
CN105119938A - Method for defending against an intranet port-recall trojan - Google Patents

Method for defending against an intranet port-recall (reverse-connection) trojan

Info

Publication number: CN105119938A
Authority: CN (China)
Prior art keywords: message, program, value, intranet, trojan
Legal status: Granted; now Expired - Fee Related (status as displayed by Google Patents, not a legal conclusion)
Application number: CN201510585555.1A
Other languages: Chinese (zh)
Other versions: CN105119938B (en)
Inventors: 张小松, 白金, 牛伟纳, 徐浩然, 吴安彬, 唐海洋, 张�林
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China
Priority date / filing date: 2015-09-14 (application filed by University of Electronic Science and Technology of China)
Publication date: 2015-12-02 (CN105119938A); granted 2018-05-18 (CN105119938B)

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 ... for detecting or protecting against malicious traffic › H04L63/1441 Countermeasures against malicious traffic › H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
        • H04L63/02 ... for separating internal from external traffic, e.g. firewalls › H04L63/0227 Filtering policies › H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L63/02 ... for separating internal from external traffic, e.g. firewalls › H04L63/0227 Filtering policies › H04L63/0245 Filtering by information in the payload


Abstract

The invention belongs to the field of information security in networked environments and provides a method for defending against intranet port-recall (reverse-connection) trojans, addressing the problem that anti-virus software cannot reliably detect variants of known trojans or new trojans. The method: first, build a trusted-program list and store it at the intranet egress gateway; second, stamp each outgoing packet with a security context; finally, at the intranet egress, extract the packet's security context and compare it with the trusted-program list. If the program name and MD5 value carried in the packet match those of an application in the trusted-program list, the packet is released; otherwise the packet is discarded, release is restricted, and the application associated with the packet is added to a blacklist. This addresses the poor intranet security that results from traditional trojan detection being unable to detect variants of known trojans and new trojans.

Description

A method for defending against intranet port-recall (reverse-connection) trojans

Technical field

The invention belongs to the field of information security in networked environments, and specifically concerns a method for defending against port-recall (reverse-connection) trojans on an intranet.

Background

In the field of network security, malicious code is growing rapidly and all kinds of it circulate on the Internet; the most serious are viruses and trojans. Viruses aim to damage computer systems and files, whereas trojans lean towards stealing confidential information. A trojan has a client side and a server side, which in general cooperate to carry out sabotage and information theft. Today a trojan can fully evade anti-virus detection and hide its own traces, and because of firewall restrictions most trojans are now of the reverse-connection (port-recall) type.

A port-recall trojan exploits a weakness of firewalls:

Firewalls usually filter inbound connections very strictly but are lax about outbound ones. So, unlike an ordinary trojan, the server side of a port-recall trojan (the controlled machine) uses an active, connecting port, and the client side (the controller) uses a passive, listening port. The trojan periodically checks whether the controller is online and, as soon as it is, opens a port and actively connects to the port the controller has opened.

For concealment, the controller's listening port is usually 80, so that even if the user inspects their own ports with a port scanner, what they see looks like an ordinary network connection and raises no suspicion.

Current trojan detection relies mainly on signature scanning and active defence (behaviour blocking). The weakness of signature-based detection is that once a trojan mutates or a new trojan appears, anti-virus software has no good way to detect it.

Active defence, for its part, cannot reliably detect trojans that use kernel-level techniques.

Summary of the invention

The purpose of the invention is to provide a method for defending against intranet port-recall trojans, to overcome the problem that anti-virus software cannot reliably detect variants of known trojans or new trojans.

To solve this problem, the technical solution of the invention is:

A method for defending against intranet port-recall trojans, comprising the following steps:

Step 1. Determine the trusted-program list:

Set a key-value pair for every trusted program, where the key is the program name and the value is the MD5 (Message Digest Algorithm 5) hash of the executable;

The intranet egress gateway keeps a copy of this key-value list, i.e. the trusted-program list;

Step 2. Apply the security label:

Mark every network packet sent by an application on every host in the intranet with a security context, which contains:

(1) the name of the program sending the packet,

(2) the MD5 value of the program,

(3) the MAC (Media Access Control) address of the host;

Step 3. Capture all packets leaving the intranet at the intranet egress gateway;

Step 4. Check the security context carried in the packet and analyse the packet content:

Extract the security context from the packet and compare it with the gateway's trusted-program list (the key-value list). If the program name and MD5 value agree with the trusted-program list, release the packet and create a cache entry; within a preset time, further packets captured from the same program on the host with that MAC address are released directly;

Otherwise, discard the packet, restrict release, and record the relevant information in a log; at the same time, add the external IP address the packet was connecting to to a blacklist.

The advantages of the invention are:

(1) It removes the threat that arises from anti-virus software being unable to detect the newest trojans and variants of existing ones.

(2) It no longer relies solely on the traditional website whitelist. Reverse-connection trojans often fetch their instructions through third-party websites, and most of those sites are themselves safe and trusted, so a whitelist of destinations does not stop them.

The invention uses the security context to verify the subject that sent the packet and judges the safety of the connection from that, rather than from the whitelist alone.

(3) It does not break existing network protocols or applications. The security context is added to the packet by a kernel module of the operating system only as the application's traffic passes through the local network interface, so existing network applications are unaffected.

Evaluation of the security context is likewise done by a kernel module, which extracts the security context from the packet, restores the packet and passes it on to the gateway; the decision module checks the application's checksum and decides whether to release the packet.

The whole process has no effect on users or programs and is completely transparent to them.

Description of the drawings

Figure 1 shows how an intranet host application's packets are stamped with a security context as the host sends them.

Figure 2 shows how the intranet gateway extracts the security context and analyses the packet after receiving an outbound packet.

Detailed description

The technical solution is described in further detail below with reference to the drawings and an embodiment.

In this embodiment, let A be an intranet host, WA a network application on that host, MA the security-label-adding module, G the intranet gateway, and MG the security-context parsing and control module on the gateway.

First, determine the trusted applications, store each program's name and the MD5 value of its executable in the trusted-program list (key-value list), and keep that list at the intranet egress gateway; entries can be added to or removed from the trusted list dynamically as required.

When WA connects to the external network and sends a packet, the security-label-adding module MA inserts the security context into the packet: the local MAC address, the name of the sending application and that application's MD5 checksum. The packet then leaves through the local network interface towards the intranet egress gateway, as shown in Figure 1.

The gateway control module MG captures the packet, extracts its security context and compares the name of the sending application and the accompanying checksum with the applications in the trusted-program list, as shown in Figure 2.

If the application name is not in the list, the packet is dropped, the sending host's address and the suspect application are recorded in the blacklist, and the host's administrator or operator is notified to carry out a security check of that host. If the MD5 checksum in the security context differs from the one stored at the gateway, the same handling applies.

If the program name and MD5 checksum in the security context match the trusted-program list at the gateway, the security context is stripped from the packet, which is restored to a normal packet and passed to gateway G; a cache entry is created and the host running that program is told not to stamp that program's packets with a security context for the next 10 minutes. Packets from that host program captured within those 10 minutes are released directly; after 10 minutes, normal stamping, capture and processing resume.
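The four steps of the summary and the embodiment just described (host A, labelling module MA, gateway G, control module MG, 10-minute cache), written out as one added Python example. This is not code from the patent or its applicant. Assumptions not fixed by the patent: the security context is carried as a trailer `SCTX` + `name|md5|mac` appended to the payload; the gateway reads the frame's source MAC and the destination IP itself; an unlabelled packet is honoured only while its host has an unexpired cache entry (the embodiment has the host stop labelling after a hit); and the check that the MAC in the label equals the frame's source MAC is added here, not in the patent. All traffic and executable images are constructed.

```python
import hashlib
import time

LABEL_MAGIC = b"SCTX"      # assumed trailer marker; the patent fixes no wire encoding
CACHE_TTL_SECONDS = 600    # the embodiment's 10-minute window


def md5_of_executable(exe_bytes: bytes) -> str:
    """The value half of a step-1 entry: MD5 hex digest of the program image."""
    return hashlib.md5(exe_bytes).hexdigest()


def build_trusted_list(executables: dict) -> dict:
    """Step 1: program name -> MD5 of its executable, as held at the egress gateway."""
    return {name: md5_of_executable(image) for name, image in executables.items()}


def add_security_context(payload: bytes, program: str, exe_bytes: bytes, mac: str) -> bytes:
    """Step 2 (host module MA): append name|md5|mac as a trailer on the outgoing payload."""
    label = b"|".join(s.encode() for s in (program, md5_of_executable(exe_bytes), mac))
    return payload + LABEL_MAGIC + label


def extract_security_context(packet: bytes):
    """Inverse of add_security_context: (payload, program, md5, mac), or None if unlabelled."""
    idx = packet.rfind(LABEL_MAGIC)
    if idx < 0:
        return None
    parts = packet[idx + len(LABEL_MAGIC):].split(b"|")
    if len(parts) != 3:
        return None
    program, digest, mac = (p.decode() for p in parts)
    return packet[:idx], program, digest, mac


class EgressGateway:
    """Steps 3-4 and the embodiment's gateway module MG, including the timed cache."""

    def __init__(self, trusted: dict, ttl: float = CACHE_TTL_SECONDS, clock=time.monotonic):
        self.trusted = dict(trusted)
        self.ttl = ttl
        self.clock = clock
        self.cache = {}               # (mac, program) -> expiry time
        self.ip_blacklist = set()     # external IPs that dropped packets were headed to
        self.host_blacklist = set()   # (mac, program) pairs that failed the check
        self.log = []                 # (reason, src_mac, program, dst_ip)

    def _block(self, reason: str, src_mac: str, program, dst_ip: str):
        self.log.append((reason, src_mac, program, dst_ip))
        self.ip_blacklist.add(dst_ip)
        self.host_blacklist.add((src_mac, program))

    def inspect(self, packet: bytes, src_mac: str, dst_ip: str):
        """Return (verdict, bytes to forward); the second item is None when dropped."""
        now = self.clock()
        ctx = extract_security_context(packet)
        if ctx is None:
            # Unlabelled traffic is honoured only while the host has an unexpired cache
            # entry, because the embodiment has the host stop labelling after a hit.
            if any(m == src_mac and exp > now for (m, _), exp in self.cache.items()):
                return "pass-cached", packet
            self._block("unlabelled", src_mac, None, dst_ip)
            return "drop", None
        payload, program, digest, mac = ctx
        if mac != src_mac:
            # Added check, not in the patent: a label naming another host's MAC is forged.
            self._block("mac-mismatch", src_mac, program, dst_ip)
            return "drop", None
        if self.trusted.get(program) == digest:
            self.cache[(mac, program)] = now + self.ttl
            return "pass", payload           # forwarded with the label stripped
        reason = "md5-mismatch" if program in self.trusted else "unknown-program"
        self._block(reason, src_mac, program, dst_ip)
        return "drop", None


def demo():
    """Constructed traffic through one gateway; returns (verdicts, gateway) for inspection."""
    browser = b"\x7fELF-stand-in-for-the-real-browser-image"   # constructed executable image
    now = [0.0]                                                  # fake clock, seconds
    gw = EgressGateway(build_trusted_list({"browser": browser}), clock=lambda: now[0])
    host_a, host_b, host_c = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
    verdicts = []
    # t=0: trusted program, correct hash -> released, cache entry created.
    pkt = add_security_context(b"GET / HTTP/1.1", "browser", browser, host_a)
    verdicts.append(gw.inspect(pkt, host_a, "203.0.113.10")[0])
    now[0] = 120.0   # t=2 min: same host, unlabelled -> released from the cache.
    verdicts.append(gw.inspect(b"GET /next HTTP/1.1", host_a, "203.0.113.10")[0])
    # A trojan that calls itself "browser" but has a different image fails the MD5 check.
    pkt = add_security_context(b"beacon", "browser", b"not-the-browser", host_b)
    verdicts.append(gw.inspect(pkt, host_b, "198.51.100.7")[0])
    # A label claiming host A's MAC, sent from host C, trips the added MAC check.
    pkt = add_security_context(b"beacon", "browser", browser, host_a)
    verdicts.append(gw.inspect(pkt, host_c, "198.51.100.8")[0])
    now[0] = 700.0   # t>10 min: cache expired, the host labels again and is re-verified.
    pkt = add_security_context(b"GET /later HTTP/1.1", "browser", browser, host_a)
    verdicts.append(gw.inspect(pkt, host_a, "203.0.113.10")[0])
    return verdicts, gw
```

Two points on the design the example makes visible. The gateway can only verify what the host's own kernel module tells it: the label carries no signature, so a host whose kernel is already compromised (the case the background section says active defence cannot handle) could stamp a trojan's packets with a trusted program's name and hash, and the MAC check added above only catches a host impersonating another host. MD5 is also no longer collision-resistant; the example keeps it because the patent specifies it, but the key-value list works unchanged with SHA-256.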

The above is only one specific embodiment of the invention. Unless stated otherwise, any feature disclosed in this specification may be replaced by an alternative feature that is equivalent or serves a similar purpose, and all disclosed features, or all steps of any method or process, may be combined in any way except where features and/or steps are mutually exclusive.

Claims (1)

1. A method for defending against intranet port-recall trojans, comprising the following steps:
Step 1. Determine the trusted-program list: set a key-value pair for every trusted program, where the key is the program name and the value is the MD5 value of the executable; the intranet egress gateway keeps a copy of this key-value list, i.e. the trusted-program list;
Step 2. Apply the security label: mark every network packet sent by an application on every host in the intranet with a security context, which contains (1) the name of the program sending the packet, (2) the MD5 value of the program, (3) the MAC address of the host;
Step 3. Capture all packets leaving the intranet at the intranet egress gateway;
Step 4. Check the security context carried in the packet and analyse the packet content: extract the security context from the packet and compare it with the gateway's trusted-program list; if the program name and MD5 value agree with the trusted-program list, release the packet and create a cache entry, and within a preset time release directly any further packets captured from the same program on the host with that MAC address; otherwise discard the packet, restrict release and record the relevant information in a log, and at the same time add the external IP address the packet was connecting to to a blacklist.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510585555.1A (CN105119938B) | 2015-09-14 | 2015-09-14 | A kind of prevention method for Intranet Port Recall wooden horse

Publications (2)

Publication Number | Publication Date
CN105119938A | 2015-12-02
CN105119938B | 2018-05-18

Family

ID=54667826

Family Applications (1)

Application Number | Status | Priority Date | Filing Date | Title
CN201510585555.1A (CN105119938B) | Expired - Fee Related | 2015-09-14 | 2015-09-14 | A kind of prevention method for Intranet Port Recall wooden horse

Country Status (1)

CN: CN105119938B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN107786531A * | 2017-03-14 | 2018-03-09 | 平安科技(深圳)有限公司 | APT attack detection method and device
CN107786531B * | 2017-03-14 | 2020-02-18 | 平安科技(深圳)有限公司 | APT attack detection method and device
CN110135153A * | 2018-11-01 | 2019-08-16 | 哈尔滨安天科技股份有限公司 | Trusted software detection method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101572711A * | 2009-06-08 | 2009-11-04 | 北京理工大学 | Network-based detection method for rebound-port trojans
CN102761458A * | 2011-12-20 | 2012-10-31 | 北京安天电子设备有限公司 | Detection method and system for rebound-type trojans
CN103051627A * | 2012-12-21 | 2013-04-17 | 公安部第一研究所 | Rebound trojan detection method
CN104753955A * | 2015-04-13 | 2015-07-01 | 成都双奥阳科技有限公司 | Interconnection auditing method based on rebound-port trojans


Also Published As

Publication number Publication date
CN105119938B (en) 2018-05-18


Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20180518