TW202009767A - Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof - Google Patents


Info

Publication number
TW202009767A
Authority
TW
Taiwan
Prior art keywords
connection
total number
marked
node
connection factor
Prior art date
Application number
TW107130038A
Other languages
Chinese (zh)
Other versions
TWI684113B (en)
Inventor
鄭棕翰
陳建智
周國森
張光宏
黃秀娟
Original Assignee
中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Priority date
Filing date
Publication date
Application filed by 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Priority to TW107130038A
Application granted
Publication of TWI684113B
Publication of TW202009767A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method for detecting malicious domains and hacked hosts is provided, including: receiving network traffic; parsing channels and connection factors, where each channel is associated with a link between a domain and an Internet Protocol (IP) address; establishing connection relations between the channels and the connection factors; generating a Cyber Interaction Linker model based on the connection relations and threat intelligence; and detecting the victimization of unknown channels according to the Cyber Interaction Linker model.

Description

Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof

The present invention relates to an information security technique and, in particular, to a gateway apparatus, a method for detecting malicious domains and hacked hosts, and a non-transitory computer-readable medium thereof.

Malicious domains have long been a breeding ground for cybercrime (for example, spam distribution, financial fraud, phishing sites and other malicious activity). How an enterprise can spot suspicious domains early among its many outbound connections has become a critical enterprise security problem.

After an attacker sets up a relay station (a command-and-control host), the attacker tries to implant malware on victim hosts through social-engineering e-mail, phishing sites or other means, turning those hosts into bots. Most malware running on a bot needs network connectivity to carry out its malicious activity (for example, sending spam, leaking confidential data, downloading malware updates and infecting neighbouring hosts). To raise the survival rate of a botnet, attackers frequently use techniques such as domain flux to avoid detection and reduce the chance that the malware's activity is blocked. Security vendors therefore need techniques that detect malicious domains and hacked hosts effectively.

In view of this, the present invention proposes a gateway apparatus, a method for detecting malicious domains and hacked hosts, and a non-transitory computer-readable medium thereof, providing a detection technique with high accuracy.

The present invention provides a method for detecting malicious domains and hacked hosts, suitable for a gateway apparatus. The method includes: receiving a plurality of network traffic records; parsing a plurality of channels and a plurality of connection factors from the network traffic, where each channel is associated with a link between a domain and an Internet Protocol address; establishing connection relations between the channels and the connection factors; constructing a Cyber Interaction Linker model based on the connection relations and threat intelligence; and detecting the victimization of unknown channels through the Cyber Interaction Linker model.

The present invention provides a gateway apparatus connected to both an internal network and an external network. The gateway apparatus includes a communication unit, a storage unit and a processing unit. The communication unit sends and receives data. The storage unit stores a plurality of modules. The processing unit is coupled to the communication unit and the storage unit, and accesses and executes the modules stored in the storage unit, which include a traffic capture module, a model learning module and a victim determination module. The traffic capture module receives, through the communication unit, network traffic between the internal network and the external network. The model learning module parses channels and connection factors from the network traffic, establishes connection relations between the channels and the connection factors, and constructs a Cyber Interaction Linker model based on the connection relations and threat intelligence, where each channel is associated with a link between a domain and an Internet Protocol address. The victim determination module detects the victimization of unknown channels through the Cyber Interaction Linker model.

The present invention provides a non-transitory computer-readable medium that records a program; when the program is loaded by a gateway apparatus it performs the following steps: receiving a plurality of network traffic records; parsing a plurality of channels and a plurality of connection factors from the network traffic, where each channel is associated with a link between a domain and an Internet Protocol address; establishing connection relations between the channels and the connection factors; constructing a Cyber Interaction Linker model based on the connection relations and threat intelligence; and detecting the victimization of unknown channels through the Cyber Interaction Linker model.

In summary, the present invention obtains feature values for channel nodes from the interaction profiling bipartite graph formed by the connection relations, and then uses machine learning to construct a maliciousness model that supports the subsequent judgment of unknown channels.

To make the above features and advantages of the present invention clearer and easier to understand, embodiments are described in detail below with reference to the accompanying drawings.

Although malware often uses techniques such as domain flux to avoid detection or blocking, the threatening behaviour it produces still leaves access traces in network traffic logs. Building on the observation that similar malware interacts using similar connection factors, the present invention proposes a detection method that identifies the victimization of malicious domains or hacked hosts through the connection factors associated with malware. The following description explains the inventive concept.

FIG. 1 is a schematic diagram of the architecture of a communication system 1 according to an embodiment of the present invention. The communication system 1 includes one or more user hosts 100 on an internal network 150 (for example, a local area network (LAN)), one or more external hosts 130 on an external network 170 (for example, the Internet), and a gateway apparatus 200.

The user hosts 100 can be any network-capable electronic device, such as a desktop computer, laptop, server, smartphone or tablet.

The external hosts 130 can be networked devices such as servers, workstations or relay stations. Note that the internal network 150 and the external network 170 of this embodiment serve mainly to distinguish two different networks.

The gateway apparatus 200 sits between the internal network 150 and the external network 170. It can include a communication unit 210, a storage unit 230 and a processing unit 250. The communication unit 210 can be any type of network interface with communication capability, such as Ethernet or optical fibre, for connecting to the internal network 150 and the external network 170.

The storage unit 230 can be any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive, solid-state drive, similar component, or a combination of these such as network attached storage (NAS). It records programs such as the traffic capture module 231, the model learning module 232, the victim determination module 233, the intelligence collection module 235 and the intelligence sharing module 236, together with related information such as network traffic, traffic logs, the interaction profiling bipartite graph and the threat intelligence database 237.

The processing unit 250 is connected to the communication unit 210 and the storage unit 230, and can be a central processing unit (CPU) or another programmable general-purpose or special-purpose microprocessor, digital signal processor (DSP), programmable controller, application-specific integrated circuit (ASIC), similar component, or a combination of these. In the embodiment of the present invention, the processing unit 250 performs all operations of the gateway apparatus 200 and can access and execute the modules recorded in the storage unit 230.

To make the operation flow of the embodiment easier to follow, several embodiments are described in detail below to explain how the gateway apparatus 200 detects malicious domains and hacked hosts. FIG. 2 is a flowchart of the method for detecting malicious domains and hacked hosts according to an embodiment of the present invention. Referring to FIG. 2, the method of this embodiment applies to the devices of the communication system 1 in FIG. 1. The method is described below with reference to the components and modules of the gateway apparatus 200. Each step of the method can be adjusted to the implementation and is not limited to what is described here.

In step S21, the traffic capture module 231 receives, through the communication unit 210, a plurality of network traffic records (for example, traffic between the internal network 150 and the external network 170). The traffic capture module 231 can capture the traffic log at the gateway where the gateway apparatus 200 is located, so that the gateway apparatus 200 can periodically produce intelligence about malicious domains or hacked hosts from the captured traffic. For example, the gateway apparatus 200 can share the detection results of the victim determination module 233 with third-party cooperative defence systems or devices (for example, a firewall or proxy server) through the intelligence sharing module 236, helping those third parties block or isolate malicious connections in a timely manner.

The network traffic can include information such as Internet Protocol (IP) addresses (for example, the IP address of a user host 100 or an external host 130), domains (for example, a domain registered by a user host 100 or an external host 130) and connection factors (CF). The type of connection factor can relate to, for example, a trace, a user agent, a timestamp, a connection method, or a connection request (for example, a HyperText Transfer Protocol request (HTTP request)); the invention is not limited to these. In this embodiment, only a single type of connection factor is used to build the Interaction Profiling Bipartite Graph, whose construction is described under step S25.

The intelligence collection module 235 receives security intelligence about malware, viruses, improper network behaviour and network threats from different sources (for example, http://www.malware-traffic-analysis.net/, VirusTotal and Bluecoat), and integrates newly produced (network) threat intelligence to enrich the threat intelligence database 237, making subsequent classification more accurate. The threat intelligence can be associated with channel information; for example, it can record whether a channel is malicious, benign or unknown. The intelligence collection module 235 can also determine, based on the received security intelligence, which of the network traffic received by the traffic capture module 231 belongs to known malware.

In step S23, the model learning module 232 parses a plurality of channels and a plurality of connection factors from the network traffic, where each channel is associated with a link between a domain and an IP address. For example, the link between one domain and one IP address can be regarded as one channel. Because cybercriminals frequently use similar techniques (for example, similar HTTP requests) to make a malicious relay station (for example, an external host 130) interact with a hacked host (for example, a user host 100), the present invention parses these techniques to obtain connection factors. For instance, since different malware that connects to a malicious relay station uses similar HTTP requests to query the relay station (for example, the external host 130), the present invention can parse the HTTP request to obtain a trace usable as a connection factor, as shown in FIG. 3.

FIG. 3 shows an example of parsing an HTTP request, where m denotes the method used to query a Uniform Resource Locator (URL), p denotes the page of the queried URL, and the remaining query information appears after "?" as key=value pairs separated by "&", with n denoting the parameter names and v the parameter values. Because v changes easily (some malware generates it randomly), this embodiment replaces every value v with one uniform symbol (for example, "|"), meaning that the embodiment does not use (or does not consider) v. As shown in FIG. 3, the original HTTP request "GET /gxtxlxyxx.php?pass=999&psql=99&xio=TW" becomes, after the parameter values are replaced by the symbol and the result is combined with the method m, the trace GET_/gxtxlxyxx.php?pass|Psql|xio|. The replacement symbol and the rules can be adjusted as needed.
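The trace extraction of FIG. 3 and the channel/connection-factor parsing of step S23, as an added example that is not the patent's own code. The log record format ("client_ip domain method request_uri"), the hostnames and addresses, and the rule that a request with no query string maps to just "method_page" are assumptions made for this illustration; parameter names are kept exactly as written in the request, so the capital "P" in the page's rendering of the trace is treated as a typesetting artifact.

```python
"""Parse HTTP proxy log records into channels and traces (steps S23 and S25).

Added example, not the patent's code. The log format is constructed for
illustration: one record per line, "<client_ip> <domain> <method> <request_uri>".
"""
from __future__ import annotations

from collections import defaultdict
from typing import NamedTuple


class Channel(NamedTuple):
    """A channel is the link between a domain and an IP address (FIG. 4: domain A / user IP A)."""
    domain: str
    client_ip: str


def trace_from_request(method: str, request_uri: str, placeholder: str = "|") -> str:
    """Collapse one HTTP request into a trace, following FIG. 3.

    Keep the method m and page p, keep the parameter names n, and replace every
    parameter value v with the same placeholder so that randomised values do not
    split one malware family into many traces.
    Assumption (not stated on the page): a request with no query string yields "m_p".
    """
    page, sep, query = request_uri.partition("?")
    if not sep:
        return f"{method}_{page}"
    # key=value pairs are separated by "&"; only the key (parameter name) survives.
    names = [part.split("=", 1)[0] for part in query.split("&") if part]
    return f"{method}_{page}?" + "".join(name + placeholder for name in names)


def parse_log(lines: list[str]) -> list[tuple[Channel, str]]:
    """Turn raw records into (channel, trace) pairs; malformed lines are skipped."""
    pairs = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        client_ip, domain, method, uri = fields
        pairs.append((Channel(domain, client_ip), trace_from_request(method, uri)))
    return pairs


def connection_relations(pairs: list[tuple[Channel, str]]) -> dict[Channel, set[str]]:
    """Edges of the interaction profiling bipartite graph: channel -> set of traces."""
    relations: dict[Channel, set[str]] = defaultdict(set)
    for channel, trace in pairs:
        relations[channel].add(trace)
    return dict(relations)


# Constructed sample records (hostnames and addresses are placeholders).
SAMPLE_LOG = [
    "10.0.0.5 relay-a.example GET /gxtxlxyxx.php?pass=999&psql=99&xio=TW",
    "10.0.0.5 relay-a.example GET /gxtxlxyxx.php?pass=123&psql=7&xio=US",
    "10.0.0.9 relay-b.example GET /gxtxlxyxx.php?pass=555&psql=1&xio=JP",
    "10.0.0.9 relay-b.example POST /gate.php?id=abc123&v=2",
    "10.0.0.7 www.example.org GET /index.html",
]

if __name__ == "__main__":
    for channel, traces in connection_relations(parse_log(SAMPLE_LOG)).items():
        print(f"{channel.domain}_{channel.client_ip}: {sorted(traces)}")
```

The three requests to /gxtxlxyxx.php differ only in their parameter values, so they collapse to one trace shared by two channels; that shared trace is exactly the kind of connection-factor node that links channel A and channel B in FIG. 4.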

Returning to FIG. 2, in step S25 the model learning module 232 establishes connection relations between the channels and the connection factors. These connection relations can be presented as a bipartite graph, which is then called the interaction profiling bipartite graph, as shown in FIG. 4.

FIG. 4 shows an interaction profiling bipartite graph according to an embodiment of the present invention. The model learning module 232 treats each connection factor as a connection-factor node and each channel as a channel node. Suppose that in step S23 the model learning module 232 parsed several channels from the network traffic (including channel A, associated with the link between domain A and user IP A, and channel B, associated with the link between domain B and user IP B) and several connection factors (including CF1, CF2, CF3, CF4, CF5, CF6, CF7, CF8 and CF9). The model learning module 232 draws channel A and channel B as channel nodes and CF1 to CF9 as connection-factor nodes in the graph. By parsing a connection factor, the model learning module 232 obtains the channel associated with it. For example, in this embodiment connection factor CF1 is associated with channel A, so CF1 is joined to channel A in the graph. The same connection factor can also be associated with several channels: for example, CF4 is associated with both channel A and channel B, so CF4 is joined to both channel A and channel B, meaning that both channels use connection factor CF4. Joining the corresponding connection-factor node and channel node for each network traffic record in this way forms the interaction profiling bipartite graph shown in FIG. 4.

Because similar malicious domains (or malware) may use the same connection factors to interact with others, if one channel is judged malicious, another channel linked to it in the interaction profiling bipartite graph (for example, a channel that was previously unknown) has a higher probability of also being malicious.

Returning to FIG. 2, after the interaction profiling bipartite graph has been produced, in step S27 the model learning module 232 constructs the Cyber Interaction Linker model based on the connection relations and the threat intelligence collected by the intelligence collection module 235.

Specifically, the model learning module 232 labels each channel node as benign, malicious or unknown based on the threat intelligence. Among the network traffic received by the traffic capture module 231, channels associated with the traffic of known malware are always labelled malicious, while the remaining channels are labelled benign or unknown by comparison with the benign list of channels (or domains) recorded in the threat intelligence.

After the channel nodes of the interaction profiling bipartite graph have been labelled, the model learning module 232 labels the connection-factor nodes to complete the graph, and can then train the Cyber Interaction Linker model on the completed graph.

More specifically, the model learning module 232 labels the connection-factor nodes of the interaction profiling bipartite graph as Benign, Virulence (malicious), Mixed, Unknown or Leaf (outlier) based on the threat intelligence. FIG. 5 shows the interaction profiling bipartite graph after the connection-factor nodes have been labelled, according to an embodiment of the present invention; in FIG. 5, "✽" denotes a malicious connection-factor node, "?" an unknown connection-factor node and "○" a benign connection-factor node. The model learning module 232 labels the connection-factor nodes according to the rules in Table 1.

Table 1 (image 107130038-A0304-0001; the table contents are not reproduced on this page)

Here the whitelist total of a connection factor can be, for example, the number of times the connection factor appears in the benign list of the threat intelligence; its blacklist total can be, for example, the number of times it appears in the network traffic of known malware; and its total number of occurrences can be, for example, the whitelist total plus the blacklist total. Using the labelling rules of Table 1, the model learning module 232 can label connection factors of different types. For example, Table 2 shows how traces are labelled when the connection factor is a trace.

Table 2 (image 107130038-A0304-0002; the table contents are not reproduced on this page)

After the connection-factor nodes have been labelled, the model learning module 232 generates, from the labelled connection-factor nodes, feature values for each channel node in the interaction profiling bipartite graph. In other words, the labelled connection-factor nodes let the model learning module 232 convert the information in the threat intelligence into feature values of the channel nodes, reducing the noise in the intelligence. In this embodiment, the model learning module 232 computes six feature values for each channel node from the labelled connection-factor nodes, but the invention is not limited to this. The six feature values are computed according to the rules in Table 3.

Table 3 (image 107130038-A0304-0003; the table contents are not reproduced on this page)

Here T is the set of all connection-factor nodes, B the set of connection-factor nodes labelled benign, V the set labelled malicious, U the set labelled unknown, M the set labelled mixed and L the set labelled leaf.

After the feature values of all channel nodes have been computed, the model learning module 232 trains the Cyber Interaction Linker model with a machine learning algorithm using the labelled channel nodes and their feature values; that is, the labelled channel nodes and their feature values serve as the labelled training data of the model. The machine learning algorithm can be, for example, a neural network, a random forest or a support vector machine; the invention is not limited to these.

Returning to FIG. 2, after the Cyber Interaction Linker model has been trained, in step S29 the victim determination module 233 can detect the victimization of unknown channels through the model. However the appearance of a malicious URL changes, the gateway apparatus 200 can use the victim determination module 233 to detect domains or hacked hosts with similar malicious interaction behaviour. In some embodiments, the victimization refers to the degree of interaction between an unknown channel and a malicious domain (or malware). Table 4 takes specific target domains and client IPs as an example and shows the detection results obtained by applying the Cyber Interaction Linker model of this embodiment to them. In this embodiment, the higher the malicious-behaviour score, the more likely it is that the domain of the corresponding channel is a malicious domain or that the client IP of the corresponding channel is the IP of a hacked host.

Table 4 (image 107130038-A0304-0004; the table contents are not reproduced on this page)

FIG. 6 is a schematic diagram of the result of digital forensic verification of the channel "com-wkejf32ljd23409system.net_xx.xx.136.246". FIG. 6 shows that the interaction between the target domain and the client IP discloses information about the user host, such as its location ("city=Taipei"), browser information ("Chrome&browserVersion=63…") and host operating system information ("operationSystem=Windows&operationSystemVersion=7…"). With this host information, a network attacker can easily determine whether the user's browser or operating system has a corresponding vulnerability and go on to exploit it to steal sensitive information or commit other cybercrime. Comparing Table 4 with FIG. 6 shows that the disclosed detection method effectively detects target domains or client IPs that may be under attack by malware.

It is worth noting that the above method for detecting malicious domains and hacked hosts can also be implemented as a program recorded on a non-transitory computer-readable medium such as a hard disk, floppy disk, USB flash drive or CD, and executed by any type of processing unit (for example, the processing unit 250).

In summary, the gateway apparatus of the present invention can periodically produce intelligence about malicious domains or hacked hosts and share it with third parties, helping them block or isolate malicious connections in a timely manner. The gateway apparatus can also judge whether an unknown channel is malicious from the connection factors used by each channel. In addition, the present invention converts the information in the threat intelligence into feature values via the labelled connection-factor nodes, reducing the noise in the intelligence. However the appearance of a malicious URL changes, the gateway apparatus can detect domains or hacked hosts with similar malicious interaction behaviour through the victim determination module and determine their victimization.

Although the invention has been disclosed by way of the above embodiments, they are not intended to limit it. A person of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the invention, and the scope of protection is therefore defined by the appended claims.

Reference numerals:
1: communication system
100: user host
130: external host
150: internal network
170: external network
200: gateway apparatus
210: communication unit
230: storage unit
231: traffic capture module
232: model learning module
233: victim determination module
235: intelligence collection module
236: intelligence sharing module
237: threat intelligence database
250: processing unit
CF1, CF2, CF3, CF4, CF5, CF6, CF7, CF8, CF9: connection factors / connection factor nodes
S21, S23, S25, S27, S29: steps

Figures:
FIG. 1 is a schematic diagram of the architecture of a communication system according to an embodiment of the invention.
FIG. 2 is a flowchart of the method for detecting malicious domains and hacked hosts according to an embodiment of the invention.
FIG. 3 is an example of parsing a Hypertext Transfer Protocol (HTTP) request.
FIG. 4 is an interaction-analysis bipartite graph according to an embodiment of the invention.
FIG. 5 is the interaction-analysis bipartite graph after the connection factor nodes have been labelled, according to an embodiment of the invention.
FIG. 6 is a schematic diagram of the result of digital forensic verification of one channel.


Claims (15)

1. A method for detecting malicious domains and hacked hosts, for use in a gateway apparatus, the method comprising: receiving a plurality of network traffic flows; parsing from the network traffic flows a plurality of channels and a plurality of connection factors, wherein each channel is associated with a link between a domain and an Internet Protocol (IP) address; establishing connection relations between the channels and the connection factors; constructing a Cyber Interaction Linker model from the connection relations and threat intelligence; and detecting the victimization of an unknown channel through the Cyber Interaction Linker model.

2. The method of claim 1, wherein the connection relation is an interaction-analysis bipartite graph, and establishing the connection relations between the channels and the connection factors comprises: taking each connection factor as a connection factor node and each channel as a channel node; and, for each network traffic flow, joining the corresponding connection factor node to the corresponding channel node so as to form the interaction-analysis bipartite graph.

3. The method of claim 2, wherein constructing the Cyber Interaction Linker model from the connection relations and threat intelligence comprises: labelling the channel nodes based on the threat intelligence; and training the Cyber Interaction Linker model based on the labelled channel nodes.

4. The method of claim 3, wherein training the Cyber Interaction Linker model based on the labelled channel nodes comprises: labelling the connection factor nodes based on the threat intelligence; generating, from the labelled connection factor nodes, a feature value for each channel node; and training the Cyber Interaction Linker model with a machine learning algorithm from the feature values and the labelled channel nodes.

5. The method of claim 4, wherein labelling the connection factor nodes based on the threat intelligence comprises: labelling a connection factor node benign when its whitelist total is greater than a threshold and its blacklist total is zero; labelling it malicious when its blacklist total is greater than the threshold and greater than its whitelist total; labelling it mixed when its blacklist total is greater than the threshold and its whitelist total is greater than its blacklist total; labelling it unknown when its whitelist total and its blacklist total are both zero; and labelling it outlier when its total number of occurrences is one; wherein the whitelist total is the number of times the connection factor appears in the benign list of the threat intelligence, the blacklist total is the number of times the connection factor appears in the network traffic of malware, and the total number of occurrences is the whitelist total plus the blacklist total.

6. The method of claim 5, wherein the feature values comprise at least one of: a first feature value f1 = |T|, where T is the set of all connection factor nodes; a second feature value f2 = |B|/|T|, where B is the set of connection factor nodes labelled benign; a third feature value f3 = |V|/|T|, where V is the set of connection factor nodes labelled malicious; a fourth feature value f4 = |U|/|T|, where U is the set of connection factor nodes labelled unknown; a fifth feature value f5 = |M|/|T|, where M is the set of connection factor nodes labelled mixed; and a sixth feature value f6 = |L|/|T|, where L is the set of connection factor nodes labelled outlier.

7. The method of claim 1, wherein each connection factor is associated with one of: a trace, a user agent, a timestamp, a connection method and a connection request.

8. A gateway apparatus connected to an internal network and to an external network, the gateway apparatus comprising: a communication unit that transmits and receives data; a storage unit that stores a plurality of modules; and a processing unit coupled to the communication unit and the storage unit, which accesses and executes the modules stored in the storage unit, the modules comprising: a traffic capture module, which receives through the communication unit a plurality of network traffic flows between the internal network and the external network; a model learning module, which parses from the network traffic flows a plurality of channels and a plurality of connection factors, establishes connection relations between the channels and the connection factors, and constructs a Cyber Interaction Linker model from the connection relations and threat intelligence, wherein each channel is associated with a link between a domain and an Internet Protocol (IP) address; and a victim determination module, which detects the victimization of an unknown channel through the Cyber Interaction Linker model.

9. The gateway apparatus of claim 8, wherein the connection relation is an interaction-analysis bipartite graph, and establishing the connection relations between the channels and the connection factors comprises: taking each connection factor as a connection factor node and each channel as a channel node; and, for each network traffic flow, joining the corresponding connection factor node to the corresponding channel node so as to form the interaction-analysis bipartite graph.

10. The gateway apparatus of claim 9, wherein constructing the Cyber Interaction Linker model from the connection relations and threat intelligence comprises: labelling the channel nodes based on the threat intelligence; and training the Cyber Interaction Linker model based on the labelled channel nodes.

11. The gateway apparatus of claim 10, wherein training the Cyber Interaction Linker model based on the labelled channel nodes comprises: labelling the connection factor nodes based on the threat intelligence; generating, from the labelled connection factor nodes, a feature value for each channel node; and training the Cyber Interaction Linker model with a machine learning algorithm from the feature values and the labelled channel nodes.

12. The gateway apparatus of claim 11, wherein labelling the connection factor nodes based on the threat intelligence comprises: labelling a connection factor node benign when its whitelist total is greater than a threshold and its blacklist total is zero; labelling it malicious when its blacklist total is greater than the threshold and greater than its whitelist total; labelling it mixed when its blacklist total is greater than the threshold and its whitelist total is greater than its blacklist total; labelling it unknown when its whitelist total and its blacklist total are both zero; and labelling it outlier when its total number of occurrences is one; wherein the whitelist total is the number of times the connection factor appears in the benign list of the threat intelligence, the blacklist total is the number of times the connection factor appears in the network traffic of malware, and the total number of occurrences is the whitelist total plus the blacklist total.

13. The gateway apparatus of claim 12, wherein the feature values comprise at least one of: a first feature value f1 = |T|, where T is the set of all connection factor nodes; a second feature value f2 = |B|/|T|, where B is the set of connection factor nodes labelled benign; a third feature value f3 = |V|/|T|, where V is the set of connection factor nodes labelled malicious; a fourth feature value f4 = |U|/|T|, where U is the set of connection factor nodes labelled unknown; a fifth feature value f5 = |M|/|T|, where M is the set of connection factor nodes labelled mixed; and a sixth feature value f6 = |L|/|T|, where L is the set of connection factor nodes labelled outlier.

14. The gateway apparatus of claim 8, wherein each connection factor is associated with one of: a trace, a user agent, a timestamp, a connection method and a connection request.

15. A non-transitory computer-readable medium recording a program which, when loaded by a gateway apparatus, performs the following steps: receiving a plurality of network traffic flows; parsing from the network traffic flows a plurality of channels and a plurality of connection factors, wherein each channel is associated with a link between a domain and an Internet Protocol (IP) address; establishing connection relations between the channels and the connection factors; constructing a Cyber Interaction Linker model from the connection relations and threat intelligence; and detecting the victimization of an unknown channel through the Cyber Interaction Linker model.
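The claims above describe one procedure: parse channels and connection factors out of HTTP traffic, draw the channel/factor bipartite graph, label the factor nodes from whitelist and blacklist counts, turn the labels into the features f1 to f6 per channel, and let a trained model judge an unknown channel. The following Python is an added worked example of that procedure and is not code from the patent or from its assignee. Everything in it is constructed for illustration: the record layout, the value of the threshold, the whitelist/blacklist counts, the known channel verdicts, and a nearest-centroid rule that stands in for the unspecified "machine learning algorithm" of claim 4. It also reads T in claim 6 as the factor nodes adjacent to one channel node, which the claim wording leaves open.

```python
# Added example, not the patent's own code. Walks claims 2, 4, 5 and 6 of
# TW202009767A on constructed data. Assumptions: record layout, THRESHOLD,
# the intelligence counts, the channel verdicts and the nearest-centroid
# stand-in for the "machine learning algorithm" are all hypothetical.
from collections import defaultdict
from math import dist

# Constructed gateway HTTP records: (domain, client_ip, method, request_path, user_agent).
SAMPLE_TRAFFIC = [
    ("update.example-cdn.com", "10.0.0.5", "GET", "/patch/1.2.3", "Mozilla/5.0 Chrome/63"),
    ("update.example-cdn.com", "10.0.0.7", "GET", "/patch/1.2.3", "Mozilla/5.0 Chrome/63"),
    ("c2-kj3.example", "10.0.0.9", "POST", "/gate.php", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("c2-kj3.example", "10.0.0.9", "POST", "/gate.php", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("unknown-xyz.example", "10.0.0.11", "POST", "/gate.php", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("unknown-xyz.example", "10.0.0.11", "GET", "/favicon.ico", "curl/7.64"),
]
# Constructed intelligence counts (claim 5): occurrences of a factor in the
# benign list (whitelist total) and in malware traffic (blacklist total).
WHITELIST_HITS = {"ua:Mozilla/5.0 Chrome/63": 40, "method:GET": 500,
                  "req:/patch/1.2.3": 12, "req:/favicon.ico": 300}
BLACKLIST_HITS = {"ua:Mozilla/4.0 (compatible; MSIE 6.0)": 25, "req:/gate.php": 30,
                  "method:POST": 9, "method:GET": 60, "ua:curl/7.64": 1}
THRESHOLD = 10  # assumed value of the claim's threshold
# Constructed channel verdicts from threat intelligence (the channel labels of claim 3).
CHANNEL_VERDICTS = {"update.example-cdn.com_10.0.0.5": "benign",
                    "update.example-cdn.com_10.0.0.7": "benign",
                    "c2-kj3.example_10.0.0.9": "malicious"}
LABELS = ("benign", "malicious", "unknown", "mixed", "outlier")  # order of f2..f6


def channel_of(record):
    """A channel is the link between a domain and an IP address (claim 1)."""
    return f"{record[0]}_{record[1]}"


def factors_of(record):
    """Connection factors from claim 7. Timestamps are left out here: a
    per-request timestamp never repeats, so it would only add isolated nodes."""
    _, _, method, path, user_agent = record
    return [f"method:{method}", f"req:{path}", f"ua:{user_agent}"]


def build_bipartite(records):
    """Claim 2: channel nodes on one side, factor nodes on the other; every
    record draws the edge between its channel and each of its factors."""
    adjacency = defaultdict(set)
    for record in records:
        adjacency[channel_of(record)].update(factors_of(record))
    return adjacency


def label_factor(factor, whitelist_hits, blacklist_hits, threshold):
    """Claim 5 labelling. The claim states no precedence between its rules;
    here outlier and unknown are tested first, and combinations the claim does
    not cover (e.g. counts that never pass the threshold) fall back to unknown
    (an assumption)."""
    w = whitelist_hits.get(factor, 0)
    b = blacklist_hits.get(factor, 0)
    if w + b == 1:
        return "outlier"
    if w == 0 and b == 0:
        return "unknown"
    if w > threshold and b == 0:
        return "benign"
    if b > threshold and b > w:
        return "malicious"
    if b > threshold and w > b:
        return "mixed"
    return "unknown"


def channel_features(factor_nodes, factor_labels):
    """Claim 6 with T read as the factor nodes adjacent to one channel node:
    f1 = |T|, f2..f6 = share of T carrying each label, in LABELS order."""
    t = len(factor_nodes)
    counts = {label: 0 for label in LABELS}
    for factor in factor_nodes:
        counts[factor_labels[factor]] += 1
    return (float(t),) + tuple(counts[label] / t for label in LABELS)


def nearest_centroid(features, verdicts, channel):
    """Stand-in for the trained model of claim 4: one centroid per verdict
    over the labelled channels; the closest centroid decides the unknown one."""
    groups = defaultdict(list)
    for name, verdict in verdicts.items():
        groups[verdict].append(features[name])
    centroids = {v: [sum(col) / len(col) for col in zip(*vecs)] for v, vecs in groups.items()}
    return min(centroids, key=lambda v: dist(features[channel], centroids[v]))


def run_example(records=SAMPLE_TRAFFIC, verdicts=CHANNEL_VERDICTS,
                channel="unknown-xyz.example_10.0.0.11"):
    """Full pipeline: graph -> factor labels -> per-channel features -> verdict."""
    graph = build_bipartite(records)
    all_factors = set().union(*graph.values())
    factor_labels = {f: label_factor(f, WHITELIST_HITS, BLACKLIST_HITS, THRESHOLD)
                     for f in all_factors}
    features = {c: channel_features(nodes, factor_labels) for c, nodes in graph.items()}
    return factor_labels, features, nearest_centroid(features, verdicts, channel)


if __name__ == "__main__":
    labels, feats, verdict = run_example()
    for name, vec in feats.items():
        print(name, [round(x, 2) for x in vec])
    print("verdict for unknown channel:", verdict)
```

Two things worth noticing when running it. First, "method:GET" comes out mixed (heavily whitelisted but also seen in malware traffic) and "method:POST" falls through to unknown because its blacklist count never passes the threshold; claim 5 does not say what to do with such nodes, so a real deployment has to pick a rule. Second, f1 is a raw count while f2 to f6 are ratios, so with a plain Euclidean distance f1 dominates; the unknown channel is still judged malicious here because it shares "/gate.php" and the MSIE user agent with the known C2 channel, but a production model should scale f1 or use a learner that is insensitive to feature scale.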
TW107130038A 2018-08-28 2018-08-28 Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof TWI684113B (en)


Publications (2)

Publication Number Publication Date
TWI684113B TWI684113B (en) 2020-02-01
TW202009767A true TW202009767A (en) 2020-03-01

Family

ID=70413427


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI764618B (en) * 2020-10-19 2022-05-11 新加坡商賽博創新新加坡股份有限公司 Cyber security protection system and related proactive suspicious domain alert system
US11558352B2 (en) 2020-10-19 2023-01-17 Cycraft Singapore Pte. Ltd. Cyber security protection system and related proactive suspicious domain alert system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI777766B (en) * 2021-09-10 2022-09-11 中華電信股份有限公司 System and method of malicious domain query behavior detection
TWI774582B (en) 2021-10-13 2022-08-11 財團法人工業技術研究院 Detection device and detection method for malicious http request

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821002B (en) * 2011-06-09 2015-08-26 中国移动通信集团河南有限公司信阳分公司 Network flow abnormal detecting method and system
US20180198812A1 (en) * 2017-01-11 2018-07-12 Qualcomm Incorporated Context-Based Detection of Anomalous Behavior in Network Traffic Patterns
US10264005B2 (en) * 2017-01-11 2019-04-16 Cisco Technology, Inc. Identifying malicious network traffic based on collaborative sampling

