CN113645191B - Method, device and equipment for determining suspicious host and computer readable storage medium


Info

Publication number: CN113645191B
Application number: CN202110790445.4A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113645191A
Inventors: 陈勇, 沈传宝, 吴璇, 马维士, 刘加勇
Assignee: Beijing Huayuan Information Technology Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories or standardised directory access protocols, using domain name system [DNS] (under H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/45; H04L61/4505)
    • H04L63/10 Network security for controlling access to devices or network resources
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14)
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer (under H04L63/16)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP] (under H04L67/01)
    • H04L67/14 Session management (under H04L67/00)

Abstract

Embodiments of the present disclosure provide a method, apparatus, device and computer-readable storage medium for determining a suspicious host. The method comprises the following steps: capturing network interface communication traffic of each host to be analyzed; analyzing the network interface communication traffic to obtain an access log of each host to be analyzed; and determining suspicious hosts from the hosts to be analyzed according to the access log. In this way, hosts that may be infected can be determined automatically from the hosts to be analyzed on the basis of the access log, so that suspicious hosts can be picked out promptly and quickly from the communication traffic of the hosts to be analyzed.

Description

Method, device and equipment for determining suspicious host and computer readable storage medium
Technical Field
Embodiments of the present disclosure relate generally to the field of internet communication technology, and more particularly, to a method, an apparatus, a device, and a computer-readable storage medium for determining a suspicious host.
Background
An attacker uses a command and control server (also referred to as C & C or C2) to maintain communication with the infected hosts in the target network. The C & C server issues commands to and controls the infected hosts. These communications often take the form of a timed beacon or "heartbeat", so that the attacker can keep an inventory of the compromised systems within the target network or use them for further malicious operations such as remote control, data collection and lateral movement. Although the C & C server is used to control hosts inside the target organization, it is usually the infected host that initiates the connection to the C & C server on the Internet from inside the network.
The main way to find an infected host at present is as follows:
determining an infected host from the risk domain names and risk IPs already recorded in threat intelligence, and from whether a C & C tag has been recorded for them. This threat-intelligence-based approach lags behind the threat, and unknown infected hosts cannot be discovered.
Therefore, how to discover an unknown infected host in time has become an urgent technical problem to be solved.
Disclosure of Invention
According to an embodiment of the present disclosure, a determination scheme of a suspicious host is provided.
In a first aspect of the disclosure, a method of determination of a suspicious host is provided. The method comprises the following steps:
capturing network interface communication traffic of each host to be analyzed;
analyzing the network interface communication flow to obtain access logs of the hosts to be analyzed;
and determining suspicious hosts from the hosts to be analyzed according to the access log.
The aspects and any possible implementations described above, further provide an implementation,
the access log includes: a DNS log;
the determining suspicious hosts from the hosts to be analyzed according to the access log comprises:
determining the access characteristics of the hosts to be analyzed according to the DNS log;
determining the suspicious host according to the access characteristics of the hosts to be analyzed; wherein:
the access characteristic comprises at least one of:
domain name access frequency, access time period, and the opposite-end host accessed by each host to be analyzed.
The above aspects, and any possible implementations, further provide an implementation,
the determining the suspicious host according to the access characteristics of the hosts to be analyzed includes:
determining access characteristics matched with preset access conditions from the access characteristics of the hosts to be analyzed;
determining an access address corresponding to the access characteristics matched with the preset access conditions;
determining one or more hosts which initiate the access address in the hosts to be analyzed as candidate hosts;
and determining the suspicious host from the candidate hosts.
The above aspects, and any possible implementations, further provide an implementation,
the access log includes: http access logs and/or ssl access logs;
the determining the suspicious host from the candidate hosts includes:
and analyzing the http access log and/or the ssl access log of the candidate host relative to the opposite host responding to the access address to determine the suspicious host from the candidate host.
The aspects and any possible implementations described above, further provide an implementation,
the analyzing the http access log and/or the ssl access log of the candidate host relative to the peer host responding to the access address to determine the suspicious host from the candidate host includes:
judging whether suspicious behaviors are recorded in http access logs and/or ssl access logs of each host in the candidate hosts relative to the opposite host responding to the access address;
when suspicious behaviors are recorded, determining the suspicious scores of all hosts in the candidate hosts according to the corresponding suspicious degrees of the suspicious behaviors;
and determining the suspicious host from the candidate hosts according to the suspicious scores of all the candidate hosts.
The above aspects, and any possible implementations, further provide an implementation,
the determining the suspicious host from the candidate hosts according to the suspicious scores of the hosts in the candidate hosts comprises:
determining the suspicious grade of each host of the candidate host according to the relation between the suspicious score of each host in the candidate host and a plurality of preset suspicious score ranges;
screening out hosts with the suspicious grades higher than a preset grade from the candidate hosts as the suspicious hosts; and/or
And determining the hosts with the suspicious scores higher than the preset scores in the candidate hosts as the suspicious hosts.
The above aspects, and any possible implementations, further provide an implementation,
the suspicious behavior comprises at least one of:
downloading a file;
establishing and maintaining a long connection;
frequent connection;
initiating an abnormal http request;
initiating an http request based on an ip address;
the certificate of the opposite-end host is a self-signed certificate.
In a second aspect of the present disclosure, a device for determining a suspicious host is provided. The device includes:
the capturing module is used for capturing the network interface communication flow of each host to be analyzed;
the analysis module is used for analyzing the network interface communication flow to obtain an access log of each host to be analyzed;
and the determining module is used for determining the suspicious host from the hosts to be analyzed according to the access log.
In a third aspect of the disclosure, an electronic device is provided. The electronic device includes: a memory having a computer program stored thereon and a processor implementing the method as described above when executing the program.
In a fourth aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the method as according to the first and/or second aspect of the present disclosure.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings. In the drawings, like or similar reference characters designate like or similar elements, and wherein:
FIG. 1 illustrates a flow diagram of a method of suspicious host determination according to one embodiment of the present disclosure;
FIG. 2 illustrates a flow chart of a method of suspicious host determination according to another embodiment of the present disclosure;
FIG. 3 illustrates a block diagram of a suspicious host determination apparatus according to an embodiment of the present disclosure;
FIG. 4 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In this disclosure, by capturing the network interface communication traffic of each host to be analyzed, deep packet inspection (DPI) can be carried out on that traffic, and the hosts that may be infected can then be determined automatically from the hosts to be analyzed according to their own access logs, so that suspicious hosts can be picked out promptly and quickly from the communication traffic of each host to be analyzed.
Fig. 1 shows a flow diagram of a method 100 of suspicious host determination according to an embodiment of the present disclosure.
As shown in fig. 1, the determination method 100 includes:
step 110, capturing network interface communication traffic of each host to be analyzed; the communication flow of the network interface can be captured in real time or at certain time intervals.
And the network interface communication flow is used for representing the record of interaction between each host to be analyzed and the external equipment.
Step 120, analyzing the network interface communication traffic to obtain an access log of each host to be analyzed; the access log includes: dns (Domain Name System) logs, http (Hypertext Transfer Protocol) logs, ssl (Secure Sockets Layer) logs, and the like.
Step 130, according to the access log, determining suspicious hosts from the hosts to be analyzed. A suspicious host may be a host infected with malicious programs such as trojans, viruses, and the like.
By capturing the network interface communication traffic of each host to be analyzed, DPI (Deep Packet Inspection, a detection technique that inspects the content of data packets) can be carried out on the traffic to obtain the access log of each host to be analyzed; the hosts that may be infected are then determined automatically from the hosts to be analyzed according to their own access logs, so that suspicious hosts can be picked out promptly and quickly from the communication traffic of each host to be analyzed.
In one embodiment, the access log comprises: a DNS log;
the determining suspicious hosts from the hosts to be analyzed according to the access log includes:
determining the access characteristics of the hosts to be analyzed according to the DNS log;
determining the suspicious host according to the access characteristics of the hosts to be analyzed; wherein:
the access characteristic comprises at least one of:
domain name access frequency, access time period, and the opposite-end host accessed by each host to be analyzed.
Through the DNS log, the specific access characteristics of each host to be analyzed can be determined, and then the specific suspicious host can be accurately positioned according to the access characteristics of each host to be analyzed, namely the host which has C & C communication with an external control server can be accurately captured.
In an embodiment, the determining the suspicious host according to the access characteristics of the hosts to be analyzed includes:
determining access characteristics matched with preset access conditions from the access characteristics of the hosts to be analyzed;
the preset access condition may be that a domain name has a high access frequency but does not belong to the alexa-top1m list (i.e. a white list of the domain names ranked in the top 1 million by global access volume); it may also be that the access time period is the early morning, that the opposite-end host is a server that has been marked as suspicious multiple times, and so on.
Determining an access address corresponding to the access characteristic matching the preset access condition (namely, an access address used by an access process with the access characteristic);
determining one or more hosts which initiate the access address in the hosts to be analyzed as candidate hosts;
and determining the suspicious host from the candidate hosts.
The access characteristics matching the preset access conditions are those that commonly appear in suspicious hosts, so the access address corresponding to such an access characteristic is the IP address corresponding to a suspicious domain name, and the one or more hosts initiating access requests to that address are likely to be among the infected hosts. Those hosts can therefore be determined as candidate hosts, and the suspicious hosts can be determined more accurately from this small set of candidates.
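The candidate-host selection described in this embodiment (and the domain name frequency analysis step of method 200 below) can be implemented over a DNS log as follows. This is an added example, not code from the patent or its assignee: the log line format, the allowlist contents, the minimum-frequency threshold and the definition of "early morning" are all assumptions, and the log lines are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample DNS log, one query per line: "date time client_ip qname answer_ip".
# The format is an assumption; the patent does not specify a log schema.
DNS_LOG = """\
2021-07-13 03:12:01 10.0.0.5 update.example-cdn.net 203.0.113.10
2021-07-13 03:12:31 10.0.0.5 update.example-cdn.net 203.0.113.10
2021-07-13 03:13:01 10.0.0.5 update.example-cdn.net 203.0.113.10
2021-07-13 03:13:31 10.0.0.5 update.example-cdn.net 203.0.113.10
2021-07-13 03:14:01 10.0.0.7 update.example-cdn.net 203.0.113.10
2021-07-13 09:00:00 10.0.0.9 www.example.com 93.184.216.34
2021-07-13 09:00:05 10.0.0.9 www.example.com 93.184.216.34
2021-07-13 09:00:10 10.0.0.9 www.example.com 93.184.216.34
2021-07-13 09:00:15 10.0.0.9 www.example.com 93.184.216.34
2021-07-13 09:00:20 10.0.0.9 www.example.com 93.184.216.34
2021-07-13 10:30:00 10.0.0.11 rare.example.org 198.51.100.7
2021-07-13 02:05:00 10.0.0.11 night.example.org 198.51.100.8
"""

# Stand-in for the alexa-top1m white list (assumption: any popular-domain allowlist works here).
ALLOWLIST = {"www.example.com"}


def parse_dns_log(text):
    """Parse the constructed log into (timestamp, client, qname, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, qname, answer = line.split()
        ts = datetime.fromisoformat(f"{date} {time}")
        records.append((ts, client, qname.lower().rstrip("."), answer))
    return records


def early_morning(ts, start_hour=0, end_hour=6):
    """'Early morning' access period; the hour window is an assumption."""
    return start_hour <= ts.hour < end_hour


def find_candidates(records, allowlist, min_freq=3):
    """Apply the preset access conditions to the DNS log.

    Returns (suspicious_domains, candidates):
      suspicious_domains maps each suspicious domain to its response ip (RA);
      candidates maps each local host that queried one (LA) to the set of RA it resolved.
    """
    freq = Counter(qname for _, _, qname, _ in records)
    suspicious = {}
    for ts, _, qname, answer in records:
        if qname in allowlist:
            continue  # popular domain: never treated as suspicious by frequency alone
        # condition 1: frequently queried but not on the white list
        # condition 2: queried during the early-morning period
        if freq[qname] >= min_freq or early_morning(ts):
            suspicious[qname] = answer
    candidates = defaultdict(set)
    for _, client, qname, _ in records:
        if qname in suspicious:
            candidates[client].add(suspicious[qname])
    return suspicious, dict(candidates)


if __name__ == "__main__":
    domains, hosts = find_candidates(parse_dns_log(DNS_LOG), ALLOWLIST)
    print("suspicious domains (RA):", domains)
    print("candidate hosts (LA):", hosts)
```

A single daytime query to an unlisted domain (rare.example.org) does not produce a candidate, whereas the repeated queries from 10.0.0.5 and 10.0.0.7 to update.example-cdn.net and the early-morning query from 10.0.0.11 do; the allowlisted www.example.com is skipped despite its frequency.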
In one embodiment, the access log comprises: http access logs and/or ssl access logs;
the determining the suspicious host from the candidate hosts includes:
and analyzing the http access log and/or the ssl access log of the candidate host relative to the opposite host responding to the access address to determine the suspicious host from the candidate host.
The opposite end host responds to various requests initiated by the candidate host through the access address, and is also the host accessed by the candidate host through the access address.
By automatically analyzing the http access log and/or the ssl access log of the candidate host relative to the opposite host responding to the access address, the candidate host can be further and accurately locked through the access log.
In one embodiment, the analyzing the http access log and/or the ssl access log of the candidate host with respect to the peer host responding to the access address to determine the suspicious host from the candidate hosts includes:
judging whether suspicious behaviors are recorded in http access logs and/or ssl access logs of each host in the candidate hosts relative to the opposite-end host responding to the access address;
when suspicious behaviors are recorded, determining the suspicious scores of all hosts in the candidate hosts according to the corresponding suspicious degrees of the suspicious behaviors;
different suspicious behaviors can have different suspicious degrees, so that different suspicious scores can be calculated according to different suspicious behaviors, and the higher the suspicious score is, the higher the suspicious grade of the host is, the more likely the host is to be a suspicious host.
And determining the suspicious host from the candidate hosts according to the suspicious scores of all the candidate hosts.
The access log records the various access behaviors that occur while a user on the candidate host accesses the opposite-end host through the access address: which access protocol is used, which pages are accessed, which operations are performed on those pages, whether the accessed website has an official certificate, and so on. Whether suspicious behaviors are recorded can therefore be judged from the http access log and/or the ssl access log; the suspicious score of each candidate host is determined according to the suspicious degree of each suspicious behavior, and the suspicious hosts are then automatically determined from the candidate hosts according to those scores.
In one embodiment, the determining the suspicious host from the candidate hosts according to the suspicious scores of the hosts in the candidate hosts includes:
determining the suspicious grade of each host of the candidate host according to the relation between the suspicious score of each host in the candidate host and a plurality of preset suspicious score ranges;
screening out hosts with the suspicious grades higher than a preset grade from the candidate hosts as the suspicious hosts; and/or
And determining the hosts with the suspicious scores higher than the preset scores in the candidate hosts as the suspicious hosts.
Which preset suspicious score range each candidate host falls into is determined from the relation between its suspicious score and the plurality of preset suspicious score ranges; this gives the suspicious grade of each candidate host, and the hosts whose grade is higher than the preset grade are screened out of the candidate hosts as the suspicious hosts. And/or, the candidate hosts whose suspicious score is higher than the preset score are determined as the suspicious hosts. In this way the selected suspicious hosts have higher accuracy and false selections are avoided.
In one embodiment, the suspicious behavior comprises at least one of:
downloading a file; because the candidate hosts may be a group of compromised/infected hosts, an attacker may download a trojan or virus file matching the system version of such a candidate host onto it, in order to carry out the next intrusion step.
Establishing and maintaining a long connection;
frequent connection; for example, within a certain time, a certain host in the candidate hosts initiates a connection request to a certain opposite-end host multiple times.
Initiating an abnormal http request; an abnormal http request is an http request that produces an http protocol parsing error.
Initiating an http request based on an ip address; normal access typically initiates http requests via a domain name, so an http request initiated via an ip address is suspicious.
The certificate of the opposite-end host is a self-signed certificate. When a candidate host accesses the opposite-end host over ssl and the user is prompted as to whether the website is trusted and whether to continue, the certificate of the opposite-end host is a self-signed certificate, that is, the certificate was not issued by a recognized certificate authority.
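The http/ssl analysis and scoring described in this and the preceding embodiments (the same checks that method 200 below applies to the tracked LA traffic) can be implemented as follows. This is an added example rather than code from the patent: the record fields, the per-behavior suspicious degrees, the preset score ranges and thresholds, the 5-minute long-connection limit and the periodicity tolerance are assumptions, and the access records are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed http/ssl access records of candidate hosts (src = LA) toward peer hosts (dst = RA).
# Field names are assumptions: the patent names the behaviors, not a log schema.
ACCESS_LOG = [
    {"kind": "http", "src": "10.0.0.5", "dst": "203.0.113.10", "ts": "2021-07-13 03:12:05",
     "host": "203.0.113.10", "uri": "/u.bin", "content_type": "application/octet-stream", "parse_error": False},
    {"kind": "ssl", "src": "10.0.0.5", "dst": "203.0.113.10", "ts": "2021-07-13 03:13:00", "duration_s": 900, "self_signed": True},
    {"kind": "ssl", "src": "10.0.0.5", "dst": "203.0.113.10", "ts": "2021-07-13 03:28:00", "duration_s": 4, "self_signed": True},
    {"kind": "ssl", "src": "10.0.0.5", "dst": "203.0.113.10", "ts": "2021-07-13 03:43:00", "duration_s": 4, "self_signed": True},
    {"kind": "ssl", "src": "10.0.0.5", "dst": "203.0.113.10", "ts": "2021-07-13 03:58:00", "duration_s": 5, "self_signed": True},
    {"kind": "http", "src": "10.0.0.7", "dst": "203.0.113.10", "ts": "2021-07-13 03:14:10",
     "host": "update.example-cdn.net", "uri": "/index.html", "content_type": "text/html", "parse_error": False},
    {"kind": "http", "src": "10.0.0.11", "dst": "198.51.100.8", "ts": "2021-07-13 02:05:10",
     "host": "198.51.100.8", "uri": "/", "content_type": "text/plain", "parse_error": True},
]

# Suspicious degree of each behavior and the preset score ranges (assumed values).
WEIGHTS = {"download": 30, "long_connection": 20, "periodic_connection": 20,
           "abnormal_http": 15, "ip_based_http": 15, "self_signed_cert": 25}
GRADES = [("low", 0, 20), ("medium", 20, 50), ("high", 50, float("inf"))]
LONG_CONNECTION_S = 300  # "e.g. over 5 minutes"
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def _is_ip(host):
    """True when the http Host is an ip literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _periodic(timestamps, min_count=4, tolerance=0.2):
    """Regular, frequent connections: all gaps within +/-tolerance of the median gap."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = median(gaps)
    return m > 0 and all(abs(g - m) <= tolerance * m for g in gaps)


def behaviours_per_host(records):
    """Map each candidate host to the set of suspicious behaviors recorded for it."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["src"]].append(r)
    result = {}
    for host, recs in by_host.items():
        found = set()
        times = defaultdict(list)  # connection times per (peer, protocol)
        for r in recs:
            times[(r["dst"], r["kind"])].append(datetime.fromisoformat(r["ts"]))
            if r["kind"] == "http":
                if r["content_type"] in DOWNLOAD_TYPES:
                    found.add("download")
                if r["parse_error"]:
                    found.add("abnormal_http")
                if _is_ip(r["host"]):
                    found.add("ip_based_http")
            elif r["kind"] == "ssl":
                if r["self_signed"]:
                    found.add("self_signed_cert")
                if r["duration_s"] > LONG_CONNECTION_S:
                    found.add("long_connection")
        if any(_periodic(t) for t in times.values()):
            found.add("periodic_connection")
        result[host] = found
    return result


def score(behaviours):
    """Suspicious score: sum of the suspicious degrees of the recorded behaviors."""
    return sum(WEIGHTS[b] for b in behaviours)


def grade(s):
    """Suspicious grade from the preset score ranges."""
    for name, lo, hi in GRADES:
        if lo <= s < hi:
            return name
    return GRADES[-1][0]


def suspicious_hosts(records, preset_grade="medium", preset_score=40):
    """Hosts whose grade is above preset_grade and/or whose score is above preset_score."""
    order = [g[0] for g in GRADES]
    out = {}
    for host, found in behaviours_per_host(records).items():
        s = score(found)
        g = grade(s)
        if order.index(g) > order.index(preset_grade) or s > preset_score:
            out[host] = (s, g, sorted(found))
    return out


if __name__ == "__main__":
    for host, (s, g, found) in suspicious_hosts(ACCESS_LOG).items():
        print(host, s, g, found)
```

Periodicity is judged per (peer, protocol) pair so that a one-off http download does not mask the regular ssl beacon that follows it; 10.0.0.11 shows only an ip-based and malformed request, which scores "medium" and therefore stays below both thresholds.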
The technical solution of the present invention will be further explained in detail with reference to the method 200 of fig. 2:
Flow acquisition: capture the network interface traffic (access records/communication traffic on a switch, including certificates, protocols, page content and the like), perform DPI (deep packet inspection), and record long-connection logs, dns logs, http logs, ssl logs and the like.
Domain name frequency analysis: analyze the dns log over a period of time, count the domain name access frequencies, list the domain names that have a high access frequency and do not belong to the alexa-top1m list (a domain name white list of the top 1 million websites by global access volume) as suspicious domain names (domain names accessed locally), and record the response ip addresses (marked RA) of the dns requests for those domain names, each suspicious domain name corresponding to one response ip address; mark the local hosts that initiated the dns requests as LA.
Follow-up traffic of the LA is tracked and analyzed.
Analyzing whether the http traffic has the following suspicious behaviors:
a) Downloading a file: the local host LA downloads files to the remote host RA.
b) Long connection: the local host LA initiates a long connection to the remote host (RA/RB/RC, etc.).
c) Regularly and frequently connecting: the local host LA initiates a periodic frequent connection to the remote host (RA/RB/RC, etc.).
d) Abnormal http request: the local host LA initiates an abnormal http request to the remote host (RA/RB/RC, etc.), for example a request whose legitimacy check fails and whose http protocol parsing produces errors (i.e. a request not formed according to the http standard; this is already recorded in the log).
e) Http request based on ip address access: the local host LA initiates an http request for ip address based access to the remote host (RA/RB/RC, etc.).
Analyze the ssl traffic for suspicious behavior as follows:
a) Self-signed certificate: the local host LA initiates a ssl request to the remote host RA, whose certificate is a self-signed certificate.
b) Long connection: the local host LA initiates an ssl long connection (e.g. lasting over 5 minutes) to the remote host (RA/RB/RC, etc.).
c) Regularly and frequently connecting: the local host LA initiates a regular frequent ssl connection to the remote host (RA/RB/RC, etc.).
And (4) conclusion: if the local host LA has the above suspicious behavior, the local host LA is a suspicious host that is likely to be infected with trojans or viruses, and the remote addresses RA/RB/RC (respectively remote hosts corresponding to different remote addresses) and the like are suspicious C & C communication addresses.
It is noted that while for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present disclosure is not limited by the order of acts, as some steps may, in accordance with the present disclosure, occur in other orders and concurrently. Further, those skilled in the art will appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules are not necessarily required for the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 3 shows a block diagram of a suspicious host determination apparatus 300 according to an embodiment of the present disclosure. The apparatus 300 comprises:
the capturing module 310 is configured to capture network interface communication traffic of each host to be analyzed;
the analysis module 320 is configured to analyze the network interface communication traffic to obtain an access log of each host to be analyzed;
the determining module 330 is configured to determine suspicious hosts from the hosts to be analyzed according to the access log.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.
FIG. 4 shows a schematic block diagram of an electronic device 400 that may be used to implement embodiments of the present disclosure. The device 400 may be used to implement the suspicious host determination apparatus 300 of fig. 3. As shown in fig. 4, the device 400 includes a CPU 401, which can perform various appropriate actions and processes according to computer program instructions stored in a ROM 402 or loaded from a storage unit 408 into a RAM 403. In the RAM 403, various programs and data required for the operation of the device 400 can also be stored. The CPU 401, ROM 402, and RAM 403 are connected to each other via a bus 404. An I/O interface 405 is also connected to bus 404.
A number of components in the device 400 are connected to the I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, or the like; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408 such as a magnetic disk, optical disk, or the like; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processing unit 401 performs the various methods and processes described above, such as the methods 100, 200. For example, in some embodiments, the methods 100, 200 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 400 via the ROM 402 and/or the communication unit 409. When the computer program is loaded into RAM 403 and executed by CPU 401, it may perform one or more of the steps of methods 100, 200 described above. Alternatively, in other embodiments, the CPU 401 may be configured to perform the methods 100, 200 in any other suitable manner (e.g., by way of firmware).
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/acts specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a RAM, a ROM, an EPROM, an optical fiber, a CD-ROM, an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (6)

1. A method for determining a suspicious host, comprising:
capturing network interface communication traffic of each host to be analyzed;
analyzing the network interface communication traffic to obtain access logs of the hosts to be analyzed, wherein the access logs comprise DNS (domain name system) logs, http (hypertext transfer protocol) access logs and/or ssl (secure sockets layer) access logs;
determining the access characteristics of the hosts to be analyzed according to the DNS log; the access characteristics comprise at least one of domain name access frequency, access time period or opposite end host accessed by each host to be analyzed;
determining access characteristics matched with preset access conditions from the access characteristics of the hosts to be analyzed;
determining an access address corresponding to the access characteristics matching the preset access conditions;
determining, among the hosts to be analyzed, the one or more hosts which initiated access to the access address as candidate hosts;
judging whether suspicious behaviors are recorded in the http access logs and/or ssl access logs of each host in the candidate hosts with respect to the opposite-end host responding at the access address;
when suspicious behaviors are recorded, determining the suspicious scores of all hosts in the candidate hosts according to the suspicious degrees corresponding to the suspicious behaviors;
and determining the suspicious host from the candidate hosts according to the suspicious scores of all the candidate hosts.
2. The method of claim 1, wherein
the determining the suspicious host from the candidate hosts according to the suspicious scores of the hosts in the candidate hosts includes:
determining the suspicious grade of each host of the candidate hosts according to the relation between the suspicious score of each host in the candidate hosts and a plurality of preset suspicious score ranges;
screening out, from the candidate hosts, hosts whose suspicious grade is higher than a preset grade as the suspicious hosts; and/or
determining the hosts in the candidate hosts whose suspicious scores are higher than a preset score as the suspicious hosts.
3. The method of claim 1, wherein the suspicious behavior comprises at least one of:
downloading a file;
establishing and maintaining a long connection;
frequent connection;
initiating an abnormal http request;
initiating an http request based on an ip address;
the certificate of the opposite-end host is a self-signed certificate.
4. An apparatus for determining a suspicious host, comprising:
the capturing module is used for capturing the network interface communication traffic of each host to be analyzed;
the analysis module is used for analyzing the network interface communication traffic to obtain access logs of the hosts to be analyzed, wherein the access logs comprise DNS logs, http access logs and/or ssl access logs;
the determining module is used for determining the access characteristics of the hosts to be analyzed according to the DNS log; the access characteristics comprise at least one of domain name access frequency, access time period or opposite-end host accessed by each host to be analyzed; determining access characteristics matched with preset access conditions from the access characteristics of the hosts to be analyzed; determining an access address corresponding to the access characteristics matched with the preset access conditions; determining, among the hosts to be analyzed, the one or more hosts which initiated access to the access address as candidate hosts; judging whether suspicious behaviors are recorded in the http access logs and/or ssl access logs of each host in the candidate hosts with respect to the opposite-end host responding at the access address; when suspicious behaviors are recorded, determining the suspicious scores of all hosts in the candidate hosts according to the suspicious degrees corresponding to the suspicious behaviors; and determining the suspicious host from the candidate hosts according to the suspicious scores of all the candidate hosts.
5. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program, wherein the processor, when executing the program, implements the method of any of claims 1-3.
6. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method according to any one of claims 1 to 3.
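The pipeline of claims 1 to 3, as an added worked example that is not part of the patent: constructed DNS, http and ssl records stand in for the parsed access logs, the preset access condition (five or more lookups of one domain, all in a night-time window), the suspicion weights for the claim 3 behaviours and the grade/score thresholds of claim 2 are all assumptions, and the host and peer addresses are documentation ranges.

```python
from collections import Counter, defaultdict

# Constructed sample logs (not from the patent); each record is one parsed event.
DNS_LOG = (  # (host, queried domain, hour of day, resolved peer ip)
    [("10.0.0.5", "cdn.example.com", 10, "203.0.113.10")] * 3
    + [("10.0.0.7", "c2.example.net", 3, "198.51.100.7")] * 6
    + [("10.0.0.9", "c2.example.net", 4, "198.51.100.7")] * 5)
HTTP_LOG = [  # (host, peer ip, behaviour recorded in the http access log)
    ("10.0.0.7", "198.51.100.7", "file_download"),
    ("10.0.0.7", "198.51.100.7", "ip_based_http_request"),
    ("10.0.0.9", "198.51.100.7", "frequent_connection"),
    ("10.0.0.5", "203.0.113.10", "file_download"),  # peer never flagged: ignored
]
SSL_LOG = [("10.0.0.7", "198.51.100.7", "self_signed_cert")]
# Claim 3 behaviours; the suspicion degree per behaviour is an assumed weight.
WEIGHTS = {"file_download": 3, "long_connection": 2, "frequent_connection": 2,
           "abnormal_http_request": 2, "ip_based_http_request": 3, "self_signed_cert": 3}

def access_features(dns_log):
    """Per (host, domain): lookup count, hours seen and resolved peer addresses."""
    feats = defaultdict(lambda: {"count": 0, "hours": set(), "peers": set()})
    for host, domain, hour, ip in dns_log:
        f = feats[(host, domain)]
        f["count"] += 1
        f["hours"].add(hour)
        f["peers"].add(ip)
    return feats

def candidate_hosts(feats, min_count=5, night=range(0, 6)):
    """Assumed preset condition: >= min_count lookups, all in the night window.
    Returns every host that contacted a flagged address, and those addresses."""
    flagged = set()
    for f in feats.values():
        if f["count"] >= min_count and f["hours"] <= set(night):
            flagged |= f["peers"]
    return {h for (h, _), f in feats.items() if f["peers"] & flagged}, flagged

def suspicion_scores(cands, flagged, http_log, ssl_log):
    """Add the weight of each behaviour a candidate showed towards a flagged peer."""
    scores = Counter()
    for host, peer, behaviour in http_log + ssl_log:
        if host in cands and peer in flagged:
            scores[host] += WEIGHTS.get(behaviour, 0)
    return scores

def suspicious_hosts(scores, ranges=(3, 6), min_grade=2, min_score=7):
    """Grade = how many range bounds the score reaches; flag by grade or by score."""
    grade = lambda s: sum(s >= b for b in ranges)
    return {h for h, s in scores.items() if grade(s) >= min_grade or s > min_score}
```

Note that only behaviours towards the flagged address count: the file download by 10.0.0.5 to an unflagged peer never enters the score, which is the narrowing effect of the candidate step.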
CN202110790445.4A 2021-07-13 2021-07-13 Method, device and equipment for determining suspicious host and computer readable storage medium Active CN113645191B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110790445.4A CN113645191B (en) 2021-07-13 2021-07-13 Method, device and equipment for determining suspicious host and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110790445.4A CN113645191B (en) 2021-07-13 2021-07-13 Method, device and equipment for determining suspicious host and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN113645191A CN113645191A (en) 2021-11-12
CN113645191B true CN113645191B (en) 2023-02-28

Family

ID=78417205

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110790445.4A Active CN113645191B (en) 2021-07-13 2021-07-13 Method, device and equipment for determining suspicious host and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113645191B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371735A (en) * 2018-12-26 2020-07-03 中兴通讯股份有限公司 Botnet detection method, system and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2222048A1 (en) * 2009-02-24 2010-08-25 BRITISH TELECOMMUNICATIONS public limited company Detecting malicious behaviour on a computer network
US9419992B2 (en) * 2014-08-13 2016-08-16 Palantir Technologies Inc. Unwanted tunneling alert system
US10944770B2 (en) * 2018-10-25 2021-03-09 EMC IP Holding Company LLC Protecting against and learning attack vectors on web artifacts
CN110912902B (en) * 2019-11-27 2022-04-19 杭州安恒信息技术股份有限公司 Method, system, equipment and readable storage medium for processing access request

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371735A (en) * 2018-12-26 2020-07-03 中兴通讯股份有限公司 Botnet detection method, system and storage medium

Also Published As

Publication number Publication date
CN113645191A (en) 2021-11-12


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant