CN111225079A - Method, device, storage medium and device for locating geographical position of malicious software author - Google Patents


Info

Publication number
CN111225079A
Authority
CN
China
Prior art keywords
address
author
target
information
malicious software
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911424373.0A
Other languages
Chinese (zh)
Other versions
CN111225079B (en)
Inventor
许益鑫
边亮
辛流通
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou 360 Intelligent Security Technology Co Ltd
Original Assignee
Suzhou 360 Intelligent Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou 360 Intelligent Security Technology Co Ltd
Priority to CN201911424373.0A
Publication of CN111225079A
Application granted
Publication of CN111225079B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/69 Types of network addresses using geographic information, e.g. room number
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/101 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00, applying security measures for digital rights management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, equipment, a storage medium and a device for locating the geographical position of a malicious software author. The method comprises the following steps: acquiring a target external network IP address of the user terminal of a malicious software author; searching for a reference IP address according to the target external network IP address; searching for corresponding reference geographical position information according to the reference IP address; and determining target geographical position information of the malicious software author according to the reference geographical position information. Because the target geographical position information of the malicious software author is determined from the target external network IP address, the geographical position of the malicious software author can be located accurately, the author can be tracked, the source of malicious software publication can be traced in time, and the control of network security is facilitated.

Description

Method, device, storage medium and device for locating geographical position of malicious software author
Technical Field
The invention relates to the technical field of network security, in particular to a method, equipment, a storage medium and a device for locating the geographical position of a malicious software author.
Background
At present, malicious software and malicious software authors are identified on the basis of samples, for example 9 million samples per day. The static rules that malicious software conforms to are matched, and according to the matching results the samples are classified as malicious software authors (also called hackers), gray guests and white guests; the gray guests are suspects that may or may not be malicious software authors and need further judgment, so behavior rules are obtained and used to judge whether the software is an ordinary trojan, an advanced trojan or a normal program. The analysis result based on static rules is then combined with the analysis result based on behavior rules for manual correlation analysis: the information on the malicious software author's historical versions is acquired, features are extracted, and the language, working hours and call-back control Internet Protocol (IP) addresses are analyzed to further identify whether the hacker is a domestic hacker or a foreign organization. However, the specific geographical location of the malicious software author cannot be obtained, so the author cannot be tracked and continues to release malicious software, threatening network security.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, equipment, a storage medium and a device for locating the geographical position of a malicious software author, and aims to solve the technical problem in the prior art that the malicious software author cannot be tracked and continuously releases malicious software, so that network security is threatened.
In order to achieve the above object, the present invention provides a method for locating a geographical position of a malware author, including the following steps:
acquiring a target external network IP address of a user terminal of a malicious software author;
searching a reference IP address according to the target external network IP address;
searching corresponding reference geographical position information according to the reference IP address;
and determining target geographical location information of the malicious software author according to the reference geographical location information.
Preferably, the searching for the corresponding reference geographical location information according to the reference IP address specifically includes:
and searching corresponding reference geographical position information from a mapping relation table according to the reference IP address, wherein the mapping relation table comprises the corresponding relation between the external network IP address and the geographical position information.
Preferably, before looking up the corresponding reference geographical location information from the mapping relation table according to the reference IP address, the method for locating the geographical location of the malware author further includes:
capturing POI information through a web spider;
extracting the corresponding relation between the geographical position information and the actual IP address from the POI information;
and establishing a mapping relation table according to the corresponding relation between the geographical position information and the actual IP address.
Preferably, the searching for the reference IP address according to the target external network IP address specifically includes:
searching an actual IP address close to the target external network IP address from the mapping relation table;
and taking the actual IP address close to the target external network IP address as a reference IP address.
Preferably, the searching for the actual IP address close to the target external network IP address from the mapping relationship table specifically includes:
acquiring other characters except the last character in the target external network IP address as target characters;
acquiring other characters except the last character of each actual IP address in the mapping relation table as actual characters;
matching the target character with each actual character;
and if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the actual IP address close to the target external network IP address.
Preferably, if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the actual IP address close to the target external network IP address, specifically including:
if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the matched IP address;
judging whether the number of the matched IP addresses is larger than a preset number or not;
when the number of the matched IP addresses is larger than the preset number, calculating a difference value between the last character in the target external network IP address and the last character in each matched IP address;
and taking the matched IP address corresponding to the minimum difference value as an actual IP address close to the target external network IP address.
Preferably, the determining the target geographical location information of the malware author according to the reference geographical location information specifically includes:
judging whether the reference geographical position information meets the configuration terminal condition;
and if the reference geographical position information meets the configuration terminal condition, taking the reference geographical position information as the target geographical position information of the malicious software author.
Preferably, after judging whether the reference geographical position information meets the configuration terminal condition, the method for locating the geographical position of the malware author further includes:
if the reference geographical position information does not meet the configuration terminal condition, acquiring a plurality of pieces of geographical position information to be determined within a preset distance range centered on the reference geographical position information;
judging whether the geographical position information to be determined meets the configuration terminal condition;
and taking the geographical position information to be determined which meets the configuration terminal condition as the target geographical position information of the malicious software author.
Preferably, the acquiring the target external network IP address of the user terminal of the malware author specifically includes:
acquiring running information of the user terminal of the malicious software author in a preset time period;
extracting a plurality of corresponding IP addresses to be confirmed from the running information;
calculating the occurrence frequency of each IP address to be confirmed in the preset time period;
and taking the IP address to be confirmed with the highest occurrence frequency as the target external network IP address of the user terminal.
Preferably, the extracting the plurality of corresponding IP addresses to be confirmed from the running information specifically includes:
extracting the MAC address of the user terminal from the running information;
and searching for a plurality of corresponding IP addresses to be confirmed according to the MAC address.
Preferably, the acquiring the target external network IP address of the user terminal of the malware author specifically includes:
acquiring running information of a user terminal of a malicious software author;
judging whether a preset operation type exists in the running information or not;
if the preset operation type exists in the running information, acquiring operation time corresponding to the preset operation type;
and searching a corresponding target external network IP address according to the operation time.
Preferably, the determining whether the preset operation type exists in the running information specifically includes:
extracting a webpage address corresponding to the user operation from the running information;
acquiring target master station information of the webpage address;
judging whether a target page corresponding to the webpage address is a normal page or not according to the target master station information;
and when the target page is a normal page, determining that a preset operation type exists in the running information.
Preferably, the determining, according to the target master station information, whether the target page corresponding to the web address is a normal page specifically includes:
matching the target master station information with master station information in a preset master station information base;
and if the matching is successful, determining that the target page corresponding to the webpage address is a normal page.
Preferably, the preset operation type includes browsing a webpage, online shopping, playing a game or watching a video.
In addition, in order to achieve the above object, the present invention further provides a malware author geolocation positioning device, which includes a memory, a processor, and a malware author geolocation positioning program stored on the memory and executable on the processor, where the malware author geolocation positioning program is configured to implement the steps of the malware author geolocation positioning method described above.
In addition, to achieve the above object, the present invention further provides a storage medium on which a malware author geographical location program is stored; when the program is executed by a processor, it implements the steps of the malware author geographical location method as described above.
In addition, in order to achieve the above object, the present invention further provides a malware author geographical position locating device, including:
the acquisition module is used for acquiring a target external network IP address of a user terminal of a malicious software author;
the searching module is used for searching a reference IP address according to the target external network IP address;
the searching module is further used for searching corresponding reference geographical position information according to the reference IP address;
and the positioning module is used for determining the target geographical position information of the malicious software author according to the reference geographical position information.
Preferably, the searching module is further configured to search for corresponding reference geographic location information from a mapping relationship table according to the reference IP address, where the mapping relationship table includes a correspondence between an external network IP address and geographic location information.
Preferably, the malware author geographical position locating device further comprises:
the capturing module is used for capturing POI information through a web spider;
the extraction module is used for extracting the corresponding relation between the geographic position information and the actual IP address from the POI information;
and the establishing module is used for establishing a mapping relation table according to the corresponding relation between the geographic position information and the actual IP address.
Preferably, the searching module is further configured to search an actual IP address close to the target external network IP address from the mapping relationship table; and taking the actual IP address close to the target external network IP address as a reference IP address.
In the invention, a target external network IP address of the user terminal of a malicious software author is obtained, and a reference IP address is searched for according to the target external network IP address. Because the malicious software author usually hides the external network IP address, the target external network IP address cannot be resolved to a corresponding geographical position, so a reference IP address is searched for in order to find the corresponding geographical position. Corresponding reference geographical position information is then searched for according to the reference IP address, and the target geographical position information of the malicious software author is determined according to the reference geographical position information. Determining the target geographical position information through the reference IP address allows the geographical position of the malicious software author to be located accurately, so that the author can be tracked and the source of malicious software publication traced in time, which is beneficial to the control of network security.
Drawings
FIG. 1 is a schematic structural diagram of a malware author geographical location positioning device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a method for locating a geographical position of a malware author in accordance with the present invention;
FIG. 3 is a flowchart illustrating a second embodiment of a method for locating a geographical position of an author of malware according to the present invention;
FIG. 4 is a flowchart illustrating a third embodiment of a method for locating a geographical position of an author of malware according to the present invention;
FIG. 5 is a flowchart illustrating a fourth embodiment of a method for locating a geographical position of an author of malware according to the present invention;
FIG. 6 is a block diagram of the first and second embodiments of the malware author geolocation locating device of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a malware author geographical location positioning device of a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the malware author geolocation locating device may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen (Display), and may optionally further include a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless Fidelity (Wi-Fi) interface). The memory 1005 may be a Random Access Memory (RAM) or a Non-volatile Memory (NVM), such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 does not constitute a limitation of the malware author geolocation locating device, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, memory 1005, which is one type of computer storage medium, may include an operating system, a network communication module, a user interface module, and a malware author geolocation program.
In the malware author geolocation positioning device shown in fig. 1, the network interface 1004 is mainly used to connect to a backend server, and perform data communication with the backend server; the user interface 1003 is mainly used for connecting user equipment; the malware author geographical location device invokes a malware author geographical location program stored in the memory 1005 through the processor 1001, and executes the malware author geographical location method provided by the embodiment of the present invention.
The malware author geolocation device invokes, through the processor 1001, a malware author geolocation program stored in the memory 1005, and performs the following operations:
acquiring a target external network IP address of a user terminal of a malicious software author;
searching a reference IP address according to the target external network IP address;
searching corresponding reference geographical position information according to the reference IP address;
and determining target geographical location information of the malicious software author according to the reference geographical location information.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
and searching corresponding reference geographical position information from a mapping relation table according to the reference IP address, wherein the mapping relation table comprises the corresponding relation between the external network IP address and the geographical position information.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
capturing POI information through a web spider;
extracting the corresponding relation between the geographical position information and the actual IP address from the POI information;
and establishing a mapping relation table according to the corresponding relation between the geographical position information and the actual IP address.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
searching an actual IP address close to the target external network IP address from the mapping relation table;
and taking the actual IP address close to the target external network IP address as a reference IP address.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
acquiring other characters except the last character in the target external network IP address as target characters;
acquiring other characters except the last character of each actual IP address in the mapping relation table as actual characters;
matching the target character with each actual character;
and if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the actual IP address close to the target external network IP address.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the matched IP address;
judging whether the number of the matched IP addresses is larger than a preset number or not;
when the number of the matched IP addresses is larger than the preset number, calculating a difference value between the last character in the target external network IP address and the last character in each matched IP address;
and taking the matched IP address corresponding to the minimum difference value as an actual IP address close to the target external network IP address.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
judging whether the reference geographical position information meets the configuration terminal condition;
and if the reference geographical position information meets the configuration terminal condition, taking the reference geographical position information as the target geographical position information of the malicious software author.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
if the reference geographical position information does not meet the configuration terminal condition, acquiring a plurality of pieces of geographical position information to be determined within a preset distance range centered on the reference geographical position information;
judging whether the geographical position information to be determined meets the configuration terminal condition;
and taking the geographical position information to be determined which meets the configuration terminal condition as the target geographical position information of the malicious software author.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
acquiring running information of the user terminal of the malicious software author in a preset time period;
extracting a plurality of corresponding IP addresses to be confirmed from the running information;
calculating the occurrence frequency of each IP address to be confirmed in the preset time period;
and taking the IP address to be confirmed with the highest occurrence frequency as the target external network IP address of the user terminal.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
extracting the MAC address of the user terminal from the running information;
and searching for a plurality of corresponding IP addresses to be confirmed according to the MAC address.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
acquiring running information of a user terminal of a malicious software author;
judging whether a preset operation type exists in the running information or not;
if the preset operation type exists in the running information, acquiring operation time corresponding to the preset operation type;
and searching a corresponding target external network IP address according to the operation time.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
extracting a webpage address corresponding to the user operation from the running information;
acquiring target master station information of the webpage address;
judging whether a target page corresponding to the webpage address is a normal page or not according to the target master station information;
and when the target page is a normal page, determining that a preset operation type exists in the running information.
Further, the malware author geolocation device invokes, through the processor 1001, the malware author geolocation program stored in the memory 1005, to further perform the following operations:
matching the target master station information with master station information in a preset master station information base;
and if the matching is successful, determining that the target page corresponding to the webpage address is a normal page.
In this embodiment, a target external network IP address of the user terminal of a malicious software author is obtained, and a reference IP address is searched for according to the target external network IP address. Because the malicious software author usually hides the external network IP address, the target external network IP address cannot be resolved to a corresponding geographical location, so a reference IP address is searched for in order to find the corresponding geographical location. Corresponding reference geographical position information is then searched for according to the reference IP address, and the target geographical position information of the malicious software author is determined according to the reference geographical position information. Determining the target geographical position information through the reference IP address allows the geographical position of the malicious software author to be located accurately, so that the author can be tracked and the source of malicious software publication traced in time, which is beneficial to the control of network security.
Based on the hardware structure, the embodiment of the method for positioning the geographical position of the malicious software author is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of a method for locating a geographical position of a malware author of the present invention, and provides the first embodiment of the method for locating a geographical position of a malware author of the present invention.
In a first embodiment, the malware author geographical location positioning method comprises the following steps:
step S10: and acquiring a target external network IP address of the user terminal of the malicious software author.
It should be understood that the execution subject of the present embodiment is the malware author geolocation device, and the malware author geolocation device may be an electronic device such as a personal computer or a server, which is not limited in this embodiment. The running log of the user terminal of the malicious software author can be obtained, the running information of the user terminal is extracted from the running log, and the target external network IP address of the user terminal is obtained according to the running information.
Step S20: searching for a reference IP address according to the target external network IP address.
It will be appreciated that, in order to avoid being traced, malware authors often change their external network IP address, and the changed address typically has no actual geographic location corresponding to it. An IP address that does have an actual geographic location and is close to the target external network IP address can therefore be looked up and used as the reference address. Usually the correspondence between IP addresses and geographic location information is collected in advance and a mapping relationship table is established, so that every IP address stored in the table has actual geographic location information corresponding to it. The target external network IP address is matched against the IP addresses in the mapping table to find a reference IP address close to it.
Step S30: searching for corresponding reference geographic location information according to the reference IP address.
It should be noted that the mapping relationship table holds the correspondence between IP addresses and geographic locations, and the reference geographic location information is looked up in this table according to the reference IP address. The mapping relationship table may be built from points of interest (POIs), where each POI carries geographic location information and IP address information. Further, it is judged whether the reference geographic location information satisfies the terminal configuration condition; if so, it can be used as the target geographic location information of the malware author.
Step S40: determining target geographic location information of the malware author according to the reference geographic location information.
It can be understood that it is judged whether the reference geographic location information satisfies the terminal configuration condition, and if so, the reference geographic location information is taken as the target geographic location information of the malware author. The terminal configuration condition asks whether the place is suitable for a terminal device to be set up: an office building, for example, is usually suitable for configuring a terminal device such as a computer, so if the reference geographic location information describes an office building, the condition is considered satisfied. Places where a personal computer can be set up, such as office buildings, machine rooms, internet cafes and supermarkets, are each taken as a terminal configuration condition; the reference geographic location information is matched against these conditions, and if the matching succeeds the reference geographic location information is considered to satisfy the terminal configuration condition and can be used as the target geographic location information of the malware author. In this embodiment, step S40 includes: judging whether the reference geographic location information satisfies the terminal configuration condition; and, if it does, taking the reference geographic location information as the target geographic location information of the malware author.
Further, after judging whether the reference geographic location information satisfies the terminal configuration condition, the method further includes: if the reference geographic location does not satisfy the terminal configuration condition, acquiring a plurality of pieces of geographic location information to be determined within a preset distance range centred on the reference geographic location information; judging whether each piece of geographic location information to be determined satisfies the terminal configuration condition; and taking the geographic location information to be determined that satisfies the terminal configuration condition as the target geographic location information of the malware author.
It should be noted that, if the reference geographic location information does not satisfy the terminal configuration condition, a plurality of pieces of geographic location information to be determined are acquired within a preset distance range centred on the reference geographic location information. The preset distance range may be set from an empirical value: taking the conventional length and width of the floor area of an office building as an example, the length of the floor area is used as the preset distance range. It may also be obtained from big-data analysis or set in another manner, which this embodiment does not limit. Each piece of geographic location information to be determined within the preset distance range is judged against the terminal configuration condition, and the pieces that satisfy it are taken as the target geographic location information of the malware author. If several pieces of geographic location information to be determined satisfy the terminal configuration condition, the one closest to the reference geographic location information is used as the target geographic location information of the malware author.
If the terminal configuration condition is still not met, the preset distance range can be reset to a larger distance, the geographic location information to be determined at the longer distance is acquired and judged again against the terminal configuration condition, and this repeats until geographic location information satisfying the condition is found, which is then used as the target geographic location information of the malware author.
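As an added worked example (not code from the patent), the following Python sketch implements step S40 and the extension just described: a constructed list of POIs with a category field stands in for the reference and to-be-determined geographic location information, the terminal configuration condition is modelled as a category whitelist built from the places named above, distances are computed with the haversine formula, and the preset distance range is doubled each round until a qualifying place is found, preferring the closest one. The names, categories, coordinates and the 5 km stop condition are all constructed assumptions.

```python
import math
from typing import List, Optional, Tuple

# A POI as (name, category, latitude, longitude); all values constructed.
POI = Tuple[str, str, float, float]

# Categories of places suitable for configuring a terminal device, taken
# from the places the embodiment names (office buildings, machine rooms,
# internet cafes, supermarkets).
TERMINAL_CATEGORIES = {"office building", "machine room", "internet cafe", "supermarket"}

# Constructed POI sample: the reference location (a park) does not satisfy
# the terminal configuration condition; the nearest neighbour (a cinema)
# does not either, the next nearest (a supermarket) does.
POIS: List[POI] = [
    ("Riverside Park", "park", 31.2300, 121.4700),                      # reference
    ("City Cinema", "cinema", 31.2302, 121.4702),                       # ~29 m away
    ("Corner Supermarket", "supermarket", 31.2304, 121.4705),           # ~65 m away
    ("Block A Office Building", "office building", 31.2312, 121.4712),  # ~175 m away
]


def meets_terminal_condition(poi: POI) -> bool:
    """Terminal configuration condition: is this a place where a terminal
    device such as a personal computer is normally set up?"""
    return poi[1] in TERMINAL_CATEGORIES


def distance_m(a: POI, b: POI) -> float:
    """Great-circle distance between two POIs in metres (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[2], a[3], b[2], b[3]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def locations_within(center: POI, pois: List[POI], radius_m: float) -> List[POI]:
    """Geographic location information to be determined: every other POI
    inside the preset distance range around the reference location."""
    return [p for p in pois if p != center and distance_m(center, p) <= radius_m]


def determine_target_location(reference: POI, pois: List[POI],
                              preset_distance_m: float = 60.0,
                              max_distance_m: float = 5000.0) -> Optional[POI]:
    """Step S40 with its extension: accept the reference location if it
    satisfies the condition; otherwise widen the preset distance range
    (doubling it each round) until a qualifying place is found, and return
    the qualifying place closest to the reference. Returns None when nothing
    qualifies within max_distance_m (an added bound; the patent sets none)."""
    if meets_terminal_condition(reference):
        return reference
    radius = preset_distance_m
    while radius <= max_distance_m:
        qualifying = [p for p in locations_within(reference, pois, radius)
                      if meets_terminal_condition(p)]
        if qualifying:
            return min(qualifying, key=lambda p: distance_m(reference, p))
        radius *= 2
    return None


if __name__ == "__main__":
    result = determine_target_location(POIS[0], POIS)
    print(result[0] if result else "no qualifying place")
```

With the sample data the first round (60 m) only reaches the cinema, which fails the condition, so the range is widened to 120 m and the supermarket is returned; the office building, though qualifying, is farther away and therefore not chosen.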
In this embodiment, the target external network IP address of the malware author's user terminal is obtained and a reference IP address is searched for according to it. Because a malware author usually hides the real external network IP address, the target external network IP address itself cannot be resolved to a geographic location, so the reference IP address is searched for in order to find a corresponding geographic location. Reference geographic location information is then looked up according to the reference IP address, and the target geographic location information of the malware author is determined from that reference geographic location information. Determining the target geographic location information through the reference IP address accurately locates the geographical position of the malware author, so that the author and the malware's publishing source can be tracked in time, which is beneficial to the control of network security.
Referring to fig. 3, fig. 3 is a flowchart of a second embodiment of the method for locating the geographical position of a malware author according to the present invention; the second embodiment is proposed based on the first embodiment illustrated in fig. 2.
In the second embodiment, the step S30 includes:
Step S301: searching for corresponding reference geographic location information in a mapping relationship table according to the reference IP address, where the mapping relationship table holds the correspondence between external network IP addresses and geographic location information.
In a specific implementation, the mapping relationship table includes a corresponding relationship between an external network IP address and geographic location information, and reference geographic location information corresponding to the reference IP address can be searched from the mapping relationship table.
In this embodiment, before the step S301, the method for locating the geographical position of the malware author further includes:
capturing POI information through a web spider; extracting the corresponding relation between the geographical position information and the actual IP address from the POI information; and establishing a mapping relation table according to the corresponding relation between the geographical position information and the actual IP address.
It is understood that each POI contains four pieces of information: a name, a category, coordinates and a classification. A POI can represent a building, a shop, a scenic spot and the like; points of interest cover the branches of the road conditions around a user and detailed information about the surrounding buildings. The POI includes geographic location information and IP address information. POI information can be collected with an information capturing tool, information extraction is performed on it to obtain the correspondence between geographic location information and IP address information, and the mapping relationship table is established from that correspondence. The information capturing tool may be an information collecting tool such as a web spider or web crawler.
In this embodiment, the step S20 includes:
Step S201: searching the mapping relationship table for an actual IP address close to the target external network IP address.
It should be understood that, in general, IP addresses are geographically close only when they differ in the last character. For example, if the target external network IP address is 47.16.45.39 and the mapping table contains the actual IP address 47.16.45.35, then 47.16.45.35 is used as the actual IP address close to the target external network IP address; here the gap in the last character is generally 10 or less, and the probability that the two are geographically close is relatively high. The mapping relationship table is searched for an actual IP address whose last character is close to that of the target external network IP address and whose other characters are identical, and the actual IP address found is taken as the reference IP address so that close geographic location information can be found.
Further, in this embodiment, the step S201 includes:
acquiring other characters except the last character in the target external network IP address as target characters; acquiring other characters except the last character of each actual IP address in the mapping relation table as actual characters; matching the target character with each actual character; and if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the actual IP address close to the target external network IP address.
It can be understood that IP addresses are geographically close only if they differ in the last character; therefore the characters of the target external network IP address other than the last one are taken as the target characters. For example, if the target external network IP address is 47.16.45.39, the target characters are 47.16.45.3. The characters of each actual IP address in the mapping relationship table other than the last one are likewise taken as the actual characters; for example, if the mapping relationship table contains the actual IP addresses 47.16.45.35 and 46.16.45.39, the corresponding actual characters A and B are 47.16.45.3 and 46.16.45.3 respectively. The target characters are matched against each set of actual characters; if a match succeeds, the actual IP address corresponding to the matched actual characters differs from the target external network IP address only in the last character and can be used as the actual IP address close to the target external network IP address.
Further, in this embodiment, if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the actual IP address close to the target external network IP address specifically includes:
if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the matched IP address; judging whether the number of the matched IP addresses is larger than a preset number or not; when the number of the matched IP addresses is larger than the preset number, calculating a difference value between the last character in the target external network IP address and the last character in each matched IP address; and taking the matched IP address corresponding to the minimum difference value as an actual IP address close to the target external network IP address.
In a specific implementation, the mapping relationship table usually contains a large number of actual IP addresses. If more than one set of actual characters matches successfully, several actual IP addresses in the table differ from the target external network IP address only in the last character. The preset number may be set to 1; if the number of matched IP addresses is greater than the preset number, the closest one must be selected from them. The difference between the last character of the target external network IP address and the last character of each matched IP address is calculated; the smaller the difference, the closer the matched IP address is to the target external network IP address and the closer the corresponding geographic location information, so the matched IP address with the minimum difference is used as the actual IP address close to the target external network IP address. For example, if the target external network IP address is 47.16.45.39 and the mapping relationship table contains actual IP address A: 47.16.45.35, actual IP address B: 47.16.45.38 and actual IP address C: 46.16.45.39, the matched IP addresses are 47.16.45.35 and 47.16.45.38; the difference between the last character of 47.16.45.38 and that of the target external network IP address is 1, the minimum difference, so 47.16.45.38 is used as the actual IP address close to the target external network IP address.
Step S202: taking the actual IP address close to the target external network IP address as the reference IP address.
It should be noted that in the above example, if the target character is successfully matched with the actual character a, the actual IP address 47.16.45.35 corresponding to the actual character a is used as an actual IP address close to the target external network IP address 47.16.45.39, and the actual IP address close to the target external network IP address is used as a reference IP address, so that the reference geographical location information corresponding to the reference IP address can be searched from the mapping relationship table, and the target geographical location information corresponding to the malware author is determined according to the reference geographical location information.
In this embodiment, an actual IP address close to the target external network IP address is searched from the mapping relationship table, the actual IP address close to the target external network IP address is used as a reference IP address, and corresponding reference geographical location information is searched from the mapping relationship table according to the reference IP address, where the mapping relationship table includes a correspondence between the external network IP address and the geographical location information, so that the corresponding reference geographical location information can be searched by the close actual IP address, the target geographical location information of the malicious software author is determined according to the reference geographical location information, and accuracy of locating the malicious software author is improved.
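An added Python example of steps S201 and S202 (and the S30 lookup) as described in this embodiment; it is not the patent's own code. It follows the character-based matching literally: the address minus its last character is the matching key, and when more than the preset number (1) of addresses match, the smallest last-character difference wins. The mapping relationship table, its location strings and the function names are constructed assumptions.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Constructed mapping relationship table: actual IP address -> geographic
# location information (sample values, not data from the patent).
MAPPING_TABLE: Dict[str, str] = {
    "47.16.45.35": "office building, Example Road 1",
    "47.16.45.38": "internet cafe, Example Road 2",
    "46.16.45.39": "supermarket, Example Road 3",
}

PRESET_NUMBER = 1  # the embodiment sets the preset number to 1


def split_last_char(ip: str) -> Tuple[str, int]:
    """Validate a dotted-quad address and return (all characters except the
    last, last character as a digit); e.g. 47.16.45.39 -> ("47.16.45.3", 9)."""
    text = str(IPv4Address(ip))
    return text[:-1], int(text[-1])


def find_matched_ips(target_ip: str, table: Dict[str, str]) -> List[str]:
    """Step S201 matching: the actual IP addresses whose characters other
    than the last one equal the target characters."""
    target_chars, _ = split_last_char(target_ip)
    return [ip for ip in table if split_last_char(ip)[0] == target_chars]


def find_reference_ip(target_ip: str, table: Dict[str, str],
                      preset_number: int = PRESET_NUMBER) -> Optional[str]:
    """Steps S201/S202: pick the reference IP address. With more than
    preset_number matches, the smallest last-character difference wins."""
    matched = find_matched_ips(target_ip, table)
    if not matched:
        return None  # no actual address in the table is close to the target
    if len(matched) <= preset_number:
        return matched[0]
    _, target_last = split_last_char(target_ip)
    return min(matched, key=lambda ip: abs(split_last_char(ip)[1] - target_last))


def lookup_reference_location(target_ip: str,
                              table: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Step S30: the reference IP address and its reference geographic
    location information from the mapping relationship table."""
    ref = find_reference_ip(target_ip, table)
    return ref, (table[ref] if ref is not None else None)


if __name__ == "__main__":
    print(lookup_reference_location("47.16.45.39", MAPPING_TABLE))
    # -> ('47.16.45.38', 'internet cafe, Example Road 2')
```

Because the matching key drops only the final character, a target ending in 39 can only match table entries ending in 30 to 39, which is where the "gap of 10 or less" in the description comes from. The result is only as good as the table: a close address is found only when the table holds entries from the same allocation as the target, so `find_reference_ip` returns `None` rather than guessing when nothing matches.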
Referring to fig. 4, fig. 4 is a flowchart of a third embodiment of the method for locating the geographical position of a malware author according to the present invention; the third embodiment is proposed based on the first embodiment shown in fig. 2 or the second embodiment shown in fig. 3, and is described here on the basis of the first embodiment.
In the third embodiment, the step S10 includes:
Step S101: acquiring the running information of the malware author's user terminal within a preset time period.
It should be understood that the operation information of the user terminal may be extracted from the operation log by obtaining the operation log of the user terminal of each malware author. The preset time period may be half a month or a month, which is not limited in this embodiment.
Step S102: extracting a plurality of corresponding IP addresses to be confirmed from the running information.
It can be understood that the running information of the user terminal of the malware author includes an IP address used in running within the preset time period, and within the preset time period, the malware author usually changes an external network IP address frequently to avoid being tracked, so that a plurality of corresponding to-be-confirmed IP addresses can be extracted from each running information respectively.
Step S103: calculating the occurrence frequency of each IP address to be confirmed within the preset time period.
It should be noted that, to stay hidden, a malware author usually changes the external network IP address frequently, but sometimes switches to the actual IP address to perform normal user operations; that is, one of the IP addresses to be confirmed is the actual IP address. The external IP addresses set up for hiding may differ every time, whereas the actual IP address used for normal user operations stays the same, so the occurrence frequency of each IP address to be confirmed within the preset time period can be calculated, and the most frequently occurring IP address is the actual IP address.
Step S104: taking the IP address to be confirmed with the highest occurrence frequency as the target external network IP address of the user terminal.
In the specific implementation, all the IP addresses to be confirmed are sequentially sorted from high to low according to the occurrence frequency to obtain a sorted list, and the IP address corresponding to the highest occurrence frequency is selected from the sorted list to be used as the external network IP address of the user terminal. Then, the switching time point or time period of the external network IP address can be further counted, the change rule of the external network IP address in the preset time period is determined, and each malicious software author is associated according to each change rule to obtain a malicious software author team. And using the target extranet IP address as the extranet IP address of the malware author team.
Further, the step S102 includes:
extracting the MAC address of the user terminal from the operation information;
and searching a plurality of corresponding IP addresses to be confirmed according to the MAC address.
It should be understood that the operation information of the user terminal generally includes a MAC address, and a mapping relationship exists between the MAC address and the IP address, so that the MAC address of each user terminal can be respectively extracted from each operation information, and a plurality of corresponding to-be-confirmed IP addresses are searched based on each MAC address.
In this embodiment, the running information of the malware author's user terminal within a preset time period is acquired, a plurality of corresponding IP addresses to be confirmed are extracted from it, the occurrence frequency of each within the preset time period is calculated, and the IP address to be confirmed with the highest occurrence frequency is taken as the external network IP address of the user terminal. A close actual IP address is then searched for according to that external network IP address and the corresponding geographic location information is looked up from the actual IP address, so that the geographical position of the malware author is accurately located, the author is tracked and the malware's publishing source is tracked in time, which helps control network security.
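An added example of steps S101 to S104, including the MAC-based extraction of step S102, written in Python; it is not the patent's own code. The running log format (one line of timestamp, MAC address and external IP address), its contents, and the function names are constructed assumptions; the preset time period is given in days.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed running log of one user terminal: "<ISO timestamp> <MAC> <external IP>"
# per line. Sample values only; not log data from the patent.
RUNNING_LOG = """\
2019-12-01T09:12:00 00:11:22:33:44:55 203.0.113.17
2019-12-02T10:03:00 00:11:22:33:44:55 198.51.100.8
2019-12-03T08:41:00 00:11:22:33:44:55 203.0.113.17
2019-12-05T21:20:00 00:11:22:33:44:55 192.0.2.44
2019-12-07T19:00:00 00:11:22:33:44:55 203.0.113.17
2019-12-20T11:30:00 00:11:22:33:44:55 192.0.2.44
"""

Record = Tuple[datetime, str, str]  # (timestamp, MAC address, IP address)


def parse_running_log(text: str) -> List[Record]:
    """Extract the running information (time, MAC, IP) from each log line."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, mac, ip = line.split()
        records.append((datetime.fromisoformat(stamp), mac.lower(), ip))
    return records


def ips_to_confirm(records: List[Record], mac: str,
                   start: datetime, period: timedelta) -> List[str]:
    """Steps S101/S102: the IP addresses to be confirmed, i.e. every address
    the terminal with this MAC address used within [start, start + period)."""
    end = start + period
    return [ip for stamp, m, ip in records
            if m == mac.lower() and start <= stamp < end]


def rank_ips_in_period(text: str, mac: str, start_iso: str,
                       days: int) -> List[Tuple[str, int]]:
    """Step S103: occurrence frequency of each address to be confirmed within
    the preset time period, sorted from highest to lowest."""
    records = parse_running_log(text)
    start = datetime.fromisoformat(start_iso)
    return Counter(ips_to_confirm(records, mac, start, timedelta(days=days))).most_common()


def target_extranet_ip(text: str, mac: str, start_iso: str, days: int) -> Optional[str]:
    """Step S104: the address with the highest occurrence frequency, or None
    when the terminal has no records in the period."""
    ranking = rank_ips_in_period(text, mac, start_iso, days)
    return ranking[0][0] if ranking else None


if __name__ == "__main__":
    print(target_extranet_ip(RUNNING_LOG, "00:11:22:33:44:55", "2019-12-01", 15))
    # -> 203.0.113.17
```

In the sample log the address 203.0.113.17 appears three times in the first half month while each of the others appears once, so it is selected; the entry on 20 December falls outside the 15-day period and is ignored.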
Referring to fig. 5, fig. 5 is a flowchart of a fourth embodiment of the method for locating the geographical position of a malware author according to the present invention; the fourth embodiment is proposed based on the first embodiment shown in fig. 2 or the second embodiment shown in fig. 3, and is described here on the basis of the first embodiment.
In the fourth embodiment, the step S10 includes:
Step S105: acquiring the running information of the malware author's user terminal.
It should be understood that the operation information of the user terminal may be extracted from the operation log by obtaining the operation log of the user terminal of each malware author, and specifically, the operation information of the user terminal in a preset time period may also be obtained. The preset time period may be half a month or a month, which is not limited in this embodiment.
Step S106: judging whether a preset operation type exists in the running information.
It can be understood that the preset operation type is an operation normally performed by a normal network user, and the preset operation type includes: browsing a web page, online shopping, playing a game, or watching a video. And extracting user operation from each running information, matching the user operation with the preset operation type, and if the matching is successful, indicating that the preset operation type exists in the running information.
Further, the step S106 includes: extracting a webpage address corresponding to the user operation from the running information; acquiring target master station information of the webpage address; judging whether a target page corresponding to the webpage address is a normal page or not according to the target master station information; and when the target page is a normal page, determining that a preset operation type exists in the running information.
It can be understood that the webpage address corresponding to the user operation is extracted from each running information, and whether the malicious software author accesses a normal webpage can be judged according to the webpage address. The method includes the steps that the information of the main station of the webpage address of each normal page can be counted in advance, a preset main station information base is established for the counted information of each main station, for example, if a user can conduct online shopping through a shopping website, the information of the main station of the normal shopping website can be obtained, and the information of the main station of the normal shopping website is added into the preset main station information base. And acquiring target master station information of each webpage address, matching the target master station information with master station information in the preset master station information base, and if the matching is successful, indicating that the accessed webpage address is normal, wherein the access is conventional network operation. In this embodiment, the determining, according to the target master station information, whether the target page corresponding to the web address is a normal page specifically includes: matching the target master station information with master station information in a preset master station information base; and if the matching is successful, determining that the target page corresponding to the webpage address is a normal page.
Step S107: if the preset operation type exists in the running information, acquiring the operation time corresponding to the preset operation type.
It should be noted that, if the preset operation type exists in each piece of running information, the operation time corresponding to the preset operation type may be obtained from the running information, that is, the malware author is performing normal network operation in the operation time, and the external network IP address used at this time is the actual IP address corresponding to the user equipment of the malware author.
Step S108: searching for a corresponding target external network IP address according to the operation time.
In a specific implementation, the target external network IP address adopted by the user equipment at the operation time is searched according to the operation time. And further counting the switching time point or time period of the target external network IP address, determining the change rule of the target external network IP address in a preset time period, and associating each malicious software author according to the change rules corresponding to a plurality of malicious software authors to obtain a malicious software author team. And using the target extranet IP address as a target extranet IP address of the malware author team. The geographic location of the malware author team may be located according to the target extranet IP address.
In this embodiment, the running information of the malware author's user terminal is acquired and it is judged whether a preset operation type exists in it; if so, the operation time corresponding to the preset operation type is acquired and the corresponding external network IP address is searched for according to that operation time. The external network IP address can thus be obtained accurately, the geographical position of the malware author is accurately located from it, the author is tracked and the malware's publishing source is traced, which facilitates the control of network security.
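An added Python example of steps S105 to S108 together with the master-station check of step S106; it is not the patent's own code. The running information is a constructed list of (timestamp, external IP in use, visited web address) records, the master station of a web address is taken to be its host name (an assumption; the patent does not define it further), and the preset master station information base is a constructed set of placeholder host names under the reserved .example domain.

```python
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed preset master station information base: host names of pages
# counted in advance as normal (placeholder names, not real sites).
PRESET_MASTER_STATION_BASE: Set[str] = {"shop.example", "video.example", "game.example"}

# Constructed running information of one terminal: (timestamp, external IP
# in use, web address visited). Sample values only.
RUNNING_INFO: List[Tuple[str, str, str]] = [
    ("2019-12-01T09:12:00", "198.51.100.8", "http://unlisted-host.invalid/page1"),
    ("2019-12-01T20:05:00", "203.0.113.17", "https://shop.example/cart"),
    ("2019-12-02T10:03:00", "198.51.100.9", "http://other-host.invalid/page2"),
    ("2019-12-03T21:40:00", "203.0.113.17", "https://video.example/watch?v=1"),
]


def master_station(url: str) -> Optional[str]:
    """Target master station information of a web address, modelled here as
    its host name; None when the string has no host (e.g. not a URL)."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_normal_page(url: str, base: Set[str] = PRESET_MASTER_STATION_BASE) -> bool:
    """Match the master station against the preset master station base."""
    host = master_station(url)
    return host is not None and host in base


def operation_times(info: List[Tuple[str, str, str]],
                    base: Set[str] = PRESET_MASTER_STATION_BASE) -> List[str]:
    """Steps S106/S107: the operation times at which a preset operation type
    (a visit to a normal page) occurred in the running information."""
    return [stamp for stamp, _ip, url in info if is_normal_page(url, base)]


def ip_at_time(info: List[Tuple[str, str, str]], stamp: str) -> Optional[str]:
    """Step S108: the external IP address the terminal used at that time."""
    for s, ip, _url in info:
        if s == stamp:
            return ip
    return None


def target_extranet_ips(info: List[Tuple[str, str, str]],
                        base: Set[str] = PRESET_MASTER_STATION_BASE) -> List[str]:
    """Distinct external IP addresses in use during normal operations, in
    order of first occurrence: the candidate actual addresses of the terminal."""
    seen: List[str] = []
    for stamp in operation_times(info, base):
        ip = ip_at_time(info, stamp)
        if ip is not None and ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    print(target_extranet_ips(RUNNING_INFO))  # -> ['203.0.113.17']
```

Only the two visits to hosts in the base count as the preset operation type; the address in use at both of those times is 203.0.113.17, while the addresses used for the unlisted hosts are never promoted to a target external network IP address.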
In addition, an embodiment of the present invention further provides a storage medium, where a malware author geographical location program is stored on the storage medium, and when executed by a processor, the malware author geographical location program implements the following steps:
acquiring a target external network IP address of a user terminal of a malicious software author;
searching a reference IP address according to the target external network IP address;
searching corresponding reference geographical position information according to the reference IP address;
and determining target geographical location information of the malicious software author according to the reference geographical location information.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
and searching corresponding reference geographical position information from a mapping relation table according to the reference IP address, wherein the mapping relation table comprises the corresponding relation between the external network IP address and the geographical position information.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
capturing POI information through a web spider;
extracting the corresponding relation between the geographical position information and the actual IP address from the POI information;
and establishing a mapping relation table according to the corresponding relation between the geographical position information and the actual IP address.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
searching an actual IP address close to the target external network IP address from the mapping relation table;
and taking the actual IP address close to the target external network IP address as a reference IP address.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
acquiring other characters except the last character in the target external network IP address as target characters;
acquiring other characters except the last character of each actual IP address in the mapping relation table as actual characters;
matching the target character with each actual character;
and if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the actual IP address close to the target external network IP address.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the matched IP address;
judging whether the number of the matched IP addresses is larger than a preset number or not;
when the number of the matched IP addresses is larger than the preset number, calculating a difference value between the last character in the target external network IP address and the last character in each matched IP address;
and taking the matched IP address corresponding to the minimum difference value as an actual IP address close to the target external network IP address.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
judging whether the reference geographical position information meets the condition of configuring the terminal;
and if the reference geographic position meets the configuration terminal condition, taking the reference geographic position information as target geographic position information of the malicious software author.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
if the reference geographic position does not meet the condition of the configuration terminal, acquiring a plurality of geographic position information to be determined within a preset distance range by taking the reference geographic position information as a center;
judging whether the geographical position information to be determined meets the condition of the configuration terminal;
and taking the geographical position information to be determined which meets the condition of the configuration terminal as the target geographical position information of the malicious software author.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
acquiring running information of a user terminal of a malicious software author in a preset time period;
extracting a plurality of corresponding IP addresses to be confirmed from the operation information;
calculating the occurrence frequency of each IP address to be confirmed in the preset time period;
and taking the IP address to be confirmed with the highest occurrence frequency as the target external network IP address of the user terminal.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
extracting the MAC address of the user terminal from the operation information;
and searching a plurality of corresponding IP addresses to be confirmed according to the MAC address.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
acquiring running information of a user terminal of a malicious software author;
judging whether a preset operation type exists in the running information or not;
if the preset operation type exists in the running information, acquiring operation time corresponding to the preset operation type;
and searching a corresponding target external network IP address according to the operation time.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
extracting a webpage address corresponding to the user operation from the running information;
acquiring target master station information of the webpage address;
judging whether a target page corresponding to the webpage address is a normal page or not according to the target master station information;
and when the target page is a normal page, determining that a preset operation type exists in the running information.
Further, the malware author geolocation program, when executed by the processor, further performs the following operations:
matching the target master station information with master station information in a preset master station information base;
and if the matching is successful, determining that the target page corresponding to the webpage address is a normal page.
In this embodiment, the target external network IP address of the malware author's user terminal is obtained and a reference IP address is searched for according to it. Because a malware author usually hides the external network IP address, no geographic location can be found for the target external network IP address itself; the reference IP address is searched for so that a corresponding geographic location can be found. Corresponding reference geographic location information is then searched for according to the reference IP address, and the target geographic location information of the malware author is determined from the reference geographic location information. Determining the target geographic location through the reference IP address locates the malware author accurately, so that the author and the source that published the malware can be tracked in time, which is beneficial to the control of network security.
In addition, referring to fig. 6, an embodiment of the present invention further provides a malware author geographical location positioning apparatus, where the malware author geographical location positioning apparatus includes:
an obtaining module 10, configured to obtain a target extranet IP address of a user terminal of a malware author.
It should be understood that the operation information of the user terminal of the malicious software author can be extracted from the operation log by acquiring the operation log of the user terminal, and the target external network IP address of the user terminal can be acquired according to the operation information.
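To make the two routes for obtaining the target external network IP address concrete (the occurrence-frequency route of A9 and A10 below, and the preset-operation-type route of A11 to A13), the following Python is an example added here; it is not code from the patent or its applicant. The run-log records, MAC addresses, URLs and the master station information base are constructed sample data, and using the URL hostname as the "master station information" of a web page address is an assumption.

```python
"""Determine the target extranet IP address of a user terminal from its run
logs, following the two routes described in the text (example code added
here, not the patent's own implementation).  All log records, MAC addresses,
URLs and the master-station base below are constructed sample data."""
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed run-log records: (timestamp, MAC of terminal, extranet IP seen, URL visited)
SAMPLE_LOG = [
    ("2019-12-30T09:12:00", "aa:bb:cc:dd:ee:01", "203.0.113.7", "https://shop.example.com/cart"),
    ("2019-12-30T09:15:00", "aa:bb:cc:dd:ee:01", "203.0.113.7", "https://news.example.org/"),
    ("2019-12-30T11:40:00", "aa:bb:cc:dd:ee:01", "198.51.100.23", "http://unknown-site.invalid/x"),
    ("2019-12-30T14:05:00", "aa:bb:cc:dd:ee:02", "192.0.2.99", "https://shop.example.com/"),
    ("2019-12-31T08:00:00", "aa:bb:cc:dd:ee:01", "203.0.113.7", "https://video.example.net/watch"),
    ("2019-12-31T20:30:00", "aa:bb:cc:dd:ee:01", "198.51.100.23", "https://shop.example.com/order"),
]

# Constructed "preset master station information base": hostnames of known normal sites
# (browsing, shopping, video), i.e. the preset operation types named in A14.
NORMAL_MASTER_STATIONS = {"shop.example.com", "news.example.org", "video.example.net"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def ips_for_mac(log, mac, start, end):
    """IP addresses to be confirmed: every extranet IP the terminal with the
    given MAC address was seen behind inside the preset time period."""
    lo, hi = _parse(start), _parse(end)
    return [ip for ts, m, ip, _ in log if m == mac and lo <= _parse(ts) <= hi]


def most_frequent_ip(log, mac, start, end):
    """Route A (A9/A10): the IP with the highest occurrence frequency in the period."""
    counts = Counter(ips_for_mac(log, mac, start, end))
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def master_station(url):
    """Master station information of a web page address: assumed here to be its hostname."""
    return urlsplit(url).hostname or ""


def is_normal_page(url, station_base=NORMAL_MASTER_STATIONS):
    """A13: the page is normal if its master station matches the preset base."""
    return master_station(url) in station_base


def ip_at_preset_operation(log, mac, station_base=NORMAL_MASTER_STATIONS):
    """Route B (A11-A13): find the first operation of the preset type (a visit to a
    normal page), take its operation time, and return the IP recorded at that time."""
    for ts, m, ip, url in log:
        if m == mac and is_normal_page(url, station_base):
            return ts, ip
    return None
```

Route A needs the MAC address to group records belonging to one terminal, which is why A10 extracts it first; route B relies on the observation that an author browsing a well-known site is less likely to be behind a throwaway address at that moment, so the IP logged at that operation time is taken as the target.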
And the searching module 20 is configured to search the reference IP address according to the target external network IP address.
It will be appreciated that, in order to avoid being traced, malware authors often change the external network IP address, and such an address typically has no actual geographic location corresponding to it; therefore an IP address that does have an actual geographic location and is close to the target external network IP address can be looked up and used as the reference address. Usually, the correspondence between IP addresses and geographic location information may be collected in advance and a mapping relationship table established, so that every IP address stored in the mapping relationship table has actual geographic location information corresponding to it. The target external network IP address may then be matched against the IP addresses in the mapping table to find a reference IP address that is close to it.
The searching module 20 is further configured to search for corresponding reference geographic location information according to the reference IP address.
It should be noted that the mapping relationship table includes a corresponding relationship between an IP address and a geographic location, and corresponding reference geographic location information is searched from the mapping relationship table according to the reference IP address. The mapping relationship table may be established based on a point of information (POI), where the POI includes geographic location information and IP address information. Further, whether the reference geographical location information meets the condition of configuring the terminal needs to be judged, and if yes, the reference geographical location information can be used as the target geographical location information of the malicious software author.
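The following Python is an added example (not the patent's own implementation) of the reference IP address lookup described here and in the matching steps above (A4 to A6): the last octet (what the text calls the last character) is stripped, the remaining prefix is matched against every actual IP address in the mapping relationship table, and when more than the preset number of addresses match, the one whose last octet differs least from the target is chosen. The mapping table contents and the preset number are constructed sample values.

```python
"""Reference-IP lookup against a mapping table of actual IP address -> geographic
location (example code added here, not the patent's implementation).
The mapping table entries and PRESET_NUMBER are constructed sample values."""
import ipaddress

# Constructed mapping table: actual IPv4 addresses with known POI locations.
MAPPING_TABLE = {
    "203.0.113.2": "Office building A, 12 Sample Road",
    "203.0.113.40": "Internet cafe B, 8 Sample Road",
    "203.0.113.200": "Supermarket C, 3 Sample Street",
    "198.51.100.9": "Machine room D, 1 Demo Avenue",
}

PRESET_NUMBER = 1  # more matches than this -> rank candidates by last-octet difference


def split_ip(ip):
    """Return ('a.b.c', d) for IPv4 address a.b.c.d; raises ValueError on malformed input."""
    addr = ipaddress.IPv4Address(ip)  # validates the address before we slice it
    parts = str(addr).split(".")
    return ".".join(parts[:3]), int(parts[3])


def find_reference_ip(target_ip, table=MAPPING_TABLE, preset_number=PRESET_NUMBER):
    """Actual IP close to the target: same first three octets ("target characters").
    If more than preset_number entries match, pick the one whose last octet is
    nearest; otherwise the first match is taken (an assumption for the <= case)."""
    target_prefix, target_last = split_ip(target_ip)
    matched = [ip for ip in table if split_ip(ip)[0] == target_prefix]
    if not matched:
        return None
    if len(matched) <= preset_number:
        return matched[0]
    return min(matched, key=lambda ip: abs(split_ip(ip)[1] - target_last))


def reference_location(target_ip, table=MAPPING_TABLE):
    """Reference geographic location information looked up via the reference IP."""
    ref = find_reference_ip(target_ip, table)
    return None if ref is None else (ref, table[ref])
```

The same-/24 prefix match is a heuristic: addresses sharing their first three octets are often, but not always, assigned to the same operator and area, so an investigator would treat the returned location as a lead to corroborate against other evidence rather than as a conclusion.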
And the positioning module 30 is configured to determine target geographical location information of the malware author according to the reference geographical location information.
It can be understood that whether the reference geographic location information meets the configuration terminal condition is judged, and if so, the reference geographic location information can be used as the target geographic location information of the malware author. The configuration terminal condition is whether a terminal device can suitably be configured at the place: for example, an office building is usually suitable for configuring a terminal device such as a computer, so if the reference geographic location information is that of an office building, the terminal configuration condition is considered to be satisfied. Places where a terminal device can be configured, such as office buildings, machine rooms, internet cafes and supermarkets, can all have a personal computer configured in them; each such place is used as a configuration terminal condition, the reference geographic location information is matched against these conditions, and if the matching succeeds the reference geographic location information is considered to satisfy the terminal configuration condition and can be used as the target geographic location information of the malware author. In this embodiment, the positioning module 30 is further configured to determine whether the reference geographic location information meets a terminal configuration condition, and if it does, to take the reference geographic location information as the target geographic location information of the malware author.
Further, after determining whether the reference geographical location information satisfies a configured terminal condition, the method further includes: if the reference geographic position does not meet the condition of the configuration terminal, acquiring a plurality of geographic position information to be determined within a preset distance range by taking the reference geographic position information as a center; judging whether the geographical position information to be determined meets the condition of the configuration terminal; and taking the geographical position information to be determined which meets the condition of the configuration terminal as the target geographical position information of the malicious software author.
It should be noted that, if the reference geographic location information does not satisfy the configuration terminal condition, a plurality of pieces of geographic location information to be determined within a preset distance range may be obtained with the reference geographic location information as the center. The preset distance range may be set according to an empirical value, for example the conventional floor-space length of an office building (taking the conventional floor-space length and width of an office building as the example); it may also be obtained from big-data analysis, or set in other ways, which this embodiment does not limit. The pieces of geographic location information to be determined within the preset distance range are obtained, each is judged for whether it meets the configuration terminal condition, and, if so, the geographic location information to be determined that meets the condition is taken as the target geographic location information of the malware author. If several pieces of geographic location information to be determined meet the configuration terminal condition, the one closest to the reference geographic location information is used as the target geographic location information of the malware author.
If the terminal configuration condition is still not met, the preset distance range can be reset to a larger distance, geographic location information to be determined at the longer distance is obtained and judged again for whether it meets the configuration terminal condition, and this is repeated until geographic location information meeting the configuration terminal condition is found, which is then used as the target geographic location information of the malware author.
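An added Python example (not the patent's code) of the positioning step described in the three paragraphs above: the reference location is checked against the configuration terminal condition, and if it fails, candidates within a preset distance range are examined, the range is enlarged until a qualifying place is found, and the nearest qualifying one is returned. The POI records, their planar coordinates, the initial range, the growth factor and the upper bound on the range are all constructed assumptions; the list of qualifying place types is the one given in the description.

```python
"""Determine target geographic location information from a reference location
(example added here, not the patent's code).  POI records, coordinates and the
range parameters are constructed sample values."""
import math

# Place types that satisfy the "configuration terminal condition": places where a
# personal computer is normally set up, as listed in the description.
TERMINAL_PLACE_TYPES = {"office building", "machine room", "internet cafe", "supermarket"}

# Constructed POI set: (name, place type, x metres, y metres) in a local planar frame.
POIS = [
    ("Park E", "park", 0.0, 0.0),
    ("Bus stop F", "transport", 30.0, 10.0),
    ("Office building A", "office building", 120.0, 40.0),
    ("Internet cafe B", "internet cafe", 150.0, 0.0),
    ("Machine room D", "machine room", 400.0, 300.0),
]


def meets_terminal_condition(poi, place_types=TERMINAL_PLACE_TYPES):
    """Match the POI's place type against the configuration terminal conditions."""
    return poi[1] in place_types


def distance(a, b):
    """Planar distance between two POI records (assumed local metric coordinates)."""
    return math.hypot(a[2] - b[2], a[3] - b[3])


def candidates_within(center, radius, pois=POIS):
    """Geographic location information to be determined: POIs within the preset range."""
    return [p for p in pois if p is not center and distance(center, p) <= radius]


def locate_target(reference, pois=POIS, initial_range=100.0, growth=2.0, max_range=10000.0):
    """Return (target POI, range used).  If the reference itself qualifies it is the
    target; otherwise widen the preset distance range step by step and return the
    nearest qualifying POI.  (None, range) if nothing qualifies below max_range."""
    if meets_terminal_condition(reference):
        return reference, 0.0
    radius = initial_range
    while radius <= max_range:
        ok = [p for p in candidates_within(reference, radius, pois) if meets_terminal_condition(p)]
        if ok:
            best = min(ok, key=lambda p: distance(reference, p))  # closest to the reference
            return best, radius
        radius *= growth  # reset the preset distance range to a larger distance
    return None, radius
```

The upper bound on the range is a deliberate addition: the description repeats the search until a qualifying place is found, and a practitioner would want the loop to terminate and report failure when the mapping data around the reference point is simply too sparse.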
Other embodiments or specific implementation manners of the malware author geographical position positioning device of the present invention may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and the like does not denote any order; rather, these words may be interpreted as indicating any order.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be substantially implemented or a part contributing to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (e.g., a Read Only Memory (ROM)/Random Access Memory (RAM), a magnetic disk, an optical disk), and includes several instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
The invention discloses A1, a method for locating the geographical position of a malicious software author, which comprises the following steps:
acquiring a target external network IP address of a user terminal of a malicious software author;
searching a reference IP address according to the target external network IP address;
searching corresponding reference geographical position information according to the reference IP address;
and determining target geographical location information of the malicious software author according to the reference geographical location information.
A2, the method for locating a geographical location of a malware author as in A1, where the searching for corresponding reference geographical location information according to the reference IP address specifically includes:
and searching corresponding reference geographical position information from a mapping relation table according to the reference IP address, wherein the mapping relation table comprises the corresponding relation between the external network IP address and the geographical position information.
A3, the method for locating geographical position of malicious software author as A2, before looking up corresponding reference geographical position information from a mapping relation table according to the reference IP address, the method for locating geographical position of malicious software author further comprises:
capturing POI information through a web spider;
extracting the corresponding relation between the geographical position information and the actual IP address from the POI information;
and establishing a mapping relation table according to the corresponding relation between the geographical position information and the actual IP address.
A4, the method for locating a geographical location of a malware author as in A2, where the searching for a reference IP address according to the target extranet IP address specifically includes:
searching an actual IP address close to the target external network IP address from the mapping relation table;
and taking the actual IP address close to the target external network IP address as a reference IP address.
A5, the method for locating a geographical location of a malware author as in A4, wherein the searching for an actual IP address close to the target extranet IP address from the mapping relationship table specifically includes:
acquiring other characters except the last character in the target external network IP address as target characters;
acquiring other characters except the last character of each actual IP address in the mapping relation table as actual characters;
matching the target character with each actual character;
and if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the actual IP address close to the target external network IP address.
A6, the method for locating a geographical location of a malware author as in A5, wherein if matching is successful, taking an actual IP address corresponding to an actual character successfully matched as an actual IP address close to the target extranet IP address specifically includes:
if the matching is successful, taking the actual IP address corresponding to the successfully matched actual character as the matched IP address;
judging whether the number of the matched IP addresses is larger than a preset number or not;
when the number of the matched IP addresses is larger than the preset number, calculating a difference value between the last character in the target external network IP address and the last character in each matched IP address;
and taking the matched IP address corresponding to the minimum difference value as an actual IP address close to the target external network IP address.
A7, the method for locating a geographical location of a malware author as in A1, wherein the determining the target geographical location information of the malware author according to the reference geographical location information specifically includes:
judging whether the reference geographical position information meets the condition of configuring the terminal;
and if the reference geographic position meets the configuration terminal condition, taking the reference geographic position information as target geographic position information of the malicious software author.
A8, the malware author geolocation method as in A7, wherein after determining whether the reference geographical location information meets the configuration terminal condition, the malware author geolocation method further comprises:
if the reference geographic position does not meet the condition of the configuration terminal, acquiring a plurality of geographic position information to be determined within a preset distance range by taking the reference geographic position information as a center;
judging whether the geographical position information to be determined meets the condition of the configuration terminal;
and taking the geographical position information to be determined which meets the condition of the configuration terminal as the target geographical position information of the malicious software author.
A9, the method for locating a geographical location of a malware author as in any one of A1 to A8, wherein the obtaining a target extranet IP address of a user terminal of the malware author specifically includes:
acquiring running information of a user terminal of a malicious software author in a preset time period;
extracting a plurality of corresponding IP addresses to be confirmed from the operation information;
calculating the occurrence frequency of each IP address to be confirmed in the preset time period;
and taking the IP address to be confirmed with the highest occurrence frequency as the target external network IP address of the user terminal.
A10, the method for locating a geographical location of a malware author as in A9, wherein the extracting a plurality of corresponding to-be-confirmed IP addresses from the running information specifically includes:
extracting the MAC address of the user terminal from the operation information;
and searching a plurality of corresponding IP addresses to be confirmed according to the MAC address.
A11, the method for locating a geographical location of a malware author as in any one of A1 to A8, wherein the obtaining a target extranet IP address of a user terminal of the malware author specifically includes:
acquiring running information of a user terminal of a malicious software author;
judging whether a preset operation type exists in the running information or not;
if the preset operation type exists in the running information, acquiring operation time corresponding to the preset operation type;
and searching a corresponding target external network IP address according to the operation time.
A12, the method for locating a geographical location of a malware author as in A11, wherein the determining whether the running information includes a preset operation type specifically includes:
extracting a webpage address corresponding to the user operation from the running information;
acquiring target master station information of the webpage address;
judging whether a target page corresponding to the webpage address is a normal page or not according to the target master station information;
and when the target page is a normal page, determining that a preset operation type exists in the running information.
A13, the method for locating a geographical position of a malware author as in A12, where the determining, according to the target master station information, whether the target page corresponding to the web page address is a normal page specifically includes:
matching the target master station information with master station information in a preset master station information base;
and if the matching is successful, determining that the target page corresponding to the webpage address is a normal page.
A14, the method for locating geographical position of malicious software author as A11, the preset operation type comprises browsing web page, online shopping, playing game or watching video.
The invention also discloses B15, a malware author geographical position locating device, comprising: a memory, a processor, and a malware author geolocation program stored on the memory and executable on the processor, the malware author geolocation program when executed by the processor implementing the steps of the malware author geolocation method of any of A1 to A14.
The invention also discloses C16, a storage medium having stored thereon a malware author geolocation program which, when executed by a processor, implements the steps of the malware author geolocation method of any of A1 to A14.
The invention also discloses D17, a malware author geographical position positioning device, the malware author geographical position positioning device comprises:
the acquisition module is used for acquiring a target external network IP address of a user terminal of a malicious software author;
the searching module is used for searching a reference IP address according to the target external network IP address;
the searching module is further used for searching corresponding reference geographical position information according to the reference IP address;
and the positioning module is used for determining the target geographical position information of the malicious software author according to the reference geographical position information.
D18, the malware author geographical location positioning apparatus of D17, wherein the searching module is further configured to search for corresponding reference geographical location information from a mapping relationship table according to the reference IP address, and the mapping relationship table includes a correspondence between an extranet IP address and geographical location information.
D19, the malware author geolocation locating device of D18, wherein said malware author geolocation locating device further comprises:
the capturing module is used for capturing POI information through a web spider;
the extraction module is used for extracting the corresponding relation between the geographic position information and the actual IP address from the POI information;
and the establishing module is used for establishing a mapping relation table according to the corresponding relation between the geographic position information and the actual IP address.
D20, the malware author geolocation locating device of D18, wherein the searching module is further configured to search the mapping relationship table for an actual IP address that is close to the target extranet IP address; and taking the actual IP address close to the target external network IP address as a reference IP address.

Claims (10)

1. A malware author geographical position locating method is characterized by comprising the following steps:
acquiring a target external network IP address of a user terminal of a malicious software author;
searching a reference IP address according to the target external network IP address;
searching corresponding reference geographical position information according to the reference IP address;
and determining target geographical location information of the malicious software author according to the reference geographical location information.
2. The method as claimed in claim 1, wherein said searching for the corresponding reference geographical location information according to the reference IP address specifically comprises:
and searching corresponding reference geographical position information from a mapping relation table according to the reference IP address, wherein the mapping relation table comprises the corresponding relation between the external network IP address and the geographical position information.
3. The method as claimed in claim 2, wherein said searching for a reference IP address according to said target extranet IP address specifically comprises:
searching an actual IP address close to the target external network IP address from the mapping relation table;
and taking the actual IP address close to the target external network IP address as a reference IP address.
4. The method as claimed in claim 1, wherein the determining the target geographical location information of the malware author according to the reference geographical location information specifically comprises:
judging whether the reference geographical position information meets the condition of configuring the terminal;
and if the reference geographic position meets the configuration terminal condition, taking the reference geographic position information as target geographic position information of the malicious software author.
5. The malware author geolocation positioning method of claim 4, wherein after said determining if said reference geolocation information meets configuration terminal conditions, said malware author geolocation positioning method further comprises:
if the reference geographic position does not meet the condition of the configuration terminal, acquiring a plurality of geographic position information to be determined within a preset distance range by taking the reference geographic position information as a center;
judging whether the geographical position information to be determined meets the condition of the configuration terminal;
and taking the geographical position information to be determined which meets the condition of the configuration terminal as the target geographical position information of the malicious software author.
6. The method as claimed in any one of claims 1 to 5, wherein the obtaining of the target extranet IP address of the user terminal of the malware author specifically comprises:
acquiring running information of a user terminal of a malicious software author in a preset time period;
extracting a plurality of corresponding IP addresses to be confirmed from the operation information;
calculating the occurrence frequency of each IP address to be confirmed in the preset time period;
and taking the IP address to be confirmed with the highest occurrence frequency as the target external network IP address of the user terminal.
7. The method as claimed in any one of claims 1 to 5, wherein the obtaining of the target extranet IP address of the user terminal of the malware author specifically comprises:
acquiring running information of a user terminal of a malicious software author;
judging whether a preset operation type exists in the running information or not;
if the preset operation type exists in the running information, acquiring operation time corresponding to the preset operation type;
and searching a corresponding target external network IP address according to the operation time.
8. A malware author geolocation locating device characterized in that it comprises: memory, a processor and a malware author geolocation program stored on the memory and executable on the processor, the malware author geolocation program when executed by the processor implementing the steps of the malware author geolocation method as recited in any of claims 1 to 7.
9. A storage medium having stored thereon a malware author geolocation program which, when executed by a processor, implements the steps of a malware author geolocation method as recited in any one of claims 1 to 7.
10. A malware author geolocation locating device, characterized in that it comprises:
the acquisition module is used for acquiring a target external network IP address of a user terminal of a malicious software author;
the searching module is used for searching a reference IP address according to the target external network IP address;
the searching module is further used for searching corresponding reference geographical position information according to the reference IP address;
and the positioning module is used for determining the target geographical position information of the malicious software author according to the reference geographical position information.
CN201911424373.0A 2019-12-31 2019-12-31 Method, device, storage medium and device for positioning geographical position of malicious software author Active CN111225079B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911424373.0A CN111225079B (en) 2019-12-31 2019-12-31 Method, device, storage medium and device for positioning geographical position of malicious software author

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911424373.0A CN111225079B (en) 2019-12-31 2019-12-31 Method, device, storage medium and device for positioning geographical position of malicious software author

Publications (2)

Publication Number Publication Date
CN111225079A true CN111225079A (en) 2020-06-02
CN111225079B CN111225079B (en) 2024-03-05

Family

ID=70829322

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911424373.0A Active CN111225079B (en) 2019-12-31 2019-12-31 Method, device, storage medium and device for positioning geographical position of malicious software author

Country Status (1)

Country Link
CN (1) CN111225079B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844658A (en) * 2021-01-15 2022-08-02 ***通信有限公司研究院 Method, device and storage medium for determining home source address

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8082506B1 (en) * 2004-08-12 2011-12-20 Verizon Corporate Services Group Inc. Geographical vulnerability mitigation response mapping system
CN102571812A (en) * 2011-12-31 2012-07-11 成都市华为赛门铁克科技有限公司 Tracking and identification method and apparatus for network threats
US20160021141A1 (en) * 2014-07-18 2016-01-21 The Regents Of The University Of Michigan Rating network security posture and comparing network maliciousness
CN105791310A (en) * 2016-04-13 2016-07-20 汉柏科技有限公司 Network intrusion event monitoring method and device
US20160323295A1 (en) * 2015-04-28 2016-11-03 Isight Partners, Inc. Computer Imposed Countermeasures Driven by Malware Lineage
CN106572072A (en) * 2015-12-30 2017-04-19 哈尔滨安天科技股份有限公司 Method and system for tracking and positioning attacker
CN106936887A (en) * 2015-12-31 2017-07-07 珠海金山办公软件有限公司 Geographic position locating method and device
US20180048656A1 (en) * 2016-08-12 2018-02-15 Level 3 Communications, Llc Malware detection and prevention system
CN108011987A (en) * 2017-10-11 2018-05-08 北京三快在线科技有限公司 IP address localization method and device, electronic equipment and storage medium
CN108712519A (en) * 2018-05-31 2018-10-26 康键信息技术(深圳)有限公司 IP address localization method, device and storage medium
CN109597869A (en) * 2018-11-30 2019-04-09 杭州芸品绿信息科技有限公司 Screening method for criminal gangs producing malicious websites
CN110149319A (en) * 2019-04-26 2019-08-20 北京奇安信科技有限公司 APT organization tracing method and device, storage medium, electronic device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
杨立; 景运革: "ARP attacks and defense in local area networks", Network Security Technology & Application, no. 08 *
王燕: "Performance analysis of network attack tracing technologies", Computer Applications and Software, no. 02 *
郭立轩; 卓子寒; 何跃鹰; ***; 李舟军: "IP address geolocation method based on neighboring sequences", Computer Science, no. 01 *

Also Published As

Publication number Publication date
CN111225079B (en) 2024-03-05

Similar Documents

Publication Publication Date Title
CN109086377B (en) Device profile generation method and device, and computing device
CN102880613A (en) Identification method of porno pictures and equipment thereof
JP2019520662A (en) Content-based search and retrieval of trademark images
CN112688810B (en) Network asset information acquisition method, equipment and readable storage medium
CN108353083A (en) System and method for detecting domain generation algorithm (DGA) malware
CN112615873B (en) Internet of things equipment safety detection method, equipment, storage medium and device
CN110929203A (en) Abnormal user identification method, device, equipment and storage medium
CN106357835B (en) Method and equipment for determining region of target IP address
CN112148305A (en) Application detection method and device, computer equipment and readable storage medium
CN112580047A (en) Industrial malicious code marking method, equipment, storage medium and device
CN110324352B (en) Method and device for identifying batch registered account groups
CN111225079B (en) Method, device, storage medium and device for positioning geographical position of malicious software author
CN112632528A (en) Threat information generation method, equipment, storage medium and device
CN113360895A (en) Station group detection method and device and electronic equipment
KR101648349B1 (en) Apparatus and method for calculating risk of web site
CN109325348B (en) Application security analysis method and device, computing equipment and computer storage medium
CN113364780B (en) Network attack victim determination method, equipment, storage medium and device
KR101479834B1 (en) Method of exposing an advertisement based on user behavior and device thereof
CN110825976B (en) Website page detection method and device, electronic equipment and medium
US20170169454A1 (en) Identifying business online social presence with name and address using spatial filters
US8909795B2 (en) Method for determining validity of command and system thereof
CN109359462B (en) Virtual standby identification method, equipment, storage medium and device
CN113312261A (en) Test case screening method, test case screening equipment, storage medium and device
CN111800391A (en) Method and device for detecting port scanning attack, electronic equipment and storage medium
CN111209569A (en) Association expansion method, device, storage medium and device of malicious software author

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant