CN110213255A - Method, apparatus and electronic device for detecting Trojans on a host - Google Patents
- Publication number: CN110213255A (application CN201910446832.9A)
- Authority: CN (China)
- Prior art keywords: domain name, host, access, intranet, situation data
- Legal status: Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L61/00—Network arrangements, protocols or services for addressing or naming
        - H04L61/45—Network directories; Name-to-address mapping
          - H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
            - H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Abstract
Embodiments of the invention provide a method, apparatus and electronic device for detecting Trojans on a host. The method comprises: obtaining the intranet domain-name access log of the host to be detected and extracting the domain names to be identified from it; identifying each domain name to be identified, to obtain the common domain names and non-common domain names in the intranet domain-name access log, and obtaining the host's domain-name access situation data from the intranet domain-name access log; and finally comparing the host's domain-name access situation data with a pre-created domain-name access behaviour baseline to detect whether the host is infected with a Trojan. Because the domain-name access situation data are derived dynamically from the access log that records the host's access behaviour, and the result of comparing them with the domain-name access behaviour baseline serves as the detection basis, no signature of a known Trojan is required, so Trojans of unknown type can be detected.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method, apparatus and electronic device for detecting Trojans on a host.
Background art
With the widespread use of computers and Internet technology, network security problems have become increasingly prominent. Trojans are a common tool with which network attackers carry out attacks: by obtaining control of the target host through a Trojan, an attacker can not only maliciously consume the resources of the user devices connected to the target host, but can also steal important information such as user accounts and passwords. Trojan detection has therefore become an important research problem in the field of network security.
At present, Trojan detection on a host proceeds as follows. First, the access log generated when the host accesses domain names through the intranet, i.e. the intranet domain-name access log, is collected; the log contains information such as the host's source IP, the domain name accessed and the time of access. Then features are extracted from the collected log and matched against the features of known Trojan types in a virus database. If the match succeeds, the host is infected with a Trojan; if it fails, the host is not.
However, because Trojans are constantly updated while the Trojans in the virus database are only those that have already been detected, existing techniques can only detect the Trojan types already known to the virus database, and Trojans of unknown type are hard to detect.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a method, apparatus and electronic device for detecting Trojans on a host, so as to solve the problem of detecting Trojans of unknown type. The specific technical solution is as follows:
In a first aspect, an embodiment of the present invention provides a method for detecting Trojans on a host, applied to a server in communication with the host, the method comprising:
obtaining the intranet domain-name access log of the host to be detected;
obtaining the domain names to be identified from the intranet domain-name access log;
identifying each domain name to be identified, to obtain the common domain names and non-common domain names in the intranet domain-name access log;
obtaining the host's domain-name access situation data from the intranet domain-name access log, the domain-name access situation data comprising data on accesses to the common domain names and accesses to the non-common domain names;
comparing the host's domain-name access situation data with a pre-created domain-name access behaviour baseline to detect whether the host is infected with a Trojan, the domain-name access behaviour baseline being the host's domain-name access situation data in a state of not being infected with a Trojan.
Optionally, the step of obtaining the intranet domain-name access log of the host to be detected comprises:
obtaining the intranet domain-name access log generated by the host to be detected in the current detection cycle;
the step of obtaining the host's domain-name access situation data from the intranet domain-name access log comprises:
obtaining, from the intranet domain-name access log generated by the host to be detected in the current detection cycle, the host's domain-name access situation data for the current detection cycle;
and the domain-name access behaviour baseline is the host's domain-name access situation data from the previous detection cycle, in a state of not being infected with a Trojan.
Optionally, the step of obtaining the domain names to be identified from the intranet domain-name access log comprises:
obtaining all domain names contained in the intranet domain-name access log;
filtering out the access domain names of internal systems contained in those domain names, and taking the remaining domain names as the domain names to be identified.
Optionally, the step of identifying each domain name to be identified, to obtain the common domain names and non-common domain names in the intranet domain-name access log, comprises:
selecting first-class common domain names from the domain names to be identified, the first-class common domain names being the domain names ranked within a preset number of positions in a public domain-name ranking data set;
identifying, using a pre-trained domain-name identification model, the domain names to be identified other than the first-class common domain names, to obtain non-common domain names and second-class common domain names, the pre-trained domain-name identification model being a binary-classification neural network model trained in advance on samples consisting of a preset first number of common domain names and/or a preset second number of non-common domain names;
merging the first-class common domain names and the second-class common domain names to obtain the common domain names in the intranet domain-name access log.
Optionally, after the step of comparing the host's domain-name access situation data with the pre-created domain-name access behaviour baseline and detecting whether the host is infected with a Trojan, the method further comprises:
if the detection result is that the host is not infected with a Trojan, saving the host's domain-name access situation data for the current detection cycle as the domain-name access behaviour baseline for the next detection cycle.
Optionally, the current detection cycle is 1 (one day);
the step of obtaining, from the intranet domain-name access log generated by the host to be detected in the current detection cycle, the host's domain-name access situation data for the current detection cycle comprises:
obtaining, from the intranet domain-name access log generated by the host to be detected on that day, the host's domain-name access situation data for that day;
the host's domain-name access situation data for the day comprising: the domain-name access count in the intranet domain-name access log, the number of distinct domain names accessed, the number of domain names newly accessed that day, the number of non-common domain names accessed, the access count of non-common domain names, the number of common domain names accessed, and the access count of common domain names.
Optionally, the step of comparing the host's domain-name access situation data with the pre-created domain-name access behaviour baseline and detecting whether the host is infected with a Trojan comprises:
calculating the similarity and the deviation between the domain-name access behaviour baseline and the host's domain-name access situation data;
judging, according to the calculated similarity and deviation, whether the host is infected with a Trojan.
Optionally, the step of judging, according to the calculated similarity and deviation, whether the host is infected with a Trojan comprises:
if the similarity is greater than or equal to a preset first threshold and the deviation is less than or equal to a preset second threshold, judging the host not to be infected with a Trojan;
if the similarity is less than the preset first threshold and the deviation is greater than the preset second threshold, judging the host to be infected with a Trojan.
Optionally, the similarity is calculated using the following formula:
The deviation is calculated using the following formula:
where n is the data dimension of the domain-name access behaviour baseline and of the domain-name access situation data, X_i is the i-th dimension of the domain-name access behaviour baseline, and Y_i is the i-th dimension of the domain-name access situation data.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting Trojans on a host, applied to a server in communication with the host, the apparatus comprising:
a log acquisition module, for obtaining the intranet domain-name access log of the host to be detected;
a domain-name acquisition module, for obtaining the domain names to be identified from the intranet domain-name access log;
a domain-name identification module, for identifying each domain name to be identified, to obtain the common domain names and non-common domain names in the intranet domain-name access log;
a data acquisition module, for obtaining the host's domain-name access situation data from the intranet domain-name access log, the domain-name access situation data comprising data on accesses to the non-common domain names and accesses to the common domain names;
a Trojan detection module, for comparing the host's domain-name access situation data with a pre-created domain-name access behaviour baseline to detect whether the host is infected with a Trojan, the domain-name access behaviour baseline being the host's domain-name access situation data in a state of not being infected with a Trojan.
Optionally, the log acquisition module comprises:
a first acquisition unit, for obtaining the intranet domain-name access log generated by the host to be detected in the current detection cycle;
the data acquisition module comprises:
a second acquisition unit, for obtaining, from the intranet domain-name access log generated by the host to be detected in the current detection cycle, the host's domain-name access situation data for the current detection cycle;
and the domain-name access behaviour baseline is the host's domain-name access situation data from the previous detection cycle, in a state of not being infected with a Trojan.
Optionally, the domain-name acquisition module comprises:
a third acquisition unit, for obtaining all domain names contained in the intranet domain-name access log;
a filter unit, for filtering out the access domain names of internal systems contained in those domain names and taking the remaining domain names as the domain names to be identified.
Optionally, the domain-name identification module comprises:
a selection unit, for selecting first-class common domain names from the domain names to be identified, the first-class common domain names being the domain names ranked within a preset number of positions in a public domain-name ranking data set;
a recognition unit, for identifying, using a pre-trained domain-name identification model, the domain names to be identified other than the first-class common domain names, to obtain non-common domain names and second-class common domain names, the pre-trained domain-name identification model being a binary-classification neural network model trained in advance on samples consisting of a preset first number of common domain names and/or a preset second number of non-common domain names;
a merging unit, for merging the first-class common domain names and the second-class common domain names to obtain the common domain names in the intranet domain-name access log.
Optionally, the apparatus further comprises:
a saving module, for saving the host's domain-name access situation data for the current detection cycle as the domain-name access behaviour baseline for the next detection cycle if, after the Trojan detection module has compared the host's domain-name access situation data with the pre-created domain-name access behaviour baseline and detected whether the host is infected with a Trojan, the detection result is that the host is not infected with a Trojan.
Optionally, the current detection cycle is 1 (one day);
the second acquisition unit comprises:
a data acquisition sub-unit, for obtaining, from the intranet domain-name access log generated by the host to be detected on that day, the host's domain-name access situation data for that day;
the host's domain-name access situation data for the day comprising: the domain-name access count in the intranet domain-name access log, the number of distinct domain names accessed, the number of domain names newly accessed that day, the number of non-common domain names accessed, the access count of non-common domain names, the number of common domain names accessed, and the access count of common domain names.
Optionally, the Trojan detection module comprises:
a computing unit, for calculating the similarity and the deviation between the domain-name access behaviour baseline and the host's domain-name access situation data;
a judging unit, for judging, according to the calculated similarity and deviation, whether the host is infected with a Trojan.
Optionally, the judging unit comprises:
a first judging sub-unit, for judging the host not to be infected with a Trojan if the similarity is greater than or equal to a preset first threshold and the deviation is less than or equal to a preset second threshold;
a second judging sub-unit, for judging the host to be infected with a Trojan if the similarity is less than the preset first threshold and the deviation is greater than the preset second threshold.
Optionally, the computing unit comprises:
a similarity calculation sub-unit, for calculating the similarity using the following formula:
a deviation calculation sub-unit, for calculating the deviation using the following formula:
where n is the data dimension of the domain-name access behaviour baseline and of the domain-name access situation data, X_i is the i-th dimension of the domain-name access behaviour baseline, and Y_i is the i-th dimension of the domain-name access situation data.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is for storing a computer program;
and the processor, when executing the program stored in the memory, implements the method steps of any of the first aspect.
In the method, apparatus and electronic device for detecting Trojans on a host provided by the embodiments of the present invention, the intranet domain-name access log of the host to be detected is obtained and the domain names to be identified are extracted from it; then each domain name to be identified is identified, to obtain the common domain names and non-common domain names in the intranet domain-name access log, and the host's domain-name access situation data are obtained from the log; finally, the host's domain-name access situation data are compared with a pre-created domain-name access behaviour baseline to detect whether the host is infected with a Trojan. Because the domain-name access situation data are derived dynamically from the access log that records the host's access behaviour, and the result of comparing them with the domain-name access behaviour baseline serves as the detection basis, no signature of a known Trojan is required, so Trojans of unknown type can be detected.
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a method for detecting Trojans on a host according to an embodiment of the present invention;
Fig. 2 is another flow diagram of a method for detecting Trojans on a host according to an embodiment of the present invention;
Fig. 3 is a structural diagram of an apparatus for detecting Trojans on a host according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention.
To detect Trojans of unknown type, embodiments of the present invention provide a method, apparatus and electronic device for detecting Trojans on a host. First, the intranet domain-name access log of the host to be detected is obtained and the domain names to be identified are extracted from it; then each domain name to be identified is identified, to obtain the common domain names and non-common domain names in the intranet domain-name access log, and the host's domain-name access situation data are obtained from the log; finally, the host's domain-name access situation data are compared with a pre-created domain-name access behaviour baseline to detect whether the host is infected with a Trojan. Because the domain-name access situation data are derived dynamically from the access log that records the host's access behaviour, and the result of comparing them with the domain-name access behaviour baseline serves as the detection basis, no signature of a known Trojan is required, so Trojans of unknown type can be detected.
As one embodiment of the present invention, a method for detecting Trojans on a host is applied to a server in communication with the host. When a controlling machine attacks a host with a Trojan and the host becomes infected, the host establishes a communication connection with the controlling machine by accessing a malicious domain name, and through that connection the controlling machine can control the infected host; such malicious domain names are usually non-common domain names. Therefore, for Trojan detection it suffices to compare the host's data on accesses to non-common domain names and to common domain names with a pre-created domain-name access behaviour baseline, and to judge from the comparison result whether the host to be detected is infected with a Trojan.
Specifically, as shown in Fig. 1, the method comprises:
S101: obtaining the intranet domain-name access log of the host to be detected.
In this step, the intranet domain-name access log obtained contains log information such as the domain names accessed by the host to be detected, the access time of each domain name and the source IP address.
S102: obtaining the domain names to be identified from the intranet domain-name access log.
Optionally, since the access domain names of internal systems are not non-common domain names of unknown origin, the access domain names of internal systems contained in the intranet domain-name access log may be filtered out first, so that this part of the domain names no longer needs to be identified.
S103: identifying each domain name to be identified, to obtain the common domain names and non-common domain names in the intranet domain-name access log.
In this embodiment, the step of identifying each domain name to be identified comprises: selecting first-class common domain names from the domain names to be identified, and identifying second-class common domain names and non-common domain names with a domain-name identification model. Optionally, the first-class common domain names are the domain names ranked within a preset number of positions in a public domain-name ranking data set.
S104: obtaining the host's domain-name access situation data from the intranet domain-name access log; the domain-name access situation data contain data on accesses to common domain names and accesses to non-common domain names.
Specifically, after the common domain names and non-common domain names in the intranet domain-name access log have been obtained, the host's domain-name access situation data can be obtained by statistical methods.
S105: comparing the host's domain-name access situation data with a pre-created domain-name access behaviour baseline to detect whether the host is infected with a Trojan; the domain-name access behaviour baseline is the host's domain-name access situation data in a state of not being infected with a Trojan.
Specifically, the domain-name access behaviour baseline is the domain-name access situation data of the host to be detected from the previous detection cycle, in a state of not being infected with a Trojan. By comparing the domain-name access behaviour baseline with the host's domain-name access situation data, it can be judged whether the host to be detected shows abnormal access behaviour, and the detection result is obtained accordingly.
In the method for detecting Trojans on a host provided by this embodiment of the present invention, the intranet domain-name access log of the host to be detected is obtained and the domain names to be identified are extracted from it; then each domain name to be identified is identified, to obtain the common domain names and non-common domain names in the intranet domain-name access log, and the host's domain-name access situation data are obtained from the log; finally, the host's domain-name access situation data are compared with a pre-created domain-name access behaviour baseline to detect whether the host is infected with a Trojan. Because the domain-name access situation data are derived dynamically from the access log that records the host's access behaviour, and the result of comparing them with the domain-name access behaviour baseline serves as the detection basis, no signature of a known Trojan is required, so Trojans of unknown type can be detected.
As another embodiment of the present invention, a further method for detecting Trojans on a host is applied to a server in communication with the host.
Specifically, as shown in Fig. 2, the method comprises:
S201: obtaining the intranet domain-name access log generated by the host to be detected in the current detection cycle.
Optionally, the current detection cycle can be set according to the specific detection needs; for example, it can be set to one day, one week, and so on.
S202: obtaining all domain names contained in the intranet domain-name access log and filtering them, to obtain the domain names to be identified.
In this embodiment, all domain names contained in the intranet domain-name access log are obtained first, the access domain names of internal systems among them are then filtered out, and the remaining domain names are taken as the domain names to be identified.
S203: selecting first-class common domain names from the domain names to be identified.
Specifically, after the domain names to be identified have been obtained, the first-class common domain names are selected from them. In this embodiment, the domain names ranked in the top ten thousand of a public domain-name ranking data set can be taken as the first-class common domain names.
S204: identifying, using a pre-trained domain-name identification model, the domain names to be identified other than the first-class common domain names.
S205: obtaining the common domain names and non-common domain names in the intranet domain-name access log.
Specifically, the domain names to be identified other than the first-class common domain names are identified with the pre-trained domain-name identification model, to obtain non-common domain names and second-class common domain names; the first-class common domain names and the second-class common domain names are then merged to obtain the common domain names in the intranet domain-name access log. The pre-trained domain-name identification model is a binary-classification neural network model trained in advance on samples consisting of a preset first number of common domain names and/or a preset second number of non-common domain names. After a domain name to be identified is input to the domain-name identification model, an output of 1 indicates that the domain name is a non-common domain name, and an output of 0 indicates that it is a second-class common domain name.
In general, the data volume of the intranet domain-name access log can reach 10,000 queries per second (1W QPS). To reduce the amount of data the domain-name identification model has to process, this embodiment of the present invention first filters out the access domain names of internal systems, which account for about 50% of all domain names; the remaining domain names are then taken as the domain names to be identified, and the first-class common domain names, which account for about 30% of all domain names, are selected from them. In this way only the domain names to be identified other than the first-class common domain names need to be identified, so the number of domain names to process is reduced by about 80%, which improves data-processing efficiency.
Of course, in other embodiments of the invention all domain names in the intranet domain name access log may be taken as domain names to be identified, and the common and non-common domain names identified directly with the domain name identification model, without the preceding filtering.
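The triage pipeline of the identification step described above (filter out internal-system domains, resolve the first-class common domain names from a public ranking, run only the remainder through the classifier), as an added Python example; this is not code from the patent. The DNS log lines, the internal zone suffix, the public ranking list and its top-2 cut-off are all constructed, and the trained two-class neural network is replaced by a small character-statistics stand-in that only reproduces the model's output convention (1 for non-common, 0 for second-class common).

```python
"""Domain-name triage for an intranet DNS log (constructed example, not the patent's code)."""
import math
from collections import Counter

# Constructed DNS query log lines for one host: "<timestamp> <host_ip> <queried_domain>".
SAMPLE_LOG = """\
2019-05-27T08:00:01 10.0.0.5 mail.corp.example
2019-05-27T08:00:02 10.0.0.5 wiki.corp.example
2019-05-27T08:00:05 10.0.0.5 www.google.com
2019-05-27T08:00:09 10.0.0.5 update.microsoft.com
2019-05-27T08:00:10 10.0.0.5 cdn.example.org
2019-05-27T08:00:12 10.0.0.5 x7q2kd9w3.example.net
"""

# ASSUMPTION: internal-system domains are recognised by their zone suffix.
INTERNAL_SUFFIXES = (".corp.example",)

# ASSUMPTION: stand-in for the public domain-ranking data set, best-ranked first,
# with the "preset quantity" cut-off set to the top 2 so the example stays small.
PUBLIC_RANKING = ["google.com", "microsoft.com", "facebook.com", "example.org"]
TOP_N = 2


def unique_domains(log_text):
    """Return the distinct queried domains in first-seen order."""
    domains = [line.split()[-1].lower() for line in log_text.splitlines() if line.strip()]
    return list(dict.fromkeys(domains))


def is_internal(domain):
    return domain.endswith(INTERNAL_SUFFIXES)


def registered_domain(domain):
    """Simplification: the last two labels (no public-suffix list handling)."""
    return ".".join(domain.split(".")[-2:])


def label_entropy(label):
    """Shannon entropy (bits) of the characters of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def stand_in_model(domain):
    """Stand-in for the trained two-class neural network.

    Returns 1 (non-common) when the leftmost label looks machine-generated
    (high character entropy or many digits), else 0 (second-class common).
    The real model is trained on labelled samples; this heuristic exists only
    so the pipeline around it can run.
    """
    label = domain.split(".")[0]
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return 1 if label_entropy(label) > 3.0 or digit_ratio >= 0.3 else 0


def triage(log_text, top_n=TOP_N):
    """Filter internal domains, pick first-class common domains, classify the rest."""
    all_domains = unique_domains(log_text)
    to_identify = [d for d in all_domains if not is_internal(d)]
    top_set = set(PUBLIC_RANKING[:top_n])
    first_class = {d for d in to_identify if registered_domain(d) in top_set}
    remaining = [d for d in to_identify if d not in first_class]
    second_class, non_common = set(), set()
    for d in remaining:
        (non_common if stand_in_model(d) == 1 else second_class).add(d)
    return {
        "total": len(all_domains),
        "internal_filtered": len(all_domains) - len(to_identify),
        "first_class_common": len(first_class),
        "model_inputs": len(remaining),
        "common": first_class | second_class,
        "non_common": non_common,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The counts returned by `triage` make the point of the pre-filtering visible: of six logged domains, two are dropped as internal, two are resolved from the ranking list, and only two reach the model. In a deployment the heuristic would be swapped for the trained model, and the ranking list for a real public data set.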
S206: obtain the host's domain name access data from the intranet domain name access log.
Specifically, the host's domain name access data for the current detection period are obtained from the intranet domain name access log that the host to be detected generated during that period. The current detection period may be 1 (one day), in which case the host's domain name access data for the day comprise: the total number of domain name accesses in the intranet domain name access log, the number of distinct domain names accessed, the number of domain names newly accessed that day, the number of non-common domain names accessed, the number of accesses to non-common domain names, the number of common domain names accessed, and the number of accesses to common domain names.
S207: calculate the similarity and the deviation between the domain name access behavior baseline and the host's domain name access data.
Optionally, the similarity between the domain name access behavior baseline and the host's domain name access data is calculated with the following formula:
where n is the number of data dimensions of the domain name access behavior baseline and of the domain name access data, X_i is the i-th dimension of the domain name access behavior baseline, and Y_i is the i-th dimension of the domain name access data.
Optionally, the deviation between the domain name access behavior baseline and the host's domain name access data is calculated with the following formula:
where n is the number of data dimensions of the domain name access behavior baseline and of the domain name access data, X_i is the i-th dimension of the domain name access behavior baseline, and Y_i is the i-th dimension of the domain name access data. For example, when the domain name access data comprise the total number of domain name accesses in the intranet domain name access log, the number of distinct domain names accessed, the number of domain names newly accessed that day, the number of non-common domain names accessed, the number of accesses to non-common domain names, the number of common domain names accessed and the number of accesses to common domain names, the data dimension is n = 7, and Y_1, Y_2, ..., Y_7 denote, respectively, the total number of domain name accesses, the number of distinct domain names accessed, ..., the number of common domain names accessed and the number of accesses to common domain names.
S208: judge from the calculated similarity and deviation whether the host is infected with a Trojan.
Specifically, if the similarity is greater than or equal to a preset first threshold and the deviation is less than or equal to a preset second threshold, the host to be detected is judged not infected with a Trojan; if the similarity is less than the preset first threshold and the deviation is greater than the preset second threshold, the host to be detected is judged infected with a Trojan. For example, with a preset first threshold of 0.7 and a preset second threshold of 0.3, a calculated similarity of 0.8 and deviation of 0.2 clearly satisfy the condition that the similarity is at least the first threshold and the deviation at most the second threshold, so the host to be detected is not infected with a Trojan.
Optionally, if the detection result is that the host is not infected with a Trojan, the host's domain name access data for the current detection period may be saved as the domain name access behavior baseline for the next detection period.
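Steps S206 to S208 and the optional baseline roll-over, as an added Python example that is not the patent's own code. The seven-dimensional domain name access data are computed from constructed DNS log lines for one host and one day. Because the two formulas are not reproduced in the text above, the similarity is taken here to be cosine similarity and the deviation the Euclidean distance from the baseline divided by the baseline's norm; both are marked as assumptions in the code. The baseline vector, the common/non-common sets, the previously seen domains and the thresholds 0.7 and 0.3 (the values of the worked example above) are constructed. The two rules of S208 are not exhaustive, since a host can pass one threshold and fail the other, so the decision function returns a third, undetermined verdict in that case rather than forcing a side.

```python
"""Baseline comparison of one host's DNS behaviour (constructed example, not the patent's code)."""
import math
from collections import Counter

# Constructed intranet DNS log for one host and one detection period (one day),
# format "<timestamp> <host_ip> <queried_domain>". Internal-system domains are
# assumed to have been filtered out already.
CLEAN_DAY_LOG = """\
2019-05-28T09:00:01 10.0.0.5 www.google.com
2019-05-28T09:00:04 10.0.0.5 www.google.com
2019-05-28T09:00:07 10.0.0.5 update.microsoft.com
2019-05-28T09:00:09 10.0.0.5 cdn.example.org
2019-05-28T09:01:00 10.0.0.5 www.google.com
2019-05-28T09:01:30 10.0.0.5 x7q2kd9w3.example.net
2019-05-28T09:02:00 10.0.0.5 update.microsoft.com
2019-05-28T09:02:10 10.0.0.5 cdn.example.org
"""

# The same eight queries plus sixteen never-seen non-common domains, each queried
# twice (constructed to resemble the footprint a beaconing implant leaves in DNS).
INFECTED_DAY_LOG = CLEAN_DAY_LOG + "".join(
    f"2019-05-28T10:{i:02d}:00 10.0.0.5 bot-{i:02d}.example.net\n" * 2 for i in range(16)
)

# Constructed outputs of the domain identification step and of the previous day.
COMMON = {"www.google.com", "update.microsoft.com", "cdn.example.org"}
NON_COMMON = {"x7q2kd9w3.example.net"} | {f"bot-{i:02d}.example.net" for i in range(16)}
SEEN_BEFORE = set(COMMON)          # domains this host queried on earlier days
BASELINE = [8, 4, 0, 0, 0, 4, 8]   # access data saved from the last clean period
FIRST_THRESHOLD = 0.7              # similarity threshold (value of the worked example)
SECOND_THRESHOLD = 0.3             # deviation threshold (value of the worked example)


def extract_features(log_text, seen_before, common, non_common):
    """The seven-dimensional domain name access data of S206, in the order listed."""
    domains = [line.split()[-1] for line in log_text.splitlines() if line.strip()]
    counts = Counter(domains)
    distinct = set(counts)
    non_common_seen = distinct & non_common
    common_seen = distinct & common
    return [
        len(domains),                               # total domain name accesses
        len(distinct),                              # distinct domain names accessed
        len(distinct - seen_before),                # domain names newly accessed today
        len(non_common_seen),                       # non-common domain names accessed
        sum(counts[d] for d in non_common_seen),    # accesses to non-common domain names
        len(common_seen),                           # common domain names accessed
        sum(counts[d] for d in common_seen),        # accesses to common domain names
    ]


def similarity(x, y):
    """ASSUMPTION: cosine similarity; the patent's own formula is not in the text."""
    dot = sum(a * b for a, b in zip(x, y))
    nx = math.sqrt(sum(a * a for a in x))
    ny = math.sqrt(sum(b * b for b in y))
    return dot / (nx * ny) if nx and ny else 0.0


def deviation(x, y):
    """ASSUMPTION: ||X - Y|| / ||X||, the displacement scaled by the baseline's magnitude."""
    nx = math.sqrt(sum(a * a for a in x))
    dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))
    return dist / nx if nx else float("inf")


def judge(baseline, today, t1=FIRST_THRESHOLD, t2=SECOND_THRESHOLD):
    """Step S208. Returns (verdict, similarity, deviation)."""
    sim, dev = similarity(baseline, today), deviation(baseline, today)
    if sim >= t1 and dev <= t2:
        return "clean", sim, dev
    if sim < t1 and dev > t2:
        return "infected", sim, dev
    # The two rules are not exhaustive: one metric can pass while the other fails.
    return "undetermined", sim, dev


def next_baseline(verdict, baseline, today):
    """Roll the baseline forward only after a clean verdict (the optional step after S208)."""
    return list(today) if verdict == "clean" else list(baseline)


if __name__ == "__main__":
    for name, log in (("clean day", CLEAN_DAY_LOG), ("infected day", INFECTED_DAY_LOG)):
        today = extract_features(log, SEEN_BEFORE, COMMON, NON_COMMON)
        verdict, sim, dev = judge(BASELINE, today)
        print(f"{name}: features={today} similarity={sim:.3f} deviation={dev:.3f} -> {verdict}")
```

The clean day gives a vector close to the baseline (high similarity, small deviation), while the sixteen new non-common domains of the infected day pull the vector away in both metrics. The undetermined branch matters operationally: a baseline that is refreshed only after a clean verdict never absorbs a day that failed either test, so drift into the baseline is prevented on exactly the days where it would be most harmful.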
The method for Trojan detection on a host provided by this embodiment of the invention obtains the intranet domain name access log of the host to be detected and extracts from it the domain names to be identified; identifies each domain name to be identified to obtain the common and non-common domain names in the intranet domain name access log; obtains the host's domain name access data from the log; and finally compares the host's domain name access data with a pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan. Because the domain name access data are derived dynamically from the access log that records the host's actual access behavior, and the result of comparing them with the baseline serves as the detection basis, no signature of a known Trojan is required, so Trojans of unknown type can be detected.
As a further embodiment of the invention, as shown in Fig. 3, a device for Trojan detection on a host, applied to a server in communication with the host, comprises:
a log acquisition module 310 for obtaining the intranet domain name access log of the host to be detected;
a domain name acquisition module 320 for obtaining the domain names to be identified from the intranet domain name access log;
a domain name identification module 330 for identifying each domain name to be identified to obtain the common and non-common domain names in the intranet domain name access log;
a data acquisition module 340 for obtaining the host's domain name access data from the intranet domain name access log, the domain name access data containing data on accesses to non-common domain names and to common domain names; and
a Trojan detection module 350 for comparing the host's domain name access data with a pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan, the domain name access behavior baseline being the host's domain name access data in a state in which it is not infected with a Trojan.
The device for Trojan detection on a host provided by this embodiment of the invention obtains the intranet domain name access log of the host to be detected and extracts from it the domain names to be identified; identifies each domain name to be identified to obtain the common and non-common domain names in the intranet domain name access log; obtains the host's domain name access data from the log; and finally compares the host's domain name access data with a pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan. Because the domain name access data are derived dynamically from the access log that records the host's actual access behavior, and the result of comparing them with the baseline serves as the detection basis, no signature of a known Trojan is required, so Trojans of unknown type can be detected.
As a further embodiment of the invention, the log acquisition module 310 may comprise:
a first acquisition unit for obtaining the intranet domain name access log generated by the host to be detected in the current detection period;
the data acquisition module 340 may comprise:
a second acquisition unit for obtaining the host's domain name access data for the current detection period from the intranet domain name access log generated by the host to be detected in the current detection period;
and the domain name access behavior baseline is the host's domain name access data from the previous detection period, in a state in which it was not infected with a Trojan.
As a further embodiment of the invention, the domain name acquisition module 320 may comprise:
a third acquisition unit for obtaining all domain names contained in the intranet domain name access log; and
a filter unit for filtering out the access domain names of internal systems contained in those domain names, the remaining domain names being the domain names to be identified.
As a further embodiment of the invention, the domain name identification module 330 may comprise:
a selection unit for selecting first-class common domain names from the domain names to be identified, the first-class common domain names being the domain names ranked within a preset number of top positions in a public domain-ranking data set;
a recognition unit for identifying, with a pre-trained domain name identification model, the domain names to be identified other than the first-class common domain names to obtain non-common domain names and second-class common domain names, the pre-trained domain name identification model being a two-class neural network model trained in advance on a sample consisting of a preset first number of common domain names and/or a preset second number of non-common domain names; and
a merging unit for merging the first-class and second-class common domain names to obtain the common domain names in the intranet domain name access log.
As a further embodiment of the invention, the device further comprises:
a saving module which, after the Trojan detection module has compared the host's domain name access data with the pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan, saves the host's domain name access data for the current detection period as the domain name access behavior baseline for the next detection period if the detection result is that the host is not infected.
As a further embodiment of the invention, the current detection period is 1 (one day), and the second acquisition unit comprises:
a data acquisition sub-unit for obtaining the host's domain name access data for the day from the intranet domain name access log generated by the host to be detected on that day;
the host's domain name access data for the day comprising: the total number of domain name accesses in the intranet domain name access log, the number of distinct domain names accessed, the number of domain names newly accessed that day, the number of non-common domain names accessed, the number of accesses to non-common domain names, the number of common domain names accessed and the number of accesses to common domain names.
As a further embodiment of the invention, the Trojan detection module 350 comprises:
a computing unit for calculating the similarity and the deviation between the domain name access behavior baseline and the host's domain name access data; and
a judging unit for judging, from the calculated similarity and deviation, whether the host is infected with a Trojan.
As a further embodiment of the invention, the judging unit comprises:
a first judgment sub-unit for judging the host not infected with a Trojan if the similarity is greater than or equal to the preset first threshold and the deviation is less than or equal to the preset second threshold; and
a second judgment sub-unit for judging the host infected with a Trojan if the similarity is less than the preset first threshold and the deviation is greater than the preset second threshold.
As a further embodiment of the invention, the computing unit comprises:
a similarity calculation sub-unit for calculating the similarity with the following formula:
a deviation calculation sub-unit for calculating the deviation with the following formula:
where n is the number of data dimensions of the domain name access behavior baseline and of the domain name access data, X_i is the i-th dimension of the domain name access behavior baseline, and Y_i is the i-th dimension of the domain name access data.
The device for Trojan detection on a host provided by this embodiment of the invention first obtains the intranet domain name access log of the host to be detected and extracts from it the domain names to be identified; then identifies each domain name to be identified to obtain the common and non-common domain names in the intranet domain name access log, and obtains the host's domain name access data from the log; and finally compares the host's domain name access data with a pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan. Because the domain name access data are derived dynamically from the access log that records the host's actual access behavior, and the result of comparing them with the baseline serves as the detection basis, no signature of a known Trojan is required, so Trojans of unknown type can be detected.
An embodiment of the invention further provides an electronic device which, as shown in Fig. 4, comprises a processor 401, a communication interface 402, a memory 403 and a communication bus 404, the processor 401, the communication interface 402 and the memory 403 communicating with one another via the communication bus 404;
the memory 403 is for storing a computer program; and
the processor 401, when executing the program stored in the memory 403, implements the following steps:
obtaining the intranet domain name access log of a host to be detected;
obtaining domain names to be identified from the intranet domain name access log;
identifying each domain name to be identified to obtain the common and non-common domain names in the intranet domain name access log;
obtaining the host's domain name access data from the intranet domain name access log, the domain name access data containing data on accesses to the common domain names and to the non-common domain names; and
comparing the host's domain name access data with a pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan, the domain name access behavior baseline being the host's domain name access data in a state in which it is not infected with a Trojan.
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For convenience it is drawn as a single thick line in the figure, which does not mean that there is only one bus or only one type of bus.
The communication interface serves the communication between the electronic device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one magnetic disk storage. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) or the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or a discrete hardware component.
The above embodiments may be implemented wholly or partly in software, hardware, firmware or any combination thereof. When implemented in software, they may be realised wholly or partly as a computer program product comprising one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the invention are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one web site, computer, server or data center to another by wired means (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any usable medium accessible to a computer, or a data storage device such as a server or data center integrating one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)).
It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Absent further limitation, an element defined by the phrase "including a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes it.
The embodiments in this specification are described in a related manner: the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the device embodiment is substantially similar to the method embodiment, it is described relatively briefly, and reference may be made to the description of the method embodiment for the relevant parts.
The foregoing is merely a description of preferred embodiments of the invention and is not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.
Claims (19)
1. A method for Trojan detection on a host, characterized in that it is applied to a server in communication with the host, the method comprising:
obtaining an intranet domain name access log of a host to be detected;
obtaining domain names to be identified from the intranet domain name access log;
identifying each domain name to be identified to obtain common domain names and non-common domain names in the intranet domain name access log;
obtaining domain name access data of the host from the intranet domain name access log, the domain name access data containing data on accesses to the common domain names and to the non-common domain names; and
comparing the domain name access data of the host with a pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan, the domain name access behavior baseline being the domain name access data of the host in a state of not being infected with a Trojan.
2. The method according to claim 1, characterized in that the step of obtaining the intranet domain name access log of the host to be detected comprises:
obtaining the intranet domain name access log generated by the host to be detected in the current detection period;
the step of obtaining the domain name access data of the host from the intranet domain name access log comprises:
obtaining the domain name access data of the host for the current detection period from the intranet domain name access log generated by the host to be detected in the current detection period; and
the domain name access behavior baseline is the domain name access data of the host in the previous detection period, in a state of not being infected with a Trojan.
3. The method according to claim 2, characterized in that the step of obtaining the domain names to be identified from the intranet domain name access log comprises:
obtaining all domain names contained in the intranet domain name access log; and
filtering out the access domain names of internal systems contained in those domain names, the remaining domain names being the domain names to be identified.
4. The method according to claim 3, characterized in that the step of identifying each domain name to be identified to obtain the common domain names and non-common domain names in the intranet domain name access log comprises:
selecting first-class common domain names from the domain names to be identified, the first-class common domain names being the domain names ranked within a preset number of top positions in a public domain-ranking data set;
identifying, with a pre-trained domain name identification model, the domain names to be identified other than the first-class common domain names to obtain non-common domain names and second-class common domain names, the pre-trained domain name identification model being a two-class neural network model trained in advance on a sample consisting of a preset first number of common domain names and/or a preset second number of non-common domain names; and
merging the first-class common domain names and the second-class common domain names to obtain the common domain names in the intranet domain name access log.
5. The method according to claim 4, characterized in that, after the step of comparing the domain name access data of the host with the pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan, the method further comprises:
if the detection result is that the host is not infected with a Trojan, saving the domain name access data of the host for the current detection period as the domain name access behavior baseline for the next detection period.
6. The method according to claim 5, characterized in that the current detection period is 1 (one day);
the step of obtaining the domain name access data of the host for the current detection period from the intranet domain name access log generated by the host to be detected in the current detection period comprises:
obtaining the domain name access data of the host for the day from the intranet domain name access log generated by the host to be detected on that day; and
the domain name access data of the host for the day comprise: the total number of domain name accesses in the intranet domain name access log, the number of distinct domain names accessed, the number of domain names newly accessed that day, the number of non-common domain names accessed, the number of accesses to non-common domain names, the number of common domain names accessed and the number of accesses to common domain names.
7. The method according to claim 2, characterized in that the step of comparing the domain name access data of the host with the pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan comprises:
calculating the similarity and the deviation between the domain name access behavior baseline and the domain name access data of the host; and
judging, from the calculated similarity and deviation, whether the host is infected with a Trojan.
8. The method according to claim 7, characterized in that the step of judging, from the calculated similarity and deviation, whether the host is infected with a Trojan comprises:
if the similarity is greater than or equal to a preset first threshold and the deviation is less than or equal to a preset second threshold, judging the host not infected with a Trojan; and
if the similarity is less than the preset first threshold and the deviation is greater than the preset second threshold, judging the host infected with a Trojan.
9. The method according to claim 8, characterized in that the similarity is calculated with the following formula:
the deviation is calculated with the following formula:
where n is the number of data dimensions of the domain name access behavior baseline and of the domain name access data, X_i is the i-th dimension of the domain name access behavior baseline, and Y_i is the i-th dimension of the domain name access data.
10. A device for Trojan detection on a host, characterized in that it is applied to a server in communication with the host, the device comprising:
a log acquisition module for obtaining an intranet domain name access log of a host to be detected;
a domain name acquisition module for obtaining domain names to be identified from the intranet domain name access log;
a domain name identification module for identifying each domain name to be identified to obtain common domain names and non-common domain names in the intranet domain name access log;
a data acquisition module for obtaining domain name access data of the host from the intranet domain name access log, the domain name access data containing data on accesses to the common domain names and to the non-common domain names; and
a Trojan detection module for comparing the domain name access data of the host with a pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan, the domain name access behavior baseline being the domain name access data of the host in a state of not being infected with a Trojan.
11. The device according to claim 10, characterized in that the log acquisition module comprises:
a first acquisition unit for obtaining the intranet domain name access log generated by the host to be detected in the current detection period;
the data acquisition module comprises:
a second acquisition unit for obtaining the domain name access data of the host for the current detection period from the intranet domain name access log generated by the host to be detected in the current detection period; and
the domain name access behavior baseline is the domain name access data of the host in the previous detection period, in a state of not being infected with a Trojan.
12. The device according to claim 11, characterized in that the domain name acquisition module comprises:
a third acquisition unit for obtaining all domain names contained in the intranet domain name access log; and
a filter unit for filtering out the access domain names of internal systems contained in those domain names, the remaining domain names being the domain names to be identified.
13. The device according to claim 12, characterized in that the domain name identification module comprises:
a selection unit for selecting first-class common domain names from the domain names to be identified, the first-class common domain names being the domain names ranked within a preset number of top positions in a public domain-ranking data set;
a recognition unit for identifying, with a pre-trained domain name identification model, the domain names to be identified other than the first-class common domain names to obtain non-common domain names and second-class common domain names, the pre-trained domain name identification model being a two-class neural network model trained in advance on a sample consisting of a preset first number of common domain names and/or a preset second number of non-common domain names; and
a merging unit for merging the first-class common domain names and the second-class common domain names to obtain the common domain names in the intranet domain name access log.
14. The device according to claim 13, characterized in that the device further comprises:
a saving module which, after the Trojan detection module has compared the domain name access data of the host with the pre-created domain name access behavior baseline to detect whether the host is infected with a Trojan, saves the domain name access data of the host for the current detection period as the domain name access behavior baseline for the next detection period if the detection result is that the host is not infected with a Trojan.
15. The device according to claim 14, characterized in that the current detection period is 1 (one day);
the second acquisition unit comprises:
a data acquisition sub-unit for obtaining the domain name access data of the host for the day from the intranet domain name access log generated by the host to be detected on that day; and
the domain name access data of the host for the day comprise: the total number of domain name accesses in the intranet domain name access log, the number of distinct domain names accessed, the number of domain names newly accessed that day, the number of non-common domain names accessed, the number of accesses to non-common domain names, the number of common domain names accessed and the number of accesses to common domain names.
16. The device according to claim 11, characterized in that the Trojan detection module comprises:
a computing unit for calculating the similarity and the deviation between the domain name access behavior baseline and the domain name access data of the host; and
a judging unit for judging, from the calculated similarity and deviation, whether the host is infected with a Trojan.
17. The device according to claim 16, characterized in that the judging unit comprises:
a first judgment sub-unit for judging the host not infected with a Trojan if the similarity is greater than or equal to a preset first threshold and the deviation is less than or equal to a preset second threshold; and
a second judgment sub-unit for judging the host infected with a Trojan if the similarity is less than the preset first threshold and the deviation is greater than the preset second threshold.
18. The device according to claim 17, characterized in that the computing unit comprises:
a similarity calculation sub-unit for calculating the similarity with the following formula:
a deviation calculation sub-unit for calculating the deviation with the following formula:
where n is the number of data dimensions of the domain name access behavior baseline and of the domain name access data, X_i is the i-th dimension of the domain name access behavior baseline, and Y_i is the i-th dimension of the domain name access data.
19. An electronic device, characterized in that it comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another via the communication bus;
the memory is configured to store a computer program;
the processor, when executing the program stored in the memory, implements the method steps of any one of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910446832.9A CN110213255B (en) | 2019-05-27 | 2019-05-27 | Method and device for detecting Trojan horse of host and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110213255A (en) | 2019-09-06 |
| CN110213255B (en) | 2022-03-04 |
Family ID: 67788764
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910446832.9A Active CN110213255B (en) | 2019-05-27 | 2019-05-27 | Method and device for detecting Trojan horse of host and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110213255B (en) |
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102594825A * | 2012-02-22 | 2012-07-18 | 北京百度网讯科技有限公司 | Method and device for detecting intranet Trojans |
| US9049221B1 * | 2013-11-12 | 2015-06-02 | Emc Corporation | Detecting suspicious web traffic from an enterprise network |
| CN106101104A * | 2016-06-15 | 2016-11-09 | 国家计算机网络与信息安全管理中心 | Malicious domain name detection method and system based on domain name resolution |
| US20170013003A1 * | 2013-12-14 | 2017-01-12 | Hewlett Packard Enterprise Development Lp | Log Analysis Based on User Activity Volume |
| CN106453412A * | 2016-12-01 | 2017-02-22 | 绵阳灵先创科技有限公司 | Malicious domain name determination method based on frequency characteristics |
| CN106657001A * | 2016-11-10 | 2017-05-10 | 广州赛讯信息技术有限公司 | Botnet detection method based on NetFlow and DNS logs |
| CN107770132A * | 2016-08-18 | 2018-03-06 | 中兴通讯股份有限公司 | Method and device for detecting algorithmically generated domain names |
| CN109284613A * | 2018-09-30 | 2019-01-29 | 北京神州绿盟信息安全科技股份有限公司 | Label detection and counterfeit site detection method, device, equipment and storage medium |
| CN109495423A * | 2017-09-11 | 2019-03-19 | 网宿科技股份有限公司 | Method and system for preventing network attacks |
| CN109660502A * | 2018-09-28 | 2019-04-19 | 平安科技(深圳)有限公司 | Abnormal behaviour detection method, device, equipment and storage medium |
Timeline: 2019-05-27, application CN201910446832.9A filed in China (granted as CN110213255B); status: Active.
Non-Patent Citations (1)
| Title |
|---|
| 张永斌 (Zhang Yongbin) et al., "Malicious domain name detection based on group behaviour characteristics" (基于组行为特征的恶意域名检测), Computer Science (《计算机科学》) * |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111490976A (en) * | 2020-03-24 | 2020-08-04 | 浙江中烟工业有限责任公司 | A dynamic baseline management and monitoring method for industrial control network |
| CN111490976B (en) * | 2020-03-24 | 2022-04-15 | 浙江中烟工业有限责任公司 | A dynamic baseline management and monitoring method for industrial control network |
| CN111541647A (en) * | 2020-03-25 | 2020-08-14 | 杭州数梦工场科技有限公司 | Security detection method and device, storage medium and computer equipment |
| CN112468484A (en) * | 2020-11-24 | 2021-03-09 | 山西三友和智慧信息技术股份有限公司 | Internet of things equipment infection detection method based on abnormity and reputation |
| CN115134164A (en) * | 2022-07-18 | 2022-09-30 | 深信服科技股份有限公司 | Uploading behavior detection method, system, equipment and computer storage medium |
| CN115134164B (en) * | 2022-07-18 | 2024-02-23 | 深信服科技股份有限公司 | Uploading behavior detection method, system, equipment and computer storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110213255B (en) | 2022-03-04 |
Similar Documents
| Publication | Title |
|---|---|
| CN111949803B | Method, device and equipment for detecting abnormal network users based on a knowledge graph |
| CN110213255A | Method, device and electronic equipment for detecting a Trojan horse on a host |
| CN112866023B | Network detection method, model training method, device, equipment and storage medium |
| CN110099059B | Domain name identification method and device, and storage medium |
| CN106548343B | Method and device for detecting illegal transactions |
| CN111866024B | Network encrypted traffic identification method and device |
| CN112839014B | Method, system, equipment and medium for building an abnormal-visitor identification model |
| CN104156490A | Method and device for detecting suspicious phishing webpages based on character recognition |
| CN106874253A | Method and device for recognizing sensitive information |
| CN106603555A | Method and device for preventing credential-stuffing attacks |
| CN110414277B | Gate-level hardware Trojan detection method based on multi-feature parameters |
| CN108573146A | Malicious URL detection method and device |
| CN108334758A | Method, device and equipment for detecting unauthorized user actions |
| CN107733902A | Method and device for monitoring the diffusion process of target data |
| CN107292168A | Method, device and server for detecting program code |
| CN108718298A | Method and device for detecting malicious outbound connection traffic |
| US20200342095A1 | Rule generation apparatus and computer readable medium |
| CN107992738A | Account login anomaly detection method, device and electronic equipment |
| CN113852625B | Weak password monitoring method, device, equipment and storage medium |
| CN108390856A | DDoS attack detection method, device and electronic equipment |
| CN111385272B | Weak password detection method and device |
| CN107135199B | Method and device for detecting webpage backdoors |
| CN113810372A | Low-throughput DNS covert channel detection method and device |
| CN103475673B | Phishing website recognition method, device and client |
| CN108156127B | Network attack pattern determination device, determination method and computer readable storage medium thereof |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |