CN106911662B - System and method for high-interaction to low-interaction conversion of malicious sample culture - Google Patents
System and method for high-interaction to low-interaction conversion of malicious sample culture Download PDFInfo
- Publication number
- CN106911662B CN106911662B CN201610889558.9A CN201610889558A CN106911662B CN 106911662 B CN106911662 B CN 106911662B CN 201610889558 A CN201610889558 A CN 201610889558A CN 106911662 B CN106911662 B CN 106911662B
- Authority
- CN
- China
- Prior art keywords
- data
- packet
- malicious
- network
- interaction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a system for high-interaction conversion and low-interaction of malicious sample culture, which comprises: the high interaction module is used for acquiring first packet data of network communication of malicious behaviors based on at least twice re-running of the malicious behaviors in the running environment, wherein the first packet data which is kept unchanged in running is simulated replay data; and the low interaction module is used for sending the first packet of data to the malicious behaviors in the same family based on the simulated replay data, and monitoring and acquiring network information of malicious behavior communication. The invention solves the technical problems that in the prior art, the network information of the sample is obtained in a high-interaction mode, the efficiency of monitoring commands and controlling a server or attacking behaviors is low, and the effect can be achieved only by consuming a large amount of network and entity resources to realize the operation environment.
Description
Technical Field
The invention relates to the technical field of computer security, in particular to a system and a method for high-interaction conversion and low-interaction of a malicious sample breeding honey net.
Background
In the prior art, the breeding honey net technology can be divided into two types according to the interaction degree of the breeding honey net data: low-interaction breeding honey nets and high-interaction breeding honey nets. The low-interaction breeding honey net adopts a simulation technology, has no real operating system and service, has low interaction degree, and can only simulate the response behavior of the operating system and the application program according to the known loopholes; the high-interaction breeding honey net runs on a real operating system, a real application program is deployed, a real service environment can be constructed, and richer attack data can be captured.
At present, researchers are required to breed a large number of malicious samples in a sandbox to monitor commands and control servers or attack behaviors by acquiring network information of the samples, and the mode is called a high-interaction breeding method. The high interaction mode is low in realization efficiency and high in risk, a large number of network and entity resources are consumed to realize the operation environment, the effect can be achieved, and the long-term high-concurrency realization cost is high.
Disclosure of Invention
In order to solve the technical problem, the invention provides a system and a method for high-interaction to low-interaction malicious sample culture.
According to a first aspect of the invention, a system for high-interaction to low-interaction transformation of malicious sample culture is provided. The system comprises: the high interaction module is used for acquiring first packet data of network communication of malicious behaviors based on at least twice re-running of the malicious behaviors in the running environment, wherein the first packet data which is kept unchanged in running is simulated replay data; the low interaction module is used for sending the first packet of data to the malicious behaviors in the same family based on the simulated replay data, and monitoring and acquiring network information of malicious behavior communication; the first packet data comprises a data packet with communication content after three handshakes with the server for the first time in the process of re-operation, and the first packet data is automatically sent by an instruction built in the malicious behavior.
In some embodiments, the high interaction module comprises: the acquisition submodule is used for acquiring the first packet of data of the malicious behavior which does not exceed the second re-operation in the operation environment and establishes communication with the server for the first time in network communication; and the comparison submodule is used for comparing the first packet of data which is not less than two times, and the record of the first packet of data which is kept unchanged is the simulation replay data.
In some embodiments, further comprising: and the operation module is used for simulating a network operation environment to operate malicious behaviors and cleaning the data of the simulated network operation environment before re-operating the malicious behaviors after acquiring the first packet of data each time.
In some embodiments, the obtaining submodule is configured to be deployed at a network interface, monitor data sent by a connection network, and obtain the first packet data.
According to a second aspect of the invention, a method for high-interaction and low-interaction transformation of malicious sample breeding is provided, and comprises the following steps: on the basis of at least two times of re-running malicious behaviors in the running environment, obtaining first packet data of network communication of the malicious behaviors, wherein the first packet data which is kept unchanged in running is simulated replay data; based on the simulated replay data, sending first packet data to the same family of malicious behaviors, and monitoring and acquiring network information of malicious behavior communication; the first packet data comprises a data packet with communication content after three handshakes with the server for the first time in the process of re-operation, and the first packet data is automatically sent by an instruction built in the malicious behavior.
In some embodiments, the obtaining of the first packet data of malicious behavior communication based on no less than twice re-running of malicious behaviors in the running environment, where the first packet data that remains unchanged during running is simulated replay data includes: acquiring first packet data of a malicious behavior which is not less than twice re-run in a running environment and establishes communication with a server for the first time in network communication; comparing the first packet of data which is not less than two times, and recording the first packet of data as analog replay data without change.
In some embodiments, further comprising: and operating the malicious behaviors in the simulated network operating environment, and cleaning the data in the simulated network operating environment before re-operating the malicious behaviors after acquiring the first packet of data each time.
In some embodiments, the first packet of data for establishing communication with the server for the first time in network communication by the malicious behavior that does not exceed the second time of rerun is acquired, and is used for being deployed at a network interface, monitoring data sent by a connection network, and acquiring the first packet of data.
By using the method and the system, the real malicious behavior first packet is obtained by utilizing the network monitoring of the sandbox, only the highly simulated malicious behavior first packet is sent by utilizing limited network and entity resources, the maximum concurrency capability is exerted, and the continuous and automatic monitoring of malicious behavior activities is realized according to the continuously operated automatic module. The method can meet the requirement of automatic and efficient monitoring of the malicious sample, realize efficient monitoring of the malicious sample by using limited network resources and other entity resources, and obtain the latest intelligence resources of the malicious sample.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram of an application scenario of a communication system 100 according to an embodiment of the present invention;
FIG. 2 is a block diagram of a system for high-interaction to low-interaction transformation for malicious sample culture according to an embodiment of the present invention;
FIG. 3 is a block diagram of a high interaction module of a system for transforming high interaction into low interaction for breeding malicious samples according to an embodiment of the present invention;
fig. 4 is a flowchart of a method for high-interaction to low-interaction transformation of malicious sample culture according to an embodiment of the present invention.
Detailed Description
In the following detailed description of the preferred embodiments of the present invention, reference is made to the accompanying drawings, in which details and functions that are not necessary for the invention are omitted so as not to obscure the understanding of the present invention. While exemplary embodiments are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a schematic diagram illustrating an application scenario of a communication system 100 according to the present invention. As shown in fig. 1, communication system 100 may include a production web server 110 and a command and control server 120. The production network server 110 may be connected to and communicate with the control server 120 through a communication network 130. The communication network 130 may be wired or wireless. Specifically, examples of communication network 130 may include (but are not limited to): a network of the wired cable or optical fiber type, or a WLAN ("wireless local area network", possibly of the WiFi or WiMAX type), or also a wireless short-range communication network of the bluetooth type.
The production network server 110 transmits a data packet to the command and control server 120 in a network environment, and receives a data packet transmitted from the command and control server 120 to perform network communication. Production network server 110 includes a high interaction sandbox 111 and a low interaction server 112, and low interaction server 112 may be operated by user A. According to the invention, the high-interaction sandbox 111 can breed and operate malicious code samples for multiple times, send and obtain real data packets to the command and control server 120, obtain multiple times of first packet data through a network interface deployed in the sandbox, find unchanged first packet data and send the unchanged first packet data to the low-interaction server 112, and monitor the first packet data to the command and control server 120 through the low-interaction server 112 in a simulated retransmission manner to obtain network information of the same family sample.
Fig. 2 is a block diagram illustrating a system for high-interaction to low-interaction transformation of malicious sample culture according to the present invention, as shown in fig. 2, the system includes: a high interaction module 210, a low interaction module 220, and a run module 230, wherein the run module 230 is optional.
The high interaction module 210 is configured to obtain first packet data of network communication of malicious behaviors based on at least two times of heavy operation of malicious behaviors in an operation environment, where the first packet data that remains unchanged during operation is simulated replay data;
based on the malicious code behavior sample, the sample is cultured in the sandbox operating environment, and the high interaction module 210 deployed in the network interface of the sandbox is used for acquiring and storing the network information related to the command and control first packet data. And then, a data cleaning link is carried out, secondary cultivation is carried out in a sandbox, the command and control first package data are obtained again, the first package data can also be cultivated and obtained for multiple times, and if the first package data of two times are not changed, the first package data are used as low-interaction simulation replay data.
The information of primary concern here is command and control first packet data, that is, the first packet after the high interaction module 210 in network communication of the sandbox performs three handshakes with the command and control server for the first time, and this first packet is the first data packet with communication content sent to the command and control server by the local high interaction module 210. Because the command and control server first packet is usually automatically sent by the instruction built in the sample, theoretically, the network information sent back by the command and control server can be really received as long as the condition of automatically sending the packet by the instruction in the sample is simulated. Furthermore, command and control behaviors can be carried out, and at the moment, harmful communication data (such as DDoS data) generated by high interaction can be subjected to harmless treatment, so that attack behaviors can be effectively prevented.
The purpose of running the malicious behavior sample for the first time is to screen the existing sample for the first time, screen out the sample capable of carrying out command and control communication, and record the first packet of data.
The high-interaction module 210 re-runs the malicious behavior for the second time, and sends and acquires real command and control first packet data to the command and control server through the high-interaction breeding sample. And comparing the command acquired twice with the control first packet data, if the information of the first packet data is not changed, determining that the command is effective and the control first packet data, and storing related network information.
Because it is necessary to ensure that the transmitted first packet data is true with respect to the command and control first packet, and it is ensured that the command and control server can correctly receive the first packet data, it is necessary to find out the changed and unchanged portions of the first packet data transmitted many times. Because the first packet of data issued by the instructions in the sample may depend on variables such as time, system configuration information, etc. And finding out a variable part and a non-variable part, and sending a more real command and control first packet to obtain real communication data so as to prevent the sent data from being incapable of command and control communication due to the setting of a command and control server. And carrying out secondary culture and running of the malicious behavior sample, and comparing the first packet of data to find a variable and invariable place in the first packet so as to obtain a reproducible real command and control the first packet of data as simulated replay data.
And the low interaction module 220 is configured to send first packet data to malicious acts in the same family based on the simulated replay data, and monitor and acquire network information of malicious act communication.
Based on the analog replay data obtained by the high interaction module 210, the low interaction module 220 simulates replay of command and control header packet data to the same family sample in the command and control server while receiving and listening to network communication data to obtain network information of the same family sample.
The main concern here is that the low interaction module 220 sends the command and control header packet to the command and control server to communicate with the command and control server, so that the network information of the command and control communication data can be obtained and processed and stored.
In some embodiments, the system further comprises:
the running module 230 is configured to simulate a network running environment to run a malicious behavior, and perform data cleaning on the simulated network running environment after the first packet of data is obtained each time and before the malicious behavior is rerun.
Fig. 3 is a block diagram illustrating a system high-interaction module for transforming high-interaction into low-interaction for breeding malicious samples according to the present invention, and as shown in fig. 3, the high-interaction module includes: a fetch submodule 212 and a compare submodule 214.
The obtaining sub-module 212 is configured to obtain first packet data of a malicious behavior that does not exceed the second re-operation in the operation environment, where the malicious behavior establishes communication with the server for the first time in the network communication. The server is a command and control server, and the obtaining submodule 212 may be configured to be deployed at a network interface of the high interaction sandbox 111, monitor data sent by a connection network, and obtain first packet data.
And the comparison submodule 214 is used for comparing the first packet of data which is not less than two times, and the record of the first packet of data which is kept unchanged is the analog replay data. The purpose of comparing the first packet data is to find the variable and invariable places in the first packet to obtain the real command capable of being replayed and control the first packet data as the simulated replay data.
Fig. 4 is a flowchart illustrating a method for transforming high interaction into low interaction in the breeding of malicious samples according to the present invention, and as shown in fig. 4, the method includes:
s410, running the malicious behavior for the first time in the running environment, and acquiring the first packet data 1 of the network communication established with the server for the first time in the network communication, wherein the server is a command and control server.
Based on the malicious code behavior sample, the sample is cultured in the sandbox operating environment, and the high interaction module 210 deployed in the network interface of the sandbox is used for acquiring and storing the network information related to the command and control first packet data.
And S420, after the first packet of data is obtained each time, cleaning the data of the simulation network operation environment before the malicious behavior is rerun.
And S430, re-running the malicious behaviors in the running environment for the second time, and acquiring the first packet data 2 of the network communication of the malicious behaviors.
And S440, comparing the secondary first packet of data, and recording the first packet of data as analog replay data without change.
The first packet of data issued by the instructions in the malicious behavior sample may depend on variables such as time, system configuration information, and the like. And finding out a variable part and a non-variable part, and sending a more real command and control first packet to obtain real communication data so as to prevent the sent data from being incapable of command and control communication due to the setting of a command and control server.
The first packet data comprises a data packet with communication content after three times of handshake with the server for the first time during the re-operation, and the data packet is automatically sent by an instruction built in the malicious behavior.
S450, based on the simulation replay data, sending first packet data to the malicious behaviors in the same family, and monitoring and acquiring network information of malicious behavior communication.
The invention obtains the real command and control first packet by utilizing the network monitoring of the sandbox, only sends the high-simulation command and control first packet by utilizing the limited network and entity resources, exerts the maximum concurrency capability and realizes the continuous and automatic monitoring command and control activities according to the continuously operated automatic module. The method can meet the requirement of automatic and efficient monitoring of the malicious sample, realize efficient monitoring of the malicious sample by using limited network resources and other entity resources, and obtain the latest intelligence resources of the malicious sample.
The invention has thus been described with reference to the preferred embodiments. It should be understood by those skilled in the art that various other changes, substitutions, and additions may be made without departing from the spirit and scope of the invention. The scope of the invention is therefore not limited to the particular embodiments described above, but rather should be determined by the claims that follow.
Claims (8)
1. A system for high-interaction to low-interaction malicious sample culture is characterized by comprising:
the high interaction module is used for acquiring first packet data of network communication of malicious behaviors based on at least twice re-running of the malicious behaviors in the running environment, wherein the first packet data which is kept unchanged in running is simulated replay data;
the low interaction module is used for sending the first packet of data to the malicious behaviors in the same family based on the simulated replay data, and monitoring and acquiring network information of malicious behavior communication;
the first packet data comprises a data packet with communication content after three handshakes with the server for the first time in the process of re-operation, and the first packet data is automatically sent by an instruction built in the malicious behavior.
2. The system of claim 1, wherein the high interaction module comprises:
the acquisition submodule is used for acquiring the first packet of data of the malicious behavior which does not exceed the second re-operation in the operation environment and establishes communication with the server for the first time in network communication;
and the comparison submodule is used for comparing the first packet of data which is not less than two times, and the record of the first packet of data which is kept unchanged is the simulation replay data.
3. The system of claim 1, further comprising:
and the operation module is used for simulating a network operation environment to operate malicious behaviors and cleaning the data of the simulated network operation environment before re-operating the malicious behaviors after acquiring the first packet of data each time.
4. The system according to claim 2, wherein the obtaining sub-module is configured to be deployed at a network interface, monitor data sent by a connection network, and obtain the first packet data.
5. A method for high-interaction to low-interaction conversion of malicious sample culture is characterized by comprising the following steps:
on the basis of at least two times of re-running malicious behaviors in the running environment, obtaining first packet data of network communication of the malicious behaviors, wherein the first packet data which is kept unchanged in running is simulated replay data;
based on the simulated replay data, sending first packet data to the same family of malicious behaviors, and monitoring and acquiring network information of malicious behavior communication;
the first packet data comprises a data packet with communication content after three handshakes with the server for the first time in the process of re-operation, and the first packet data is automatically sent by an instruction built in the malicious behavior.
6. The method according to claim 5, wherein the step of obtaining the first packet data of malicious behavior communication based on no less than twice rerunning of malicious behaviors in the running environment, wherein the first packet data which remains unchanged in running is simulated replay data, comprises the steps of:
acquiring first packet data of a malicious behavior which is not less than twice re-run in a running environment and establishes communication with a server for the first time in network communication;
comparing the first packet of data which is not less than two times, and recording the first packet of data as analog replay data without change.
7. The method of claim 5, further comprising:
and operating the malicious behaviors in the simulated network operating environment, and cleaning the data in the simulated network operating environment before re-operating the malicious behaviors after acquiring the first packet of data each time.
8. The method according to claim 6, wherein the first packet of data for acquiring the malicious behavior that is not less than twice rerun and establishes communication with the server for the first time in network communication is deployed at a network interface, and is used for monitoring data sent by a connection network to acquire the first packet of data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610889558.9A CN106911662B (en) | 2016-10-12 | 2016-10-12 | System and method for high-interaction to low-interaction conversion of malicious sample culture |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610889558.9A CN106911662B (en) | 2016-10-12 | 2016-10-12 | System and method for high-interaction to low-interaction conversion of malicious sample culture |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106911662A CN106911662A (en) | 2017-06-30 |
| CN106911662B true CN106911662B (en) | 2020-11-03 |
Family
ID=59207454
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610889558.9A Active CN106911662B (en) | 2016-10-12 | 2016-10-12 | System and method for high-interaction to low-interaction conversion of malicious sample culture |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106911662B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112261029B (en) * | 2020-10-16 | 2023-05-02 | 北京锐驰信安技术有限公司 | DDoS malicious code detection and tracing method based on cultivation |
| CN113190835A (en) * | 2021-02-04 | 2021-07-30 | 恒安嘉新(北京)科技股份公司 | Application program violation detection method, device, equipment and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101087196A (en) * | 2006-12-27 | 2007-12-12 | 北京大学 | Multi-layer honey network data transmission method and system |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060075099A1 (en) * | 2004-09-16 | 2006-04-06 | Pearson Malcolm E | Automatic elimination of viruses and spam |
| CN101582907B (en) * | 2009-06-24 | 2012-07-04 | 成都市华为赛门铁克科技有限公司 | Method for enhancing the trapping capability of honeynet and honeynet system |
| CN102035793B (en) * | 2009-09-28 | 2014-05-07 | 成都市华为赛门铁克科技有限公司 | Botnet detecting method, device and network security protective equipment |
| US20150047032A1 (en) * | 2013-08-07 | 2015-02-12 | Front Porch Communications, Inc. | System and method for computer security |
| CN103561004B (en) * | 2013-10-22 | 2016-10-12 | 西安交通大学 | Cooperating type Active Defending System Against based on honey net |
| CN105787370B (en) * | 2016-03-07 | 2018-08-10 | 四川驭奔科技有限公司 | A kind of Malware based on honey jar collects and analyzes method |
-
2016
- 2016-10-12 CN CN201610889558.9A patent/CN106911662B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101087196A (en) * | 2006-12-27 | 2007-12-12 | 北京大学 | Multi-layer honey network data transmission method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106911662A (en) | 2017-06-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102523103B (en) | Industrial monitoring network data collection node | |
| CN104424095A (en) | Automatic testing method and system of mobile terminal | |
| KR101173558B1 (en) | Method and apparatus for providing service reconstruction in home network environment | |
| WO2016165242A1 (en) | Method of adjusting number of nodes in system and device utilizing same | |
| CN103532795A (en) | Monitoring system and method for detecting availability of WEB business system | |
| CN105490876A (en) | Method for automatic testing of server performance through packet sending linkage and concurrent monitoring | |
| CN108298397A (en) | A kind of elevator maintenance monitoring method and supervising platform based on elevator Internet of Things | |
| CN114077742B (en) | Intelligent software vulnerability mining method and device | |
| CN106911662B (en) | System and method for high-interaction to low-interaction conversion of malicious sample culture | |
| CN106649342A (en) | Data processing method and apparatus in data acquisition platform | |
| CN110011875A (en) | Dial testing method, device, equipment and computer readable storage medium | |
| CN108052385A (en) | A kind of Container Management method, system, equipment and computer storage media | |
| CN103425486A (en) | Remote card content management method and system using synchronous server-side scripting | |
| CN109800081A (en) | A kind of management method and relevant device of big data task | |
| CN103580951B (en) | Output comparative approach, test migration householder method and the system of multiple information systems | |
| CN105827682A (en) | Data uploading and downloading methods and devices thereof | |
| CN113364820A (en) | Equipment control method and device of Internet of things service system | |
| Santi et al. | Automated and reproducible application traces generation for IoT applications | |
| US9189370B2 (en) | Smart terminal fuzzing apparatus and method using multi-node structure | |
| CN102571412B (en) | Target machine server of embedded distributed system | |
| CN111581107B (en) | FTP program fatigue test method and system | |
| KR100929235B1 (en) | Dynamic Reconfiguration Method of Wireless Sensor Network and Its System | |
| CN109218064A (en) | network management system and management method | |
| CN107465569A (en) | A kind of SAS Switch whole machine cabinets crawl node phy error count method and system | |
| CN106850806A (en) | The method for interchanging data and device of intelligent building and energy efficiency monitoring system based on Internet of Things |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No. Patentee after: Shenzhen Antan Network Security Technology Co.,Ltd. Address before: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No. Patentee before: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd. |
|
| CP01 | Change in the name or title of a patent holder |