CN107332832A - Mobile Internet distribution corpse wooden horse Worm detection method and device - Google Patents

Info

Publication number
CN107332832A
Authority
CN
China
Prior art keywords
worm
address
detection
mail
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710473358.XA
Other languages
Chinese (zh)
Inventor
何中旭
何中天
何华
张洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Eastern Prism Technology Corp Ltd
Original Assignee
Beijing Eastern Prism Technology Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Eastern Prism Technology Corp Ltd
Priority to CN201710473358.XA
Publication of CN107332832A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received data contents, e.g. message integrity
    • H04L63/14 Detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service
    • H04L63/1483 Countermeasures against service impersonation, e.g. phishing, pharming or web spoofing
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a distributed bot, Trojan and worm detection method and device for the mobile Internet. The method comprises: a detection client cooperating with a detection cloud server so that Trojan, botnet and worm attacks are detected accurately. The detection client searches deeply for Trojans by checking file integrity, system and function calls, and network communication behaviour. The detection cloud server uses the network messages submitted by the client and the high-performance computing capability of the cloud to perform big-data processing, accurately detecting the DDoS attacks, advertising spam and phishing mail of botnet attacks, and the vulnerability-exploiting worms, social-engineering worm mail and web-page worms of worm attacks. With the invention, Trojans, botnet attacks and worm attacks in the mobile Internet can be detected quickly and accurately; the invention is characterised by speed and accuracy.

Description

Mobile Internet distributed bot, Trojan and worm detection method and device
Technical field
The present invention relates to the technical field of network security, and in particular to a distributed bot, Trojan and worm detection method and device for the mobile Internet.
Background technology
With the rapid development of the mobile Internet, the openness of the Android platform, the explosive growth of apps and the convenience of app stores, mobile terminals have quickly become the convenient platform through which people use network services: obtaining information online, shopping, socialising and playing mobile games. At the same time, because mobile terminals store users' private information, such as contact lists, location information and bank account information, profit-driven hackers increasingly target mobile terminal users and compromise their interests.
The distributed bot, Trojan and worm detection method and device for the mobile Internet of the present invention mainly involve the following techniques: file integrity detection, system and function call detection, communication behaviour detection, Bayesian filter detection, active scanning detection, and detection based on the port of the vulnerability, the dispersion of traffic and behavioural characteristics.
The development of bot, Trojan and worm detection technology for the mobile Internet has taken two directions: keyword detection and traffic detection. The advantage of both is that the technology is relatively mature. Their defects are that detection is not aimed accurately at a particular attack class, so the false-alarm rate is relatively high; that there is no cooperation between client and cloud server; and that performance is relatively low, so network information has to be sampled, which leads to a relatively high miss rate. The present invention uses file integrity detection, system and function call detection, communication behaviour detection, Bayesian filter detection, active scanning detection, and detection based on the port of the vulnerability, the dispersion of traffic and behavioural characteristics, overcoming the shortcomings of the two directions above and detecting bots, Trojans and worms quickly and accurately.
The content of the invention
The purpose of the invention is to overcome the shortcomings of the prior art by providing a distributed bot, Trojan and worm detection method and device for the mobile Internet, so that Trojans, botnets and worm attacks can be detected quickly and accurately, the confidentiality and integrity of information in mobile terminals and the availability of the mobile Internet are effectively guaranteed, and a safe, available mobile Internet environment is provided for mobile terminal users.
The purpose of the present invention is achieved through the following technical solutions:
A distributed bot, Trojan and worm detection method for the mobile Internet comprises the following steps:
A. detecting Trojans in the mobile terminal by checking file integrity, system and function calls, and network communication behaviour;
B. the client cooperating with the cloud server to detect the DDoS attacks and the advertising spam and phishing mail of botnet attacks, based on the convergence degree of traffic, a Bayesian filter and active scanning of the URLs in mail;
C. the client cooperating with the cloud server to detect the vulnerability-exploiting worms of worm attacks and the social-engineering worm mail and web-page worms, based on the port of the vulnerability and the dispersion and behavioural characteristics of traffic.
Preferably, step A includes:
A1. retrieving the executable and library files of the mobile terminal, computing the file hash values and comparing them with the file hashes in the information base; if they differ, alerting, otherwise not alerting;
A2. detecting the addresses of the system calls and callback functions of the mobile terminal and comparing them with the corresponding addresses in the information base; if they differ, alerting, otherwise not alerting;
A3. capturing browser URLs and the destination IP addresses of communication behaviour; if a destination IP address is not an IP address of the app's web service, of the OS upgrade service or of a browser URL, alerting.
The information base contains the names and file hashes of the executable and library files of different OS versions, the system call and callback function addresses, the app names and the corresponding web service IP addresses, and the OS names and the corresponding upgrade IP addresses.
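The three client-side checks of step A as working Python, added here as an illustration and not taken from the patent or its applicant. A1 hashes the baseline executables and libraries, A2 compares observed system-call and callback addresses with the baseline, and A3 compares destination IPs with the allowed app web, OS upgrade and browser URL addresses. The information-base layout, the file contents, the addresses, the IPs and the host-to-IP table standing in for DNS are all constructed for the example.

```python
"""Added example (not the patent's code): the client-side Trojan checks of
step A as plain Python. The information-base layout and every sample value
below are constructed for illustration."""
import hashlib
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed information base for one OS release (assumed layout, not the patent's).
INFO_BASE = {
    "os_release": "sample-os-1.0",
    # A1: expected SHA-256 of executables and libraries (constructed contents)
    "file_hashes": {
        "/system/bin/sh": hashlib.sha256(b"sample shell binary").hexdigest(),
        "/system/lib/libc.so": hashlib.sha256(b"sample libc").hexdigest(),
    },
    # A2: expected addresses of system calls / callbacks (constructed)
    "call_addresses": {"open": 0x7F001000, "connect": 0x7F002000},
    # A3: destination IPs of app web services and OS upgrades (constructed)
    "app_web_ips": {"shopping-app": {"203.0.113.10"}},
    "os_upgrade_ips": {"sample-os-1.0": {"198.51.100.5"}},
}


def check_file_integrity(files: Dict[str, bytes], info_base=INFO_BASE) -> List[str]:
    """A1: hash each baseline file and alert on a mismatch or a missing file.
    `files` maps path -> contents; a real client reads them from disk."""
    alerts = []
    for path, expected in info_base["file_hashes"].items():
        if path not in files:
            alerts.append(f"A1 missing file {path}")
        elif hashlib.sha256(files[path]).hexdigest() != expected:
            alerts.append(f"A1 hash mismatch {path}")
    return alerts


def check_call_addresses(observed: Dict[str, int], info_base=INFO_BASE) -> List[str]:
    """A2: a system-call or callback address that differs from the baseline
    suggests the call has been hooked or redirected."""
    return [
        f"A2 address mismatch for {name}: {hex(observed.get(name, 0))}"
        for name, expected in info_base["call_addresses"].items()
        if observed.get(name) != expected
    ]


def browser_url_ips(urls: Iterable[str], dns: Dict[str, str]) -> Set[str]:
    """Resolve the hosts of the captured browser URLs; `dns` is a constructed
    host -> IP table standing in for the resolver."""
    hosts = (u.split("//", 1)[-1].split("/", 1)[0] for u in urls)
    return {dns[h] for h in hosts if h in dns}


def check_destinations(dest_ips: Iterable[str], browser_urls: Iterable[str],
                       dns: Dict[str, str], info_base=INFO_BASE) -> List[str]:
    """A3: alert on any destination IP that is neither an app web service,
    nor the OS upgrade service, nor the IP of a URL the browser visited."""
    allowed: Set[str] = set()
    for ips in info_base["app_web_ips"].values():
        allowed |= ips
    for ips in info_base["os_upgrade_ips"].values():
        allowed |= ips
    allowed |= browser_url_ips(browser_urls, dns)
    alerts = []
    for ip in dest_ips:
        ipaddress.ip_address(ip)  # reject malformed addresses early
        if ip not in allowed:
            alerts.append(f"A3 unexpected destination {ip}")
    return alerts


def demo() -> List[str]:
    """Run all three checks over constructed observations."""
    files = {
        "/system/bin/sh": b"sample shell binary",       # unchanged
        "/system/lib/libc.so": b"sample libc PATCHED",  # tampered
    }
    observed_calls = {"open": 0x7F001000, "connect": 0x7F009999}  # connect hooked
    dest_ips = ["203.0.113.10", "198.51.100.5", "192.0.2.77", "203.0.113.44"]
    browser_urls = ["https://news.example/index.html"]
    dns = {"news.example": "203.0.113.44"}
    return (check_file_integrity(files) + check_call_addresses(observed_calls)
            + check_destinations(dest_ips, browser_urls, dns))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Each check returns its alerts rather than printing them, so the client can batch them into the submission to the cloud server described in step B1. The A3 allowlist is only as good as the information base: a destination reached through a browser URL is allowed purely because the browser visited it, which is the behaviour the patent text describes.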
Preferably, step B includes:
B1. the detection client sends the local IP address, the source and destination IP addresses, port numbers, flags and packet lengths of traffic, and the keywords and URLs of mail content to the detection cloud server;
B2. for identical source and destination IP addresses and port numbers, detecting whether the TCP three-way handshake completes and whether UDP and ICMP requests and responses correspond; if incomplete or not corresponding, …;
B3. detecting whether the local IP address and the source IP address are identical; if they differ, …;
B4. detecting whether the number of source addresses for an identical destination address and port within a 1-second period exceeds 500; if so, alerting a DDoS attack;
B5. counting the frequency with which each keyword sent by the detection client occurs in normal mail and in spam respectively, and applying a Bayesian filter: $P = \frac{P_1 P_2 \cdots P_n}{P_1 P_2 \cdots P_n + (1-P_1)(1-P_2)\cdots(1-P_n)}$, $P_n = P(S \mid W_n)$, where $P$ is the joint probability that a mail is spam and $P_n$ is the conditional probability that the mail is spam when word $W_n$ occurs; the result is the probability that the mail is spam;
B6. judging whether the probability of spam exceeds 99%; if so, alerting advertising spam;
B7. actively fetching and analysing the pages of the URLs in the mail and determining whether they contain a form password field; if so, alerting phishing mail.
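The mail-side rules of steps B5 to B7, as an added Python example that is not the patent's own code. B5 derives per-word spam probabilities from keyword frequencies in constructed spam and normal corpora and combines them with the formula given in B5; B6 applies the 99% threshold; B7 inspects an already-fetched URL page for a password field inside a form. The corpora, the sample mail and the fetched page are constructed, the page content is passed in instead of being fetched live, and the clamp on per-word probabilities is an added safeguard that the patent text does not mention.

```python
"""Added example (not the patent's code): steps B5-B7 over constructed mail
data. Corpora, sample mail and fetched page are constructed; the clamp on
word probabilities is an added safeguard, not part of the patent text."""
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, Iterable, List

SPAM_THRESHOLD = 0.99  # B6: alert when the joint spam probability exceeds 99%
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def word_spam_probabilities(spam_mails: Iterable[str], ham_mails: Iterable[str]) -> Dict[str, float]:
    """B5, first half: P(S|W) per word from its relative frequency in the spam
    corpus versus the normal corpus, clamped to [0.01, 0.99] so that a word
    seen in only one corpus cannot force the product to exactly 0 or 1."""
    spam = Counter(w for m in spam_mails for w in m.lower().split())
    ham = Counter(w for m in ham_mails for w in m.lower().split())
    n_spam, n_ham = max(1, sum(spam.values())), max(1, sum(ham.values()))
    probs = {}
    for w in set(spam) | set(ham):
        p_spam, p_ham = spam[w] / n_spam, ham[w] / n_ham
        probs[w] = min(0.99, max(0.01, p_spam / (p_spam + p_ham)))
    return probs


def joint_spam_probability(words: Iterable[str], probs: Dict[str, float]) -> float:
    """B5, second half: P = P1...Pn / (P1...Pn + (1-P1)...(1-Pn)) over the
    words with a known P(S|W_n); unknown words are skipped."""
    prod_p = prod_q = 1.0
    known = 0
    for w in words:
        p = probs.get(w.lower())
        if p is None:
            continue
        known += 1
        prod_p *= p
        prod_q *= 1.0 - p
    if known == 0:
        return 0.5  # no evidence either way
    return prod_p / (prod_p + prod_q)


class PasswordFieldFinder(HTMLParser):
    """B7: record whether an <input type="password"> appears inside a <form>."""

    def __init__(self) -> None:
        super().__init__()
        self.in_form = False
        self.found = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.found = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def has_password_form(page_html: str) -> bool:
    finder = PasswordFieldFinder()
    finder.feed(page_html)
    return finder.found


def analyse_mail(mail_text: str, probs: Dict[str, float], fetched_pages: Dict[str, str]) -> List[str]:
    """B5-B7 for one mail. `fetched_pages` maps URL -> HTML that the cloud side
    has already retrieved (constructed here in place of a live fetch)."""
    alerts = []
    urls = URL_RE.findall(mail_text)
    body_words = URL_RE.sub(" ", mail_text).split()
    p = joint_spam_probability(body_words, probs)
    if p > SPAM_THRESHOLD:
        alerts.append(f"B6 advertising spam (p={p:.6f})")
    for url in urls:
        page = fetched_pages.get(url)
        if page is not None and has_password_form(page):
            alerts.append(f"B7 phishing mail: password form at {url}")
    return alerts


# Constructed training corpora and test data.
SPAM_CORPUS = ["buy cheap discount now", "cheap discount offer win prize", "win free prize now"]
HAM_CORPUS = ["meeting agenda attached", "project status report", "lunch tomorrow"]
SAMPLE_MAIL = "cheap discount prize now http://signin.example.test/verify"
FETCHED_PAGES = {
    "http://signin.example.test/verify":
        '<html><form action="/collect"><input name="user">'
        '<input type="password" name="pw"></form></html>',
}


def demo() -> List[str]:
    probs = word_spam_probabilities(SPAM_CORPUS, HAM_CORPUS)
    return analyse_mail(SAMPLE_MAIL, probs, FETCHED_PAGES)


if __name__ == "__main__":
    print(demo())
```

The combination formula is sensitive to extreme per-word values: without the clamp, a single word that never appeared in the normal corpus gives $P_n = 1$ and drives $P$ to exactly 1 regardless of the other words, which is why the example bounds each $P_n$ before multiplying.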
Preferably, step C includes:
C1. the detection client sends the source and destination IP addresses and the source and destination ports of file-sharing, web, database, mail and javascript eval traffic to the detection cloud server;
C2. for an identical destination port of the file-sharing service and an identical source address, if the number of destination addresses per minute exceeds 30, alerting a file-sharing vulnerability-exploiting worm;
C3. for an identical destination port of the web service and an identical source address, if the number of destination addresses per minute exceeds 30, alerting a web vulnerability-exploiting worm;
C4. for an identical destination port of the database service and an identical source address, if the number of destination addresses per minute exceeds 30, recording and alerting a database vulnerability-exploiting worm;
C5. for an identical destination port of the mail service and an identical source address, if the number of destination addresses per minute exceeds 30, alerting worm mail;
C6. if a web page in the mail contains javascript eval, alerting a web-page worm.
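The two traffic-dispersion rules, B4 (more than 500 distinct sources for one destination address and port within 1 second) and C2 to C5 (more than 30 distinct destinations per minute for one source and destination port, labelled by service), share the same windowed distinct-count logic, so both are shown in one added Python example together with the C6 eval check. This is not the patent's code: the port-to-service table, the fixed-window bucketing and every flow record are constructed for the example.

```python
"""Added example (not the patent's code): the traffic-dispersion rules of
steps B4 and C2-C6 over constructed flow records. The port-to-service table,
the window bucketing and all flow records are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DDOS_WINDOW_S = 1          # B4: 1-second period
DDOS_MAX_SOURCES = 500     # B4: alert when distinct sources exceed 500
WORM_WINDOW_S = 60         # C2-C5: per minute
WORM_MAX_DESTS = 30        # C2-C5: alert when distinct destinations exceed 30

# C1 traffic classes; mapping well-known ports to services is an assumption.
SERVICE_BY_PORT = {139: "file-sharing", 445: "file-sharing", 80: "web", 443: "web",
                   1433: "database", 3306: "database", 25: "mail", 587: "mail"}


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int


def detect_ddos(flows: List[Flow], window: int = DDOS_WINDOW_S,
                threshold: int = DDOS_MAX_SOURCES) -> List[str]:
    """B4: distinct source addresses per (destination, port) per fixed window."""
    buckets: Dict[Tuple[int, str, int], Set[str]] = defaultdict(set)
    for f in flows:
        buckets[(int(f.ts // window), f.dst, f.dport)].add(f.src)
    return [f"B4 DDoS attack: {dst}:{port} reached by {len(srcs)} sources in window {w}"
            for (w, dst, port), srcs in sorted(buckets.items()) if len(srcs) > threshold]


def detect_worm_fanout(flows: List[Flow], window: int = WORM_WINDOW_S,
                       threshold: int = WORM_MAX_DESTS) -> List[str]:
    """C2-C5: distinct destination addresses per (source, destination port)
    per window, reported with the label the patent gives each service."""
    buckets: Dict[Tuple[int, str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport in SERVICE_BY_PORT:
            buckets[(int(f.ts // window), f.src, f.dport)].add(f.dst)
    alerts = []
    for (w, src, port), dests in sorted(buckets.items()):
        if len(dests) > threshold:
            service = SERVICE_BY_PORT[port]
            label = "worm mail" if service == "mail" else f"{service} vulnerability-exploiting worm"
            alerts.append(f"C {label}: {src} -> {len(dests)} destinations on port {port} in window {w}")
    return alerts


SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
EVAL_RE = re.compile(r"\beval\s*\(")


def has_javascript_eval(page_html: str) -> bool:
    """C6: true when any <script> body in the mail's web page calls eval(...)."""
    return any(EVAL_RE.search(body) for body in SCRIPT_RE.findall(page_html))


def constructed_flows() -> List[Flow]:
    """Constructed capture: a flood, a scanning host and some ordinary traffic."""
    flows: List[Flow] = []
    # 600 distinct sources hit one web server within the same second (B4 case)
    for i in range(600):
        flows.append(Flow(100.2, f"10.{i // 256}.{i % 256}.7", "203.0.113.5", 40000 + i, 80))
    # one host contacts 40 distinct hosts on port 445 inside one minute (C2 case)
    for i in range(40):
        flows.append(Flow(200.0 + i, "192.0.2.9", f"198.51.100.{i + 1}", 50000 + i, 445))
    # ordinary browsing: one host, five web destinations (no alert)
    for i in range(5):
        flows.append(Flow(205.0 + i, "192.0.2.20", f"203.0.113.{20 + i}", 51000 + i, 443))
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    print(detect_ddos(sample))
    print(detect_worm_fanout(sample))
```

Fixed windows keyed on `ts // window` are the simplest reading of "within 1 second" and "per minute"; a burst that straddles a window boundary is split across two buckets and may fall under the threshold in both, so a sliding window is the usual refinement when the counts sit close to 500 or 30.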
A distributed bot, Trojan and worm detection device for the mobile Internet comprises:
a detection client, which mainly performs Trojan detection on the mobile terminal and the collection and submission of communication behaviour, including detection based on file integrity, detection based on system and function calls, and detection based on network communication behaviour;
a detection cloud server, which mainly detects botnet and worm attacks, including detecting the DDoS attacks and the advertising spam and phishing mail of botnet attacks, and detecting the vulnerability-exploiting worms of worm attacks and the social-engineering worm mail and web-page worms;
an information base containing the names and file hashes of the executable and library files of different OS versions, the system call and callback function addresses, the app names and the corresponding web service IP addresses, and the OS names and the corresponding upgrade IP addresses.
The detection client performs Trojan detection on the mobile terminal and collects and submits network communication behaviour; the detection cloud server detects botnet and worm attacks using the information submitted by the client and the information in the information base.
It can be seen from the technical scheme provided above that the present invention overcomes the shortcomings of the prior art and provides a distributed bot, Trojan and worm detection method and device for the mobile Internet, so that Trojans, botnets and worm attacks can be detected quickly and accurately, the confidentiality and integrity of information in mobile terminals and the availability of the mobile Internet are effectively guaranteed, and a safe, available mobile Internet environment is provided for mobile terminal users.
Brief description of the drawings
Fig. 1 is the networking schematic diagram of the distributed bot, Trojan and worm detection device for the mobile Internet;
Fig. 2 is the system structure diagram of the method of the invention;
Fig. 3 is the main flow chart of the method of the invention;
Fig. 4 is the flow chart of Trojan detection in the method of the invention;
Fig. 5 is the flow chart of botnet detection in the method of the invention;
Fig. 6 is the flow chart of worm attack detection in the method of the invention.

Claims (7)

1. A distributed bot, Trojan and worm detection method for the mobile Internet, characterised in that it comprises the following steps:
A. detecting Trojans in the mobile terminal by checking file integrity, system and function calls, and network communication behaviour;
B. the client cooperating with the cloud server to detect the DDoS attacks and the advertising spam and phishing mail of botnet attacks, based on the convergence degree of traffic, a Bayesian filter and active scanning of the URLs in mail;
C. the client cooperating with the cloud server to detect the vulnerability-exploiting worms of worm attacks and the social-engineering worm mail and web-page worms, based on the port of the vulnerability and the dispersion and behavioural characteristics of traffic.
2. The distributed bot, Trojan and worm detection method and device for the mobile Internet according to claim 1, characterised in that step A includes:
A1. retrieving the executable and library files of the mobile terminal, computing the file hash values and comparing them with the file hashes in the information base; if they differ, alerting, otherwise not alerting;
A2. detecting the addresses of the system calls and callback functions of the mobile terminal and comparing them with the corresponding addresses in the information base; if they differ, alerting, otherwise not alerting;
A3. capturing browser URLs and the destination IP addresses of communication behaviour; if a destination IP address is not an IP address of the app's web service, of the OS upgrade service or of a browser URL, alerting.
3. The information base contains the names and file hashes of the executable and library files of different OS versions, the system call and callback function addresses, the app names and the corresponding web service IP addresses, and the OS names and the corresponding upgrade IP addresses.
4. The distributed bot, Trojan and worm detection method for the mobile Internet according to claim 1, characterised in that step B includes:
B1. the detection client sends the local IP address, the source and destination IP addresses, port numbers, flags and packet lengths of traffic, and the keywords and URLs of mail content to the detection cloud server;
B2. for identical source and destination IP addresses and port numbers, detecting whether the TCP three-way handshake completes and whether UDP and ICMP requests and responses correspond; if incomplete or not corresponding, …;
B3. detecting whether the local IP address and the source IP address are identical; if they differ, …;
B4. detecting whether the number of source addresses for an identical destination address and port within a 1-second period exceeds 500; if so, alerting a DDoS attack;
B5. counting the frequency with which each keyword sent by the detection client occurs in normal mail and in spam respectively, and applying a Bayesian filter: $P = \frac{P_1 P_2 \cdots P_n}{P_1 P_2 \cdots P_n + (1-P_1)(1-P_2)\cdots(1-P_n)}$, $P_n = P(S \mid W_n)$, where $P$ is the joint probability that a mail is spam and $P_n$ is the conditional probability that the mail is spam when word $W_n$ occurs; the result is the probability that the mail is spam;
B6. judging whether the probability of spam exceeds 99%; if so, alerting advertising spam;
B7. actively fetching and analysing the pages of the URLs in the mail and determining whether they contain a form password field; if so, alerting phishing mail.
5. The distributed bot, Trojan and worm detection method for the mobile Internet according to claim 1, characterised in that step C includes:
C1. the detection client sends the source and destination IP addresses and the source and destination ports of file-sharing, web, database, mail and javascript eval traffic to the detection cloud server;
C2. for an identical destination port of the file-sharing service and an identical source address, if the number of destination addresses per minute exceeds 30, alerting a file-sharing vulnerability-exploiting worm;
C3. for an identical destination port of the web service and an identical source address, if the number of destination addresses per minute exceeds 30, alerting a web vulnerability-exploiting worm;
C4. for an identical destination port of the database service and an identical source address, if the number of destination addresses per minute exceeds 30, recording and alerting a database vulnerability-exploiting worm;
C5. for an identical destination port of the mail service and an identical source address, if the number of destination addresses per minute exceeds 30, alerting worm mail;
C6. if a web page in the mail contains javascript eval, alerting a web-page worm.
6. A distributed bot, Trojan and worm detection device for the mobile Internet, characterised in that it comprises:
a detection client, which mainly performs Trojan detection on the mobile terminal and the collection and submission of communication behaviour, including detection based on file integrity, detection based on system and function calls, and detection based on network communication behaviour;
a detection cloud server, which mainly detects botnet and worm attacks, including detecting the DDoS attacks and the advertising spam and phishing mail of botnet attacks, and detecting the vulnerability-exploiting worms of worm attacks and the social-engineering worm mail and web-page worms;
an information base containing the names and file hashes of the executable and library files of different OS versions, the system call and callback function addresses, the app names and the corresponding web service IP addresses, and the OS names and the corresponding upgrade IP addresses.
7. The detection client performs Trojan detection on the mobile terminal and collects and submits network communication behaviour; the detection cloud server detects botnet and worm attacks using the information submitted by the client and the information in the information base.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710473358.XA CN107332832A (en) 2017-06-21 2017-06-21 Mobile Internet distribution corpse wooden horse Worm detection method and device

Publications (1)

Publication Number Publication Date
CN107332832A true CN107332832A (en) 2017-11-07

Family

ID=60195045

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710473358.XA Pending CN107332832A (en) 2017-06-21 2017-06-21 Mobile Internet distribution corpse wooden horse Worm detection method and device

Country Status (1)

Country Link
CN (1) CN107332832A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697404A (en) * 2005-06-10 2005-11-16 广东省电信有限公司研究院 System and method for detecting network worm in interactive mode
CN101799855A (en) * 2010-03-12 2010-08-11 北京大学 Simulated webpage Trojan detecting method based on ActiveX component

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
张璐: "Text advertising mail filtering based on an improved Bayesian algorithm", Network Security Technology & Application *
李秀婷: "A detection method for DDoS attacks", Science & Technology Vision *
杨明: "Design and implementation of a phishing mail analysis ***", Journal of People's Public Security University of China (Natural Science Edition) *
梁晓: "Covert Trojan program detection method based on *** call hooking", Computer Engineering *
顺巧云: "Design and implementation of a Windows-based file integrity detection system", Computer Engineering *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108512896A (en) * 2018-02-06 2018-09-07 北京东方棱镜科技有限公司 Mobile Internet security postures cognition technology based on big data and device
CN109934014A (en) * 2019-02-15 2019-06-25 福建天泉教育科技有限公司 A kind of method and terminal detecting resource file correctness
CN109934014B (en) * 2019-02-15 2021-06-25 福建天泉教育科技有限公司 Method and terminal for detecting correctness of resource file
CN112788039A (en) * 2021-01-15 2021-05-11 合肥浩瀚深度信息技术有限公司 DDoS attack identification method, device and storage medium
CN115361182A (en) * 2022-08-08 2022-11-18 北京永信至诚科技股份有限公司 Botnet behavior analysis method and device, electronic equipment and medium
CN115361182B (en) * 2022-08-08 2024-02-09 永信至诚科技集团股份有限公司 Botnet behavior analysis method, device, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171107