CN113132292B - Dynamic monitoring method and system for botnet control channel - Google Patents


Info

Publication number: CN113132292B
Authority: CN (China)
Prior art keywords: control end, information, control, monitoring, botnet
Legal status: Active
Application number: CN201911390201.6A
Other languages: Chinese (zh)
Other versions: CN113132292A (en)
Inventors: 刘紫千, 张敏, 常力元, 陈林, 刘长波, 佟欣哲, 朱文杰, 张晓华, 白燕妮, 李齐
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention relates to a dynamic monitoring method and a dynamic monitoring system for a botnet control channel. The method for dynamically monitoring a botnet control channel comprises the following steps: reading the monitoring information corresponding to each control end to be monitored, sending the monitoring information to a plurality of measurement nodes in the control channel, updating the state rule files of the measurement nodes, and, for each control end to be monitored, executing single-point active probing at each of the measurement nodes; collecting the probe results from the plurality of measurement nodes, judging the state of each control end, and outputting information on the active control ends; and, based on information from the traffic data system and on the active control ends, acquiring sampling data of the interactions with the active control ends in the control channel, and estimating the number of hosts corresponding to each control end with a biostatistical model based on the sampling data.

Description

Dynamic monitoring method and system for botnet control channel
Technical Field
The present invention relates to the field of communications network security, and more particularly, to a method and system for dynamically monitoring botnet control channels.
Background
At present, DDoS attack events on the Internet that are based on botnets occur constantly. Botnets have spread rapidly from PCs to Internet of Things devices, and the scale and strength of the DDoS attacks they launch keep setting new records. Large-area network outages caused by attacks on infrastructure, and attack incidents targeting enterprises and institutions, keep occurring, and botnets have become one of the most serious security threats on the Internet today.
If the dynamics of mainstream botnets in the backbone network can be tracked practically and effectively, DDoS attack events can be perceived more promptly, and a basis is provided for handling the botnets.
Therefore, designing a multipoint, multitask, concurrent monitoring scheme for botnets has become a technical problem that urgently needs to be solved in this field.
Disclosure of Invention
Most existing methods use protocol probing, an active measurement technique, to identify and detect the activity of a botnet control end. Protocol probing is a common active measurement technique: a packet is constructed according to the communication protocol of the probed object and sent to it, and the characteristics of the received data are parsed and matched. However, these methods lack dynamic monitoring and in-depth analysis of the control end, and they do not go further to measure and evaluate the scale of the botnet's hosts.
To address these shortcomings of the prior art, the invention aims to provide a monitoring scheme for botnets. The method uses sample reverse engineering and protocol probing to carry out deep interaction with the botnet control end, and the state of the control end is judged and recorded; the scale of the botnet's controlled hosts is then evaluated using a biostatistical model (such as the Chapman model) together with sampling statistics from within the control channel.
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. It should be understood, however, that this summary is not an exhaustive overview of the invention. It is not intended to identify key or critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
One aspect of the invention relates to a method for dynamically monitoring botnet control channels, comprising: reading the monitoring information corresponding to each control end to be monitored, sending the monitoring information to a plurality of measurement nodes in the control channel, updating the state rule files of the measurement nodes, and, for each control end to be monitored, executing single-point active probing at each of the measurement nodes; collecting the probe results from the plurality of measurement nodes, judging the state of each control end, and outputting information on the active control ends; and, based on information from the traffic data system and on the active control ends, acquiring sampling data of the interactions with the active control ends in the control channel, and estimating the number of hosts corresponding to each control end with a biostatistical model based on the sampling data.
One aspect of the invention relates to a system for dynamically monitoring botnet control channels, comprising: a probing system configured to read the monitoring information corresponding to each control end to be monitored, issue the monitoring information to a plurality of measurement nodes in the control channel, update the state rule files of the plurality of measurement nodes, and, for each control end to be monitored, execute single-point active probing at each of the plurality of measurement nodes; a determination system configured to collect and analyze the probe results from the plurality of measurement nodes, judge the state of each control end, and output information on the active control ends; and an evaluation system configured to acquire, based on information from the traffic data system and on the active control ends, sampling data of the interactions with the control ends in the control channel, and to estimate a host value corresponding to each control end with a biostatistical model based on the sampling data.
One aspect of the invention relates to an apparatus for dynamically monitoring botnet control channels, comprising: a memory; and a processor coupled to the memory and configured to perform the above-described method for dynamically monitoring botnet control channels.
One aspect of the present invention relates to a computer-readable storage medium having stored thereon executable instructions that, when executed by an information processing apparatus, cause the information processing apparatus to perform the above-described method for dynamically monitoring botnet control channels.
The method and system for dynamically monitoring botnet control channels help monitor the state of botnets better, and thereby improve the perception of the DDoS attack situation in the backbone network.
Other features of the present invention and advantages thereof will become more apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the invention and together with the description, serve to explain the principles of the invention.
The invention will be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
FIG. 1 is a flowchart illustrating a method of dynamically monitoring botnet control channels in accordance with an exemplary embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method of dynamically monitoring botnet control channels in accordance with another exemplary embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method of dynamically monitoring botnet control channels in accordance with yet another exemplary embodiment of the present invention; and
FIG. 4 is a schematic diagram illustrating a system for dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention.
Detailed Description
Hereinafter, preferred exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. Note that in this specification and the drawings, the same reference numerals are used in common between different drawings to denote the same portions or portions having the same functions, and therefore, a repetitive description thereof will be omitted. In this specification, like reference numerals and letters are used to designate like items, and therefore, once an item is defined in one drawing, further discussion thereof is not required in subsequent drawings.
For convenience of understanding, the positions, sizes, ranges, and the like of the structures shown in the drawings sometimes do not indicate the actual positions, sizes, ranges, and the like. Therefore, the disclosed invention is not limited to the positions, dimensions, ranges, etc., shown in the drawings.
Exemplary embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these exemplary embodiments do not limit the scope of the present invention unless specifically stated otherwise.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. That is, the communication apparatus and the communication method herein are shown by way of example to explain exemplary embodiments of the structures and methods in the present invention. Those skilled in the art will appreciate, however, that they are merely illustrative of ways in which the invention may be practiced and not exhaustive. Furthermore, the figures are not necessarily to scale, some features may be exaggerated to show details of particular components.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
Fig. 1 is a flowchart illustrating a method of dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention.
As shown in fig. 1, the method for dynamically monitoring a botnet control channel according to the exemplary embodiment of the present invention analyzes and evaluates a control end and a controlled host, thereby implementing dynamic monitoring of the botnet control channel.
Specifically, the method 100 of dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention mainly includes steps S102, S104, S106, S108, S110, and S112, wherein:
in step S102, the detection system reads monitoring information corresponding to a control end to be monitored, and issues the monitoring information to a plurality of measurement nodes in a control channel.
In the method of dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention, the monitoring information includes control end IP, control end ports, and botnet family information.
In step S104, the probing system updates the state rule files of the plurality of measurement nodes.
At step S106, the probing system performs single-point active probing at each of the plurality of measurement nodes for each control end to be monitored.
At step S108, the determination system collects the detection results at the plurality of measurement nodes, determines the state of the control end, and outputs information of the active control end to the evaluation system.
In the method of dynamically monitoring a botnet control channel according to an exemplary embodiment of the present invention, the determination system determines the state of the control end using a "one-pass" criterion based on the record of multipoint measurements. That is, the determination system judges the control end to be active as long as at least one measurement node detects it in an active state.
In the method of dynamically monitoring a botnet control channel according to an exemplary embodiment of the present invention, the determination system merges and deduplicates the collected probe results and outputs the probing process and the processed probe result data to the monitoring information storage system, and the monitoring information storage system stores the probing process and the processed probe result data.
At step S110, the evaluation system obtains sampling data interacting with the active control end in the control channel based on the information of the traffic data system and the active control end.
In a method of dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention, the traffic data system is a traceability system.
In the method of dynamically monitoring a botnet control channel according to an exemplary embodiment of the present invention, the sampling data is obtained by sampling the five-tuple information of the channel over a fixed period of time at least twice.
At step S112, the evaluation system estimates a host value corresponding to the control end using the biostatistical model based on the sampling data, and outputs the estimated host value to the monitoring information storage system.
In a method of dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention, a monitoring information storage system stores estimated host values.
In the method for dynamically monitoring the botnet control channel according to the exemplary embodiment of the present invention, the host values at least include dimensions such as a timestamp, a control end IP address and port, a botnet type, a host estimation number, and a tracing range.
In the method of dynamically monitoring botnet control channels according to an exemplary embodiment of the invention, the biometric model is a Chapman model.
As described above with reference to fig. 1, the method for dynamically monitoring botnets according to the exemplary embodiment of the present invention interactively probes the control ends to be monitored according to the state definitions of botnet control ends, and evaluates their host scale. The method supports multi-node, multi-task concurrent execution, which avoids the result deviation that single-point measurement may cause. In addition, the method uses a biostatistical model and the sampling statistics from the control channel to estimate the host scale of the botnet, providing a basis for subsequent handling of the botnet.
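The following is an added illustration of steps S108 to S112, not code from the patent: probe results from several measurement nodes are merged and deduplicated and judged with the "one-pass" rule, and the host scale of each active control end is then estimated with Chapman's capture-recapture estimator applied to two five-tuple samples. The node names, addresses, family labels and flow records are constructed for the example; the record layout follows the dimensions the text lists.

```python
"""Added example (not the patent's own code): 'one-pass' judgement over
multi-node probe results, merge/dedup, and a Chapman capture-recapture
estimate of controlled-host scale from two five-tuple sampling windows.
All data is constructed; field names are assumptions, not the patent's."""
from collections import namedtuple
from dataclasses import dataclass


# One probe result reported by one measurement node for one control end.
@dataclass(frozen=True)
class ProbeResult:
    node: str
    c2_ip: str
    c2_port: int
    family: str
    state: str        # "active", "inactive" or "timeout"


def judge_control_ends(results):
    """Group results by control end and apply the 'one-pass' rule:
    a control end is active if ANY node observed an active state.
    Repeated reports from the same node collapse into the sets (dedup)."""
    merged = {}
    for r in results:
        key = (r.c2_ip, r.c2_port, r.family)
        entry = merged.setdefault(key, {"nodes_seen": set(), "nodes_active": set()})
        entry["nodes_seen"].add(r.node)
        if r.state == "active":
            entry["nodes_active"].add(r.node)
    return {key: {"active": bool(e["nodes_active"]), **e} for key, e in merged.items()}


def active_control_ends(results):
    """Only the control ends judged active are passed on to evaluation."""
    return [k for k, v in judge_control_ends(results).items() if v["active"]]


# A five-tuple flow record as a traffic/traceability system would sample it.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")


def hosts_talking_to(flows, c2_ip, c2_port):
    """Distinct source hosts seen interacting with the given control end."""
    return {f.src_ip for f in flows if f.dst_ip == c2_ip and f.dst_port == c2_port}


def chapman_estimate(sample1, sample2):
    """Chapman's bias-corrected Lincoln-Petersen estimator and its variance.
    n1, n2: hosts captured in each window; m: hosts captured in both.
    Unlike plain Lincoln-Petersen it stays finite when m == 0."""
    n1, n2, m = len(sample1), len(sample2), len(sample1 & sample2)
    n_hat = (n1 + 1) * (n2 + 1) / (m + 1) - 1
    variance = (n1 + 1) * (n2 + 1) * (n1 - m) * (n2 - m) / ((m + 1) ** 2 * (m + 2))
    return n_hat, variance


def estimate_host_scale(window1, window2, c2_ip, c2_port, family, timestamp, tracing_range):
    """Steps S110/S112: two sampling windows of the channel, then the estimate.
    Returns a record with the dimensions the text names."""
    s1 = hosts_talking_to(window1, c2_ip, c2_port)
    s2 = hosts_talking_to(window2, c2_ip, c2_port)
    n_hat, variance = chapman_estimate(s1, s2)
    return {
        "timestamp": timestamp,
        "c2_ip": c2_ip, "c2_port": c2_port, "family": family,
        "host_estimate": round(n_hat),
        "host_estimate_sd": variance ** 0.5,
        "observed_hosts": len(s1 | s2),   # lower bound the estimate must not fall below
        "tracing_range": tracing_range,
    }


# ---- constructed sample data (documentation/test address ranges) ----
PROBES = [
    ProbeResult("node-A", "203.0.113.10", 6667, "fam-X", "inactive"),
    ProbeResult("node-B", "203.0.113.10", 6667, "fam-X", "active"),
    ProbeResult("node-B", "203.0.113.10", 6667, "fam-X", "active"),   # duplicate report
    ProbeResult("node-C", "203.0.113.10", 6667, "fam-X", "timeout"),
    ProbeResult("node-A", "203.0.113.20", 8080, "fam-Y", "inactive"),
    ProbeResult("node-B", "203.0.113.20", 8080, "fam-Y", "timeout"),
]


def _flows(src_hosts, c2_ip, c2_port):
    return [Flow(h, 40000 + i, c2_ip, c2_port, "tcp") for i, h in enumerate(src_hosts)]


# Two windows against the active control end: 6 hosts, then 7 hosts,
# with 3 hosts (192.0.2.4-6) captured in both windows.
WINDOW1 = _flows([f"192.0.2.{i}" for i in range(1, 7)], "203.0.113.10", 6667)
WINDOW2 = _flows([f"192.0.2.{i}" for i in range(4, 11)], "203.0.113.10", 6667)
WINDOW2 += _flows(["198.51.100.9"], "203.0.113.20", 8080)   # traffic to another C2, ignored

if __name__ == "__main__":
    for c2 in active_control_ends(PROBES):
        rec = estimate_host_scale(WINDOW1, WINDOW2, *c2, "2020-01-01T00:00:00Z", "backbone-sample")
        print(rec)   # host_estimate 13: (6+1)(7+1)/(3+1) - 1
```

With only 10 distinct hosts actually observed, the estimator reports 13, which is the kind of gap between "hosts seen" and "hosts estimated" the evaluation step is meant to expose.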
Fig. 2 is a flowchart illustrating a method of dynamically monitoring botnet control channels according to another exemplary embodiment of the present invention.
As shown in fig. 2, the method 200 of dynamically monitoring botnet control channels corresponds to the processing performed in step S104 of the method 100 shown in fig. 1. That is, the method 200 of dynamically monitoring botnet control channels is a further description of the processing performed in step S104 shown in fig. 1.
At step S202, the detection system confirms whether the state rule file contains a botnet family type to be monitored.
At step S204, the detection system determines whether the state rule file at least includes, for each of the three states (survival, heartbeat, and attack initiation), the packet-sending rule, the timeout waiting time, the reply-packet parsing rule, and the like.
Fig. 3 is a flowchart illustrating a method of dynamically monitoring botnet control channels according to yet another exemplary embodiment of the present invention.
As shown in fig. 3, the method 300 of dynamically monitoring botnet control channels corresponds to the processing performed in step S106 of the method 100 shown in fig. 1. That is, the method 300 of dynamically monitoring botnet control channels is a further description of the process performed in step S106 shown in fig. 1.
In step S302, the detection system constructs a data packet for each control end to be monitored, sends the data packet to the control end, and monitors data packet information replied by each control end to be monitored.
In step S304, the detection system analyzes the replied packet information according to the state rule file, and determines whether the control end is in an active attack state.
In step S306, the detection system continuously sends the data packet, maintains data interaction with the control end, keeps dynamically monitoring the control end, and records the attack instruction information.
In a method of dynamically monitoring botnet control channels according to still another exemplary embodiment of the present invention, the attack instruction information includes at least the attacked IP address, the attacked port, the attack type, the attack duration, and the like.
For a more complete understanding of the present invention, a specific example of a system for dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention will be described in detail below, taking FIG. 4 as an example. Note that this example is not intended to be construed as limiting the invention. For example, the present invention is not limited to the specific configuration shown in FIG. 4, but is applicable to all dynamic monitoring of botnet control channels with the same requirements or design considerations. The features of the method for dynamically monitoring botnet control channels described above in connection with fig. 1 apply to the corresponding features here.
FIG. 4 is a schematic diagram illustrating a system for dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention.
As shown in FIG. 4, the system includes a detection system 402, a determination system 404, an evaluation system 406, and a monitoring information storage system 408, wherein
The detection system 402 is configured to read monitoring information corresponding to a control end to be monitored; sending the monitoring information to a plurality of measuring nodes in a control channel; updating the state rule files of the plurality of measurement nodes; and for each control terminal to be monitored, performing single-point active probing at each of the plurality of measurement nodes.
In the system for dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention, the monitoring information includes control end IP, control end port, and botnet family information.
In the system for dynamically monitoring a botnet control channel according to the exemplary embodiment of the present invention, the detection system 402 is further configured to determine whether the state rule file includes a botnet family type to be monitored, and determine whether the state rule file at least includes a packet sending rule, a timeout waiting time, a reply packet parsing rule, and the like of three states of survival, heartbeat, and attack initiation.
In the system for dynamically monitoring a botnet control channel according to the exemplary embodiment of the present invention, the detection system 402 is further configured to construct a data packet for each control end to be monitored, send the data packet to the control end, monitor data packet information replied by each control end to be monitored, analyze the replied data packet information according to the state rule file, and determine a state of the control end; continuously sending the data packet and judging whether the control end is in an active attack state; and maintaining data interaction with the control end, keeping dynamic monitoring on the control end, and recording attack instruction information.
The determination system 404 is configured to collect the probe results from the multiple measurement nodes and determine the state of each control end; output the information on the active control ends to the evaluation system; merge and deduplicate the collected probe results; and output the probing process and the processed probe result data to the monitoring information storage system.
In a system for dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention, the determination system 404 determines the state of the control end using a "one-pass" criterion based on the record of multipoint measurements. That is, the determination system 404 judges the control end to be active as long as at least one measurement node detects it in an active state.
The evaluation system 406 is configured to obtain, based on information from the traffic data system and on the active control ends, sampling data of the interactions with the active control ends in the control channel; estimate a host value corresponding to each control end using a biostatistical model based on the sampling data; and output the estimated host value to the monitoring information storage system.
In a system for dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention, the traffic data system is a traceability system.
In the system for dynamically monitoring a botnet control channel according to the exemplary embodiment of the present invention, the sampling data is obtained by sampling the five-tuple information of the channel over a fixed period of time at least twice.
In the system for dynamically monitoring the botnet control channel according to the exemplary embodiment of the present invention, the host values at least include dimensions such as a timestamp, a control end IP address and port, a botnet type, a host estimation number, and a tracing range.
In a system for dynamically monitoring botnet control channels according to an exemplary embodiment of the present invention, the biometric model is a Chapman model.
The monitoring information storage system 408 is used to store the probing process, the processed probing result data, and the estimated host value.
As shown in fig. 1, 2, 3 and 4, the method and system for dynamically monitoring botnet control channels according to the present invention deeply identifies the state of the control end through interactive monitoring, continuously tracks the state of the control end, and estimates the scale of a host of a botnet using a biometric model.
With reference to the foregoing description of exemplary embodiments of the invention, those skilled in the art will readily appreciate that the invention has the following advantages and technical effects:
The method and system for dynamically monitoring botnet control channels do not merely compare botnet feature codes statically, but also support multiple rounds of active, in-depth interaction. In addition, the method and system not only consider the state of the botnet control end, but also estimate the host scale of the botnet with a biostatistical model. The types of instructions analyzed are richer and more comprehensive, and include the online, heartbeat, attack-initiation and attack-stop instructions in the control channel, among others. By tracking the instruction details of the botnet, the method can grasp the actual situation of the control end accurately and in detail, providing a basis for subsequent handling of the botnet.
One skilled in the art will appreciate that the present disclosure may be embodied as a method, system, apparatus, or computer-readable medium (e.g., non-transitory storage medium) as a computer program product. Accordingly, the present disclosure may be embodied in various forms, such as an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-program code, etc.) or an embodiment combining software and hardware aspects that may all be referred to hereinafter as a "circuit," "module" or "system." Furthermore, the present disclosure may also be embodied in any tangible media as a computer program product having computer usable program code stored thereon.
The description of the present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, systems, apparatus, and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and any combination of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be executed by a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, implement the functions or acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams of the architecture, functionality, and operation of a method, system, apparatus, and computer program product that may be implemented according to various embodiments of the present disclosure are shown in the accompanying drawings. Accordingly, each block in the flowchart or block diagrams may represent a module, segment, or portion of program code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in the drawings may be executed substantially concurrently, or in some cases, in the reverse order from the drawing depending on the functions involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As used herein, the word "exemplary" means "serving as an example, instance, or illustration," and not as a "model" that is to be replicated accurately. Any implementation exemplarily described herein is not necessarily to be construed as preferred or advantageous over other implementations. Furthermore, there is no intention to be bound by any expressed or implied theory presented in the preceding technical field, background, brief summary or the following detailed description.
As used herein, the word "substantially" is intended to encompass any minor variations due to design or manufacturing imperfections, tolerances of the devices or components, environmental influences and/or other factors. The word "substantially" also allows for differences from a perfect or ideal situation due to parasitic effects, noise, and other practical considerations that may exist in a practical implementation.
In addition, "first," "second," and like terms may also be used herein for reference purposes only, and thus are not intended to be limiting. For example, the terms "first," "second," and other such numerical terms referring to structures or elements do not imply a sequence or order unless clearly indicated by the context.
It will be further understood that the terms "comprises/comprising," "includes" and/or "including," when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
In the present invention, the term "providing" is used broadly to encompass all ways of obtaining an object, and thus "providing an object" includes, but is not limited to, "purchasing," "preparing/manufacturing," "arranging/setting," "installing/assembling," and/or "ordering" the object, and the like.
Those skilled in the art will appreciate that the boundaries between the operations described above are merely illustrative. Multiple operations may be combined into a single operation, a single operation may be distributed over additional operations, and operations may be performed at least partially overlapping in time. Moreover, alternative exemplary embodiments may include multiple instances of a particular operation, and the order of operations may be altered in other exemplary embodiments. Other modifications, variations, and alternatives are also possible. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.
In addition, embodiments of the present invention may also include the following examples:
(1) a method for dynamically monitoring botnet control channels, the method comprising:
reading monitoring information corresponding to a control end (command-and-control server) to be monitored, issuing the monitoring information to a plurality of measurement nodes in the control channel, updating the state rule file of each measurement node, and performing single-point active probing of each control end to be monitored at each of the measurement nodes;
collecting the probing results from the plurality of measurement nodes, judging the state of each control end, and outputting the information of the active control ends; and
acquiring, based on the information from a traffic data system and on the active control ends, sampling data of the traffic exchanged with each active control end in the control channel, and estimating a host count for the control end from the sampling data using a biostatistical model.
(2) The method of (1), wherein updating the state rule file of the plurality of measurement nodes comprises:
determining whether the state rule file contains a botnet family type to be monitored; and
and determining whether the state rule file at least comprises a packet sending rule, a timeout waiting time, a reply packet analysis rule and the like of three states of survival, heartbeat and attack initiation.
(3) The method according to (1), wherein the single-point active probing performed on the control end comprises:
constructing a probe packet for each control end to be monitored, sending it to the control end, and listening for the reply packets from each control end to be monitored;
parsing the reply packets according to the state rule file and judging whether the control end is in an active state; and
continuing to send packets so as to maintain the data interaction with the control end, keeping the control end under dynamic monitoring, and recording the attack instruction information it issues.
(4) The method according to (3), wherein the attack instruction information includes at least: the target IP address, the target port, the attack type and the attack duration.
(5) The method according to (1), wherein the control end is judged to be active whenever it is detected as active at any one of the measurement nodes.
(6) The method according to (1), wherein the sampling data is five-tuple information (source IP, source port, destination IP, destination port, protocol) sampled at least twice over a fixed period of time.
(7) The method according to (1), wherein the traffic data system is a traceability system, and the host count comprises at least the following dimensions: timestamp, control end IP address and port, botnet type, estimated number of hosts, and traceability range.
(8) The method of (1), further comprising:
merging and de-duplicating the collected detection result data, and outputting a detection process and the processed detection result data;
outputting the estimated host value; and
storing the probing process, the processed probing result data, and the estimated host value.
(9) The method according to (1), wherein:
the monitoring information comprises the control end IP, the control end port and the botnet family information; and
the biostatistical model is the Chapman model (a capture-recapture population estimator).
(10) A system for dynamically monitoring botnet control channels, the system comprising:
a probing system configured to read monitoring information corresponding to a control end to be monitored, issue the monitoring information to a plurality of measurement nodes in the control channel, update the state rule file of each of the measurement nodes, and perform single-point active probing of each control end to be monitored at each of the measurement nodes;
a judging system configured to collect and analyse the probing results of the plurality of measurement nodes, judge the state of each control end and output the information of the active control ends; and
an evaluation system configured to acquire, based on the information from a traffic data system and on the active control ends, sampling data of the traffic exchanged with each active control end in the control channel, and to estimate a host count for the control end from the sampling data using a biostatistical model.
(11) The system of (10), wherein the probing system is further configured to:
determining whether the state rule file contains a botnet family type to be monitored; and
and determining whether the state rule file at least comprises a packet sending rule, a timeout waiting time, a reply packet analysis rule and the like of three states of survival, heartbeat and attack initiation.
(12) The system of (10), wherein the detection system is further configured to:
constructing a data packet for each control terminal to be monitored, sending the data packet to the control terminal, and monitoring data packet information replied by each control terminal to be monitored;
analyzing the replied data packet information according to the state rule file, and judging whether the control end is in an active state; and
and continuously sending the data packet, maintaining data interaction with the control end, keeping dynamic monitoring on the control end and recording attack instruction information.
(13) The system according to (10), characterized in that,
the judging system is further configured to merge and de-duplicate the collected probing result data and to output the probing process and the processed probing result data to a monitoring information storage system; and
the evaluation system is further configured to output the estimated host count to the monitoring information storage system.
(14) The system of (13), further comprising the monitoring information storage system, configured to store the probing process, the processed probing result data, and the estimated host count.
(15) An apparatus for dynamically monitoring botnet control channels, comprising:
a memory; and
a processor coupled to the memory and configured to perform the method of any of (1) through (9).
(16) A computer-readable storage medium having stored thereon executable instructions that, when executed by an information processing apparatus, cause the information processing apparatus to execute the method according to any one of (1) to (9).
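The rule-file check of (2)/claim 2, the single-point probing loop of (3)/claim 3, the any-node judgement of (5)/claim 5 and the merge-and-deduplicate step of (8)/claim 8, as one added example in Python. This is not the patent's or China Telecom's code. The "PING/PONG", "HB/OK" and "ATTACK ..." strings form a constructed toy protocol for a hypothetical family "toyfam", used only to exercise the rule-file logic; no real botnet family speaks it. The transport is injected as a callable so the block runs offline; a real node would back it with a socket whose recv timeout is the rule's timeout value.

```python
"""Rule-file-driven single-point active probing of a botnet control end,
plus multi-node judgement and merging of the results.

Added example; not code from the patent. The protocol strings below are a
constructed toy protocol for a hypothetical family "toyfam".
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

REQUIRED_STATES = ("alive", "heartbeat", "attack")   # the three states of claim 2
REQUIRED_KEYS = ("send", "timeout", "reply")         # packet rule, timeout, reply-parse rule

# Constructed rule file for the hypothetical family "toyfam".
TOY_RULES = {
    "family": "toyfam",
    "states": {
        "alive":     {"send": b"PING\n", "timeout": 2.0, "reply": r"^PONG\b"},
        "heartbeat": {"send": b"HB\n",   "timeout": 2.0, "reply": r"^OK\b"},
        "attack":    {"send": b"CMD?\n", "timeout": 2.0,
                      "reply": r"^ATTACK (?P<ip>\S+) (?P<port>\d+) (?P<type>\S+) (?P<duration>\d+)"},
    },
}

# A transport sends one payload and returns the reply, or None on timeout.
Transport = Callable[[bytes, float], Optional[bytes]]


def validate_rule_file(rules: dict, family: str) -> List[str]:
    """Checks run when a rule file is pushed to a measurement node (claim 2).
    Returns a list of problems; an empty list means the file is usable."""
    problems = []
    if rules.get("family") != family:
        problems.append(f"rule file is for family {rules.get('family')!r}, not {family!r}")
    states = rules.get("states", {})
    for st in REQUIRED_STATES:
        if st not in states:
            problems.append(f"missing state {st!r}")
            continue
        for key in REQUIRED_KEYS:
            if key not in states[st]:
                problems.append(f"state {st!r} lacks {key!r}")
    return problems


@dataclass
class ProbeResult:
    node: str
    active: bool
    attacks: List[dict] = field(default_factory=list)


def probe_once(node: str, rules: dict, transport: Transport, rounds: int = 3) -> ProbeResult:
    """Single-point active probing at one measurement node (claim 3):
    alive check, then repeated heartbeat plus instruction harvesting."""
    states = rules["states"]

    def exchange(state: str) -> Optional[re.Match]:
        rule = states[state]
        reply = transport(rule["send"], rule["timeout"])
        if reply is None:                       # timeout: no usable reply
            return None
        return re.match(rule["reply"], reply.decode("ascii", "replace"))

    if exchange("alive") is None:
        return ProbeResult(node, active=False)
    result = ProbeResult(node, active=True)
    for _ in range(rounds):                     # keep the session up, record instructions
        if exchange("heartbeat") is None:
            break
        m = exchange("attack")
        if m:
            result.attacks.append({"ip": m["ip"], "port": int(m["port"]),
                                   "type": m["type"], "duration": int(m["duration"])})
    return result


def judge(results: List[ProbeResult]) -> dict:
    """Control end is active if any node saw it active (claim 5); attack
    records are merged and de-duplicated across nodes (claim 8)."""
    seen, merged = set(), []
    for r in results:
        for a in r.attacks:
            key = (a["ip"], a["port"], a["type"], a["duration"])
            if key not in seen:
                seen.add(key)
                merged.append(a)
    return {"active": any(r.active for r in results),
            "active_nodes": [r.node for r in results if r.active],
            "attacks": merged}


def make_fake_c2(reachable: bool, pending: List[bytes]) -> Transport:
    """Constructed in-memory stand-in for a control end speaking the toy protocol."""
    queue = list(pending)

    def transport(payload: bytes, timeout: float) -> Optional[bytes]:
        if not reachable:
            return None                         # every probe times out
        if payload == b"PING\n":
            return b"PONG\n"
        if payload == b"HB\n":
            return b"OK\n"
        if payload == b"CMD?\n":
            return queue.pop(0) if queue else b"IDLE\n"
        return None
    return transport


def demo() -> dict:
    """Three nodes probe one control end; node-b's path is blocked."""
    cmd = b"ATTACK 203.0.113.5 80 syn 60\n"    # constructed instruction
    nodes = {
        "node-a": make_fake_c2(True, [cmd]),
        "node-b": make_fake_c2(False, []),
        "node-c": make_fake_c2(True, [cmd, b"ATTACK 203.0.113.9 443 udp 30\n"]),
    }
    return judge([probe_once(name, TOY_RULES, t) for name, t in nodes.items()])
```

The "active if any node says so" rule is what makes the multi-node layout worthwhile: a probing address that the operator has blocked, or a node behind a path that drops the family's port, reports a timeout, and a single-node design would wrongly mark the control end dead. The same probes are visible to the operator as check-ins from addresses that never receive tasks, so nodes should expect to be fingerprinted and rotated.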
Although certain specific exemplary embodiments of this invention have been described in detail by way of illustration, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the invention. The various exemplary embodiments disclosed herein may be combined in any combination without departing from the spirit and scope of the present invention. Those skilled in the art will also appreciate that various modifications may be made to the exemplary embodiments without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.

Claims (16)

1. A method for dynamically monitoring botnet control channels, the method comprising:
reading monitoring information corresponding to a control end to be monitored, issuing the monitoring information to a plurality of measurement nodes in the control channel, updating the state rule file of each measurement node, and performing single-point active probing of each control end to be monitored at each of the measurement nodes;
collecting the probing results from the plurality of measurement nodes, judging the state of each control end, and outputting the information of the active control ends; and
acquiring, based on the information from a traceability system and on the active control ends, sampling data of the traffic exchanged with each active control end in the control channel, and estimating a host count for the control end from the sampling data using a biostatistical model.
2. The method of claim 1, wherein updating the state rule file for the plurality of measurement nodes comprises:
determining whether the state rule file contains a botnet family type to be monitored; and
and determining whether the state rule file at least comprises a packet sending rule, a timeout waiting time and a reply packet analysis rule of three states of survival, heartbeat and attack initiation.
3. The method of claim 1, wherein the single-point active probing performed on the control end comprises:
constructing a probe packet for each control end to be monitored, sending it to the control end, and listening for the reply packets from each control end to be monitored;
parsing the reply packets according to the state rule file and judging whether the control end is in an active state; and
continuing to send packets so as to maintain the data interaction with the control end, keeping the control end under dynamic monitoring, and recording the attack instruction information it issues.
4. The method according to claim 3, wherein the attack instruction information includes at least: the target IP address, the target port, the attack type and the attack duration.
5. The method of claim 1, wherein the control end is judged to be active whenever it is detected as active at any one of the measurement nodes.
6. The method according to claim 1, wherein the sampling data is five-tuple information (source IP, source port, destination IP, destination port, protocol) sampled at least twice over a fixed period of time.
7. The method of claim 1, wherein the host count comprises at least the following dimensions: timestamp, control end IP address and port, botnet type, estimated number of hosts, and traceability range.
8. The method of claim 1, further comprising:
merging and de-duplicating the collected detection result data, and outputting a detection process and the processed detection result data;
outputting the estimated host value; and
storing the probing process, the processed probing result data, and the estimated host value.
9. The method of claim 1, wherein:
the monitoring information comprises the control end IP, the control end port and the botnet family information; and
the biostatistical model is the Chapman model (a capture-recapture population estimator).
10. A system for dynamically monitoring botnet control channels, the system comprising:
a probing system configured to read monitoring information corresponding to a control end to be monitored, issue the monitoring information to a plurality of measurement nodes in the control channel, update the state rule file of each of the measurement nodes, and perform single-point active probing of each control end to be monitored at each of the measurement nodes;
a judging system configured to collect and analyse the probing results of the plurality of measurement nodes, judge the state of each control end and output the information of the active control ends; and
an evaluation system configured to acquire, based on the information from a traceability system and on the active control ends, sampling data of the traffic exchanged with each active control end in the control channel, and to estimate a host count for the control end from the sampling data using a biostatistical model.
11. The system of claim 10, wherein the probing system is further configured to:
when updating the state rule files of the plurality of measurement nodes, determine whether the state rule file contains the botnet family type to be monitored; and
determine whether the state rule file contains at least a packet-sending rule, a timeout waiting time and a reply-packet parsing rule for each of the three states: alive, heartbeat and attack initiation.
12. The system of claim 10, wherein the probing system is further configured to:
construct a probe packet for each control end to be monitored, send it to the control end, and listen for the reply packets from each control end to be monitored;
parse the reply packets according to the state rule file and judge whether the control end is in an active state; and
continue to send packets so as to maintain the data interaction with the control end, keep the control end under dynamic monitoring, and record the attack instruction information it issues.
13. The system of claim 10, wherein:
the judging system is further configured to merge and de-duplicate the collected probing result data and to output the probing process and the processed probing result data to a monitoring information storage system; and
the evaluation system is further configured to output the estimated host count to the monitoring information storage system.
14. The system of claim 13, further comprising the monitoring information storage system, configured to store the probing process, the processed probing result data, and the estimated host count.
15. An apparatus for dynamically monitoring botnet control channels, comprising:
a memory; and
a processor coupled to the memory and configured to perform the method of any of claims 1-9.
16. A computer-readable storage medium having stored thereon executable instructions that, when executed by an information processing apparatus, cause the information processing apparatus to perform the method of any one of claims 1-9.
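The host-count estimate of (6), (7) and (9) and of claims 6, 7 and 9, as an added example in Python that is not the patent's or China Telecom's code. Two samples of five-tuple records are reduced to the set of distinct source addresses that talked to the control end, and the Chapman capture-recapture estimator (the "Chapman model" named in claim 9) is applied to the two sample sizes and their overlap. The flow records, the control end 198.51.100.7:6667 and every bot address are constructed (documentation ranges); treating the "traceability range" dimension as the pair of sampling windows is an assumption, as is the choice of the approximate 95% interval.

```python
"""Host-count estimation for an active control end with the Chapman
capture-recapture estimator, from two samples of five-tuple flow records.

Added example; not code from the patent. All addresses and records below
are constructed; the "traceability range" field is assumed to be the pair
of sampling windows.
"""
import math
from typing import Iterable, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One sampled five-tuple record."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def bots_talking_to(flows: Iterable[Flow], c2_ip: str, c2_port: int, proto: str) -> Set[str]:
    """Distinct source addresses that interacted with the control end.
    Counting distinct IPs rather than flows stops a chatty bot from being
    counted once per connection; flows to other servers are ignored."""
    return {f.src_ip for f in flows
            if f.dst_ip == c2_ip and f.dst_port == c2_port and f.proto == proto}


def chapman(n1: int, n2: int, m: int) -> Tuple[float, float]:
    """Chapman's modified Lincoln-Petersen estimator and its variance.
    N_hat = (n1+1)(n2+1)/(m+1) - 1 stays finite when the two samples share
    no host (m == 0), where the plain n1*n2/m would divide by zero."""
    n_hat = (n1 + 1) * (n2 + 1) / (m + 1) - 1
    var = (n1 + 1) * (n2 + 1) * (n1 - m) * (n2 - m) / ((m + 1) ** 2 * (m + 2))
    return n_hat, var


def estimate_hosts(sample1, sample2, *, c2_ip, c2_port, proto, botnet_type,
                   timestamp, windows) -> dict:
    """Build the host-count record with the dimensions listed in claim 7."""
    first = bots_talking_to(sample1, c2_ip, c2_port, proto)
    second = bots_talking_to(sample2, c2_ip, c2_port, proto)
    n_hat, var = chapman(len(first), len(second), len(first & second))
    half_width = 1.96 * math.sqrt(var)          # approximate 95% interval (assumption)
    observed = len(first | second)              # hosts actually seen: a hard lower bound
    return {
        "timestamp": timestamp,
        "control_ip": c2_ip,
        "control_port": c2_port,
        "botnet_type": botnet_type,
        "host_estimate": round(n_hat),
        "ci95": (max(observed, round(n_hat - half_width)), round(n_hat + half_width)),
        "traceability_range": windows,
        "observed": {"n1": len(first), "n2": len(second), "m": len(first & second)},
    }


# Constructed sample data.
C2_IP, C2_PORT, PROTO = "198.51.100.7", 6667, "tcp"


def _flows(ips, proto=PROTO, dst_port=C2_PORT, dst_ip=C2_IP, base_port=40000):
    return [Flow(ip, base_port + i, dst_ip, dst_port, proto) for i, ip in enumerate(ips)]


# Window 1: ten bots; one of them opens a second connection; one unrelated
# flow to a different server must not be counted.
SAMPLE_1 = (_flows([f"192.0.2.{i}" for i in range(1, 11)])
            + _flows(["192.0.2.3"], base_port=50000)
            + _flows(["192.0.2.99"], dst_ip="198.51.100.8", dst_port=80))

# Window 2: four of those bots seen again plus four new ones; a UDP flow to
# the control port does not match the family's protocol and is dropped.
SAMPLE_2 = (_flows([f"192.0.2.{i}" for i in range(7, 11)]
                   + [f"203.0.113.{i}" for i in range(1, 5)])
            + _flows(["192.0.2.50"], proto="udp"))


def demo() -> dict:
    return estimate_hosts(SAMPLE_1, SAMPLE_2, c2_ip=C2_IP, c2_port=C2_PORT, proto=PROTO,
                          botnet_type="toyfam", timestamp="2019-12-30T12:00:00Z",
                          windows=("window-1", "window-2"))
```

With n1 = 10, n2 = 8 and m = 4 the estimate is (11 x 9)/5 - 1 = 18.8, so the record reports 19 hosts although only 14 distinct addresses were ever seen. The estimator assumes a closed population with equal capture probability between the two windows; bots that join or leave between samples, DHCP re-assignment (one bot, two addresses) and NAT (many bots, one address) all bias it, so the two windows should be close together and the "observed" counts kept alongside the estimate.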
CN201911390201.6A 2019-12-30 2019-12-30 Dynamic monitoring method and system for botnet control channel Active CN113132292B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911390201.6A CN113132292B (en) 2019-12-30 2019-12-30 Dynamic monitoring method and system for botnet control channel


Publications (2)

Publication Number Publication Date
CN113132292A CN113132292A (en) 2021-07-16
CN113132292B true CN113132292B (en) 2022-09-06

Family

ID=76767339


Country Status (1)

Country Link
CN (1) CN113132292B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571487A (en) * 2011-12-20 2012-07-11 东南大学 Distributed bot network scale measuring and tracking method based on multiple data sources
CN103685230A (en) * 2013-11-01 2014-03-26 上海交通大学 Distributed cooperation detection system and method for botnet malicious domain name
CN104618377A (en) * 2015-02-04 2015-05-13 上海交通大学 NetFlow based botnet network detection system and detection method
CN106603521A (en) * 2016-12-09 2017-04-26 北京安天电子设备有限公司 Network control node detection method and system
CN109962898A (en) * 2017-12-26 2019-07-02 哈尔滨安天科技股份有限公司 The detection method and device of Botnet control node

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101010302B1 (en) * 2008-12-24 2011-01-25 한국인터넷진흥원 Security management system and method of irc and http botnet

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant