TWI648978B - Hacker reverse connection behavior detection method - Google Patents


Info

Publication number
TWI648978B
Authority
TW
Taiwan
Prior art keywords
connection
connection behavior
behavior
hacker
packet
Application number
TW106123921A
Other languages
Chinese (zh)
Other versions
TW201909592A (en)
Inventor
羅文揚
徐正磬
張光宏
Original Assignee
中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method for detecting hacker reverse-connection behavior. Within a statistical unit time, the number of connections between every pair of IP addresses is counted. When the connection count for any two IP addresses exceeds a connection-count threshold, the pair is judged to exhibit suspicious connection behavior. When the suspicious connection behavior uses the HTTP protocol, the packet content length of each connection session is tallied; when the occurrence counts of the content-length values show a regular pattern, the packet content of each session is analyzed manually to decide whether the destination IP address of the suspicious connection is a malicious relay station. The advantage of the invention is that only a simple and fast statistical method is needed to filter out abnormal outbound network connections, from which the set of victim hosts and the hacker's attack technique can then be worked out.

Description

Hacker reverse connection behavior detection method

The invention is a method for detecting hacker reverse-connection behavior, in particular one based on network traffic analysis.

Targeted attacks are among the greatest network threats facing organizations of every kind today. A company that is singled out as a target not only suffers reputational damage but may also incur financial losses running into the millions.

Among such attacks, the kind most capable of hiding and moving around inside a corporate network is the Advanced Persistent Threat (APT). These attacks are called "advanced" because the attacker uses zero-day exploits and covert connection techniques; users are often compromised for a long time without knowing it. Even when an enterprise buys advanced protective equipment, it still cannot stop the intrusion or raise an early warning, and the investigation typically begins only after sensitive data has already leaked or an outside security expert has reported the breach.

Common APT defenses are, first, blocking by blacklist and, second, analyzing network traffic data with machine-learning algorithms to detect signs of intrusion. The blacklist must be updated constantly to stay effective, so its maintenance cost is not low; the machine-learning approach needs large volumes of training data, likewise suffers from high operating cost, and in practice its accuracy is not high.

To solve the problems described above, the object of the invention is a hacker reverse-connection behavior detection method that is based on network traffic analysis, has simple steps, and uses only simple statistics.

To achieve this object, the invention proposes a hacker reverse-connection behavior detection method comprising: within a statistical unit time, counting the number of connections between every pair of IP (Internet Protocol) addresses; when the number of connections between any two IP addresses exceeds a connection-count threshold, judging that the two IP addresses exhibit suspicious connection behavior; when the suspicious connection behavior uses the HTTP protocol, tallying the packet content length (Content-Length) value of each connection session of the suspicious connection behavior; and when the occurrence counts of the packet content length values show a regular pattern, analyzing the packet content of each connection session manually to judge whether the destination IP address in the suspicious connection behavior is a malicious relay station.

In summary, the invention has at least the following advantages:

1. The invention finds a hacker's covert reverse connections simply and quickly: it needs only simple statistics over packet header data, with no complex algorithm.

2. The invention applies to detecting botnet hosts and APT incidents and can identify victim hosts, malicious relay stations and the hacker's attack technique, so that an enterprise can understand the scope of the attack and, knowing the technique, prepare its defenses before the next attack.

3. The invention locates the malicious relay station through network traffic analysis rather than through forensic examination of the victim host, which reduces the administrative burden.

S21-S24, S31-S36: steps
1: Internet
11: malicious relay station
12: hacker jump host
2: enterprise intranet
21: gateway firewall
22: victim host
23: other internal hosts
24: mail server
25: web server
26: database server

FIG. 1 is a schematic diagram of an application scenario of the hacker reverse-connection behavior detection method of the invention.

FIG. 2 is a flow chart of the hacker reverse-connection behavior detection method of the invention.

FIG. 3 is a flow chart of one embodiment of the hacker reverse-connection behavior detection method of the invention.

Specific embodiments are described below to illustrate the invention; they are not intended to limit its scope of protection.

Among the many techniques of an Advanced Persistent Threat (APT) attack, hackers frequently use an advanced "reverse connection" technique: a Trojan or worm is implanted on the victim host and makes the host appear to be browsing external websites when it is in fact checking in with a malicious relay station, so that the hacker knows the host can still be controlled. The hacker can also embed control commands in the web page returned to the victim host; the results of executing them are sent back the next time the host "browses" the malicious relay station.

Referring to FIG. 1, a schematic of a typical enterprise network: the enterprise intranet 2 is connected to the Internet 1 through a gateway firewall 21. Suppose that a victim host 22 on the intranet 2 has been compromised by an APT intrusion; it therefore exhibits the reverse-connection behavior described above and keeps checking in with a malicious relay station 11 across the Internet 1.

Referring to FIG. 2, against attacks that use this reverse-connection technique the invention proposes a detection method whose steps are explained in detail below.

Step S21: within a statistical unit time, count the number of connection sessions between every pair of IP addresses. The two IP addresses are an internal IP on the intranet and an external IP outside it; the step takes the network traffic data of one statistical unit time and counts the connection sessions between each internal IP address and each external IP address.

The statistical unit time is a freely chosen parameter, for example 15 minutes or 1 hour. The connection count is the number of connection sessions. A session is identified as follows: until the session ends or the statistical unit time expires, packets with the same source IP address, source port, destination IP address and destination port belong to the same session; if any one of these four values differs, the packets belong to different sessions. The network traffic data can be obtained with packet-capture software such as Wireshark or SmartSniff.

Step S22: when the connection count of any two IP addresses exceeds the connection-count threshold, the pair is judged to exhibit suspicious connection behavior and is treated as a suspicious connection. This step sets the sensitivity of the detection: the lower the threshold, the higher the sensitivity and the more false positives occur; the higher the threshold, the lower the sensitivity and the more missed detections occur.

Step S23: when the suspicious connection behavior uses the HTTP (Hyper Text Transfer Protocol) protocol, tally the packet content length (Content-Length) value of each of its connection sessions.

Concretely, an application-layer inspection device (such as a next-generation firewall, NGFW) or packet-capture software (such as Wireshark or SmartSniff) is used to decide whether the suspicious connection uses HTTP; if it does, the same tool is used to obtain the packet content length of those suspicious connections, and the method proceeds to step S24.

A packet generally consists of a header part and a data part; the packet content length above is the size, in bytes, of the data part of a connection session's packet content.

Incidentally, because the port used for an HTTP connection can be chosen freely, the invention does not require port 80. Enterprises, however, often allow only ports 53, 80, 8080 or 443 outbound through the firewall, so hackers frequently use a port other than 80 (such as 53 or 443) to evade inspection by security devices. For that reason, HTTP traffic on a port other than 80 is all the more suspicious to a network administrator.

Step S24: when the occurrence counts of the packet content length values show a regular pattern, the packet content of each connection session is inspected manually and correlated, to judge whether the destination IP address of the suspicious connection is a malicious relay station.

When different web pages are browsed, the packets returned by the site should have different content lengths; even the same page may carry different content at different times, so the lengths differ. If the packets returned by a site cluster on one content-length value, it may be that a victim host keeps checking in with a malicious relay station, and quite possibly the hacker has issued no new command, so the value never changes. Changes in a session's content-length value therefore also indicate whether the hacker is active.

Accordingly, "the occurrence counts of the content-length values show a regular pattern" means that the content-length values of the sessions in the suspicious connection cluster on one or a few specific values. When that is the case, the packet content of each session is analyzed manually to judge whether the destination IP address of the suspicious connection is a malicious relay station; here the destination IP is the external IP address in the suspicious connection.

The manual analysis is explained in detail below with reference to results obtained with the packet inspection software Wireshark.

For brevity, a network connection session in the suspicious connection that uses HTTP is simply called an "HTTP connection"; an "HTTP request" is an HTTP session sent from the victim host to the malicious relay station, and an "HTTP response" is one sent from the malicious relay station to the victim host.

In the invention, the manual analysis consists of checking whether the packet content contains non-HTML content and whether it contains command-prompt instructions such as cmd.

Under normal circumstances, the packet content returned by a website contains only the HTML code of the page. Tables 1 and 2 show, respectively, an HTTP request and an HTTP response from a Wireshark capture of the local host connecting to Google; the lower part of Table 2 (the last seven lines) is plain HTML code.

In a hacker's reverse-connection attack, however, the packet content returned by the malicious relay station often contains meaningless content that is not HTML. Tables 3 and 4 show, respectively, an abnormal HTTP response and an abnormal HTTP request captured with Wireshark. The "P............" at the bottom of Table 3 is clearly not HTML, and Table 4 contains a string that is not HTML and appears to be encoded. Such suspected encoded strings typically contain many repeated characters, so the invention also treats them as one indicator that the destination IP address is a malicious relay station.

Likewise, in a reverse-connection attack the packet content returned by the malicious relay station often contains command-prompt instructions that make the victim host perform various operations. The last line of Tables 5 and 6 shows the local host being told to list a folder with "cmd/c dir c:\." and to report its IP configuration with "cmd/c ipconfig/all"; an ordinary web page would never ask the local host to do this, so the invention treats it as another indicator that the destination IP address is a malicious relay station.

In another embodiment, the manual analysis described above can also be implemented as an automated program applying the same judgement rules; since a programmatic implementation is conventional, it is not described further here.
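One way to automate the three judgement rules of the manual analysis (non-HTML content, command-prompt instructions, and suspected encoded strings with repeated characters), as an added example in Python that is not part of the patent or of Chunghwa Telecom's implementation. The regular expressions, the "at least 90% base64-style characters" ratio and the "five identical characters in a row" rule are assumptions, and the sample bodies are constructed stand-ins for Tables 1 to 6, which the page does not reproduce.

```python
"""Automating the step S24 content checks: HTML vs. non-HTML, embedded cmd instructions,
and suspected encoded strings. Added example; the patterns and samples are assumptions."""
import re
from typing import Dict, List

# Constructed sample bodies (not the patent's tables, which the page does not reproduce).
SAMPLE_BODIES: Dict[str, bytes] = {
    "normal_html": b"<!DOCTYPE html><html><head><title>Google</title></head><body><p>hi</p></body></html>",
    "plain_checkin": b"P" + b"." * 12,                       # like the "P......" response of Table 3
    "encoded_blob": b"AAAAAQ3JkY2llY2QgYjRzZTY0IGxpa2UgYmxvYiBBQUFBQUFBQUFBQUFBQUFBQUE=",
    # 16-byte prefix, then a command from the 17th byte on, mirroring the embodiment's layout
    "result_upload": b"AAAAA" + b"\x00" * 11 + b"cmd /c ipconfig /all\r\nWindows IP Configuration",
}

HTML_TAG = re.compile(rb"<\s*(?:!doctype|/?(?:html|head|body|div|p|a|span|script|title|meta))\b", re.I)
# "cmd /c <anything up to end of line>" or a bare Windows reconnaissance command with its switches
CMD_PATTERN = re.compile(
    rb"\bcmd(?:\.exe)?\s*/c\s*[^\r\n\x00]+|\b(?:ipconfig|whoami|tasklist|systeminfo)\b(?:\s*/\w+)*",
    re.I,
)
REPEAT_RUN = re.compile(rb"(.)\1{4,}")  # assumption: five or more identical consecutive characters
B64_RATIO = 0.9                          # assumption: share of [A-Za-z0-9+/=] that looks "encoded"
MIN_ENCODED_LEN = 8


def looks_like_html(body: bytes) -> bool:
    """Check 1: does the body carry ordinary HTML markup?"""
    return HTML_TAG.search(body) is not None


def extract_commands(body: bytes) -> List[str]:
    """Check 2: command-prompt instructions embedded in the body (e.g. cmd /c ipconfig /all)."""
    return [m.decode("ascii", "replace") for m in CMD_PATTERN.findall(body)]


def command_offset(body: bytes) -> int:
    """Byte offset of the first embedded command, or -1 (the embodiment saw it at the 17th byte)."""
    m = CMD_PATTERN.search(body)
    return m.start() if m else -1


def looks_encoded(body: bytes) -> bool:
    """Check 3: printable, non-HTML text made almost entirely of base64-style characters
    that also contains runs of repeated characters (the patent's 'many repeated characters')."""
    if looks_like_html(body):
        return False
    printable = bytes(c for c in body if 32 <= c < 127)
    if len(printable) < MIN_ENCODED_LEN:
        return False
    b64_like = sum(1 for c in printable if chr(c).isalnum() or c in b"+/=")
    return b64_like / len(printable) >= B64_RATIO and REPEAT_RUN.search(printable) is not None


def classify_body(body: bytes) -> str:
    """Verdict for one HTTP body; commands outrank everything because they are the strongest indicator."""
    if extract_commands(body):
        return "command"
    if looks_like_html(body):
        return "html"
    if looks_encoded(body):
        return "encoded"
    return "non_html"


def indicators_for_session(request_body: bytes, response_body: bytes) -> Dict[str, str]:
    """Apply the checks to both directions of one HTTP session, as the embodiment does."""
    return {"request": classify_body(request_body), "response": classify_body(response_body)}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:14s} -> {classify_body(body):9s} commands={extract_commands(body)}")
```

Anything classified as "command" or "encoded" is what the analyst would be handed in step S24; "non_html" alone (the bare "P......" check-in) is weaker and is best read together with the content-length clustering from step S23.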

Referring to FIG. 3, an embodiment applying the hacker reverse-connection behavior detection method of the invention is now explained with a concrete example.

Referring to FIG. 1, the enterprise intranet 2 contains a gateway firewall 21 (which blocks attacks from the Internet 1), a victim host 22, other internal hosts 23, a mail server 24, a web server 25 and a database server 26. Because the enterprise uses NAT towards the external Internet 1 and permits only the DNS, HTTP and HTTPS services outbound, the hacker cannot remotely control the victim host and update the malware through a simple remote-control connection.

Suppose that a victim host 22 (IP 10.1.1.100) on the intranet 2 has already been compromised and has malware installed which, by way of reverse connections, periodically connects to the malicious relay station 11 to receive control commands issued by the hacker's jump host 12 and to update the malware or other information. Suppose the victim host 22 checks in with the malicious relay station (IP 200.1.1.200) once every minute, using port 443.

Step S31: for the method of the invention, the statistical unit time is set to 15 minutes and the connection-count threshold to 10. Every 15 minutes, the number of connections between internal IPs (segment 10.1.1.0/24) and external IPs, that is between each pair of IP addresses, is counted from the network traffic data (NetFlow), and the pairs are sorted by connection count.

Step S32: after sorting, the top entry is the set of sessions from the victim host 22 (IP 10.1.1.100) to the malicious relay station 11 (IP 200.1.1.200), with 16 connections, above the threshold of 10; it is treated as suspicious connection behavior and detection continues.

Step S33: the network traffic file captured at the time is then examined with application-layer inspection software. Taking Wireshark as the example, the display filter (ip.src==10.1.1.100 && ip.dst==200.1.1.200) || (ip.src==200.1.1.200 && ip.dst==10.1.1.100) matches 199 packets; adding the filter http leaves 32 HTTP packets, meaning the suspicious connection comprises 16 HTTP sessions (hereafter "HTTP connections").

Step S34: tally the packet content length values of the suspicious connection's sessions, separated into the HTTP requests sent from the victim host 22 to the malicious relay station 11 and the HTTP responses sent from the malicious relay station 11 to the victim host 22.

HTTP request content lengths: 112 bytes 9 times, 132 bytes twice, and 740, 1216, 1512, 1736 and 3572 bytes once each.

HTTP response content lengths: 16 bytes 10 times, and 22, 31, 36, 37, 51 and 67 bytes once each.

Step S35: from these results, the request content lengths cluster at 112 bytes and the response content lengths at 16 bytes, which matches the feature of concentration on one or a few content-length values, so manual analysis follows.

Step S36: analysis of the packet content shows that the HTTP responses all return a string beginning with five "A" characters (the strings run from 112 to 3572 characters), and these strings appear to be encoded.

In the content part of the HTTP requests, wherever the content length exceeds 16 bytes, a command-prompt instruction appears from the 17th byte on, such as cmd/c ipconfig/all, cmd/c dir c:\ and cmd/dir c:\users. These query the IP configuration, folder contents and so on, which no normal web page would ask for, so the host with IP 200.1.1.200 can be judged to be a malicious relay station set up by the hacker.

After applying the hacker reverse-connection behavior detection method of the invention, it can be confirmed that this embodiment is a reverse connection operated by a hacker: the HTTP requests that the victim host 22 sends to the malicious relay station 11 actually serve to check in with the relay station, and once the hacker issues a control command, the HTTP request packet carries the result of executing it.
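The complete procedure of steps S21 to S24, run over the figures of the embodiment in steps S31 to S36, as an added example in Python; this is not code from the patent or from Chunghwa Telecom. The packet record format, the window bookkeeping, the benign flows mixed into the capture, and the rule used to decide "regularity" (the single most common Content-Length covers at least half of the pair's HTTP sessions; the patent only says "one or a few values") are assumptions. The capture is constructed to reproduce the embodiment's numbers: 16 sessions from 10.1.1.100 to 200.1.1.200:443 inside one 15-minute window, request lengths 112 x9, 132 x2, 740, 1216, 1512, 1736, 3572 and response lengths 16 x10, 22, 31, 36, 37, 51, 67.

```python
"""Steps S21-S24 over flow/packet records (added example; format and thresholds are assumptions)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")  # the embodiment's internal segment
WINDOW_SECONDS = 15 * 60                             # statistical unit time: 15 minutes
CONNECTION_THRESHOLD = 10                            # connection-count threshold
CONCENTRATION = 0.5  # assumption: "regular" if one Content-Length covers >= half of the sessions


@dataclass(frozen=True)
class Packet:
    """One packet summary, as a flow exporter or tshark field export might give it (assumed format)."""
    ts: int                        # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    http: bool                     # application-layer inspection classified it as HTTP
    content_length: Optional[int]  # HTTP Content-Length, None when there is no HTTP body


SessionKey = Tuple[str, int, str, int]  # (internal IP, internal port, external IP, external port)


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def sessions_in_window(packets: List[Packet], window_start: int = 0,
                       window_seconds: int = WINDOW_SECONDS) -> Dict[SessionKey, dict]:
    """S21 helper: a session is one (src, sport, dst, dport) 4-tuple seen inside the window,
    keyed with the internal side first so both directions land in the same session."""
    sessions: Dict[SessionKey, dict] = {}
    for p in packets:
        if not (window_start <= p.ts < window_start + window_seconds):
            continue
        if is_internal(p.src) and not is_internal(p.dst):
            key, direction = (p.src, p.sport, p.dst, p.dport), "request_len"
        elif is_internal(p.dst) and not is_internal(p.src):
            key, direction = (p.dst, p.dport, p.src, p.sport), "response_len"
        else:
            continue  # only internal<->external traffic is of interest
        s = sessions.setdefault(key, {"http": False, "request_len": None, "response_len": None})
        s["http"] = s["http"] or p.http
        if p.content_length is not None:
            s[direction] = p.content_length
    return sessions


def pair_connection_counts(sessions: Dict[SessionKey, dict]) -> Counter:
    """S21: number of sessions between each (internal IP, external IP) pair."""
    return Counter((k[0], k[2]) for k in sessions)


def suspicious_pairs(counts: Counter, threshold: int = CONNECTION_THRESHOLD) -> list:
    """S22: pairs whose count exceeds the threshold, most connections first (as in S31/S32)."""
    return sorted(((pair, n) for pair, n in counts.items() if n > threshold), key=lambda x: -x[1])


def content_length_histograms(sessions: Dict[SessionKey, dict], pair: Tuple[str, str]):
    """S23: tally request and response Content-Length values of the pair's HTTP sessions."""
    req, resp = Counter(), Counter()
    for (src, _, dst, _), s in sessions.items():
        if (src, dst) != pair or not s["http"]:
            continue
        if s["request_len"] is not None:
            req[s["request_len"]] += 1
        if s["response_len"] is not None:
            resp[s["response_len"]] += 1
    return req, resp


def is_regular(hist: Counter, concentration: float = CONCENTRATION) -> bool:
    """S24 trigger: the most common length accounts for at least `concentration` of the sessions."""
    total = sum(hist.values())
    return total > 0 and hist.most_common(1)[0][1] / total >= concentration


def detect(packets: List[Packet], window_start: int = 0) -> List[dict]:
    """Run S21-S24 over one window; one finding per suspicious pair, 'regular' meaning
    the sessions' contents should go to an analyst (or the automated content checks)."""
    sessions = sessions_in_window(packets, window_start)
    findings = []
    for pair, n in suspicious_pairs(pair_connection_counts(sessions)):
        req, resp = content_length_histograms(sessions, pair)
        findings.append({"pair": pair, "connections": n, "request_hist": req,
                         "response_hist": resp, "regular": is_regular(req) or is_regular(resp)})
    return findings


def build_sample_capture() -> List[Packet]:
    """Constructed capture reproducing the embodiment's numbers; not real traffic."""
    req_lens = [112] * 9 + [132] * 2 + [740, 1216, 1512, 1736, 3572]
    resp_lens = [16] * 10 + [22, 31, 36, 37, 51, 67]
    pkts = []
    for i, (rq, rs) in enumerate(zip(req_lens, resp_lens)):
        t, port = 30 + 55 * i, 49152 + i  # a beacon roughly once a minute, new ephemeral port each time
        pkts.append(Packet(t, "10.1.1.100", port, "200.1.1.200", 443, True, rq))
        pkts.append(Packet(t + 1, "200.1.1.200", 443, "10.1.1.100", port, True, rs))
    for i in range(6):  # benign DNS lookups from another host: six sessions, under the threshold
        pkts.append(Packet(100 + 120 * i, "10.1.1.101", 50000 + i, "8.8.8.8", 53, False, None))
    for i, n in enumerate([5120, 18833, 2048]):  # three ordinary page loads with varied sizes
        pkts.append(Packet(200 + 200 * i, "10.1.1.102", 51000 + i, "203.0.113.10", 80, True, n))
    return pkts


if __name__ == "__main__":
    for f in detect(build_sample_capture()):
        print(f["pair"], f["connections"], dict(f["request_hist"]), dict(f["response_hist"]), f["regular"])
```

The split into request and response histograms matters: in the embodiment the request side clusters at 112 bytes (9 of 16) and the response side at 16 bytes (10 of 16), and either alone is enough to trigger the content analysis. The concentration rule is where the false-positive rate of the method is really decided; sites that return a fixed-size status page on a polling interval will also satisfy it, which is why the patent still ends with a content check rather than a verdict.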

The detailed description above concerns one feasible embodiment of the invention; that embodiment does not limit the patent scope of the invention, and all equivalent implementations or modifications that do not depart from the spirit of the invention fall within the patent scope of this application.

Claims (9)

1. A hacker reverse-connection behavior detection method, comprising: within a statistical unit time, counting the number of connections between every pair of IP addresses; when the number of connections between any two IP addresses exceeds a connection-count threshold, judging that the two IP addresses exhibit suspicious connection behavior; when the suspicious connection behavior uses the HTTP protocol, tallying the packet content length value of each connection session of the suspicious connection behavior, wherein packet-capture software or an application-layer inspection device is used to judge whether the suspicious connection behavior uses the HTTP protocol; and when the occurrence counts of the packet content length values show a regular pattern, further analyzing the packet content of those connection sessions to judge whether the destination IP address in the suspicious connection behavior is a malicious relay station.

2. The method of claim 1, wherein the number of connections is the number of connection sessions, and a connection session is defined, until the session ends or the statistical unit time expires, by the source IP address, source port, destination IP address and destination port; if any one of these four values differs, the connections are regarded as different sessions.

3. The method of claim 1, wherein the packet content length is the size of the data part of the packet content of a connection session.

4. The method of claim 1, wherein the regular pattern comprises the packet content length values of multiple connection sessions clustering on one or a few specific content-length values.

5. The method of claim 1, wherein the further analysis comprises checking whether the packet content contains non-HTML content.

6. The method of claim 1, wherein the further analysis comprises checking whether the packet content contains command-prompt instructions.

7. The method of claim 6, further comprising judging the hacker's attack technique from the command-prompt instructions.

8. The method of claim 1, wherein the further analysis comprises checking whether the packet content contains a suspected encoded string.

9. The method of claim 8, wherein a feature of the suspected encoded string is the occurrence of repeated characters.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106123921A TWI648978B (en) 2017-07-18 2017-07-18 Hacker reverse connection behavior detection method

Publications (2)

Publication Number Publication Date
TWI648978B true TWI648978B (en) 2019-01-21
TW201909592A TW201909592A (en) 2019-03-01

Family

ID=65803878


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101686235A (en) * 2008-09-26 2010-03-31 中联绿盟信息技术(北京)有限公司 Device and method for analyzing abnormal network flow
CN103491095A (en) * 2013-09-25 2014-01-01 中国联合网络通信集团有限公司 Flow cleaning framework and device and flow lead and reinjection method
TW201537381A (en) * 2014-03-31 2015-10-01 Ibm Computer devices and security management device communicationally-connected to the same
US20150381642A1 (en) * 2014-06-30 2015-12-31 Electronics And Telecommunications Research Institute Abnormal traffic detection apparatus and method based on modbus communication pattern learning


Also Published As

Publication number Publication date
TW201909592A (en) 2019-03-01
