
CN105516096A - Botnet network discovery technology and apparatus - Google Patents


Info

Publication number
CN105516096A
Authority
CN
China
Prior art keywords
network
model
traffic
information
data
Legal status
Granted; Expired - Fee Related
Application number
CN201510856177.6A
Other languages
Chinese (zh)
Other versions
CN105516096B (en)
Inventor
沈能辉
Current Assignee
Rui Feng Network Cloud (beijing) Polytron Technologies Inc
Original Assignee
Rui Feng Network Cloud (beijing) Polytron Technologies Inc
Priority date
2015-11-30
Filing date
2015-11-30
Publication date
2016-04-20

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a botnet discovery technique comprising the following steps: capturing network information traffic and generating traffic data; partitioning the network devices into a corresponding network organizational chart according to the network segment information and VLAN (Virtual Local Area Network) partitioning information of the IP (Internet Protocol) addresses in the generated network data and a behaviour analysis of the related data, and generating a network traffic model graph according to the network organizational chart; comparing the access behaviour of a device against the network traffic model graph; and judging, according to the result of the comparison, whether the device is a suspicious access source. The beneficial effects of the technique are that a data traffic model is generated by capturing network information; the information of the devices accessing the network is compared against the data traffic model in order to judge the safety of the access device; the related suspicious access sources of a suspicious access device can be found; and the safe use of the network devices is ensured.

Description

Botnet discovery technique and device
Technical field
The present invention relates to a method of monitoring network viruses, and specifically to a botnet discovery technique and device.
Background technology
A botnet is a one-to-many controllable network formed between a controller and infected hosts by using one or more communication means to infect a large number of hosts with a bot program virus. The attacker spreads the bot program to a large number of hosts on the Internet by all kinds of means; the infected hosts then receive the attacker's instructions through a control channel and together form a botnet. The name "botnet" (zombie network) is used to make the nature of this harm more vivid: like the zombie hordes of ancient Chinese legend, numerous computers are unconsciously driven and commanded by others and become a tool exploited by them. At present, however, no technique can effectively monitor the intrusion of bot viruses.
No effective solution to this problem in the related art has yet been proposed.
Summary of the invention
The object of the invention is to provide a botnet discovery technique and device that overcome the above shortcomings of the currently available technology.
This object is achieved through the following technical solution:
A botnet discovery technique comprising the following steps:
capturing, by an existing packet capture tool, the network information traffic of all seven OSI layers of each network device in the same network topology, and using a data generating apparatus to generate traffic data from the captured network traffic;
generating a corresponding network structure graph according to the network segment information and VLAN partitioning information of the IP addresses in the generated network data and a behavioural analysis of the related data, and generating a network traffic model according to the network structure graph;
comparing the access information of each subnet received by the server with the network traffic model that has been formed, and judging the similarity of the traffic behaviour;
if the traffic behaviour is normal after the access information has been compared with the network traffic model, further updating the network traffic model;
when suspicious traffic behaviour lying outside the network traffic model graph is found, carrying out similarity analysis on the IP address of that access device in order to find the other suspicious connected devices of the access point.
Further, the network traffic information comprises the generated traffic data, which comprises capture time, source IP, destination IP, source port, destination port, application protocol, direction, packet count, byte count, identification field and TCP sequence number.
Further, the network traffic model comprises the following proxy information: number of new connections, number of concurrent connections, destination server type, destination server address, mean packet length, connection duration and connection purpose.
A botnet discovery device comprising a traffic capture device, a network traffic model establishing device, a similarity judging device, a network traffic model updating device and a suspect device search device, wherein:
the traffic capture device captures, by means of an existing packet capture tool, the network information traffic of all seven OSI layers of each network device in the same network topology, and uses a data generating apparatus to generate traffic data from the captured network traffic;
the network traffic model establishing device generates a corresponding network structure graph according to the network segment information and VLAN partitioning information of the IP addresses in the generated network data and a behavioural analysis of the related data, and generates a network traffic model according to the network structure graph;
the similarity judging device compares the access information of each subnet received by the server with the network traffic model that has been formed, and judges the similarity of the traffic behaviour;
the network traffic model updating device further updates the network traffic model when the traffic behaviour is normal after the access information has been compared with the network traffic model;
the suspect device search device, when suspicious traffic behaviour lying outside the network traffic model graph is found, carries out similarity analysis on the IP address of that access device in order to find the other suspicious connected devices of the access point.
The beneficial effects of the invention are that a data traffic model is generated by capturing network information; the information of the devices accessing the network is compared against the data traffic model in order to judge the safety of the access device; the related suspicious access sources of a suspicious access device can be found; and the invention thereby ensures the safe use of the network devices.
Accompanying drawing explanation
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawing required for the embodiments is briefly described below. Obviously, the drawing described below shows only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from it without creative effort.
Fig. 1 is the decision flow chart of the botnet discovery technique according to an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawing of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention fall within the scope of protection of the invention.
As shown in Figure 1, according to an embodiment of the invention,
a botnet discovery technique comprises the following steps:
capturing, by an existing packet capture tool, the network information traffic of all seven OSI layers of each network device in the same network topology, and using a data generating apparatus to generate traffic data from the captured network traffic;
generating a corresponding network structure graph according to the network segment information and VLAN partitioning information of the IP addresses in the generated network data and a behavioural analysis of the related data, and generating a network traffic model according to the network structure graph;
comparing the access information of each subnet received by the server with the network traffic model that has been formed, and judging the similarity of the traffic behaviour; the comparison criteria include the number of new connections and/or concurrent connections exceeding the usual level by more than 5 times, dispersed destination servers, a large change in the mean packet length, and so on; from these the suspiciousness of the access traffic is judged;
if the traffic behaviour is normal after the access information has been compared with the network traffic model, further updating the network traffic model;
when suspicious traffic behaviour lying outside the network traffic model graph is found, carrying out similarity analysis on the IP address of that access device in order to find the other suspicious connected devices of the access point.
Further, the network traffic information comprises the generated traffic data, which comprises capture time, source IP, destination IP, source port, destination port, application protocol, direction, packet count, byte count, identification field and TCP sequence number.
Further, the network traffic model comprises the following proxy information: number of new connections, number of concurrent connections, destination server type, destination server address, mean packet length, connection duration and connection purpose.
A botnet discovery device comprises a traffic capture device, a network traffic model establishing device, a similarity judging device, a network traffic model updating device and a suspect device search device, wherein:
the traffic capture device captures, by means of an existing packet capture tool, the network information traffic of all seven OSI layers of each network device in the same network topology, and uses a data generating apparatus to generate traffic data from the captured network traffic;
the network traffic model establishing device generates a corresponding network structure graph according to the network segment information and VLAN partitioning information of the IP addresses in the generated network data and a behavioural analysis of the related data, and generates a network traffic model according to the network structure graph;
the similarity judging device compares the access information of each subnet received by the server with the network traffic model that has been formed, and judges the similarity of the traffic behaviour;
the network traffic model updating device further updates the network traffic model when the traffic behaviour is normal after the access information has been compared with the network traffic model;
the suspect device search device, when suspicious traffic behaviour lying outside the network traffic model graph is found, carries out similarity analysis on the IP address of that access device in order to find the other suspicious connected devices of the access point.
In summary, by means of the above technical solution of the present invention, a data traffic model is generated by capturing network information; the information of the devices accessing the network is compared against the data traffic model in order to judge the safety of the access device; the related suspicious access sources of a suspicious access device can be found; and the invention thereby ensures the safe use of the network devices.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.
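The comparison step of the embodiment (new or concurrent connections more than 5 times the usual level, dispersed destination servers, a large change in mean packet length), the model update on normal windows, and the similarity analysis that ties a suspect to other devices, worked through in Python as an added illustration; this is not the patent's own code. The record and model fields follow the patent's lists; the dispersion ratio, the packet-length threshold, the moving-average update and the overlap measure are assumptions of this example, and all traffic is constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:  # one flow record with the fields the patent lists
    ts: int; src_ip: str; dst_ip: str; src_port: int; dst_port: int
    proto: str; direction: str; packets: int; nbytes: int  # ID field and TCP seq omitted

@dataclass
class HostModel:  # the traffic-model fields the patent keeps, here per source host
    new_conns: float      # new connections in the window
    concurrent: float     # peak connections opened within one second (assumed definition)
    dst_count: float      # distinct destination servers (address, port)
    mean_pkt_len: float   # average packet length in bytes
    dst_servers: set = field(default_factory=set)

def profile(flows):
    """Summarise one window of flows from one host into the model fields."""
    dsts = {(f.dst_ip, f.dst_port) for f in flows}
    pkts = sum(f.packets for f in flows)
    return HostModel(len(flows), max(Counter(f.ts for f in flows).values(), default=0),
                     len(dsts), sum(f.nbytes for f in flows) / pkts if pkts else 0.0, dsts)

def compare(model, obs, ratio=5.0, disp_ratio=3.0, pkt_change=0.5):
    """Rules the observed window violates (empty list = normal). The 5x rule is the
    patent's; disp_ratio and pkt_change are thresholds assumed for this example."""
    checks = [("new_connections", obs.new_conns > ratio * model.new_conns),
              ("concurrent_connections", obs.concurrent > ratio * model.concurrent),
              ("destination_dispersion", obs.dst_count > disp_ratio * max(model.dst_count, 1)),
              ("mean_packet_length", model.mean_pkt_len > 0 and
               abs(obs.mean_pkt_len - model.mean_pkt_len) > pkt_change * model.mean_pkt_len)]
    return [name for name, hit in checks if hit]

def update(model, obs, alpha=0.2):
    """Fold a normal window into the model (exponential moving average, assumed)."""
    ema = lambda old, new: (1 - alpha) * old + alpha * new
    return HostModel(ema(model.new_conns, obs.new_conns), ema(model.concurrent, obs.concurrent),
                     ema(model.dst_count, obs.dst_count), ema(model.mean_pkt_len, obs.mean_pkt_len),
                     model.dst_servers | obs.dst_servers)

def related_hosts(suspect, profiles, min_overlap=0.5):
    """Similarity analysis on the suspect's destinations: other hosts whose destination
    set largely coincides with it (overlap coefficient, an assumed measure)."""
    s = profiles[suspect].dst_servers
    return [h for h, p in profiles.items() if h != suspect and p.dst_servers
            and len(s & p.dst_servers) / min(len(s), len(p.dst_servers)) >= min_overlap]

def analyze(models, windows):
    """Compare each host's window with its model: update the normal ones, flag the
    rest together with the hosts the similarity analysis ties to them."""
    models, verdicts = dict(models), {}
    profiles = {h: profile(fl) for h, fl in windows.items()}
    for host, obs in profiles.items():
        reasons = compare(models[host], obs)
        if reasons:
            verdicts[host] = (reasons, related_hosts(host, profiles))
        else:
            models[host] = update(models[host], obs)
    return verdicts, models

# Constructed sample: a quiet baseline window, then a window in which 10.0.0.5 fans out to 60
# new servers with tiny packets, 10.0.0.7 quietly contacts eight of the same servers, 10.0.0.9 is unchanged.
def _flows(src, dsts, t0, packets, nbytes):
    return [Flow(t0 + i // 10, src, d, 40000 + i, 443, "tcp", "out", packets, nbytes)
            for i, d in enumerate(dsts)]

QUIET = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
BASELINE = {h: profile(_flows(h, QUIET * 3, 0, 20, 12000)) for h in ("10.0.0.5", "10.0.0.7", "10.0.0.9")}
OBSERVED = {
    "10.0.0.5": _flows("10.0.0.5", [f"198.51.100.{k}" for k in range(1, 61)], 100, 2, 120),
    "10.0.0.7": _flows("10.0.0.7", [f"198.51.100.{k}" for k in range(1, 9)], 100, 20, 12000),
    "10.0.0.9": _flows("10.0.0.9", QUIET * 4, 100, 20, 12000),
}
VERDICTS, UPDATED = analyze(BASELINE, OBSERVED)
```

Only 10.0.0.5 trips the comparison rules; 10.0.0.7 stays under every threshold and is surfaced solely by the similarity analysis of the suspect's destinations, which is the second-stage search the patent describes.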

Claims (4)

1. A botnet discovery technique, characterized in that it comprises the following steps:
capturing, by an existing packet capture tool, the network information traffic of all seven OSI layers of each network device in the same network topology, and using a data generating apparatus to generate traffic data from the captured network traffic;
generating a corresponding network structure graph according to the network segment information and VLAN partitioning information of the IP addresses in the generated network data and a behavioural analysis of the related data, and generating a network traffic model according to the network structure graph;
comparing the access information of each subnet received by the server with the network traffic model that has been formed, and judging the similarity of the traffic behaviour;
if the traffic behaviour is normal after the access information has been compared with the network traffic model, further updating the network traffic model;
when suspicious traffic behaviour lying outside the network traffic model graph is found, carrying out similarity analysis on the IP address of that access device in order to find the other suspicious connected devices of the access point.
2. The botnet discovery technique according to claim 1, characterized in that the network traffic information comprises the generated traffic data, which comprises capture time, source IP, destination IP, source port, destination port, application protocol, direction, packet count, byte count, identification field and TCP sequence number.
3. The botnet discovery technique according to claim 1, characterized in that the network traffic model comprises the following proxy information: number of new connections, number of concurrent connections, destination server type, destination server address, mean packet length, connection duration and connection purpose.
4. A botnet discovery device, characterized in that it comprises a traffic capture device, a network traffic model establishing device, a similarity judging device, a network traffic model updating device and a suspect device search device, wherein:
the traffic capture device captures, by means of an existing packet capture tool, the network information traffic of all seven OSI layers of each network device in the same network topology, and uses a data generating apparatus to generate traffic data from the captured network traffic;
the network traffic model establishing device generates a corresponding network structure graph according to the network segment information and VLAN partitioning information of the IP addresses in the generated network data and a behavioural analysis of the related data, and generates a network traffic model according to the network structure graph;
the similarity judging device compares the access information of each subnet received by the server with the network traffic model that has been formed, and judges the similarity of the traffic behaviour;
the network traffic model updating device further updates the network traffic model when the traffic behaviour is normal after the access information has been compared with the network traffic model;
the suspect device search device, when suspicious traffic behaviour lying outside the network traffic model graph is found, carries out similarity analysis on the IP address of that access device in order to find the other suspicious connected devices of the access point.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510856177.6A CN105516096B (en) 2015-11-30 2015-11-30 A kind of Botnet discovery technique and device

Publications (2)

Publication Number Publication Date
CN105516096A true CN105516096A (en) 2016-04-20
CN105516096B CN105516096B (en) 2018-10-30

Family

ID=55723734

Country Status (1)

Country Link
CN (1) CN105516096B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557269A (en) * 2018-05-31 2019-12-10 阿里巴巴集团控股有限公司 Service data processing method and system and data processing method
CN113271303A (en) * 2021-05-13 2021-08-17 国家计算机网络与信息安全管理中心 Botnet detection method and system based on behavior similarity analysis

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741862A (en) * 2010-01-22 2010-06-16 西安交通大学 IRC botnet detection system and detection method based on data packet sequence characteristics
US20100169476A1 (en) * 2008-12-31 2010-07-01 Jaideep Chandrashekar Method and system for detecting and reducing botnet activity
CN101924757A (en) * 2010-07-30 2010-12-22 中国电信股份有限公司 Method and system for reviewing Botnet
CN102014025A (en) * 2010-12-06 2011-04-13 北京航空航天大学 Method for detecting P2P botnet structure based on network flow clustering
CN102035793A (en) * 2009-09-28 2011-04-27 成都市华为赛门铁克科技有限公司 Botnet detecting method, device and network security protective equipment
CN103457909A (en) * 2012-05-29 2013-12-18 中国移动通信集团湖南有限公司 Botnet detection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant (granted publication date: 20181030)
CF01 Termination of patent right due to non-payment of annual fee (termination date: 20191130)