CN105117647A - Trojan behavior recovery method - Google Patents
- Publication number: CN105117647A (application CN201510504639.8A)
- Authority: CN (China)
- Prior art keywords: data, Trojan, detection system, behavior
- Legal status: Pending (an assumption by Google, not a legal conclusion; Google has not performed a legal analysis)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The invention discloses a Trojan behavior recovery method. The method comprises the following steps: deploying in a network an intrusion detection system connected to the network's data exit and data entry; having the intrusion detection system filter the data sent from the data exit according to the network characteristics of the Trojan's file upload and download operations; copying the Trojan command and the file content from any data that carries those characteristics; and storing the Trojan command and the file content in the system's database. With this method, the operations the Trojan performed and the files those operations acted on can be conveniently recovered by reading the database. File theft carried out through a Trojan can thus be reliably intercepted in practice, and every detail obtained is recorded in full for staff to query and read at any time.
Description
Technical field
The present invention relates to the field of computer network security, and in particular to a method for recovering Trojan behavior.
Background technology
At present, many organizations analyze Trojans and recover their behavior, but the direction and depth of that work differ. From a technical standpoint, and in particular for Trojan detection within malicious traffic detection, existing Trojan analysis normally records only the behavior, the IP addresses of the two communicating parties, the time, and similar statistical information. Even for the two critical Trojan behaviors, uploading and downloading files, only the behavior itself is recorded; the specific files the behavior acted on are not recovered, so the harm caused by that behavior cannot be known.
Summary of the invention
The present invention aims to provide a Trojan behavior recovery method that recovers the specific file content targeted by upload and download behavior, so as to strengthen the monitoring of Trojan behavior through content analysis.
The Trojan behavior recovery method of the present invention comprises the following steps:
A. Obtain a Trojan sample, run the Trojan program in a sandbox, and obtain the network characteristics of the Trojan's file upload and download operations by monitoring its execution;
B. Deploy an intrusion detection system in the network, connected to the data entry and exit so that it can receive the data they send;
C. Install a filter at the data entry and exit; this filter screens data by destination IP address and forwards the data whose destination IP address falls within the monitoring range to the intrusion detection system;
D. Install a filter in the intrusion detection system as well; this filter filters the data sent by the data entry and exit a second time, using the network characteristics of the Trojan's file upload and download operations as its filter parameters, so that data containing those characteristics is filtered out; the Trojan commands and the associated file content carried in that data are copied, and the copied commands and file content are stored in the intrusion detection system's database.
In the Trojan behavior recovery method of the present invention, the data entry and exit filter by IP address and the intrusion detection system filters by the specific upload and download behavior. Through this cascaded filtering, the intrusion detection system can monitor the file upload and download behavior of a specific Trojan at the data exit for specific destination IP addresses, and store both the upload and download commands the Trojan issues and the file content each command acts on in the database. By reading the database, the behavior the Trojan carried out, and the content of the specific files that behavior targeted, can be easily recovered. The described method can intercept file theft carried out through a Trojan in a targeted way, recording every detail of all such behavior so that staff can query and consult it at any time and understand the extent of the harm. Based on that harm, a blocking device can also be set up to prevent the harm in time.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of the system used to obtain the network characteristics of the Trojan's file upload and download operations.
Embodiment
A Trojan behavior recovery method: first, determine the target Trojan to be monitored; then run the Trojan in a sandbox and obtain the network characteristics it exhibits when uploading and downloading files. The specific procedure for obtaining these characteristics is as follows: install the Trojan's controlled end and controlling end in two separate virtual machines, as in Fig. 1, and observe and analyze a running instance; analyze its local behavior with registry and file monitoring tools (such as FileMon and RegMon); record and analyze the network data with tools such as Wireshark; then use IDA to analyze the Trojan's implementation at the assembly level, and OD (OllyDbg) for dynamic debugging, to obtain its final run-time behavior. This initial analysis reveals how the Trojan sends data and the complete protocol it uses for sending and receiving, from which the network characteristics of the target Trojan's upload and download file operations are determined. Next, deploy an intrusion detection system in the network to be monitored, connected to the network's data exit and data entry (hereinafter the data entry and exit) so that it can receive the data they send. After the destination IP addresses to be monitored are determined, the data exit filters data by those destination IP addresses and forwards the data whose destination IP address falls within the monitoring range to the intrusion detection system. The intrusion detection system then filters the data sent by the data exit again with its own filter, using the determined network characteristics of the Trojan's upload and download file operations as the filter parameters: data containing these characteristics is filtered out, the Trojan commands and corresponding file content it carries are copied, and the commands and file content are stored in the system database. By reading the corresponding data from the database, the operations the Trojan performed and the specific file content each operation acted on can be understood, thereby monitoring the Trojan's behavior. Every detail of the behavior carried out through the Trojan is recorded, and staff can query and consult it at any time to understand the extent of the harm. By additionally setting up a blocking device, the harm can also be prevented in time.
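The cascaded filtering of steps C and D above, and the database read-back the embodiment describes, as an added example that is not part of the patent or of any product it describes. The Trojan's "network characteristic" is assumed here to be a simple hypothetical framing (an upload frame `UPLD <name> <length>\n<bytes>`, a download request `DNLD <name>\n`) standing in for whatever signature the sandbox analysis of step A actually produced; the packet records, the monitored destination IP address and the table layout are likewise constructed for illustration.

```python
import re
import sqlite3
from dataclasses import dataclass


@dataclass
class Packet:
    """One egress TCP payload seen at the data exit (constructed record, not a real capture)."""
    src: str
    dst: str
    payload: bytes


# Hypothetical Trojan network characteristic, standing in for the signature
# derived in step A (sandbox run + Wireshark/IDA/OllyDbg analysis).
UPLOAD_RE = re.compile(rb"^UPLD (?P<name>[^\s]+) (?P<len>\d+)\n")
DOWNLOAD_RE = re.compile(rb"^DNLD (?P<name>[^\s]+)\n")

# Destination IP addresses within the monitoring range (step C); assumed value.
MONITORED_DST = {"203.0.113.10"}


def egress_filter(packets, monitored=MONITORED_DST):
    """Step C: the data-exit filter forwards only traffic to monitored destination IPs."""
    return [p for p in packets if p.dst in monitored]


def ids_filter(packet):
    """Step D: match the Trojan upload/download characteristic.

    Returns (command, filename, content) or None when the payload does not match.
    A frame whose declared length exceeds the bytes present is rejected rather than
    recorded as a complete file, so the database never claims content it did not see.
    """
    m = UPLOAD_RE.match(packet.payload)
    if m:
        n = int(m.group("len"))
        body = packet.payload[m.end():m.end() + n]
        if len(body) != n:
            return None
        return ("upload", m.group("name").decode(), body)
    m = DOWNLOAD_RE.match(packet.payload)
    if m:
        return ("download", m.group("name").decode(), b"")
    return None


def init_db(conn):
    """Database of the intrusion detection system: one row per recovered Trojan operation."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS trojan_ops ("
        "id INTEGER PRIMARY KEY, src TEXT, dst TEXT, "
        "command TEXT, filename TEXT, content BLOB)"
    )


def record(conn, packets):
    """Run the cascaded filters and store each recovered command with its file content."""
    stored = 0
    for p in egress_filter(packets):
        hit = ids_filter(p)
        if hit is None:
            continue
        cmd, name, content = hit
        conn.execute(
            "INSERT INTO trojan_ops (src, dst, command, filename, content) VALUES (?, ?, ?, ?, ?)",
            (p.src, p.dst, cmd, name, content),
        )
        stored += 1
    conn.commit()
    return stored


def recover(conn):
    """Read the database back: what the Trojan did, and on which file content."""
    rows = conn.execute("SELECT command, filename, content FROM trojan_ops ORDER BY id")
    return [tuple(r) for r in rows]


# Constructed sample traffic: one real upload, one upload to an unmonitored host,
# ordinary HTTP noise, a download request, and a truncated upload frame.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", b"UPLD secret.docx 11\nhello world"),
    Packet("10.0.0.5", "198.51.100.7", b"UPLD other.txt 3\nabc"),
    Packet("10.0.0.5", "203.0.113.10", b"GET / HTTP/1.1\r\n"),
    Packet("10.0.0.5", "203.0.113.10", b"DNLD payload.bin\n"),
    Packet("10.0.0.5", "203.0.113.10", b"UPLD cut.txt 10\nabc"),
]


def demo():
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    record(conn, SAMPLE)
    return recover(conn)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The two filters are deliberately kept separate: the destination-IP filter is cheap and runs at the data exit on every packet, while the signature match and the copy of file content run only on the reduced stream inside the intrusion detection system, which is the cascade the summary describes. Real Trojan protocols usually split a file across many segments, so a production filter would reassemble the TCP stream before matching rather than inspect single payloads as this example does.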
Claims (1)
1. A Trojan behavior recovery method, characterized in that it comprises the following steps:
A. Obtain a Trojan sample, run the Trojan program in a sandbox, and obtain the network characteristics of the Trojan's file upload and download operations by monitoring its execution;
B. Deploy an intrusion detection system in the network, connected to the data entry and exit so that it can receive the data they send;
C. Install a filter at the data entry and exit; this filter screens data by destination IP address and forwards the data whose destination IP address falls within the monitoring range to the intrusion detection system;
D. Install a filter in the intrusion detection system as well; this filter filters the data sent by the data entry and exit a second time, using the network characteristics of the Trojan's file upload and download operations as its filter parameters, so that data containing those characteristics is filtered out; the Trojan commands and the associated file content carried in that data are copied, and the copied commands and file content are stored in the intrusion detection system's database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510504639.8A CN105117647A (en) | 2015-08-18 | 2015-08-18 | Trojan behavior recovery method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105117647A true CN105117647A (en) | 2015-12-02 |
Family
ID=54665632
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105117647A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101052046A (en) * | 2007-05-22 | 2007-10-10 | 网御神州科技(北京)有限公司 | Anti-virus method and device for fire-proof wall |
CN101605074A (en) * | 2009-07-06 | 2009-12-16 | 中国人民解放军信息技术安全研究中心 | The method and system of communication behavioural characteristic monitoring wooden horse Network Based |
US20110083176A1 (en) * | 2009-10-01 | 2011-04-07 | Kaspersky Lab, Zao | Asynchronous processing of events for malware detection |
CN102045220A (en) * | 2010-12-09 | 2011-05-04 | 国都兴业信息审计***技术(北京)有限公司 | Wooden horse monitoring and auditing method and system thereof |
CN103139169A (en) * | 2011-11-30 | 2013-06-05 | 西门子公司 | Virus detection system and method based on network behavior |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20151202 |