CN107332832A - Distributed bot, trojan and worm detection method and device for the mobile Internet - Google Patents
- Publication number: CN107332832A (application CN201710473358.XA)
- Authority: CN (China)
- Prior art keywords: worm, address, detection, attack
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All entries fall under H (ELECTRICITY) → H04 (ELECTRIC COMMUNICATION TECHNIQUE) → H04L (TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION):
- H04L63/145: countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (H04L63/00 network security → H04L63/14 detecting or protecting against malicious traffic → H04L63/1441 countermeasures against malicious traffic)
- H04L63/123: applying verification of the received data contents, e.g. message integrity (H04L63/00 → H04L63/12 applying verification of the received information)
- H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic (H04L63/00 → H04L63/14)
- H04L63/1433: vulnerability analysis (H04L63/00 → H04L63/14)
- H04L63/1458: denial of service (H04L63/00 → H04L63/14 → H04L63/1441)
- H04L63/1483: countermeasures against service impersonation, e.g. phishing, pharming or web spoofing (H04L63/00 → H04L63/14 → H04L63/1441)
- H04L67/10: protocols in which an application is distributed across nodes in the network (H04L67/00 network arrangements or protocols for supporting network services or applications → H04L67/01 protocols)
Abstract
The invention discloses a distributed bot, trojan and worm detection method and device for the mobile Internet. In the method, a detection client and a detection cloud server cooperate to detect trojan, botnet and worm attacks accurately. The detection client searches deeply for trojans by checking file integrity, system and function calls, and network communication behaviour. The detection cloud server uses the network messages submitted by the client and the high-performance computing capability of the cloud to perform big-data processing, accurately detecting the DDoS attacks of botnet attacks and the advertisement and phishing mail in spam, and the vulnerability-exploiting worms of worm attacks and the worm mail and web-page worms among social-engineering worms. With the invention, trojans, botnet attacks and worm attacks in the mobile Internet can be detected quickly and accurately; the invention is characterised by speed and accuracy.
Description
Technical field
The present invention relates to the field of network security, and in particular to a distributed bot, trojan and worm detection method and device for the mobile Internet.
Background technology
With the rapid development of the mobile Internet, the openness of the Android platform, the explosive growth of apps and the convenience of downloading apps from app stores, the mobile terminal has quickly become the platform people use for network services: obtaining information, shopping, social networking and mobile gaming. At the same time, because the mobile terminal stores the user's private information, such as the contact list, location information and bank account information, profit-driven hackers increasingly target mobile terminal users and harm their interests.

The distributed bot, trojan and worm detection method and device for the mobile Internet of the present invention mainly involve the following techniques: file integrity detection, system and function call detection, communication behaviour detection, Bayesian filter detection, active scan detection, and detection based on the port the vulnerability resides on, the dispersion of traffic and behavioural characteristics.

Mobile Internet bot, trojan and worm detection technology has developed in two directions: keyword detection and traffic detection. The advantage of both is that the techniques are comparatively mature; their defects are a high false-positive rate, detection that is not accurately targeted at a particular attack class, no cooperation between the client and the cloud server, low performance, the need to sample network information, and a high false-negative rate. The present invention uses file integrity detection, system and function call detection, communication behaviour detection, Bayesian filter detection, active scan detection, and detection based on the port the vulnerability resides on, the dispersion of traffic and behavioural characteristics, overcoming the shortcomings of the methods in the two directions above, and can detect bots, trojans and worms quickly and accurately.
Summary of the invention
The purpose of the invention is to overcome the shortcomings of the prior art by providing a distributed bot, trojan and worm detection method and device for the mobile Internet, enabling trojan, botnet and worm attacks to be detected quickly and accurately, effectively ensuring the confidentiality and integrity of the information in the mobile terminal and the availability of the mobile Internet, and providing a safe, available mobile Internet environment for mobile terminal users.
The purpose of the present invention is achieved through the following technical solutions:
A distributed bot, trojan and worm detection method for the mobile Internet comprises the following steps:
A. Detect trojans in the mobile terminal by checking file integrity, system and function calls, and network communication behaviour;
B. The client cooperates with the cloud server to detect the DDoS attacks of botnet attacks and the advertisement and phishing mail in spam, based on the convergence of traffic (many sources towards one destination), a Bayesian filter, and active scanning of the URLs in mail;
C. The client cooperates with the cloud server to detect the vulnerability-exploiting worms of worm attacks and the worm mail and web-page worms among social-engineering worms, based on the port the vulnerability resides on and the dispersion of traffic (one source towards many destinations) and its behavioural characteristics.
Preferably, step A includes:
A1. Retrieve the executable and library files of the mobile terminal, compute their file hashes and compare them with the file hashes in the information base; if they differ, alert; otherwise continue;
A2. Detect the system call and callback function addresses of the mobile terminal and compare them with the corresponding addresses in the information base; if they differ, alert; otherwise continue;
A3. Capture browser URLs and the destination IP addresses of communication behaviour; if a destination IP address is not the IP address of the app's web service, of the OS update service, or of a browser URL, alert.
The information base contains, for each OS release, the names and file hashes of the executable and library files, the system call and callback function addresses, app names with their corresponding web service IP addresses, and OS names with their corresponding update IP addresses.
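As an added example (not the patent's own code), the client-side checks A1 and A3 run over constructed data: a known-good file set is hashed into a baseline, a tampered copy of the terminal is scanned, and each flow's destination is checked against the addresses the information base allows. A2 is left out, since matching system-call and callback addresses needs kernel access. The OS release, file names and contents, app names and the TEST-NET addresses are assumptions of the example. One caveat a practitioner should keep in mind: on a rooted terminal the checker itself is within the trojan's reach, so the comparison is only as trustworthy as the baseline and the code doing the hashing.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed "information base" for one hypothetical OS release. The patent's
# base holds, per OS release, executable/library names with their hashes, the
# system call and callback addresses, and the web-service / OS-update IP
# addresses an app may contact. Addresses below are TEST-NET ranges.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


KNOWN_GOOD_FILES: Dict[str, bytes] = {  # name -> known-good contents (constructed)
    "/system/bin/app_process64": b"\x7fELF known-good app_process64 image",
    "/system/lib64/libc.so": b"\x7fELF known-good libc image",
}

INFO_BASE = {
    "os_release": "android-8.1 (hypothetical)",
    "file_hashes": {name: sha256_hex(body) for name, body in KNOWN_GOOD_FILES.items()},
    "app_web_ips": {"bankapp": {"203.0.113.10"}, "chatapp": {"203.0.113.20"}},
    "os_update_ips": {"198.51.100.5"},
}


def check_file_integrity(files: Dict[str, bytes], expected: Dict[str, str]) -> List[str]:
    """Step A1: hash every executable/library on the terminal and compare with the
    baseline. One alert per deviation; a file with no baseline entry is reported
    too, since an unbaselined binary cannot be vouched for."""
    alerts = []
    for name, body in files.items():
        if name not in expected:
            alerts.append(f"A1 unbaselined file: {name}")
        elif sha256_hex(body) != expected[name]:
            alerts.append(f"A1 hash mismatch: {name}")
    return alerts


def check_destinations(flows: Iterable[Tuple[str, str]],
                       browser_url_ips: Iterable[str],
                       base: dict) -> List[str]:
    """Step A3: a flow (app, destination IP) passes only if the destination is that
    app's own web service, the OS update service, or the address of a URL the
    browser visited. Matching per app is this example's stricter reading: bankapp
    talking to chatapp's server is still alerted."""
    shared = set(base["os_update_ips"]) | set(browser_url_ips)
    alerts = []
    for app, dst in flows:
        allowed = shared | set(base["app_web_ips"].get(app, ()))
        if dst not in allowed:
            alerts.append(f"A3 unexpected destination {dst} from {app}")
    return alerts


def scan_terminal(files: Dict[str, bytes], flows, browser_url_ips, base=INFO_BASE) -> List[str]:
    """Client-side pass over step A (A2 is not modelled here)."""
    return (check_file_integrity(files, base["file_hashes"])
            + check_destinations(flows, browser_url_ips, base))


if __name__ == "__main__":
    tampered = dict(KNOWN_GOOD_FILES)
    tampered["/system/lib64/libc.so"] = b"\x7fELF libc with an injected hook"
    tampered["/data/local/tmp/dropper"] = b"\x7fELF unknown binary"
    flows = [("bankapp", "203.0.113.10"), ("bankapp", "192.0.2.99"), ("chatapp", "198.51.100.5")]
    for alert in scan_terminal(tampered, flows, ["203.0.113.50"]):
        print(alert)
```

The baseline is keyed by OS release because the same library legitimately differs between builds; a single global hash list would alert on every update.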
Preferably, step B includes:
B1. The detection client sends the local IP address, the source and destination IP addresses, port numbers, flags and packet lengths of the traffic, and the keywords and URLs of the mail content to the detection cloud server;
B2. For the same source and destination IP addresses and port numbers, check whether the TCP three-way handshake completes and whether UDP and ICMP requests and responses correspond; if incomplete or not corresponding, then …;
B3. Check whether the local IP address and the source IP address are the same; if they differ, then …;
B4. Check whether the number of source addresses for the same destination address and port within a period of 1 second exceeds 500; if so, alert a DDoS attack;
B5. Count the frequency with which each keyword sent by the detection client occurs in normal mail and in spam respectively, and apply a Bayesian filter: P = P_1 P_2 … P_n / (P_1 P_2 … P_n + (1 − P_1)(1 − P_2) … (1 − P_n)), where P_n = P(S|W_n); P is the joint probability that a mail is spam, P_n is the conditional probability that the mail is spam given that the word W_n occurs, and the result is the probability that the mail is spam;
B6. Judge whether the spam probability exceeds 99%; if so, alert advertisement mail;
B7. Actively fetch and analyse the pages of the URLs in the mail and determine whether they contain a form password field; if so, alert phishing mail.
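The following added example (not from the patent) implements B5 to B7 over a constructed training corpus and constructed pages, and also the C6 check, because B7 and C6 both inspect a page referenced from mail. The per-word probabilities P(S|W_n) are estimated from per-class document frequencies with Laplace smoothing (an assumption of this example, so an unseen word scores 0.5), combined with the formula in B5 in log space, and compared with the 99% threshold of B6; an HTML parser then flags a password input inside a form (B7) and eval( inside an inline script (C6). Fetching the URL, the active-scan part of B7, is not shown. The corpus, the pages and all names are made up for the example.

```python
import math
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, Iterable, List


# ---- B5 / B6: Bayesian spam probability ----------------------------------

def train(ham: Iterable[List[str]], spam: Iterable[List[str]]) -> dict:
    """B5: count, per keyword, how many normal and how many spam mails contain it."""
    ham, spam = list(ham), list(spam)
    return {
        "ham_df": Counter(w for m in ham for w in set(m)),
        "spam_df": Counter(w for m in spam for w in set(m)),
        "n_ham": len(ham),
        "n_spam": len(spam),
    }


def p_spam_given_word(word: str, model: dict) -> float:
    """P(S|W_n): share of the word's smoothed per-class rate that falls on spam.
    The +1/+2 Laplace smoothing is this example's addition; without it an unseen
    word divides by zero."""
    r_spam = (model["spam_df"][word] + 1) / (model["n_spam"] + 2)
    r_ham = (model["ham_df"][word] + 1) / (model["n_ham"] + 2)
    return r_spam / (r_spam + r_ham)


def spam_probability(words: Iterable[str], model: dict) -> float:
    """Patent formula P = prod(P_i) / (prod(P_i) + prod(1 - P_i)), evaluated in
    log space so a long mail does not underflow both products to zero."""
    ps = [p_spam_given_word(w, model) for w in sorted(set(words))]
    if not ps:
        return 0.5
    log_spam = sum(math.log(p) for p in ps)
    log_ham = sum(math.log1p(-p) for p in ps)
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def is_advertisement(words: Iterable[str], model: dict, threshold: float = 0.99) -> bool:
    """B6: alert advertisement mail when the spam probability exceeds 99%."""
    return spam_probability(words, model) > threshold


# ---- B7 / C6: scanning a page fetched from a URL found in the mail --------

class MailPageScanner(HTMLParser):
    """Flags a password input inside a <form> (phishing, B7) and eval( inside an
    inline <script> (web-page worm, C6). The page body is passed in as text."""

    def __init__(self) -> None:
        super().__init__()
        self.form_depth = 0
        self.in_script = False
        self.password_in_form = False
        self.uses_eval = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_depth += 1
        elif tag == "script":
            self.in_script = True
        elif tag == "input" and self.form_depth and (a.get("type") or "").lower() == "password":
            self.password_in_form = True

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and re.search(r"\beval\s*\(", data):
            self.uses_eval = True


def scan_page(html: str) -> Dict[str, bool]:
    scanner = MailPageScanner()
    scanner.feed(html)
    scanner.close()
    return {"phishing_form": scanner.password_in_form, "js_eval": scanner.uses_eval}


# Constructed corpus and pages (not real mail).
HAM = [["meeting", "tomorrow", "report"], ["lunch", "tomorrow"], ["report", "budget", "review"]]
SPAM = [["free", "prize", "click"], ["free", "discount", "click"], ["prize", "winner", "click"]]
MODEL = train(HAM, SPAM)
PHISH_HTML = ('<html><body><form action="/login" method="post"><input name="user">'
              '<input type="password" name="pass"><button>Sign in</button></form></body></html>')
WORM_HTML = ("<html><body><script>var p = 'ZXZhbA=='; eval(atob(p));</script>"
             "<p>photo</p></body></html>")

if __name__ == "__main__":
    print(round(spam_probability(["free", "prize", "click", "winner", "discount"], MODEL), 4))
    print(scan_page(PHISH_HTML), scan_page(WORM_HTML))
```

Two practical notes. The combined formula treats the words as independent and the two classes as equally likely, so a single word with an extreme P_i can dominate; the smoothing keeps every P_i strictly between 0 and 1. And a password field in a form is exactly what every legitimate login page contains, so on its own B7 flags any mail that links to a sign-in page; in practice it is paired with a check of where the form posts.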
Preferably, step C includes:
C1. The detection client sends the source and destination IP addresses and the source and destination ports of file-sharing, web, database and mail traffic, and of traffic containing JavaScript eval, to the detection cloud server;
C2. For the same destination port and source address of the file-sharing service, if the number of destination addresses per minute exceeds 30, alert a file-sharing vulnerability-exploiting worm;
C3. For the same destination port and source address of the web service, if the number of destination addresses per minute exceeds 30, alert a web vulnerability-exploiting worm;
C4. For the same destination port and source address of the database service, if the number of destination addresses per minute exceeds 30, alert a database vulnerability-exploiting worm;
C5. For the same destination port and source address of the mail service, if the number of destination addresses per minute exceeds 30, alert worm mail;
C6. If a web page in the mail contains JavaScript eval, alert a web-page worm.
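The fan-in test of B4 and the fan-out tests of C2 to C5 are one computation with the key and the counted field swapped: collect the distinct values per key inside a time window and compare the count with a threshold. The added example below (not from the patent) implements both over constructed flow records in the shape the client submits in B1 and C1; tumbling windows keyed by floor(ts / window) are this example's reading of "within 1 second" and "per minute", and the service labels are assumed names.

```python
from collections import defaultdict
from typing import Dict, Hashable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: float      # seconds (constructed timestamps below)
    src: str
    dst: str
    dport: int
    service: str   # service class reported by the client in C1 (assumed labels)


def distinct_per_window(flows, key_fn, value_fn, window_s) -> Dict[Tuple[int, Hashable], Set[str]]:
    """Bucket flows into tumbling windows of window_s seconds and collect, per
    (window, key), the distinct value_fn(flow) values seen."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(int(f.ts // window_s), key_fn(f))].add(value_fn(f))
    return buckets


def detect_ddos(flows: List[Flow], threshold: int = 500) -> List[str]:
    """B4: more than `threshold` distinct source addresses hitting the same
    destination address and port within one second (traffic converging)."""
    buckets = distinct_per_window(flows, lambda f: (f.dst, f.dport), lambda f: f.src, 1)
    return [f"DDoS: {dst}:{dport} saw {len(srcs)} sources in second {w}"
            for (w, (dst, dport)), srcs in sorted(buckets.items()) if len(srcs) > threshold]


WORM_LABEL = {
    "file-sharing": "file-sharing vulnerability-exploiting worm",   # C2
    "web": "web vulnerability-exploiting worm",                     # C3
    "db": "database vulnerability-exploiting worm",                 # C4
    "mail": "worm mail",                                            # C5
}


def detect_worms(flows: List[Flow], threshold: int = 30) -> List[str]:
    """C2-C5: one source reaching more than `threshold` distinct destinations on
    the same service port within a minute (traffic dispersing)."""
    buckets = distinct_per_window(flows, lambda f: (f.src, f.dport, f.service), lambda f: f.dst, 60)
    return [f"{WORM_LABEL[svc]}: {src} -> {len(dsts)} hosts on port {dport} in minute {w}"
            for (w, (src, dport, svc)), dsts in sorted(buckets.items())
            if svc in WORM_LABEL and len(dsts) > threshold]


def constructed_flows() -> List[Flow]:
    """Sample input made up for the example: a 600-source flood of one web server,
    a 40-host sweep of TCP/445 by one source, and a benign host mailing five servers."""
    flows = []
    for i in range(600):
        flows.append(Flow(1000.0 + i / 1000, f"10.{i // 256}.{i % 256}.7", "203.0.113.10", 443, "web"))
    for i in range(40):
        flows.append(Flow(2000.0 + i, "192.0.2.5", f"192.0.2.{100 + i}", 445, "file-sharing"))
    for i in range(5):
        flows.append(Flow(3000.0 + i, "192.0.2.9", f"198.51.100.{i}", 25, "mail"))
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    for alert in detect_ddos(sample) + detect_worms(sample):
        print(alert)
```

Tumbling windows can split a burst that straddles a boundary into two sub-threshold halves; a sliding window over the last second or minute catches that at the cost of more state. The fixed thresholds also need tuning per deployment: many users behind one NAT look like a single fanning-out source, and an app backed by a CDN legitimately contacts many web addresses per minute.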
A distributed bot, trojan and worm detection device for the mobile Internet includes:
a detection client, which mainly performs trojan detection on the mobile terminal and collects and submits communication behaviour, including detection based on file integrity, on system and function calls, and on network communication behaviour;
a detection cloud server, which mainly detects botnet and worm attacks, including the DDoS attacks of botnet attacks and the advertisement and phishing mail in spam, and the vulnerability-exploiting worms of worm attacks and the worm mail and web-page worms among social-engineering worms;
an information base containing, for each OS release, the names and file hashes of the executable and library files, the system call and callback function addresses, app names with their corresponding web service IP addresses, and OS names with their corresponding update IP addresses.
The detection client performs trojan detection on the mobile terminal and collects and submits network communication behaviour; the detection cloud server uses the information submitted by the client and the information in the information base to detect botnet and worm attacks.
It can be seen from the technical scheme provided above that the present invention overcomes the shortcomings of the prior art and provides a distributed bot, trojan and worm detection method and device for the mobile Internet, enabling trojan, botnet and worm attacks to be detected quickly and accurately, effectively ensuring the confidentiality and integrity of the information in the mobile terminal and the availability of the mobile Internet, and providing a safe, available mobile Internet environment for mobile terminal users.
Brief description of the drawings
Fig. 1 is a networking schematic diagram of the distributed bot, trojan and worm detection device for the mobile Internet;
Fig. 2 is a system structure diagram of the method of the invention;
Fig. 3 is the main flow chart of the method of the invention;
Fig. 4 is the flow chart of trojan detection in the method of the invention;
Fig. 5 is the flow chart of botnet detection in the method of the invention;
Fig. 6 is the flow chart of worm attack detection in the method of the invention.
Claims (7)
1. A distributed bot, trojan and worm detection method for the mobile Internet, characterised in that it comprises the following steps:
A. detecting trojans in the mobile terminal by checking file integrity, system and function calls, and network communication behaviour;
B. the client cooperating with the cloud server to detect the DDoS attacks of botnet attacks and the advertisement and phishing mail in spam, based on the convergence of traffic, a Bayesian filter, and active scanning of the URLs in mail;
C. the client cooperating with the cloud server to detect the vulnerability-exploiting worms of worm attacks and the worm mail and web-page worms among social-engineering worms, based on the port the vulnerability resides on and the dispersion and behavioural characteristics of traffic.
2. The distributed bot, trojan and worm detection method and device for the mobile Internet according to claim 1, characterised in that step A comprises:
A1. retrieving the executable and library files of the mobile terminal, computing their file hashes and comparing them with the file hashes in the information base; if they differ, alerting; otherwise continuing;
A2. detecting the system call and callback function addresses of the mobile terminal and comparing them with the corresponding addresses in the information base; if they differ, alerting; otherwise continuing;
A3. capturing browser URLs and the destination IP addresses of communication behaviour; if a destination IP address is not the IP address of the app's web service, of the OS update service, or of a browser URL, alerting.
3. The information base contains, for each OS release, the names and file hashes of the executable and library files, the system call and callback function addresses, app names with their corresponding web service IP addresses, and OS names with their corresponding update IP addresses.
4. The distributed bot, trojan and worm detection method for the mobile Internet according to claim 1, characterised in that step B comprises:
B1. the detection client sending the local IP address, the source and destination IP addresses, port numbers, flags and packet lengths of the traffic, and the keywords and URLs of the mail content to the detection cloud server;
B2. for the same source and destination IP addresses and port numbers, checking whether the TCP three-way handshake completes and whether UDP and ICMP requests and responses correspond; if incomplete or not corresponding, then …;
B3. checking whether the local IP address and the source IP address are the same; if they differ, then …;
B4. checking whether the number of source addresses for the same destination address and port within a period of 1 second exceeds 500; if so, alerting a DDoS attack;
B5. counting the frequency with which each keyword sent by the detection client occurs in normal mail and in spam respectively, and applying a Bayesian filter: P = P_1 P_2 … P_n / (P_1 P_2 … P_n + (1 − P_1)(1 − P_2) … (1 − P_n)), where P_n = P(S|W_n); P is the joint probability that a mail is spam, P_n is the conditional probability that the mail is spam given that the word W_n occurs, and the result is the probability that the mail is spam;
B6. judging whether the spam probability exceeds 99%; if so, alerting advertisement mail;
B7. actively fetching and analysing the pages of the URLs in the mail and determining whether they contain a form password field; if so, alerting phishing mail.
5. The distributed bot, trojan and worm detection method for the mobile Internet according to claim 1, characterised in that step C comprises:
C1. the detection client sending the source and destination IP addresses and the source and destination ports of file-sharing, web, database and mail traffic, and of traffic containing JavaScript eval, to the detection cloud server;
C2. for the same destination port and source address of the file-sharing service, if the number of destination addresses per minute exceeds 30, alerting a file-sharing vulnerability-exploiting worm;
C3. for the same destination port and source address of the web service, if the number of destination addresses per minute exceeds 30, alerting a web vulnerability-exploiting worm;
C4. for the same destination port and source address of the database service, if the number of destination addresses per minute exceeds 30, alerting a database vulnerability-exploiting worm;
C5. for the same destination port and source address of the mail service, if the number of destination addresses per minute exceeds 30, alerting worm mail;
C6. if a web page in the mail contains JavaScript eval, alerting a web-page worm.
6. A distributed bot, trojan and worm detection device for the mobile Internet, characterised in that it comprises:
a detection client, which mainly performs trojan detection on the mobile terminal and collects and submits communication behaviour, including detection based on file integrity, on system and function calls, and on network communication behaviour;
a detection cloud server, which mainly detects botnet and worm attacks, including the DDoS attacks of botnet attacks and the advertisement and phishing mail in spam, and the vulnerability-exploiting worms of worm attacks and the worm mail and web-page worms among social-engineering worms;
an information base containing, for each OS release, the names and file hashes of the executable and library files, the system call and callback function addresses, app names with their corresponding web service IP addresses, and OS names with their corresponding update IP addresses.
7. The detection client performs trojan detection on the mobile terminal and collects and submits network communication behaviour; the detection cloud server uses the information submitted by the client and the information in the information base to detect botnet and worm attacks.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710473358.XA CN107332832A (en) | 2017-06-21 | 2017-06-21 | Distributed bot, trojan and worm detection method and device for the mobile Internet |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107332832A true CN107332832A (en) | 2017-11-07 |
Family
ID=60195045
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107332832A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1697404A (en) * | 2005-06-10 | 2005-11-16 | 广东省电信有限公司研究院 | System and method for detecting network worm in interactive mode |
CN101799855A (en) * | 2010-03-12 | 2010-08-11 | 北京大学 | Simulated webpage Trojan detecting method based on ActiveX component |
Non-Patent Citations (5)
Title |
---|
张璐 (Zhang Lu): "Text advertisement mail filtering based on an improved Bayesian algorithm", Network Security Technology & Application * |
李秀婷 (Li Xiuting): "A detection method for DDoS attacks", Science & Technology Vision * |
杨明 (Yang Ming): "Design and implementation of a phishing mail analysis system", Journal of People's Public Security University of China (Natural Science Edition) * |
梁晓 (Liang Xiao): "Covert trojan program detection method based on system call hooking", Computer Engineering * |
顺巧云 (Shun Qiaoyun): "Design and implementation of a Windows-based file integrity detection system", Computer Engineering * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108512896A (en) * | 2018-02-06 | 2018-09-07 | 北京东方棱镜科技有限公司 | Mobile Internet security postures cognition technology based on big data and device |
CN109934014A (en) * | 2019-02-15 | 2019-06-25 | 福建天泉教育科技有限公司 | A kind of method and terminal detecting resource file correctness |
CN109934014B (en) * | 2019-02-15 | 2021-06-25 | 福建天泉教育科技有限公司 | Method and terminal for detecting correctness of resource file |
CN112788039A (en) * | 2021-01-15 | 2021-05-11 | 合肥浩瀚深度信息技术有限公司 | DDoS attack identification method, device and storage medium |
CN115361182A (en) * | 2022-08-08 | 2022-11-18 | 北京永信至诚科技股份有限公司 | Botnet behavior analysis method and device, electronic equipment and medium |
CN115361182B (en) * | 2022-08-08 | 2024-02-09 | 永信至诚科技集团股份有限公司 | Botnet behavior analysis method, device, electronic equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20171107