CN115134096A - RAT connection detection method, flow audit equipment and medium - Google Patents


Info

Publication number: CN115134096A
Authority: CN (China)
Prior art keywords: data, session, rat, session data, threshold
Legal status: Pending
Application number: CN202110264329.9A
Other languages: Chinese (zh)
Inventor: 吴铸轩
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] > H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures


Abstract

The application discloses a RAT connection detection method, a traffic auditing device and a medium. The method takes TCP-based traffic data between an external network and an internal network as the detection object, so that no deployment on each host is needed and the deployment cost is reduced. After suspicious traffic data meeting RAT connection conditions has been analyzed out of the traffic data, the detection result for the suspicious traffic data is determined according to threat intelligence, so that the accuracy of the detection result is improved by combining traffic-side feature detection with threat intelligence, multi-layer forensic information is obtained, and the security of the internal network is improved. The traffic auditing device and the medium disclosed by the application correspond to the method and have the same effects.

Description

RAT connection detection method, flow audit equipment and medium
Technical Field
The present application relates to the field of network communications technologies, and in particular, to a RAT connection detection method, a traffic auditing device, and a medium.
Background
A Remote Access Trojan (RAT) is malicious software that can remotely access and control a device and steal information. A RAT connection is the connection between the RAT and the attacker's server. Once the RAT is connected, information stolen from the attacked device can be transmitted to the attacker's server, and the attacker's server can issue remote control instructions that the RAT executes on the attacked device after receiving them, achieving illegal remote control.
To prevent RAT attacks, a common approach is to detect RAT files that have landed on the host. Such detection is divided into static detection and dynamic detection. Static detection requires known samples to be trained in advance to obtain the characteristics of RAT files, so unknown samples cannot be detected accurately, the false alarm rate is high, and once a RAT file is encrypted, packed or obfuscated, static detection no longer works. Dynamic detection requires the RAT file to trigger malicious behaviour before it can be perceived, so the detection result is delayed. More importantly, both static and dynamic detection need to be deployed on every host in an intranet scenario; when the number of hosts is large, one-to-one deployment is difficult and the deployment cost is high.
In summary, how to reduce both the false alarm rate of detection and the difficulty of deployment is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a RAT connection detection method that improves the accuracy of RAT connection detection in an intranet scenario and reduces deployment difficulty, since one-to-one deployment on the hosts of the intranet is not needed. The application also provides a RAT connection detection apparatus, a device and a medium.
In order to solve the above technical problem, the present application provides a RAT connection detection method, including:
acquiring traffic data based on TCP between an outer network and an inner network;
analyzing, from the traffic data, suspicious traffic data that meets RAT connection conditions;
and determining the detection result of the suspicious traffic data according to threat intelligence.
Preferably, before analyzing the suspicious traffic data meeting the RAT connection conditions in the traffic data, the method further includes:
parsing the traffic data into data with a preset structure according to TCP;
dividing the traffic data into a plurality of pieces of session data according to the TCP session format;
correspondingly, analyzing the suspicious traffic data meeting the RAT connection condition in the traffic data includes:
determining the session duration of the session data;
if the session duration is not greater than a first threshold, taking the session data not greater than the first threshold as first session data;
if suspicious first session data meeting a RAT reconnection condition exists in the first session data, determining the suspicious first session data to be suspicious traffic data meeting the RAT connection condition;
and/or
if the session duration is greater than the first threshold, taking the session data greater than the first threshold as second session data;
if suspicious second session data meeting a RAT long connection condition exists in the second session data, determining the suspicious second session data to be suspicious traffic data meeting the RAT connection condition;
wherein the RAT connection condition comprises the RAT reconnection condition and the RAT long connection condition.
Preferably, the RAT reconnection condition is: the same source address and the same destination address are connected continuously and the number of connections reaches a preset number, and/or the same source address and the same destination address are connected continuously and the cumulative duration of the continuous connections exceeds a second threshold.
Preferably, determining that suspicious first session data satisfying the RAT reconnection condition exists in the first session data comprises:
screening, from the obtained first session data, target first session data with the same source address and the same destination address to serve as a first set;
counting the number of session reconnections and the duration of the multiple reconnections corresponding to all the target first session data in the first set;
and if the number of session reconnections reaches a preset number and the duration exceeds a second threshold, determining that suspicious first session data meeting the RAT reconnection condition exists in the first session data.
Preferably, the RAT long connection condition is:
a master-slave connection exists between the same source address and the same destination address, where the master-slave connection is: a session whose session duration is greater than a third threshold exists between the source address and the destination address, and a plurality of pieces of session data whose session duration is less than a fourth threshold exist within that session duration, where the third threshold is not less than the first threshold and the fourth threshold is less than the third threshold;
or the heartbeat interval stationarity of the data packets from the internal network to the external network is less than a stationarity threshold, where the heartbeat interval stationarity is the stationarity of the time intervals between a plurality of data packets whose packet sizes lie within an error range of each other;
or the session data is such that the session duration is greater than a fifth threshold, the cumulative byte count of the packet sizes is less than a preset byte count, and the ratio of the number of data packets with the TCP PSH flag bit set to the total number of data packets of the session data exceeds a preset ratio; where the fifth threshold is not less than the first threshold.
Preferably, determining that suspicious second session data satisfying the RAT long connection condition exists in the second session data includes:
screening, from the session data, target session data with the same source address and the same destination address to serve as a second set, and if one piece of second session data whose target session duration is greater than a third threshold exists in the second set and a plurality of pieces of session data whose session duration is less than a fourth threshold exist within the range of that target session duration, determining that suspicious second session data meeting the RAT long connection condition exists in the second session data;
if the heartbeat interval stationarity corresponding to a plurality of pieces of session data in the second session data is not greater than a stationarity threshold, determining that suspicious second session data meeting the RAT long connection condition exists in the second session data;
if the session duration is greater than a fifth threshold, the cumulative byte count of the data packets is less than a preset byte count, and the ratio of the number of data packets with the TCP PSH flag bit set to the total number of data packets of the session data exceeds a preset ratio, determining that suspicious second session data meeting the RAT long connection condition exists in the second session data.
Preferably, the specific case in which the cumulative byte count of the packet sizes is less than the preset byte count is: the cumulative byte count of the data packets from the internal network to the external network is less than the preset byte count; and the session data in which the ratio of the number of data packets with the TCP PSH flag bit set to the total number of data packets of the session data exceeds the preset ratio is specifically: session data in which the ratio of the number of data packets from the internal network to the external network with the TCP PSH flag bit set to the total number of data packets from the internal network to the external network exceeds the preset ratio.
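The three long-connection cases above (master-slave connection, heartbeat interval stationarity, and the low-volume high-PSH case with its intranet-to-extranet refinement) as an added Python example; this is not code from the patent. The threshold values, the use of the coefficient of variation of the heartbeat gaps as the stationarity measure, the Packet and Session records and the sample sessions are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Threshold values are assumptions for this example; the patent leaves them to deployment.
FIRST_T = 60.0        # s: sessions longer than this are "second session data"
THIRD_T = 600.0       # s: a master session must exceed this (not less than FIRST_T)
FOURTH_T = 30.0       # s: slave sessions are shorter than this (less than THIRD_T)
MIN_SLAVES = 3        # how many slave sessions count as "a plurality"
STATIONARITY_T = 0.2  # heartbeat gaps with a coefficient of variation below this are stationary
SIZE_TOL = 16         # bytes: packet sizes within this of each other are "the same size"
FIFTH_T = 600.0       # s: not less than FIRST_T
MAX_BYTES = 4096      # cumulative intranet->extranet bytes below this is "low volume"
PSH_RATIO = 0.8       # share of intranet->extranet packets with PSH set must exceed this

@dataclass
class Packet:
    ts: float       # timestamp in seconds
    size: int       # packet size in bytes
    psh: bool       # TCP PSH flag set
    outbound: bool  # True for intranet -> extranet

@dataclass(eq=False)
class Session:
    src: str
    dst: str
    start: float
    end: float
    packets: list = field(default_factory=list)

    @property
    def duration(self) -> float:
        return self.end - self.start

def master_slave(group):
    """Case 1: sessions longer than THIRD_T whose time span contains at least
    MIN_SLAVES sessions (same src/dst) shorter than FOURTH_T."""
    hits = []
    for m in group:
        if m.duration <= THIRD_T:
            continue
        slaves = [s for s in group if s is not m and s.duration < FOURTH_T
                  and m.start <= s.start and s.end <= m.end]
        if len(slaves) >= MIN_SLAVES:
            hits.append(m)
    return hits

def heartbeat_stationarity(session):
    """Case 2: coefficient of variation of the gaps between outbound packets whose
    size lies within SIZE_TOL of the most common outbound size; None if too few beats."""
    out = sorted((p for p in session.packets if p.outbound), key=lambda p: p.ts)
    if len(out) < 4:
        return None
    beats = max(([q for q in out if abs(q.size - p.size) <= SIZE_TOL] for p in out), key=len)
    gaps = [b.ts - a.ts for a, b in zip(beats, beats[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def low_volume_psh(session):
    """Case 3 with the intranet->extranet refinement: long session, few cumulative
    outbound bytes, and a high share of outbound packets carrying PSH."""
    out = [p for p in session.packets if p.outbound]
    if session.duration <= FIFTH_T or not out:
        return False
    total = sum(p.size for p in out)
    return total < MAX_BYTES and sum(p.psh for p in out) / len(out) > PSH_RATIO

def detect_long_connection(sessions):
    """S114: return {index: [matched cases]} for second session data. Slave sessions
    are short, so the same-src/dst groups are built from all session data."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s.src, s.dst)].append(s)
    reasons = {}
    for i, s in enumerate(sessions):
        if s.duration <= FIRST_T:
            continue
        matched = []
        if s in master_slave(groups[(s.src, s.dst)]):
            matched.append("master-slave")
        cv = heartbeat_stationarity(s)
        if cv is not None and cv < STATIONARITY_T:
            matched.append("heartbeat")
        if low_volume_psh(s):
            matched.append("low-volume-psh")
        if matched:
            reasons[i] = matched
    return reasons

def sample_sessions():
    """Constructed data: a RAT-like master session with 48-byte beats every 30 s and
    three short slave sessions inside it, plus an ordinary long download."""
    beats = [Packet(float(t), 48, True, True) for t in range(0, 1200, 30)]
    replies = [Packet(t + 1.0, 64, True, False) for t in range(0, 1200, 30)]
    master = Session("10.0.0.5", "203.0.113.7", 0.0, 1200.0, beats + replies)
    slaves = [Session("10.0.0.5", "203.0.113.7", 100.0 * k, 100.0 * k + 5, []) for k in (2, 4, 6)]
    acks, now = [], 0.0
    for k in range(1, 100):             # irregular ACK timing: gaps of 3..13 s
        now += 3 + (k * 7) % 11
        acks.append(Packet(now, 60, False, True))
    data = [Packet(float(t), 1400, t % 10 == 0, False) for t in range(0, 900)]
    download = Session("10.0.0.8", "198.51.100.20", 0.0, 900.0, data + acks)
    return [master, *slaves, download]
```

The master session matches all three cases while the download matches none; the slave sessions are first session data and are never judged against the long connection condition.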
Preferably, determining the detection result of the suspicious traffic data according to the threat intelligence includes:
determining the external network address of the suspicious traffic data;
searching a threat intelligence library for an IP address matching the external network address;
obtaining the threat intelligence associated with the IP address;
and if the threat intelligence contains a malicious behaviour record, determining that a RAT connection exists between the source address corresponding to the suspicious traffic data and the external network address.
In order to solve the above technical problem, the present application further provides a RAT connection detection apparatus, including:
an acquisition module, configured to acquire TCP-based traffic data between an external network and an internal network;
an analysis module, configured to analyze suspicious traffic data meeting RAT connection conditions in the traffic data;
and a determining module, configured to determine the detection result of the suspicious traffic data according to threat intelligence.
In order to solve the above technical problem, the present application further provides a traffic auditing device, including a memory for storing a computer program;
and a processor for implementing the steps of the RAT connection detection method described above when executing the computer program.
To solve the above technical problem, the present application further provides a computer-readable storage medium having a computer program stored thereon, where the computer program, when executed by a processor, implements the steps of the RAT connection detection method.
According to the RAT connection detection method, TCP-based traffic data between an outer network and an inner network is used as the detection object, so that no deployment on each host is needed and the deployment cost is reduced. After suspicious traffic data meeting RAT connection conditions has been analyzed out of the traffic data, the detection result of the suspicious traffic data is determined according to threat intelligence, so that the accuracy of the detection result is improved by combining traffic-side feature detection with threat intelligence, multi-layer forensic information is obtained, and the security of the inner network is improved.
In addition, the RAT connection detection apparatus, the traffic auditing device and the medium provided by the application correspond to the method and have the same effects.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a block diagram of a RAT connection detection system according to the present disclosure;
Fig. 2 is a flowchart of a RAT connection detection method according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of another RAT connection detection method according to an embodiment of the present disclosure;
Fig. 4 is a schematic diagram of suspicious traffic data satisfying a RAT reconnection condition according to an embodiment of the present application;
Fig. 5 is a block diagram of another RAT connection detection apparatus according to an embodiment of the present disclosure;
Fig. 6 is a structural diagram of a traffic auditing device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
The core of the application is to provide a RAT connection detection method, a traffic auditing device and a medium.
In order that those skilled in the art will better understand the disclosure, the following detailed description is given with reference to the accompanying drawings.
An intranet scenario usually includes multiple hosts that cooperate to complete corresponding tasks. If a host has a RAT connection with the attacker's server, the attacker's server can steal data from the host and issue remote control instructions that the RAT executes on the host.
Since the RAT can perform operations on the host only after receiving a remote control instruction, detecting the remote control instruction is crucial. In this application, whether a RAT connection exists is determined from traffic data based on the Transmission Control Protocol (TCP) transmitted between the external network and the internal network. It should be understood that TCP-based traffic data transmitted between the external network and the internal network may be traffic transmitted from the external network to the internal network or traffic transmitted from the internal network to the external network. For ease of understanding, the hardware architecture to which the technical solution of the present application applies is described first. Referring to Fig. 1, the component architecture of the RAT connection detection system provided in the present application is shown. As shown in Fig. 1, the intranet includes a plurality of hosts 1; a gateway 2 is communicatively connected to the hosts 1 to realize data transmission between the extranet and the intranet; and a traffic auditing device 3 arranged at a network port of the gateway 2 uses a traffic probe to collect and analyze TCP-based traffic data. TCP-based traffic data is chosen in this application because, in contrast to UDP, TCP is connection-oriented, i.e. a connection must be established before data is sent, and this property matches the detection of RAT connections exactly. The number of hosts 1 and the services they provide are not limited by this application, and the traffic auditing device 3 may have functions other than detecting RAT connections; this application is not limited in that respect.
Fig. 2 is a flowchart of a RAT connection detection method according to an embodiment of the present disclosure. As shown in Fig. 2, the method includes:
S10: acquiring TCP-based traffic data between the outer network and the inner network.
The outer network mentioned in this application is a wide area network, while the inner network is a local area network, and the two are interconnected through a gateway. Since TCP-based traffic data carries the characteristics of TCP, the traffic data that is TCP-based can be identified by those characteristics.
In a specific implementation, the acquisition frequency can be set according to actual conditions. The higher the acquisition frequency, the more complete the acquired traffic data and the more accurate the detection result, but the more resources data processing consumes; conversely, the lower the acquisition frequency, the less traffic data is obtained and the less accurate the detection result, but the fewer resources data processing consumes. As a preferred embodiment, in S10 the TCP-based traffic data between the extranet and the intranet is acquired in real time, so as to improve the timeliness and accuracy of detection.
Further, since the traffic data is randomly distributed, for convenience of analysis the traffic data may be preprocessed before suspicious traffic data meeting RAT connection conditions is analyzed out of it, as described in detail below.
S11: judging whether suspicious traffic data meeting the RAT connection condition exists in the acquired traffic data; if so, proceeding to S12, otherwise returning to S11.
In this step, the RAT connection condition may be set according to actual conditions and is used to characterize that the traffic data has the relevant features of a RAT connection. RAT connections can be divided into long connections and short connections according to the length of the session. Long connections correspond to a RAT long connection condition and short connections correspond to a RAT reconnection condition; that is, the RAT connection condition includes both a RAT reconnection condition and a RAT long connection condition.
Since the traffic data is not fixed and may change at every moment, the acquired traffic data may or may not contain suspicious traffic data. The purpose of this step is to analyze the suspicious traffic data in the acquired traffic data. It should be noted that the suspicious traffic data only meets the preset RAT connection condition; if it were taken to indicate that a RAT connection exists without further detection, the false alarm rate of the detection result would easily be high.
It is understood that if the traffic data is preprocessed before S11, the traffic data mentioned in S11 and the following steps is not the original traffic data but the preprocessed data, whose source is nonetheless the original traffic data.
S12: determining the detection result of the suspicious traffic data according to threat intelligence.
To reduce the false alarm rate of the detection result, the suspicious traffic data obtained by analysis is combined with threat intelligence to further determine whether it indicates that a RAT connection exists. Threat intelligence is evidence-based knowledge about existing or potential threats faced by information technology (IT) or information assets, including scenarios, mechanisms, indicators, inferences and actionable suggestions, which can provide a basis for decisions on threat response. According to the data itself, threat intelligence can be further classified into host intelligence, domain name intelligence, file intelligence, and so on. In a specific implementation, after the suspicious traffic data is obtained, the final detection result is determined by combining it with the relevant threat intelligence. The detection result is one of two kinds: a RAT connection exists, or no RAT connection exists.
In the RAT connection detection method provided by this embodiment, TCP-based traffic data between the extranet and the intranet is used as the detection object, so that no deployment on each host is needed and the deployment cost is reduced.
In a specific implementation, since the traffic data is randomly distributed, in order to facilitate analysis, the traffic data is preprocessed before suspicious traffic data meeting RAT connection conditions is analyzed out of it. The preprocessing specifically includes:
parsing the traffic data into data with a preset structure according to TCP;
dividing the traffic data into a plurality of pieces of session data according to the TCP session format.
The session data comprises a packet field and a session field; the packet field comprises the packet size, a timestamp and the TCP flag bits, and the session field comprises the session duration, the source address and the destination address. Those skilled in the art should note that some parameters, such as the session duration, are not fields of each packet in a session but are obtained by further statistical operations.
It should be noted that the packet size mentioned in this application is the storage space occupied by the data in the packet, which may also be understood as the number of bytes in the packet. The packet size in the packet field may be the size of a single packet in a piece of session data, or the accumulated size of all packets in the whole piece of session data. Parsing into the preset structure actually converts the data into a log format with a certain preset structure; the specific structure may be determined according to the actual situation and preferably includes, but is not limited to, JSON and other self-defined log formats. After the data with the preset structure is obtained, the traffic data is divided into a plurality of pieces of session data according to the TCP session format. For example, in a TCP session the connection is established through three segments, the so-called three-way handshake, and those three segments then constitute one piece of session data.
Because format conversion and extraction of the packet field and the session field are performed before the traffic data is analyzed, only useful data is analyzed in the subsequent analysis, which improves analysis efficiency.
Further, the step of parsing the traffic data into data of a preset structure according to TCP may be omitted, but performing it ensures data processing efficiency.
In a specific implementation, since traffic data is very large and complex, the type of RAT connection to which suspicious traffic data corresponds also varies, e.g. RAT reconnection, master-slave connection, etc. Furthermore, the RAT connection condition is usually judged by combining the session field and the packet field, so many parameters are involved, and performing every type of judgement on each piece of session data would inevitably increase the data processing workload. In view of this, in this embodiment the obtained pieces of session data are divided into two types according to session duration. Fig. 3 is a flowchart of another RAT connection detection method according to an embodiment of the present disclosure. As shown in Fig. 3, S11 includes:
s110: determining the session duration of the session data;
s111: if the conversation duration is not greater than the first threshold, taking the conversation data not greater than the first threshold as first conversation data;
s112: if suspicious first session data meeting RAT reconnection conditions exist in the first session data, determining that the suspicious first session data are suspicious flow data meeting the RAT connection conditions;
s113: if the session duration is greater than a first threshold, taking the session data greater than the first threshold as second session data;
s114: and if the second session data contains suspicious second session data meeting the RAT long connection condition, determining that the suspicious second session data is suspicious flow data meeting the RAT connection condition.
It is understood that the first threshold is a value related to the session duration, used to characterize whether a piece of session data is a long connection; its specific value can be determined according to the actual situation. According to the relationship between the session duration of each piece of session data and the first threshold, all session data can be divided into two categories, first session data and second session data. First session data, whose session duration is not greater than the first threshold, is regarded as a short connection, and short-connection session data may exhibit repeated connection. Similarly, second session data, whose session duration is greater than the first threshold, is regarded as a long connection, and long-connection session data may exhibit a master-slave connection, heartbeat behaviour that does not meet requirements, and so on. The following example makes this clearer. Suppose there are 6 pieces of session data, ip1, ip2, ip3, ip4, ip5 and ip6. The session durations of ip3, ip4 and ip5 are not greater than the first threshold, so they are first session data; the session durations of ip1, ip2 and ip6 are greater than the first threshold, so they are second session data. Therefore, when judging whether session data meets the RAT reconnection condition, only the three pieces of first session data, ip3, ip4 and ip5, need to be judged, and the three pieces of second session data, ip1, ip2 and ip6, do not.
Similarly, when judging whether session data meets the RAT long connection condition, only the three pieces of second session data, ip1, ip2 and ip6, need to be judged, and the three pieces of first session data, ip3, ip4 and ip5, do not.
By setting the first threshold, all session data can be divided into two types, so that in the subsequent judgement each piece of session data only needs to be judged against the RAT connection condition corresponding to its type rather than judged multiple times, which reduces the data processing workload and improves detection efficiency.
It is to be understood that how the RAT reconnection condition and the RAT long connection condition are set is not limited in this embodiment; the two ways described below are only some of many possible implementations.
1) As a preferred embodiment, the RAT reconnection conditions are: the connection times between the same source address and the same destination address reach preset times, and/or the duration of multiple connections exceeds a second threshold. The duration of multiple connections as referred to herein refers to the cumulative duration of each connection in the multiple connections generated between the same source address and the same destination address, and of course, the cumulative duration may or may not include the gap duration of each connection. Fig. 4 is a schematic diagram of suspicious traffic data satisfying a RAT reconnection condition according to an embodiment of the present application. As shown in fig. 4, the traffic data includes 5 first session data, which are ip1, ip2, ip3, ip4, and ip 5. The source address and the destination address of the first session data ip1, ip2, ip3 and ip4 are the same, and the source address and the destination address of ip5 are different from those of ip1, ip2, ip3 and ip4, that is, ip1, ip2, ip3 and ip4 satisfy the continuous connection between the same source address and the same destination address, wherein the connection frequency is 4 times, and the duration of the first session data exceeds a second threshold, where the duration may be t1+ t2+ t3+ t4, or t1+ t2+ t3+ t4+ (the gap duration of ip1 and ip 2) + (the gap duration of ip2 and ip 3) + (the gap duration of ip3 and ip 4).
Further, determining that there is suspicious first session data in the first session data that satisfies the RAT reconnection condition includes:
screening target first session data with the same source address and the same destination address from the obtained first session data to serve as a first set;
counting session reconnection times and reconnection duration time for multiple times corresponding to all target first session data in the first set;
and if the session reconnection times reach the preset times and the duration exceeds a second threshold, determining that suspicious first session data meeting the RAT reconnection condition exist in the first session data.
It is to be understood that the second threshold may be determined according to the actual situation; since the second threshold is a reference value characterizing the duration of all session data in the first set, there is no strict magnitude relationship between the second threshold and the first threshold. The basis for judging RAT reconnection is as follows: a normal program typically attempts to reconnect a limited number of times and then stops, whereas most RATs keep reconnecting to the attacker's server at a specific interval until a connection succeeds. Therefore, session data that reconnects to the same destination address many times over a long period can be determined to be suspicious first session data, i.e. data satisfying the RAT reconnection condition.
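The split by the first threshold and the reconnection check described above, written out as an added Python example (this is not code from the patent or from Sangfor). The threshold values, the address strings and the session records are constructed assumptions; both accounting rules for the cumulative duration (with and without the gaps between connections) are implemented so the difference in Fig. 4 can be seen on the sample:

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed threshold values (the patent leaves them to the implementer).
FIRST_THRESHOLD = 60.0     # seconds: splits first (short) from second (long) session data
PRESET_TIMES = 4           # reconnection count that counts as suspicious
SECOND_THRESHOLD = 120.0   # seconds: cumulative reconnection duration


@dataclass(frozen=True)
class Session:
    """One TCP session from the session field: source, destination, start and end time."""
    src: str
    dst: str
    start: float
    end: float

    @property
    def duration(self) -> float:
        return self.end - self.start


def split_by_first_threshold(sessions, first_threshold=FIRST_THRESHOLD):
    """First session data: duration <= first threshold; second session data: longer."""
    first = [s for s in sessions if s.duration <= first_threshold]
    second = [s for s in sessions if s.duration > first_threshold]
    return first, second


def first_sets(first_sessions):
    """Group first session data by (source, destination); each group is a 'first set'."""
    groups = defaultdict(list)
    for s in first_sessions:
        groups[(s.src, s.dst)].append(s)
    return groups


def reconnection_stats(group, include_gaps=False):
    """Reconnection count and cumulative duration of one first set.
    include_gaps=False sums t1 + t2 + ...; include_gaps=True also counts the gaps
    between connections, i.e. spans from the first start to the last end."""
    ordered = sorted(group, key=lambda s: s.start)
    if include_gaps:
        duration = ordered[-1].end - ordered[0].start
    else:
        duration = sum(s.duration for s in ordered)
    return len(ordered), duration


def find_suspicious_reconnections(sessions, preset_times=PRESET_TIMES,
                                  second_threshold=SECOND_THRESHOLD, include_gaps=False):
    """Return {(src, dst): (times, duration)} for every first set that meets the
    RAT reconnection condition: enough reconnections AND a long enough total."""
    first, _second = split_by_first_threshold(sessions)
    suspicious = {}
    for pair, group in first_sets(first).items():
        times, duration = reconnection_stats(group, include_gaps)
        if times >= preset_times and duration > second_threshold:
            suspicious[pair] = (times, duration)
    return suspicious


# Constructed sample traffic (not captured data): ip1..ip4 are four 40 s connections
# from the same source to the same destination, 20 s apart; ip5 is a single short
# session to another address; a normal program retries three times and then stops.
SAMPLE = [
    Session("10.0.0.5", "203.0.113.7", 0.0, 40.0),
    Session("10.0.0.5", "203.0.113.7", 60.0, 100.0),
    Session("10.0.0.5", "203.0.113.7", 120.0, 160.0),
    Session("10.0.0.5", "203.0.113.7", 180.0, 220.0),
    Session("10.0.0.9", "198.51.100.2", 0.0, 30.0),
    Session("10.0.0.6", "192.0.2.10", 0.0, 5.0),
    Session("10.0.0.6", "192.0.2.10", 10.0, 15.0),
    Session("10.0.0.6", "192.0.2.10", 20.0, 25.0),
    # a long session: second session data, excluded from the reconnection check
    Session("10.0.0.5", "203.0.113.7", 300.0, 900.0),
]

if __name__ == "__main__":
    print(find_suspicious_reconnections(SAMPLE))
    print(find_suspicious_reconnections(SAMPLE, include_gaps=True))
```

The three-attempt retry from 10.0.0.6 falls below the preset count and is not reported, which is the distinction the text draws between a normal program and a RAT; the same pair with four attempts is reported with a cumulative duration of 160 s without gaps and 220 s with them.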
2) As a preferred embodiment, the RAT long connection condition may include the following three cases:
a master-slave connection exists between the same source address and the same destination address, wherein the master-slave connection is as follows: a session with session duration greater than a third threshold exists between the source address and the destination address, and a plurality of pieces of session data with session duration less than a fourth threshold exist within the session duration, the third threshold is not less than the first threshold, and the fourth threshold is less than the third threshold.
Or the heartbeat interval stationarity of the data packets from the internal network to the external network is smaller than a stationarity threshold, wherein the heartbeat interval stationarity is: the stationarity of the time intervals between a plurality of data packets whose sizes lie within an error range of each other.
Or the session duration is greater than a fifth threshold, the size of each data packet is smaller than a preset number of bytes, and the ratio of the number of data packets carrying the TCP PSH flag to the total number of data packets of the session data exceeds a preset ratio; wherein the fifth threshold is not less than the first threshold.
Further, determining that there is suspicious second session data satisfying the RAT long connection condition in the second session data includes the following three cases:
(1) Screening target second session data with the same source address and the same destination address from the session data to serve as a second set; if the second set contains a piece of target second session data whose session duration is greater than a third threshold, and a plurality of pieces of session data whose session duration is less than a fourth threshold exist within the session duration range of that target second session data, determining that suspicious second session data meeting the RAT long connection condition exists in the second session data.
It is to be understood that the second set is composed of a plurality of pieces of second session data, and the session duration of any piece of session data in the set is greater than the first threshold, so the third threshold is necessarily not less than the first threshold, and usually the third threshold is greater than the first threshold. Second session data in the second set, in which the target session duration is greater than the third threshold, may be regarded as a master connection, and session data in which the existing session duration is less than the fourth threshold in a time range in which the master connection is alive may be regarded as a slave connection, so that the above session data constitutes suspicious second session data. The number of pieces of session data in which the session durations are less than the fourth threshold may be set according to actual situations, and may be 4, for example. The fourth threshold is smaller than the third threshold, and the relationship between the fourth threshold and the first threshold is not limited. Preferably, the fourth threshold is smaller than the first threshold, so that the suspicious second session data includes one piece of second session data and a plurality of pieces of first session data.
(2) If the heartbeat gap stationarity corresponding to a plurality of pieces of session data in the second session data is not greater than the stationarity threshold, determining that suspicious second session data meeting the RAT long connection condition exists in the second session data.
As a preferred embodiment, determining that the heartbeat gap stationarity corresponding to a plurality of pieces of session data in the second session data is not greater than the stationarity threshold is implemented by:
acquiring the data packet fields of each piece of second session data transmitted from the intranet to the extranet;
grouping the data packets according to a preset data packet size interval, that is, grouping the intranet-to-extranet data packets contained in each piece of second session data so that the packets in each group are of approximately equal size, namely within the range W ± α, where α is the error;
letting X_k denote the set of arrival time intervals of all adjacent data packets in the k-th group, where the i-th time interval is recorded as
[formula image BDA0002971466190000121, not reproduced on this page]
denoting
[formula image BDA0002971466190000122, not reproduced on this page]
where n represents the total number of data packets in the k-th group, and letting
[formula image BDA0002971466190000123, not reproduced on this page]
calculating the heartbeat gap stationarity
[formula image BDA0002971466190000124, not reproduced on this page]
and if the heartbeat interval stationarity is not greater than the stationarity threshold, the heartbeat behavior in the time period corresponding to the k-th group is abnormal.
It is understood that the second session data corresponding to the kth group is suspicious second session data satisfying the RAT long connection condition.
It should be noted that, in mode (2), the condition that the accumulated byte number of each data packet is less than the preset number of bytes specifically means: the accumulated byte number of each data packet from the internal network to the external network is less than the preset number of bytes.
(3) If the session duration is greater than a fifth threshold, the accumulated byte number of each data packet is less than the preset number of bytes, and the ratio of the number of data packets carrying the TCP PSH flag to the total number of data packets of the session data exceeds the preset ratio, determining that suspicious second session data meeting the RAT long connection condition exists in the second session data.
In a specific implementation, the preset number of bytes is not limited and may be 128, and the preset ratio is not limited and may be 90%. It is understood that the fifth threshold is not less than the first threshold. For example, with a preset ratio of 90%: if the session duration of a piece of second session data is greater than the fifth threshold, every data packet is smaller than 128 bytes, and 19 of its 20 data packets carry the TCP PSH flag, then that second session data is suspicious second session data satisfying the RAT long connection condition. By contrast, if the session duration is greater than the fifth threshold, every data packet is smaller than 128 bytes, but only 10 of the 20 data packets carry the TCP PSH flag, then that second session data is not suspicious second session data satisfying the RAT long connection condition.
The TCP PSH flag is selected because some data packets contain only a TCP header with flags set; such packets serve only for acknowledgement, session reset, retransmission control and the like, and carry no data part.
In the embodiment (3), the packet size and the ratio may be calculated from only packets from the intranet to the extranet.
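The three long-connection cases (master-slave connection, heartbeat stationarity, small PSH-heavy packets) as an added Python example; this is not the patent's or Sangfor's code. All thresholds, the packet-size tolerance α, the required number of slave connections and the sample traffic are constructed assumptions. The patent's stationarity formula survives on this page only as image references, so the metric used here, the coefficient of variation of the inter-arrival intervals within one size group, is an assumed stand-in:

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Assumed values (the patent fixes none of them; 128 bytes and 90% are its examples).
FIRST_THRESHOLD = 60.0        # seconds: longer sessions are second session data
THIRD_THRESHOLD = 600.0       # seconds: minimum duration of a master connection (>= first)
FOURTH_THRESHOLD = 30.0       # seconds: slave connections are shorter than this (< third)
FIFTH_THRESHOLD = 600.0       # seconds: minimum duration for the PSH-ratio case (>= first)
PRESET_BYTES = 128            # every intranet->extranet packet must be smaller than this
PRESET_RATIO = 0.9            # share of outbound packets carrying PSH
STATIONARITY_THRESHOLD = 0.1  # intervals this regular (or more) count as a heartbeat
ALPHA = 16                    # bytes: W +/- alpha size tolerance when grouping packets
MIN_SLAVES = 4                # "a plurality" of slave connections; 4 is the patent's example


@dataclass
class Packet:
    ts: float        # timestamp in seconds
    size: int        # bytes
    outbound: bool   # True: intranet -> extranet
    psh: bool        # TCP PSH flag set


@dataclass
class Session:
    src: str
    dst: str
    start: float
    end: float
    packets: list = field(default_factory=list)

    @property
    def duration(self) -> float:
        return self.end - self.start


def group_by_size(packets, alpha=ALPHA):
    """Bin packets so every member of a group is within W +/- alpha of the
    group's first packet size W. Returns [(W, members)] in arrival order."""
    groups = []
    for p in sorted(packets, key=lambda p: p.ts):
        for w, members in groups:
            if abs(p.size - w) <= alpha:
                members.append(p)
                break
        else:
            groups.append((p.size, [p]))
    return groups


def interval_stationarity(group):
    """Assumed metric (not the patent's formula): coefficient of variation of the
    inter-arrival intervals of one size group; 0.0 means perfectly periodic."""
    ts = [p.ts for p in group]
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2 or mean(intervals) == 0:
        return None
    return pstdev(intervals) / mean(intervals)


def master_slave_condition(master, all_sessions, third=THIRD_THRESHOLD,
                           fourth=FOURTH_THRESHOLD, min_slaves=MIN_SLAVES):
    """Case (1): a long master session plus several short sessions to the same
    destination that start and end while the master is alive."""
    if master.duration <= third:
        return False
    slaves = [s for s in all_sessions if s is not master
              and (s.src, s.dst) == (master.src, master.dst)
              and s.duration < fourth
              and master.start <= s.start and s.end <= master.end]
    return len(slaves) >= min_slaves


def heartbeat_condition(session, threshold=STATIONARITY_THRESHOLD, min_packets=5):
    """Case (2): some size group of outbound packets has near-constant spacing."""
    outbound = [p for p in session.packets if p.outbound]
    for _w, members in group_by_size(outbound):
        if len(members) >= min_packets:
            s = interval_stationarity(members)
            if s is not None and s <= threshold:
                return True
    return False


def psh_ratio_condition(session, fifth=FIFTH_THRESHOLD,
                        preset_bytes=PRESET_BYTES, preset_ratio=PRESET_RATIO):
    """Case (3): long session, every outbound packet small, nearly all carrying PSH."""
    outbound = [p for p in session.packets if p.outbound]
    if session.duration <= fifth or not outbound:
        return False
    if any(p.size >= preset_bytes for p in outbound):
        return False
    return sum(1 for p in outbound if p.psh) / len(outbound) > preset_ratio


def find_suspicious_long_connections(sessions, first=FIRST_THRESHOLD):
    """Evaluate the three cases for every second session (duration > first threshold)."""
    results = {}
    for s in (s for s in sessions if s.duration > first):
        hits = {"master_slave": master_slave_condition(s, sessions),
                "heartbeat": heartbeat_condition(s),
                "psh_ratio": psh_ratio_condition(s)}
        if any(hits.values()):
            results[(s.src, s.dst, s.start)] = hits
    return results


def _beacon(start, end, period, size):
    """Constructed traffic: a small PSH packet out every `period` s, each answered by a 40-byte ACK."""
    pk, t = [], start
    while t < end:
        pk.append(Packet(t, size, True, True))
        pk.append(Packet(t + 0.05, 40, False, False))
        t += period
    return pk


# Constructed sample (not captured data): a 20-minute session beaconing 64-byte packets
# every 30 s, four 10 s sessions to the same destination while it is alive, and a
# benign long session that sends large packets at irregular times.
RAT_MASTER = Session("10.0.0.5", "203.0.113.7", 0.0, 1200.0, _beacon(0.0, 1200.0, 30.0, 64))
RAT_SLAVES = [Session("10.0.0.5", "203.0.113.7", 100.0 + 200 * i, 110.0 + 200 * i) for i in range(4)]
BENIGN = Session("10.0.0.8", "192.0.2.10", 0.0, 1200.0,
                 [Packet(t, 1400, True, t % 2 == 0) for t in (0, 5, 7, 30, 31, 100, 400)])
SAMPLE = [RAT_MASTER, *RAT_SLAVES, BENIGN]

if __name__ == "__main__":
    for key, hits in find_suspicious_long_connections(SAMPLE).items():
        print(key, hits)
```

The beaconing session matches all three cases, while the benign session fails each one: no short sessions accompany it, its packets are larger than the preset byte count, and its intervals are irregular. Grouping by size before measuring intervals matters because a session that interleaves heartbeats with real data transfers would otherwise look irregular.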
On the basis of the above embodiment, determining the detection result of suspicious traffic data according to threat intelligence includes:
determining an external network address of the suspicious traffic data;
searching an IP address matched with the external network address in a threat information library;
acquiring threat information associated with the IP address;
and if the threat intelligence has a malicious behavior record, determining that the RAT connection exists between the source address corresponding to the suspicious flow data and the external network address.
Because the suspicious first session data and the suspicious second session data are both suspicious traffic data meeting the RAT connection condition, the suspicious traffic data corresponds to the suspicious first session data and the suspicious second session data, and the external network address of the suspicious traffic data is the external network address of that session data, which can be obtained from the destination address in the session field. The threat intelligence library is a database storing threat intelligence, including threat intelligence associated with IP addresses. Specifically, the threat intelligence includes one or any combination of host information, domain name information and file information. For example, if the host information corresponding to IP address 1 has a malicious behavior record, it is determined that a RAT connection exists between the source address corresponding to the suspicious traffic data and that external network address.
It should be noted that after the suspicious traffic data is obtained, the corresponding detection result may be determined in real time, or after a plurality of suspicious traffic data are obtained, the corresponding detection results may be determined together. As a preferred embodiment, the detection result of the suspicious traffic is judged in real time, so that the timeliness of the detection is improved. In addition, after the detection result is obtained, if the detection result indicates that the RAT connection exists, the RAT connection is prompted according to a preset prompting mode, and the specific prompting mode is not limited.
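The threat intelligence step (external address lookup, fetching the associated intelligence, and deciding on a malicious behavior record), as an added Python example that is not the patent's or Sangfor's code. The intelligence library, its record layout and the addresses are constructed placeholders; the batch helper illustrates the "determine several results together" mode mentioned above:

```python
from dataclasses import dataclass, field


@dataclass
class ThreatIntel:
    """One threat intelligence record keyed by IP address: host, domain name and
    file information, each of which may carry malicious behavior records."""
    ip: str
    host_info: dict = field(default_factory=dict)
    domain_info: dict = field(default_factory=dict)
    file_info: dict = field(default_factory=dict)

    def malicious_records(self):
        """Return (category, record) pairs for every malicious behavior record present."""
        found = []
        for category, info in (("host", self.host_info),
                               ("domain", self.domain_info),
                               ("file", self.file_info)):
            for record in info.get("malicious_behavior", []):
                found.append((category, record))
        return found


# Constructed intelligence library (placeholder data, not a real feed).
INTEL_LIBRARY = {
    "203.0.113.7": ThreatIntel("203.0.113.7",
                               host_info={"malicious_behavior": ["remote control server observed"]},
                               domain_info={"domains": ["placeholder-c2.example"]}),
    "198.51.100.2": ThreatIntel("198.51.100.2", host_info={"malicious_behavior": []}),
}


def detect_rat_connection(src, external_address, library):
    """Look the external (destination) address up, fetch its intelligence, and
    report a RAT connection only if a malicious behavior record exists. An address
    absent from the library yields no detection rather than an error."""
    intel = library.get(external_address)
    if intel is None:
        return {"src": src, "dst": external_address, "rat_connection": False,
                "reason": "address not in threat intelligence library", "evidence": []}
    evidence = intel.malicious_records()
    return {"src": src, "dst": external_address, "rat_connection": bool(evidence),
            "reason": "malicious behavior record" if evidence else "no malicious record",
            "evidence": evidence}


def detect_batch(suspicious_pairs, library):
    """Batch mode: several suspicious (src, dst) pairs judged together; each external
    address is looked up once and the verdict reused for every source that reached it."""
    cache, results = {}, []
    for src, dst in suspicious_pairs:
        if dst not in cache:
            cache[dst] = detect_rat_connection(src, dst, library)
        results.append({**cache[dst], "src": src})
    return results


# Constructed output of the traffic-side stage: pairs that met a RAT connection condition.
SUSPICIOUS = [("10.0.0.5", "203.0.113.7"), ("10.0.0.9", "198.51.100.2"),
              ("10.0.0.6", "192.0.2.10"), ("10.0.0.7", "203.0.113.7")]

if __name__ == "__main__":
    for verdict in detect_batch(SUSPICIOUS, INTEL_LIBRARY):
        print(verdict)
```

Only the pairs whose external address carries a malicious behavior record are reported as RAT connections; a known-but-clean address and an address missing from the library both produce a negative result with the reason recorded, which is what an analyst needs when deciding whether to expand the library.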
In the foregoing embodiment, a detailed description is given of the RAT connection detection method, and the present application also provides an embodiment corresponding to the RAT connection detection apparatus, specifically described in terms of functional modules.
Fig. 5 is a block diagram of another RAT connection detection apparatus according to an embodiment of the present disclosure. As shown in fig. 5, the apparatus includes:
an obtaining module 10, configured to obtain TCP-based traffic data between an external network and an internal network;
the analysis module 11 is configured to analyze suspicious traffic data meeting RAT connection conditions in the traffic data;
and the determining module 12 is used for determining the detection result of the suspicious flow data according to the threat intelligence.
In a preferred embodiment, the apparatus further includes a preprocessing module, configured to, before the analysis module 11 analyzes suspicious traffic data meeting RAT connection conditions in the traffic data, analyze the traffic data into data with a preset structure according to the TCP; dividing the flow data into a plurality of pieces of session data according to a TCP session format; the session data comprises a data packet field and a session field, the data packet field comprises a data packet size, a timestamp and a TCP zone bit, and the session field comprises a session duration, a source address and a destination address.
Since the embodiment of the apparatus portion and the embodiment of the method portion correspond to each other, please refer to the description of the embodiment of the method portion for the embodiment of the apparatus portion, and details are not repeated here.
The RAT connection detection apparatus provided by this embodiment takes the TCP-based traffic data transmitted from the extranet into the intranet as the detection object, so no related deployment is needed on each host, which reduces the deployment cost; and after the suspicious traffic data meeting the RAT connection condition in the traffic data is analyzed, the detection result of the suspicious traffic data is determined according to threat intelligence, so that the accuracy of the detection result is improved through the combination of traffic-side feature detection and threat intelligence, corroborating information from multiple sides is obtained, and intranet security is improved.
In the above embodiment, a RAT connection detection method is described in detail, and the application also provides an embodiment corresponding to the traffic auditing device, which is specifically described in terms of a hardware structure. Fig. 6 is a structural diagram of a flow audit device according to an embodiment of the present application. As shown in fig. 6, the apparatus includes a memory for storing a computer program;
a processor configured to implement the steps of the RAT connection detection method in the above method embodiments when executing the computer program.
The flow auditing device provided by the embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, or the like.
The processor 21 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 21 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 21 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, also called a Central Processing Unit (CPU), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 21 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 21 may further include an AI (Artificial Intelligence) processor for processing calculation operations related to machine learning.
The memory 20 may include one or more computer-readable storage media, which may be non-transitory. Memory 20 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 20 is at least used for storing a computer program 201, wherein after being loaded and executed by the processor 21, the computer program can implement the relevant steps of the RAT connection detection method disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 20 may also include an operating system 202, data 203, and the like, and the storage manner may be a transient storage manner or a permanent storage manner. Operating system 202 may include, among others, Windows, Unix, Linux, and the like. Data 203 may include, but is not limited to, the traffic data mentioned above.
In some embodiments, the flow audit device may also include a display screen 22, an input-output interface 23, a communication interface 24, a power supply 25, and a communication bus 26.
Those skilled in the art will appreciate that the configuration shown in FIG. 6 does not constitute a limitation of the flow audit device and may include more or fewer components than those shown.
The flow auditing equipment provided by the embodiment of the application comprises a memory and a processor, wherein the processor can realize the RAT connection detection method when executing a program stored in the memory, and the method takes the TCP-based flow data transmitted into an intranet by an extranet as a detection object, so that related deployment on each host is not needed, the deployment cost is reduced, and after suspicious flow data meeting the RAT connection condition in the flow data are analyzed, the detection result of the suspicious flow data is determined according to threat information, so that the accuracy of the detection result is improved through the combination of flow side characteristic detection and the threat information, multi-layer evidence proving information is obtained, and the safety of the intranet is improved.
Finally, the application also provides a corresponding embodiment of the computer readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps as set forth in the above-mentioned method embodiments.
It is to be understood that if the method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application may be substantially or partially implemented in the form of a software product, which is stored in a storage medium and executes all or part of the steps of the methods of the embodiments of the present application, or all or part of the technical solutions. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The RAT connection detection method, the traffic auditing device, and the medium provided by the present application are described in detail above. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed in the embodiment corresponds to the method disclosed in the embodiment, so that the description is simple, and the relevant points can be referred to the description of the method part. It should be noted that, for those skilled in the art, without departing from the principle of the present application, the present application can also make several improvements and modifications, and those improvements and modifications also fall into the protection scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A RAT connection detection method, comprising:
acquiring flow data based on TCP between an outer network and an inner network;
analyzing suspicious traffic data which accord with RAT connection conditions in the traffic data;
and determining the detection result of the suspicious flow data according to the threat intelligence.
2. The method of claim 1, further comprising, prior to the analyzing the traffic data for suspect RAT connection-eligible traffic data:
analyzing the flow data into data with a preset structure according to the TCP;
dividing the flow data into a plurality of pieces of session data according to a TCP session format;
correspondingly, the analyzing the suspicious traffic data meeting the RAT connection condition in the traffic data includes:
determining the session duration of the session data;
if the session duration is not greater than a first threshold, taking the session data not greater than the first threshold as first session data;
if suspicious first session data meeting RAT reconnection conditions exist in the first session data, determining that the suspicious first session data are suspicious flow data meeting the RAT connection conditions;
and/or
If the session duration is greater than the first threshold, taking the session data greater than the first threshold as second session data;
if suspicious second session data meeting RAT long connection conditions exist in the second session data, determining that the suspicious second session data are suspicious flow data meeting the RAT connection conditions;
wherein the RAT connection condition comprises a RAT reconnection condition and a RAT long connection condition.
3. The method of claim 2, wherein the RAT reconnect condition is: the same source address and the same destination address are continuously connected, and/or the continuous duration of the continuous connection exceeds a second threshold.
4. The method of claim 3, wherein determining that there is suspicious first session data among the first session data that satisfies a RAT reconnect condition comprises:
screening out target first session data with the same source address and the same destination address from the obtained first session data to serve as a first set;
counting session reconnection times and multiple reconnection duration corresponding to all the target first session data in the first set;
and if the session reconnection times reach the preset times and the duration exceeds the second threshold, determining that the suspicious first session data meeting the RAT reconnection condition exists in the first session data.
5. The method of claim 2, wherein the RAT long connection condition is:
a master-slave connection exists between the same source address and the same destination address, wherein the master-slave connection is as follows: a session with the session duration larger than a third threshold exists between the source address and the destination address, and a plurality of pieces of session data with the session duration smaller than a fourth threshold exist within the session duration, wherein the third threshold is not smaller than the first threshold, and the fourth threshold is smaller than the third threshold;
or heartbeat interval stationarity of the data packet from the internal network to the external network is smaller than a steady threshold value, wherein the heartbeat interval stationarity is as follows: the time interval stationarity between a plurality of data packets with the data packet size within the error range;
or the session duration is greater than a fifth threshold, the cumulative byte number of the data packet is smaller than a preset byte number, and the ratio of the number of the data packets with the TCP PSH flag bits to the total number of the data packets of the session data exceeds the session data with the preset ratio; wherein the fifth threshold is not less than the first threshold.
6. The method of claim 5, wherein determining that there is suspicious second session data in the second session data that satisfies a RAT long connection condition comprises:
screening target second session data with the same source address and the same destination address from the session data to serve as a second set;
if a piece of second session data with the session duration of the target second session data being greater than the third threshold exists in the second set, and a plurality of pieces of session data with the session duration being smaller than the fourth threshold exist in the session duration range of the target second session data, determining that suspicious second session data meeting the RAT long connection condition exists in the second session data;
if heartbeat gap stationarity corresponding to a plurality of pieces of session data in the second session data is not greater than the stationarity threshold, determining that suspicious second session data meeting the RAT long connection condition exists in the second session data;
if the session duration is greater than the fifth threshold, the cumulative byte number of each data packet is less than the preset byte number, and the ratio of the number of the data packets with the TCP PSH flag bits to the total number of the data packets of the session data exceeds the preset ratio, the suspicious second session data meeting the RAT long connection condition is determined to exist in the second session data.
7. The method of claim 6, wherein the cumulative number of bytes of each packet size less than the predetermined number of bytes is specifically: the accumulated byte number of each data packet from the internal network to the external network is less than the preset byte number; the session data in which the ratio of the number of the data packets with the TCP PSH flag bits to the total number of the data packets of the session data exceeds a preset ratio specifically includes: the ratio of the number of data packets from the internal network to the external network with TCP PSH zone bits to the total number of data packets from the internal network to the external network of the session data exceeds the session data with the preset ratio.
8. The method according to any one of claims 1 to 7, wherein the determining the detection result of the suspicious traffic data according to threat intelligence comprises:
determining an external network address of the suspicious traffic data;
searching an IP address matched with the external network address in a threat information library;
obtaining threat intelligence associated with the IP address;
and if the threat intelligence has a malicious behavior record, determining that the RAT connection exists between a source address corresponding to the suspicious traffic data and the external network address.
9. A traffic auditing apparatus comprising a memory for storing a computer program;
a processor for implementing the steps of the RAT connection detection method according to any of claims 1 to 8 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the RAT connection detection method according to any one of claims 1 to 8.
CN202110264329.9A 2021-03-11 2021-03-11 RAT connection detection method, flow audit equipment and medium Pending CN115134096A (en)


Publications (1)

Publication Number Publication Date
CN115134096A true CN115134096A (en) 2022-09-30




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination