CN109688092A - Compromised device detection method and device - Google Patents
- Publication number
- CN109688092A (application CN201810379276.3A)
- Authority
- CN
- China
- Prior art keywords
- falling
- host
- detection method
- data
- equipment detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a compromised device detection method and device. The method comprises: step 1, extracting behavioural feature data of hosts from the raw network traffic and restoring the application data of TCP/IP applications; step 2, matching the restored application data against IOC security threat intelligence; step 3, determining compromised hosts from the matching result. By using security threat intelligence, the system detects many compromised hosts that traditional antivirus software cannot find, including mobile phones infected with trojans.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a compromised device detection method and device.
Background technique
The usual way of detecting compromised devices at present is to install antivirus software on the device. But antivirus software is easily bypassed. For example, malware can be processed so that a specific antivirus product no longer detects it; some powerful malware can directly shut down the antivirus software and disable it; and malware can also hide its own processes and ports through a system rootkit so that the antivirus software cannot detect it.
Summary of the invention
In view of the fact that the malware mentioned in the background above can protect itself in various ways, the present invention provides a compromised device detection method and device that locate compromised devices by identifying their specific network behaviour.
The present invention provides a compromised device detection method, comprising:
Step 1, extracting behavioural feature data of hosts from the raw network traffic, and restoring the application data of TCP/IP applications;
Step 2, matching the restored application data against IOC security threat intelligence;
Step 3, determining compromised hosts according to the matching result.
Preferably, the application data on which the restoring operation is carried out include the five-tuple information of common traffic, DNS request and response information, and HTTP request and response information.
Preferably, step 1 includes:
Step 11, filtering the raw network packets;
Step 12, reassembling IP fragments and, if the protocol is TCP, reassembling TCP segments;
Step 13, identifying the application-layer protocol.
Preferably, step 11 obtains IP packets and filters them by port, retaining the packets whose port numbers correspond to the preset ports.
Preferably, step 2 further comprises loading all of the intelligence into memory for matching.
Preferably, the method also includes:
Step 4, storing the relevant information about the hosts determined to be compromised, together with the corresponding PCAP files, for later investigation and analysis.
Preferably, the method also includes setting a read-write lock: the lock is taken when the security threat intelligence is updated or replaced, and released otherwise.
Preferably, the method also includes raising an alarm when a compromised host is discovered.
An embodiment of the invention also provides a compromised device detection apparatus, comprising an acquisition module, a matching module and a judgment module;
the acquisition module is configured to extract behavioural feature data of hosts from the raw network traffic and restore the application data of TCP/IP applications;
the matching module is configured to match the restored application data against IOC security threat intelligence;
the judgment module is configured to determine compromised hosts according to the matching result.
Preferably, the acquisition module is further configured to: filter the raw network packets; reassemble IP fragments and, if the protocol is TCP, reassemble TCP segments; and identify the application-layer protocol.
Actual testing shows that, by using security threat intelligence, this method detects many compromised hosts that traditional antivirus software cannot find, including mobile phones infected with trojans.
Detailed description of the invention
Fig. 1 is a schematic diagram of the principle of the present invention;
Fig. 2 is a flow chart of the present invention.
Specific embodiment
In order to enable those skilled in the art to better understand the technical solution of the present invention, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
A compromised device is a device that has been taken over by an attacker; the attacker can use the compromised device as a stepping stone to penetrate further into the enterprise where the device is located. Network traffic mirroring means that a switch or optical splitter copies all of the raw network traffic flowing through it to a designated device port. In this way the network behaviour of computers can be identified by analysing the mirrored traffic, without changing the enterprise's existing network architecture.
IOC information (Indicators of Compromise) is also called security threat intelligence; once a host's behaviour matches an indicator of compromise, that host is considered compromised. Indicators of compromise come in many kinds, for example: domain names, IP addresses, URLs, hashes of trojan files, registry key values, and the names of the semaphores (mutexes) used by a trojan when it runs. Recently, with the outbreak of mobile phone viruses, mobile devices have also become targets of attackers, and traditional antivirus software cannot cover these mobile devices.
Although malware can protect itself in various ways and can infect non-PC devices, the network behaviour it triggers cannot be hidden. On this basis, the present invention provides a compromised device detection method and device that detect an enterprise's compromised devices by analysing network traffic. With reference to Fig. 1 and Fig. 2, this goal is reached in the following steps:
(1) Extract behavioural feature data of hosts from the raw network traffic, restoring the application data of TCP/IP applications at high speed; the restored content includes the five-tuple information of common traffic, DNS request and response information, HTTP request and response information, and similar data.
(2) Match the restored application data against IOC security threat intelligence and determine compromised hosts from the matching result, i.e. a successful match indicates that a compromised host has been found. In one embodiment, the restored application data are matched against pre-stored feature data; if the match succeeds, the host corresponding to the application data is a compromised host.
(3) Automatic acquisition and replacement of IOC security threat intelligence. Because security threat intelligence is highly time-sensitive and is updated frequently, updating the intelligence must not interrupt the detection that is in progress.
(4) Storage of malicious traffic, for analysis, investigation and evidence collection.
The system implementing this method mainly includes the following modules: an application-layer traffic recovery module, a security threat intelligence matching module, and an alarm information and PCAP storage module.
Application-layer traffic recovery module: responsible for restoring application-layer protocols; the protocols mainly restored are HTTP and DNS. In operation, it first filters the raw network packets to obtain IP packets and filters them by port, keeping the packets whose port numbers correspond to the preset ports; specifically, the packets whose port number is 80, 443 or 53 are retained. Second, it reassembles IP fragments and, if the protocol is TCP, reassembles TCP segments. Finally, it identifies the application-layer protocol. The key data structures of this module are as follows:
Five-tuple data structure:
DNS data structure:
HTTP data structure:
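The patent's own data structures and recovery code are not reproduced on this page. The following Go program is an added example, not the patent's code: it defines a five-tuple key plus DNS and HTTP record types in the shape the description implies (the exact fields are an assumption), parses the five-tuple out of a raw IPv4 packet, applies the port filter the description gives (80, 443, 53), and does a coarse port-based application-layer identification. It rejects non-initial IP fragments, which the description says are reassembled before this step. The packets in `main` are constructed for the demo, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// FiveTuple is the flow key the recovery module keys traffic on.
type FiveTuple struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	Protocol         uint8 // 6 = TCP, 17 = UDP
}

// DNSRecord and HTTPRecord stand in for the "DNS data structure" and
// "HTTP data structure" named in the description; the field set is an assumption.
type DNSRecord struct {
	Flow    FiveTuple
	QName   string
	Answers []string
}

type HTTPRecord struct {
	Flow   FiveTuple
	Host   string
	URL    string
	Method string
}

// keptPorts are the ports the description says survive the port filter.
var keptPorts = map[uint16]bool{80: true, 443: true, 53: true}

// ParseFiveTuple decodes the IPv4 and TCP/UDP headers of a raw packet.
// It returns ok=false for non-IPv4, non-TCP/UDP, truncated, or non-initial
// fragment packets (fragments carry no transport header and are reassembled first).
func ParseFiveTuple(pkt []byte) (FiveTuple, bool) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return FiveTuple{}, false
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl+4 {
		return FiveTuple{}, false
	}
	proto := pkt[9]
	if proto != 6 && proto != 17 {
		return FiveTuple{}, false
	}
	if binary.BigEndian.Uint16(pkt[6:8])&0x1fff != 0 {
		return FiveTuple{}, false
	}
	return FiveTuple{
		SrcIP:    net.IPv4(pkt[12], pkt[13], pkt[14], pkt[15]),
		DstIP:    net.IPv4(pkt[16], pkt[17], pkt[18], pkt[19]),
		SrcPort:  binary.BigEndian.Uint16(pkt[ihl : ihl+2]),
		DstPort:  binary.BigEndian.Uint16(pkt[ihl+2 : ihl+4]),
		Protocol: proto,
	}, true
}

// PortFilter keeps a flow when either endpoint uses port 80, 443 or 53.
func PortFilter(ft FiveTuple) bool {
	return keptPorts[ft.SrcPort] || keptPorts[ft.DstPort]
}

// AppProtocol is the coarse application-layer identification step; keying it
// off the well-known port is this example's assumption, not the patent's method.
func AppProtocol(ft FiveTuple) string {
	switch {
	case ft.DstPort == 53 || ft.SrcPort == 53:
		return "dns"
	case ft.DstPort == 80 || ft.SrcPort == 80:
		return "http"
	case ft.DstPort == 443 || ft.SrcPort == 443:
		return "tls"
	}
	return "other"
}

// buildPacket constructs a minimal IPv4 + transport header with no payload.
// It is demo input, not captured traffic.
func buildPacket(proto uint8, src, dst [4]byte, sport, dport uint16) []byte {
	pkt := make([]byte, 28)
	pkt[0] = 0x45 // IPv4, IHL = 5 words
	pkt[9] = proto
	copy(pkt[12:16], src[:])
	copy(pkt[16:20], dst[:])
	binary.BigEndian.PutUint16(pkt[20:22], sport)
	binary.BigEndian.PutUint16(pkt[22:24], dport)
	return pkt
}

func main() {
	pkts := [][]byte{
		buildPacket(17, [4]byte{10, 0, 0, 5}, [4]byte{10, 0, 0, 53}, 51000, 53),
		buildPacket(6, [4]byte{10, 0, 0, 5}, [4]byte{93, 184, 216, 34}, 40000, 80),
		buildPacket(6, [4]byte{10, 0, 0, 5}, [4]byte{10, 0, 0, 9}, 40001, 22),
	}
	for _, p := range pkts {
		ft, ok := ParseFiveTuple(p)
		fmt.Printf("%s:%d -> %s:%d proto=%d ok=%v kept=%v app=%s\n",
			ft.SrcIP, ft.SrcPort, ft.DstIP, ft.DstPort, ft.Protocol, ok, ok && PortFilter(ft), AppProtocol(ft))
	}
}
```

The third constructed packet (SSH on port 22) is parsed but dropped by the filter, which is the behaviour the description specifies: only traffic on the preset ports reaches the HTTP/DNS recovery stage.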
The threat intelligence matching module is mainly responsible for matching security threat intelligence. Because the system is aimed at enterprise users, the threat intelligence matching module must guarantee matching speed and must also solve the problem of intelligence updates. To guarantee matching speed, this system loads all of the intelligence into memory and matches there, which improves matching efficiency. The data structure of a specific intelligence entry is as follows:
It includes the ID, type, content, threat level, confidence and other information of the IOC.
The matching code is as follows:
Because the hot replacement problem has to be solved, a read-write lock is added:
When updating or replacing iocMap, only the read-write lock needs to be taken, which prevents data (such as the security threat intelligence) from being corrupted by interleaved operations:
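The matching code and lock code themselves are not on this page. The following Go program is an added example, not the patent's code, covering the intelligence entry structure (ID, type, content, threat level, confidence), the in-memory `iocMap`, the read-write lock that lets matching continue while a feed update swaps the map in (the hot replacement the description mentions), and the judgment step that marks a host compromised on a successful match. Domain normalisation (lower-casing, trailing dot) and the `Observation` shape are this example's assumptions; the sample feed and observations are constructed, using documentation-reserved names and addresses.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// IOCType is the indicator kind; the description lists domain, ip, url,
// file hash, registry key and mutex name. Three kinds are enough for the demo.
type IOCType string

const (
	IOCDomain IOCType = "domain"
	IOCIP     IOCType = "ip"
	IOCURL    IOCType = "url"
)

// IOC carries the fields the description names for an intelligence entry.
type IOC struct {
	ID          string
	Type        IOCType
	Content     string
	ThreatLevel int
	Confidence  int
}

// iocStore keeps all indicators in memory, keyed by type and content, and
// guards them with a read-write lock: matchers take the read lock, a feed
// update takes the write lock only for the pointer swap.
type iocStore struct {
	mu     sync.RWMutex
	iocMap map[IOCType]map[string]IOC
}

func newIOCStore() *iocStore {
	return &iocStore{iocMap: map[IOCType]map[string]IOC{}}
}

// normalize lower-cases domains and URLs and strips a trailing dot so that
// a DNS name seen on the wire matches the feed entry (an assumption here).
func normalize(t IOCType, v string) string {
	switch t {
	case IOCDomain:
		return strings.TrimSuffix(strings.ToLower(v), ".")
	case IOCURL:
		return strings.ToLower(v)
	}
	return v
}

// Replace builds the new map outside the lock and swaps it in atomically,
// so in-flight matching is never blocked for longer than the swap itself.
func (s *iocStore) Replace(iocs []IOC) {
	m := make(map[IOCType]map[string]IOC)
	for _, i := range iocs {
		if m[i.Type] == nil {
			m[i.Type] = map[string]IOC{}
		}
		m[i.Type][normalize(i.Type, i.Content)] = i
	}
	s.mu.Lock()
	s.iocMap = m
	s.mu.Unlock()
}

// Match looks up one observed value under the read lock.
func (s *iocStore) Match(t IOCType, value string) (IOC, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	i, ok := s.iocMap[t][normalize(t, value)]
	return i, ok
}

// Observation is a minimal stand-in for one recovered DNS or HTTP record.
type Observation struct {
	Host  string // internal host that produced the traffic
	Type  IOCType
	Value string
}

// Alert is what the judgment step emits when an observation hits an IOC.
type Alert struct {
	Host string
	IOC  IOC
}

// Judge applies step 3: every observation that matches marks its host compromised.
func Judge(s *iocStore, obs []Observation) []Alert {
	var out []Alert
	for _, o := range obs {
		if i, ok := s.Match(o.Type, o.Value); ok {
			out = append(out, Alert{Host: o.Host, IOC: i})
		}
	}
	return out
}

func main() {
	store := newIOCStore()
	store.Replace([]IOC{ // constructed sample feed
		{ID: "ioc-1", Type: IOCDomain, Content: "c2.example.net", ThreatLevel: 5, Confidence: 90},
		{ID: "ioc-2", Type: IOCIP, Content: "203.0.113.7", ThreatLevel: 4, Confidence: 70},
	})
	obs := []Observation{ // constructed recovered records
		{Host: "10.0.0.5", Type: IOCDomain, Value: "C2.EXAMPLE.NET."},
		{Host: "10.0.0.6", Type: IOCDomain, Value: "www.example.com"},
		{Host: "10.0.0.7", Type: IOCIP, Value: "203.0.113.7"},
	}
	for _, a := range Judge(store, obs) {
		fmt.Printf("compromised host %s matched %s (%s) level=%d\n", a.Host, a.IOC.ID, a.IOC.Content, a.IOC.ThreatLevel)
	}
}
```

Building the replacement map before taking the write lock is what keeps the update from stalling detection: readers hold `RLock` only for a map lookup, and the writer holds `Lock` only for a pointer assignment.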
Alarm information and PCAP storage module: mainly responsible for storing the relevant information about the compromised hosts that are discovered, together with the related PCAP files, for investigation and analysis; it also raises an alarm when a compromised host is discovered, to notify the user.
This system stores alarm information in log form; the key code is as follows:
The key code for PCAP storage is as follows:
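The alarm-log and PCAP-storage code referred to above is not reproduced on this page. The following Go program is an added example, not the patent's code: it writes one JSON alarm record per line (the field set is an assumption), serialises the flagged host's packets into libpcap file format using only the standard library so the evidence opens in ordinary analysis tools, and reads the file back so stored evidence can be verified. Link type 101 (LINKTYPE_RAW) is chosen because the stored packets start at the IPv4 header; the file naming scheme and the placeholder packets are constructed for the demo.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// AlertRecord is one alarm written in log form (one JSON object per line).
type AlertRecord struct {
	Time        string `json:"time"`
	Host        string `json:"host"`
	IOCID       string `json:"ioc_id"`
	IOCType     string `json:"ioc_type"`
	IOCContent  string `json:"ioc_content"`
	ThreatLevel int    `json:"threat_level"`
	PCAPPath    string `json:"pcap"`
}

// LogLine renders the alarm as a single JSON line for the alarm log.
func (a AlertRecord) LogLine() (string, error) {
	b, err := json.Marshal(a)
	return string(b), err
}

// libpcap constants: little-endian magic, format version 2.4, LINKTYPE_RAW.
const (
	pcapMagic    uint32 = 0xa1b2c3d4
	pcapSnapLen  uint32 = 65535
	pcapLinkType uint32 = 101
)

// PCAPBytes serialises raw IPv4 packets in libpcap file format. Timestamps
// are constructed (first + 1 ms per packet) since the demo has no capture clock.
func PCAPBytes(packets [][]byte, first time.Time) []byte {
	var buf bytes.Buffer
	le := binary.LittleEndian
	for _, v := range []interface{}{pcapMagic, uint16(2), uint16(4), int32(0), uint32(0), pcapSnapLen, pcapLinkType} {
		binary.Write(&buf, le, v)
	}
	for i, p := range packets {
		ts := first.Add(time.Duration(i) * time.Millisecond)
		for _, v := range []uint32{uint32(ts.Unix()), uint32(ts.Nanosecond() / 1000), uint32(len(p)), uint32(len(p))} {
			binary.Write(&buf, le, v)
		}
		buf.Write(p)
	}
	return buf.Bytes()
}

// ReadPCAP parses a file produced by PCAPBytes back into packets, rejecting
// truncated files so that damaged evidence is noticed rather than trusted.
func ReadPCAP(b []byte) ([][]byte, error) {
	le := binary.LittleEndian
	if len(b) < 24 || le.Uint32(b[0:4]) != pcapMagic {
		return nil, errors.New("not a little-endian pcap file")
	}
	var out [][]byte
	for off := 24; off < len(b); {
		if len(b)-off < 16 {
			return nil, errors.New("truncated packet header")
		}
		n := int(le.Uint32(b[off+8 : off+12])) // incl_len
		off += 16
		if len(b)-off < n {
			return nil, errors.New("truncated packet data")
		}
		out = append(out, b[off:off+n])
		off += n
	}
	return out, nil
}

// StoreEvidence writes the host's packets to <dir>/<host>-<unix>.pcap with
// owner-only permissions and returns the path the alarm record should reference.
func StoreEvidence(dir, host string, packets [][]byte, ts time.Time) (string, error) {
	path := filepath.Join(dir, fmt.Sprintf("%s-%d.pcap", host, ts.Unix()))
	return path, os.WriteFile(path, PCAPBytes(packets, ts), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "evidence")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	ts := time.Unix(1700000000, 0).UTC()
	pkts := [][]byte{{0x45, 0x00, 0x00, 0x1c}, {0x45, 0x00, 0x00, 0x28}} // constructed placeholders
	path, err := StoreEvidence(dir, "10.0.0.5", pkts, ts)
	if err != nil {
		panic(err)
	}
	line, _ := AlertRecord{Time: ts.Format(time.RFC3339), Host: "10.0.0.5", IOCID: "ioc-1",
		IOCType: "domain", IOCContent: "c2.example.net", ThreatLevel: 5, PCAPPath: path}.LogLine()
	fmt.Println(line)
}
```

Writing the alarm as structured JSON with the PCAP path in it ties each alert to its evidence file, which is what the later "investigation and analysis" step needs.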
With the above technical solution, the entire system corresponding to this method can be developed in Golang, which guarantees that its performance is sufficient for use in an enterprise network. According to actual test results, on a low-specification computer with a single CPU and 1G of memory it can analyse traffic of 10Gb/s or more, and the threat intelligence matching speed can reach 20W/s (W is the Chinese unit 万, i.e. 200,000 matches per second).
Actual testing shows that, by using security threat intelligence, this method detects many compromised hosts that traditional antivirus software cannot find. At the same time, because the steps above are used, the detection target is not limited: any electronic device that is involved in raw network traffic and its related data can be detected as a target device, so the target devices also include mobile phones and the like that may have been infected with trojans.
An embodiment of the invention also provides a compromised device detection apparatus, comprising an acquisition module, a matching module and a judgment module. The acquisition module is configured to extract behavioural feature data of hosts from the raw network traffic and restore the application data of TCP/IP applications; the matching module is configured to match the restored application data against IOC security threat intelligence; and the judgment module determines compromised hosts according to the matching result.
With reference to Fig. 1, specifically, the acquisition module extracts behavioural feature data of hosts from the raw network traffic, restoring the application data of TCP/IP applications at high speed; the restored content includes the five-tuple information of common traffic, DNS request and response information, HTTP request and response information, and similar data.
The matching module matches the restored application information against IOC security threat intelligence, and the judgment module determines compromised hosts according to the matching result, i.e. a successful match indicates that a compromised host has been found. In one embodiment, the restored application data are matched against pre-stored feature data; if the match succeeds, the host corresponding to the application data is a compromised host.
As for the automatic acquisition and replacement of IOC security threat intelligence: because security threat intelligence is highly time-sensitive and is updated frequently, updating the intelligence must not interrupt the detection that is in progress. Malicious traffic is stored for analysis, investigation and evidence collection.
In one embodiment of the invention, the acquisition module is further configured to: filter the raw network packets; reassemble IP fragments and, if the protocol is TCP, reassemble TCP segments; and identify the application-layer protocol. Specifically, an application-layer traffic recovery module is provided in the judgment module. The application-layer traffic recovery module is responsible for restoring application-layer protocols; the protocols mainly restored are HTTP and DNS. For example, in operation it first filters the raw network packets to obtain IP packets and filters them by port, keeping the packets whose port numbers correspond to the preset ports; specifically, the packets whose port number is 80, 443 or 53 are retained. Next it reassembles IP fragments, and if the protocol is TCP it then reassembles TCP segments.
The above embodiments are only exemplary embodiments of the present invention and are not intended to limit it; the protection scope of the present invention is defined by the claims. Those skilled in the art can make various modifications or equivalent replacements to the present invention within its spirit and scope, and such modifications or equivalent replacements should also be regarded as falling within the scope of the present invention.
Claims (10)
- 1. A compromised device detection method, characterized by comprising: step 1, extracting behavioural feature data of hosts from the raw network traffic, and restoring the application data of TCP/IP applications; step 2, matching the restored application data against IOC security threat intelligence; step 3, determining compromised hosts according to the matching result.
- 2. The compromised device detection method according to claim 1, characterized in that the application data on which the restoring operation is carried out include the five-tuple information of common traffic, DNS request and response information, and HTTP request and response information.
- 3. The compromised device detection method according to claim 1, characterized in that step 1 includes: step 11, filtering the raw network packets; step 12, reassembling IP fragments and, if the protocol is TCP, reassembling TCP segments; step 13, identifying the application-layer protocol.
- 4. The compromised device detection method according to claim 3, characterized in that step 11 obtains IP packets and filters them by port, retaining the packets whose port numbers correspond to the preset ports.
- 5. The compromised device detection method according to claim 1, characterized in that step 2 further comprises loading all of the intelligence into memory for matching.
- 6. The compromised device detection method according to claim 1, characterized in that the method also includes: step 4, storing the relevant information about the hosts determined to be compromised, together with the corresponding PCAP files, for later investigation and analysis.
- 7. The compromised device detection method according to claim 1, characterized in that the method also includes setting a read-write lock, taking the lock when the security threat intelligence is updated or replaced, and releasing it otherwise.
- 8. The compromised device detection method according to claim 1, characterized in that the method also includes raising an alarm when a compromised host is discovered.
- 9. A compromised device detection apparatus, comprising an acquisition module, a matching module and a judgment module; the acquisition module is configured to extract behavioural feature data of hosts from the raw network traffic and restore the application data of TCP/IP applications; the matching module is configured to match the restored application data against IOC security threat intelligence; the judgment module is configured to determine compromised hosts according to the matching result.
- 10. The apparatus according to claim 9, wherein the acquisition module is further configured to: filter the raw network packets; reassemble IP fragments and, if the protocol is TCP, reassemble TCP segments; and identify the application-layer protocol.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810379276.3A CN109688092A (en) | 2018-04-25 | 2018-04-25 | Compromised device detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810379276.3A CN109688092A (en) | 2018-04-25 | 2018-04-25 | Compromised device detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109688092A true CN109688092A (en) | 2019-04-26 |
Family
ID=66184348
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810379276.3A Pending CN109688092A (en) | 2018-04-25 | 2018-04-25 | Compromised device detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109688092A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110958251A (en) * | 2019-12-04 | 2020-04-03 | 中电福富信息科技有限公司 | Method and device for detecting and backtracking lost host based on real-time stream processing |
CN111818073A (en) * | 2020-07-16 | 2020-10-23 | 深信服科技股份有限公司 | Method, device, equipment and medium for detecting defect host |
CN112073362A (en) * | 2020-06-19 | 2020-12-11 | 北京邮电大学 | APT (advanced persistent threat) organization flow identification method based on flow characteristics |
CN112769775A (en) * | 2020-12-25 | 2021-05-07 | 深信服科技股份有限公司 | Threat information correlation analysis method, system, equipment and computer medium |
CN113726818A (en) * | 2021-11-01 | 2021-11-30 | 北京微步在线科技有限公司 | Method and device for detecting lost host |
CN114095217A (en) * | 2021-11-06 | 2022-02-25 | 北京天融信网络安全技术有限公司 | Evidence obtaining and tracing method and system for failing host snapshot |
CN116886452A (en) * | 2023-09-08 | 2023-10-13 | 北京安博通科技股份有限公司 | Method and system for judging host computer collapse |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103634306A (en) * | 2013-11-18 | 2014-03-12 | 北京奇虎科技有限公司 | Security detection method and security detection server for network data |
US20170048260A1 (en) * | 2015-08-12 | 2017-02-16 | Wizard Tower TechnoServices Ltd. | Method and system for network resource attack detection using a client identifier |
CN106921608A (en) * | 2015-12-24 | 2017-07-04 | 华为技术有限公司 | One kind detection terminal security situation method, apparatus and system |
CN107360170A (en) * | 2017-07-18 | 2017-11-17 | 百色闻远网络科技有限公司 | A kind of computer network security detection method |
CN107579995A (en) * | 2017-09-30 | 2018-01-12 | 北京奇虎科技有限公司 | The network protection method and device of onboard system |
CN107800685A (en) * | 2017-07-03 | 2018-03-13 | 南京骏腾信息技术有限公司 | Based on the intelligent security defense platform for threatening information |
2018
- 2018-04-25 CN CN201810379276.3A patent/CN109688092A/en active Pending
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110958251A (en) * | 2019-12-04 | 2020-04-03 | 中电福富信息科技有限公司 | Method and device for detecting and backtracking lost host based on real-time stream processing |
CN112073362A (en) * | 2020-06-19 | 2020-12-11 | 北京邮电大学 | APT (advanced persistent threat) organization flow identification method based on flow characteristics |
CN111818073A (en) * | 2020-07-16 | 2020-10-23 | 深信服科技股份有限公司 | Method, device, equipment and medium for detecting defect host |
CN111818073B (en) * | 2020-07-16 | 2022-08-09 | 深信服科技股份有限公司 | Method, device, equipment and medium for detecting defect host |
CN112769775A (en) * | 2020-12-25 | 2021-05-07 | 深信服科技股份有限公司 | Threat information correlation analysis method, system, equipment and computer medium |
CN112769775B (en) * | 2020-12-25 | 2023-05-12 | 深信服科技股份有限公司 | Threat information association analysis method, system, equipment and computer medium |
CN113726818A (en) * | 2021-11-01 | 2021-11-30 | 北京微步在线科技有限公司 | Method and device for detecting lost host |
CN113726818B (en) * | 2021-11-01 | 2022-02-15 | 北京微步在线科技有限公司 | Method and device for detecting lost host |
CN114095217A (en) * | 2021-11-06 | 2022-02-25 | 北京天融信网络安全技术有限公司 | Evidence obtaining and tracing method and system for failing host snapshot |
CN116886452A (en) * | 2023-09-08 | 2023-10-13 | 北京安博通科技股份有限公司 | Method and system for judging host computer collapse |
CN116886452B (en) * | 2023-09-08 | 2023-12-08 | 北京安博通科技股份有限公司 | Method and system for judging host computer collapse |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109688092A (en) | Compromised device detection method and device | |
US10867034B2 (en) | Method for detecting a cyber attack | |
US7434261B2 (en) | System and method of identifying the source of an attack on a computer network | |
CN107659583B (en) | Method and system for detecting attack in fact | |
US7084760B2 (en) | System, method, and program product for managing an intrusion detection system | |
US8931099B2 (en) | System, method and program for identifying and preventing malicious intrusions | |
US7260844B1 (en) | Threat detection in a network security system | |
KR101292501B1 (en) | Aggregating the knowledge base of computer systems to proactively protect a computer from malware | |
KR100910761B1 (en) | Anomaly Malicious Code Detection Method using Process Behavior Prediction Technique | |
JP2019082989A5 (en) | ||
US20160012222A1 (en) | Methods, systems, and media for baiting inside attackers | |
CN109587179A (en) | A kind of SSH agreement behavior pattern recognition and alarm method based on bypass network full flow | |
US20090217341A1 (en) | Method of updating intrusion detection rules through link data packet | |
CN107154939B (en) | Data tracking method and system | |
CN107046535B (en) | A kind of abnormality sensing and method for tracing and system | |
CN102082836A (en) | DNS (Domain Name Server) safety monitoring system and method | |
CN104038466B (en) | Intruding detection system, method and apparatus for cloud computing environment | |
CN105959290A (en) | Detection method and device of attack message | |
KR100656351B1 (en) | Method for risk management analysis based on vulnerability assessment and apparatus thereof | |
EP3190767B1 (en) | Technique for detecting malicious electronic messages | |
CN106973051B (en) | Establish the method, apparatus and storage medium of detection Cyberthreat model | |
Giacinto et al. | Alarm clustering for intrusion detection systems in computer networks | |
KR101047382B1 (en) | Method and system for preventing file takeover using malicious code and recording medium | |
KR100868569B1 (en) | Network forensic apparatus and method thereof | |
JP2005175714A (en) | Evaluation device, method, and system for maliciousness of access in network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190426 |