WO2024113953A1 - C2 server identification method and apparatus, electronic device and readable storage medium - Google Patents


Info

Publication number
WO2024113953A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
preset rule
preset
suspicious
devices
Prior art date
Application number
PCT/CN2023/112751
Other languages
English (en)
Chinese (zh)
Inventor
王奕雄
李艳军
Original Assignee
北京知道创宇信息技术股份有限公司
Priority date
Filing date
Publication date
Application filed by 北京知道创宇信息技术股份有限公司
Publication of WO2024113953A1

Links

Definitions

  • the present disclosure relates to the field of communication technology, and in particular to a C2 server identification method, device, electronic device and readable storage medium.
  • A C2 server (Command & Control server), also called a C&C server, is the infrastructure through which an attacker relays commands to hosts that a virus or trojan has brought under control.
  • In related technologies, C2 servers are discovered mainly by security staff detecting back-connection (call-back) behavior in the victim's network traffic or on the victim's terminal. This is very inefficient, and the C2 server can only be discovered after a virus or trojan is already known to have been implanted.
  • The IP address or domain name of the C2 server therefore cannot be discovered in advance, so blocking and protection cannot be put in place in advance.
  • the embodiments of the present disclosure provide a C2 server identification method, device, electronic device and readable storage medium, which can actively identify C2 servers from the massive targets exposed on the Internet, so that newly launched C2 assets that have not been used can be discovered, facilitating early blocking and protection.
  • the embodiments of the present disclosure adopt the following implementation scheme, which at least achieves the effects of early blocking and protection.
  • Some embodiments of the present disclosure provide a C2 server identification method, which may include:
  • for each candidate device, first device information of the candidate device is obtained through asset detection, wherein a candidate device is the device corresponding to each asset that can be searched during asset detection;
  • a C2 server is determined from the candidate devices according to a preset rule and the first device information, wherein the preset rule is a rule set according to the features of known C2 servers.
  • the preset rule includes a first preset rule
  • determining the C2 server from the candidate devices according to the preset rule and the first device information may include:
  • for each candidate device, the first device information of the candidate device is matched with the first preset rule, and a candidate device whose first device information matches the first preset rule is regarded as a suspicious device;
  • a C2 server is determined from the determined suspicious devices.
  • the preset rule further includes a second preset rule that is different from the first preset rule, and determining the C2 server from the determined suspicious devices may include:
  • obtaining a detection message constructed according to the type of the C2 server; for each suspicious device, performing deep interaction with the suspicious device according to each type of detection message to obtain second device information of the suspicious device, wherein the second device information includes HTTP service configuration parameters of the suspicious device;
  • for each suspicious device, matching the second device information of the suspicious device with the second preset rule to determine whether the suspicious device is a C2 server.
  • obtaining a detection message constructed according to the type of the C2 server may include:
  • constructing, according to the protocol characteristics corresponding to different types of C2 servers, a detection message corresponding to those protocol characteristics.
  • the second device information may include at least one of a host header, a beacon type, a proxy type, and an API connection address.
  • the preset parameters in the first preset rule include at least one of preset header information, a preset HTTP service status code, a preset transmission text type and a preset text length, and for each candidate device, matching the first device information of the candidate device with the first preset rule may include:
  • comparing each piece of information in the first device information with the preset parameter of the same type in the first preset rule, and determining a matching result based on the obtained comparison results.
  • Other embodiments of the present disclosure provide a C2 server identification device, which may include:
  • a detection module configured to obtain first device information of each of the to-be-selected devices through asset detection, wherein the to-be-selected devices are devices corresponding to each of the assets that can be searched during asset detection;
  • An identification module is configured to determine a C2 server from the candidate devices according to a preset rule and the first device information, wherein the preset rule is a rule set according to features of a known C2 server.
  • the preset rule includes a first preset rule
  • the identification module may be specifically configured to:
  • for each candidate device, match the first device information of the candidate device with the first preset rule, and regard a candidate device whose first device information matches the first preset rule as a suspicious device;
  • a C2 server is determined from the determined suspicious devices.
  • the preset rule further includes a second preset rule that is different from the first preset rule, and the identification module may be configured to:
  • obtain a detection message constructed according to the type of the C2 server; for each suspicious device, perform deep interaction with the suspicious device according to each type of detection message to obtain second device information of the suspicious device, wherein the second device information includes HTTP service configuration parameters of the suspicious device;
  • for each suspicious device, match the second device information of the suspicious device with the second preset rule to determine whether the suspicious device is a C2 server.
  • the identification module may be configured to: construct, according to the protocol characteristics corresponding to different types of C2 servers, a detection message corresponding to those protocol characteristics.
  • the second device information may include at least one of a host header, a beacon type, a proxy type, and an API connection address.
  • the preset parameters in the first preset rule include at least one of preset header information, a preset HTTP service status code, a preset transmission text type and a preset text length, and the identification module may be configured to:
  • compare each piece of information in the first device information with the preset parameter of the same type in the first preset rule, and determine a matching result based on the obtained comparison results.
  • Still other embodiments of the present disclosure provide an electronic device, which may include a processor and a memory, wherein the memory stores machine-executable instructions that can be executed by the processor, and the processor can execute the machine-executable instructions to implement the C2 server identification method described in the aforementioned embodiment.
  • Still other embodiments of the present disclosure provide a readable storage medium having a computer program stored thereon.
  • When the computer program is executed by a processor, the C2 server identification method described in the aforementioned embodiments is implemented.
  • The C2 server identification method, device, electronic device and readable storage medium provided by the embodiments of the present disclosure obtain, for each candidate device, the first device information of the candidate device through asset detection, where a candidate device is the device corresponding to each asset that can be searched during asset detection. The C2 server is then determined from the candidate devices according to the preset rules and the first device information, the preset rules being set according to the characteristics of known C2 servers. In this way, both C2 servers already in use and newly launched C2 servers that have not yet been used can be proactively identified among the massive number of targets exposed on the Internet, so that newly launched, not-yet-used C2 servers can be blocked and protected against early.
  • FIG1 is a block diagram of an electronic device provided by an embodiment of the present disclosure.
  • FIG2 is a flow chart of a C2 server identification method provided in an embodiment of the present disclosure.
  • FIG3 is a schematic flow chart of the sub-steps included in step S120 in FIG2 ;
  • FIG4 is a schematic flow chart of the sub-steps included in sub-step S121 in FIG3 ;
  • FIG5 is a schematic flow chart of the sub-steps included in sub-step S123 in FIG3 ;
  • FIG6 is a schematic diagram of second device information provided by an embodiment of the present disclosure.
  • FIG. 7 is a block diagram of a C2 server identification device provided in an embodiment of the present disclosure.
  • Reference numerals: 100 - electronic device; 110 - memory; 120 - processor; 130 - communication unit; 200 - C2 server identification device; 210 - detection module; 220 - identification module.
  • In related technologies, C2 servers are generally discovered in the following two ways.
  • Method 1: by analyzing security events, the addresses to which detected viruses and trojans connect back are extracted, and the C2 server is then passively discovered by manual judgement.
  • Method 2: C2 IP addresses and domain names are collected from open-source threat intelligence and judged manually, which again identifies the C2 server only passively.
  • the embodiments of the present disclosure provide a C2 server identification method, device, electronic device and readable storage medium, which can actively identify used C2 servers and newly launched C2 servers that have not been used from the massive targets exposed on the Internet, so as to facilitate early blocking and protection, while reducing dependence on open source intelligence and manual work; and, by completing the identification of C2 servers in an automated manner, it can improve discovery efficiency and reduce labor costs.
  • FIG. 1 is a block diagram of an electronic device 100 provided in an embodiment of the present disclosure.
  • the electronic device 100 may be, but is not limited to, a computer, a server, etc.
  • the electronic device 100 may include a memory 110, a processor 120, and a communication unit 130.
  • the memory 110, the processor 120, and the communication unit 130 may be electrically connected to each other directly or indirectly to achieve data transmission or interaction.
  • these components may be electrically connected to each other via one or more communication buses or signal lines.
  • the memory 110 may be used to store programs or data.
  • the memory 110 may be, but is not limited to, a random access memory (RAM), a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable read-only memory (EEPROM), etc.
  • the processor 120 can be used to read/write data or programs stored in the memory 110 and execute corresponding functions.
  • the memory 110 stores a C2 server identification device 200
  • the C2 server identification device 200 may include at least one software function module that can be stored in the memory 110 in the form of software or firmware.
  • the processor 120 can execute various functional applications and data processing by running software programs and modules stored in the memory 110, such as the C2 server identification device 200 in the embodiment of the present disclosure, that is, to implement the C2 server identification method in the embodiment of the present disclosure.
  • the communication unit 130 may be used to establish a communication connection between the electronic device 100 and other communication terminals through a network, and to send and receive data through the network.
  • FIG1 is only a schematic diagram of the structure of the electronic device 100, and the electronic device 100 may also include more or fewer components than those shown in FIG1, or may have a configuration different from that shown in FIG1.
  • Each component shown in the figure can be implemented by hardware, software or a combination thereof.
  • FIG. 2 is a schematic diagram of the process of the C2 server identification method provided in the embodiment of the present disclosure.
  • the C2 server identification method can be applied to the above-mentioned electronic device 100.
  • the specific process of the C2 server identification method is described in detail below.
  • the C2 server identification method may include steps S110 to S120.
  • Step S110: for each candidate device, obtain first device information of the candidate device through asset detection.
  • Step S120: determine a C2 server from the candidate devices according to a preset rule and the first device information.
  • each asset that can be searched during asset detection may include a domain name, an IP address, etc.
  • the device corresponding to each asset may be used as a candidate device, and the first device information of each candidate device is obtained through asset detection. Then, based on the preset rules and the first device information of each candidate device, the C2 server is determined from the candidate devices.
  • the preset rules are rules set according to the characteristics of the known C2 servers.
  • each candidate device on the Internet can be detected through a cyberspace search engine to obtain the first device information of each candidate device.
  • the preset rule may include a first preset rule, and the first preset rule may include the common characteristics of C2 devices.
  • the type of information in the first device information may be the same as the type of information in the first preset rule, so that matching is convenient.
  • Figure 3 is a flow chart of the sub-steps included in step S120 in Figure 2.
  • step S120 may include sub-steps S121 to S123.
  • Sub-step S121: for each candidate device, match the first device information of the candidate device with the first preset rule.
  • the first device information of the to-be-selected device may be compared with the information in the first preset rule to obtain a matching result.
  • the first preset rule may be specifically set in combination with actual requirements.
  • the preset parameters of the first preset rule may include at least one of preset header information, preset HTTP service status code, preset transmission text type and preset text length, and the matching result can be obtained by the method shown in FIG4.
  • FIG4 is a flow chart of the sub-steps included in sub-step S121 in FIG3.
  • sub-step S121 may include sub-steps S1211 to S1212.
  • Sub-step S1211: compare each piece of information in the first device information with the preset parameter of the same type in the first preset rule.
  • Sub-step S1212: determine a matching result according to the obtained comparison results.
  • Information of a given type in the first device information is compared with the preset parameter of the same type in the first preset rule.
  • For example, when the preset parameters of the first preset rule include preset header information, a preset HTTP service status code, a preset transmission text type and a preset text length, the HTTP header of the candidate device is obtained through asset detection, and the actual header information, the actual status code, the actual transmission text type and the actual text length are read from it. The preset header information in the first preset rule is then compared with the actually detected header information, the preset HTTP service status code with the actual status code, the preset transmission text type with the actual transmission text type, and the preset text length with the actual text length.
  • the specific method of determining the matching result based on the comparison result can be set in combination with actual needs. For example, when one piece of information matches, the matching result can be determined to be a match; or when all pieces of information match, the matching result can be determined to be a match.
  • For example, if the first preset rule is set to "HTTP/1.1 404 Not Found" + "Content-Type: text/plain" + "Content-Length: 0", then for each candidate device it is determined whether its status code is 404 Not Found, whether its transmission text type is text/plain and whether its text length is 0. When all three hold for a candidate device, its first device information is determined to match the first preset rule. Such a response triple is only a weak signal on its own, since an ordinary web server can be configured to return it as well, which is why a match marks the device as suspicious rather than confirming it as a C2 server.
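The stage-one screening of sub-steps S1211 and S1212 with the example rule above, written out as an added example that is not code from the patent or its assignee. The asset-scan records are constructed (RFC 5737 documentation addresses), and the rule reproduces the 404 / text/plain / Content-Length: 0 triple. The policy flag covers both match policies the page allows (every preset parameter must match, or any one suffices); the parser strips media-type parameters and lower-cases header names so a response such as "content-type: TEXT/PLAIN; charset=us-ascii" still compares equal to the preset text/plain.

```python
"""Stage-one screening of asset-scan records against a first preset rule.
Added example, not the patent's code. Scan records below are constructed;
the rule is the page's 404 + text/plain + Content-Length: 0 example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed first device information: the raw HTTP response an asset-scan
# engine stored per candidate (RFC 5737 documentation addresses, not real hosts).
SCAN_RESULTS: Dict[str, bytes] = {
    "198.51.100.10:80": (b"HTTP/1.1 404 Not Found\r\n"
                         b"Content-Type: text/plain\r\n"
                         b"Content-Length: 0\r\n\r\n"),
    "198.51.100.11:80": (b"HTTP/1.1 404 Not Found\r\n"
                         b"Content-Type: text/html; charset=utf-8\r\n"
                         b"Content-Length: 22\r\n\r\n<html>not found</html>"),
    "198.51.100.12:443": (b"HTTP/1.1 200 OK\r\n"
                          b"Content-Type: text/plain\r\n"
                          b"Content-Length: 0\r\n\r\n"),
    # Status line only: the "only HTTP/1.1 404" case the page mentions.
    "198.51.100.13:80": b"HTTP/1.1 404 Not Found\r\n\r\n",
    # Same triple, different header casing plus a charset parameter.
    "198.51.100.14:8080": (b"HTTP/1.1 404 Not Found\r\n"
                           b"content-type: TEXT/PLAIN; charset=us-ascii\r\n"
                           b"Content-Length: 0\r\n\r\n"),
    # Not an HTTP service at all.
    "198.51.100.15:22": b"SSH-2.0-OpenSSH_9.3\r\n",
}

@dataclass
class FirstDeviceInfo:
    status_code: Optional[int] = None
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased
    content_type: Optional[str] = None   # media type only, parameters stripped
    content_length: Optional[int] = None

def parse_first_device_info(raw: bytes) -> FirstDeviceInfo:
    """Extract status code, headers, media type and declared body length."""
    info = FirstDeviceInfo()
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return info  # not an HTTP response: every field stays None
    info.status_code = int(parts[1])
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            info.headers[name.strip().lower()] = value.strip()
    ctype = info.headers.get("content-type")
    if ctype is not None:
        info.content_type = ctype.split(";", 1)[0].strip().lower()
    clen = info.headers.get("content-length")
    if clen is not None and clen.isdigit():
        info.content_length = int(clen)
    return info

@dataclass
class FirstPresetRule:
    """Preset parameters of a first preset rule; None means 'not part of the rule'."""
    status_code: Optional[int] = None
    content_type: Optional[str] = None
    content_length: Optional[int] = None
    headers: Dict[str, str] = field(default_factory=dict)  # exact name/value pairs
    policy: str = "all"  # "all": every parameter must match; "any": one suffices

def compare(info: FirstDeviceInfo, rule: FirstPresetRule) -> Dict[str, bool]:
    """Sub-step S1211: compare each piece of information with the same-typed preset parameter."""
    results: Dict[str, bool] = {}
    if rule.status_code is not None:
        results["status_code"] = info.status_code == rule.status_code
    if rule.content_type is not None:
        results["content_type"] = info.content_type == rule.content_type.lower()
    if rule.content_length is not None:
        results["content_length"] = info.content_length == rule.content_length
    for name, value in rule.headers.items():
        results["header:" + name.lower()] = info.headers.get(name.lower()) == value
    return results

def matches_first_rule(info: FirstDeviceInfo, rule: FirstPresetRule) -> bool:
    """Sub-step S1212: reduce the comparison results to one matching result."""
    results = compare(info, rule)
    if not results:
        return False  # an empty rule marks nothing as suspicious
    return all(results.values()) if rule.policy == "all" else any(results.values())

def screen_candidates(scan: Dict[str, bytes], rule: FirstPresetRule) -> List[str]:
    """Sub-steps S121 and S122: candidates whose first device information matches become suspicious."""
    return [asset for asset, raw in scan.items()
            if matches_first_rule(parse_first_device_info(raw), rule)]

# The page's example rule.
RULE_404_PLAIN_EMPTY = FirstPresetRule(status_code=404, content_type="text/plain", content_length=0)

if __name__ == "__main__":
    for asset in screen_candidates(SCAN_RESULTS, RULE_404_PLAIN_EMPTY):
        print("suspicious:", asset)
```

Under the "all" policy only the two assets returning the full triple are marked suspicious; the candidate that answers with nothing but the "HTTP/1.1 404" status line does not match, because its missing content type and length compare as absent rather than as zero. Switching the rule to policy "any" would sweep in every 404 and every empty text/plain response, which shows why the page treats the first preset rule as a coarse filter whose output still needs the secondary screening.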
  • Sub-step S122: regard a candidate device whose first device information matches the first preset rule as a suspicious device.
  • Sub-step S123: determine a C2 server from the determined suspicious devices.
  • Since the first preset rule is set based on the known characteristics of C2 servers, a candidate device whose first device information matches the first preset rule exhibits, as far as that information shows, characteristics of a C2 server. Such a candidate device is regarded as a suspicious device. A secondary screening method can then be set according to actual needs to determine the C2 server from the determined suspicious devices.
  • the preset rule may further include a second preset rule, and the first preset rule and the second preset rule may be different, and secondary screening may be performed in the manner shown in FIG5.
  • FIG5 is a flowchart of the sub-steps included in sub-step S123 in FIG3.
  • sub-step S123 may include sub-steps S1231 to S1233.
  • Sub-step S1231: obtain a detection message constructed according to the type of the C2 server.
  • A C2 server may return only an HTTP header, for example only "HTTP/1.1 404", from which it is difficult to obtain second device information that contains more detailed information.
  • corresponding detection messages can be constructed according to various known types of C2 servers, so as to obtain the response of the C2 server of this type, and then extract the second device information from the response.
  • detection messages corresponding to the protocol characteristics can be constructed according to the protocol characteristics corresponding to different types of C2 servers.
  • a probe message can be constructed based on the characteristics of the C2 device.
  • The probe message can make the C2 device return a response that includes more detailed device information. For example, if a C2 device uses a normal HTTP connection without any specific configuration and interacts on port 80, the probe message can be constructed for port 80.
  • the number of constructed probe messages can be the same as the number of protocol characteristics. For example, if there are 5 protocol characteristics, 5 probe messages can be constructed.
  • The detection message may be constructed by the electronic device 100 itself, or constructed by another device and obtained from it.
  • Sub-step S1232: for each suspicious device, perform deep interaction with the suspicious device according to each type of detection message to obtain second device information of the suspicious device.
  • For example, the open-source grab_beacon_config.nse script for the Nmap Scripting Engine can be used to perform batch concurrent detection based on the various constructed detection messages, thereby obtaining the second device information of each suspicious device and improving detection speed.
  • various types of detection messages constructed are used to detect the suspicious device.
  • the second device information may include the HTTP service configuration parameters of the suspicious device.
  • the second device information may include at least one of a host header, a beacon type, a proxy type, and an API connection address.
  • The second device information may be as shown in FIG. 6, and may include a host header (Host Header), a proxy type (Proxy_AccessType), a beacon type (Beacon Type) and an API connection address (api_connnect).
  • Sub-step S1233: for each suspicious device, match the second device information of the suspicious device with the second preset rule to determine whether the suspicious device is a C2 server.
  • the information in the second device information of the same type can be compared with the corresponding information in the second preset rule.
  • For example, when the second device information includes a host header and a proxy type, and the second preset rule includes a preset host header and a preset proxy type, the host header is compared with the preset host header and the proxy type is compared with the preset proxy type.
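The secondary screening of sub-steps S1231 to S1233 (one probe per protocol characteristic, deep interaction, and matching of the extracted second device information against the second preset rule), as an added example that is not code from the patent, its assignee or the grab_beacon_config.nse script. The transport is injected, so the block runs offline against constructed responses keyed by host and probe; the probe names other than the page's plain-HTTP-on-port-80 case, the "Key: Value" report format, the field names and the rule values are all assumptions. It goes slightly beyond the page in letting a rule require a field to be present regardless of its value, and in batching the suspicious devices over a thread pool as the page's concurrent detection suggests.

```python
"""Stage-two screening: probe suspicious devices, extract second device
information and match it against a second preset rule. Added example, not the
patent's code; the transport is injected so it runs offline on constructed data."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class ProbeMessage:
    characteristic: str  # protocol characteristic it targets (assumed names)
    port: int
    payload: bytes

def build_probes(host: str) -> List[ProbeMessage]:
    """Sub-step S1231: one probe per protocol characteristic (port 80 plain HTTP is the page's case)."""
    get = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n"
    return [ProbeMessage("http-plain-80", 80, get),
            ProbeMessage("http-alt-8080", 8080, get),
            ProbeMessage("https-443", 443, get)]

def deep_interaction(host: str, transport: Callable[[str, ProbeMessage], bytes]) -> Dict[str, bytes]:
    """Sub-step S1232: send every probe; a closed port or timeout yields no data."""
    responses: Dict[str, bytes] = {}
    for probe in build_probes(host):
        try:
            responses[probe.characteristic] = transport(host, probe)
        except OSError:
            responses[probe.characteristic] = b""
    return responses

@dataclass
class SecondDeviceInfo:
    host_header: Optional[str] = None
    beacon_type: Optional[str] = None
    proxy_type: Optional[str] = None
    api_connect: Optional[str] = None

# Assumed report line names -> SecondDeviceInfo attributes.
FIELD_MAP = {"host header": "host_header", "beacon type": "beacon_type",
             "proxy type": "proxy_type", "api connect": "api_connect"}

def extract_second_info(responses: Dict[str, bytes]) -> SecondDeviceInfo:
    """Merge 'Key: Value' lines from all probes; status lines and plain HTTP headers are ignored."""
    info = SecondDeviceInfo()
    for raw in responses.values():
        for line in raw.decode("latin-1", "replace").splitlines():
            key, sep, value = line.partition(":")
            attr = FIELD_MAP.get(key.strip().lower())
            if sep and attr and value.strip():
                setattr(info, attr, value.strip())
    return info

@dataclass
class SecondPresetRule:
    expected: Dict[str, Set[str]] = field(default_factory=dict)  # attr -> allowed values
    required: Set[str] = field(default_factory=set)              # attrs that must be present

def matches_second_rule(info: SecondDeviceInfo, rule: SecondPresetRule) -> bool:
    """Sub-step S1233: required fields present and expected fields within their allowed sets."""
    if not rule.expected and not rule.required:
        return False  # an empty rule confirms nothing
    if any(getattr(info, attr) is None for attr in rule.required):
        return False
    return all(getattr(info, attr) in allowed for attr, allowed in rule.expected.items())

def identify_c2(suspicious: List[str], transport: Callable[[str, ProbeMessage], bytes],
                rule: SecondPresetRule, workers: int = 8) -> List[str]:
    """Deep-interact with a batch of suspicious devices concurrently; keep those satisfying the rule."""
    def check(host: str) -> Tuple[str, bool]:
        info = extract_second_info(deep_interaction(host, transport))
        return host, matches_second_rule(info, rule)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [host for host, ok in pool.map(check, suspicious) if ok]

# Constructed responses keyed by (host, probe characteristic), RFC 5737 addresses.
# A missing key models a closed port.
CONSTRUCTED: Dict[Tuple[str, str], bytes] = {
    ("198.51.100.10", "http-plain-80"): (b"Beacon Type: HTTP\r\nHost Header: cdn.example.net\r\n"
                                         b"Proxy Type: manual\r\nAPI Connect: /api/v1/connect\r\n"),
    ("198.51.100.14", "http-plain-80"): b"HTTP/1.1 404 Not Found\r\n\r\n",  # status line only
    ("198.51.100.14", "https-443"): b"Beacon Type: HTTPS\r\nProxy Type: direct\r\n",
    ("198.51.100.20", "http-plain-80"): b"Beacon Type: DNS\r\nHost Header: \r\nProxy Type: manual\r\n",
}

def stub_transport(host: str, probe: ProbeMessage) -> bytes:
    try:
        return CONSTRUCTED[(host, probe.characteristic)]
    except KeyError:
        raise OSError("connection refused")  # stands in for a refused or timed-out connection

# Example second preset rules (values assumed).
RULE_HTTP_BEACON = SecondPresetRule(expected={"beacon_type": {"HTTP", "HTTPS"},
                                              "proxy_type": {"manual", "direct"}})
RULE_HTTP_BEACON_WITH_HOST = SecondPresetRule(expected=RULE_HTTP_BEACON.expected,
                                              required={"host_header"})

if __name__ == "__main__":
    hosts = ["198.51.100.10", "198.51.100.14", "198.51.100.20", "198.51.100.99"]
    print("c2:", identify_c2(hosts, stub_transport, RULE_HTTP_BEACON))
```

The host that answers the port-80 probe with nothing but "HTTP/1.1 404" contributes no fields from that probe, which is the situation the page describes; it is only confirmed because a second probe returns a fuller response. The stricter rule that requires a host header drops it again, and a host whose ports are all closed is never confirmed because every field stays absent.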
  • The asset identifier of the candidate device determined to be a C2 server, such as a domain name and/or an IP address, can be used as the identifier of the C2 server. Blocking and protection can then be performed based on that identifier to avoid attacks from the C2 server.
  • The method identifies C2 servers by active detection. It first performs a preliminary screening among the massive number of targets exposed on the Internet according to the first preset rule, which is generated from the commonality of C2 devices, and produces a smaller target pool; this reduces the number of devices that later need deep interaction and so speeds up deep-interaction detection. The system then interacts deeply, in batches, with the suspicious devices identified by the preliminary screening according to the characteristics of different C2 devices, and identifies C2 devices in batches from the information obtained through that interaction and the second preset rules generated from those characteristics. In this way, global cyberspace assets can be detected automatically and actively, C2 servers (known and unknown) can be discovered quickly and accurately, and reliance on open-source intelligence and manual work is reduced.
  • the C2 server identification device 200 can adopt the device structure of the electronic device 100 shown in Figure 1 above.
  • Figure 7 is a block diagram of the C2 server identification device 200 provided in the embodiment of the present disclosure. It should be noted that the basic principle and technical effect of the C2 server identification device 200 provided in this embodiment are the same as those in the above-mentioned embodiments.
  • the C2 server identification device 200 may include: a detection module 210 and an identification module 220.
  • the detection module 210 may be configured to obtain first device information of each candidate device through asset detection, wherein a candidate device is the device corresponding to each asset that can be searched during asset detection.
  • the identification module 220 may be configured to determine a C2 server from the candidate devices according to a preset rule and the first device information, wherein the preset rule is a rule set according to the characteristics of known C2 servers.
  • the preset rules may include a first preset rule
  • the identification module 220 may be specifically configured to: for each candidate device, match the first device information of the candidate device with the first preset rule; regard a candidate device whose first device information matches the first preset rule as a suspicious device; and determine the C2 server from the determined suspicious devices.
  • the preset rules may further include a second preset rule, the first preset rule and the second preset rule may be different, and the identification module 220 may be specifically configured to: obtain a detection message constructed according to the type of the C2 server; for each of the suspicious devices, deeply interact with the suspicious device according to each type of detection message to obtain second device information of the suspicious device, wherein the second device information includes the HTTP service configuration parameters of the suspicious device; for each of the suspicious devices, match the second device information of the suspicious device with the second preset rule to determine whether the suspicious device is a C2 server.
  • the identification module 220 may be specifically configured to: construct a detection message corresponding to the protocol characteristics according to the protocol characteristics corresponding to different types of C2 servers.
  • the second device information may include at least one of a host header, a beacon type, a proxy type, and an API connection address.
  • the preset parameters in the first preset rule may include at least one of preset header information, preset HTTP service status code, preset transmission text type and preset text length
  • the identification module 220 may be specifically configured to: compare each piece of information in the first device information with the preset parameter of the same type in the first preset rule, and determine the matching result according to the comparison results.
  • the above modules can be stored in the memory 110 shown in FIG. 1 in the form of software or firmware, or can be fixed in the operating system (OS) of the electronic device 100, and can be executed by the processor 120 in FIG. 1.
  • the data, program codes, etc. required to execute the above modules can be stored in the memory 110.
  • The embodiments of the present disclosure further provide a readable storage medium on which a computer program is stored.
  • When the computer program is executed by a processor, the C2 server identification method is implemented.
  • the embodiments of the present disclosure provide a C2 server identification method, device, electronic device and readable storage medium.
  • the first device information of each candidate device is obtained through asset detection.
  • the candidate device is the device corresponding to each asset that can be searched during asset detection.
  • The C2 server is determined from the candidate devices according to the preset rules and the first device information.
  • the preset rules are rules set according to the characteristics of the known C2 servers. In this way, it is possible to actively identify the used C2 servers and the newly launched C2 servers that have not been used from the massive targets exposed on the Internet, so as to facilitate early blocking and protection of the newly launched C2 servers that have not been used.
  • each box in the flowchart or block diagram can represent a module, a program segment or a part of a code, and the module, program segment or a part of the code contains one or more executable instructions for implementing the specified logical function.
  • the functions marked in the box can also occur in an order different from that marked in the accompanying drawings.
  • each box in the block diagram and/or flowchart, and the combination of boxes in the block diagram and/or flowchart can be implemented with a dedicated hardware-based system that performs a specified function or action, or can be implemented with a combination of dedicated hardware and computer instructions.
  • the functional modules in the various embodiments of the present disclosure may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
  • If the functions are implemented in the form of software function modules and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present disclosure or the part that contributes to the relevant technology or the part of the technical solution, can be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for a computer device (which can be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present disclosure.
  • the aforementioned storage medium includes: various media that can store program codes, such as a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
  • the embodiments of the present disclosure provide a C2 server identification method, device, electronic device and readable storage medium, which relate to the field of communication technology.
  • the C2 server identification method includes: for each candidate device, obtaining the first device information of each candidate device through asset detection, wherein the candidate device is the device corresponding to each asset that can be searched during asset detection; according to preset rules and the first device information, determining the C2 server from the candidate devices, wherein the preset rules are rules set according to the characteristics of known C2 servers.
  • the C2 server identification device of the present disclosure is reproducible and can be used in a variety of industrial applications.
  • The C2 server identification device of the present disclosure can be used in any application that requires a C2 server to be identified.

Landscapes

  • Computer And Data Communications (AREA)

Abstract

According to embodiments, the present invention relates to the technical field of communications, and concerns a C2 server identification method and apparatus, an electronic device and a readable storage medium. The C2 server identification method comprises: for candidate devices, obtaining first device information of the candidate devices by means of asset detection, the candidate devices being devices corresponding to assets that can be found during asset detection; and determining a C2 server among the candidate devices according to preset rules and the first device information, the preset rules being rules established according to the known characteristics of C2 servers. Consequently, a C2 server that is in use and a C2 server that has newly come online and is not yet in use can be actively identified among the massive targets exposed on the Internet, so that blocking and protection can be carried out in advance for the C2 server that has newly come online and is not yet in use.
PCT/CN2023/112751 2022-12-02 2023-08-11 C2 server identification method and apparatus, electronic device and readable storage medium WO2024113953A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211539414.2A CN115955333A (zh) 2022-12-02 2022-12-02 C2 server identification method, device, electronic device and readable storage medium
CN202211539414.2 2022-12-02

Publications (1)

Publication Number Publication Date
WO2024113953A1 true WO2024113953A1 (fr) 2024-06-06

Family

ID=87295870

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/112751 WO2024113953A1 (fr) 2022-12-02 2023-08-11 C2 server identification method and apparatus, electronic device and readable storage medium

Country Status (2)

Country Link
CN (1) CN115955333A (fr)
WO (1) WO2024113953A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115955333A (zh) * 2022-12-02 2023-04-11 北京知道创宇信息技术股份有限公司 C2 server identification method, device, electronic device and readable storage medium

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106230800A (zh) * 2016-07-25 2016-12-14 恒安嘉新(北京)科技有限公司 Method for active asset probing and vulnerability early warning
CN106453386A (zh) * 2016-11-09 2017-02-22 深圳市魔方安全科技有限公司 Automated Internet asset monitoring and risk detection method based on distributed technology
US20210058411A1 (en) * 2018-02-15 2021-02-25 Nippon Telegraph And Telephone Corporation Threat information extraction device and threat information extraction system
CN113949748A (zh) * 2021-10-15 2022-01-18 北京知道创宇信息技术股份有限公司 Network asset identification method and device, storage medium and electronic device
CN114363053A (zh) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Attack identification method and device and related equipment
CN115955333A (zh) * 2022-12-02 2023-04-11 北京知道创宇信息技术股份有限公司 C2 server identification method, device, electronic device and readable storage medium

Also Published As

Publication number Publication date
CN115955333A (zh) 2023-04-11
