CN110933060B - Excavation Trojan detection system based on flow analysis - Google Patents
Excavation Trojan detection system based on flow analysis Download PDFInfo
- Publication number
- CN110933060B CN110933060B CN201911155285.5A CN201911155285A CN110933060B CN 110933060 B CN110933060 B CN 110933060B CN 201911155285 A CN201911155285 A CN 201911155285A CN 110933060 B CN110933060 B CN 110933060B
- Authority
- CN
- China
- Prior art keywords
- flow
- mining
- network
- excavation
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 75
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 title claims abstract description 68
- 238000009412 basement excavation Methods 0.000 title claims abstract description 32
- 238000005206 flow analysis Methods 0.000 title claims abstract description 13
- 238000005065 mining Methods 0.000 claims abstract description 105
- 238000004891 communication Methods 0.000 claims abstract description 19
- 230000003068 static effect Effects 0.000 claims abstract description 19
- 238000000605 extraction Methods 0.000 claims abstract description 8
- 238000000034 method Methods 0.000 claims description 19
- 238000001914 filtration Methods 0.000 claims description 14
- 238000004422 calculation algorithm Methods 0.000 claims description 11
- 238000012549 training Methods 0.000 claims description 8
- 238000012706 support-vector machine Methods 0.000 claims description 7
- 238000012216 screening Methods 0.000 claims description 4
- 238000007781 pre-processing Methods 0.000 claims description 2
- 230000006399 behavior Effects 0.000 description 27
- 230000008569 process Effects 0.000 description 6
- 230000005540 biological transmission Effects 0.000 description 5
- 230000000694 effects Effects 0.000 description 5
- 230000006870 function Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 230000002159 abnormal effect Effects 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 3
- 238000010801 machine learning Methods 0.000 description 3
- 230000007547 defect Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 208000032170 Congenital Abnormalities Diseases 0.000 description 1
- 241000283086 Equidae Species 0.000 description 1
- 241000700605 Viruses Species 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000013145 classification model Methods 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000002474 experimental method Methods 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a mining Trojan horse detection system based on flow analysis, which relates to the field of computer network safety and comprises a connection mining Trojan horse digging behavior detection subsystem and a p2p mining Trojan horse digging behavior detection subsystem. The invention takes a static pcap data packet or real-time flow as input, can select two modes of detecting connection mine pool excavation and p2p excavation, analyzes the excavation flow therein through field characteristic extraction or communication flow characteristic extraction and identification of the system, and outputs alarm information to a user. The invention can aim at the situations of plaintext communication and ciphertext communication, has the capability of rapidly processing mass data, and can simultaneously meet the requirements of personal hosts and enterprise-level users.
Description
Technical Field
The invention relates to the field of computer network safety, in particular to a mining Trojan horse detection system based on flow analysis.
Background
The blockchain is a huge decentralized account book, and in the decentralized system, the positions of all participating nodes are equal, and in order to maintain the consistency of the blockchain at all nodes, the blockchain system needs all the nodes to follow the same consensus mechanism to achieve consensus. One widely adopted consensus mechanism is the workload certification (PoW) mechanism proposed by the inventor in 2009, in which nodes participating in a block chain network perform "puzzle computation" using computing power (hereinafter, computing power) of a computer to obtain random number answers meeting difficulty requirements, and if the answers are computed and authenticated by the whole network, the nodes possess generation rights and accounting rights of the block and obtain a digital encryption currency profit, which stimulates miners to invest a large amount of computing power in the block chain system, so as to maintain consistency and tamper resistance of the workload certification block chain system.
And malicious mining behaviors are that under the condition that a user does not know or is not allowed, hardware resources and software resources of user terminal equipment are occupied to conduct mining, and therefore digital encryption money is obtained for profit making. Malicious mining activities initiated by an attacker implanting a mining trojan may typically occur on a user's personal computer, an enterprise website or server, a personal cell phone, a network router, and the like. With the development of the digital cryptocurrency market and the increase of the value thereof in recent years, malicious mining attacks have become a threat attack which has the most extensive influence, and threaten enterprise institutions and vast individual netizens. The mining trojans are mainly divided into two types, one type is the trojans invading a host or a cloud server through various modes, the trojans are high in concealment and strong in transmission, a long life cycle can be obtained in the server, mining behaviors can be carried out, the trojans attacking the mining trojans are more and more serious since 2017, and large-scale mining botnet networks such as WannaMine and Mykings appear; another type of mining trojan is a web page mining trojan script, which hides a link pointing to a target mining program in the code of a web page, and when a user accesses the web site, the target mining program is loaded unconsciously for mining, and the mining trojan takes effect only when the user accesses a web page hung with horses. At present, the mining Trojan attack technology is obviously promoted, the malicious mining industry tends to mature, and the value of a damaged computer and network equipment is squeezed to a greater extent by the mutual cooperation of malicious mining families.
The traditional detection method comprises the steps of identifying abnormal high CPU occupancy rate, identifying abnormal high Hash calculation amount, identifying malicious processes or codes of malicious files, monitoring abnormal continuous high-temperature hardware, adopting active defense software to monitor calling of system sensitive resources and functions by a process, adopting a blacklist mechanism to shield a known mine pool address used by the mining Trojan horse and the like, carrying out relatively accurate behavior judgment on the mining Trojan horse on a host layer, however, the judgment method based on the host layer still has the defects, the mining Trojan horse can adopt the Rootkit and other technologies to hide the mining processes, hide characteristics by limiting the CPU utilization rate, using time and other modes, adopting the technical means of adding shells, mixing codes and the like to avoid matching of code segments in a virus library, adopting the 'no-file' technology or process image conversion to hide files, the host-based identification method has congenital defects and deficiencies in resisting various hiding methods.
Accordingly, those skilled in the art have endeavored to develop a mining Trojan detection system that does not rely on host signature detection, but rather is based on flow analysis, to overcome the shortcomings of the existing systems.
Disclosure of Invention
In view of the above-mentioned defects of the prior art, the technical problem to be solved by the present invention is how to detect a mining trojan based on the communication traffic between the host and other nodes on the network.
In order to achieve the purpose, the invention provides a mining Trojan detection system based on flow analysis, which comprises a connection mining Trojan behavior detection subsystem and a p2p mining network mining Trojan behavior detection subsystem.
And furthermore, a detection subsystem connected with the mine excavation trojan behavior detection subsystem comprises a mine excavation trojan detection module with static flow and a mine excavation trojan detection module with dynamic flow, and a signature characteristic detection method is used for filtering and positioning the flow to a data field, matching special character strings, wherein the special character strings comprise method, params, mining, difficulity, blob and nonce, generating a detection report, and sending an alarm and recording the detection report into a log file.
Further, the input of the static flow ore pool excavation Trojan detection module is a static flow pcap packet.
Further, the input of the dynamic-flow mine pit excavation trojan detection module is a pcap packet captured by starting a data packet capturing function according to the selected network card.
Further, the detection subsystem for the mining trojan horse digging behavior of the mining receiving pond comprises the following working steps:
step 101, filtering out data packets with the total length less than 80 bytes;
102, filtering the data packet again, leaving the data packet which meets the length requirement and uses the TCP/IP protocol, reading the length of the TCP header, and positioning the initial position of the data segment according to the lengths of the three protocol headers;
103, extracting a data field part of the data packet, preprocessing a character string according to a json matching rule, and searching a target field by using a character string function, wherein the target field comprises a method, a params, a mining, a difficulty, a blob and a nonce;
and step 104, counting the detected excavation IP addresses and the detected traffic, generating a counting report, giving an IP address list of the excavation behavior and a counting result of the traffic, and giving a suggestion of forbidding or checking to the IP addresses.
Further, the p2p mining network mining Trojan horse excavation behavior detection subsystem comprises a p2p network mining Trojan horse detection module with static flow and a p2p network mining Trojan horse detection module with dynamic flow, pcap packet data are input, filtered, extracted into network flow data according to the definition of the network flow, the characteristics of the network flow data are counted, an Affinity prediction clustering algorithm is carried out according to the characteristics to obtain a p2p network cluster, each p2p network dynamic behavior characteristic is extracted, the network flow data are input into a pre-trained support vector machine for detection, whether the network flow is a p2p mining network is judged, finally, each node is filtered again, a mining node is screened from the p2p mining network, and if the mining node is found, a warning is sent and recorded in a log.
Further, the input of the p2p network mining trojan detection module for static flow is a static flow pcap packet.
Further, the input of the p2p network mining trojan detection module with dynamic flow is a pcap packet captured by starting a data packet capturing function according to the selected network card.
Further, the p2p network mining trojan horse excavation behavior detection subsystem comprises the following working steps:
105, filtering the flow of the common ports (80, 443), and judging that the node is a p2p node if the flow is higher than a set failure rate threshold value according to the connection failure rate statistical result of the target detection node;
step 106, changing the real flow data into statistical flow data according to the concept of network flow data, and extracting specific traffic flow characteristics of each p2p node obtained in step 105, including the number of bytes in a unit data flow, the number of packets in a unit flow, a flow arrival interval, a flow density, and the number of concentrated time period flows;
step 107, carrying out AP algorithm clustering by using the features extracted in the step 106 to obtain p2p network clusters, wherein the clusters comprise possible mining p2p networks and normal p2p application networks, and carrying out mining flow communication flow feature extraction on each p2p network, wherein the mining flow communication flow feature extraction comprises cluster connection features, cluster shared neighbor features, cluster hottest connection features and cluster changeability features;
step 108, inputting the features extracted in the step 106 into a support vector machine, identifying the excavation p2p network, and taking the average value of training features for all nodes if the network is judged to be the excavation p2p network;
step 109, comparing the training characteristics of all the nodes with the average value obtained in the step 107, and further screening out p2p ore excavation nodes;
and step 110, for the p2p mining node detected in step 109, giving an IP address list of the mining-passing behavior and a statistical result of the traffic, generating a statistical report, and giving a recommendation of forbidding or checking to the IP address.
Further, the detected mining trojans are added into a blacklist.
The system for detecting the mining trojans based on the flow analysis detects the mining trojans by using the flow analysis method, and extracts and identifies the characteristics of the mining trojans which are in communication with a mine pool and participate in communication between a p2p network and adjacent nodes according to different communication objects of the mining trojans.
The system can be deployed on a gateway or a router at the boundary of a large network for real-time dynamic monitoring, and can also detect the mining flow in static flow data.
Compared with the traditional mine digging Trojan detection software system, the system has the following advantages: the system can adopt the ore digging behavior of plaintext transmission, such as the ore pool adopting stratum protocol communication, aiming at the conditions of plaintext transmission and ciphertext transmission, and the ore digging Trojan horse behavior detection subsystem connected with the ore pool can accurately match the content of a data field, and adopts the ore digging behavior of ciphertext transmission, such as the Trojan horse participating in p2p network ore digging, and the p2p network ore digging Trojan horse behavior detection subsystem can identify through the analysis of data stream characteristics; and secondly, the system simultaneously meets the requirements of the personal host and the enterprise-level users, and has high real-time performance and high efficiency because the system filters the original data for many times and uses the algorithm of the fastest character string matching and machine learning, thereby meeting the application requirements of two conditions. The system can finally give an analysis report and log information, and a network administrator can find and stop the ore digging behavior in time according to the log and the report, analyze the type of the ore digging trojans infecting the system, perform corresponding protection and effectively prevent the network from being attacked by the ore digging trojans.
The conception, the specific structure and the technical effects of the present invention will be further described with reference to the accompanying drawings to fully understand the objects, the features and the effects of the present invention.
Drawings
FIG. 1 is a diagram of a flow analysis based software architecture for a mining Trojan detection system;
fig. 2 is a flow chart of a p2p mine pool excavation detection model.
Detailed Description
The technical contents of the preferred embodiments of the present invention will be more clearly and easily understood by referring to the drawings attached to the specification. The present invention may be embodied in many different forms of embodiments and the scope of the invention is not limited to the embodiments set forth herein.
In the drawings, structurally identical elements are represented by like reference numerals, and structurally or functionally similar elements are represented by like reference numerals throughout the several views. The size and thickness of each component shown in the drawings are arbitrarily illustrated, and the present invention is not limited to the size and thickness of each component. The thickness of the components may be exaggerated where appropriate in the figures to improve clarity.
The invention relates to a system for detecting an excavated Trojan horse based on flow analysis, which is characterized in that the excavated Trojan horse is identified by using a flow analysis method, and is divided into two types of communication with a mine pool and communication with a neighboring node participating in a p2p network according to different communication objects of the excavated Trojan horse, and a subsystem for detecting the behavior of the excavated Trojan horse connected with the mine pool is constructed based on a method for matching special fields in communication flow; a p2p mining network mining Trojan horse excavation behavior detection subsystem is built on the basis of communication flow feature extraction and a machine learning algorithm. The system is shown in fig. 1, and comprises the following modules:
1) the mine pool excavation Trojan detection module with static flow comprises: inputting static flow pcap packet data by using a signature characteristic detection method, matching special character strings of method, params, mining, difficulity, blob and nonce after filtering and positioning the packet data to a data section, finally generating a detection report, sending an alarm and recording the alarm into a log file;
2) the mine pool excavation Trojan detection module with dynamic flow comprises: automatically starting a data packet capturing function according to the selected network card by using a signature characteristic detection method, matching special character strings of method, params, mining, difficulty, blob and nonce after filtering and positioning each flow packet to a data segment, finally generating a detection report, and sending an alarm and recording the detection report into a log file;
3) static flow p2p network mining trojan detection module: inputting static flow pcap packet data, extracting the static flow pcap packet data into network flow data according to the definition of the network flow after filtering, counting the characteristics of the network flow data, carrying out Affinity prediction clustering algorithm according to the characteristics to obtain a p2p network cluster, extracting dynamic behavior characteristics of each p2p network, inputting the dynamic behavior characteristics into a pre-trained support vector machine for detection, judging whether the network is a p2p mining network, finally filtering each node again, and screening mining nodes from the p2p mining network; if the mining node is found, warning is given and recorded in a log;
4) dynamic flow p2p network mining trojan detection module: capturing data for 1 hour according to a selected network card to obtain a real-time flow data pcap packet for one hour, inputting the real-time flow data pcap packet into a system, extracting the real-time flow data pcap packet into network flow data according to the definition of network flow after filtering, counting the characteristics of the real-time flow data pcap packet, performing Affinity Propagation clustering algorithm according to the characteristics to obtain a p2p network cluster, extracting dynamic behavior characteristics of each p2p network, inputting the dynamic behavior characteristics into a pre-trained support vector machine for detection, judging whether the network is a p2p mining network, finally filtering each node again, and screening mining nodes from the p2p mining network; if a mining node is found, an alert is issued and recorded in the log.
After detecting the mining flow, the system can count the detection condition to generate a report, display the mining flow distribution of the input flow data and the IP address and the port number which need to be checked or forbidden, and record the flow in a log so as to be convenient for a network administrator to check. The information is compared with an established black list of the mining trojans, and if the information is in the black list, the known mining trojans are matched; if the detected mine digging Trojan horse is not in the blacklist, the detected mine digging Trojan horse can be used as a novel threat to be recorded into threat information of the mine digging Trojan horse.
Fig. 2 explains the flow of the p2p network mining trojan detection module in detail:
the upper part of the graph in fig. 2 represents the training process, a supervised learning method is adopted to support a vector machine classification model, the training set comprises labeled data of a p2p mine digging network and a p2p normal application network, and the labeled data is trained by using a connection characteristic representing a dynamic characteristic to ensure that the system has the dynamic characteristic.
The lower half of fig. 2 is a detection process, real-time stream data is input, a p2p cluster is obtained through unsupervised learning clustering, and dynamic detection is performed by using a trained model. The training and testing data are represented as streaming data, i.e., a collection of packets with the same five-tuple (source IP address, destination IP address, source port, destination port, protocol number). And (4) performing feature extraction on the stream data, namely counting the number of bytes in the elementary stream, the number of packets in the elementary stream, the stream arrival interval, the stream density and the number of streams in a centralized time period, and storing the statistics in the csv file. Inputting the csv files into an Affinity prediction clustering algorithm for clustering to obtain a p2p network cluster, extracting dynamic behavior characteristics of each detected p2p network, and inputting the extracted dynamic behavior characteristics into a support vector machine for detection. The dynamic behavior characteristics include: the connection characteristics of the cluster (the sum of the number of connections between each node), the shared neighbor characteristics of the cluster (the ratio of the number of shared connections to the sum of the number of connections), the hottest connection characteristics of the cluster (the connections between some nodes will contribute the most flows), and the changeability characteristics of the cluster (whether a certain p2p network has the same hottest connection set). The vector machine needs to be trained before detection, 24 models are built in the system, one model is trained every hour to meet the dynamic property and detection real-time property of a p2p network, and a proper time period model can be selected according to input data during detection. The vector machine outputs a determination of whether each p2p network is a mine excavation network. And for the network judged to be the mining p2p, taking the average value of the dynamic characteristics, and for all considered nodes, comparing the dynamic characteristics with the obtained average value of the dynamic characteristics to screen out the p2p mining nodes.
Finally, the system obtains the IP address and other flow characteristics of the nodes connecting the mining pool and the mining p2p, the characteristics can be compared with a built-in mining Trojan blacklist, if the characteristics appear in the blacklist, the found nodes can be identified, and if the characteristics do not appear in the blacklist, the nodes can be added into the blacklist.
At present, the attack activity of the mining trojans is very frequent, each common computer or cloud server has the risk of infecting the trojans, regular searching and killing of the mining trojans is an important means for maintaining the safety of the computers, however, the mining trojans can be hidden by using a skillful hiding technology. The system adopts a modular design, the training model, the machine learning algorithm, the clustering algorithm, the signature feature matching rule and the Trojan blacklist can be plugged and unplugged, the more complete and comprehensive mining behavior of the mining Trojan is considered, and the system is suitable for the requirements of a user level and an enterprise level by the time efficiency, the high efficiency and the high detection success rate.
The foregoing detailed description of the preferred embodiments of the invention has been presented. It should be understood that numerous modifications and variations could be devised by those skilled in the art in light of the present teachings without departing from the inventive concepts. Therefore, the technical solutions available to those skilled in the art through logic analysis, reasoning and limited experiments based on the prior art according to the concept of the present invention should be within the scope of protection defined by the claims.
Claims (2)
1. A mining Trojan horse detection system based on flow analysis is characterized by comprising a detection subsystem for detecting the mining Trojan horse behavior of a connecting mine pool and a detection subsystem for detecting the mining Trojan horse behavior of a p2p mining network;
the detection subsystem for the behavior of connecting the mine pit and the mine digging trojan comprises a static flow mine pit and mine digging trojan detection module and a dynamic flow mine pit and mine digging trojan detection module, wherein a signature characteristic detection method is used for filtering flow, matching special character strings after positioning to a data field, generating a detection report, and sending out a warning and recording the detection report into a log file, wherein the special character strings comprise method, params, mining, difficulity, blob and nonce;
the input of the static flow ore pool excavation Trojan horse detection module is a static flow pcap packet;
the input of the dynamic-flow mine pit digging Trojan horse detection module is a pcap packet captured by starting a data packet capturing function according to a selected network card;
the system for detecting the Trojan horse excavation behavior of the connection mine comprises the following working steps:
step 101, filtering out data packets with the total length less than 80 bytes;
102, filtering the data packet again, leaving the data packet which meets the length requirement and uses the TCP/IP protocol, reading the length of the TCP header, and positioning the initial position of the data segment according to the lengths of the three protocol headers;
103, extracting a data field part of the data packet, preprocessing a character string according to a json matching rule, and searching a target field by using a character string function, wherein the target field comprises a method, a params, a mining, a difficulty, a blob and a nonce;
step 104, counting the detected excavation IP addresses and communication traffic, generating a counting report, giving an IP address list of the excavation behavior and a counting result of the communication traffic, and giving a suggestion of forbidding or checking to the IP addresses;
the p2p mining network mining Trojan horse behavior detection subsystem comprises a p2p network mining Trojan horse detection module with static flow and a p2p network mining Trojan horse detection module with dynamic flow, pcap packet data are input, filtered, extracted into network flow data according to the definition of network flow, the characteristics of the network flow data are counted, an Affinity prediction clustering algorithm is carried out according to the characteristics to obtain a p2p network cluster, each p2p network dynamic behavior characteristic is extracted, the network flow data are input into a pre-trained support vector machine for detection, whether the network flow is a p2p mining network is judged, finally, each node is filtered again, a mining node is screened from the p2p mining network, and if the mining node is found, a warning is sent and recorded in a log;
the input of the p2p network mining trojan detection module for the static flow is a static flow pcap packet;
the input of the p2p network mining trojan detection module with dynamic flow is a pcap packet captured by starting a data packet capturing function according to a selected network card;
the p2p network mining trojan horse excavation behavior detection subsystem comprises the following working steps:
105, filtering the flow of the common ports 80 and 443, and determining that the node is a p2p node if the connection failure rate statistical result of the target detection node is higher than a set failure rate threshold;
step 106, changing the real flow data into statistical flow data according to the concept of network flow data, and extracting specific traffic flow characteristics of each p2p node obtained in step 105, including the number of bytes in a unit data flow, the number of packets in a unit flow, a flow arrival interval, a flow density, and the number of concentrated time period flows;
step 107, carrying out Affinity probability clustering algorithm clustering on the features extracted in the step 106 to obtain p2p network clusters, wherein the clusters comprise possible ore excavation p2p networks and normal p2p application networks, and carrying out ore excavation flow communication flow feature extraction on each p2p network, wherein the communication flow feature extraction comprises cluster connection features, cluster shared neighbor features, cluster hottest connection features and cluster changeability features; the connection characteristic of the cluster refers to the sum of the number of connections among the nodes, the shared neighbor characteristic of the cluster refers to the ratio of the number of shared connections to the sum of the number of connections, the hottest connection characteristic of the cluster refers to the flow with the most contribution of the connections among the nodes, and the changeability characteristic of the cluster refers to the same hottest connection set of the p2p network;
step 108, inputting the features extracted in the step 106 into a support vector machine, identifying the excavation p2p network, and taking the average value of training features for all nodes if the network is judged to be the excavation p2p network;
step 109, comparing the training characteristics of all the nodes with the average value obtained in step 108, and further screening out p2p ore excavation nodes;
and step 110, for the p2p mining node detected in step 109, giving an IP address list of the mining-passing behavior and a statistical result of the traffic, generating a statistical report, and giving a recommendation of forbidding or checking to the IP address.
2. The flow analysis-based mining trojan detection system of claim 1, wherein detected mining trojans are added to a blacklist.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911155285.5A CN110933060B (en) | 2019-11-22 | 2019-11-22 | Excavation Trojan detection system based on flow analysis |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911155285.5A CN110933060B (en) | 2019-11-22 | 2019-11-22 | Excavation Trojan detection system based on flow analysis |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110933060A CN110933060A (en) | 2020-03-27 |
| CN110933060B true CN110933060B (en) | 2021-10-22 |
Family
ID=69850713
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911155285.5A Active CN110933060B (en) | 2019-11-22 | 2019-11-22 | Excavation Trojan detection system based on flow analysis |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110933060B (en) |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112887272B (en) * | 2021-01-12 | 2022-06-28 | 绍兴文理学院 | Device and method for controlling ore excavation attack surface in sensing edge cloud task unloading |
| CN112787954A (en) * | 2021-01-26 | 2021-05-11 | 武汉思普崚技术有限公司 | Encrypted ore excavation flow identification method, system, device and storage medium |
| CN113518073B (en) * | 2021-05-05 | 2022-07-19 | 东南大学 | Method for rapidly identifying bit currency mining botnet flow |
| CN113868088A (en) * | 2021-09-29 | 2021-12-31 | 杭州默安科技有限公司 | Detection method and system for mining excavation behavior and computer readable storage medium |
| CN114065204A (en) * | 2021-11-29 | 2022-02-18 | 中国工商银行股份有限公司 | File-free Trojan horse searching and killing method and device |
| CN114697086B (en) * | 2022-03-17 | 2024-06-18 | 浪潮云信息技术股份公司 | Mining Trojan detection method based on depth typical correlation analysis |
| CN115134276B (en) * | 2022-05-12 | 2023-12-08 | 亚信科技(成都)有限公司 | Mining flow detection method and device |
| CN115801466B (en) * | 2023-02-08 | 2023-05-02 | 北京升鑫网络科技有限公司 | Flow-based mining script detection method and device |
| CN117768243B (en) * | 2024-02-21 | 2024-05-31 | 中国信息通信研究院 | Behavior monitoring method and system for virtual digital currency |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108183900A (en) * | 2017-12-28 | 2018-06-19 | 北京奇虎科技有限公司 | A kind of method, server, client and system for digging the detection of ore deposit script |
| CN108363925A (en) * | 2018-03-16 | 2018-08-03 | 北京奇虎科技有限公司 | Webpage digs recognition methods and the device of mine script |
| CN108427883A (en) * | 2018-03-16 | 2018-08-21 | 北京奇虎科技有限公司 | Webpage digs the detection method and device of mine script |
| CN108563946A (en) * | 2018-04-17 | 2018-09-21 | 广州大学 | A kind of browser digs method, browser plug-in and the system of mine behavioral value |
| CN108829829A (en) * | 2018-06-15 | 2018-11-16 | 深信服科技股份有限公司 | Detect method, system, device and storage medium that ideal money digs mine program |
| CN108900496A (en) * | 2018-06-22 | 2018-11-27 | 杭州安恒信息技术股份有限公司 | A kind of quick detection website is implanted the detection method and device of digging mine wooden horse |
| CN109347806A (en) * | 2018-09-20 | 2019-02-15 | 天津大学 | A kind of the digging mine malware detection system and method for Intrusion Detection based on host monitoring technology |
| CN109446809A (en) * | 2018-10-31 | 2019-03-08 | 北斗智谷(北京)安全技术有限公司 | A kind of recognition methods of rogue program and electronic equipment |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108427884B (en) * | 2018-03-16 | 2021-09-10 | 北京奇虎科技有限公司 | Warning method and device for webpage ore mining script |
| CN108399337B (en) * | 2018-03-16 | 2021-07-30 | 北京奇虎科技有限公司 | Method and device for identifying webpage ore mining script |
-
2019
- 2019-11-22 CN CN201911155285.5A patent/CN110933060B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108183900A (en) * | 2017-12-28 | 2018-06-19 | 北京奇虎科技有限公司 | A kind of method, server, client and system for digging the detection of ore deposit script |
| CN108363925A (en) * | 2018-03-16 | 2018-08-03 | 北京奇虎科技有限公司 | Webpage digs recognition methods and the device of mine script |
| CN108427883A (en) * | 2018-03-16 | 2018-08-21 | 北京奇虎科技有限公司 | Webpage digs the detection method and device of mine script |
| CN108563946A (en) * | 2018-04-17 | 2018-09-21 | 广州大学 | A kind of browser digs method, browser plug-in and the system of mine behavioral value |
| CN108829829A (en) * | 2018-06-15 | 2018-11-16 | 深信服科技股份有限公司 | Detect method, system, device and storage medium that ideal money digs mine program |
| CN108900496A (en) * | 2018-06-22 | 2018-11-27 | 杭州安恒信息技术股份有限公司 | A kind of quick detection website is implanted the detection method and device of digging mine wooden horse |
| CN109347806A (en) * | 2018-09-20 | 2019-02-15 | 天津大学 | A kind of the digging mine malware detection system and method for Intrusion Detection based on host monitoring technology |
| CN109446809A (en) * | 2018-10-31 | 2019-03-08 | 北斗智谷(北京)安全技术有限公司 | A kind of recognition methods of rogue program and electronic equipment |
Non-Patent Citations (4)
| Title |
|---|
| "An adaptive multi-layer botnet detection technique using machine learning classifiers";Khan R U, Zhang X, Kumar R, et al.;《Applied Sciences》;20190611;第9卷(第2375期);第1-22页 * |
| "Detecting P2P botnets through network behavior analysis and machine learning";Saad S, Traore I, Ghorbani A, et al.;《2011 Ninth annual international conference on privacy, security and trust. IEEE》;20110730;第174-180页 * |
| "suricata下的挖矿行为检测";charm1y;《FreeBuf,原文链接:https://www.freebuf.com/articles/network/195171.htm》;20190207;第1-5页 * |
| "教你检测门罗币挖矿木马";MS016小组;《博客园,原文链接:https://www.cnblogs.com/ms016/p/7978880.html》;20171204;第1-5页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110933060A (en) | 2020-03-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110933060B (en) | Excavation Trojan detection system based on flow analysis | |
| Nisioti et al. | From intrusion detection to attacker attribution: A comprehensive survey of unsupervised methods | |
| Aljawarneh et al. | Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model | |
| Hosseini et al. | The hybrid technique for DDoS detection with supervised learning algorithms | |
| CN111935170B (en) | Network abnormal flow detection method, device and equipment | |
| Li et al. | DDoS attack detection based on neural network | |
| Li et al. | A network behavior-based botnet detection mechanism using PSO and K-means | |
| Jongsuebsuk et al. | Real-time intrusion detection with fuzzy genetic algorithm | |
| Singla et al. | How deep learning is making information security more intelligent | |
| Krishnaveni et al. | Ensemble approach for network threat detection and classification on cloud computing | |
| Xue et al. | Design and implementation of a malware detection system based on network behavior | |
| Dai et al. | Eclipse attack detection for blockchain network layer based on deep feature extraction | |
| BACHAR et al. | Towards a behavioral network intrusion detection system based on the SVM model | |
| CN117478403A (en) | Whole scene network security threat association analysis method and system | |
| Abulaish et al. | Socialbots: Impacts, threat-dimensions, and defense challenges | |
| Shamsolmoali et al. | C2DF: High rate DDOS filtering method in cloud computing | |
| Srinivasan et al. | ENetRM: ElasticNet Regression Model based malicious cyber-attacks prediction in real-time server | |
| Shalini et al. | DOCUS-DDoS detection in SDN using modified CUSUM with flash traffic discrimination and mitigation | |
| Yadav et al. | Comparative study of datasets used in cyber security intrusion detection | |
| Kumar et al. | Malware Attack Detection in Large Scale Networks using the Ensemble Deep Restricted Boltzmann Machine | |
| Yang et al. | Botnet detection based on machine learning | |
| Tian et al. | Large-scale network intrusion detection based on distributed learning algorithm | |
| Abou Haidar et al. | High perception intrusion detection system using neural networks | |
| Ruiz et al. | Intrusion detection system: The use of neural network packet classification | |
| Chen et al. | Unveiling encrypted traffic types through hierarchical network characteristics |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20230307 Address after: No. 588, Longchang Road, Yangpu District, Shanghai, 200090_ Room 2602-60, 26th floor, No. 1 Patentee after: SHANGHAI SHIYUE COMPUTER TECHNOLOGY Co.,Ltd. Address before: 200240 No. 800, Dongchuan Road, Shanghai, Minhang District Patentee before: SHANGHAI JIAO TONG University |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: A mining Trojan detection system based on traffic analysis Granted publication date: 20211022 Pledgee: Shanghai Rural Commercial Bank Co.,Ltd. Putuo Sub branch Pledgor: SHANGHAI SHIYUE COMPUTER TECHNOLOGY Co.,Ltd. Registration number: Y2024310000689 |