time window includes: acquiring the authentication traffic that falls within the i-th time window, whose source address is the IP address of the first device and whose destination address is the IP address of the domain control device.
S302, judging whether the number of the first target flows of the first device in the ith time window is larger than a preset first threshold value, if so, executing S303, and if not, executing S310.
S303, acquire, among the authentication traffic sent by the domain control device to the first device in the i-th time window, the number of authentication traffic that fails authentication.
In this embodiment, the authentication traffic in the i-th time window includes: the first target traffic sent by the first device to the domain control device in the i-th time window, and the authentication traffic sent by the domain control device to the first device in the i-th time window. The authentication traffic sent by the domain control device to the first device is the response of the domain control device to the first target traffic sent by the first device; the response result is either authentication success or authentication failure. Authentication traffic whose response result is authentication failure is the authentication traffic that fails authentication, and authentication traffic whose response result is authentication success is the authentication traffic that succeeds authentication.
Specifically, the method for obtaining the authentication traffic that fails authentication in the i-th time window includes: acquiring the authentication traffic that falls within the i-th time window, whose source address is the IP address of the domain control device, whose destination address is the IP address of the first device, and which carries information indicating authentication failure.
In this embodiment, in order to improve the accuracy of the detection result, the number of failed authentication traffic determined in this step is used as a further judgment condition for detecting whether the first device has password explosion behavior; the judgment process is S304 below.
S304, judge whether the number of authentication traffic failing authentication is greater than a preset second threshold; if so, execute S305, and if not, execute S310.
S305, adding 1 to the current value of the number of time windows of the first device.
In this embodiment, the number of time windows is a variable whose initial value is 0, and each intranet device has its own number-of-time-windows variable. In this step, 1 is added to the current value of the number of time windows of the first device, and the result is taken as the new current value of the number of time windows of the first device.
S306, judging whether the current value of the time window number of the first device is not larger than a preset number threshold, if yes, executing S307, and if not, executing S308.
In this embodiment, the number of time windows of the first device is increased (S305) only when the judgments in S302 and S304 are both yes, so when the current value of the number of time windows of the first device is not less than the preset number threshold, the first device may have password blasting behavior. Therefore, this step judges whether the current value of the number of time windows of the first device is not greater than the preset number threshold. If it is not greater than the preset number threshold, S307 is executed; otherwise S308 is executed to further determine whether the first device has password blasting behavior.
S307, update the time window number by i=i+1.
In this step, 1 is added to the number of the time window, and the result is taken as the current value of the time window number.
In this embodiment, the end time of the i-th time window before the update of this step is the same as the start time of the i-th time window after the update of this step.
After the execution of this step, the process returns to S301.
The start time of the updated i-th time window is thus obtained, and its end time follows from the time window duration set in this embodiment. Returning to S301 therefore yields the first target traffic of the first device in the updated i-th time window.
S308, judging whether authentication traffic between the first device and the domain control device is similar in the time window sequence of the first device, if so, executing S309, and if not, executing S311.
In this step, the time window sequence of the first device refers to a preset number of sequentially consecutive time windows including the current time window. In the time window sequence of the first device, the authentication traffic between the first device and the domain control device includes: the first target traffic sent by the first device to the domain control device in that sequence, and the authentication traffic sent by the domain control device to the first device in that sequence.
Specifically, the method for determining the similarity between the authentication traffic between the first device and the domain control device in the time window sequence of the first device may include:
Extract the authentication traffic belonging to the first stage and the second stage of the Kerberos protocol from the authentication traffic between the first device and the domain control device in the time window sequence of the first device, and take the extracted traffic as the traffic to be processed. Cluster the traffic to be processed to obtain the cluster center of each class and the number of authentication traffic contained in each class. In practice, the traffic to be processed generally falls into two classes.
If the distance between the obtained clustering centers is smaller than a preset distance threshold, determining that authentication traffic between the first device and the domain control device in the time window sequence of the first device is similar.
If the distance between the cluster centers is not smaller than the preset distance threshold but a target class exists among the obtained classes, it is also determined that the authentication traffic between the first device and the domain control device in the time window sequence of the first device is similar. The target class is a class whose number of contained traffic exceeds the number of traffic contained in any other class by more than a preset threshold; this preset threshold can be determined according to practical situations and generally takes a large value, that is, the number of traffic in the target class is far greater than in any other class. The value of this preset threshold is not limited in this embodiment.
S309, determining that the first device has password blasting behavior.
Optionally, information indicating that the first device has password blasting behavior may be output.
After the present step is performed, S310 is performed again.
S310, updating the current value of the time window number of the first device to 0.
After the execution of this step, the process returns to S307.
S311, subtracting 1 from the current value of the time window number of the first device.
Assume that the preset number threshold of the present embodiment is 5, and that in the first, second, …, and fifth time windows the number of first target traffic in each time window is greater than the first preset threshold, the number of authentication traffic failing authentication is greater than the second preset threshold, and the authentication traffic between the first device and the domain control device in these 5 time windows is similar. Further, the number of first target traffic of the first device in the sixth time window is greater than the first preset threshold, the number of authentication traffic failing authentication in the sixth time window is greater than the second preset threshold, and the authentication traffic between the first device and the domain control device in the second, third, …, and sixth time windows is similar; at this point it may be determined that the first device has password blasting behavior.
Therefore, in order to avoid missing the password explosion behavior of the first device, that is, to improve the accuracy of detecting the password explosion behavior of the first device, in this embodiment this step is executed when the current value of the number of time windows of the first device is not less than the preset number threshold and the authentication traffic between the first device and the domain control device in the time window sequence of the first device is dissimilar. After this step is performed, S307 is performed.
The above S301 to S311 describe, taking any one intranet device as an example, the process of detecting whether that intranet device has password blasting behavior; in practice, each intranet device in the AD domain may be detected according to this process.
From this embodiment it can be seen that the intranet device is determined to have password blasting behavior when the authentication traffic between the first device and the domain control device satisfies the following preset conditions: in each of a preset number of consecutive time windows, the number of first target traffic is greater than the first preset threshold; the traffic in the preset number of consecutive time windows is similar; and in each of the preset number of consecutive time windows, the number of authentication traffic indicating authentication failure among the authentication traffic sent by the domain control device to the first device is greater than the second preset threshold.
It should be noted that, in practice, the condition that in each of the preset number of consecutive time windows the number of authentication traffic indicating authentication failure among the authentication traffic sent by the domain control device to the first device is greater than the second preset threshold is optional. When the preset conditions include this optional condition, the accuracy of determining that the first device has password blasting behavior is higher.
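As an added illustration of S301 to S311 (this is example code, not code from the patent or from Sangfor), the following Python sketch keeps a per-device time-window counter over constructed Kerberos-like flow records and applies the S302/S304 thresholds, the S305 increment, the S306 comparison, the S310 reset and the S311 decrement. The similarity judgment of S308 is replaced by a simplified stand-in of this example, which groups the stage 1/2 requests of the time window sequence by a signature tuple and looks for a dominant group (the description's "target class") instead of running a real clustering; the IP addresses, thresholds, signature fields and sample windows are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

DC_IP = "10.0.0.1"  # constructed address of the domain control device


@dataclass
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    stage: str    # "AS" (Kerberos stage 1), "TGS" (stage 2) or "REP" (reply from the DC)
    failed: bool  # True when a DC reply carries an authentication-failure result
    sig: tuple    # constructed feature tuple standing in for the clustering feature vector


@dataclass
class DeviceState:
    window_count: int = 0                        # "number of time windows", initial value 0
    history: list = field(default_factory=list)  # flows of the most recent time windows


def requests_similar(windows, dominance):
    """Simplified stand-in for the clustering judgment of S308 (an assumption of this
    example): group the stage 1/2 requests of the time window sequence by signature and
    call the traffic similar when one group outnumbers every other group by more than
    `dominance` (the description's 'target class'). A single group plays the role of
    cluster centres that coincide."""
    counts = Counter(f.sig for window in windows for f in window
                     if f.dst == DC_IP and f.stage in ("AS", "TGS"))
    if not counts:
        return False
    ordered = sorted(counts.values(), reverse=True)
    if len(ordered) == 1:
        return True
    return ordered[0] - ordered[1] > dominance


class BlastingDetector:
    def __init__(self, first_threshold, second_threshold, number_threshold, dominance=5):
        self.t1 = first_threshold      # S302: requests per window
        self.t2 = second_threshold     # S304: failed replies per window
        self.n = number_threshold      # S306: preset number threshold
        self.dominance = dominance
        self.states = {}               # one DeviceState per intranet device

    def process_window(self, device_ip, flows):
        """Run S301-S311 for one time window of one device; True means blasting detected."""
        st = self.states.setdefault(device_ip, DeviceState())
        # keep the time window sequence: the last n windows including the current one
        st.history = (st.history + [flows])[-self.n:]
        requests = [f for f in flows if f.src == device_ip and f.dst == DC_IP]               # S301
        failures = [f for f in flows if f.src == DC_IP and f.dst == device_ip and f.failed]  # S303
        if len(requests) <= self.t1 or len(failures) <= self.t2:   # S302 / S304 answered "no"
            st.window_count = 0                                    # S310
            return False                                           # S307: next window
        st.window_count += 1                                       # S305
        if st.window_count <= self.n:                              # S306 answered "yes"
            return False                                           # S307: next window
        if requests_similar(st.history, self.dominance):           # S308
            st.window_count = 0                                    # S309, then S310
            return True
        st.window_count -= 1                                       # S311
        return False


def make_window(device_ip, n_requests, n_failures, vary_sig=False):
    """Constructed sample window: n_requests AS requests from device_ip to the DC and
    n_failures failure replies back. vary_sig=True gives every request a different signature."""
    requests = [Flow(device_ip, DC_IP, "AS", False, ("AS", "rc4", i if vary_sig else 0))
                for i in range(n_requests)]
    replies = [Flow(DC_IP, device_ip, "REP", True, ("REP", "KDC_ERR_PREAUTH_FAILED"))
               for _ in range(n_failures)]
    return requests + replies


def demo(vary_sig=False):
    """Feed four busy windows for one device with n=3; returns the per-window verdicts."""
    det = BlastingDetector(first_threshold=10, second_threshold=5, number_threshold=3)
    return [det.process_window("10.0.0.50", make_window("10.0.0.50", 20, 15, vary_sig))
            for _ in range(4)]


if __name__ == "__main__":
    print(demo())                # [False, False, False, True]
    print(demo(vary_sig=True))   # [False, False, False, False]
```

With a number threshold of 3, the first three busy windows only raise the counter; the fourth pushes it past the threshold and triggers the similarity judgment over windows two to four, which is the same shape as the 5-window walkthrough above. When the requests are dissimilar, the counter is decremented rather than reset (S311), so the device stays one busy window away from the judgment instead of starting over.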
The embodiment has the following beneficial effects:
First, in this embodiment, when in a time window sequence of the first device, that is, in a preset number of sequentially consecutive time windows, the number of first target traffic in each time window is greater than the first preset threshold, the number of authentication traffic failing authentication in each time window is greater than the second preset threshold, and the authentication traffic between the first device and the domain control device in those time windows is similar, it is determined that the first device has password blasting behavior. The conditions required for determining that the first device has password explosion behavior are derived from the characteristics of password explosion as used by a hacker, so the accuracy of the detection result of this embodiment is improved.
Second, in this embodiment, even after detecting that the first device has password explosion behavior, password explosion behavior detection continues to be performed on the authentication traffic between the first device and the domain control device in subsequent time windows. The password explosion behavior detection provided by this embodiment is therefore a real-time detection process and has higher timeliness.
Fig. 4 is a method for detecting password hash stealing behavior, which is provided by the embodiment of the application, and includes the following steps:
S401, determine that the highest encryption level supported by the authentication traffic between the intranet devices and the domain control device in the AD domain during a preset learning period is the preset encryption level.
In this embodiment, the starting time and the ending time of the preset learning period, and the duration between the starting time and the ending time may be determined according to the actual requirement. Specifically, the duration of the learning period may be one week, and of course, may also be other values, and the duration of the learning period is not limited in this embodiment.
In this step, an authentication flow between the intranet device and the domain control device has an encryption level field whose value includes an encryption level list. The encryption level list consists of a plurality of encryption modes, each with a preset level. The value of the encryption level field further includes information on whether each encryption mode in the list is supported between the intranet device and the domain control device (typically each encryption mode corresponds to a value in the field list, 1 indicating that the traffic supports the mode and 0 indicating that it does not). Therefore, the encryption levels supported between the intranet device and the domain control device, as indicated by the authentication traffic, can be determined from the value of the encryption level field (generally, the encryption modes are arranged in the list from high level to low level).
In this step, the highest encryption level among the encryption modes supported by the authentication traffic between the intranet devices and the domain control device in the AD domain during the preset learning period is taken as the preset encryption level.
It should be noted that S401 in this embodiment shows a manner of determining the preset encryption level, and in practice, the preset encryption level may be manually set in addition to the determination of the preset encryption level by the manner of S401.
S402, under the condition that a second target flow exists in authentication flow generated after a preset learning time period, determining that password hash stealing behavior exists in intranet equipment indicated by the second target flow.
In this step, the second target traffic is authentication traffic indicating an encryption level lower than the preset encryption level. In this step, for each authentication flow generated after the preset learning period, it is determined whether it is the second target traffic.
Specifically, for any one authentication flow generated after a preset learning period, the process of determining whether the authentication flow is the second target flow includes:
a1, determining the highest encryption level supported by the authentication flow.
There is a field representing the encryption level in each authentication traffic, and in this step, the highest encryption level supported by the authentication traffic can be determined by the value of the field representing the encryption level.
A2, judging whether the highest encryption level supported by the authentication flow is lower than a preset encryption level, if not, executing A3, and if so, executing A4.
In this step, the authentication traffic with the highest encryption level supported lower than the preset encryption level is taken as the target authentication traffic.
A3, determining that the authentication flow is not the second target flow.
A4, determining the authentication flow as a second target flow.
Optionally, information indicating that the intranet device indicated by the second target flow has password hash stealing behavior may be output.
It should be noted that, under the condition of manually setting the preset encryption level, the password hash stealing behavior detection can be performed on each authentication flow between the intranet device and the domain control device, and the password hash stealing behavior detection is not limited to the authentication flow generated after the preset learning time period.
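As an added example of S401, S402 and A1 to A4 (example code, not the patent's or Sangfor's own), the following Python sketch learns the preset encryption level from a constructed learning period and then flags later authentication flows whose highest supported mode is lower. The encryption level field is modelled as a tuple of 1/0 flags aligned with a list of encryption modes ordered from high to low; the mode names are Kerberos encryption type names, but the ordering, the flag layout and all IP addresses are assumptions of this example rather than details from the description.

```python
from dataclasses import dataclass

# Encryption level list ordered from the highest level to the lowest, as the description
# says such lists generally are. The concrete ranking below is an assumption of this example.
ENC_LEVELS = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "rc4-hmac", "des-cbc-md5"]


@dataclass
class AuthFlow:
    src: str          # intranet device IP (constructed)
    supported: tuple  # encryption level field: 1/0 flags aligned with ENC_LEVELS


def highest_level(flow):
    """A1: index of the highest supported encryption mode (0 = highest); None if none set."""
    for idx, flag in enumerate(flow.supported):
        if flag == 1:
            return idx
    return None


def learn_preset_level(learning_flows):
    """S401: the highest level seen anywhere in the learning period becomes the preset level."""
    levels = [lvl for lvl in (highest_level(f) for f in learning_flows) if lvl is not None]
    return min(levels) if levels else None


def is_second_target(flow, preset_level):
    """A2-A4: the flow is second target traffic when its highest supported level is lower
    (a larger index) than the preset level."""
    lvl = highest_level(flow)
    return lvl is not None and lvl > preset_level


def detect_hash_stealing(flows, preset_level):
    """S402: intranet devices indicated by second target traffic, deduplicated and sorted.
    preset_level may come from learn_preset_level() or be set manually."""
    return sorted({f.src for f in flows if is_second_target(f, preset_level)})


# Constructed learning-period traffic: both devices support AES, one also still offers RC4.
LEARNING_FLOWS = [
    AuthFlow("10.0.0.50", (1, 1, 1, 0)),
    AuthFlow("10.0.0.51", (0, 1, 1, 0)),
]

# Constructed later traffic: one unchanged device, one offering RC4 at best, one DES only.
LATER_FLOWS = [
    AuthFlow("10.0.0.50", (1, 1, 1, 0)),
    AuthFlow("10.0.0.52", (0, 0, 1, 0)),
    AuthFlow("10.0.0.53", (0, 0, 0, 1)),
]

if __name__ == "__main__":
    preset = learn_preset_level(LEARNING_FLOWS)
    print("preset encryption level:", ENC_LEVELS[preset])
    print("devices with password hash stealing behavior:", detect_hash_stealing(LATER_FLOWS, preset))
```

Note that the preset level is the best level seen across the whole domain during learning, not per device, which is why 10.0.0.52 is flagged even though no earlier flow from that address exists. Passing a manually chosen index as `preset_level` corresponds to the manual-setting variant mentioned above, in which case the learning period can be skipped.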
The embodiment has the following beneficial effects:
First, the method for detecting password hash stealing behavior provided by this embodiment essentially detects authentication traffic whose highest supported encryption level is lower than the preset encryption level. The method is thus more specific to the password hash stealing mode adopted by a hacker, and the accuracy of the method for detecting password hash stealing behavior provided by this embodiment is therefore higher.
Second, in this embodiment, after the preset encryption level is determined, each authentication flow is judged as to whether it is the second target traffic, so whether password hash stealing behavior exists in the AD domain is detected with higher timeliness.
Fig. 5 is a method for detecting process injection behavior according to an embodiment of the present application, including the following steps:
S501, judge whether each flow passing through the target port of the domain control device is the third target traffic; if so, execute S502, and if not, execute S501 again.
In this step, the third target traffic is traffic in which information indicating a target operation is present. The target operation is the operation of injecting a preset code into an authentication process, where the authentication process is the process by which the domain control device authenticates the intranet device. The preset code causes the domain control device to bypass authentication of the intranet device, so that the domain control device passes the authentication even if the account password entered by the intranet device is wrong.
In this step, the target operation may be a net_rpclogon operation. Here, net_rpclogon is a procedure by which the service registers all srv resource records for the domain controller.
In this step, each flow passing through the target port of the domain control device needs to be judged. Specifically, the method for judging whether any one flow is the third target traffic includes: determining whether information indicating the target operation exists in that flow. If any one flow is determined to be the third target traffic, S502 is executed; otherwise, the next flow not yet judged is identified by its generation timestamp and judged in turn.
S502, determining that the process injection behavior exists in the target intranet equipment.
In this step, the target intranet device is the intranet device indicated by the third target flow.
Optionally, information indicating that the target intranet device has a process injection behavior may also be output.
S503, judge whether, among the traffic generated in a preset time period after the third target traffic is detected, there is traffic containing information indicating that the target intranet device has login behavior; if so, execute S504, and if not, execute S505.
After the preset code is injected into the authentication process of the domain control device, a hacker can log in to the higher-privilege account that is to be stolen; the domain control device then passes the authentication of the account entered by the hacker, so the hacker logs in to the higher-privilege account successfully and can access the resources corresponding to that account in the AD domain. Of course, a hacker may also not log in to a higher-privilege account after injecting the preset code into the authentication process of the domain control device.
Therefore, in this step, it is judged whether, among the traffic generated in the preset time period after the third target traffic is detected, there is traffic containing information indicating that the target intranet device has login behavior. The duration of the preset time period in this step may be set according to actual requirements, for example 5 minutes; this embodiment does not limit the duration of the preset time period.
S504, determining that the target intranet equipment has login behaviors in a preset time period after the process injection behaviors.
Optionally, information indicating that the target intranet device has login behavior in the preset time period after the process injection behavior can be output. For example, the output may be presented by voice or by text.
S505, determining that the target intranet equipment does not have login behavior in a preset time period after the process injection behavior.
Optionally, information indicating that the target intranet device does not have login behavior in the preset time period after the process injection behavior can be output. For example, the output may be presented by voice or by text.
S503-S505 are optional steps and may not be performed.
As can be seen from S503-S505: if, among the traffic generated in the preset time period after the third target traffic is detected, there is traffic containing information indicating that the target intranet device has login behavior, it is determined that the target intranet device has login behavior in the preset time period after the process injection behavior, where the target intranet device is the intranet device indicated by the third target traffic.
If, among the traffic generated in the preset time period after the third target traffic is detected, there is no traffic containing information indicating that the target intranet device has login behavior, it is determined that the target intranet device does not have login behavior in the preset time period after the process injection behavior, where the target intranet device is the intranet device indicated by the third target traffic.
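As an added example of S501 to S505 (example code, not the patent's or Sangfor's own), the following Python sketch scans constructed flow records in timestamp order, treats a flow through the target port that carries the target operation name as third target traffic, and then checks whether the same intranet device produced a login within the preset period. The target port number, the timestamp scale and the sample flows are assumptions of this example; the operation name is the one the description gives, and the 5-minute period is the example duration from the text.

```python
from dataclasses import dataclass

TARGET_PORT = 135                  # assumed value for the domain control device's "target port"
TARGET_OPERATION = "net_rpclogon"  # target operation name as given in the description
PRESET_PERIOD_S = 300              # the 5-minute example duration, in seconds


@dataclass
class PortFlow:
    ts: int          # generation timestamp of the flow, in seconds (constructed scale)
    src: str         # intranet device that sent the flow
    dst_port: int    # destination port on the domain control device
    operation: str   # operation name decoded from the flow, "" if none
    login: bool      # True when the flow carries information indicating a login


def is_third_target(flow):
    """S501: a flow through the target port that carries the target operation."""
    return flow.dst_port == TARGET_PORT and flow.operation == TARGET_OPERATION


def detect_process_injection(flows):
    """S501-S505 over a batch of flows. Returns (device_ip, injection_ts, login_followed)
    for every third target flow; login_followed is the verdict of S503 (S504 when True,
    S505 when False)."""
    findings = []
    for f in sorted(flows, key=lambda x: x.ts):
        if not is_third_target(f):
            continue                                     # S501 "no": next undetected flow
        device = f.src                                   # S502: the target intranet device
        login_followed = any(                            # S503: login within the preset period
            g.login and g.src == device and f.ts < g.ts <= f.ts + PRESET_PERIOD_S
            for g in flows)
        findings.append((device, f.ts, login_followed))  # S504 / S505
    return findings


# Constructed sample traffic: one ordinary flow, one injection followed by a login 90 s
# later, and one injection whose only later login falls outside the 5-minute period.
SAMPLE_FLOWS = [
    PortFlow(0, "10.0.0.50", TARGET_PORT, "", False),
    PortFlow(10, "10.0.0.60", TARGET_PORT, TARGET_OPERATION, False),
    PortFlow(100, "10.0.0.60", 88, "", True),
    PortFlow(500, "10.0.0.70", TARGET_PORT, TARGET_OPERATION, False),
    PortFlow(1200, "10.0.0.70", 88, "", True),
]

if __name__ == "__main__":
    for device, ts, followed in detect_process_injection(SAMPLE_FLOWS):
        print(f"{device}: process injection at t={ts}s, login within 5 min: {followed}")
```

The login check is keyed on the device that sent the third target traffic, matching the description's definition of the target intranet device; a login from a different address within the period is not attributed to the injection.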
The embodiment has the following beneficial effects:
First, the essence of the method for detecting process injection behavior provided in this embodiment is to detect whether the traffic passing through the target port of the domain control device is traffic that injects the preset code into the authentication process. This matches the way a hacker steals an account by process injection, so the method is more specific to the process injection adopted by the hacker, and the accuracy of the method for detecting process injection behavior provided in this embodiment is therefore higher.
Second, in this embodiment, each flow passing through the target port of the domain control device is judged as to whether it is the third target traffic, and if not, the flows not yet judged continue to be judged; the judgment of whether traffic passing through the target port is the third target traffic is therefore a real-time process, and the detection of whether process injection behavior exists in the AD domain has higher timeliness.
The above-described password explosion behavior detection method, password hash stealing behavior detection method, and process injection behavior detection method, which are described in the embodiments corresponding to fig. 3 to fig. 5, respectively, may be executed in parallel. In this case, the detection accuracy is highest.
In practice, however, in order to save resources, when performing account stealing behavior detection on the intranet device, the password blasting behavior detection method, the password hash stealing behavior detection method, and the process injection behavior detection method may be sequentially executed. Referring to fig. 6, for another method for detecting account stealing behavior according to an embodiment of the application, taking an intranet device (referred to as a target device for convenience of description) as an example, the implementation process of the embodiment is described, and specifically includes the following steps:
S601, acquiring authentication traffic sent by the target device to the domain control device in the ith time window, acquiring first target traffic of the target device in the ith time window, and acquiring the number of authentication traffic which is failed in authentication and sent by the domain control device to the target device in the ith time window.
For the specific implementation of acquiring the authentication traffic sent by the target device to the domain control device in the i-th time window and obtaining the first target traffic of the target device in the i-th time window, reference may be made to S301 in the embodiment corresponding to fig. 3. For the specific implementation of obtaining the number of authentication traffic sent by the domain control device to the target device in the i-th time window that fails authentication, reference may be made to S303 in the embodiment corresponding to fig. 3, which is not repeated here.
S602, judging whether the number of the first target flows of the target device in the ith time window is larger than a preset first threshold value, and whether the number of the flows which are failed to be authenticated in the ith time window is larger than a preset second threshold value, if so, executing S603, and if not, executing S608.
In this step, in a specific implementation process of determining whether the number of the first target flows of the target device in the ith time window is greater than the preset first threshold, reference may be made to S302 in the embodiment corresponding to fig. 3. The specific implementation process of determining whether the number of the traffic failed in the authentication in the ith time window is greater than the preset second threshold may refer to S304 in the embodiment corresponding to fig. 3, which is not described herein again.
S603, adding 1 to the current value of the time window number of the target device.
The specific implementation process of this step may refer to S305 in the embodiment corresponding to fig. 3, which is not described herein.
S604, judging whether the current value of the time window number of the target device is not larger than a preset number threshold, if so, executing S605, and if not, executing S606.
The specific implementation process of this step may refer to S306 in the embodiment corresponding to fig. 3, which is not described herein.
S605, update the time window number by i=i+1.
For the specific implementation procedure of this step, reference may be made to S307 in the embodiment corresponding to fig. 3, which is not described herein again.
After the execution of this step, the process returns to S601.
S606, judge whether, in a first time window sequence of the target device, the authentication traffic between the target device and the domain control device is similar; if so, execute S607, and if not, execute S609.
In this step, the first time window sequence refers to a preset number of time windows that are consecutive in order including the current time window. For a specific implementation process, reference may be made to S308 in the corresponding embodiment of fig. 3, which is not described herein.
S607, determining that the target device has password blasting behavior, and updating the current value of the time window number of the target device to 0.
Optionally, information indicating that the target device has password blasting behavior may also be output.
After the present step is performed, S605 is performed.
S608, performing password hash stealing behavior detection on each authentication flow between the target device and the domain control device in a second time window sequence of the target device, and updating the current value of the time window number of the target device to 0.
In this step, the second time window sequence refers to a sequentially consecutive target number of time windows including the current time window, where the target number is the current value of the time window number of the target device plus 1.
In the step, the password hash stealing behavior is detected for each authentication flow between the target device and the domain control device in the second time window sequence. Specifically, the process of performing the password hash stealing behavior detection on any one authentication flow comprises the following steps: judging whether the encryption level of the authentication flow is lower than a preset encryption level, if so, determining that the intranet equipment indicated by the authentication flow has password hash stealing behavior, and optionally, outputting information indicating that the intranet equipment indicated by the authentication flow has password hash stealing behavior.
S609, in the first time window sequence of the target device, each authentication flow between the target device and the domain control device is subjected to password hash stealing behavior detection, and the current value of the time window number of the target device is reduced by 1.
Specifically, the process of detecting password hash stealing behavior for each authentication flow in the preset number of time windows is the same as in S608 and is not repeated here.
After the present step is performed, S610 is performed.
S610, judging whether the target device has password hash stealing behavior, if so, executing S605, and if not, executing S611.
S611, detecting process injection behavior of each flow passing through a target port of the domain control device.
Specifically, if the step is executed through S608, in the step, process injection behavior detection is performed for each flow passing through the target port of the domain control device in the second time window sequence. If the step is performed in S609, in the step, process injection behavior detection is performed for each flow passing through the target port of the domain control device in the first time window sequence.
Specifically, the process of performing process injection behavior detection on any one flow may refer to the process of determining whether any one flow is the third target flow in S501 in the embodiment corresponding to fig. 5, which is not described herein.
After the present step is performed, S605 is performed.
In this embodiment, the three detection methods have the following priorities from high to low: password explosion behavior detection, password hash stealing behavior detection, and process injection behavior detection. That is, when the number of first target traffic of the target device in one time window is not greater than the preset first threshold or the number of authentication traffic of the target device failing authentication is not greater than the preset second threshold, or when the current value of the number of time windows of the target device is not less than the preset number threshold and the authentication traffic in the preset number of time windows is dissimilar, the target device is indicated to have no password explosion behavior. In this case, password hash stealing behavior detection is performed on the target device; if password hash stealing behavior of the target device is detected, process injection behavior detection need not be performed on the target device, and if password hash stealing behavior is not detected, process injection behavior detection is performed on the target device.
Therefore, compared with parallel password explosion behavior detection, password hash stealing behavior detection and process injection behavior detection for the target device, the embodiment can determine that the account stealing behavior exists for the target device under the condition that one or two of the three detection methods are executed for the target device, and at the moment, the unexecuted detection method is not needed to be executed, so that the embodiment saves more calculation resources.
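As an added illustration of the priority ordering described above (this is not code from the patent), the following Python runs the three checks over constructed flow records and stops at the first one that fires; the record fields, the thresholds, the window length and the ranking of Kerberos encryption types are all assumptions.

```python
from dataclasses import dataclass
# Assumed ordering of Kerberos encryption types, weakest (0) to strongest (3).
ETYPE_RANK = {"des-cbc-md5": 0, "rc4-hmac": 1, "aes128-cts": 2, "aes256-cts": 3}

@dataclass
class Flow:
    src: str                  # sending host
    dst: str                  # receiving host; "dc" is the domain control device
    kind: str                 # "auth_req", "auth_resp", "remote" or "login"
    t: float                  # timestamp in seconds
    failed: bool = False      # auth_resp: the domain control device rejected the request
    max_etype: str = ""       # auth_req: strongest encryption type the client offers
    rpc_call: bool = False    # remote: the flow carries remote-call operation information

@dataclass
class Thresholds:
    window: float = 60.0         # length of one time window (seconds)
    n_windows: int = 3           # preset number of consecutive windows
    first_thr: int = 20          # first preset threshold: first target flows per window
    second_thr: int = 10         # second preset threshold: failed authentications per window
    login_period: float = 300.0  # preset period after a third target flow to look for a login

def windows(flows, start, thr):
    """Yield the flows falling in each of thr.n_windows consecutive windows from `start`."""
    for i in range(thr.n_windows):
        lo, hi = start + i * thr.window, start + (i + 1) * thr.window
        yield [f for f in flows if lo <= f.t < hi]

def brute_force_detected(flows, device, start, thr, similar):
    """Preset condition: every window exceeds both thresholds and the windows are similar."""
    for win in windows(flows, start, thr):
        reqs = sum(1 for f in win if f.src == device and f.dst == "dc" and f.kind == "auth_req")
        fails = sum(1 for f in win if f.src == "dc" and f.dst == device and f.kind == "auth_resp" and f.failed)
        if reqs <= thr.first_thr or fails <= thr.second_thr:
            return False
    return similar

def learn_encryption_level(learning_flows):
    """Preset encryption level: the strongest type seen in requests during the learning period."""
    return max((ETYPE_RANK[f.max_etype] for f in learning_flows if f.kind == "auth_req"), default=0)

def hash_stealing_detected(flows, device, preset_level):
    """Second target flow: a request whose strongest offered type is below the preset level."""
    return any(f.src == device and f.kind == "auth_req" and ETYPE_RANK[f.max_etype] < preset_level
               for f in flows)

def process_injection_detected(flows, device, thr):
    """Third target flow: remote-port traffic carrying remote-call info; also report a follow-up login."""
    for f in flows:
        if f.src == device and f.dst == "dc" and f.kind == "remote" and f.rpc_call:
            login = any(g.src == device and g.kind == "login" and f.t < g.t <= f.t + thr.login_period
                        for g in flows)
            return True, login
    return False, False

def detect(flows, device, start, thr, preset_level, similar=True):
    """Run the three checks in priority order and stop at the first one that fires."""
    if brute_force_detected(flows, device, start, thr, similar):
        return "password_brute_force"
    if hash_stealing_detected(flows, device, preset_level):
        return "password_hash_stealing"
    hit, login = process_injection_detected(flows, device, thr)
    if hit:
        return "process_injection_with_login" if login else "process_injection"
    return None

def sample_flows():
    """Constructed traffic: A floods the DC with failing requests in three windows, B offers only
    rc4-hmac although aes256 was learned, and C issues a remote call and then logs in."""
    flows = []
    for w in range(3):
        for i in range(25):
            t = w * 60.0 + i * 2.0
            flows.append(Flow("A", "dc", "auth_req", t, max_etype="aes256-cts"))
            flows.append(Flow("dc", "A", "auth_resp", t + 0.1, failed=True))
    flows.append(Flow("B", "dc", "auth_req", 10.0, max_etype="rc4-hmac"))
    flows.append(Flow("C", "dc", "remote", 20.0, rpc_call=True))
    flows.append(Flow("C", "dc", "login", 80.0))
    return flows
```

With `similar=False` the brute-force check for host A fails and, because A offers the learned encryption level and issues no remote call, `detect` returns `None`, which is the early-exit path the text describes.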
Fig. 7 shows a device for detecting account stealing behavior according to an embodiment of the application. It includes an acquisition module 701 and at least one of a password brute-force behavior detection module 702, a password hash stealing behavior detection module 703 and a process injection behavior detection module 704.
The acquisition module 701 is configured to acquire the authentication traffic between the intranet devices and the domain control device in the AD domain, and the traffic passing through the target port of the domain control device. The password brute-force behavior detection module 702 is configured to detect password brute-force behavior according to the characteristics of the authentication traffic within a time window. The password hash stealing behavior detection module 703 is configured to detect password hash stealing behavior according to the characteristics of the authentication traffic. The process injection behavior detection module 704 is configured to detect process injection behavior according to the traffic passing through the target port of the domain control device.
Optionally, the password brute-force behavior detection module 702 detects password brute-force behavior according to the characteristics of the authentication traffic within a time window as follows:
the module 702 is specifically configured to determine that password brute-force behavior is detected if a preset condition is satisfied, where the preset condition includes: in each of a preset number of consecutive time windows, the number of first target flows is greater than a first preset threshold, and the traffic in the preset number of consecutive time windows is similar; the first target flows are the flows in the authentication traffic sent by a first device to the domain control device, and the first device is any intranet device in the AD domain.
Optionally, the device further includes a determining module 705, configured to: extract, from the traffic in the preset number of consecutive time windows, the traffic belonging to the first and second stages of the Kerberos protocol as the traffic to be processed; cluster the traffic to be processed to obtain the center of each class and the number of flows each class contains; determine that the traffic in the preset number of consecutive time windows is similar if the distance between the cluster centers is smaller than a preset distance threshold; and likewise determine that it is similar if the distance between the cluster centers is not smaller than the preset distance threshold but a target class exists among the obtained classes, where the target class is a class whose number of flows exceeds that of every other class by more than a preset threshold.
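The similarity decision of determining module 705, as an added example that is not the patent's own code: the first and second Kerberos stages are assumed to be the AS and TGS exchanges, each flow is reduced to a constructed numeric feature vector, and a simple deterministic leader clustering stands in for whatever clustering method the patent intends; the radius and both thresholds are assumptions.

```python
import math

def euclid(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def extract_to_process(flows):
    """Keep only first-stage (AS) and second-stage (TGS) Kerberos flows as the traffic to be processed."""
    return [f["features"] for f in flows if f["stage"] in ("AS", "TGS")]

def leader_cluster(vectors, radius):
    """Deterministic leader clustering: a vector joins the first class whose center lies within
    `radius` (the center becomes the running mean), otherwise it opens a new class.
    Returns (centers, sizes)."""
    centers, sizes = [], []
    for v in vectors:
        for i, c in enumerate(centers):
            if euclid(v, c) <= radius:
                n = sizes[i] + 1
                centers[i] = tuple((c[k] * (n - 1) + v[k]) / n for k in range(len(v)))
                sizes[i] = n
                break
        else:
            centers.append(tuple(v))
            sizes.append(1)
    return centers, sizes

def has_target_class(sizes, count_thr):
    """Target class: its flow count exceeds that of every other class by more than count_thr."""
    return any(all(s - o > count_thr for j, o in enumerate(sizes) if j != i)
               for i, s in enumerate(sizes))

def windows_similar(flows, radius, dist_thr, count_thr):
    """Similar if every pair of cluster centers is closer than dist_thr, or if the classes are
    far apart but one class dominates (the target class)."""
    centers, sizes = leader_cluster(extract_to_process(flows), radius)
    if len(centers) < 2:
        return True  # assumption: a single class has no center distance that could exceed dist_thr
    max_dist = max(euclid(a, b) for i, a in enumerate(centers) for b in centers[i + 1:])
    if max_dist < dist_thr:
        return True
    return has_target_class(sizes, count_thr)

def flow(stage, length, n_etypes, sname_len):
    """Constructed flow record; features are (request length, etypes offered, sname length)."""
    return {"stage": stage, "features": (float(length), float(n_etypes), float(sname_len))}

def brute_force_windows():
    """Constructed: 30 near-identical AS requests, two TGS requests, and an AP flow that is ignored."""
    flows = [flow("AS", 310 + (i % 3), 1, 6) for i in range(30)]
    flows += [flow("TGS", 1200, 5, 20), flow("TGS", 1205, 5, 20), flow("AP", 500, 0, 0)]
    return flows

def normal_windows():
    """Constructed: a mix of three traffic shapes with no dominant class."""
    return ([flow("AS", 310, 1, 6)] * 5 + [flow("TGS", 1200, 5, 20)] * 4
            + [flow("TGS", 700, 3, 12)] * 3)
```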
Optionally, the preset condition further includes: in each of the preset number of consecutive time windows, the number of flows indicating authentication failure, among the authentication traffic sent by the domain control device to the first device, is greater than a second preset threshold.
Optionally, the password hash stealing behavior detection module 703 detects password hash stealing behavior according to the characteristics of the authentication traffic as follows: the module 703 is specifically configured to determine that password hash stealing behavior is detected when a second target flow exists in the authentication traffic, where the second target flow is a flow whose highest supported encryption level is lower than a preset encryption level.
Optionally, the preset encryption level is the highest of the encryption levels supported by the authentication traffic between the intranet devices and the domain control device in the AD domain during a preset learning period.
Optionally, the process injection behavior detection module 704 detects process injection behavior according to the traffic passing through the target port of the domain control device as follows: the module 704 is specifically configured to determine that process injection behavior is detected if a third target flow is detected among the flows passing through the target port, where the target port is the port used for remote control of the domain control device and the third target flow is a flow containing remote call operation information.
Optionally, the device further includes a login behavior detection module 706, configured to determine, after the process injection behavior detection module 704 determines that process injection behavior is detected, that the target intranet device has login behavior within a preset period after the process injection behavior if, among the traffic generated by the target intranet device within that preset period after the third target flow is detected, there is a flow containing information indicating that the target intranet device has login behavior; the target intranet device is the intranet device indicated by the third target flow.
Optionally, the login behavior detection module 706 is further configured to determine, after the process injection behavior detection module 704 determines that process injection behavior is detected, that the target intranet device has no login behavior within the preset period after the process injection behavior if no flow containing information indicating login behavior of the target intranet device exists among the traffic generated by the target intranet device within that preset period after the third target flow is detected; the target intranet device is the intranet device indicated by the third target flow.
The detection principle of this device for detecting account stealing behavior is derived from typical account stealing behaviors, so the device achieves a better detection rate and effectively reduces both the miss rate and the false-detection rate.
In addition, the preset condition that the password brute-force behavior detection module uses to judge the first device is derived from the characteristics of the password brute-forcing employed by attackers, which improves the accuracy of that module's detection result. Furthermore, after the password brute-force behavior detection module detects password brute-force behavior on the first device, it can continue to detect the authentication traffic between the first device and the domain control device, so the detection is more timely.
The detection principle of the password hash stealing behavior detection module is targeted at the password hash stealing technique employed by attackers, so the accuracy of its detection result is higher. Moreover, the module can examine every authentication flow, so the detection is more timely.
The detection principle of the process injection behavior detection module matches the way an attacker steals an account by means of process injection, so its detection result has higher accuracy. In addition, the module can examine every flow passing through the target port of the domain control device, so the detection is more timely.
The embodiment of the application also provides a computer-readable storage medium comprising a stored program, wherein the program, when run, executes any of the above methods for detecting account stealing behavior.
The embodiment of the application also provides a device comprising a processor, a memory and a bus, the processor being connected to the memory through the bus;
the memory stores a program and the processor runs it; when run, the program executes any of the above methods for detecting account stealing behavior.
The functions of the methods of the embodiments of the present application, if implemented as software functional units and sold or used as a stand-alone product, may be stored on a storage medium readable by a computing device. On this understanding, the part of the present application that contributes over the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and comprising several instructions that cause a computing device (which may be a personal computer, a server, a mobile computing device, a network device, etc.) to execute all or part of the steps of the method described in the embodiments of the present application. The storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
Each embodiment in this specification is described progressively, with emphasis on how it differs from the other embodiments; for the same or similar parts, the embodiments may refer to one another.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A method of detecting account theft behavior, comprising:
acquiring authentication traffic between intranet devices and a domain control device in an AD domain, and traffic passing through a target port of the domain control device; the authentication traffic includes the traffic that an intranet device sends to the domain control device to request account authentication, and the response traffic of the domain control device to that account authentication request; the authentication traffic is traffic using the Kerberos protocol;
simultaneously executing password brute-force behavior detection, password hash stealing behavior detection and process injection behavior detection;
the password brute-force behavior detection detects password brute-force behavior according to the characteristics of the authentication traffic within a time window; the password hash stealing behavior detection detects password hash stealing behavior according to the characteristics of the authentication traffic; the process injection behavior detection detects process injection behavior according to the traffic passing through the target port of the domain control device; the target port is the port through which traffic must be sent to the domain control device in remote mode;
the password brute-force behavior detection comprises the following steps:
if a preset condition is met, determining that password brute-force behavior is detected;
the preset condition includes: in each of a preset number of consecutive time windows, the number of first target flows is greater than a first preset threshold; in each of the preset number of consecutive time windows, the number of flows indicating authentication failure, among the authentication traffic sent by the domain control device to a first device, is greater than a second preset threshold; and the traffic in the preset number of consecutive time windows is similar; the first target flows are the flows in the authentication traffic sent by the first device to the domain control device, and the first device is any intranet device in the AD domain;
the password hash stealing behavior detection comprises the following steps:
determining that password hash stealing behavior is detected when a second target flow exists in the authentication traffic; the second target flow is a flow whose highest supported encryption level is lower than a preset encryption level;
the process injection behavior detection comprises the following steps:
if a third target flow is detected among the flows passing through the target port, determining that process injection behavior is detected, wherein the target port is the port used for remote control of the domain control device, and the third target flow is a flow containing remote call operation information.
2. The method of claim 1, wherein determining that the traffic within the preset number of consecutive time windows is similar comprises:
extracting, from the traffic in the preset number of consecutive time windows, the traffic belonging to the first and second stages of the Kerberos protocol as the traffic to be processed;
clustering the traffic to be processed to obtain the center of each class and the number of flows contained in each class;
if the distance between the cluster centers is smaller than a preset distance threshold, determining that the traffic in the preset number of consecutive time windows is similar;
if the distance between the cluster centers is not smaller than the preset distance threshold and a target class exists among the obtained classes, determining that the traffic in the preset number of consecutive time windows is similar; the target class is a class whose number of flows exceeds that of every other class by more than a preset threshold.
3. The method according to claim 1, wherein the preset encryption level is the highest of the encryption levels supported by the authentication traffic between the intranet devices and the domain control device in the AD domain during a preset learning period.
4. The method of claim 1, further comprising, after said determining that process injection behavior is detected:
if, among the traffic generated by a target intranet device within a preset period after the third target flow is detected, there is a flow containing information indicating that the target intranet device has login behavior, determining that the target intranet device has login behavior within the preset period after the process injection behavior; the target intranet device is the intranet device indicated by the third target flow.
5. The method of claim 1, further comprising, after said determining that process injection behavior is detected:
if, among the traffic generated by a target intranet device within a preset period after the third target flow is detected, there is no flow containing information indicating that the target intranet device has login behavior, determining that the target intranet device has no login behavior within the preset period after the process injection behavior; the target intranet device is the intranet device indicated by the third target flow.
6. An apparatus for detecting account theft behavior, comprising:
an acquisition module, configured to acquire authentication traffic between intranet devices and a domain control device in an AD domain, and traffic passing through a target port of the domain control device; the authentication traffic includes the traffic that an intranet device sends to the domain control device to request account authentication, and the response traffic of the domain control device to that account authentication request; the authentication traffic is traffic using the Kerberos protocol;
a password brute-force behavior detection module, a password hash stealing behavior detection module and a process injection behavior detection module;
the password brute-force behavior detection module is configured to detect password brute-force behavior according to the characteristics of the authentication traffic within a time window;
the password hash stealing behavior detection module is configured to detect password hash stealing behavior according to the characteristics of the authentication traffic;
the process injection behavior detection module is configured to detect process injection behavior according to the traffic passing through the target port of the domain control device; the target port is the port through which traffic must be sent to the domain control device in remote mode;
the password brute-force behavior detection module is specifically configured to:
if a preset condition is met, determine that password brute-force behavior is detected;
the preset condition includes: in each of a preset number of consecutive time windows, the number of first target flows is greater than a first preset threshold; in each of the preset number of consecutive time windows, the number of flows indicating authentication failure, among the authentication traffic sent by the domain control device to a first device, is greater than a second preset threshold; and the traffic in the preset number of consecutive time windows is similar; the first target flows are the flows in the authentication traffic sent by the first device to the domain control device, and the first device is any intranet device in the AD domain;
the password hash stealing behavior detection module is specifically configured to:
determine that password hash stealing behavior is detected when a second target flow exists in the authentication traffic; the second target flow is a flow whose highest supported encryption level is lower than a preset encryption level;
the process injection behavior detection module is specifically configured to:
if a third target flow is detected among the flows passing through the target port, determine that process injection behavior is detected, wherein the target port is the port used for remote control of the domain control device, and the third target flow is a flow containing remote call operation information.
7. A computer-readable storage medium, characterized in that the storage medium comprises a stored program, wherein the program performs the method of detecting account theft behavior according to any one of claims 1-5.
8. An apparatus, comprising: a processor, a memory, and a bus; the processor is connected to the memory through the bus;
the memory is used for storing a program, and the processor is used for running the program, wherein the method of detecting account theft behavior according to any one of claims 1-5 is executed when the program runs.
CN201910913734.1A 2019-09-25 2019-09-25 Method and device for detecting account stealing behavior Active CN112565162B (en)

Publications (2)

Publication Number Publication Date
CN112565162A CN112565162A (en) 2021-03-26
CN112565162B true CN112565162B (en) 2023-09-08


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant