WO2011047600A1 - 僵尸网络检测方法、装置和系统 - Google Patents
僵尸网络检测方法、装置和系统 Download PDFInfo
- Publication number
- WO2011047600A1 WO2011047600A1 PCT/CN2010/077640 CN2010077640W WO2011047600A1 WO 2011047600 A1 WO2011047600 A1 WO 2011047600A1 CN 2010077640 W CN2010077640 W CN 2010077640W WO 2011047600 A1 WO2011047600 A1 WO 2011047600A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- botnet
- control host
- information
- host
- address information
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
Definitions
- the present invention relates to the field of network security technologies, and in particular, to a botnet detection method, apparatus and system. Background technique
- the botnet uses only one or more means of communication to infect a large number of hosts with the bot tool Bot program, thereby forming a one-to-many control network between the controller and the infected host.
- the bot tool Bot is Abbreviation for robot, which can perform predefined functions, can be remotely controlled by predefined commands, and has a certain artificial intelligence program.
- Zombie host means that it contains bots or other remote control programs, so that it can be The computer that the attacker remotely controlled.
- the botnet constitutes an attack platform, which can initiate a variety of cyber attacks, resulting in the smashing of the entire basic information network or important application systems, and can also lead to a large number of confidential or personal privacy leaks, and can also be used to engage in networks.
- Other illegal criminal activities such as fraud, using Botnet can initiate distributed denial of service attacks (hereinafter referred to as: DD0S), sending spam, stealing secrets, abusing resources and other network attacks, such as the entire network or users It has serious consequences for itself.
- DD0S distributed denial of service attacks
- botnets have multiple network topologies, one of which is a tree topology with multi-level control, and the other is based on IRC (Internet Relay Chat).
- Protocol-implemented botnet whose controller creates a communication channel on the IRC server, and the zombie host logs into the IRC server and joins the channel created by the controller in advance. Waiting for the controller to initiate an instruction, the controller sends an instruction on the designated channel of the IRC, and the zombie host executes the instruction after receiving the instruction, and initiates an attack.
- P2P peer-to-peer
- the detection of the botnet is performed by means of honeypots and the like, and the malicious code analysis means such as reverse engineering is used to obtain the related information required for logging in to the blog, and the customized information is used.
- the bot program logs into the botnet and takes further countermeasures. Second, by studying the network traffic changes of zombie behavior, using offline and online analysis methods, the botnet can be judged.
- the inventor found in the process of implementing the present invention that the botnet cannot be monitored in real time in the prior art, and the topology of the botnet is generated. Summary of the invention
- the object of the embodiments of the present invention is to provide a botnet detection method, device and system, which can monitor a botnet in real time and generate a topology structure of a botnet.
- an embodiment of the present invention provides a botnet detection method, including: acquiring address information of a control host of a bot tool sample by using an eruption environment;
- the invention also provides a botnet detecting device, comprising:
- An address obtaining module configured to obtain address information of a control host of the bot tool sample by using an eruption environment
- a sending module configured to send, to the traffic analysis device, a query request message for acquiring address information of a zombie host connected to the control host, where the query request message includes address information of the control host;
- a receiving module configured to receive a query response message returned by the traffic analysis device, where the query response message includes address information of a zombie host connected to the control host.
- the embodiment of the present invention further provides a botnet detection system, including the botnet detection device and the traffic analysis device, where the traffic analysis device is configured to obtain, according to the DNS response information of the control host, after receiving the query request message.
- the botnet detection method, device and system provided by the embodiment of the present invention obtain the address information of the control host of the bot tool sample by using the self-explosion environment, and then send the query request message to the flow analysis device, after acquiring the bot model sample,
- the query response message returned by the received traffic analysis device includes the address information of the zombie host controlled by the control host, so that the relevant information of the botnet can be obtained in real time, and the topology of the botnet is constructed.
- FIG. 1 is a schematic flow chart of an embodiment of a botnet detection method of the present invention
- FIG. 2 is a schematic structural diagram of an embodiment of a botnet detecting apparatus according to the present invention.
- FIG. 3 is a schematic structural diagram of an embodiment of a botnet detection system according to the present invention.
- FIG. 4 is a flowchart of a method for detecting a botnet in a specific embodiment of the present invention.
- FIG. 5 is a schematic diagram of an apparatus of a botnet detection system according to an embodiment of the present invention. detailed description
- FIG. 1 is a schematic flowchart of an embodiment of a botnet detection method according to the present invention. As shown in FIG. 1, the method includes the following steps:
- Step 101 Acquire the address information of the control host of the zombie tool sample by using the self-explosion environment; the self-explosion environment in this step refers to the bot tool that performs the above acquisition by using the virtual machine after the botnet detection device acquires the living sample of the bot tool.
- Step 102 Send, to the traffic analysis device, a query request message for acquiring address information of a zombie host connected to the control host, where the query request message includes address information of the control host;
- Step 103 Receive a query response message returned by the traffic analysis device, where the query response message includes address information of a zombie host connected to the control host.
- the botnet detection method obtained by the embodiment of the present invention obtains the address information of the control host of the bot tool sample by using the self-explosion environment after acquiring the bot model, and then sends a query request message to the flow analysis device, and the received traffic is received.
- the query response message returned by the analysis device includes the address information of the zombie host controlled by the control host, so that the relevant information of the botnet can be obtained in real time, and the topology structure of the botnet is constructed.
- the botnet tool sample of the botnet may be obtained according to the honeynet technology or the web crawler technology, that is, the address information of the control host that obtains the sample of the bot tool by using the self-outbreak environment may be specifically as follows:
- the bot model obtained by the honeynet technology or the web crawler technology corresponds to the address information of the control host.
- the self-explosive environment described above is used to automate the running of zombie tool samples.
- the address information of the control host may include the domain name information and the port information of the control host, or include the IP address and port information of the control host, or the domain name information, the IP address, and the port information of the control host.
- the address information of the zombie host may be the IP address and port information of the zombie host.
- the traffic analysis device in the foregoing embodiment may be a Deep Packet Inspection (DPI) device, a DD0S detection device, a firewall, or an Unifi ed Threa t Management (hereinafter referred to as UTM). device.
- the detection method of the botnet may further include the following steps: constructing a network extension of the botnet according to the address information of the control host and the address information of the zombie host. Park structure.
- the query request message including the address information of the control host is sent to the traffic analysis device.
- the traffic analysis device may obtain the connection with the DNS response information of the control host.
- the address information of the zombie host and the foregoing step 103 may be specifically: receiving the query response message returned by the traffic analysis device, where the query response message includes connecting with the control host according to the DNS response information of the control host. The address information of the zombie host. The acquired zombie host address information is then returned to the botnet detection device.
- FIG. 2 is a schematic structural diagram of an embodiment of a botnet detecting device according to the present invention.
- the botnet detecting device includes an address obtaining module 11, a sending module 12, and receiving.
- the module 13 is configured to: obtain the address information of the control host of the bot model by using the self-explosion environment; and the sending module 12 is configured to send, to the traffic analysis device, an address that is used to obtain a zombie host connected to the control host.
- a query request message of the information the query request message includes address information of the control host;
- the receiving module 13 is configured to receive a query response message returned by the traffic analysis device, where the query response message includes a zombie connected to the control host The address information of the host.
- the botnet detecting apparatus obtains the address information of the control host of the bot tool sample by using the self-explosion environment after acquiring the bot model, and then sends a query request message to the stream analyzing device, and the received traffic is received.
- the query response message returned by the analysis device includes the address information of the zombie host controlled by the control host, so that the botnet can be obtained in real time. Related information, build the topology of the botnet.
- the address obtaining module may include a first obtaining unit for acquiring address information of a control host of a bot tool sample acquired according to the honeynet technology or the web crawler technology by using the self-explosion environment.
- the botnet detecting apparatus may further include a building module, configured to construct a network topology structure of the botnet according to the address information of the control host and the address information of the zombie host.
- An embodiment of the present invention further provides a botnet detection system, where the botnet detection system includes a traffic analysis device and a botnet detection device provided by the foregoing embodiment.
- 3 is a schematic structural diagram of an embodiment of a botnet detection system according to the present invention. As shown in FIG. 3, the botnet detection system includes a botnet detection device 21 and a traffic analysis device 22, wherein the botnet detection device 21 is configured to utilize a self-explosion environment.
- an information query request message for acquiring an address letter of a zombie host connected to the control host, where the message includes address information of the control host;
- the query response message returned by the traffic analysis device, where the query response message includes address information of a zombie host connected to the control host; and the traffic analysis device 22 is configured to perform control according to the control after receiving the query request message.
- the host's DNS response information obtains the address information of the zombie host to which it is connected.
- the botnet detection system obtained by the foregoing embodiment of the present invention obtains the address information of the control host of the bot tool sample by using the self-explosion environment after acquiring the bot model, and then sends a query request message to the traffic analysis device, and receives the
- the query response message returned by the traffic analysis device includes the address information of the zombie host controlled by the control host, so that the related information of the botnet can be obtained in real time, and the topology of the botnet is constructed.
- the traffic analysis device in the botnet detection system of the above embodiment may be a DPI device, a DDO S detection device, a firewall or a UTM.
- FIG. 4 is a flowchart of a method for detecting a botnet in a specific embodiment of the present invention.
- the botnet detection system includes monitoring and analysis.
- Heart equivalent to the above-mentioned botnet detection device
- DPI device corresponding to the above-mentioned traffic analysis device
- the detection method of the botnet can include the following steps:
- Step 201 The monitoring and analysis center obtains a sample of the malicious bot using the honeynet technology or the web crawler technology, and after obtaining the living sample, executes the obtained bot model sample by using the virtual machine, and records the data packet of the external communication mentioned above;
- the sample program is transmitted to the virtual machine by calling the virtual machine API (Application Programming Interface) interface. Run the sample program automatically and record the packets it communicates with.
- virtual machine API Application Programming Interface
- Step 202 The monitoring and analysis center obtains information such as a DNS, an IP address, a connection port, and the like included in the data packet of the foregoing record through a program or a manual operation, and finds that the control server is stably connected to the external connection, and may determine that the server is a control host of the botnet. ;
- Step 203 The monitoring and analysis center stores the obtained address information of the control host corresponding to the living body sample in the sample analysis library;
- Step 204 Generate a C&C list by using the capability of monitoring and analyzing the external linkage of the analysis center, and send the domain name, IP address, and connection port information of the control host to each DPI device.
- the C&C (command and contro l) list refers to a list of command and control servers for the botnet, that is, a list of information about servers that issue botnet commands and control forwarding.
- Step 205 The DPI device receives the C&C list, monitors the DNS response information and the connection information of the control host, that is, monitors client information that is connected to the domain name, port, and IP in the C&C list.
- Step 206 The DPI device detects the foregoing DNS response information. If the domain name information included in the DNS response information returned by the client for DNS query is the same as the domain name in the C&C list, the client It is considered to be a zombie host, and the client that communicates with the domain name, port, and IP in the C&C list is also considered to be the botnet client IP and IP connection client of the botnet, and ignores the client in the DNS response message.
- the end is the data of the DNS server, and the IP address obtained in this step is obtained;
- Step 207 Each DPI device reports the detected IP address of the zombie host in the botnet to the monitoring and analysis center. The above zombie host generates a Bot list;
- Step 208 The monitoring and analysis center constructs a topology structure of the botnet according to information such as the address information of the control host and the IP address of the zombie host.
- the DPI device can be further divided into a traffic acquisition unit, a traffic analysis unit, and data.
- the storage unit, the monitoring unit and the data recording unit, the monitoring and analysis center includes an information extraction unit, a software download unit, a malicious analysis unit, a C&C delivery unit, a B0T reporting unit, and an information summary unit, wherein the DPI traffic acquisition unit is used to perform network
- the traffic acquisition unit is configured to parse the traffic data, and the download format is a file in a PE format, and the data storage unit records the link path in the download process, and sends the obtained download path to the monitoring and analysis center for information extraction.
- the unit, the information extracting unit extracts the above-mentioned download path, and sends it to the software download unit.
- the software download unit downloads the PE file by using the crawler technology, and sends the obtained PE file to the malicious analysis unit, and the malicious analysis unit analyzes. Confirm if it is The corpse tool sample, the malicious analysis unit can also be connected to the sample acquisition unit, that is, the PE file is obtained through the honeynet technology. If the PE file is a bot tool sample, the C&C delivery unit can use the self-explosion environment to obtain the bot tool sample.
- the data recording unit records and forwards it to the B0T reporting unit of the monitoring and analysis center, and the information summary unit performs information aggregation, and constructs the topology structure of the botnet according to the address information of the control host and the IP address of the zombie host. After getting the above information, you can put the botnet Information is stored in the botnet library.
- the botnet detection method, device and system provided by the embodiment of the present invention obtain the address information of the control host of the bot tool sample by using the self-explosion environment, and then send the query request message to the flow analysis device, after acquiring the bot model sample,
- the query response message returned by the received traffic analysis device includes the address information of the zombie host controlled by the control host, so that the relevant information of the botnet can be obtained in real time, and the topology of the botnet is constructed.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Medical Treatment And Welfare Office Work (AREA)
- Information Transfer Between Computers (AREA)
Description
僵尸网络检测方法、 装置和系统 本申请要求于 2009 年 10 月 20 日提交中国专利局, 申请号为 200910206068.4, 发明名称为 "僵尸网络检测方法、 装置和系统" 的中国专 利申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域
本发明涉及网络安全技术领域, 特别涉及一种僵尸网络检测方法、 装置 和系统。 背景技术
僵尸网络(Botnet )是只采用一种或者多种传播手段, 将大量主机感染 僵尸工具 Bot程序, 从而在控制者和被感染主机之间形成一个可一对多控制 的网络, 其中僵尸工具 Bot是 robot (机器人) 的缩写, 其可执行预定义的 功能, 可以被预定义的命令所远程控制、 并具有一定人工智能的程序, 僵尸 主机就是指含有僵尸工具或者其他远程控制程序, 使其可被攻击者远程控制 的计算机。
僵尸网络构成一个攻击平台, 利用这个平台可以发起各种各样的网络攻 击行为, 从而导致整个基础信息网络或者重要应用系统瘫痪, 也可以导致大 量机密或者个人隐私泄露,还可以被用来从事网络欺诈等其他违法犯罪活动, 利用 Botnet 可以发起分布式拒绝服务攻击(Distribution Denial of service,以下简称: DD0S)、 发送垃圾邮件、 窃取机密、 滥用资源等网络攻 击行为, 这些行为无论对整个网络还是用户自身都造成了严重的后果。
目前僵尸网络有多种网络拓朴结构, 其中一种网络拓朴结构为多级控制 的树状拓朴结构, 另一种网络拓朴结构是一种基于 IRC ( Internet Relay Chat, 因特网中继交谈)协议实现的僵尸网络, 其控制者在 IRC服务器上 创建通信频道, 僵尸主机登陆 IRC服务器并加入控制者事先创建的频道,
等待控制者发起指令, 控制者在 IRC指定频道上发指令, 僵尸主机收到指 令后执行指令, 并发起攻击。 另外还有一种存在基于点对点 (P2P ) 结构 的僵尸网络。
现有技术中对僵尸网络的检测, 一种是通过蜜罐等手段获 Bot程序样 本, 采用逆向工程等恶意代码分析手段, 获得隐藏在代码中的登录 Bo tnet 所需要的相关信息, 使用定制的僵尸程序登录到僵尸网络中去, 进一步采 取应对措施; 二是通过研究僵尸计算机行为的网络流量变化, 使用离线和 在线的两种分析方法, 就可以实现对僵尸网络的判断。
发明人在实现本发明的过程中发现, 现有技术中不能实时对僵尸网络 进行监控, 生成僵尸网络的拓朴结构。 发明内容
本发明实施例的目的是提供一种僵尸网络检测方法、 装置和系统, 能够 实现实时对僵尸网络进行监控, 生成僵尸网络的拓朴结构。
为实现上述目的, 本发明实施例提供了一种僵尸网络检测方法, 包括: 利用自爆发环境获取僵尸工具样本的控制主机的地址信息;
向流量分析设备发送用于获取与所述控制主机连接的僵尸主机的地址信 息的查询请求消息, 所述查询请求消息包括所述控制主机的地址信息;
接收所述流量分析设备返回的查询响应消息, 所述查询响应消息包括与 所述控制主机连接的僵尸主机的地址信息。
本发明还提供了一种僵尸网络检测装置, 包括:
地址获取模块, 用于利用自爆发环境获取僵尸工具样本的控制主机的地 址信息;
发送模块, 用于向流量分析设备发送用于获取与所述控制主机连接的僵 尸主机的地址信息的查询请求消息, 所述查询请求消息包括所述控制主机的 地址信息;
接收模块, 用于接收所述流量分析设备返回的查询响应消息, 所述查询 响应消息包括与所述控制主机连接的僵尸主机的地址信息。
本发明实施例还提供了一种僵尸网络检测系统, 包括上述的僵尸网络检 测装置和流量分析设备, 所述流量分析设备用于在接收到所述查询请求消息 后根据控制主机的 DNS应答信息获取与其连接的僵尸主机的地址信息。
本发明实施例提供的僵尸网络检测方法、 装置和系统, 通过在获取到僵 尸工具样本后, 利用自爆发环境获取僵尸工具样本的控制主机的地址信息, 然后向流分析设备发送查询请求消息, 在接收到的流量分析设备返回的查询 响应消息中包括上述的控制主机控制的僵尸主机的地址信息, 从而能够实时 的获取僵尸网络的相关信息, 构建僵尸网络的拓朴结构。 附图说明
为了更清楚地说明本发明实施例的技术方案, 下面将对实施例或现有技 术描述中所需要使用的附图作一简单地介绍, 显而易见地, 下面描述中的附 图是本发明的一些实施例, 对于本领域普通技术人员来讲, 在不付出创造性 劳动性的前提下, 还可以根据这些附图获得其他的附图。 图 1本发明僵尸网络检测方法实施例的流程示意图;
图 2为本发明僵尸网络检测装置实施例的结构示意图;
图 3为本发明僵尸网络检测系统实施例的结构示意图;
图 4为本发明具体实施例中僵尸网络检测方法的流程图
图 5为本发明具体实施例中僵尸网络检测系统的装置示意图。 具体实施方式
下面将结合本发明实施例中的附图, 对本发明实施例中的技术方案进 行清楚、 完整地描述,显然, 所描述的实施例仅仅是本发明一部分实施例,
而不是全部的实施例。 基于本发明中的实施例, 本领域普通技术人员在没 有作出创造性劳动前提下所获得的所有其他实施例, 都属于本发明保护的 范围。
下面通过附图和实施例, 对本发明的技术方案做进一步的详细描述。 本发明实施例提供了一种僵尸网络检测方法, 图 1为本发明僵尸网络检 测方法实施例的流程示意图, 如图 1所示, 该方法包括如下步骤:
步骤 101、 利用自爆发环境获取僵尸工具样本的控制主机的地址信息; 本步骤中的自爆发环境是指在僵尸网络检测装置获取到僵尸工具的活体样本 后, 利用虚拟机执行上述获取的僵尸工具样本;
步骤 102、 向流量分析设备发送用于获取与所述控制主机连接的僵尸主 机的地址信息的查询请求消息, 该查询请求消息包括所述控制主机的地址信 息;
步骤 103、 接收所述流量分析设备返回的查询响应消息, 所述查询响应 消息包括与所述控制主机连接的僵尸主机的地址信息。
本发明实施例提供的僵尸网络检测方法,通过在获取到僵尸工具样本后, 利用自爆发环境获取僵尸工具样本的控制主机的地址信息, 然后向流分析设 备发送查询请求消息, 在接收到的流量分析设备返回的查询响应消息中包括 上述的控制主机控制的僵尸主机的地址信息, 从而能够实时的获取僵尸网络 的相关信息, 构建僵尸网络的拓朴结构。 在上述步骤 101 中, 僵尸网络的僵 尸工具样本可以为根据蜜网技术或网络爬虫技术获取, 即上述利用自爆发环 境获取僵尸工具样本的控制主机的地址信息可以具体为: 利用自爆发环境获 取根据蜜网技术或网络爬虫技术获取的僵尸工具样本对应的控制主机的地址 信息。 上述自爆发环境用于自动运行僵尸工具样本。
控制主机的地址信息可以包括控制主机的域名信息和端口信息, 或者包 括控制主机的 IP地址和端口信息, 或者包括控制主机的域名信息、 IP地址 和端口信息。
在上述实施例中,僵尸主机的地址信息可以为僵尸主机的 IP地址和端口 信息。 上述实施例中的流量分析设备可以为深度包检测 ( Deep Packe t Inspec t ion,以下简称: DPI )设备、 DD0S检测设备、 防火墙或者统一威胁管 理(Un i f i ed Threa t Management , 以下简称: UTM)设备。 另外在上述图 3 所述实施例的基石出上,僵尸网络的检测方法还可以进一步的包括如下的步骤: 根据所述控制主机的地址信息以及所述僵尸主机的地址信息构建僵尸网络的 网络拓朴结构。
在上述的步骤 102 中向流量分析设备发送了包括控制主机的地址信息的 查询请求消息, 流量分析设备在接收到上述的查询请求消息后, 可以根据所 述控制主机的 DNS应答信息获取与其连接的僵尸主机的地址信息, 及上述的 步骤 103可以具体为: 接收所述流量分析设备返回的查询响应消息, 所述查 询响应消息包括根据所述控制主机的 DNS应答信息获取的与所述控制主机连 接的僵尸主机的地址信息。 之后再将获取的僵尸主机的地址信息返回给僵尸 网络检测装置。
本发明实施例还提供了一种僵尸网络检测装置, 图 2为本发明僵尸网络 检测装置实施例的结构示意图, 如图 2所示, 僵尸网络检测装置包括地址获 取模块 11、发送模块 12和接收模块 13 , 其中地址获取模块 11用于利用自爆 发环境获取僵尸工具样本的控制主机的地址信息;发送模块 12用于向流量分 析设备发送包括用于获取与所述控制主机连接的僵尸主机的地址信息的查询 请求消息, 该查询请求消息包括所述控制主机的地址信息; 接收模块 13用于 接收所述流量分析设备返回的查询响应消息, 所述查询响应消息包括与所述 控制主机连接的僵尸主机的地址信息。
本发明实施例提供的僵尸网络检测装置,通过在获取到僵尸工具样本后, 利用自爆发环境获取僵尸工具样本的控制主机的地址信息, 然后向流分析设 备发送查询请求消息, 在接收到的流量分析设备返回的查询响应消息中包括 上述的控制主机控制的僵尸主机的地址信息, 从而能够实时的获取僵尸网络
的相关信息, 构建僵尸网络的拓朴结构。
在上述实施例中上述的地址获取模块可以包括第一获取单元, 该单元用 于利用自爆发环境获取根据蜜网技术或网络爬虫技术获取的僵尸工具样本的 控制主机的地址信息。
另外上述的僵尸网络检测装置还可以包括一个构建模块, 该模块用于根 据所述控制主机的地址信息以及所述僵尸主机的地址信息构建僵尸网络的网 络拓朴结构。
本发明实施例还提供了一种僵尸网络检测系统, 该僵尸网络检测系统包 括流量分析设备和上述实施例提供的僵尸网络检测装置。 图 3为本发明僵尸 网络检测系统实施例的结构示意图, 如图 3所示, 该僵尸网络检测系统包括 僵尸网络检测装置 21和流量分析设备 22 , 其中僵尸网络检测装置 21用于利 用自爆发环境获取僵尸工具样本的控制主机的地址信息; 用于向流量分析设 备发送用于获取与所述控制主机连接的僵尸主机的地址信的息查询请求消 息, 该消息包括所述控制主机的地址信息; 用于接收所述流量分析设备返回 的查询响应消息, 所述查询响应消息包括与所述控制主机连接的僵尸主机的 地址信息;流量分析设备 22用于在接收到所述查询请求消息后根据控制主机 的 DNS应答信息获取与其连接的僵尸主机的地址信息。
本发明上述实施例提供的僵尸网络检测系统, 通过在获取到僵尸工具样 本后, 利用自爆发环境获取僵尸工具样本的控制主机的地址信息, 然后向流 量分析设备发送查询请求消息, 在接收到的流量分析设备返回的查询响应消 息中包括上述的控制主机控制的僵尸主机的地址信息, 从而能够实时的获取 僵尸网络的相关信息, 构建僵尸网络的拓朴结构。
上述实施例的僵尸网络检测系统中的流量分析设备可以为 DPI 设备、 DDO S检测设备、 防火墙或 UTM。
以下是一个本发明的具体实施例, 图 4为本发明具体实施例中僵尸网络 检测方法的流程图, 在本具体实施例中, 僵尸网络检测系统包括监控分析中
心 (相当于上述的僵尸网络检测装置)和 DPI设备(相当于上述的流量分析 设备) , 其中的 DPI设备包括前台和后台, 前台用于流量获取和流量分析, 后台用于进行业务统计汇总和展示, 其僵尸网络的检测方法可以包括如下的 步骤:
步骤 201、 监控分析中心通过蜜网技术或者网络爬虫技术获取恶意僵尸 工具的样本, 并在获得活体样本后, 利用虚拟机执行上述获取的僵尸工具样 本, 并记录上述其对外通信的数据包;
具体的, 监控中心通过蜜网技术或者网络爬虫技术获取恶意僵尸工具的 活体样本后,将样本程序传入虚拟机中,通过调用虚拟机的 API ( Appl icat ion Program Interface, 应用程序接口)接口来自动运行样本程序, 并记录其对 外通信的数据包。
步骤 202、 监控分析中心通过程序或者人工操作获取上述记录的数据包 中包括的 DNS、 IP地址以及连接端口等信息, 并发现其稳定对外连接的控制 服务器, 可确定该服务器为僵尸网络的控制主机;
步骤 203、 监控分析中心将获取的上述活体样本对应的控制主机的地址 信息存储到样本分析库中;
步骤 204、 利用监控分析中心的对外联动的能力, 将控制主机的域名、 IP地址以及连接端口信息生成 C&C列表并发送给各个 DPI设备;
具体的, C&C ( command and contro l , 命令和控制) 列表指的是僵尸网 络的命令和控制服务器的列表, 也就是记录发出僵尸网络命令和控制转发的 服务器的信息列表。
步骤 205、 DPI设备接收上述的 C&C列表,对该控制主机的 DNS应答信息、 连接信息进行监控, 即监控与 C&C列表中的域名、 端口及 IP进行通信连接的 客户机信息;
步骤 206、 DPI设备检测上述 DNS应答信息, 若客户机进行 DNS查询而返 回的 DNS应答信息中包含的域名信息与 C&C列表中的域名相同, 则该客户机
被认为是僵尸主机, 另外对于与 C&C列表中的域名、 端口及 IP进行通信连接 的客户机, 也被认为是僵尸网络的僵尸主机客户端 IP以及 IP连接客户端, 并且忽略 DNS应答信息中客户端是 DNS服务器的数据, 本步骤中获取的是其 IP地址;
步骤 207、 各个 DPI设备将检测到的上述僵尸网络中僵尸主机的 IP地址 报告给监控分析中心。 上述僵尸主机生成 Bot列表;
步骤 208、 监控分析中心根据控制主机的地址信息以及僵尸主机的 IP地 址等信息构建僵尸网络的拓朴结构。
以上提供了一种僵尸网络检测方法的具体实施例, 其中的主要功能由监 测分析中心和 DPI设备完成, 如图 5所示, 可进一步的将 DPI设备分为流量 获取单元、 流量解析单元、 数据存储单元、 监控单元和数据记录单元, 监控 分析中心包括信息提取单元、 软件下载单元、 恶意性分析单元、 C&C 下发单 元、 B0T上报单元和信息汇总单元, 其中 DPI 的流量获取单元用于进行网络 流量获取, 流量解析单元用于对流量数据进行解析, 下载格式是 PE格式的文 件, 并由数据存储单元记录上述下载过程中的链接路径, 并将获取的下载路 径发送给监测分析中心的信息提取单元,信息提取单元提取上述的下载路径, 将其发送给软件下载单元, 软件下载单元利用爬虫技术下载 PE文件, 将获取 的上述 PE文件发送给恶意性分析单元, 由恶意性分析单元进行分析, 确认其 是否为僵尸工具样本, 另外恶意性分析单元还可以与样本获取单元连接, 即 通过蜜网技术获取 PE文件, 若上述 PE文件为僵尸工具样本, 则 C&C下发单 元可利用自爆发环境获取僵尸工具样本的控制主机的地址信息, 尤其是其域 名, 并将上述的地址信息生成 C&C列表发送给 DPI设备的监控单元, 该监控 单元监控上述控制主机的 DNS应答信息,并获取与其连接的僵尸主机的 IP地 址, 由数据记录单元进行记录并转发给监控分析中心的 B0T上报单元, 由信 息汇总单元进行信息汇总,并根据控制主机的地址信息以及僵尸主机的 IP地 址等信息构建僵尸网络的拓朴结构, 在获取到上述的信息后, 可将僵尸网络
信息存储到僵尸网络库中。
本发明实施例提供的僵尸网络检测方法、 装置和系统, 通过在获取到僵 尸工具样本后, 利用自爆发环境获取僵尸工具样本的控制主机的地址信息, 然后向流分析设备发送查询请求消息, 在接收到的流量分析设备返回的查询 响应消息中包括上述的控制主机控制的僵尸主机的地址信息, 从而能够实时 的获取僵尸网络的相关信息, 构建僵尸网络的拓朴结构。
最后应说明的是: 以上实施例仅用以说明本发明的技术方案而非对其进 行限制, 尽管参照较佳实施例对本发明进行了详细的说明, 本领域的普通技 术人员应当理解: 其依然可以对本发明的技术方案进行修改或者等同替换, 而这些修改或者等同替换亦不能使修改后的技术方案脱离本发明技术方案的 ^"神和范围。
Claims
1、 一种僵尸网络检测方法, 其特征在于, 包括:
利用自爆发环境获取僵尸工具样本的控制主机的地址信息;
向流量分析设备发送用于获取与所述控制主机连接的僵尸主机的地址信 息的查询请求消息, 所述查询请求消息包括所述控制主机的地址信息;
接收所述流量分析设备返回的查询响应消息, 所述查询响应消息包括与 所述控制主机连接的僵尸主机的地址信息。
2、 根据权利要求 1所述的僵尸网络检测方法, 其特征在于, 所述控制主 机的地址信息包括控制主机的域名信息和端口信息, 或者包括控制主机的 IP 地址和端口信息, 或者包括控制主机的域名信息、 IP地址和端口信息。
3、 根据权利要求 1所述的僵尸网络检测方法, 其特征在于, 所述僵尸主 机的地址信息包括僵尸主机的 IP地址和端口信息。
4、 根据权利要求 1所述的僵尸网络检测方法, 其特征在于, 所述控制主 机连接的僵尸主机的地址信息是所述流量分析设备根据所述控制主机的 DNS 应答信息获取的。
5、 根据权利要求 1所述的僵尸网络检测方法, 其特征在于, 还包括: 根据所述控制主机的地址信息以及所述僵尸主机的地址信息构建僵尸网 络的网络拓朴结构。
6、 一种僵尸网络检测装置, 其特征在于, 包括:
地址获取模块, 用于利用自爆发环境获取僵尸工具样本的控制主机的地 址信息;
发送模块, 用于向流量分析设备发送用于获取与所述控制主机连接的僵 尸主机的地址信息的查询请求消息, 所述查询请求消息包括所述控制主机的 地址信息;
接收模块, 用于接收所述流量分析设备返回的查询响应消息, 所述查询 响应消息包括与所述控制主机连接的僵尸主机的地址信息。
7、 根据权利要求 6所述的僵尸网络检测装置, 其特征在于, 所述控制主 机的地址信息包括控制主机的域名信息和端口信息, 或者包括控制主机的 IP 地址和端口信息, 或者包括控制主机的域名信息、 IP地址和端口信息。
8、 根据权利要求 6所述的僵尸网络检测装置, 其特征在于, 所述僵尸主 机的地址信息包括僵尸主机的 IP地址和端口信息。
9、 根据权利要求 6所述的僵尸网络检测装置, 其特征在于, 还包括: 构建模块, 用于根据所述控制主机的地址信息以及所述僵尸主机的地址 信息构建僵尸网络的网络拓朴结构。
10、 一种僵尸网络检测系统, 其特征在于, 包括如权利要求 6 - 9任一所 述的僵尸网络检测装置和流量分析设备, 所述流量分析设备用于在接收到所 述查询请求消息后根据控制主机的 DNS应答信息获取与其连接的僵尸主机的 地址信息。
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/452,214 US8904532B2 (en) | 2009-10-20 | 2012-04-20 | Method, apparatus and system for detecting botnet |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910206068.4 | 2009-10-20 | ||
CN200910206068.4A CN102045214B (zh) | 2009-10-20 | 2009-10-20 | 僵尸网络检测方法、装置和系统 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/452,214 Continuation US8904532B2 (en) | 2009-10-20 | 2012-04-20 | Method, apparatus and system for detecting botnet |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011047600A1 true WO2011047600A1 (zh) | 2011-04-28 |
Family
ID=43899822
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2010/077640 WO2011047600A1 (zh) | 2009-10-20 | 2010-10-11 | 僵尸网络检测方法、装置和系统 |
Country Status (3)
Country | Link |
---|---|
US (1) | US8904532B2 (zh) |
CN (1) | CN102045214B (zh) |
WO (1) | WO2011047600A1 (zh) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130031625A1 (en) * | 2011-07-29 | 2013-01-31 | Electronics And Telecommunications Research Institute | Cyber threat prior prediction apparatus and method |
CN107864110A (zh) * | 2016-09-22 | 2018-03-30 | 中国电信股份有限公司 | 僵尸网络主控端检测方法和装置 |
CN110324273A (zh) * | 2018-03-28 | 2019-10-11 | 蓝盾信息安全技术有限公司 | 一种基于dns请求行为与域名构成特征相结合的僵尸网络检测法 |
Families Citing this family (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9270690B2 (en) * | 2010-07-21 | 2016-02-23 | Seculert Ltd. | Network protection system and method |
US10397246B2 (en) | 2010-07-21 | 2019-08-27 | Radware, Ltd. | System and methods for malware detection using log based crowdsourcing analysis |
US11343265B2 (en) | 2010-07-21 | 2022-05-24 | Seculert Ltd. | System and methods for malware detection using log analytics for channels and super channels |
CN102571487B (zh) * | 2011-12-20 | 2014-05-07 | 东南大学 | 基于多数据源分布式的僵尸网络规模测量及追踪方法 |
US8291500B1 (en) * | 2012-03-29 | 2012-10-16 | Cyber Engineering Services, Inc. | Systems and methods for automated malware artifact retrieval and analysis |
US20130318609A1 (en) * | 2012-05-25 | 2013-11-28 | Electronics And Telecommunications Research Institute | Method and apparatus for quantifying threat situations to recognize network threat in advance |
US8879558B1 (en) * | 2012-06-27 | 2014-11-04 | Juniper Networks, Inc. | Dynamic remote packet capture |
US9088606B2 (en) * | 2012-07-05 | 2015-07-21 | Tenable Network Security, Inc. | System and method for strategic anti-malware monitoring |
CN102801719B (zh) * | 2012-08-08 | 2015-02-25 | 中国人民解放军装备学院 | 基于主机流量功率谱相似性度量的僵尸网络检测方法 |
EP2901612A4 (en) * | 2012-09-28 | 2016-06-15 | Level 3 Communications Llc | APPARATUS, SYSTEM AND METHOD FOR IDENTIFYING AND MITIGATING MALICIOUS THREATS ON A NETWORK |
US9917849B2 (en) * | 2013-05-01 | 2018-03-13 | Fortinet, Inc. | Security system for physical or virtual environments |
US10432658B2 (en) * | 2014-01-17 | 2019-10-01 | Watchguard Technologies, Inc. | Systems and methods for identifying and performing an action in response to identified malicious network traffic |
JP5640167B1 (ja) * | 2014-03-31 | 2014-12-10 | 株式会社ラック | ログ分析システム |
CN103944901B (zh) * | 2014-04-18 | 2016-11-09 | 中国科学院信息工程研究所 | 社交僵尸网络控制节点的检测方法及装置 |
CN105488408A (zh) * | 2014-12-31 | 2016-04-13 | 中国信息安全认证中心 | 一种基于特征的恶意样本类型识别的方法与系统 |
US10091222B1 (en) * | 2015-03-31 | 2018-10-02 | Juniper Networks, Inc. | Detecting data exfiltration as the data exfiltration occurs or after the data exfiltration occurs |
RU2618947C2 (ru) * | 2015-06-30 | 2017-05-11 | Закрытое акционерное общество "Лаборатория Касперского" | Способ предотвращения работы программ, содержащих нежелательный для пользователя функционал |
CN105099816B (zh) * | 2015-07-02 | 2018-08-24 | 北京航空航天大学 | 一种航空任务电子系统通用综合检测装置及检测方法 |
CN106850501A (zh) * | 2015-12-04 | 2017-06-13 | 中国电信股份有限公司 | 检测僵木蠕网络的方法以及系统 |
GB2545480B8 (en) | 2015-12-18 | 2018-01-17 | F Secure Corp | Detection of coordinated cyber-attacks |
US9942253B2 (en) | 2016-01-15 | 2018-04-10 | Kentlik Technologies, Inc. | Network monitoring, detection, and analysis system |
US10432650B2 (en) | 2016-03-31 | 2019-10-01 | Stuart Staniford | System and method to protect a webserver against application exploits and attacks |
CN107979581B (zh) * | 2016-10-25 | 2020-10-27 | 华为技术有限公司 | 僵尸特征的检测方法和装置 |
US10320810B1 (en) * | 2016-10-31 | 2019-06-11 | Palo Alto Networks, Inc. | Mitigating communication and control attempts |
TWI596498B (zh) * | 2016-11-02 | 2017-08-21 | FedMR-based botnet reconnaissance method | |
US10289456B2 (en) | 2017-06-01 | 2019-05-14 | International Business Machines Corporation | Software bot conflict-resolution service agent |
US10599402B2 (en) * | 2017-07-13 | 2020-03-24 | Facebook, Inc. | Techniques to configure a web-based application for bot configuration |
CN109698814B (zh) * | 2017-10-23 | 2021-06-15 | 中国电信股份有限公司 | 僵尸网络发现方法及僵尸网络发现装置 |
CN107733927B (zh) * | 2017-11-28 | 2021-10-19 | 深信服科技股份有限公司 | 一种僵尸网络文件检测的方法、云服务器、装置及系统 |
CN111183612B (zh) * | 2017-12-27 | 2023-08-29 | 西门子股份公司 | 一种网络流量的发送方法、装置及混合蜜罐系统 |
US11070588B2 (en) | 2018-06-11 | 2021-07-20 | International Business Machines Corporation | Cognitive malicious activity identification and handling |
CN109889619B (zh) * | 2019-01-28 | 2022-01-21 | 中国互联网络信息中心 | 基于区块链的异常域名监测方法及装置 |
CN112134732B (zh) * | 2020-09-10 | 2021-10-26 | 南京大学 | 一种用于DDoS攻击的取证方法及系统 |
US11824891B2 (en) * | 2021-02-15 | 2023-11-21 | Cujo LLC | Detecting botnets |
US20230171099A1 (en) * | 2021-11-27 | 2023-06-01 | Oracle International Corporation | Methods, systems, and computer readable media for sharing key identification and public certificate data for access token verification |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1739921A1 (en) * | 2005-06-28 | 2007-01-03 | AT&T Corp. | Progressive wiretap |
CN101282340A (zh) * | 2008-05-09 | 2008-10-08 | 华为技术有限公司 | 网络攻击处理方法及处理装置 |
CN101321171A (zh) * | 2008-07-04 | 2008-12-10 | 北京锐安科技有限公司 | 一种检测分布式拒绝服务攻击的方法及设备 |
CN101360019A (zh) * | 2008-09-18 | 2009-02-04 | 华为技术有限公司 | 一种僵尸网络的检测方法、系统和设备 |
CN101588276A (zh) * | 2009-06-29 | 2009-11-25 | 成都市华为赛门铁克科技有限公司 | 一种检测僵尸网络的方法及其装置 |
CN101651579A (zh) * | 2009-09-15 | 2010-02-17 | 成都市华为赛门铁克科技有限公司 | 识别僵尸网络的方法及网关设备 |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100663546B1 (ko) * | 2005-07-08 | 2007-01-02 | 주식회사 케이티 | 악성 봇 대응 방법 및 그 시스템 |
WO2007107766A1 (en) * | 2006-03-22 | 2007-09-27 | British Telecommunications Public Limited Company | Method and apparatus for automated testing software |
US8533819B2 (en) * | 2006-09-29 | 2013-09-10 | At&T Intellectual Property Ii, L.P. | Method and apparatus for detecting compromised host computers |
-
2009
- 2009-10-20 CN CN200910206068.4A patent/CN102045214B/zh active Active
-
2010
- 2010-10-11 WO PCT/CN2010/077640 patent/WO2011047600A1/zh active Application Filing
-
2012
- 2012-04-20 US US13/452,214 patent/US8904532B2/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1739921A1 (en) * | 2005-06-28 | 2007-01-03 | AT&T Corp. | Progressive wiretap |
CN101282340A (zh) * | 2008-05-09 | 2008-10-08 | 华为技术有限公司 | 网络攻击处理方法及处理装置 |
CN101321171A (zh) * | 2008-07-04 | 2008-12-10 | 北京锐安科技有限公司 | 一种检测分布式拒绝服务攻击的方法及设备 |
CN101360019A (zh) * | 2008-09-18 | 2009-02-04 | 华为技术有限公司 | 一种僵尸网络的检测方法、系统和设备 |
CN101588276A (zh) * | 2009-06-29 | 2009-11-25 | 成都市华为赛门铁克科技有限公司 | 一种检测僵尸网络的方法及其装置 |
CN101651579A (zh) * | 2009-09-15 | 2010-02-17 | 成都市华为赛门铁克科技有限公司 | 识别僵尸网络的方法及网关设备 |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130031625A1 (en) * | 2011-07-29 | 2013-01-31 | Electronics And Telecommunications Research Institute | Cyber threat prior prediction apparatus and method |
CN107864110A (zh) * | 2016-09-22 | 2018-03-30 | 中国电信股份有限公司 | 僵尸网络主控端检测方法和装置 |
CN107864110B (zh) * | 2016-09-22 | 2021-02-02 | 中国电信股份有限公司 | 僵尸网络主控端检测方法和装置 |
CN110324273A (zh) * | 2018-03-28 | 2019-10-11 | 蓝盾信息安全技术有限公司 | 一种基于dns请求行为与域名构成特征相结合的僵尸网络检测法 |
Also Published As
Publication number | Publication date |
---|---|
CN102045214B (zh) | 2013-06-26 |
US8904532B2 (en) | 2014-12-02 |
CN102045214A (zh) | 2011-05-04 |
US20120204264A1 (en) | 2012-08-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2011047600A1 (zh) | 僵尸网络检测方法、装置和系统 | |
US11075885B2 (en) | Methods and systems for API deception environment and API traffic control and security | |
US8490190B1 (en) | Use of interactive messaging channels to verify endpoints | |
Yan et al. | Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges | |
WO2010031288A1 (zh) | 一种僵尸网络的检测方法和系统 | |
Li et al. | Botnet: Survey and case study | |
CN102387135B (zh) | 一种基于用户身份过滤的方法以及防火墙 | |
US20090150972A1 (en) | Apparatus and method for managing p2p traffic | |
WO2017066359A1 (en) | Determining direction of network sessions | |
CN102035793B (zh) | 僵尸网络检测方法、装置以及网络安全防护设备 | |
KR101553264B1 (ko) | 네트워크 침입방지 시스템 및 방법 | |
CN104426837B (zh) | Ftp的应用层报文过滤方法及装置 | |
WO2012164336A1 (en) | Distribution and processing of cyber threat intelligence data in a communications network | |
Schoof et al. | Detecting peer-to-peer botnets | |
US10243983B2 (en) | System and method for using simulators in network security and useful in IoT security | |
CN111526061B (zh) | 网络靶场实战演练场景的监控流量调度系统与方法 | |
CN108810008B (zh) | 传输控制协议流量过滤方法、装置、服务器及存储介质 | |
US11223635B2 (en) | Inception of suspicious network traffic for enhanced network security | |
Shanthi et al. | Detection of botnet by analyzing network traffic flow characteristics using open source tools | |
US8161555B2 (en) | Progressive wiretap | |
Kang et al. | Cyber threats and defence approaches in SCADA systems | |
CN108881127A (zh) | 一种控制远程访问权限的方法及系统 | |
WO2011000297A1 (zh) | 一种检测僵尸网络的方法及其装置 | |
CN114390049A (zh) | 一种应用数据获取方法及装置 | |
CN110753014B (zh) | 基于流量转发的威胁感知方法、设备、装置及存储介质 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10824441 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 10824441 Country of ref document: EP Kind code of ref document: A1 |