CN115955333A - C2 server identification method and device, electronic equipment and readable storage medium - Google Patents

Publication number: CN115955333A
Application number: CN202211539414.2A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王奕雄, 李艳军
Assignee: Beijing Knownsec Information Technology Co Ltd
Prior art keywords: server, preset rule, information, equipment, preset

Classification: Computer And Data Communications

Abstract

The embodiment of the application provides a C2 server identification method and apparatus, an electronic device, and a readable storage medium, and relates to the technical field of communication. The method comprises the following steps: for each candidate device, acquiring first device information of the candidate device through asset detection, wherein a candidate device is a device corresponding to an asset that can be searched during asset detection; and determining the C2 server from the candidate devices according to a preset rule and the first device information, wherein the preset rule is a rule set according to the known characteristics of the C2 server. In this way, both C2 servers already in use and newly online C2 servers that have not yet been used can be actively identified from the mass of targets exposed on the Internet, so that a newly online, not-yet-used C2 server can be blocked and protected against in advance.

Description

C2 server identification method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a C2 server identification method, apparatus, electronic device, and readable storage medium.
Background
A C2 server (Command & Control server), also called a C&C server, is typically the host that a virus or trojan contacts after it has taken control of a victim host; the attacker relays commands through the C2 server. Existing C2 server discovery is mainly achieved by security technicians detecting the call-back (beaconing) behaviour in the traffic or on the terminals of the victim network, and thereby discovering the C2 server. This method has very low efficiency, can find the C2 server only after the virus or trojan has been implanted, and cannot discover the IP address or domain name of the C2 server in advance, so that blocking and protection cannot be carried out in advance.
Disclosure of Invention
The embodiment of the application provides a C2 server identification method and apparatus, an electronic device, and a readable storage medium, which can actively identify C2 servers among the massive targets exposed on the Internet, so that newly online C2 assets that have not yet been used can be found and blocking and protection can be carried out in advance.
The embodiment of the application can be realized as follows:
in a first aspect, an embodiment of the present application provides a C2 server identification method, where the method includes:
for each candidate device, acquiring first device information of the candidate device through asset detection, wherein a candidate device is a device corresponding to an asset that can be searched during asset detection; and
determining the C2 server from the candidate devices according to a preset rule and the first device information, wherein the preset rule is a rule set according to the known characteristics of the C2 server.
In a second aspect, an embodiment of the present application provides a C2 server identification apparatus, where the apparatus includes:
a detection module, configured to acquire, for each candidate device, first device information of the candidate device through asset detection, wherein a candidate device is a device corresponding to an asset that can be searched during asset detection; and
an identification module, configured to determine the C2 server from the candidate devices according to a preset rule and the first device information, wherein the preset rule is a rule set according to the known characteristics of the C2 server.
In a third aspect, an embodiment of the present application provides an electronic device, which includes a processor and a memory, where the memory stores machine executable instructions that can be executed by the processor, and the processor can execute the machine executable instructions to implement the C2 server identification method described in the foregoing embodiment.
In a fourth aspect, the present application provides a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the C2 server identification method according to the foregoing embodiment.
According to the C2 server identification method and apparatus, electronic device, and readable storage medium described above, first device information of each candidate device is obtained through asset detection, a candidate device being a device corresponding to an asset that can be searched during asset detection; the C2 server is then determined from the candidate devices according to a preset rule and the first device information, the preset rule being a rule set according to the known characteristics of the C2 server. In this way, both C2 servers already in use and newly online C2 servers that have not yet been used can be actively identified from the mass of targets exposed on the Internet, so that a newly online, not-yet-used C2 server can be blocked and protected against in advance.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a block diagram of an electronic device according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a C2 server identification method according to an embodiment of the present disclosure;
FIG. 3 is a flowchart illustrating the sub-steps included in step S120 of FIG. 2;
FIG. 4 is a schematic flow chart of the substeps involved in substep S121 of FIG. 3;
FIG. 5 is a schematic flow chart of sub-steps included in sub-step S123 of FIG. 3;
fig. 6 is a schematic diagram of second device information provided in an embodiment of the present application;
fig. 7 is a schematic block diagram of a C2 server identification apparatus according to an embodiment of the present application.
Reference numerals: 100, electronic device; 110, memory; 120, processor; 130, communication unit; 200, C2 server identification apparatus; 210, detection module; 220, identification module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
C2 servers are currently generally discovered in two ways.
The first method: the address of the detected virus or trojan link is extracted by analysing the security event, and the C2 server is then passively discovered through manual judgement based on experience.
The second method: the C2 server is passively identified by collecting C2 IP and domain name information from open source threat intelligence and judging it through manual experience.
The amount of open source intelligence is very large, and the accuracy of the collected C2 IP and domain name information cannot be verified automatically in batches. Both methods rely on manual experience, which places high demands on the technical ability and experience of personnel, raises the entry threshold for personnel, and, because manual intervention is needed, results in low efficiency. Meanwhile, the information sources of both methods are limited: only C2 servers that have already been disclosed can be found, that is, a C2 server can be found only after the virus or trojan has been implanted. As technology develops, viruses and trojans become harder to detect, and many information systems are controlled by a C2 without knowing it; the IP address or domain name of the C2 server cannot be found in advance, so blocking and protection cannot be carried out in advance.
In order to alleviate the above situation, embodiments of the present application provide a C2 server identification method, apparatus, electronic device, and readable storage medium, which can actively identify, among the massive targets exposed on the Internet, both C2 servers already in use and newly online C2 servers that have not yet been used, so as to facilitate blocking and protection in advance while reducing dependence on open source intelligence and manpower; moreover, the identification of the C2 server is completed automatically, which improves discovery efficiency and reduces labour cost.
It should be noted that the defects existing in the above solutions are the results obtained after the inventor has practiced and studied carefully, and therefore, the discovery process of the above problems and the solutions proposed by the following embodiments of the present application to the above problems should be the contribution of the inventor to the present application in the process of the present application.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments and features of the embodiments described below can be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a block diagram of an electronic device 100 according to an embodiment of the present disclosure. The electronic device 100 may be, but is not limited to, a computer, a server, etc. The electronic device 100 includes a memory 110, a processor 120, and a communication unit 130. The elements of the memory 110, the processor 120 and the communication unit 130 are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The memory 110 is used to store programs or data. The memory 110 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 120 is used to read/write data or programs stored in the memory 110 and perform corresponding functions. For example, the memory 110 stores therein the C2 server identification apparatus 200, and the C2 server identification apparatus 200 includes at least one software functional module that can be stored in the memory 110 in the form of software or firmware (firmware). The processor 120 executes various functional applications and data processing by running software programs and modules stored in the memory 110, such as the C2 server identification apparatus 200 in the embodiment of the present application, so as to implement the C2 server identification method in the embodiment of the present application.
The communication unit 130 is used for establishing a communication connection between the electronic apparatus 100 and another communication terminal via a network, and for transceiving data via the network.
It should be understood that the structure shown in fig. 1 is only a schematic structural diagram of the electronic device 100, and the electronic device 100 may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
Referring to fig. 2, fig. 2 is a flowchart illustrating a C2 server identification method according to an embodiment of the present disclosure. The method may be applied to the electronic device 100 described above. The specific flow of the C2 server identification method is described in detail below. In this embodiment, the method may include steps S110 to S120.
Step S110: for each candidate device, obtain first device information of the candidate device through asset detection.
Step S120: determine the C2 server from the candidate devices according to a preset rule and the first device information.
In this embodiment, each asset that can be searched at the time of asset detection may include a domain name, an IP address, and the like. The device corresponding to each asset is taken as a candidate device, and first device information of each candidate device is acquired through asset detection. The C2 server is then determined from the candidate devices based on the preset rule and the first device information of each candidate device, where the preset rule is a rule set according to the known characteristics of the C2 server.
In this way, both C2 servers already in use and newly online C2 servers that have not yet been used can be screened out of the mass of targets exposed on the Internet, so that blocking and protection can be carried out in advance; at the same time no manual analysis is needed, so identification efficiency is improved and dependence on open source intelligence and security event information is reduced.
Optionally, in this embodiment, each candidate device on the Internet may be detected by a cyberspace search engine to obtain its first device information. The preset rules include a first preset rule, which comprises characteristics common to C2 devices. The information types in the first device information are the same as those in the first preset rule, which facilitates matching. Referring to fig. 3, fig. 3 is a flowchart illustrating the sub-steps included in step S120 in fig. 2. In the present embodiment, step S120 may include sub-steps S121 to S123.
Sub-step S121: for each candidate device, match the first device information of the candidate device with the first preset rule.
In this embodiment, for each device to be selected, the first device information of the device to be selected may be compared with the information in the first preset rule to obtain a matching result. The first preset rule may be specifically set in combination with an actual requirement.
As a possible implementation manner, the preset parameter of the first preset rule may include at least one of preset header information, a preset HTTP service status code, a preset transmission text type, and a preset text length, and the matching result may be obtained in a manner shown in fig. 4. Referring to fig. 4, fig. 4 is a schematic flowchart illustrating sub-steps included in sub-step S121 in fig. 3. In the present embodiment, the substep S121 may include substeps S1211 to substep S1212.
Sub-step S1211: compare each item of the first device information with the corresponding preset parameter in the first preset rule.
Sub-step S1212: determine a matching result according to the obtained comparison results.
In this embodiment, each item of the first device information is compared with the preset parameter of the same category in the first preset rule. For example, when the preset parameters of the first preset rule include preset header information, a preset HTTP service status code, a preset transmission text type, and a preset text length, the header information, returned status code, transmission text type, and text length of the candidate device (i.e., the actual header information, actual status code, actual transmission text type, and actual text length) may be obtained through asset detection; the preset header information is then compared with the actually detected header information, the preset HTTP service status code with the actual status code, the preset transmission text type with the actual transmission text type, and the preset text length with the actual text length.
It should be noted that the specific preset parameters in the first preset rule are only examples; they may be set in combination with actual requirements and are not specifically limited herein.
After each item has been compared, whether the first device information of the candidate device matches the first preset rule can be determined from the comparison results of the items. The specific way of determining the matching result from the comparison results may be set in combination with actual requirements; for example, the result may be determined to be a match when any one item matches, or only when all items match.
For example, the first preset rule is set as "HTTP/1.1 404 Not Found" + "Content-Type: text/plain" + "Content-Length: 0". For each candidate device it is then judged whether the status code of the device is 404 Not Found, whether the transmission text type is text/plain, and whether the text length is 0. When the status code of the candidate device is 404 Not Found, the transmission text type is text/plain, and the text length is 0, the first device information of the candidate device is determined to match the first preset rule.
Sub-step S122: take the candidate devices whose first device information matches the first preset rule as suspicious devices.
Sub-step S123: determine the C2 server from the determined suspicious devices.
Since the first preset rule is set according to the known characteristics of the C2 server, if the first device information of a candidate device matches the first preset rule, the characteristics of that device embodied by its first device information are characteristics of a C2 server. A corresponding secondary screening method may then be set in combination with actual requirements to determine the C2 server from the determined suspicious devices.
As a possible implementation, the preset rules further include a second preset rule, different from the first preset rule, and secondary screening may be performed in the manner shown in fig. 5. Referring to fig. 5, fig. 5 is a flowchart illustrating the sub-steps included in sub-step S123 in fig. 3. In the present embodiment, sub-step S123 may include sub-steps S1231 to S1233.
Sub-step S1231: obtain probe messages constructed according to the types of C2 servers.
If the probe message is constructed arbitrarily, the C2 server may return only a single HTTP header (for example, only HTTP/1.1 404), which makes it difficult to obtain second device information containing more detailed information. To avoid this, in this embodiment a corresponding probe message may be constructed for each known type of C2 server, so as to elicit a response from that type of C2 server and extract the second device information from the response. Optionally, the probe message corresponding to a protocol feature may be constructed according to the protocol features corresponding to the different types of C2 servers.
For example, for the HTTP and HTTPS protocols, probe messages may be constructed based on the characteristics of the C2 device so that the C2 device returns a response containing more detailed device information. For example, if a C2 device uses a normal HTTP interface without specific configuration and interacts on port 80, a probe message may be constructed for port 80. The number of probe messages constructed may equal the number of protocol features; for example, if there are 5 protocol features, 5 probe messages may be constructed.
Optionally, the probe messages may be constructed by the electronic device 100 itself, constructed by other devices, or obtained in some other way.
Sub-step S1232: for each suspicious device, perform deep interaction with the suspicious device using each type of probe message to obtain second device information of the suspicious device.
Optionally, batch concurrent probing based on each type of constructed probe message may be performed using the open source nmap script grab_beacon_config.nse, so as to obtain the second device information of each suspicious device and increase detection speed. It should be noted that every constructed type of probe message is used against each suspicious device.
The second device information includes HTTP service configuration parameters of the suspicious device and, correspondingly, may include at least one of a host header, a beacon type, a proxy type, and an API connection address. As a possible implementation, the second device information may be as shown in fig. 6 and include the host header (Host), the proxy type (Proxy_access Type), the beacon type (Beacon Type), and the API connection address (API_connect).
Sub-step S1233: for each suspicious device, match the second device information of the suspicious device with the second preset rule to determine whether the suspicious device is a C2 server.
In this embodiment, each item of the second device information is compared with the item of the same kind in the second preset rule. For example, if the second device information includes a host header and a proxy type, and the second preset rule includes a preset host header and a preset proxy type, the host header is compared with the preset host header and the proxy type with the preset proxy type. Whether the second device information of a suspicious device matches the second preset rule is then determined from the comparison results of the items, and a suspicious device whose second device information matches the second preset rule is taken as a C2 server. For a detailed description of how the second device information is matched with the second preset rule, reference may be made to the description above of how the first device information is matched with the first preset rule, which is not repeated here.
Optionally, the asset identifier of the candidate device identified as the C2 server, for example its domain name and/or IP address, may be used as the identifier of the C2 server. Blocking and protection can subsequently be carried out according to the identified C2 server identifier so as to avoid attacks from the C2 server.
According to the C2 server identification method based on active detection described above, massive targets exposed on the Internet are first screened preliminarily according to a first preset rule generated from the commonalities of C2 devices, producing a smaller target pool, which reduces the number of devices that subsequently require deep interaction and speeds up deep-interaction detection. Deep interaction is then carried out in batches with the suspicious devices determined by the preliminary screening, according to the characteristics of different C2 devices, and C2 devices are identified in batches based on the information obtained from the interaction and a second preset rule generated from C2 device characteristics. In this way, automated active detection of global cyberspace assets can be achieved, C2 servers (both known and unknown) can be found quickly and accurately, and dependence on open source intelligence and manpower is reduced.
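As an added example (not code from the patent or from its assignee), the two-stage screening of sub-steps S121 to S123 in Python: the first preset rule from the example above is applied to first device information parsed from a raw HTTP response, the surviving suspicious devices are handed to a deep-interaction step, and their second device information is matched against a second preset rule before the asset identifiers are returned for blocking. The asset records, the probe results and the values in the second preset rule are constructed for illustration, and the deep probe is a stand-in for the nmap script mentioned above.

```python
from dataclasses import dataclass

# First preset rule (sub-step S1211): the response characteristics from the
# patent's own example, i.e. status line, transmission text type and text length.
FIRST_PRESET_RULE = {
    "status_line": "HTTP/1.1 404 Not Found",
    "content_type": "text/plain",
    "content_length": 0,
}

# Second preset rule (sub-step S1233): matched against the HTTP service
# configuration obtained by deep interaction. The values are constructed
# placeholders for this example, not fingerprints of any real C2 product.
SECOND_PRESET_RULE = {"proxy_type": "direct", "beacon_type": "http"}


@dataclass
class Asset:
    identifier: str    # domain name or IP address found by the search engine
    raw_response: str  # raw HTTP response captured during asset detection


def parse_first_device_info(raw_response):
    """Extract first device information of the same information types as the
    first preset rule from a raw HTTP response (status line and headers only)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    info = {"status_line": " ".join(lines[0].split())}  # normalise whitespace
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if "content-type" in headers:
        # Drop parameters such as "; charset=utf-8" so the type compares cleanly.
        info["content_type"] = headers["content-type"].split(";")[0].strip().lower()
    if "content-length" in headers:
        try:
            info["content_length"] = int(headers["content-length"])
        except ValueError:
            pass  # a malformed length simply never matches the preset value
    return info


def matches_rule(info, rule, require_all=True):
    """Sub-step S1212: compare each item of the same category with its preset
    parameter. The patent leaves the aggregation open (one item matching, or all
    items matching), so it is a parameter here; the default is the strict form."""
    results = [info.get(key) == value for key, value in rule.items()]
    return all(results) if require_all else any(results)


def screen_suspicious(assets, rule=FIRST_PRESET_RULE):
    """Sub-steps S121/S122: keep only devices whose first device information
    matches the first preset rule, shrinking the pool for deep interaction."""
    return [a for a in assets
            if matches_rule(parse_first_device_info(a.raw_response), rule)]


def identify_c2_servers(assets, deep_probe, second_rule=SECOND_PRESET_RULE):
    """Sub-steps S1231-S1233: deep interaction with suspicious devices only,
    then second-rule matching; returns the asset identifiers to block on."""
    identified = []
    for device in screen_suspicious(assets):
        second_info = deep_probe(device)  # None when no usable response came back
        if second_info is not None and matches_rule(second_info, second_rule):
            identified.append(device.identifier)
    return identified


# Constructed sample data (documentation addresses, not real observations).
SAMPLE_ASSETS = [
    Asset("www.example.net",  # ordinary web server: fails the first rule
          "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1234\r\n\r\n<html>"),
    Asset("203.0.113.10",  # bare 404 with empty text/plain body: suspicious
          "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n\r\n"),
    Asset("203.0.113.11",  # same shape, charset parameter present: also suspicious
          "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain; charset=utf-8\r\n"
          "Content-Length: 0\r\n\r\n"),
    Asset("203.0.113.12",  # 404 that carries a body: not suspicious
          "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nContent-Length: 9\r\n\r\nnot found"),
]

# Stand-in for the deep interaction step (the patent mentions nmap's
# grab_beacon_config.nse for this); the results below are constructed.
CONSTRUCTED_PROBE_RESULTS = {
    "203.0.113.10": {"host_header": "cdn.example.net", "beacon_type": "http",
                     "proxy_type": "direct", "api_connect": "/api/v1/connect"},
    "203.0.113.11": None,  # only a bare header came back, no configuration
}


def constructed_deep_probe(device):
    return CONSTRUCTED_PROBE_RESULTS.get(device.identifier)


if __name__ == "__main__":
    print("suspicious:", [a.identifier for a in screen_suspicious(SAMPLE_ASSETS)])
    print("identified C2:", identify_c2_servers(SAMPLE_ASSETS, constructed_deep_probe))
```

Device 203.0.113.11 passes the first rule but yields no configuration on deep interaction, so it stays a suspicious device rather than being reported as a C2 server; only an identifier confirmed by both stages is returned.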
In order to execute the corresponding steps in the above embodiments and various possible manners, an implementation manner of the C2 server identification apparatus 200 is given below, and optionally, the C2 server identification apparatus 200 may adopt the device structure of the electronic device 100 shown in fig. 1. Further, referring to fig. 7, fig. 7 is a block diagram illustrating a C2 server identification apparatus 200 according to an embodiment of the present disclosure. It should be noted that the basic principle and the resulting technical effects of the C2 server identification apparatus 200 provided in this embodiment are the same as those of the above embodiment, and for brevity, reference may be made to the corresponding contents in the above embodiment for the parts not mentioned in this embodiment. In this embodiment, the C2 server identification apparatus 200 may include: a detection module 210 and an identification module 220.
The detection module 210 is configured to obtain, for each candidate device, first device information of the candidate device through asset detection. A candidate device is a device corresponding to an asset that can be searched during asset detection.
The identification module 220 is configured to determine the C2 server from the devices to be selected according to a preset rule and the first device information. Wherein the preset rule is a rule set according to the known characteristics of the C2 server.
Optionally, in this embodiment, the preset rules include a first preset rule, and the identification module 220 is specifically configured to: for each candidate device, match the first device information of the candidate device with the first preset rule; take the candidate devices whose first device information matches the first preset rule as suspicious devices; and determine the C2 server from the determined suspicious devices.
Optionally, in this embodiment, the preset rules further include a second preset rule, different from the first preset rule, and the identification module 220 is specifically configured to: obtain probe messages constructed according to the types of C2 servers; for each suspicious device, perform deep interaction with the suspicious device using each type of probe message to obtain second device information of the suspicious device, the second device information comprising HTTP service configuration parameters of the suspicious device; and, for each suspicious device, match the second device information of the suspicious device with the second preset rule to determine whether the suspicious device is a C2 server.
Optionally, in this embodiment, the identification module 220 is specifically configured to construct the probe message corresponding to a protocol feature according to the protocol features corresponding to the different types of C2 servers.
Optionally, in this embodiment, the second device information includes at least one of a host header, a beacon type, a proxy type, and an API connection address.
Optionally, in this embodiment, the preset parameter in the first preset rule includes at least one of preset header information, a preset HTTP service status code, a preset transmission text type, and a preset text length, and the identifying module 220 is specifically configured to: comparing each piece of information in the first equipment information with a preset parameter in the first preset rule respectively; and determining a matching result according to the obtained comparison result.
Alternatively, the above modules may be stored in the form of software or firmware in the memory 110 shown in fig. 1, or built into the operating system (OS) of the electronic device 100, and may be executed by the processor 120 in fig. 1. Meanwhile, the data, program code, and the like required to execute the above modules may be stored in the memory 110.
The embodiment of the application also provides a readable storage medium, on which a computer program is stored, and the computer program is executed by a processor to implement the C2 server identification method.
To sum up, the embodiment of the present application provides a C2 server identification method, an apparatus, an electronic device, and a readable storage medium. For each candidate device, first device information of the candidate device is obtained through asset detection, where a candidate device is a device corresponding to each asset that can be found during asset detection; the C2 server is then determined from the candidate devices according to a preset rule and the first device information, where the preset rule is set according to the known characteristics of C2 servers. In this way, both C2 servers already in use and newly deployed C2 servers not yet used can be actively identified among the mass of targets exposed on the Internet, so that newly deployed, not yet used C2 servers can be blocked and defended against in advance.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The foregoing is illustrative of only alternative embodiments of the present application and is not intended to limit the present application, which may be modified or varied by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A C2 server identification method, the method comprising:
for each device to be selected, acquiring first device information of the device to be selected through asset detection, wherein the device to be selected is a device corresponding to each asset that can be searched during asset detection; and
determining the C2 server from the devices to be selected according to a preset rule and the first device information, wherein the preset rule is a rule set according to the known characteristics of the C2 server.
2. The method according to claim 1, wherein the preset rule includes a first preset rule, and the determining the C2 server from the devices to be selected according to the preset rule and the first device information includes:
for each device to be selected, matching first device information of the device to be selected with the first preset rule;
taking each device to be selected whose first device information matches the first preset rule as a suspicious device; and
determining a C2 server from the determined suspicious devices.
3. The method of claim 2, wherein the preset rules further include a second preset rule, the first preset rule is different from the second preset rule, and the determining the C2 server from the determined suspicious devices comprises:
acquiring a probe message constructed according to the type of the C2 server;
for each suspicious device, performing deep interaction with the suspicious device according to each type of probe message to obtain second device information of the suspicious device, wherein the second device information comprises HTTP service configuration parameters of the suspicious device; and
for each suspicious device, matching the second device information of the suspicious device with the second preset rule to determine whether the suspicious device is a C2 server.
4. The method according to claim 3, wherein the acquiring the probe message constructed according to the type of the C2 server comprises:
constructing, according to the protocol characteristics corresponding to the different types of C2 servers, a probe message corresponding to those protocol characteristics.
5. The method of claim 3, wherein the second device information comprises at least one of a host header, a beacon type, a proxy type, and an API connection address.
6. The method according to any one of claims 2 to 5, wherein the preset parameters in the first preset rule include at least one of preset header information, a preset HTTP service status code, a preset transmitted text type and a preset text length, and the matching, for each device to be selected, the first device information of the device to be selected with the first preset rule comprises:
comparing each piece of information in the first device information with the corresponding preset parameter in the first preset rule; and
determining a matching result according to the comparison results obtained.
7. A C2 server identification apparatus, the apparatus comprising:
a detection module, configured to acquire, for each device to be selected, first device information of the device to be selected through asset detection, wherein the device to be selected is a device corresponding to each asset that can be searched during asset detection; and
an identification module, configured to determine the C2 server from the devices to be selected according to a preset rule and the first device information, wherein the preset rule is a rule set according to the known characteristics of the C2 server.
8. The apparatus according to claim 7, wherein the preset rule comprises a first preset rule, and the identification module is specifically configured to:
for each device to be selected, match first device information of the device to be selected with the first preset rule;
take each device to be selected whose first device information matches the first preset rule as a suspicious device; and
determine a C2 server from the determined suspicious devices.
9. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the C2 server identification method of any one of claims 1-6.
10. A readable storage medium on which a computer program is stored, which computer program, when being executed by a processor, carries out the C2 server identification method according to any one of claims 1 to 6.
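The two-stage scheme described for the identifying module 220 above and restated in claims 1 to 6, as an added example that is not code from the patent or its assignee: stage 1 compares each piece of first device information (headers, HTTP status code, transmitted text type, text length) with the preset parameters of a first preset rule and keeps the matching candidates as suspicious devices; stage 2 matches the second device information (host header, beacon type, proxy type, API connection address) against a second preset rule. The record shapes, rule names, header values and addresses are all constructed for the example, and the deep-interaction step is injected as a callback with a constructed lookup standing in for the network exchange, so the rule logic runs offline.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class FirstDeviceInfo:
    """First device information as asset detection returns it (constructed shape)."""
    address: str
    headers: dict          # response header name (lower-case) -> value
    status_code: int       # HTTP service status code
    content_type: str      # transmitted text type (Content-Type header value)
    text_length: int       # transmitted text length (body size in bytes)

@dataclass(frozen=True)
class FirstPresetRule:
    """Preset parameters of the first preset rule; an unset parameter is not compared."""
    name: str
    headers: dict = field(default_factory=dict)   # header name -> exact expected value
    status_code: Optional[int] = None
    content_type: Optional[str] = None
    text_length: Optional[tuple] = None           # inclusive (low, high) range

def match_first_rule(info: FirstDeviceInfo, rule: FirstPresetRule) -> bool:
    """Compare each piece of info with its preset parameter; every set parameter must agree."""
    results = [info.headers.get(name.lower()) == value for name, value in rule.headers.items()]
    if rule.status_code is not None:
        results.append(info.status_code == rule.status_code)
    if rule.content_type is not None:
        results.append(info.content_type.split(";")[0].strip().lower() == rule.content_type)
    if rule.text_length is not None:
        low, high = rule.text_length
        results.append(low <= info.text_length <= high)
    return bool(results) and all(results)   # a rule with no parameters matches nothing

def select_suspicious(candidates, rules):
    """Stage 1: candidate devices whose first device information matches any first preset rule."""
    return [c for c in candidates if any(match_first_rule(c, r) for r in rules)]

@dataclass(frozen=True)
class SecondDeviceInfo:
    """HTTP service configuration parameters gathered by deep interaction with a suspicious device."""
    host_header: Optional[str] = None
    beacon_type: Optional[str] = None
    proxy_type: Optional[str] = None
    api_address: Optional[str] = None   # API connection address

@dataclass(frozen=True)
class SecondPresetRule:
    name: str
    beacon_types: frozenset = frozenset()
    proxy_types: frozenset = frozenset()
    api_address_suffix: Optional[str] = None

def match_second_rule(info: SecondDeviceInfo, rule: SecondPresetRule) -> bool:
    results = []
    if rule.beacon_types:
        results.append(info.beacon_type in rule.beacon_types)
    if rule.proxy_types:
        results.append(info.proxy_type in rule.proxy_types)
    if rule.api_address_suffix is not None:
        results.append(bool(info.api_address) and info.api_address.endswith(rule.api_address_suffix))
    return bool(results) and all(results)

def identify_c2(candidates, first_rules, second_rules, interact):
    """Stage 2 on top of stage 1. `interact(device)` is the deep-interaction step; it returns
    SecondDeviceInfo, or None when the device gave no usable answer (injected, runs offline)."""
    confirmed = []
    for dev in select_suspicious(candidates, first_rules):
        second = interact(dev)
        if second is None:
            continue
        hits = [r.name for r in second_rules if match_second_rule(second, r)]
        if hits:
            confirmed.append((dev.address, hits))
    return confirmed

# Constructed sample data: every rule value, header, address and answer below is invented.
FIRST_RULES = [
    FirstPresetRule("example-c2-default-404", headers={"server": "ExampleC2/1.0"},
                    status_code=404, content_type="text/plain", text_length=(0, 0)),
    FirstPresetRule("bare-listener", status_code=200, content_type="text/html", text_length=(0, 64)),
]
SECOND_RULES = [
    SecondPresetRule("example-c2-http-beacon", beacon_types=frozenset({"http", "https"}),
                     api_address_suffix="/api/v1/beacon"),
    SecondPresetRule("example-c2-proxied", proxy_types=frozenset({"socks5"})),
]
SAMPLE_CANDIDATES = [
    FirstDeviceInfo("198.51.100.10:8080", {"server": "ExampleC2/1.0"}, 404, "text/plain", 0),
    FirstDeviceInfo("198.51.100.11:443", {"server": "nginx"}, 200, "text/html; charset=utf-8", 24),
    FirstDeviceInfo("198.51.100.12:80", {"server": "Apache"}, 200, "text/html", 5120),
]
SAMPLE_INTERACTION = {   # stands in for the network exchange with each suspicious device
    "198.51.100.10:8080": SecondDeviceInfo(host_header="c2.example.invalid", beacon_type="https",
                                           api_address="https://198.51.100.10:8080/api/v1/beacon"),
    "198.51.100.11:443": SecondDeviceInfo(),
}

def run_sample():
    """Both stages over the constructed data; only 198.51.100.10:8080 survives stage 2."""
    return identify_c2(SAMPLE_CANDIDATES, FIRST_RULES, SECOND_RULES,
                       lambda dev: SAMPLE_INTERACTION.get(dev.address))
```

The two stages are deliberately separate functions so that stage 1 can run over bulk asset-detection output without any further contact with the devices, and only the narrowed set of suspicious devices reaches the interaction step; a rule whose parameters are all unset matches nothing, which keeps an empty or mis-loaded rule from flagging every asset.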
CN202211539414.2A 2022-12-02 2022-12-02 C2 server identification method and device, electronic equipment and readable storage medium Pending CN115955333A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211539414.2A CN115955333A (en) 2022-12-02 2022-12-02 C2 server identification method and device, electronic equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211539414.2A CN115955333A (en) 2022-12-02 2022-12-02 C2 server identification method and device, electronic equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN115955333A true CN115955333A (en) 2023-04-11

Family

ID=87295870

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211539414.2A Pending CN115955333A (en) 2022-12-02 2022-12-02 C2 server identification method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN115955333A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination