CN112910920A - Malicious communication detection method, system, storage medium and electronic device - Google Patents

Malicious communication detection method, system, storage medium and electronic device

Info

Publication number: CN112910920A
Application number: CN202110224943.2A
Authority: CN (China)
Prior art keywords: communication, malicious, traffic, malicious communication, detected
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 钱赵荣
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110224943.2A
Publication of CN112910920A

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic


Abstract

The application provides a malicious communication detection method comprising: acquiring the communication traffic to be detected; decrypting and decoding the traffic to obtain its communication features; judging whether the communication features match a known malicious communication pattern; and, if so, confirming that the traffic is malicious communication traffic. Instead of matching static signatures, the method analyses the decrypted and decoded traffic to extract its communication features and matches those features against known malicious communication patterns, so that hacking-tool traffic whose static features have been changed (for example by editing the tool's configuration file) is still identified. Static features can additionally be combined with the pattern match to raise the detection rate further. The application also provides a detection system, a computer-readable storage medium and an electronic device with the same advantages.

Description

Malicious communication detection method, system, storage medium and electronic device
Technical Field
The present application relates to the field of network security, and in particular, to a malicious communication detection method, system, storage medium, and electronic device.
Background
Hacking-tool detection today relies on extracting the tool's static features and matching them. This fails in two ways. First, the tool's configuration file is user-definable, and most operators change the defaults, so the extracted features no longer appear in the traffic. Second, some tools deliberately imitate normal traffic in their static features, for example by setting the request URL (Uniform Resource Locator) to bootstrap.min.js or jquery.min.js, which produces many false positives when such features are used for matching. Detection based on static features therefore suffers from both a high false negative rate and a high false positive rate.
How to raise the detection rate for hacking tools while avoiding both false negatives and false positives is therefore a pressing problem for those skilled in the art.
Disclosure of Invention
An object of the present application is to provide a malicious communication detection method, a malicious communication detection system, a computer-readable storage medium and an electronic device that raise the detection rate for hacking tools by recognising the communication pattern of the traffic rather than its static features.
To that end, the application provides a malicious communication detection method with the following technical scheme:
acquiring the communication traffic to be detected;
decrypting and decoding the communication traffic to obtain its communication features;
judging whether the communication features match a malicious communication pattern;
and, if so, confirming that the communication traffic is malicious communication traffic.
Optionally, judging whether the communication features match a malicious communication pattern comprises:
querying a malicious communication pattern data table for a malicious communication pattern that contains all of the communication features.
Optionally, before judging whether the communication features match a malicious communication pattern, the method further comprises:
acquiring the configuration file of a hacking tool;
analysing the packet encryption scheme that the configuration file specifies to obtain its encryption features, the encryption features comprising the encryption method, the encryption time (the point in the communication at which encryption is applied) and the encryption object (what is encrypted);
adding the encryption features to the malicious communication pattern data table as a malicious communication pattern.
Optionally, the method further comprises:
acquiring traffic generated by a hacking tool;
analysing that traffic, combining its weak features into a malicious communication pattern, and adding the pattern to the malicious communication pattern data table; the weak features comprise any one or any combination of URL information, traffic timestamps and encoding values.
Optionally, when the communication features of the traffic match a malicious communication pattern, the method further comprises, before confirming that the traffic is malicious communication traffic:
decrypting the communication traffic with the encryption scheme of the matched malicious communication pattern;
and, only if the decryption succeeds, proceeding to confirm that the communication traffic is malicious communication traffic.
Optionally, judging whether the communication features match a malicious communication pattern comprises:
judging whether the specific features match any pending malicious communication pattern;
if not, confirming that the communication traffic is normal traffic;
if so, judging whether any pending malicious communication pattern contains the weak features;
if a pending malicious communication pattern contains the weak features, taking that target pattern as the malicious communication pattern matched by the communication features;
where the specific features comprise communication-pattern features and communication-traffic features.
Optionally, after confirming that the communication traffic is malicious communication traffic, the method further comprises:
generating alarm information for the malicious communication traffic, the alarm information indicating that the traffic is hacking-tool communication traffic.
The application also provides a malicious communication detection system comprising:
an acquisition module for acquiring the communication traffic to be detected;
a communication feature extraction module for decrypting and decoding the communication traffic to obtain its communication features;
a judging module for judging whether the communication features match a malicious communication pattern;
and a confirming module for confirming that the communication traffic is malicious communication traffic when the judging module's result is yes.
Optionally, the judging module queries a malicious communication pattern data table for a malicious communication pattern that contains all of the communication features.
Optionally, the system further comprises:
a first data table generation module that, before the judging module runs, acquires the configuration file of a hacking tool, analyses the packet encryption scheme specified by that configuration file to obtain its encryption features (the encryption method, the encryption time and the encryption object), and adds the encryption features to the malicious communication pattern data table as a malicious communication pattern.
Optionally, the system further comprises:
a second data table generation module that acquires traffic generated by a hacking tool, analyses it, combines its weak features into a malicious communication pattern and adds that pattern to the malicious communication pattern data table; the weak features comprise any one or any combination of URL information, traffic timestamps and encoding values.
Optionally, when the judging module finds that the communication features of the traffic match a malicious communication pattern, the system further comprises:
a decryption module that, before the traffic is confirmed as malicious communication traffic, decrypts the traffic with the encryption scheme of the matched pattern and, only if the decryption succeeds, proceeds to confirming the traffic as malicious communication traffic.
Optionally, the judging module is configured to:
judge whether the specific features match any pending malicious communication pattern; if not, confirm that the communication traffic is normal traffic; if so, judge whether any pending malicious communication pattern contains the weak features; and if a pending pattern contains the weak features, take that target pattern as the malicious communication pattern matched by the communication features;
where the specific features comprise communication-pattern features and communication-traffic features, and the weak features comprise URL features and traffic timestamps.
Optionally, the system further comprises:
an alarm module for generating alarm information for the malicious communication traffic.
The application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the malicious communication detection method described above.
The application also provides an electronic device comprising a memory and a processor, where the memory stores a computer program and the processor carries out the steps of the malicious communication detection method described above when it runs that program.
In summary, the application provides a malicious communication detection method comprising: acquiring the communication traffic to be detected; decrypting and decoding it to obtain its communication features; judging whether the communication features match a malicious communication pattern; and, if so, confirming that the traffic is malicious communication traffic.
Because detection works on the decrypted and decoded traffic and matches its communication features against known malicious communication patterns, hacking-tool traffic that static features cannot identify is still detected: however the tool's configuration file is changed, the traffic is recognised as long as its communication pattern is unchanged. Weak features can be combined with the pattern match on top of this, which markedly improves the detection of hacking tools.
The application further provides a malicious communication detection system, a computer-readable storage medium and an electronic device with the same advantages, which are not repeated here.
Drawings
The drawings needed to describe the embodiments are introduced briefly below. They show only embodiments of the present application; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a malicious communication detection method according to an embodiment of the present disclosure;
fig. 2 is a flowchart of another malicious communication detection method according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a malicious communication detection system according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments are described below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present application; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the application.
Current hacking-tool detection relies only on static features of the tool, that is, on features taken from its configuration file. This has a high false-alarm rate: the tool is hard to detect once its configuration is changed, and normal traffic can be mistaken for hacker traffic.
To address this, fig. 1 shows the flow of a malicious communication detection method according to an embodiment of the present application. The method comprises:
S101: acquiring the communication traffic to be detected;
This step obtains the communication traffic to be detected, which may come from any stage of the communication. When a hacking tool carries out malicious communication it usually goes through several stages, such as a heartbeat stage, a task execution stage and an execution result stage: the heartbeat stage is the establishment of a connection with the attacked host, the task execution stage is the delivery of hacker traffic to the attacked host to steal or tamper with data, and the execution result stage is the return of the result of the attack. The traffic acquired in this step may belong to any of these stages.
The step may be triggered by a system setting of the detection device or manually by an analyst. When triggered by a system setting, the embodiment can run continuously so that the target device is protected against hacker traffic; the detection can also be run periodically, with the period left to those skilled in the art.
S102: decrypting and decoding the communication traffic to obtain its communication features;
This step decrypts and decodes the communication traffic to obtain its communication features. Because hacker traffic is usually encrypted and encoded according to the tool's configuration file, the acquired traffic is decoded and decrypted here so that its communication features become visible. The decryption and decoding methods are not limited: they may include AES decryption, or decoding of an exclusive-or encoding, Base64 encoding or even a custom encoding, whatever is needed to recover the communication features this step requires.
The communication features are the observable characteristics of the communication traffic. They may include any information that characterises the communication, including but not limited to the traffic encryption, the handshake, timestamp information, the traffic format and so on. They can be divided into specific features, comprising communication-pattern features and communication-traffic features, which can be obtained by parsing the hacking tool's configuration file, and weak features, comprising URL features, traffic timestamps, encoding values and the like. Communication-pattern features include the handshake method, the encryption method, the traffic transmission method and so on; communication-traffic features include whether the traffic carries a header feature, the data structure of the traffic and so on. Weak features may include static features, mainly the traffic timestamp and URL features such as URL length and the variation of URL length; the encoding value differs according to the encoding method used.
It should be noted that this step may yield several communication features, and each hacking tool exhibits several communication features, but not necessarily all of them.
Since the traffic acquired in step S101 may come from different stages, the communication features it contains are not necessarily all of the tool's features. Clearly, the more communication features that are determined, the more accurately the communication pattern can be determined and confirmed. In addition, some communication features can only be confirmed by observing traffic over a period of time, for example the timestamp range within which malicious requests are initiated: malicious communication traffic usually begins stealing data right after a successful handshake, which produces a large number of requests and received data in a short time. Step S101 may therefore be executed continuously so that this step gathers as many communication features as possible, which makes determining the matching malicious communication pattern in S103 easier.
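To make step S102 concrete, the following Python is an added example (not code from the patent or from Sangfor) that peels the encoding layers off a constructed HTTP request body (Base64 over single-byte XOR) and collects the kinds of features named above: URL path and length as URL features, a custom header as a communication-traffic feature, the recovered encoding chain as the encoding value, and the capture timestamp for the timestamp feature. The request contents, the header name, the XOR key and the `key=value&...` plaintext shape used as the decoding plausibility check are all assumptions made for the example; AES, which needs a key, is left to the reverse-decryption step.

```python
import base64
import binascii
import re
import string
from dataclasses import dataclass, field

PRINTABLE = set(string.printable.encode())
# Assumed plaintext shape of the hypothetical tool's messages: "key=value&key=value".
# It is the plausibility check that makes single-byte-XOR brute force unambiguous.
PLAINTEXT_SHAPE = re.compile(rb"^[a-z]+=[ -~]*$")


@dataclass
class Request:
    ts: float          # capture timestamp, seconds
    method: str
    url: str
    headers: dict
    body: bytes


@dataclass
class CommFeatures:
    url_path: str
    url_len: int
    has_custom_header: bool          # communication-traffic (header) feature
    encoding_chain: list = field(default_factory=list)   # weak feature: encoding value(s)
    plaintext: bytes = b""
    ts: float = 0.0                  # weak feature: traffic timestamp


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def try_base64(data: bytes):
    """Decode only canonical Base64: strict alphabet, correct padding, exact round-trip."""
    if not data or len(data) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", data):
        return None
    try:
        out = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    return out if base64.b64encode(out) == data else None


def try_single_byte_xor(data: bytes):
    """Brute-force a single-byte XOR key. A key is accepted only when the result is
    printable and matches PLAINTEXT_SHAPE, so at most one key survives."""
    hits = [(k, xor_bytes(data, k)) for k in range(1, 256)]
    hits = [(k, pt) for k, pt in hits
            if all(b in PRINTABLE for b in pt) and PLAINTEXT_SHAPE.match(pt)]
    return hits[0] if len(hits) == 1 else None


def peel(data: bytes, max_layers: int = 4):
    """Strip encoding layers (Base64, single-byte XOR) until nothing decodes further.
    Returns (innermost bytes, list of layers removed, outermost first)."""
    chain = []
    for _ in range(max_layers):
        decoded = try_base64(data)
        if decoded is not None:
            chain.append("base64")
            data = decoded
            continue
        hit = try_single_byte_xor(data)
        if hit is not None:
            chain.append(f"xor:0x{hit[0]:02x}")
            data = hit[1]
            continue
        break
    return data, chain


def extract_features(req: Request) -> CommFeatures:
    """S102 for one request: decode the body and collect the features S103 will match on."""
    plaintext, chain = peel(req.body)
    return CommFeatures(
        url_path=req.url.split("?", 1)[0],
        url_len=len(req.url),
        has_custom_header=any(h.lower().startswith("x-") for h in req.headers),
        encoding_chain=chain,
        plaintext=plaintext,
        ts=req.ts,
    )


def request_rate(feats) -> float:
    """Timestamp feature over a window: requests per second (0 for fewer than two)."""
    if len(feats) < 2:
        return 0.0
    span = max(f.ts for f in feats) - min(f.ts for f in feats)
    return len(feats) / span if span > 0 else float("inf")


# Constructed sample traffic (not a real capture). The first request mimics a tool that hides
# a task result behind XOR 0x5a and then Base64 on a URL chosen to look like a static asset.
TASK_RESULT = b"task=whoami&result=web01\\admin&ts=1614556800"
SAMPLE_REQUESTS = [
    Request(1614556800.0, "POST", "/jquery.min.js?v=3.5.1",
            {"Host": "cdn.example.test", "X-Session": "3f2a"},
            base64.b64encode(xor_bytes(TASK_RESULT, 0x5A))),
    Request(1614556800.4, "GET", "/jquery.min.js",
            {"Host": "cdn.example.test"}, b""),
]

if __name__ == "__main__":
    feats = [extract_features(r) for r in SAMPLE_REQUESTS]
    for f in feats:
        print(f)
    print("requests/s:", request_rate(feats))
```

The order of attempts in `peel` matters: Base64 is tried first because its alphabet check is cheap and nearly false-positive free, whereas the XOR search is only trustworthy because of the plaintext shape check; without such a check several keys produce printable output and the encoding value becomes ambiguous.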
S103: judging whether the communication features match a malicious communication pattern; if so, go to S104;
Every hacking tool has at least one malicious communication pattern. This embodiment assumes that the known malicious communication patterns have been determined before this step is performed. A malicious communication pattern corresponds to the tool's means of malicious communication and may comprise one or several of the communication features described above; it means that a tool using that pattern must exhibit at least the corresponding communication features when it communicates. How the match is determined is not limited; a malicious communication pattern data table may be queried to find whether a pattern matches the communication features. The data table collects the confirmed malicious communication patterns, and a person skilled in the art may use another data structure or storage medium holding the confirmed patterns instead. How the malicious communication patterns themselves are confirmed is also not limited; this embodiment gives two methods:
The first confirmation method:
first, obtain the configuration file of the hacking tool;
second, analyse the packet encryption scheme specified by that configuration file to obtain its encryption features;
third, add the encryption features to the malicious communication pattern data table as a malicious communication pattern.
The first method analyses the hacking tool's configuration file. The configuration files of common hacking tools are collected, the packet encryption scheme in each is determined, and the encryption features of that scheme become the communication features of the malicious communication pattern. The encryption features may include the encryption method, the encryption time and the encryption object. For example, when a hacking tool transmits commands and command results over HTTP, it encrypts them so that detection rules that look at plaintext content cannot see them. Some tools exchange random numbers in the first few packets of a communication; once the exchange is complete, both sides derive an encryption key from the random numbers with the same key generation procedure, and all subsequent content is encrypted with that key. In this case the encryption method is a key generated from random numbers, the encryption time is the initial period of the communication, and the encryption object is the transmitted data, and the malicious communication pattern can be determined from the configuration file. The pattern records only this core encryption feature; it does not require unrelated details such as how the random numbers are generated or exactly how many of the first packets carry them.
Any communication in which random numbers are exchanged in the first few packets and the data is then encrypted with a key generated from those random numbers exhibits this malicious encryption pattern, that is, the communication features obtained in step S102 match the encryption feature.
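As an added example (not code from the patent or from any real tool), the following Python expresses the random-number-exchange encryption feature just described as a check over a captured session, and then performs the reverse-decryption step the disclosure lists (decrypt with the matched pattern's own method; confirm only if decryption succeeds). The tool's key derivation (SHA-256 over the two nonces, HMAC-SHA256 counter keystream XORed onto the data), the 16-byte nonce size, the entropy threshold and the sample sessions are assumptions made for the example. Note that the check deliberately ignores how the random numbers were generated and looks only at where in the session they appear and whether later payloads still read as plaintext.

```python
import hashlib
import hmac
import math
import string
from dataclasses import dataclass

NONCE_LEN = 16                       # assumed nonce size of the hypothetical tool
PRINTABLE = set(string.printable.encode())


@dataclass
class Packet:
    direction: str   # "c2s" or "s2c"
    payload: bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (4.0 for 16 distinct bytes, at most 8.0)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_text(data: bytes) -> bool:
    return bool(data) and all(b in PRINTABLE for b in data)


# Assumed scheme of the hypothetical tool (an assumption, not taken from the patent):
#   key        = SHA-256(nonce_c || nonce_s)
#   keystream  = HMAC-SHA256(key, 0) || HMAC-SHA256(key, 1) || ...
#   ciphertext = plaintext XOR keystream
def derive_key(nonce_c: bytes, nonce_s: bytes) -> bytes:
    return hashlib.sha256(nonce_c + nonce_s).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def encryption_feature_match(session) -> bool:
    """The encryption feature from the first confirmation method, as a check:
    encryption time   = the first two packets carry the random numbers (one per direction);
    encryption object = every later payload, which must no longer look like plaintext;
    encryption method = a key derived from those numbers (verified by reverse_decrypt).
    Nothing else (how the numbers were generated, exact packet count) is required."""
    if len(session) < 3:
        return False
    a, b = session[0], session[1]
    if a.direction == b.direction:
        return False
    if len(a.payload) != NONCE_LEN or len(b.payload) != NONCE_LEN:
        return False
    if entropy(a.payload) < 3.5 or entropy(b.payload) < 3.5:
        return False
    return all(not looks_like_text(p.payload) for p in session[2:])


def reverse_decrypt(session):
    """Reverse-decryption step: decrypt with the matched pattern's own method and confirm
    only if the result is plausible plaintext. Returns the plaintexts, or None."""
    if not encryption_feature_match(session):
        return None
    key = derive_key(session[0].payload, session[1].payload)
    plaintexts = [keystream_xor(key, p.payload) for p in session[2:]]
    return plaintexts if all(looks_like_text(pt) for pt in plaintexts) else None


def build_session(nonce_c: bytes, nonce_s: bytes, messages):
    """Emulate the tool so that there is something to detect (constructed traffic)."""
    key = derive_key(nonce_c, nonce_s)
    pkts = [Packet("c2s", nonce_c), Packet("s2c", nonce_s)]
    pkts += [Packet(d, keystream_xor(key, m)) for d, m in messages]
    return pkts


# Constructed nonces, fixed so the example is reproducible (a real tool draws them at random)
NONCE_C = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
NONCE_S = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
MESSAGES = [("c2s", b"task=whoami&host=web01&ts=1614556800&seq=1"),
            ("s2c", b"result=web01\\admin&host=web01&ts=1614556801&seq=1")]
SAMPLE_SESSION = build_session(NONCE_C, NONCE_S, MESSAGES)

# Constructed benign session: plain HTTP, whose first packet is not a 16-byte random number
BENIGN_SESSION = [Packet("c2s", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
                  Packet("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")]

if __name__ == "__main__":
    print("pattern match:", encryption_feature_match(SAMPLE_SESSION))
    print("decrypted:", reverse_decrypt(SAMPLE_SESSION))
    print("benign:", encryption_feature_match(BENIGN_SESSION))
```

The structural check alone is a candidate match (it would also fire on some legitimate protocols that start with nonces); the reverse decryption is what turns it into a confirmation, which is why the disclosure gates the verdict on decryption succeeding.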
The second confirmation method:
first, obtain traffic generated by the hacking tool;
second, analyse that traffic, combine its URL information, encoding values and traffic timestamps into a malicious communication pattern, and add the pattern to the malicious communication pattern data table.
The second method derives the malicious communication pattern from confirmed hacker traffic: the traffic is analysed to identify its weak features, such as URL information. Unlike the configuration file analysis above, in which the configuration file determines a fixed set of specific features, the traffic observed during actual communication is shaped by those specific features and therefore expresses weak features. The URL information mainly comprises the traffic length and the platform ID, where the traffic length is the length of the hacker traffic and the platform ID is a marker attribute of the hacking tool. The traffic timestamp is generally the sending timestamp of a hacker traffic packet; from the sending times recorded in the timestamps, the sending frequency and the timestamp range of the hacker traffic can be determined. The encoding value may be an exclusive-or value or a value produced by another encoding method. All of these are reflected in the hacker traffic but are not necessarily recorded in the configuration file, so analysing the traffic yields additional communication features that enrich the malicious communication pattern. Note that the weak features in this embodiment include not only the static features used by current hacking-tool detection but also information the static features lack, such as the traffic timestamp.
Note that feature matching for the communication features of the traffic to be detected asks whether a malicious communication pattern containing those communication features exists, not whether the traffic contains every feature of the pattern. Specifically, the traffic features obtained by decryption and decoding can stand in one of four relations to a malicious communication pattern:
first, the traffic features are a subset of the communication features of some malicious communication pattern;
second, the traffic features share some features with some malicious communication pattern and differ in others;
third, the traffic features contain all of the features of some malicious communication pattern plus features the pattern does not contain;
fourth, the traffic features differ from the features of every malicious communication pattern.
In the first case the pattern is directly taken as the malicious communication pattern matched by the traffic features.
The second case is usually a new malicious communication pattern, which can nevertheless be analysed on the basis of the shared traffic features. Taking traffic features consisting of specific features and weak features as an example: if the specific features are identical and only the weak features differ, the traffic can be treated as a variant of the known malicious communication pattern, and reverse decryption, alarming and so on can proceed on the basis of that similar pattern. If the specific features differ, a new malicious communication pattern may have appeared.
The third case usually means that the hacking tool's configuration file has changed and new traffic features have appeared in the hacker traffic. The pattern is still taken as the malicious communication pattern matched by the traffic features, and the pattern can be updated with the new features.
In the fourth case the communication traffic to be detected can be regarded as not being hacker traffic.
Accordingly, the malicious communication pattern data table, or any other data structure that collects the malicious communication patterns, can be updated with the new patterns to meet the matching needs of the communication patterns.
In this embodiment the malicious communication pattern data table holds the mapping between communication features and malicious communication patterns. Each hacking tool generally corresponds to one or a few communication patterns, so once the malicious communication pattern is determined, the corresponding hacking tool or tools can also be determined and the hacker traffic can be analysed directly using information such as the tool's configuration file. The data table may therefore also hold a mapping between communication features, malicious communication patterns and hacking tools.
S104: confirming that the communication traffic to be detected is malicious communication traffic.
When the communication features of the traffic are confirmed to match a malicious communication pattern, the traffic is performing hacker communication according to a known malicious communication pattern and can be treated as malicious communication traffic. Note that although the malicious communication traffic confirmed in this step is usually handled in units of packets, malicious traffic is usually interleaved with normal traffic to evade detection; the confirmation therefore establishes that malicious communication traffic is present in the communication, and it is not necessary to decide packet by packet whether each one is malicious.
As a preferred implementation of this embodiment, after the traffic is confirmed to be malicious communication traffic, alarm information corresponding to it may be generated, the alarm information indicating that the traffic is hacking-tool communication traffic.
When the communication traffic to be detected is examined, it is decrypted, decoded and analysed to obtain its communication features, and those features are matched against known malicious communication patterns to decide whether the traffic is malicious communication traffic. The method and device target the communication pattern of the hacking tool and can detect hacker traffic that static features cannot identify: however the tool's configuration file is changed during communication, the traffic is recognised as long as the communication pattern is unchanged.
On the basis of the above embodiment, as a preferred embodiment, when the communication features include the specific features and the weak features described above, determining whether the communication features have a matching malicious communication pattern may proceed as follows:
S1031: determining whether the specific features have matching pending malicious communication patterns; if not, go to S1032; if yes, go to S1033;
S1032: confirming that the communication traffic to be detected is normal traffic;
S1033: determining whether the pending malicious communication patterns contain the weak features;
S1034: if there is a target malicious communication pattern containing the weak features among the pending malicious communication patterns, taking the target malicious communication pattern as the malicious communication pattern that matches the communication features.
The specific meanings of the specific features and the weak features in this embodiment are as described in the above embodiment and are not repeated here. In the matching process for the specific features, what is mainly determined is whether the malicious communication patterns include any pattern containing all of the specific features; if such patterns exist, they are regarded as the pending malicious communication patterns.
As can be seen from the above process, both the specific features and the weak features serve as reference features in the malicious communication pattern matching process. The specific features, which consist of communication mode features and communication traffic features, are more significant and distinctive, while the weak features are convenient to use as matching references for malicious communication patterns. The number of pending malicious communication patterns containing the specific features is far smaller than the number of malicious communication patterns containing the weak features, so determining the specific features first and the weak features second allows the malicious communication pattern to be determined quickly.
For example, suppose there are 10 malicious communication patterns, of which 3 pending malicious communication patterns contain the specific features and 6 malicious communication patterns contain the weak features. With the matching process of this embodiment, the specific features are determined first, yielding the 3 pending malicious communication patterns that contain the specific features, and the target malicious communication pattern containing the weak features is then determined from among these 3 pending malicious communication patterns. The number of required matching operations is thereby noticeably reduced and matching efficiency is improved.
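The two-stage matching of S1031 to S1034 and the 10/3/6 counting example above, written out in Python as an added example (this is not code from the patent or from Sangfor). The pattern table, its feature strings and the observed feature sets are constructed for illustration, and the function counts subset checks so that the effect of ordering the stages can be seen directly; running the same table weak-features-first shows why the specific features are checked first.

```python
"""Two-stage malicious communication pattern matching: specific features first,
weak features second. Added example; every pattern, feature string and observed
feature set below is constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Pattern:
    name: str
    specific: frozenset  # communication mode features + communication traffic features
    weak: frozenset      # URL information, traffic timestamps, encoding values


def _p(name: str, specific: Iterable[str], weak: Iterable[str]) -> Pattern:
    return Pattern(name, frozenset(specific), frozenset(weak))


# Constructed table of 10 patterns, arranged so that 3 contain the observed
# specific features, 6 contain the observed weak features and exactly 1 contains both.
PATTERN_TABLE: List[Pattern] = [
    _p("tool-A-profile-1", {"mode:http-post-beacon", "traffic:fixed-512", "traffic:keepalive-60s"},
       {"url:/update.php", "enc:base64", "ts:utc-ms"}),
    _p("tool-A-profile-2", {"mode:http-post-beacon", "traffic:fixed-512"}, {"url:/login", "enc:xor"}),
    _p("tool-A-profile-3", {"mode:http-post-beacon", "traffic:fixed-512", "mode:tls-fixed-sni"},
       {"url:/update.php", "enc:hex"}),
    _p("tool-B-profile-1", {"mode:dns-txt"}, {"url:/update.php", "enc:base64"}),
    _p("tool-B-profile-2", {"mode:http-post-beacon"}, {"url:/update.php", "enc:base64", "ts:unix-s"}),
    _p("tool-C-profile-1", {"mode:websocket"}, {"url:/update.php", "enc:base64"}),
    _p("tool-C-profile-2", {"traffic:fixed-512"}, {"url:/update.php", "enc:base64"}),
    _p("tool-D-profile-1", {"mode:icmp-echo"}, {"url:/update.php", "enc:base64", "enc:gzip"}),
    _p("tool-D-profile-2", {"mode:smb-pipe"}, {"url:/"}),
    _p("tool-E-profile-1", {"mode:http-get-poll"}, {"enc:base64"}),
]

# Constructed communication features of the traffic to be detected.
OBS_SPECIFIC = frozenset({"mode:http-post-beacon", "traffic:fixed-512"})
OBS_WEAK = frozenset({"url:/update.php", "enc:base64"})


def match_two_stage(obs_specific: Iterable[str], obs_weak: Iterable[str],
                    table: List[Pattern] = PATTERN_TABLE,
                    specific_first: bool = True) -> Tuple[Optional[str], int]:
    """Return (name of the target pattern or None, number of subset checks).

    Stage 1 keeps the patterns containing every feature of the first group
    (the "pending" patterns); stage 2 keeps those pending patterns that also
    contain every feature of the second group. None means normal traffic (S1032)."""
    obs_specific, obs_weak = frozenset(obs_specific), frozenset(obs_weak)
    if specific_first:
        stages = (("specific", obs_specific), ("weak", obs_weak))
    else:
        stages = (("weak", obs_weak), ("specific", obs_specific))
    checks = 0
    pending = []
    for p in table:                                   # S1031: scan the whole table
        checks += 1
        if getattr(p, stages[0][0]) >= stages[0][1]:
            pending.append(p)
    if not pending:                                   # S1032: normal traffic
        return None, checks
    targets = []
    for p in pending:                                 # S1033: only the pending patterns
        checks += 1
        if getattr(p, stages[1][0]) >= stages[1][1]:
            targets.append(p)
    return (targets[0].name if targets else None), checks   # S1034


if __name__ == "__main__":
    print(match_two_stage(OBS_SPECIFIC, OBS_WEAK))                        # ('tool-A-profile-1', 13)
    print(match_two_stage(OBS_SPECIFIC, OBS_WEAK, specific_first=False))  # ('tool-A-profile-1', 16)
```

With this table, checking the specific features first costs 10 + 3 subset checks and checking the weak features first costs 10 + 6, which is the saving the paragraph above describes; the gap grows with the number of patterns that share common weak features such as a URL path or an encoding.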
Based on the foregoing embodiment, as a preferred embodiment, in order to ensure the detection success rate, if a malicious communication pattern matches the communication features, the following steps may be performed before confirming that the communication traffic to be detected is malicious communication traffic:
reverse-decrypting the communication traffic to be detected according to the encryption mode corresponding to the malicious communication pattern matched with the communication traffic to be detected;
if the decryption succeeds, confirming that the communication traffic to be detected is malicious communication traffic.
Although the malicious communication pattern of the communication traffic to be detected has been confirmed, in order to ensure that no false alarm occurs, the communication traffic to be detected is reverse-decrypted according to the communication features contained in the malicious communication pattern. If the decryption succeeds, the communication traffic to be detected can naturally be confirmed as malicious communication traffic, which reduces the false alarm rate and improves the detection success rate for hacker traffic.
The complete execution steps in this case are shown in fig. 2, which is a flowchart of another malicious communication detection method provided in an embodiment of the present application:
S201: acquiring communication traffic to be detected;
S202: performing traffic encoding and decoding on the communication traffic to be detected to obtain communication features;
S203: determining whether the communication features have a matching malicious communication pattern; if yes, go to S204;
S204: reverse-decrypting the communication traffic to be detected according to the encryption mode corresponding to the malicious communication pattern matched with the communication traffic to be detected;
S205: if the decryption succeeds, confirming that the communication traffic to be detected is malicious communication traffic.
If the reverse decryption fails, the malicious communication patterns need to be matched again; if no corresponding malicious communication pattern can be matched again, this indicates that the communication traffic to be detected may not be malicious communication traffic, or that it follows a new malicious communication pattern.
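The S203 to S205 flow with re-matching on failure, as an added Python example that is not the patent's or Sangfor's code. The pattern table, the toy XOR-then-base64 scheme, the key bytes and the success criterion (the decrypted bytes must parse as a JSON object) are all constructed assumptions; each table entry carries an encryption method, a key and an encryption object in the spirit of the encryption features the first data table generation module below extracts from a tool's configuration file.

```python
"""Confirming a matched malicious communication pattern by reverse decryption
(S203-S205 of fig. 2), with re-matching when decryption fails. Added example:
the patterns, the toy XOR-then-base64 scheme, the keys and the success
criterion are constructed assumptions, not data from the patent or any product."""
import base64
import binascii
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class EncPattern:
    name: str
    features: frozenset  # communication features the pattern contains
    method: str          # encryption method (assumed names: "xor-base64", "plain-base64")
    key: bytes           # key for the method; empty for plain-base64
    enc_object: str      # encryption object: which message field is encrypted


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the toy cipher assumed for this example."""
    if not key:
        return data
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _p(name: str, features: Iterable[str], method: str, key: bytes,
       enc_object: str = "body") -> EncPattern:
    return EncPattern(name, frozenset(features), method, key, enc_object)


# Constructed table: two profiles of the same tool share features but differ in key,
# so the first one can match on features and still fail reverse decryption.
PATTERN_TABLE: List[EncPattern] = [
    _p("tool-B-profile-1", {"mode:http-post-beacon", "url:/update.php"}, "xor-base64", b"alpha"),
    _p("tool-B-profile-2", {"mode:http-post-beacon", "url:/update.php"}, "xor-base64", b"omega"),
    _p("tool-C-profile-1", {"mode:http-get-poll", "enc:base64"}, "plain-base64", b""),
]


def reverse_decrypt(message: Dict[str, object], pattern: EncPattern) -> Optional[dict]:
    """Undo the pattern's encryption on its encryption object.

    Returns the recovered structure, or None if decryption fails. Because XOR
    with a wrong key still yields bytes, "success" is defined here (assumption)
    as the result parsing as a JSON object."""
    data = message.get(pattern.enc_object)
    if not isinstance(data, bytes):
        return None
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    if pattern.method == "xor-base64":
        raw = _xor(raw, pattern.key)
    elif pattern.method != "plain-base64":
        return None  # method not supported by this example
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def detect(features: Iterable[str], message: Dict[str, object],
           table: List[EncPattern] = PATTERN_TABLE) -> Tuple[str, Optional[str]]:
    """Returns (verdict, matched pattern name); verdict is one of
    "normal", "malicious" or "unknown-or-new-pattern"."""
    features = frozenset(features)
    candidates = [p for p in table if p.features >= features]   # S203
    if not candidates:
        return "normal", None
    for p in candidates:                                         # S204, re-matching on failure
        if reverse_decrypt(message, p) is not None:              # S205
            return "malicious", p.name
    # Every matched pattern failed decryption: not malicious, or a new pattern.
    return "unknown-or-new-pattern", None


# Constructed sample traffic.
SAMPLE_FEATURES = {"mode:http-post-beacon", "url:/update.php"}
SAMPLE_MESSAGE = {"url": "/update.php",
                  "body": base64.b64encode(_xor(b'{"cmd":"ping","id":7}', b"omega"))}
UNDECRYPTABLE_MESSAGE = {"url": "/update.php", "body": b"AAEC"}  # base64 of bytes 00 01 02
PLAIN_MESSAGE = {"url": "/poll", "body": base64.b64encode(b'{"a":1}')}


if __name__ == "__main__":
    print(detect(SAMPLE_FEATURES, SAMPLE_MESSAGE))          # ('malicious', 'tool-B-profile-2')
    print(detect(SAMPLE_FEATURES, UNDECRYPTABLE_MESSAGE))   # ('unknown-or-new-pattern', None)
    print(detect({"mode:smb-pipe"}, SAMPLE_MESSAGE))        # ('normal', None)
```

The first sample matches both tool-B profiles on features; decryption with the first profile's key produces bytes that do not parse, so the detector re-matches and confirms on the second profile. The second sample matches on features but decrypts under neither key, which is the "not malicious or new pattern" outcome described above rather than an alarm.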
Fig. 3 is a schematic structural diagram of a malicious communication detection system according to an embodiment of the present application. The malicious communication detection system includes:
an acquisition module, configured to acquire the communication traffic to be detected;
a communication feature extraction module, configured to perform traffic encoding and decoding on the communication traffic to be detected to obtain communication features;
a determining module, configured to determine whether the communication features have a matching malicious communication pattern;
a confirming module, configured to confirm that the communication traffic to be detected is malicious communication traffic when the determination result of the determining module is yes.
Based on the above embodiment, as a preferred embodiment, the determining module calls a malicious communication pattern data table to determine whether a malicious communication pattern containing all of the communication features exists.
Based on the above embodiment, as a preferred embodiment, the malicious communication detection system may further include:
a first data table generation module, configured to, before it is determined whether the communication features have a matching malicious communication pattern, acquire a configuration file of a hacker tool; analyze the data packet encryption mode corresponding to the hacker tool configuration file to obtain encryption features, where the encryption features include the encryption method, the encryption time and the encryption object; and add the encryption features to the malicious communication pattern data table as a malicious communication pattern.
Based on the above embodiment, as a preferred embodiment, the malicious communication detection system further includes:
a second data table generation module, configured to acquire hacker traffic of a hacker tool; analyze the hacker traffic, integrate the weak features of the hacker traffic to obtain the malicious communication pattern, and add the malicious communication pattern to the malicious communication pattern data table, where the weak features include any one or any combination of URL information, traffic timestamps and encoding values.
Based on the foregoing embodiment, as a preferred embodiment, if the determining module determines that the communication features of the communication traffic to be detected conform to a malicious communication pattern, the system further includes:
a decryption module, configured to reverse-decrypt the communication traffic to be detected according to the encryption mode corresponding to the malicious communication pattern before the communication traffic to be detected is confirmed to be malicious communication traffic, and, if the decryption succeeds, to execute the step of confirming that the communication traffic to be detected is malicious communication traffic.
Based on the foregoing embodiment, as a preferred embodiment, the determining module is configured to perform the following steps:
determining whether the specific features have matching pending malicious communication patterns; if not, confirming that the communication traffic to be detected is normal traffic; if yes, determining whether the pending malicious communication patterns contain the weak features; and if there is a target malicious communication pattern containing the weak features among the pending malicious communication patterns, taking the target malicious communication pattern as the malicious communication pattern that matches the communication features;
wherein the specific features include communication mode features and communication traffic features.
Based on the above embodiment, as a preferred embodiment, the malicious communication detection system may further include:
an alarm module, configured to generate alarm information corresponding to the malicious communication traffic.
The present application further provides a computer-readable storage medium on which a computer program is stored; when executed, the computer program implements the steps of the malicious communication detection method provided by the foregoing embodiments. The storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application also provides an electronic device, which may include a memory and a processor, where the memory stores a computer program and the processor, when it calls the computer program in the memory, implements the steps of the malicious communication detection method provided in the foregoing embodiments. Of course, the electronic device may also include various network interfaces, power supplies, and the like. Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure; the electronic device according to the embodiment may include a processor 2101 and a memory 2102.
Optionally, the electronic device may further comprise a communication interface 2103, an input unit 2104, a display 2105, and a communication bus 2106.
The processor 2101, the memory 2102, the communication interface 2103, the input unit 2104, the display 2105, and so on communicate with each other via the communication bus 2106.
In the embodiment of the present application, the processor 2101 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or another programmable logic device.
The processor may call a program stored in the memory 2102. In particular, the processor may perform the operations performed by the electronic device in the above embodiments.
The memory 2102 stores one or more programs, which may include program code comprising computer operating instructions; in this embodiment, the memory stores at least one program for implementing the following functions:
acquiring communication traffic to be detected;
performing traffic encoding and decoding on the communication traffic to be detected to obtain communication features;
determining whether the communication features have a matching malicious communication pattern;
if so, confirming that the communication traffic to be detected is malicious communication traffic.
In one possible implementation, the memory 2102 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a topic detection function, etc.), and the like; the storage data area may store data created according to the use of the computer.
Further, the memory 2102 may include high speed random access memory, and may also include non-volatile memory, such as at least one disk storage device or other volatile solid state storage device.
The communication interface 2103 may be an interface of a communication module, such as an interface of a GSM module.
The electronic device may also include a display 2105 and an input unit 2104, among other components.
The structure of the electronic device shown in fig. 4 does not constitute a limitation of the electronic device in the embodiment of the present application, and in practical applications, the electronic device may include more or less components than those shown in fig. 4, or some components may be combined.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system provided by the embodiment, the description is relatively simple because the system corresponds to the method provided by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A malicious communication detection method, comprising:
acquiring communication traffic to be detected;
performing traffic encoding and decoding on the communication traffic to be detected to obtain communication features;
determining whether the communication features have a matching malicious communication pattern;
if so, confirming that the communication traffic to be detected is malicious communication traffic.
2. The malicious communication detection method according to claim 1, wherein determining whether the communication features have a matching malicious communication pattern comprises:
calling a malicious communication pattern data table to determine whether a malicious communication pattern containing all of the communication features exists.
3. The malicious communication detection method according to claim 2, wherein before determining whether the communication features have a matching malicious communication pattern, the method further comprises:
acquiring a configuration file of a hacker tool;
analyzing a data packet encryption mode corresponding to the hacker tool configuration file to obtain encryption features, the encryption features comprising an encryption method, an encryption time and an encryption object;
adding the encryption features to the malicious communication pattern data table as a malicious communication pattern.
4. The malicious communication detection method according to claim 2, wherein before determining whether the communication features have a matching malicious communication pattern, the method further comprises:
acquiring hacker traffic of a hacker tool;
analyzing the hacker traffic and integrating weak features of the hacker traffic to obtain the malicious communication pattern, and adding the malicious communication pattern to the malicious communication pattern data table, the weak features comprising any one or any combination of URL information, traffic timestamps and encoding values.
5. The method according to claim 1, wherein if the communication features of the communication traffic to be detected have a matching malicious communication pattern, before confirming that the communication traffic to be detected is malicious communication traffic, the method further comprises:
reverse-decrypting the communication traffic to be detected according to the encryption mode corresponding to the malicious communication pattern matched with the communication traffic to be detected;
if the decryption succeeds, executing the step of confirming that the communication traffic to be detected is malicious communication traffic.
6. The malicious communication detection method according to claim 1, wherein determining whether the communication features have a matching malicious communication pattern comprises:
determining whether the specific features have matching pending malicious communication patterns;
if not, confirming that the communication traffic to be detected is normal traffic;
if yes, determining whether the pending malicious communication patterns contain weak features;
if there is a target malicious communication pattern containing the weak features among the pending malicious communication patterns, taking the target malicious communication pattern as the malicious communication pattern that matches the communication features;
wherein the specific features comprise communication mode features and communication traffic features.
7. The malicious communication detection method according to claim 1, further comprising, after confirming that the communication traffic to be detected is malicious communication traffic:
generating alarm information corresponding to the malicious communication traffic, the alarm information indicating that the malicious communication traffic is hacker tool communication traffic.
8. A malicious communication detection system, comprising:
an acquisition module, configured to acquire communication traffic to be detected;
a communication feature extraction module, configured to perform traffic encoding and decoding on the communication traffic to be detected to obtain communication features;
a determining module, configured to determine whether the communication features have a matching malicious communication pattern;
a confirming module, configured to confirm that the communication traffic to be detected is malicious communication traffic when the determination result of the determining module is yes.
9. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, carrying out the steps of the malicious communication detection method according to any one of claims 1 to 7.
10. An electronic device, comprising a memory in which a computer program is stored and a processor which, when it invokes the computer program in the memory, implements the steps of the malicious communication detection method according to any one of claims 1 to 7.
CN202110224943.2A 2021-03-01 2021-03-01 Malicious communication detection method, system, storage medium and electronic device Pending CN112910920A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110224943.2A CN112910920A (en) 2021-03-01 2021-03-01 Malicious communication detection method, system, storage medium and electronic device


Publications (1)

Publication Number Publication Date
CN112910920A true CN112910920A (en) 2021-06-04

Family

ID=76108177

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110224943.2A Pending CN112910920A (en) 2021-03-01 2021-03-01 Malicious communication detection method, system, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN112910920A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114172720A (en) * 2021-12-03 2022-03-11 杭州安恒信息技术股份有限公司 Ciphertext attack flow detection method and related device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488400A (en) * 2014-12-13 2016-04-13 哈尔滨安天科技股份有限公司 Comprehensive detection method and system of malicious webpage
CN109190376A (en) * 2018-08-30 2019-01-11 郑州云海信息技术有限公司 A kind of Web page wooden horse detecting method, system and electronic equipment and storage medium
CN110113351A (en) * 2019-05-14 2019-08-09 辽宁途隆科技有限公司 The means of defence and device, storage medium, computer equipment of CC attack
CN111277587A (en) * 2020-01-19 2020-06-12 武汉思普崚技术有限公司 Malicious encrypted traffic detection method and system based on behavior analysis
CN111737696A (en) * 2020-06-28 2020-10-02 杭州安恒信息技术股份有限公司 Method, system and equipment for detecting malicious file and readable storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20210604