
TWI381284B - Anti-hacker detection and protection system and method - Google Patents


Info

Publication number: TWI381284B
Authority: TW (Taiwan)
Prior art keywords: malicious, information, station, hacker, service platform
Application number: TW98113594A
Other languages: Chinese (zh)
Other versions: TW201039169A (en)
Inventors: I Fang Wu, Ming Feng Wu, Wei Chen Liu, Feng Peng Yu, Shang Ta Lin
Original assignee: Chunghwa Telecom Co Ltd
Priority date: 2009-04-24 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis of it)
Filing date: 2009-04-24
Publication date: 2013-01-01

Events:
  2009-04-24  Application filed by Chunghwa Telecom Co Ltd; priority to TW98113594A
  2010-11-01  Publication of TW201039169A
  2013-01-01  Application granted; publication of TWI381284B

Landscapes

  • Computer And Data Communications (AREA)

Description

Anti-hacker detection and protection system and method

The present invention relates to an anti-hacker detection and protection system and method, and more particularly to one that combines trap (honeypot) detection, malicious behaviour analysis and information security protection.

With the arrival of the broadband Internet era and the spread of e-commerce, patterns of human behaviour are increasingly shaped by the network. Because the network is fast and convenient it has become part of daily life, and network security has therefore gradually received more attention.

The usual purpose of network security protection is to prevent viruses or hackers from intruding into user computers, so users deploy protective equipment such as intrusion prevention devices or anti-virus software to block attacks from outside. However, intrusion prevention devices and anti-virus software have no mechanism for luring and detecting viruses or hackers; they can only protect against known virus or attack signatures, and therefore cannot protect against unknown attacks or intrusions by malicious sites. In other words, if virus or hacker data is updated too slowly, the likelihood that a user is compromised rises substantially. In addition, since the vendors of intrusion prevention devices and anti-virus software mostly come from Europe or the United States, cost considerations make it hard for them to keep up with the newest attacks or malicious sites arising in a specific region, so the protection they provide is less effective.

To serve users in a specific region, having a regional Internet service provider (ISP) provide network security services is a better solution. However, if an ISP merely installs purchased intrusion prevention or anti-virus equipment in its data centre, the problem of slow virus and hacker data updates described above remains unsolved. In summary, how to provide an anti-hacker protection system and method that lets an ISP perform trap detection, malicious behaviour analysis and information security protection in real time, so as to strengthen its customers' security when using the network, is a problem that urgently needs to be solved.

To address these shortcomings of the prior art, the present invention provides an anti-hacker detection and protection system and method for large-scale, automated detection, analysis, monitoring and blocking of malicious behaviour; at the same time, if the system finds that a site has been compromised, it proactively notifies the compromised site so that follow-up handling can take place.

The anti-hacker detection and protection method of the present invention is applied to a network system having at least one trap device, an analysis device and a service platform, and comprises at least the following steps: (1) placing the trap device on a preset network segment so that, when the trap device is attacked, compromise information is formed; (2) feeding the compromise information into the analysis device, so that the analysis device executes or analyses the compromise information and forms a malicious information record from it, and then feeding the malicious information record into the service platform; and (3) causing the service platform to launch the corresponding anti-hacker protection action based on the malicious information record.

In a preferred aspect, the analysis device has a central control station and at least one virtual machine, and step (2) further includes: (2-1) causing the central control station to dispatch the compromise information to the virtual machine; (2-2) causing the virtual machine to execute and analyse the compromise information and return the analysis result to the central control station, which then generates the malicious information record; and (2-3) transmitting the malicious information record to the service platform and restoring the virtual machine to its initial state.

The anti-hacker detection and protection system of the present invention is applied to a network system and comprises at least: a trap device, placed on a network segment that may be subject to hacker attack, for forming compromise information when the trap device is attacked; an analysis device, which receives the compromise information and executes or analyses it to form a malicious information record; and a service platform, which launches the corresponding anti-hacker protection action based on the malicious information record.

In a preferred aspect, the analysis device further includes a central control station and at least one virtual machine. The virtual machine executes and analyses the compromise information and returns the analysis result to the central control station, which forms the malicious information record from that result; the central control station then transmits the malicious information record to the service platform and restores the virtual machine to its initial state, so that the service platform can carry out the subsequent alerting or real-time protection service.

Accordingly, by combining trap detection, malicious behaviour analysis and information security protection, the anti-hacker detection and protection system and method of the present invention can proactively, promptly and effectively detect malicious sites, for example malicious attackers, virus-infected hosts, zombie computers, botnet control stations and malicious download points, so as to prevent client computers from connecting to these malicious sites by mistake and being implanted with Trojans or backdoors. At the same time, if the system finds that a site has been compromised, it proactively sends an alert message to the compromised site for handling, which greatly strengthens clients' security when using the network.

The following describes the implementation of the present invention by way of specific embodiments, so that those skilled in the art can readily understand the other advantages and effects of the invention from the disclosure in this specification. The invention may also be practised or applied through other, different embodiments; accordingly, the details in this specification may be modified and changed in various ways, based on different viewpoints and applications, without departing from the spirit of the invention.

Refer to Figure 1, a block diagram illustrating the basic system architecture of the anti-hacker detection and protection system of the present invention. As shown, the anti-hacker detection and protection system 4 is applied to a network system having at least one trap device 41, an analysis device 42 and a service platform 43.

The trap device 41, analysis device 42 and service platform 43 can be implemented in software, and can be integrated on the same computer or distributed across different computers. First, the trap device 41 is placed on a network segment that may be attacked by a hacker 1, so that compromise information is formed when the trap device 41 is attacked, and that compromise information is fed into the analysis device 42. Next, the analysis device 42 executes or analyses the compromise information and forms a malicious information record from it, and the service platform 43 then launches the corresponding anti-hacker protection action based on the malicious information record, for example using an information security protection device to protect clients in real time.

Refer to Figure 2, a block diagram of the system architecture of one embodiment of the anti-hacker detection and protection system of the present invention. As shown, the analysis device 42 further includes a central control station 421 and at least one virtual machine 422. The virtual machine 422 is used to expand the capacity for executing and analysing compromise information: it executes and analyses the compromise information and returns the analysis result to the central control station, which forms the malicious information record from that result. In addition, by executing the compromise information the virtual machine 422 finds the files, file records, accounts and registry entries that were added, deleted, modified or copied, and the malicious programs and configurations that make outbound connections or download data, finally producing a malicious information record, which is information about malicious attackers, virus-infected hosts, zombie computers, botnet control stations and malicious download points.

The analysis device 42 then transmits the malicious information record to the service platform 43 and restores the compromised virtual machine 422 to its initial state, so that the service platform 43 can compare the malicious information record and decide whether an alert or real-time protection needs to be carried out.

In a preferred embodiment, the service platform 43 further includes a malicious site liveness detection module 43a, a hazard level classification module 43b, a malicious site database 43c and a compromised-user database 43e.

The malicious site liveness detection module 43a determines whether a malicious site is still alive. The hazard level classification module 43b determines the hazard level of the malicious site from the time at which it was discovered and its frequency of occurrence, so that the service platform can form a malicious site list.

Next, the service platform further includes a malicious site database 43c for storing the malicious site list, so that the service platform can, through an information security protection device 44 and according to the malicious site list, block in real time the connections that users make to malicious sites. The information security protection device 44 may be a protection server, a router or a gateway, and is what actually enforces the protection against hacker intrusion.

In addition, the service platform 43 can compare the malicious information record against the malicious site list in the malicious site database 43c to form malicious activity distribution information, malicious activity status and trend change analysis. The service platform 43 also compares the malicious information record against user data and produces the compromised-user database 43e from the comparison result, so that, based on the data in the compromised-user database, compromised clients are notified in real time to carry out follow-up handling, and malicious activity trend analysis can be provided to users at any time.

Refer to Figure 3, a flow chart of the basic operation of the anti-hacker detection and protection method of the present invention. The method is applied to a network system having at least one trap device, an analysis device and a service platform. As shown, step S31 is executed first: the trap device is placed on a preset network segment so that compromise information is formed when the trap device is attacked; the flow then proceeds to step S32.

In step S32, the compromise information is fed into the analysis device, which executes or analyses it and forms a malicious information record from it; the malicious information record is then fed into the service platform, and the flow proceeds to step S33.

In step S33, the service platform is made to launch the corresponding anti-hacker protection action based on the malicious information record.

The trap device described above is used to test the information security status of client network segments, and trap devices are placed in a distributed and widespread manner according to how active each network segment is, so as to raise the trapping rate.

Refer to Figure 4, a flow chart of the first embodiment of the anti-hacker detection and protection method of the present invention. As shown, step S41 is executed first: the central control station dispatches the compromise information to a virtual machine; the flow then proceeds to step S42.

In step S42, the virtual machine executes and analyses the compromise information and returns the analysis result to the central control station, which then generates the malicious information record; the flow proceeds to step S43.

In step S43, the malicious information record is transmitted to the service platform and the virtual machine is restored to its initial state.

The virtual machine described above is used to expand the capacity for executing and analysing compromise information. By executing the compromise information, the virtual machine finds the files, file records, accounts and registry entries that were added, deleted, modified or copied, and the malicious programs and configurations that make outbound connections or download data, so as to produce the malicious information record, which is information about malicious attackers, virus-infected hosts, zombie computers, botnet control stations or malicious download points.
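The snapshot-diff step that the virtual machine 422 and central control station 421 carry out (Figure 2 and steps S41 to S43 above), as an added example in Python. This is not the patent's own code: the snapshot fields, the round-robin dispatch, the mapping from observed connection behaviour to the site roles named in the patent, and all sample data are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    """Host state captured by the VM agent before and after execution (constructed fields)."""
    files: dict             # path -> content hash
    accounts: frozenset     # local account names
    registry: dict          # registry key -> value
    connections: frozenset  # (remote_ip, port, kind) seen by the sandbox network monitor


@dataclass
class MaliciousInfoRecord:
    """The record the central control station hands to the service platform."""
    sample_id: str
    attacker: str
    added_files: list = field(default_factory=list)
    deleted_files: list = field(default_factory=list)
    modified_files: list = field(default_factory=list)
    new_accounts: list = field(default_factory=list)
    registry_changes: list = field(default_factory=list)
    malicious_sites: list = field(default_factory=list)  # (ip, role) pairs


# Assumed mapping from observed connection behaviour to the roles named in the patent.
ROLE_BY_KIND = {"download": "malicious download point", "beacon": "botnet control station"}


def diff_snapshots(sample_id, attacker, before, after):
    """Turn the VM state before/after running a sample into a malicious information record."""
    rec = MaliciousInfoRecord(sample_id, attacker)
    rec.added_files = sorted(set(after.files) - set(before.files))
    rec.deleted_files = sorted(set(before.files) - set(after.files))
    rec.modified_files = sorted(p for p in before.files
                                if p in after.files and before.files[p] != after.files[p])
    rec.new_accounts = sorted(after.accounts - before.accounts)
    keys = set(before.registry) | set(after.registry)
    rec.registry_changes = sorted((k, after.registry.get(k)) for k in keys
                                  if before.registry.get(k) != after.registry.get(k))
    # The host that attacked the trap device is itself reported as a malicious site.
    rec.malicious_sites = [(attacker, "malicious attacker")]
    for ip, _port, kind in sorted(after.connections - before.connections):
        rec.malicious_sites.append((ip, ROLE_BY_KIND.get(kind, "unclassified")))
    return rec


class VirtualMachine:
    """Virtual machine 422: runs one sample, then is rolled back to its clean snapshot."""
    def __init__(self, initial):
        self.initial = initial
        self.state = initial

    def execute(self, sample):
        # `sample` stands in for detonating the captured payload: it maps a state to a new state.
        self.state = sample(self.state)
        return self.state

    def reset(self):
        self.state = self.initial


class CentralControl:
    """Central control station 421: dispatch (S41), collect (S42), forward and reset (S43)."""
    def __init__(self, vms):
        self.vms = list(vms)
        self.records = []

    def analyse(self, sample_id, attacker, sample):
        vm = self.vms[len(self.records) % len(self.vms)]  # round-robin dispatch (assumed)
        before = vm.state
        after = vm.execute(sample)
        rec = diff_snapshots(sample_id, attacker, before, after)
        vm.reset()  # step S43: VM back to its initial state before the next sample
        self.records.append(rec)
        return rec


# --- constructed demo data ---------------------------------------------------------
DROPPED = "C:/Users/victim/AppData/Roaming/update.exe"
RUN_KEY = "HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Updater"
CLEAN = Snapshot(
    files={"C:/Windows/System32/svchost.exe": "sha256:aaaa", "C:/Users/victim/notes.txt": "sha256:bbbb"},
    accounts=frozenset({"Administrator", "victim"}),
    registry={"HKLM/Software/Microsoft/Windows/CurrentVersion/Run/OneDrive": "OneDrive.exe"},
    connections=frozenset(),
)


def constructed_sample(state):
    """Stand-in for the captured compromise information: what the sandbox observed it do."""
    files = dict(state.files)
    files[DROPPED] = "sha256:9999"                            # dropped file
    files["C:/Windows/System32/svchost.exe"] = "sha256:cccc"  # modified binary
    del files["C:/Users/victim/notes.txt"]                    # deleted file
    registry = dict(state.registry)
    registry[RUN_KEY] = DROPPED                               # persistence entry
    return Snapshot(files, state.accounts | {"support"}, registry,
                    state.connections | {("203.0.113.10", 80, "download"),
                                         ("198.51.100.7", 6667, "beacon")})


def run_demo():
    """Analyse the constructed sample twice on one VM to show the reset between runs."""
    control = CentralControl([VirtualMachine(CLEAN)])
    control.analyse("sample-001", "192.0.2.44", constructed_sample)
    control.analyse("sample-002", "192.0.2.44", constructed_sample)
    return control
```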

Refer to Figure 5, a flow chart of the second embodiment of the anti-hacker detection and protection method of the present invention. As shown, in step S51 the service platform launches the corresponding anti-hacker protection action based on the malicious information record; the flow then proceeds to step S52.

In step S52, the service platform determines whether the malicious site is alive and what its hazard level is, so as to form the malicious site list; the flow proceeds to step S53.

In step S53, the hazard level of the malicious site is determined from the time at which it was discovered and its frequency of occurrence; the flow proceeds to step S54.

In step S54, the service platform further includes a malicious site database storing the malicious site list, and through an information security protection device the service platform blocks in real time, according to the malicious site list, the connections that users make to malicious sites; the flow then proceeds to step S55.

In step S55, the service platform compares the malicious information record against the malicious site list in the malicious site database to form malicious activity distribution information, malicious activity status and trend change analysis.
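The service platform 43 (modules 43a and 43b, databases 43c and 43e) and steps S52 to S55 above, as an added example in Python that is not the patent's own code. Liveness is supplied by an injected probe so the demo runs offline; the hazard-level thresholds, the customer-to-account data, the record format and all sightings are constructed assumptions, since the patent names only discovery time and frequency as inputs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2009, 4, 24, 12, 0)  # constructed reference time for the demo
WINDOW = timedelta(days=7)          # occurrence-frequency window (assumed)
FRESH = timedelta(hours=24)         # first seen within this horizon = newly discovered (assumed)


def hours_ago(h):
    return NOW - timedelta(hours=h)


def hazard_level(sightings, now=NOW):
    """Module 43b: grade a site from its discovery time and frequency of occurrence."""
    first_seen = min(sightings)
    recent = sum(1 for t in sightings if now - t <= WINDOW)
    if recent >= 5 or (now - first_seen <= FRESH and recent >= 2):
        return "high"    # very active, or a fresh campaign that is already repeating
    if recent >= 2:
        return "medium"
    return "low"         # single or stale sighting


class ServicePlatform:
    """Service platform 43 with modules 43a/43b and databases 43c/43e."""

    def __init__(self, user_data, probe):
        self.user_data = user_data          # customer ip -> account id (ISP user data)
        self.probe = probe                  # module 43a: ip -> True if the site still answers
        self.sightings = defaultdict(list)  # database 43c: ip -> times seen
        self.roles = defaultdict(set)       # ip -> roles reported by the analysis device
        self.compromised_users = {}         # database 43e: account -> roles observed
        self.notifications = []             # alerts to be sent to compromised clients

    def ingest(self, record):
        """Step S51: accept one record {"seen": datetime, "sites": [(ip, role), ...]}."""
        for ip, role in record["sites"]:
            self.sightings[ip].append(record["seen"])
            self.roles[ip].add(role)
            account = self.user_data.get(ip)
            if account is not None:  # one of our own customers is acting as a malicious site
                self.compromised_users.setdefault(account, set()).add(role)
                self.notifications.append((account, ip, role))

    def malicious_site_list(self, now=NOW):
        """Steps S52/S53: keep only sites still alive, each graded by hazard level."""
        return {ip: hazard_level(ts, now)
                for ip, ts in self.sightings.items() if self.probe(ip)}

    def should_block(self, ip, now=NOW):
        """Step S54: the decision handed to protection device 44 for a user's connection."""
        return ip in self.malicious_site_list(now)

    def distribution(self):
        """Step S55: malicious activity distribution, here counted by site role."""
        counts = defaultdict(int)
        for roles in self.roles.values():
            for role in roles:
                counts[role] += 1
        return dict(counts)


# --- constructed demo data ---------------------------------------------------------
def constructed_records():
    recs = [{"seen": hours_ago(h), "sites": [("203.0.113.10", "malicious download point"),
                                             ("198.51.100.7", "botnet control station"),
                                             ("192.0.2.44", "malicious attacker")]}
            for h in (1, 3, 6, 20, 30)]                      # an active, repeating campaign
    recs += [{"seen": hours_ago(h), "sites": [("203.0.113.55", "malicious download point")]}
             for h in (50, 72, 120)]                         # older but still recurring
    recs.append({"seen": hours_ago(24 * 10),
                 "sites": [("203.0.113.99", "malicious download point")]})  # stale sighting
    return recs


def build_demo():
    platform = ServicePlatform(user_data={"192.0.2.44": "cust-1001"},
                               probe=lambda ip: ip != "203.0.113.99")  # constructed liveness
    for rec in constructed_records():
        platform.ingest(rec)
    return platform
```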

As the above embodiments show, the anti-hacker detection and protection method proactively lures attackers in order to obtain the various malicious data with which malicious sites carry out their attacks, and uses that data for subsequent analysis, so that the analysis results can be supplied to information security protection devices and clients for information security protection. The service platform can also compare the malicious information record against user data and produce the compromised-user database from the comparison result, so that compromised clients are notified in real time, based on that database, to carry out follow-up handling, and malicious activity trend analysis can be provided to users at any time. The trend analysis examines the attack types, exploited weaknesses and frequently attacked ports of a country or region.

In summary, the anti-hacker detection and protection method and system of the present invention can detect, analyse and block malicious behaviour automatically and at large scale. If the system finds a malicious site or hacker attack, it proactively informs the client or compromised site so that it can be handled, which prevents client computers from being compromised by connecting to these malicious sites, having Trojans or backdoors implanted by them, and then being taken over as zombie computers. The invention can also be packaged as an independent information security service product, or as added value for existing security services.

The above embodiments merely illustrate the principles, features and effects of the present invention and are not intended to limit the scope within which it can be practised; anyone skilled in the art may modify and change the above embodiments without departing from the spirit and scope of the invention. Any changes in effect and modifications achieved using the disclosure of the present invention should still be covered by the claims set out below. The scope of protection of the invention is therefore as listed in the claims that follow.

1 ... Hacker
2 ... Internet
3 ... Compromised site
4 ... Anti-hacker detection and protection system
41 ... Trap device
42 ... Analysis device
421 ... Central control station
422 ... Virtual machine
43 ... Service platform
43a ... Malicious site liveness detection module
43b ... Hazard level classification module
43c ... Malicious site database
43e ... Compromised-user database
44 ... Information security protection device
S31 to S33 ... Steps
S41 to S43 ... Steps
S51 to S55 ... Steps

Figure 1 is a block diagram of the basic system architecture of the anti-hacker detection and protection system of the present invention.

Figure 2 is a block diagram of the system architecture of one embodiment of the anti-hacker detection and protection system of the present invention.

Figure 3 is a flow chart of the basic operation of the anti-hacker detection and protection method of the present invention.

Figure 4 is a flow chart of the first embodiment of the anti-hacker detection and protection method of the present invention.

Figure 5 is a flow chart of the second embodiment of the anti-hacker detection and protection method of the present invention.


Claims (21)

一種反駭客之偵測防護方法,係應用於一網路系統,該網路系統具有至少一誘捕設備、包括有中控機台與至少一個虛擬機台之分析設備及服務平台,該反駭客之偵測防護方法至少包括以下步驟:(1)將該誘捕設備放置於預設之網段(Network),以於該誘捕設備遭受攻擊時形成受駭資訊;(2)將該受駭資訊輸入該分析設備,使該分析設備執行或分析該受駭資訊俾據之形成惡意資訊記錄,再將該惡意資訊記錄輸入該服務平台;以及(3)令該服務平台依據該惡意資訊記錄啟動相應之反駭客防護動作,其中,該虛擬機台藉由執行該受駭資訊以找出被新增、刪除、修改或複製之檔案、檔案記錄、帳號、登錄檔,或對外連線、執行資料下載之惡意程式及組態,俾產生該惡意資訊記錄。 An anti-hacker detection and protection method is applied to a network system, which has at least one trapping device, an analysis device and a service platform including a central control machine and at least one virtual machine platform, and the reverse The method for detecting and detecting a guest includes at least the following steps: (1) placing the trapping device on a preset network to form a subject information when the trapping device is attacked; and (2) receiving the subject information Entering the analysis device, causing the analysis device to perform or analyze the formed information record to form a malicious information record, and then input the malicious information record into the service platform; and (3) causing the service platform to initiate the corresponding according to the malicious information record The anti-hacker protection action, wherein the virtual machine station performs the information to be added, deleted, modified or copied to find files, file records, account numbers, login files, or external connection and execution data. Download the malware and configuration, and generate the malicious information record. 如申請專利範圍第1項之反駭客之偵測防護方法,其中,步驟(1)係依據網段的活躍程度分散地且廣闊地放置該誘補設備,以提升誘捕率。 For example, in the anti-hacker detection and protection method of claim 1, the step (1) is to disperse and widely place the lure device according to the activity degree of the network segment to improve the trapping rate. 
如申請專利範圍第1項之反駭客之偵測防護方法,其中,步驟(2)復包括:(2-1)令該中控機台將該受駭資訊配發給該虛擬機台;(2-2)令該虛擬機台執行該受駭資訊並進行分析, 以將分析結果傳回該中控機台,再由該中控機台產生惡意資訊記錄;以及(2-3)將該惡意資訊記錄傳送至該服務平台,並將該虛擬機台之狀態回復至初始狀態。 For example, in the anti-hacker detection and protection method of claim 1, wherein the step (2) includes: (2-1) causing the central control machine to distribute the received information to the virtual machine; (2-2) causing the virtual machine to execute the subject information and analyze it, Transmitting the analysis result back to the central control machine, and then generating a malicious information record by the central control machine; and (2-3) transmitting the malicious information record to the service platform, and replying the status of the virtual machine station To the initial state. 如申請專利範圍第3項之反駭客之偵測防護方法,其中,該虛擬機台係用以擴充受駭資訊執行與分析的能力。 For example, in the anti-hacker detection and protection method of claim 3, the virtual machine is used to expand the ability of the information to be executed and analyzed. 如申請專利範圍第1項之反駭客之偵測防護方法,其中,該惡意資訊記錄係為惡意攻擊者、病毒感染者、殭屍電腦、殭屍電腦控制站或惡意下載點的資訊。 For example, in the anti-hacker detection and protection method of claim 1, the malicious information record is information of a malicious attacker, a virus infected person, a zombie computer, a zombie computer control station or a malicious download point. 如申請專利範圍第1項之反駭客之偵測防護方法,其中,步驟(3)復包括判斷惡意站台是否存活與該惡意站台之危害等級,以形成惡意站台清單之步驟。 For example, in the anti-hacker detection and protection method of claim 1, the step (3) includes the step of judging whether the malicious station survives and the malicious station has a hazard level to form a malicious station list. 如申請專利範圍第6項之反駭客之偵測防護方法,其中,該惡意站台之危害等級係透過該惡意站台的發現時間與出現頻率進行判斷。 For example, in the anti-hacker detection and protection method of claim 6, wherein the malicious station's hazard level is judged by the discovery time and frequency of occurrence of the malicious station. 
如申請專利範圍第1項之反駭客之偵測防護方法,其中,服務平台復包括用以儲存惡意站台清單之惡意站台資料庫,且步驟(3)復包括令該服務平台透過一資訊安全防護設備依據該惡意站台清單即時阻擋用戶所執行之惡意站台的連線之步驟。 For example, in the anti-hacker detection and protection method of claim 1, wherein the service platform includes a malicious platform database for storing a list of malicious stations, and step (3) includes enabling the service platform to pass an information security The protection device immediately blocks the connection of the malicious platform executed by the user according to the malicious website list. 如申請專利範圍第1項之反駭客之偵測防護方法,其中,服務平台復包括用以儲存惡意站台清單之惡意站台資料庫,且步驟(3)復包括令該服務平台將該惡意資 訊記錄與惡意站台資料庫中的惡意站台清單進行比對,以形成惡意活動分佈資訊、惡意活動情況和趨勢變化分析之步驟。 For example, in the anti-hacker detection and protection method of claim 1, wherein the service platform includes a malicious platform database for storing a list of malicious stations, and step (3) includes causing the service platform to use the malicious information. The record is compared with the list of malicious stations in the malicious platform database to form a step of analyzing malicious information, malicious activity and trend change analysis. 如申請專利範圍第9項之反駭客之偵測防護方法,其中,該趨勢變化分析係用以針對國家或區域之攻擊型態、攻擊弱點及常受駭之通信埠進行樣本分析。 For example, in the anti-hacker detection and protection method of claim 9, the trend change analysis is used for sample analysis of national or regional attack patterns, attack weaknesses, and frequently-recognized communications. 如申請專利範圍第8項之反駭客之偵測防護方法,其中,服務平台復包括受駭用戶資料庫,且步驟(3)復包括令該服務平台將該惡意資訊記錄與用戶資料進行比對,以將比對結果產生該受駭用戶資料庫,俾依據該受駭用戶資料庫之資料即時通知受駭之用戶端進行後續處理。 For example, in the anti-hacker detection and protection method of claim 8, wherein the service platform includes a database of the user database, and step (3) includes causing the service platform to compare the malicious information record with the user data. If yes, the affected user database is generated, and the affected user is immediately notified according to the data of the user database for subsequent processing. 
12. The anti-hacker detection and protection method of claim 1, wherein the trapping device, the analysis device and the service platform are installed on a single computer or distributed over different computers.

13. An anti-hacker detection and protection system for use in a network system, the system comprising at least: a trapping device (honeypot) placed on a preset network segment, which produces compromise information when the trapping device is attacked; an analysis device comprising a central control station and at least one virtual machine station, the analysis device taking the compromise information as input and executing or analysing it in order to form a malicious information record; and a service platform that launches the corresponding anti-hacker protection action according to the malicious information record; wherein the virtual machine station executes the compromise information in order to find files, file records, accounts and registry entries that have been added, deleted, modified or copied, as well as malicious programs and configurations that make outbound connections or download data.

14. The anti-hacker detection and protection system of claim 13, wherein the at least one virtual machine station executes and analyses the compromise information and returns the analysis result to the central control station, which then forms the malicious information record from that result.

15. The anti-hacker detection and protection system of claim 14, wherein the virtual machine station serves to scale out the capacity for executing and analysing compromise information.

16. The anti-hacker detection and protection system of claim 13, wherein the malicious information record is information about a malicious attacker, a virus-infected host, a zombie computer (bot), a zombie control station (botnet command-and-control server) or a malicious download point.

17. The anti-hacker detection and protection system of claim 13, wherein the service platform further comprises: a malicious-site liveness detection module for determining whether a malicious site is still alive; and a hazard-level classification module for determining the hazard level of the malicious site from its discovery time and its frequency of appearance, from which the service platform forms a malicious-site list.

18. The anti-hacker detection and protection system of claim 17, wherein the service platform further comprises a malicious-site database for storing the malicious-site list, so that the service platform, through an information security protection device, blocks in real time a user's connections to malicious sites according to that list.

19. The anti-hacker detection and protection system of claim 18, wherein the malicious-site database compares the malicious information record against the malicious-site list it holds, to produce malicious activity distribution information, malicious activity status and trend-change analysis.

20. The anti-hacker detection and protection system of claim 13, wherein the service platform further comprises a compromised-user database for storing compromised-user data, so that the service platform promptly notifies the compromised client, according to that data, to carry out follow-up handling.

21. The anti-hacker detection and protection system of claim 13, wherein the trapping device, the analysis device and the service platform are installed on a single computer or distributed over different computers.
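The pipeline that claims 13 to 19 describe, as an added runnable sketch that is not code from the patent or from Chunghwa Telecom: a before/after diff of the virtual machine station becomes the malicious information record, the download points in those records are folded into per-site discovery time and frequency, sites that fail the liveness check are dropped, the survivors are rated and listed, and the protection device consults the list per user connection. The host names, file paths, registry values, rating thresholds and the injected liveness probe are all constructed assumptions.

```python
"""Sandbox diff -> malicious information record -> liveness-filtered, hazard-rated
malicious-site list -> block decision. Added example, not the patent's own code;
hosts, paths, thresholds and the liveness probe are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable
from urllib.parse import urlsplit

@dataclass
class Snapshot:
    files: dict[str, str]                  # path -> content hash
    accounts: set[str]                     # local user accounts
    registry: dict[str, str]               # registry value name -> data
    connections: list[str] = field(default_factory=list)  # outbound URLs observed

@dataclass
class MaliciousInfoRecord:
    sample: str
    seen_at: datetime
    added_files: list[str]
    deleted_files: list[str]
    modified_files: list[str]
    new_accounts: list[str]
    registry_changes: list[str]
    download_points: list[str]             # hosts contacted for downloads or control

def diff_snapshots(sample: str, seen_at: datetime,
                   before: Snapshot, after: Snapshot) -> MaliciousInfoRecord:
    """The VM station runs the sample; the before/after diff becomes the record (claims 13-14)."""
    b, a = before.files, after.files
    hosts = {urlsplit(u).hostname for u in after.connections}
    return MaliciousInfoRecord(
        sample=sample, seen_at=seen_at,
        added_files=sorted(set(a) - set(b)),
        deleted_files=sorted(set(b) - set(a)),
        modified_files=sorted(p for p in set(a) & set(b) if a[p] != b[p]),
        new_accounts=sorted(after.accounts - before.accounts),
        registry_changes=sorted(k for k, v in after.registry.items() if before.registry.get(k) != v),
        download_points=sorted(h for h in hosts if h),
    )

@dataclass
class SiteStats:
    first_seen: datetime
    last_seen: datetime
    hits: int

def aggregate_sites(records: list[MaliciousInfoRecord]) -> dict[str, SiteStats]:
    """Fold every record's download points into per-host discovery time and frequency."""
    stats: dict[str, SiteStats] = {}
    for r in records:
        for host in r.download_points:
            s = stats.setdefault(host, SiteStats(r.seen_at, r.seen_at, 0))
            s.first_seen, s.last_seen = min(s.first_seen, r.seen_at), max(s.last_seen, r.seen_at)
            s.hits += 1
    return stats

def hazard_level(s: SiteStats, now: datetime) -> str:
    """Hazard level from discovery time and frequency (claim 17); thresholds are assumptions."""
    score = 2 if s.hits >= 3 else 1 if s.hits >= 2 else 0          # how often it appears
    score += 1 if now - s.first_seen <= timedelta(days=1) else 0  # newly discovered
    return ("low", "medium", "high", "critical")[score]

def build_blocklist(records: list[MaliciousInfoRecord], is_alive: Callable[[str], bool],
                    now: datetime) -> dict[str, str]:
    """Keep only sites the liveness check still reaches, tagged with hazard level (claims 17-18)."""
    return {host: hazard_level(s, now)
            for host, s in aggregate_sites(records).items() if is_alive(host)}

def should_block(blocklist: dict[str, str], url: str) -> tuple[bool, str]:
    """Decision the information security protection device makes for each user connection."""
    level = blocklist.get(urlsplit(url).hostname or "")
    return (level is not None, level or "")

def activity_distribution(records: list[MaliciousInfoRecord], blocklist: dict[str, str]) -> Counter:
    """Compare records against the list (claim 19): observed activity per hazard level."""
    return Counter(blocklist.get(h, "unlisted") for r in records for h in r.download_points)

NOW = datetime(2009, 4, 24, 12, 0)   # constructed reference time
def demo() -> tuple[list[MaliciousInfoRecord], dict[str, str]]:
    """Three constructed samples; returns their records and the resulting malicious-site list."""
    before = Snapshot(files={"C:/Windows/hosts": "h1", "C:/Users/Public/report.doc": "d1"},
                      accounts={"Administrator"}, registry={"HKLM/Run/Update": ""})
    after = Snapshot(files={"C:/Windows/hosts": "h2", "C:/Windows/Temp/svch0st.exe": "m1"},
                     accounts={"Administrator", "support$"},
                     registry={"HKLM/Run/Update": "C:/Windows/Temp/svch0st.exe"},
                     connections=["http://dl.example.net/payload.bin",
                                  "http://c2.example.org/ping", "http://dead.example.com/x"])
    def unchanged(urls): return Snapshot(before.files, before.accounts, before.registry, urls)
    records = [
        diff_snapshots("sample-1", NOW - timedelta(hours=2), before, after),
        diff_snapshots("sample-2", NOW - timedelta(days=10), before,
                       unchanged(["http://dl.example.net/a", "http://old.example.org/b"])),
        diff_snapshots("sample-3", NOW - timedelta(days=5), before,
                       unchanged(["https://dl.example.net/c"])),
    ]
    # Liveness probe is injected so the example runs offline; assume dead.example.com is gone.
    blocklist = build_blocklist(records, lambda host: host != "dead.example.com", NOW)
    return records, blocklist
```

The liveness probe is a parameter rather than a real network check so that the example runs offline; in a deployment it would be the reachability test the claim 17 module performs, and the resulting dictionary would be pushed to the protection device (DNS or proxy filter) that calls something like should_block per connection. Note that dead.example.com never reaches the list even though its sample was analysed, which is the point of filtering on liveness before blocking.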

Priority Applications (1)

Application Number: TW98113594A (TWI381284B, en); Priority Date: 2009-04-24; Filing Date: 2009-04-24; Title: Anti-hacker detection and protection system and method

Applications Claiming Priority (1)

Application Number: TW98113594A (TWI381284B, en); Priority Date: 2009-04-24; Filing Date: 2009-04-24; Title: Anti-hacker detection and protection system and method

Publications (2)

TW201039169A (en), published 2010-11-01 (application publication)
TWI381284B (en), published 2013-01-01 (granted patent)

Family

Family ID: 44995351

Family Applications (1)

Application Number: TW98113594A (TWI381284B, en); Title: Anti-hacker detection and protection system and method; Priority Date: 2009-04-24; Filing Date: 2009-04-24

Country Status (1)

TW: TWI381284B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
CN111726570B * (priority 2020-01-01, published 2021-11-02), 上海大参林医疗健康科技有限公司: Continuous Image Recognition System Based on Data Analysis

Citations (2)

TW252976B * (priority 1993-03-24, published 1995-08-01), Bayer AG
US20060191008A1 * (priority 2004-11-30, published 2006-08-24), Sensory Networks Inc.: Apparatus and method for accelerating intrusion detection and prevention systems using pre-filtering

Non-Patent Citations (1)

"Taiwan Malicious Webpage and Spyware Hacking", 3rd Hacks in Taiwan Conference, July 21, 2007. http://hitcon.org/download/2007/-Taiwan%20Malicious%20Webpage%20and%20Spyware%20Hacking.pdf *

Also Published As

Publication number Publication date
TW201039169A (en) 2010-11-01

Legal Events

Code MM4A: Annulment or lapse of patent due to non-payment of fees