TW202009767A - Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof - Google Patents
- Publication number: TW202009767A (application TW107130038A)
- Authority: TW (Taiwan)
- Prior art keywords: connection, total number, marked, node, connection factor
- Landscapes: Data Exchanges In Wide-Area Networks (AREA); Computer And Data Communications (AREA)
Description
The present invention relates to information security technology, and in particular to a gateway apparatus, a method of detecting malicious domains and hacked hosts, and a non-transitory computer-readable medium thereof.
Malicious domains have long been a hotbed of cybercriminal activity (for example, spam distribution, financial fraud, phishing websites and other malicious behavior). How an enterprise can discover suspicious domains early among its many outbound connections has become an extremely important enterprise security problem.
After an attacker has built a relay station, the attacker attempts to implant malware into victim hosts through social-engineering e-mail, phishing websites or other means, turning those hosts into bots. The great majority of the malware running on such bots needs network connectivity to carry out its malicious activity (for example, sending spam, leaking confidential information, downloading malware updates and infecting neighboring hosts). To improve the survival rate of the botnet, attackers frequently use techniques such as domain flux to avoid detection and to reduce the chance that the behavior of the implanted malware is blocked. It follows that security vendors need to develop techniques that effectively detect malicious domains and hacked hosts.
In view of this, the present invention proposes a gateway apparatus, a method of detecting malicious domains and hacked hosts, and a non-transitory computer-readable medium thereof, which provide a detection technique of high accuracy.
The present invention provides a method of detecting malicious domains and hacked hosts, suitable for a gateway apparatus. The method includes: receiving a plurality of network flows; parsing a plurality of channels and a plurality of connection factors from the network flows, where each channel is associated with a link between a domain and an Internet Protocol address; establishing the connection relationship between the channels and the connection factors; constructing a network interaction behavior link model based on the connection relationship and threat intelligence; and detecting the victimization status of an unknown channel through the network interaction behavior link model.
The present invention provides a gateway apparatus connected to both an internal network and an external network. The gateway apparatus includes a communication unit, a storage unit and a processing unit. The communication unit sends and receives data. The storage unit stores a plurality of modules. The processing unit is coupled to the communication unit and the storage unit, and accesses and executes the modules stored in the storage unit, which include a traffic recording module, a model learning module and a victim determination module. The traffic recording module receives, through the communication unit, a plurality of network flows between the internal network and the external network. The model learning module parses a plurality of channels and a plurality of connection factors from the network flows, establishes the connection relationship between the channels and the connection factors, and constructs a network interaction behavior link model based on the connection relationship and threat intelligence, where each channel is associated with a link between a domain and an Internet Protocol address. The victim determination module detects the victimization status of an unknown channel through the network interaction behavior link model.
The present invention provides a non-transitory computer-readable medium recording a program which, when loaded by a gateway apparatus, performs the following steps: receiving a plurality of network flows; parsing a plurality of channels and a plurality of connection factors from the network flows, where each channel is associated with a link between a domain and an Internet Protocol address; establishing the connection relationship between the channels and the connection factors; constructing a network interaction behavior link model based on the connection relationship and threat intelligence; and detecting the victimization status of an unknown channel through the network interaction behavior link model.
Based on the above, the present invention obtains the feature values of the channel nodes from the interaction profiling bipartite graph formed by the connection relationship, and then uses machine learning to construct a maliciousness model that facilitates the subsequent judgment of unknown channels.
To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.
Although malware often uses techniques such as domain flux to avoid detection or blocking, the threatening behavior it causes still leaves access traces of the malware in the network traffic logs. In view of this, the present invention exploits the characteristic that similar malware uses similar connection factors for its interactions, and proposes a detection method that detects the victimization status of malicious domains or hacked hosts through the connection factors associated with malware. The following content allows the reader to understand the inventive concept of the present invention.
FIG. 1 is a schematic diagram illustrating the architecture of a communication system 1 according to an embodiment of the present invention. The communication system 1 includes one or more client hosts 100 in an internal network 150 (for example, a local area network (LAN)), one or more external hosts 130 in an external network 170 (for example, the Internet), and a gateway apparatus 200.
The client hosts 100 may be any electronic devices with networking capability, such as desktop computers, notebook computers, servers, smartphones and tablets.
The external hosts 130 may be networked devices such as servers, workstations and relay stations. It should be noted that the internal network 150 and the external network 170 of this embodiment mainly serve to distinguish two different networks.
The gateway apparatus 200 sits between the internal network 150 and the external network 170. The gateway apparatus 200 may include a communication unit 210, a storage unit 230 and a processing unit 250. The communication unit 210 may be any type of network interface with communication capability, such as Ethernet or optical fiber, for connecting to the internal network 150 and the external network 170.
The storage unit 230 may be any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, conventional hard disk drive, solid-state drive, a similar component, or a combination of the above such as network attached storage. It records programs such as a traffic recording module 231, a model learning module 232, a victim determination module 233, an intelligence collection module 235 and an intelligence sharing module 236, as well as related information such as network flows, traffic logs, the interaction profiling bipartite graph and a threat intelligence database 237.
The processing unit 250 is connected to the communication unit 210 and the storage unit 230, and may be a central processing unit (CPU) or another programmable general-purpose or special-purpose microprocessor, digital signal processor (DSP), programmable controller, application-specific integrated circuit (ASIC), a similar component, or a combination of the above. In the embodiments of the present invention, the processing unit 250 performs all operations of the gateway apparatus 200 and can access and execute the modules recorded in the storage unit 230.
To facilitate understanding of the operation flow of the embodiments of the present invention, several embodiments are given below to describe in detail how the gateway apparatus 200 detects malicious domains and hacked hosts. FIG. 2 is a flowchart of a method of detecting malicious domains and hacked hosts according to an embodiment of the present invention. Referring to FIG. 2, the method of this embodiment is applicable to the devices of the communication system 1 in FIG. 1. In the following, the method is described with reference to the components and modules of the gateway apparatus 200. Each step of the method may be adjusted according to the implementation and is not limited to what is described here.
In step S21, the traffic recording module 231 receives a plurality of network flows (for example, the network flows between the internal network 150 and the external network 170) through the communication unit 210. The traffic recording module 231 may record the traffic log at the gateway where the gateway apparatus 200 is located, so that the gateway apparatus 200 can periodically produce intelligence about malicious domains or hacked hosts from the recorded traffic. For example, the gateway apparatus 200 may share the detection results of the victim determination module 233 with third-party defense systems or devices (for example, firewalls or proxy servers) through the intelligence sharing module 236, helping those third parties block or isolate malicious connections in time.
A network flow may include information such as Internet Protocol (IP) addresses (for example, the IP address of a client host 100 or an external host 130), domains (for example, the domain registered by a client host 100 or an external host 130) and connection factors (CF), where the type of connection factor may be associated with, for example, a trace, a user agent, a timestamp, a connection method or a connection request (for example, a HyperText Transfer Protocol request (HTTP request)); the present invention is not limited to these. In this embodiment, only a single type of connection factor is used to build the interaction profiling bipartite graph. The construction of the interaction profiling bipartite graph is described in the paragraphs on step S25.
The intelligence collection module 235 receives security intelligence about malware, viruses, improper network behavior and network threats from different sources (for example, http://www.malware-traffic-analysis.net/, VirusTotal and Bluecoat), and integrates newly produced (network) threat intelligence to enrich the threat intelligence in the threat intelligence database 237, so that subsequent classification becomes more accurate. The threat intelligence may be associated with channel information; for example, it may record whether a channel is malicious, benign or unknown. On the other hand, based on the received security intelligence, the intelligence collection module 235 may determine which of the network flows received by the traffic recording module 231 belong to known malware.
In step S23, the model learning module 232 parses a plurality of channels and a plurality of connection factors from the network flows, where each channel is associated with a link between a domain and an IP address. For example, the link between one domain and one IP address may be regarded as one channel. Because cybercriminals frequently use similar techniques (for example, similar HTTP requests) to make a malicious relay station (for example, an external host 130) interact with a hacked host (for example, a client host 100), the present invention parses those techniques to obtain connection factors. For example, because different malware connecting to a malicious relay station uses similar HTTP requests to query the relay station (for example, the external host 130), the present invention parses HTTP requests to obtain traces that can serve as connection factors, as shown in FIG. 3.
FIG. 3 illustrates an example of parsing an HTTP request, where m denotes the method used to query the uniform resource locator (URL), p denotes the page of the queried URL, the remaining information used in the query appears after "?" as key=value pairs separated by "&", n denotes the parameter names of the query and v denotes the parameter values. Because v changes easily (some malware generates it randomly), this embodiment replaces the content of every v with one and the same symbol (for example, |), meaning that the embodiment does not use (or does not consider) v. As shown in FIG. 3, the original HTTP request "GET /gxtxlxyxx.php?pass=999&psql=99&xio=TW" becomes, after the parameter values are replaced with the same symbol and the result is combined with the method (m), the trace GET_/gxtxlxyxx.php?pass|Psql|xio|. It should be noted that the replacement symbol and rules above may be adjusted as required.
Returning to FIG. 2, in step S25 the model learning module 232 establishes the connection relationship between the channels and the connection factors. The connection relationship may be presented in the form of a bipartite graph, which is then called the interaction profiling bipartite graph, as shown in FIG. 4.
FIG. 4 illustrates an interaction profiling bipartite graph according to an embodiment of the present invention. The model learning module 232 takes each connection factor as a connection factor node and each channel as a channel node. Suppose that in step S23 the model learning module 232 parsed from the network flows a plurality of channels (including channel A, associated with the link between domain A and client IP A, and channel B, associated with the link between domain B and client IP B) and a plurality of connection factors (including CF1, CF2, CF3, CF4, CF5, CF6, CF7, CF8 and CF9). The model learning module 232 draws channel A and channel B as channel nodes and CF1 to CF9 as connection factor nodes in the interaction profiling bipartite graph. By parsing a connection factor, the model learning module 232 obtains the channels associated with it. For example, in this embodiment CF1 is associated with channel A, so CF1 is connected to channel A in the graph. On the other hand, the same connection factor may be associated with several channels; for example, CF4 is associated with both channel A and channel B, so CF4 is connected to channel A and to channel B, which means that both channels use CF4. Connecting the corresponding connection factor node and channel node for each network flow in this way forms the interaction profiling bipartite graph shown in FIG. 4.
Because similar malicious domains (or malware) may use the same connection factors to interact with others, if one channel is determined to be malicious, another channel connected to it in the interaction profiling bipartite graph (for example, a channel that was originally unknown) has a higher probability of also being malicious.
Returning to FIG. 2, after the interaction profiling bipartite graph has been produced, in step S27 the model learning module 232 constructs the network interaction behavior link model based on the connection relationship and the threat intelligence collected by the intelligence collection module 235.
Specifically, the model learning module 232 labels each channel node as benign, malicious or unknown based on the threat intelligence. Among the network flows received by the traffic recording module 231, channels related to the network flows of known malware are always labeled malicious, while the remaining channels are determined to be benign or unknown by comparison against the benign list of channels (or domains) recorded in the threat intelligence.
After the channel nodes of the interaction profiling bipartite graph have been labeled, the model learning module 232 labels the connection factor nodes to complete the graph, and may train the network interaction behavior link model on the completed graph.
More specifically, based on the threat intelligence, the model learning module 232 may label each connection factor node of the interaction profiling bipartite graph with one of the label attributes Benign, Virulence, Mixed, Unknown or Leaf. FIG. 5 illustrates the interaction profiling bipartite graph after the connection factor nodes have been labeled, according to an embodiment of the present invention. In FIG. 5, "✽" denotes a malicious connection factor node, "?" an unknown connection factor node and "○" a benign connection factor node. The model learning module 232 labels the connection factor nodes according to the rules in Table 1. Table 1
After the connection factor nodes have been labeled, the model learning module 232 may compute, from the labeled connection factor nodes, the feature values of each channel node in the interaction profiling bipartite graph. In other words, the model learning module 232 uses the labeled connection factor nodes to convert the information in the threat intelligence into feature values of the channel nodes, thereby reducing the noise in the intelligence. In this embodiment, the model learning module 232 computes six feature values for each channel node from the labeled connection factor nodes, but the present invention is not limited to this. The model learning module 232 may compute the six feature values of each channel node according to the rules in Table 3. Table 3
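The trace normalization of FIG. 3, the interaction profiling bipartite graph of FIG. 4 and the connection factor labeling of FIG. 5, worked through in Python as an added example (not code from the patent). Because Tables 1 and 3 are not reproduced on this page, the labeling rule and the six per-channel counts below are assumptions inferred from the label names; the log records and threat-intelligence labels are constructed, and the threshold at the end stands in for the trained model of step S29.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed gateway log records (client_ip, domain, HTTP request line).
LOG = [
    ("10.0.0.5", "a.example", "GET /gxtxlxyxx.php?pass=999&psql=99&xio=TW HTTP/1.1"),
    ("10.0.0.5", "a.example", "GET /update.php?id=7731 HTTP/1.1"),
    ("10.0.0.9", "b.example", "GET /gxtxlxyxx.php?pass=123&psql=5&xio=US HTTP/1.1"),
    ("10.0.0.9", "b.example", "POST /report.php?sid=ab12&cnt=3 HTTP/1.1"),
    ("10.0.0.21", "news.example", "GET /index.html HTTP/1.1"),
    ("10.0.0.21", "news.example", "GET /update.php?id=9 HTTP/1.1"),
    ("10.0.0.33", "c.example", "GET /gxtxlxyxx.php?pass=4&psql=1&xio=JP HTTP/1.1"),
]
# Constructed threat intelligence: channel "domain_clientIP" -> label;
# channels absent from it are "unknown" (step S27).
INTEL = {"a.example_10.0.0.5": "malicious", "news.example_10.0.0.21": "benign"}
CF_LABELS = ("Virulence", "Mixed", "Benign", "Unknown", "Leaf")


def trace(request_line):
    """Trace connection factor of FIG. 3: method + '_' + page, then '?' and each
    parameter name followed by '|' in place of its (often randomized) value."""
    method, target = request_line.split(" ")[:2]
    parts = urlsplit(target)
    names = [kv.split("=", 1)[0] for kv in parts.query.split("&") if kv]
    query = "?" + "".join(n + "|" for n in names) if names else ""
    return f"{method}_{parts.path}{query}"


def build_graph(log):
    """Interaction profiling bipartite graph (FIG. 4): channel nodes on one side,
    connection factor nodes on the other, an edge where a channel used that CF."""
    ch_to_cf, cf_to_ch = defaultdict(set), defaultdict(set)
    for client_ip, domain, request_line in log:
        channel, cf = f"{domain}_{client_ip}", trace(request_line)
        ch_to_cf[channel].add(cf)
        cf_to_ch[cf].add(channel)
    return ch_to_cf, cf_to_ch


def label_cf(cf, cf_to_ch, intel):
    """Assumed rule (Table 1 is not on the page): Leaf if one channel uses the CF;
    Mixed if malicious and benign channels share it; Virulence / Benign if only
    one known class uses it (unknown channels do not count); else Unknown."""
    channels = cf_to_ch[cf]
    if len(channels) == 1:
        return "Leaf"
    known = {intel.get(c, "unknown") for c in channels} - {"unknown"}
    if known == {"malicious", "benign"}:
        return "Mixed"
    if known == {"malicious"}:
        return "Virulence"
    return "Benign" if known == {"benign"} else "Unknown"


def channel_features(channel, ch_to_cf, cf_to_ch, intel):
    """Six counts per channel node (total CFs plus one per CF label); a stand-in
    for Table 3, whose rules are not reproduced on the page."""
    feats = {"total": len(ch_to_cf[channel]), **{lab: 0 for lab in CF_LABELS}}
    for cf in ch_to_cf[channel]:
        feats[label_cf(cf, cf_to_ch, intel)] += 1
    return feats


def suspicious_unknown_channels(log, intel):
    """Unknown channels that share a Virulence or Mixed CF with known malware
    (step S29, with this threshold standing in for the trained model)."""
    ch_to_cf, cf_to_ch = build_graph(log)
    flagged = []
    for channel in sorted(ch_to_cf):
        if intel.get(channel, "unknown") != "unknown":
            continue
        feats = channel_features(channel, ch_to_cf, cf_to_ch, intel)
        if feats["Virulence"] + feats["Mixed"] > 0:
            flagged.append(channel)
    return flagged
```

With the constructed log, the two unknown channels that reuse the `GET_/gxtxlxyxx.php?pass|psql|xio|` trace of the known malicious channel are flagged, while the channel that only shares a Leaf factor is not.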
After the feature values of all channel nodes have been computed, the model learning module 232 trains the network interaction behavior link model with a machine learning algorithm from the labeled channel nodes and their corresponding feature values; that is, the labeled channel nodes and their feature values serve as the labeled training data of the model. The machine learning algorithm may be, for example, a neural network, a random forest or a support vector machine; the present invention is not limited to these.
Returning to FIG. 2, after the network interaction behavior link model has been trained, in step S29 the victim determination module 233 detects the victimization status of unknown channels through the model. No matter how the appearance of a malicious URL changes, the gateway apparatus 200 can use the victim determination module 233 to detect domains or hacked hosts that exhibit similar malicious interaction behavior. In some embodiments, the victimization status refers to the degree of interaction between an unknown channel and malicious domains (or malware). Table 4 takes specific target domains and client IPs as examples and shows the results of detecting them with the network interaction behavior link model of this embodiment. In this embodiment, the higher the malicious behavior score, the higher the probability that the domain of the corresponding channel is a malicious domain or that the client IP of the corresponding channel belongs to a hacked host. Table 4
FIG. 6 is a schematic diagram of the digital forensic verification result for the channel "com-wkejf32ljd23409system.net_xx.xx.136.246". FIG. 6 shows that the interaction between the target domain and the client IP reveals information about the client host, such as its location "city=Taipei", browser information "Chrome&browserVersion=63…" and host operating system information "operationSystem=Windows& operationSystemVersion=7…". Once a network attacker has obtained such host information, it is easy to tell whether the browser or operating system used by that user has corresponding vulnerabilities, and to exploit them further to steal sensitive information or commit other cybercrime. Comparing Table 4 with FIG. 6 shows that the detection method of this disclosure effectively detects target domains or client IPs that may be under attack by malware.
It is worth noting that the above method of detecting malicious domains and hacked hosts may also be implemented as a program recorded on a non-transitory computer-readable medium such as a hard disk, floppy disk, USB flash drive or CD, and that the program may be executed by any type of processing unit (for example, the processing unit 250).
In summary, the gateway apparatus of the present invention can periodically produce intelligence about malicious domains or hacked hosts and share it with third parties, helping them block or isolate malicious connections in time. The gateway apparatus can also determine whether an unknown channel is malicious from the connection factors used by each channel. Furthermore, the present invention uses the labeled connection factor nodes to convert the information in the threat intelligence into feature values, thereby reducing the noise in the intelligence. No matter how the appearance of a malicious URL changes, the gateway apparatus can detect domains or hacked hosts with similar malicious interaction behavior through the victim determination module and determine the victimization status of those domains or hacked hosts.
Although the present invention has been disclosed above by way of embodiments, they are not intended to limit it. Any person of ordinary skill in the art may make some changes and modifications without departing from the spirit and scope of the present invention, so the scope of protection of the present invention shall be defined by the appended claims.
Reference numerals:
- 1: communication system
- 100: client host
- 130: external host
- 150: internal network
- 170: external network
- 200: gateway apparatus
- 210: communication unit
- 230: storage unit
- 231: traffic recording module
- 232: model learning module
- 233: victim determination module
- 235: intelligence collection module
- 236: intelligence sharing module
- 237: threat intelligence database
- 250: processing unit
- CF1, CF2, CF3, CF4, CF5, CF6, CF7, CF8, CF9: connection factors / connection factor nodes
- S21, S23, S25, S27, S29: steps
FIG. 1 is a schematic diagram illustrating the architecture of a communication system according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method of detecting malicious domains and hacked hosts according to an embodiment of the present invention.
FIG. 3 illustrates an example of parsing an HTTP request.
FIG. 4 illustrates an interaction profiling bipartite graph according to an embodiment of the present invention.
FIG. 5 illustrates the interaction profiling bipartite graph after the connection factor nodes have been labeled, according to an embodiment of the present invention.
FIG. 6 is a schematic diagram of the digital forensic verification result for one channel.
Claims (15)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW107130038A TWI684113B (en) | 2018-08-28 | 2018-08-28 | Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW107130038A TWI684113B (en) | 2018-08-28 | 2018-08-28 | Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI684113B TWI684113B (en) | 2020-02-01 |
TW202009767A true TW202009767A (en) | 2020-03-01 |
Family
ID=70413427
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW107130038A TWI684113B (en) | 2018-08-28 | 2018-08-28 | Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI684113B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI764618B (en) * | 2020-10-19 | 2022-05-11 | 新加坡商賽博創新新加坡股份有限公司 | Cyber security protection system and related proactive suspicious domain alert system |
US11558352B2 (en) | 2020-10-19 | 2023-01-17 | Cycraft Singapore Pte. Ltd. | Cyber security protection system and related proactive suspicious domain alert system |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI777766B (en) * | 2021-09-10 | 2022-09-11 | 中華電信股份有限公司 | System and method of malicious domain query behavior detection |
TWI774582B (en) | 2021-10-13 | 2022-08-11 | 財團法人工業技術研究院 | Detection device and detection method for malicious http request |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102821002B (en) * | 2011-06-09 | 2015-08-26 | 中国移动通信集团河南有限公司信阳分公司 | Network flow abnormal detecting method and system |
US20180198812A1 (en) * | 2017-01-11 | 2018-07-12 | Qualcomm Incorporated | Context-Based Detection of Anomalous Behavior in Network Traffic Patterns |
US10264005B2 (en) * | 2017-01-11 | 2019-04-16 | Cisco Technology, Inc. | Identifying malicious network traffic based on collaborative sampling |
- 2018-08-28 TW TW107130038A patent/TWI684113B/en active
Also Published As
Publication number | Publication date |
---|---|
TWI684113B (en) | 2020-02-01 |
Similar Documents
Publication | Title |
---|---|
TWI648650B (en) | Gateway device, detection method of malicious domain and host host, and non-transitory computer readable media |
US11785037B2 (en) | Cybersecurity risk assessment on an industry basis |
US10033753B1 (en) | System and method for detecting malicious activity and classifying a network communication based on different indicator types |
TWI684113B (en) | Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof |
US20150215334A1 (en) | Systems and methods for generating network threat intelligence |
TWI625641B (en) | Methods for preventing computer attacks in two-phase filtering and apparatuses using the same |
US20160044054A1 (en) | Network appliance for dynamic protection from risky network activities |
CN110362992B (en) | Method and apparatus for blocking or detecting computer attacks in cloud-based environment |
US8713674B1 (en) | Systems and methods for excluding undesirable network transactions |
Cai et al. | Detecting HTTP botnet with clustering network traffic |
Alani | Big data in cybersecurity: a survey of applications and future trends |
Paulauskas et al. | Local outlier factor use for the network flow anomaly detection |
CN109525577B (en) | Malicious software detection method based on HTTP behavior diagram |
Bhardwaj et al. | Privacy-aware detection framework to mitigate new-age phishing attacks |
Besel et al. | Full cycle analysis of a large-scale botnet attack on Twitter |
Yoshihama et al. | Web-Based Data Leakage Prevention. |
TWI656778B (en) | Malicious domain detection method combining network information and network traffic |
Leita et al. | HARMUR: Storing and analyzing historic data on malicious domains |
TWI677803B (en) | Suspicious domain detecting method, gateway apparatus and non-transitory computer readable medium apparatus |
Zadnik et al. | AI infers DoS mitigation rules |
Alageel et al. | EARLYCROW: Detecting APT Malware Command and Control over HTTP (S) Using Contextual Summaries |
US20240154997A1 (en) | Tor-based malware detection |
Kondracki | Leveraging Side-Channels to Fingerprint Software Systems |
Spaulding | D-FENS: DNS filtering & extraction network system for malicious domain names |
Senthilkumar et al. | Recognizing User Portraits for Fraudulent Identification on Online Social Networks |