CN110602104B - Method and device for preventing public cloud disk from being maliciously utilized by botnet - Google Patents


Info

Publication number: CN110602104B
Application number: CN201910875679.1A
Authority: CN (China)
Prior art keywords: file, address, sensitivity, public cloud, cloud disk
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110602104A (en)
Inventors: 王忠儒, 阮强, 李斌
Current assignee: Beijing Digapis Technology Co ltd
Original assignee: Beijing Digapis Technology Co ltd
Events: application filed by Beijing Digapis Technology Co ltd with priority to CN201910875679.1A; published as CN110602104A; application granted and published as CN110602104B; legal status active.

Classifications (CPC, all under H04L ELECTRIC COMMUNICATION TECHNIQUE / TRANSMISSION OF DIGITAL INFORMATION)

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L2463/144 Detection or countermeasures against botnets (additional details relating to network security covered by H04L63/00)
    • H04L2463/146 Tracing the source of attacks (additional details relating to network security covered by H04L63/00)


Abstract

The invention discloses a method for preventing a public cloud disk from being maliciously utilized by a botnet, comprising the following steps: capturing the traffic of a target public cloud disk, and acquiring from the traffic a suspected secret stealing file and the bot program IP address that uploaded it; when it is detected that the bot program IP address uploads a request data packet to the target public cloud disk, intercepting the request data packet and, disguised as the bot program IP address, submitting a honey mark file to the target public cloud disk instead, the honey mark file being of the same type as the request data packet and carrying a tracking watermark; when it is detected that an attacker downloads and opens the honey mark file, determining the attack IP address of the attacker; and disabling the attack IP address. Because the attack IP address is disabled, the botnet can no longer threaten users through public cloud disk attacks.

Description

Method and device for preventing public cloud disk from being maliciously utilized by botnet
Technical Field
The invention relates to the technical field of internet, in particular to a method and a device for preventing a public cloud disk from being maliciously utilized by a botnet.
Background
With the rise of the internet and the spread of artificial intelligence, our information is threatened in many ways, and because of botnets everything from laptops, routers and DVRs to security cameras is at risk. A botnet is an effective platform for launching network attacks, one of the biggest security threats on today's internet, and one of the key attack weapons in cyber warfare.
Botnets are mainly used for DDoS attacks, stealing host information, spreading malware, sending spam and the like. As internet technology has developed, botnets have taken to using public cloud disks as command-download, registration and data-return sub-channels for activities such as returning stolen files, sending spam and updating malware, which threatens users' information security.
A method for preventing a public cloud disk from being maliciously utilized by a botnet is therefore urgently needed, so that the botnet cannot threaten users through public cloud disk attacks.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for preventing a public cloud disk from being maliciously utilized by a botnet, so as to avoid the problem that the botnet threatens users through public cloud disk attacks. The specific scheme is as follows:
A method of preventing a public cloud disk from being maliciously utilized by a botnet, comprising:
capturing the traffic of a target public cloud disk, and acquiring from the traffic a suspected secret stealing file and the bot program IP address that uploaded the suspected secret stealing file;
when it is detected that the bot program IP address uploads a request data packet to the target public cloud disk, intercepting the request data packet and, disguised as the bot program IP address, submitting a honey mark file to the target public cloud disk, wherein the honey mark file is of the same type as the request data packet and carries a tracking watermark;
when it is detected that an attacker downloads and opens the honey mark file, determining the attack IP address of the attacker;
and disabling the attack IP address.
Optionally, in the above method, acquiring the suspected secret stealing file in the traffic and the bot program IP address that uploaded it includes:
acquiring the URL address of a file in the traffic and the request source IP address that uploaded the file;
determining the type of the file according to the URL address, and calculating the sensitivity of the file with the detection method corresponding to that type;
and when the sensitivity of the file meets a preset sensitivity threshold, judging that the file is a suspected secret stealing file and that the request source IP address is a bot program IP address.
Optionally, in the above method, when the type is text, calculating the sensitivity of the file with the detection method corresponding to the type includes:
acquiring the content information and position information of the sensitive words and sensitive word variants in the file;
determining the content sensitivity and position sensitivity of the sensitive words and their variants according to the content information and the position information;
and calculating the sensitivity of the file according to the formula
Figure BDA0002204264710000021 (formula image)
wherein:
n is the frequency, i.e. the number of occurrences of sensitive words and their variants in the text;
Sloc(Si) is the position sensitivity of sensitive word Si;
Ti is the content sensitivity of sensitive word Si;
S is the sensitivity of the file.
Optionally, the above method further includes:
normalizing the sensitivity.
Optionally, the above method further includes:
when the honey mark file is successfully submitted, returning a submission success instruction to the bot program.
An apparatus for preventing a public cloud disk from being maliciously utilized by a botnet, comprising:
a capturing and acquiring module, configured to capture the traffic of a target public cloud disk and acquire from the traffic a suspected secret stealing file and the bot program IP address that uploaded the suspected secret stealing file;
an intercepting module, configured to, when it is detected that the bot program IP address uploads a request data packet to the target public cloud disk, intercept the request data packet and, disguised as the bot program IP address, submit a honey mark file to the target public cloud disk, wherein the honey mark file is of the same type as the request data packet and carries a tracking watermark;
a determining module, configured to determine the attack IP address of an attacker when it is detected that the attacker downloads and opens the honey mark file;
and a disabling module, configured to disable the attack IP address.
The above apparatus, optionally, the capture obtaining module includes:
the address acquisition unit is used for acquiring a URL (Uniform resource locator) address of a file in the flow and a request source IP (Internet protocol) address for uploading the file;
the calculation unit is used for determining the type of the file according to the URL address and calculating the sensitivity of the file by adopting a detection method corresponding to the type;
and the judging unit is used for judging that the file is a suspected secret stealing file and the request source IP address is a bot IP address when the sensitivity of the file meets a preset sensitivity threshold.
Optionally, in the above apparatus, the calculating unit includes:
an information acquisition subunit, configured to acquire the content information and position information of the sensitive words and sensitive word variants in the file;
a determining subunit, configured to determine the content sensitivities and position sensitivities of the sensitive words and their variants according to the content information and the position information;
a calculating subunit, configured to calculate the sensitivity of the file according to the formula
Figure BDA0002204264710000031 (formula image)
wherein:
n is the frequency, i.e. the number of occurrences of sensitive words and their variants in the text;
Sloc(Si) is the position sensitivity of sensitive word Si;
Ti is the content sensitivity of sensitive word Si;
S is the sensitivity of the file.
The above apparatus, optionally, further comprises:
and the normalization subunit is used for carrying out normalization processing on the sensitivity.
The above apparatus, optionally, further comprises:
and the returning module is used for returning a submission success instruction to the zombie program when the honey mark file is successfully submitted.
Compared with the prior art, the invention has the following advantage:
by capturing the traffic of the target public cloud disk, replacing the bot program's upload with a watermarked honey mark file, determining the attack IP address when the attacker opens that file, and disabling the attack IP address, the method prevents the botnet from threatening users through public cloud disk attacks.
Of course, it is not necessary for any product in which the invention is practiced to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for preventing a public cloud disk from being maliciously utilized by a botnet according to an embodiment of the present disclosure;
fig. 2 is a flowchart of another method for preventing a public cloud disk from being maliciously utilized by a botnet according to an embodiment of the present disclosure;
fig. 3 is a block diagram illustrating a structure of an apparatus for preventing a public cloud disk from being maliciously utilized by a botnet according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The invention discloses a method and a device for preventing a public cloud disk from being maliciously utilized by a botnet, applied while the public cloud disk is being accessed. Here a public cloud disk means a cloud disk on which files can be shared without user registration, such as fileder, rapidspray, zipyshare and the like. A public cloud disk is similar in form to a note-sharing website, and the server side has unlimited storage space. A botnet can use a public cloud disk to return secret stealing files, steal host information, infringe user privacy and so on. To cope effectively with these malicious behaviours and prevent the public cloud disk from being maliciously utilized by the botnet, the invention monitors network traffic, provides real-time protection and defence, and adds a security barrier for internet users at large. The execution flow of the method is shown in figure 1 and comprises the following steps:
s101, capturing the flow of a target public cloud disk, and acquiring a suspected secret stealing file in the flow and a zombie program IP address for uploading the suspected secret stealing file;
In the embodiment of the invention, the target public cloud disk is the cloud disk to be protected from botnet use, and a packet capturing tool such as Charles or Fiddler is used to capture the traffic of the target public cloud disk. The traffic includes the URL addresses of all files and the IP addresses of the corresponding request sources. Sensitivity detection is carried out on the files in the traffic, and according to the detection result all suspected secret stealing files in the traffic and the bot program IP addresses that uploaded them are obtained. Bot programs are usually stored on a computer or other terminal, and once a bot program is found on a terminal, the terminal is judged to be infected by the bot program.
S102, when it is detected that the zombie program IP address uploads a request data packet to the target public cloud disk, intercepting the request data packet and disguising the request data packet into the zombie program IP address to submit a honey mark file to the target public cloud disk, wherein the honey mark file is the same as the request data packet in type and is provided with a tracking watermark;
In the embodiment of the invention, the network traffic sent from the bot program IP address to the target public cloud disk is intercepted and the target public cloud disk is traversed. When the network traffic is found to contain a request data packet uploaded by the bot program IP address, the request data packet is intercepted and not uploaded; instead, disguised as the bot program IP address, a honey mark file is submitted to the target public cloud disk, the honey mark file being of the same type as the request data packet and carrying a tracking watermark.
Further, the target public cloud disk may also return a submission success instruction to the bot program, so that the bot program believes the request data packet was uploaded successfully, when in fact what was uploaded is the honey mark file.
S103, when detecting that an attacker downloads and opens the honey mark file, determining an attack IP address of the attacker;
In the embodiment of the present invention, since the bot program only has an upload function, whoever downloads and opens the honey mark file is an attacker. When it is detected that the attacker has downloaded and opened the honey mark file, the attacker can be tracked to determine the attacker's network location, that is, the attack IP address. Taking the URL of a hidden remote picture embedded in the target file as an example of how the attack IP address is determined: once the attacker opens the honey mark file, the attacker's software requests the URL of the remote picture, and the corresponding picture server can derive the attacker's location information, that is, the attack IP address, from the request source IP address.
S104, disabling the attack IP address.
In the embodiment of the invention, in order to defend against the attacker's attack behaviour, the attack IP address is disabled, and when the attacker requests to download a file, network communication between the attacker and the target public cloud disk is blocked.
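As an added example (not the patent's own code), the defender-side bookkeeping behind S102 to S104 in Python: a tracker mints the tracking watermark for each honey mark file, resolves the hidden remote-picture request back to that file, records the requester as the attack IP address, and refuses later downloads from it. The beacon host name, the query parameter t and the Tracker class are assumptions of this example.

```python
"""Honey mark issuance, beacon attribution and IP disabling (S102-S104).
Added example; the beacon host and token scheme are assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Hypothetical picture server that hosts the hidden remote image.
BEACON_HOST = "beacon.example.invalid"


@dataclass
class HoneyMark:
    token: str       # opaque tracking watermark carried by the honey file
    file_type: str   # same type as the intercepted request data packet
    bot_ip: str      # bot program IP whose upload was replaced


@dataclass
class Tracker:
    marks: Dict[str, HoneyMark] = field(default_factory=dict)
    attack_ips: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)

    def issue(self, file_type: str, bot_ip: str) -> HoneyMark:
        """S102: mint a honey mark for the intercepted upload. The token is
        random so an unrelated request cannot be mistaken for a beacon hit."""
        mark = HoneyMark(secrets.token_urlsafe(16), file_type, bot_ip)
        self.marks[mark.token] = mark
        return mark

    def beacon_url(self, mark: HoneyMark) -> str:
        """The hidden remote-picture URL embedded in the honey mark file."""
        return f"https://{BEACON_HOST}/pixel.png?t={mark.token}"

    def on_beacon_request(self, url: str, source_ip: str) -> Optional[HoneyMark]:
        """S103: the picture server sees a fetch. Resolve the token back to
        its honey mark and record the requester as the attack IP address."""
        parts = urlsplit(url)
        token = parse_qs(parts.query).get("t", [None])[0]
        mark = self.marks.get(token) if token else None
        if mark is None or parts.netloc != BEACON_HOST:
            return None  # unknown token or wrong host: attribute nothing
        self.attack_ips.add(source_ip)
        self.events.append(f"honey mark {mark.token} opened from {source_ip}")
        return mark

    def allow_download(self, source_ip: str) -> bool:
        """S104: deny cloud-disk downloads from disabled attack IP addresses."""
        return source_ip not in self.attack_ips
```

The beacon only fires if the attacker's viewer fetches remote content, so a silent honey mark file is not evidence that it was never opened; and disabling an address shared behind NAT also cuts off its other users.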
In the embodiment of the present invention, the flow of acquiring the suspected secret stealing file in the traffic and the bot program IP address that uploaded it is shown in fig. 2 and includes the following steps:
s201, acquiring a URL address of a file in the flow and a request source IP address for uploading the file;
In the embodiment of the invention, a packet capturing tool is used to capture the traffic of the target public cloud disk, and the URL address of each file in the traffic and the request source IP address that uploaded the file are obtained. How the file URL address is obtained depends on the type of target public cloud disk. For example, for the FileDropper public cloud disk, the file URL address is found as follows: locate the php data record, then find the headers of the response, where the content of the Location header is the file URL address. For the YourFileLink public cloud disk, find the Text field of the response part of the data record named upload.php; the key is http://www.yourfilelink.com/get.php, and the fid part that follows it is unique. For the RapidShare public cloud disk, the file URL is generated in the browser: the data record is upload.php, the value of id is obtained from the file URL, and the file URL address is http://www.rapidshare.com.cn/ followed by the id.
S202, determining the type of the file according to the URL address, and calculating the sensitivity of the file by adopting a detection method corresponding to the type;
in the embodiment of the present invention, a file corresponding to the URL address is accessed according to the URL address, where the file may include at least one of a text, a picture, and a video, and a corresponding sensitivity calculation method is set for each type, where sensitivity calculation for a type of a picture or a video mainly uses an image processing technology, and is not specifically described in the embodiment of the present invention.
In the embodiment of the present invention, description is mainly given for a case where the file type is a text, and a specific algorithm is as follows:
S1, acquiring the content information and position information of the sensitive words and sensitive word variants in the file.
In the embodiment of the present invention, the content information of the sensitive words and sensitive word variants is obtained by comparing the content of the file with a preset sensitive word bank. The preset sensitive word bank is set according to experience; the specific principle used to set it is not limited in the embodiment of the present invention.
S2, determining the position sensitivity Sloc(Si) of the sensitive words and their variants.
In the embodiment of the invention, because files carry a great deal of information, people who want to take in as much as possible in the shortest time often read only the head and tail of a document, which matches the habit of putting the general description at the head and tail of an article. Therefore a sensitive word appearing at the head of the file influences the file's sensitivity more than one appearing at the tail, and a sensitive word appearing at the tail influences it more than one appearing elsewhere in the file. The position sensitivity of sensitive word Si is:
Figure BDA0002204264710000081 (formula image)
where alpha, beta, gamma and delta are the position weights of a sensitive word at the head, upper middle, lower middle and tail of the file respectively; len(t) is the file length, with a = len(t)/4, b = len(t)/2 and c = 3·len(t)/4; and li is the position of sensitive word Si in the document.
S3, determining content sensitivity Ti of sensitive words and variants thereof
In the embodiment of the present invention, the content sensitivity may also be referred to as a weight, and may be set by itself. For example, the weight of the password is higher than that of the user name, and the weight of the sensitive words can be set according to different levels of importance.
S4, determining the frequency of the sensitive words and their variants in the file.
In the embodiment of the invention, the frequency is the number of times the sensitive words and their variants occur in the file.
S5, calculating the sensitivity of the file.
In the embodiment of the invention, the position sensitivity, content sensitivity and frequency of the sensitive words and their variants are used as the factors for calculating the reliability of the text sensitivity, and the sensitivity of the text is calculated with the following formula.
Figure BDA0002204264710000091 (formula image)
Wherein:
n is the frequency, i.e. the number of occurrences of sensitive words and their variants in the text, the index i running from 0 to n-1;
Sloc(Si) is the position sensitivity of sensitive word Si;
Ti is the content sensitivity of sensitive word Si;
S is the sensitivity.
Equation (2) is normalized to lie within [0, 1]. The normalization formula is as follows:
Figure BDA0002204264710000092 (formula image)
S203, when the sensitivity of the file meets a preset sensitivity threshold, judging that the file is a suspected secret stealing file and that the request source IP address is a bot program IP address.
In the embodiment of the invention, sensitivity thresholds of 0.3 and 0.7 are selected: when the value of S' is greater than 0.7 the file is considered a suspected secret stealing file and its request source IP address is a bot program IP address; between 0.3 and 0.7 manual review is required; and below 0.3 the file is considered not to be a secret stealing file. The sensitivity threshold differs with the type of file; it can be chosen from empirical values or from big-data analysis of experiments.
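As an added example (not the patent's own code), steps S1 to S5 and the S203 threshold decision carried through in Python. The formula images are not reproduced on this page, so the combination rule (sum over the n occurrences of Sloc(Si)·Ti), the half-open position intervals, the normalization S' = 1 - exp(-S), the numeric position weights and the sensitive word bank are all assumptions constructed for this example.

```python
"""Position-weighted text sensitivity (S1-S5) and the 0.3 / 0.7 decision
(S203). Added example; the combination rule, normalization, weights and
word bank are assumptions, since the page's formula images are not shown."""
import math
import re
from typing import Dict, List, Tuple

# Constructed sensitive word bank: word or variant -> content sensitivity T.
# Variants share the weight of their base word (e.g. passwd, pwd).
SENSITIVE_WORDS: Dict[str, float] = {
    "password": 1.0, "passwd": 1.0, "pwd": 1.0,
    "username": 0.4, "user": 0.4,
    "api_key": 0.9, "token": 0.8,
}

# Position weights alpha, beta, gamma, delta for head, upper middle,
# lower middle and tail. The page only states head > tail > elsewhere;
# the numeric values are constructed for this example.
ALPHA, BETA, GAMMA, DELTA = 1.0, 0.4, 0.4, 0.7

_PATTERN = re.compile(
    r"\b(" + "|".join(map(re.escape, SENSITIVE_WORDS)) + r")\b", re.IGNORECASE
)


def position_sensitivity(li: int, file_len: int) -> float:
    """Sloc(Si): weight by where offset li falls in a file of length len(t).
    Boundaries a = len(t)/4, b = len(t)/2, c = 3*len(t)/4 follow the page;
    treating each interval as half-open is an assumption."""
    a, b, c = file_len / 4, file_len / 2, 3 * file_len / 4
    if li < a:
        return ALPHA
    if li < b:
        return BETA
    if li < c:
        return GAMMA
    return DELTA


def find_sensitive_words(text: str) -> List[Tuple[str, int]]:
    """S1: (word, position) for every sensitive word or variant in the text."""
    return [(m.group(1).lower(), m.start()) for m in _PATTERN.finditer(text)]


def sensitivity(text: str) -> float:
    """S2-S5: S = sum over the n hits of Sloc(Si) * Ti (assumed combination).
    Frequency n enters as the number of terms in the sum."""
    file_len = len(text)
    return sum(position_sensitivity(li, file_len) * SENSITIVE_WORDS[w]
               for w, li in find_sensitive_words(text))


def normalised_sensitivity(text: str) -> float:
    """S' in [0, 1): 1 - exp(-S) is an assumed monotone normalization."""
    return 1.0 - math.exp(-sensitivity(text))


def classify(text: str, low: float = 0.3, high: float = 0.7) -> str:
    """S203 with the page's thresholds: > 0.7 suspected secret stealing file,
    0.3..0.7 manual review, < 0.3 not a secret stealing file."""
    s = normalised_sensitivity(text)
    if s > high:
        return "suspected-exfiltration"
    if s >= low:
        return "manual-review"
    return "benign"
```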
In the embodiment of the present invention, the method described above may be deployed on a terminal in the form of a tool, and the terminal can start, stop, update and delete the tool. Starting makes the components at the target public cloud disk end run automatically; traffic monitoring is carried out mainly in the early stage, and the attacker is defended against in the later stage. Stopping halts the tool's operation at the target public cloud disk end, so that interactive operation is better supported. Updating upgrades the tool. When the target public cloud disk end no longer needs the tool, a delete operation removes it so that it does not occupy resources; note that the delete operation requires multiple confirmations, to prevent unrecoverable loss caused by mistaken deletion.
Based on the above method for preventing the public cloud disk from being maliciously utilized by the botnet, an embodiment of the present invention further provides an apparatus for preventing the public cloud disk from being maliciously utilized by the botnet, where a structural block diagram of the apparatus is shown in fig. 3, and the apparatus includes:
a capturing and acquiring module 301, an intercepting module 302, a determining module 303 and a disabling module 304.
Wherein:
the capturing and acquiring module 301 is configured to capture traffic of a target public cloud disk, acquire a suspected secret stealing file in the traffic and a zombie program IP address for uploading the suspected secret stealing file;
the intercepting module 302 is configured to, when it is detected that the zombie program IP address uploads a request data packet to the target public cloud disk, intercept the request data packet and disguise the request data packet as the zombie program IP address and submit a honey mark file to the target public cloud disk, where the honey mark file is the same as the request data packet in type and has a tracking watermark;
the determining module 303 is configured to determine an attack IP address of an attacker when it is detected that the attacker downloads and opens the honey mark file;
the disabling module 304 is configured to disable the attack IP address.
In this embodiment of the present invention, the capture obtaining module 301 includes:
an address acquisition unit 305, a calculation unit 306, and a determination unit 307.
Wherein:
the address obtaining unit 305 is configured to obtain a URL address of a file in the traffic and a request source IP address for uploading the file;
the calculating unit 306 is configured to determine the type of the file according to the URL address, and calculate the sensitivity of the file by using a detection method corresponding to the type;
the determining unit 307 is configured to determine that the file is a suspected secret stealing file and the request source IP address is a bot IP address when the sensitivity of the file meets a preset sensitivity threshold.
In this embodiment of the present invention, the calculating unit 306 includes:
an information acquisition sub-unit 308, a determination sub-unit 309 and a calculation sub-unit 310.
Wherein:
the information obtaining subunit 308 is configured to obtain content information and position information of the sensitive word and the sensitive word variant in the file;
the determining subunit 309, configured to determine content sensitivities and position sensitivities of the sensitive words and the variants according to the content information and the position information;
the calculating subunit 310 is configured to calculate a formula
Figure BDA0002204264710000111
Calculating a sensitivity of the file, wherein:
n-frequency, i.e. the number of occurrences of sensitive words and their variants in the text;
Sloc(Si) -a position sensitivity;
Ti-a content sensitivity;
s-sensitivity.
In this embodiment of the present invention, the calculation unit 306 further comprises a normalization subunit 311, wherein:
the normalization subunit 311 is configured to perform normalization processing on the sensitivity.
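The text detector of the calculation unit (type from the URL, content and position information of sensitive words and their variants, combination into one file sensitivity, normalization, threshold comparison) is shown below as an added example; it is not the patent's or the applicant's code. The patent's formula survives on this page only as an image reference, so the aggregation used here, S = sum over the n occurrences of S_loc(S_i) * T_i, and the normalization S / (1 + S) are assumptions, as are the sensitive-word table with its content weights T_i, the variant matching (separators inserted between the letters of a word), the position weights S_loc, the suffix-to-type mapping and the threshold. The sample upload is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sensitive-word table: base word -> content sensitivity T_i in [0, 1].
SENSITIVE_WORDS: Dict[str, float] = {
    "password": 1.0,
    "confidential": 0.9,
    "api key": 0.9,
    "secret": 0.7,
}


def _variant_pattern(word: str) -> "re.Pattern[str]":
    """Assumed variant model: the word with any separators between its letters
    ("p-a-s-s-w-o-r-d", "api_key"); the plain word matches as well."""
    letters = [re.escape(ch) for ch in word if not ch.isspace()]
    return re.compile(r"\b" + r"[\W_]*".join(letters) + r"\b", re.IGNORECASE)


PATTERNS: List[Tuple[str, "re.Pattern[str]", float]] = [
    (w, _variant_pattern(w), t) for w, t in SENSITIVE_WORDS.items()
]


@dataclass
class Hit:
    word: str      # base sensitive word that matched
    text: str      # literal text found in the file (word or variant)
    offset: int    # character offset of the match (position information)
    t: float       # content sensitivity T_i
    s_loc: float   # position sensitivity S_loc(S_i)


def file_type_from_url(url: str) -> str:
    """Assumed mapping from the URL's path suffix to a coarse file type."""
    path = urlparse(url).path.lower()
    if path.endswith((".txt", ".md", ".csv", ".log")):
        return "text"
    if path.endswith((".doc", ".docx", ".pdf")):
        return "document"
    return "unknown"


def position_sensitivity(offset: int, text: str) -> float:
    """Assumed S_loc: 1.0 on the title line, 0.8 in the opening tenth of the text, else 0.5."""
    title_end = text.find("\n")
    if title_end == -1:
        title_end = 0                      # single-line file: no title line
    if offset < title_end:
        return 1.0
    if offset < len(text) * 0.1:
        return 0.8
    return 0.5


def find_hits(text: str) -> List[Hit]:
    """Content and position information of every sensitive word / variant occurrence."""
    hits: List[Hit] = []
    for word, pat, t in PATTERNS:
        for m in pat.finditer(text):
            hits.append(Hit(word, m.group(0), m.start(), t,
                            position_sensitivity(m.start(), text)))
    return sorted(hits, key=lambda h: h.offset)


def sensitivity_text(text: str) -> Tuple[float, int]:
    """Return (raw S, n). Assumed aggregation: S = sum_i S_loc(S_i) * T_i over n hits."""
    hits = find_hits(text)
    return sum(h.s_loc * h.t for h in hits), len(hits)


def normalize(s: float) -> float:
    """Assumed normalization onto [0, 1): S / (1 + S), monotone in the raw score."""
    return s / (1.0 + s)


def classify_upload(url: str, content: str, source_ip: str, threshold: float = 0.6) -> dict:
    """Pick the detector by file type; flag the upload and its source IP when S meets the threshold."""
    ftype = file_type_from_url(url)
    if ftype != "text":                    # only the text detector is modelled here
        return {"type": ftype, "scored": False, "suspect": False, "bot_ip": None}
    raw, n = sensitivity_text(content)
    score = normalize(raw)
    suspect = score >= threshold
    return {"type": ftype, "scored": True, "n": n, "raw": raw, "score": round(score, 3),
            "suspect": suspect, "bot_ip": source_ip if suspect else None}


# Constructed sample upload (no real credentials).
SAMPLE_TEXT = (
    "Confidential: customer export\n"
    "admin p-a-s-s-w-o-r-d: hunter2\n"
    "api_key=EXAMPLE_KEY_PLACEHOLDER\n"
    "nothing else here\n"
)

if __name__ == "__main__":
    print(classify_upload("https://cloud.example.invalid/u/export.txt", SAMPLE_TEXT, "198.51.100.23"))
```

On the sample the three hits ("Confidential" on the title line, the spelled-out password and the underscore variant of "api key" in the body) give a raw score of 1.85 and a normalized score of about 0.649, above the assumed 0.6 threshold, so the upload is flagged and its source address is recorded as the bot program IP address.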
In this embodiment of the present invention, the apparatus further comprises a returning module 312, wherein:
the returning module 312 is configured to return a submission success instruction to the bot program when the honey mark file has been submitted successfully.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in a plurality of software and/or hardware when implementing the invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The method and the device for preventing a public cloud disk from being maliciously utilized by a botnet have been introduced in detail above. A specific example was used to explain the principle and implementation of the invention, and the description of the embodiments serves only to help understand the method and the core idea of the invention. Meanwhile, a person skilled in the art may, following the idea of the invention, vary the specific embodiments and their scope of application; in summary, the content of this specification should not be construed as limiting the invention.

Claims (8)

1. A method for preventing a public cloud disk from being maliciously utilized by a botnet, comprising the following steps:
capturing the traffic of a target public cloud disk, and acquiring a suspected secret stealing file in the traffic and the zombie program IP address that uploaded the suspected secret stealing file;
wherein acquiring the suspected secret stealing file in the traffic and the zombie program IP address that uploaded it comprises the following steps:
acquiring the URL address of a file in the traffic and the request source IP address that uploaded the file;
determining the type of the file from the URL address, and calculating the sensitivity of the file with the detection method corresponding to that type;
when the sensitivity of the file meets a preset sensitivity threshold, determining that the file is a suspected secret stealing file and that the request source IP address is a bot program IP address;
when it is detected that the zombie program IP address uploads a request data packet to the target public cloud disk, intercepting the request data packet and, disguised as the zombie program IP address, submitting a honey mark file to the target public cloud disk, wherein the honey mark file is of the same type as the request data packet and carries a tracking watermark;
when it is detected that an attacker downloads and opens the honey mark file, determining the attack IP address of the attacker;
and disabling the attack IP address.
2. The method of claim 1, wherein, when the type is text, calculating the sensitivity of the file with the detection method corresponding to the type comprises:
acquiring content information and position information of the sensitive words and sensitive word variants in the file;
determining the content sensitivity and position sensitivity of the sensitive words and variants from the content information and position information;
calculating the sensitivity of the file according to the formula
Figure FDA0003404856720000011
wherein:
n: the frequency, i.e. the number of occurrences of sensitive words and their variants in the text;
S_loc(S_i): the position sensitivity;
T_i: the content sensitivity;
S: the sensitivity.
3. The method of claim 2, further comprising:
performing normalization processing on the sensitivity.
4. The method of claim 1, further comprising:
when the honey mark file has been submitted successfully, returning a submission success instruction to the zombie program.
5. An apparatus for preventing a public cloud disk from being maliciously utilized by a botnet, comprising:
a capture acquisition module, configured to capture the traffic of a target public cloud disk and to acquire a suspected secret stealing file in the traffic and the zombie program IP address that uploaded the suspected secret stealing file;
wherein the capture acquisition module comprises:
an address acquisition unit, configured to acquire the URL (uniform resource locator) address of a file in the traffic and the request source IP (Internet protocol) address that uploaded the file;
a calculation unit, configured to determine the type of the file from the URL address and to calculate the sensitivity of the file with the detection method corresponding to that type;
a determination unit, configured to determine, when the sensitivity of the file meets a preset sensitivity threshold, that the file is a suspected secret stealing file and that the request source IP address is a bot program IP address;
an intercepting module, configured, when it is detected that the zombie program IP address uploads a request data packet to the target public cloud disk, to intercept the request data packet and, disguised as the zombie program IP address, to submit a honey mark file to the target public cloud disk, wherein the honey mark file is of the same type as the request data packet and carries a tracking watermark;
a determining module, configured to determine the attack IP address of an attacker when it is detected that the attacker downloads and opens the honey mark file;
and a disabling module, configured to disable the attack IP address.
6. The apparatus of claim 5, wherein the calculation unit comprises:
an information acquisition subunit, configured to acquire content information and position information of the sensitive words and sensitive word variants in the file;
a determination subunit, configured to determine the content sensitivity and position sensitivity of the sensitive words and variants from the content information and position information;
a calculation subunit, configured to calculate the sensitivity of the file according to the formula
Figure FDA0003404856720000031
wherein:
n: the frequency, i.e. the number of occurrences of sensitive words and their variants in the text;
S_loc(S_i): the position sensitivity;
T_i: the content sensitivity;
S: the sensitivity.
7. The apparatus of claim 6, further comprising:
a normalization subunit, configured to perform normalization processing on the sensitivity.
8. The apparatus of claim 5, further comprising:
a returning module, configured to return a submission success instruction to the zombie program when the honey mark file has been submitted successfully.
CN201910875679.1A 2019-09-17 2019-09-17 Method and device for preventing public cloud disk from being maliciously utilized by botnet Active CN110602104B (en)


Publications (2)

Publication Number Publication Date
CN110602104A CN110602104A (en) 2019-12-20
CN110602104B true CN110602104B (en) 2022-02-18

Family

ID=68860072




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant