
CN107086978B - Method and device for identifying Trojan horse virus - Google Patents


Info

Publication number: CN107086978B
Application number: CN201610085868.5A
Authority: CN (China)
Prior art keywords: data, trojan horse, business, service data, suspected
Prior art date:
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN107086978A (en)
Inventors: 杨慰民, 谢璨, 罗卫鸿, 万伟雄, 李灵慧, 傅子僖, 卢宇辰, 蔡鸿祥, 潘延涛
Current assignee: China Mobile Group Fujian Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Mobile Group Fujian Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:

Events
- Application filed by China Mobile Group Fujian Co Ltd
- Priority to CN201610085868.5A
- Publication of CN107086978A
- Application granted
- Publication of CN107086978B
- Legal status: Active (current)
- Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and device for identifying a Trojan horse virus, comprising: collecting core network data and billing data, the core network data including signalling data and service data; performing historical habit analysis and periodic behaviour analysis on the periodic service data and, in combination with the billing data, identifying users suspected of being infected with a Trojan; when it is determined that the service information corresponding to the service data does not belong to the whitelist database but belongs to the blacklist database, adding the service data to a suspected Trojan behaviour event table; when it is determined that the service information corresponding to the service data belongs to neither the whitelist database nor the blacklist database, adding the service data that satisfies the screening strategy to the suspected Trojan behaviour event table; and performing a concentration analysis on the service data in the suspected Trojan behaviour event table, determining the service data that belongs to a Trojan, and adding the service information of that service data to the blacklist database.

Description

A method and device for identifying Trojan horse virus

Technical field

The invention relates to the field of mobile communications, and in particular to a method and device for identifying mobile phone Trojan horse viruses from user behaviour observed on the network.

Background technique

With the development of the mobile Internet and the spread of mobile terminals, especially smart terminals, mobile phone viruses and mobile malicious programs are about to cause, or have already caused, a great deal of harm. Among all virus types, Trojan horse viruses whose purpose is to consume the user's credit or to steal identity, transaction and payment information account for more than 75%, making them the most important factor affecting users' information security and financial security.

Mobile phone viruses originated from computer viruses. Following the definition of a computer Trojan, a mobile phone Trojan can be defined as a concealed, self-activating program that can be used to carry out malicious actions; most of them do not harm the phone directly but are mainly aimed at controlling it.

At present, Trojan viruses are discovered and handled mainly by users actively installing security applications (Apps) such as QQ Security Guard, 360 Security Guard and Jinshan Guard on the mobile terminal; at the same time, users of mobile terminals must themselves remain alert when using networked applications such as mobile payment and web browsing.

Because large user groups such as middle-aged and elderly users and female users have relatively weak awareness and initiative in this regard, mobile phone Trojans are difficult to contain with the existing solutions, and the harm they cause grows by the day.

In addition, mobile phone Trojan programs are all clearly profit-driven, which makes them even more harmful. The main forms of harm are the following:

1. Pushing advertisements by sending spam SMS messages.

2. Stealing user information for extortion and fraud.

3. Illegally subscribing the user to various service provider (SP) services.

4. Draining the user's credit through various traps.

When mobile phone users are unable to defend themselves actively and to detect and remove Trojans, the other party involved in Trojan viruses, the operator, is also significantly affected. The harm caused by mobile phone Trojans, such as drained credit and consumed traffic, generally has an indirect adverse effect on the operator through user complaints and churn. If the operator cannot find the cause in time, it has to compensate users who complain about lost credit, resulting in financial loss and loss of brand satisfaction. The existing solutions have difficulty addressing this kind of problem.

Summary of the invention

To solve the above technical problems, the embodiments of the present invention provide a method and device for identifying a Trojan horse virus.

The method for identifying a Trojan horse virus provided by an embodiment of the present invention comprises:

collecting core network data and billing data, the core network data including signalling data and service data, and performing periodic statistics on the service data to obtain periodic service data;

performing historical habit analysis and periodic behaviour analysis on the periodic service data and, in combination with the billing data, identifying users suspected of being infected with a Trojan;

when it is determined that the service information corresponding to the service data does not belong to the whitelist database but belongs to the blacklist database, adding the service data to a suspected Trojan behaviour event table;

when it is determined that the service information corresponding to the service data belongs to neither the whitelist database nor the blacklist database, filtering the service data according to a screening strategy and adding the service data that satisfies the screening strategy to the suspected Trojan behaviour event table, the screening strategy being related to the signalling data and to the suspected Trojan-infected users;

performing a concentration analysis on the service data in the suspected Trojan behaviour event table, determining the service data that belongs to a Trojan, and adding the service information of that service data to the blacklist database.

In an embodiment of the present invention, adding the service data to the suspected Trojan behaviour event table when it is determined that the corresponding service information does not belong to the whitelist database but belongs to the blacklist database comprises:

judging whether the service information corresponding to the service data belongs to the whitelist database;

when it is determined that the service information belongs to the whitelist database, taking no further action;

when it is determined that the service information does not belong to the whitelist database, judging whether it belongs to the blacklist database;

when it is determined that the service information belongs to the blacklist database, adding the service data to the suspected Trojan behaviour event table.

In an embodiment of the present invention, the screening strategy comprises a first screening rule, a second screening rule and a third screening rule, where:

the first screening rule is: from the signalling data and the service data, determine the time difference between the network attachment and the service activity; from that time difference, judge whether traffic is generated immediately after attaching to the network; if so, the service data satisfies the screening strategy;

the second screening rule is: from the service data, determine upload events and download events; judge whether a download event immediately follows an upload event; if so, the service data satisfies the screening strategy;

the third screening rule is: judge whether the service data belongs to the list of suspected Trojan-infected users, that list consisting of the suspected Trojan-infected users identified above; if so, the service data satisfies the screening strategy.

In an embodiment of the present invention, performing the concentration analysis on the service data in the suspected Trojan behaviour event table, determining the service data that belongs to a Trojan, and adding its service information to the blacklist database comprises:

performing a periodic or aperiodic concentration analysis on the service data in the suspected Trojan behaviour event table to judge whether that service data converges;

for converging service data, further judging from the verification operation obtained whether the service data belongs to a Trojan;

when it is determined that the service data belongs to a Trojan, adding its service information to the blacklist database.

In an embodiment of the present invention, the method further comprises:

when it is determined that the service data belongs to a Trojan, adding the users associated with that service data to the list of suspected Trojan-infected users;

when it is determined that the service data does not belong to a Trojan, adding its service information to the whitelist database.

In an embodiment of the present invention, performing historical habit analysis and periodic behaviour analysis on the periodic service data and identifying suspected Trojan-infected users in combination with the billing data comprises:

performing traffic habit analysis, service habit analysis and time habit analysis on the service data of historical periods to obtain a historical analysis result;

from the service data of the current period, obtaining the traffic-, service- and time-based data that correspond to the historical-period service data, as the current analysis result;

comparing the current analysis result with the historical analysis result; when they do not match, comparing the current analysis result with the billing data; and when the current analysis result does not match the billing data either, identifying the user as suspected of being infected with a Trojan.

The device for identifying a Trojan horse virus provided by an embodiment of the present invention comprises:

a data module, configured to collect core network data and billing data, the core network data including signalling data and service data, and to perform periodic statistics on the service data to obtain periodic service data;

a periodic behaviour grouping module, configured to perform historical habit analysis and periodic behaviour analysis on the periodic service data and, in combination with the billing data, to identify users suspected of being infected with a Trojan;

a real-time behaviour screening module, configured to add the service data to the suspected Trojan behaviour event table when it is determined that the corresponding service information does not belong to the whitelist database but belongs to the blacklist database; to filter the service data according to the screening strategy when it is determined that the service information belongs to neither the whitelist database nor the blacklist database, adding the service data that satisfies the screening strategy to the suspected Trojan behaviour event table, the screening strategy being related to the signalling data and to the suspected Trojan-infected users; and to perform a concentration analysis on the service data in the suspected Trojan behaviour event table, determine the service data that belongs to a Trojan, and add its service information to the blacklist database.

In an embodiment of the present invention, the real-time behaviour screening module comprises:

a whitelist judging module, configured to judge whether the service information corresponding to the service data belongs to the whitelist database, and to take no further action when it does;

a blacklist judging module, configured to judge, when the service information does not belong to the whitelist database, whether it belongs to the blacklist database, and to add the service data to the suspected Trojan behaviour event table when it does.

In an embodiment of the present invention, the real-time behaviour screening module comprises:

a screening strategy module, configured to filter the service data according to the screening strategy when it is determined that the service information belongs to neither the whitelist database nor the blacklist database, and to add the service data that satisfies the screening strategy to the suspected Trojan behaviour event table, the screening strategy being related to the signalling data and to the suspected Trojan-infected users;

where the screening strategy comprises a first screening rule, a second screening rule and a third screening rule, and:

the first screening rule is: from the signalling data and the service data, determine the time difference between the network attachment and the service activity; from that time difference, judge whether traffic is generated immediately after attaching to the network; if so, the service data satisfies the screening strategy;

the second screening rule is: from the service data, determine upload events and download events; judge whether a download event immediately follows an upload event; if so, the service data satisfies the screening strategy;

the third screening rule is: judge whether the service data belongs to the list of suspected Trojan-infected users, that list consisting of the suspected Trojan-infected users identified above; if so, the service data satisfies the screening strategy.

In an embodiment of the present invention, the real-time behaviour screening module comprises:

a concentration analysis module, configured to perform a periodic or aperiodic concentration analysis on the service data in the suspected Trojan behaviour event table to judge whether that service data converges; for converging service data, to further judge from the verification operation obtained whether the service data belongs to a Trojan; and, when it is determined that the service data belongs to a Trojan, to add its service information to the blacklist database.

In an embodiment of the present invention, the concentration analysis module is further configured to add the users associated with the service data to the list of suspected Trojan-infected users when it is determined that the service data belongs to a Trojan, and to add the service information of the service data to the whitelist database when it is determined that the service data does not belong to a Trojan.

In an embodiment of the present invention, the periodic behaviour grouping module comprises:

a historical habit analysis module, configured to perform traffic habit analysis, service habit analysis and time habit analysis on the service data of historical periods to obtain a historical analysis result;

a periodic behaviour analysis module, configured to obtain, from the service data of the current period, the traffic-, service- and time-based data that correspond to the historical-period service data, as the current analysis result;

a comparison module, configured to compare the current analysis result with the historical analysis result, to compare the current analysis result with the billing data when the two do not match, and to identify the user as suspected of being infected with a Trojan when the current analysis result does not match the billing data either.

In the technical solution of the embodiments of the present invention, core network data and billing data are collected, the core network data including signalling data and service data, and periodic statistics are performed on the service data to obtain periodic service data; historical habit analysis and periodic behaviour analysis are performed on the periodic service data and, in combination with the billing data, users suspected of being infected with a Trojan are identified; when it is determined that the service information corresponding to the service data does not belong to the whitelist database but belongs to the blacklist database, the service data is added to the suspected Trojan behaviour event table; when it is determined that the service information belongs to neither the whitelist database nor the blacklist database, the service data is filtered according to the screening strategy and the service data that satisfies the screening strategy is added to the suspected Trojan behaviour event table, the screening strategy being related to the signalling data and to the suspected Trojan-infected users; a concentration analysis is performed on the service data in the suspected Trojan behaviour event table, the service data that belongs to a Trojan is determined, and its service information is added to the blacklist database. It can be seen that the embodiments of the present invention identify whether a user is infected with a Trojan virus by monitoring the user's behaviour in the network. This provides an important security protection measure for middle-aged, elderly and female users with weak security awareness and safeguards the security of user information. It is also of great significance for operators in making use of big data, improving the user experience and maintaining a secure network environment.

Description of the drawings

Fig. 1 is a schematic flow chart of the method for identifying a Trojan horse virus according to an embodiment of the present invention;

Fig. 2 is a schematic diagram of the core network interfaces of networks such as 2G/3G and LTE;

Fig. 3 is a schematic diagram of the structural composition of the device for identifying a Trojan horse virus according to an embodiment of the present invention;

Fig. 4 is a schematic diagram of the flow of interaction between the modules of the device for identifying a Trojan horse virus according to an embodiment of the present invention;

Fig. 5 is a schematic diagram of the relationship between the modules of the device for identifying a Trojan horse virus according to an embodiment of the present invention.

Detailed description

To give a more detailed understanding of the features and technical content of the embodiments of the present invention, their implementation is described in detail below with reference to the accompanying drawings, which are provided for reference and illustration only and are not intended to limit the embodiments of the present invention.

The technical solution of the embodiments of the present invention is based mainly on information collected in the mobile communication network, such as user service behaviour data, billing system data and user package (tariff plan) data, and identifies from the user's behaviour whether the user's mobile phone has been compromised by a Trojan virus.

Fig. 1 is a schematic flow chart of the method for identifying a Trojan horse virus according to an embodiment of the present invention; as shown in Fig. 1, the method comprises the following steps:

Step 101: collect core network data and billing data, the core network data including signalling data and service data, and perform periodic statistics on the service data to obtain periodic service data.

In an embodiment of the present invention, the data are collected by a data collection system based on the core network interfaces. Fig. 2 is a schematic diagram of the core network interfaces of networks such as 2G/3G and LTE. Collection at the core network interfaces applies equally to General Packet Radio Service (GPRS), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), Wideband Code Division Multiple Access (WCDMA), time division duplex LTE (TDD-LTE) and frequency division duplex LTE (FDD-LTE) networks.

Step 102: perform historical habit analysis and periodic behaviour analysis on the periodic service data and, in combination with the billing data, identify users suspected of being infected with a Trojan.

Specifically, traffic habit analysis, service habit analysis and time habit analysis are performed on the service data of historical periods to obtain a historical analysis result;

from the service data of the current period, the traffic-, service- and time-based data that correspond to the historical-period service data are obtained as the current analysis result;

the current analysis result is compared with the historical analysis result; when they do not match, the current analysis result is compared with the billing data; and when the current analysis result does not match the billing data either, the user is identified as suspected of being infected with a Trojan.
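The two-stage comparison of Step 102 (and the identical passage in the summary of the invention above) is shown below as an added Python example; it is not code from the patent or from China Mobile. The patent does not say how "traffic habit", "service habit" and "time habit" are represented, nor what it means for the current result to disagree with the billing data, so the following are assumptions: a traffic habit is mean and standard deviation of per-period traffic with a 3-sigma threshold, the service and time habits are the sets of services and active hours seen historically, SP services carry an "sp:" prefix, and a billing conflict is either traffic beyond the user's package or a charged SP service the user never ordered. All records are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# All records below are constructed for this example; in the patent they come
# from the operator's periodic service statistics and billing system.

@dataclass
class PeriodRecord:
    user: str
    period: str          # statistics period, e.g. one day
    traffic_mb: float    # total traffic in the period (MB)
    services: set        # services used; "sp:" prefix marks SP services (assumption)
    active_hours: set    # hours of the day (0-23) in which traffic was seen

@dataclass
class BillingRecord:
    user: str
    package_mb: float    # traffic included in the user's package
    subscribed_sps: set  # SP services the user actually ordered

def historical_profile(history):
    """Historical habit analysis: traffic, service and time habits over past periods."""
    traffic = [r.traffic_mb for r in history]
    return {
        "traffic_mean": mean(traffic),
        "traffic_std": pstdev(traffic),
        "services": set().union(*(r.services for r in history)),
        "hours": set().union(*(r.active_hours for r in history)),
    }

def current_result(rec):
    """Periodic behaviour analysis: the same three quantities for the current period."""
    return {"traffic": rec.traffic_mb, "services": set(rec.services), "hours": set(rec.active_hours)}

def deviates_from_history(cur, prof, k=3.0):
    """Return the habits the current period breaks (empty list = consistent).
    k is an assumed threshold: traffic above mean + k*std counts as a break."""
    reasons = []
    if cur["traffic"] > prof["traffic_mean"] + k * max(prof["traffic_std"], 1.0):
        reasons.append("traffic")
    if cur["services"] - prof["services"]:
        reasons.append("service")
    if cur["hours"] - prof["hours"]:
        reasons.append("time")
    return reasons

def conflicts_with_billing(cur, bill):
    """Compare the current result with billing data: traffic beyond the package,
    or charged SP services the user never ordered (both interpretations assumed)."""
    reasons = []
    if cur["traffic"] > bill.package_mb:
        reasons.append("over_package")
    if {s for s in cur["services"] if s.startswith("sp:")} - bill.subscribed_sps:
        reasons.append("unordered_sp")
    return reasons

def identify_suspected(history, current, bill):
    """Step 102: a user is suspected only if the current period breaks the
    historical habits AND the current result also conflicts with the billing data."""
    prof = historical_profile(history)
    cur = current_result(current)
    hist_reasons = deviates_from_history(cur, prof)
    if not hist_reasons:
        return None
    bill_reasons = conflicts_with_billing(cur, bill)
    if not bill_reasons:
        return None
    return {"user": current.user, "history": hist_reasons, "billing": bill_reasons}

# Constructed sample: seven ordinary days of history, then three candidate current periods.
USUAL_SERVICES = {"weixin", "news"}
USUAL_HOURS = set(range(8, 23))
HISTORY_U1 = [PeriodRecord("u1", f"2016-01-0{i + 1}", t, USUAL_SERVICES, USUAL_HOURS)
              for i, t in enumerate([48, 52, 50, 47, 55, 49, 51])]
BILLING_U1 = BillingRecord("u1", package_mb=500, subscribed_sps=set())
# breaks all three habits and conflicts with billing -> suspected
CURRENT_U1 = PeriodRecord("u1", "2016-01-08", 900, {"weixin", "news", "sp:9001"}, {3, 9, 12})
# within habits -> not suspected
CURRENT_U1_NORMAL = PeriodRecord("u1", "2016-01-08", 55, {"weixin"}, {9, 20})
# breaks the traffic habit but stays inside the package -> not suspected
CURRENT_U1_HEAVY = PeriodRecord("u1", "2016-01-08", 300, {"weixin", "news"}, {10})

if __name__ == "__main__":
    for cur in (CURRENT_U1, CURRENT_U1_NORMAL, CURRENT_U1_HEAVY):
        print(cur.traffic_mb, identify_suspected(HISTORY_U1, cur, BILLING_U1))
```

The third sample period is the case the patent's ordering is designed for: a heavy but in-package day breaks the historical habit yet raises no billing conflict, so it does not reach the suspected list; only a deviation that the billing data also fails to explain does.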

Step 103: when it is determined that the service information corresponding to the service data does not belong to the whitelist database but belongs to the blacklist database, add the service data to the suspected Trojan behaviour event table.

Specifically, judge whether the service information corresponding to the service data belongs to the whitelist database;

when it is determined that the service information belongs to the whitelist database, take no further action;

when it is determined that the service information does not belong to the whitelist database, judge whether it belongs to the blacklist database;

when it is determined that the service information belongs to the blacklist database, add the service data to the suspected Trojan behaviour event table.

Step 104: when it is determined that the service information corresponding to the service data belongs to neither the whitelist database nor the blacklist database, filter the service data according to the screening strategy and add the service data that satisfies the screening strategy to the suspected Trojan behaviour event table; the screening strategy is related to the signalling data and to the suspected Trojan-infected users.

The screening strategy comprises a first screening rule, a second screening rule and a third screening rule, where:

the first screening rule is: from the signalling data and the service data, determine the time difference between the network attachment and the service activity; from that time difference, judge whether traffic is generated immediately after attaching to the network; if so, the service data satisfies the screening strategy;

the second screening rule is: from the service data, determine upload events and download events; judge whether a download event immediately follows an upload event; if so, the service data satisfies the screening strategy;

the third screening rule is: judge whether the service data belongs to the list of suspected Trojan-infected users, that list consisting of the suspected Trojan-infected users identified in Step 102; if so, the service data satisfies the screening strategy.

Step 105: perform a concentration analysis on the service data in the suspected Trojan behaviour event table, determine the service data that belongs to a Trojan, and add the service information of that service data to the blacklist database.

Specifically, perform a periodic or aperiodic concentration analysis on the service data in the suspected Trojan behaviour event table to judge whether that service data converges;

for converging service data, further judge from the verification operation obtained whether the service data belongs to a Trojan;

当判定出所述业务数据属于木马时,将所述属于木马的业务数据的业务信息添加至所述黑名单库。When it is determined that the service data belongs to a Trojan horse, the service information of the service data belonging to a Trojan horse is added to the blacklist library.

本发明实施例中,当判定出所述业务数据属于木马时,将所述属于木马的业务数据的相关用户添加至所述疑似感染木马用户名单;In the embodiment of the present invention, when it is determined that the business data belongs to a Trojan horse, the relevant users of the business data belonging to the Trojan horse are added to the list of users suspected of being infected with a Trojan horse;

当判定出所述业务数据不属于木马时,将所述不属于木马的业务数据的业务信息添加至所述白名单库。When it is determined that the service data does not belong to the Trojan horse, the service information of the service data not belonging to the Trojan horse is added to the white list database.

Fig. 3 is a schematic diagram of the structure of the apparatus for identifying Trojan viruses according to an embodiment of the present invention. As shown in Fig. 3, the apparatus includes:

a data module 31, configured to collect core network data and billing data, where the core network data includes signaling data and service data, and to perform periodic statistics on the service data to obtain periodic service data;

a periodic behavior clustering module 32, configured to perform historical habit analysis and periodic behavior analysis on the periodic service data and, in combination with the billing data, to identify suspected Trojan-infected users;

a real-time behavior screening module 33, configured to: add the service data to the suspected Trojan behavior event table when it is determined that the service information corresponding to the service data does not belong to the whitelist library but does belong to the blacklist library; when it is determined that the service information belongs to neither the whitelist library nor the blacklist library, filter the service data according to a screening strategy and add the service data satisfying the screening strategy to the suspected Trojan behavior event table, the screening strategy being related to the signaling data and to the suspected Trojan-infected users; and perform centralized analysis on the service data in the suspected Trojan behavior event table, determine the service data belonging to Trojans, and add the service information of that service data to the blacklist library.

The real-time behavior screening module 33 includes:

a whitelist judgment module 331, configured to judge whether the service information corresponding to the service data belongs to the whitelist library and, when it does, to perform no processing;

a blacklist judgment module 332, configured to judge, when the service information corresponding to the service data does not belong to the whitelist library, whether it belongs to the blacklist library and, when it does, to add the service data to the suspected Trojan behavior event table.

The real-time behavior screening module 33 further includes:

a screening strategy module 333, configured to filter the service data according to the screening strategy when it is determined that the service information corresponding to the service data belongs to neither the whitelist library nor the blacklist library, and to add the service data satisfying the screening strategy to the suspected Trojan behavior event table, the screening strategy being related to the signaling data and to the suspected Trojan-infected users;

where the screening strategy includes a first screening rule, a second screening rule and a third screening rule:

the first screening rule is: according to the signaling data and the service data, determine the time difference between the network-attach behavior and the service behavior; according to the time difference, judge whether traffic is generated immediately after attaching to the network; if so, the service data satisfies the screening strategy;

the second screening rule is: according to the service data, determine upload events and download events; judge whether a download event immediately follows an upload event; if so, the service data satisfies the screening strategy;

the third screening rule is: judge whether the service data belongs to the suspected Trojan-infected user list, which is composed of the suspected Trojan-infected users; if so, the service data satisfies the screening strategy.

The real-time behavior screening module 33 further includes:

a centralized analysis module 334, configured to perform periodic or aperiodic centralized analysis on the service data in the suspected Trojan behavior event table to judge whether that service data converges; for converged service data, to further judge, according to the obtained verification operation, whether the service data belongs to a Trojan; and, when it does, to add the service information of that service data to the blacklist library.

The centralized analysis module 334 is further configured to add the users associated with the service data to the suspected Trojan-infected user list when the service data is determined to belong to a Trojan, and to add the service information of the service data to the whitelist library when it is determined not to belong to a Trojan.

The periodic behavior clustering module 32 includes:

a historical habit analysis module 321, configured to perform traffic habit analysis, service habit analysis and time habit analysis on historical periodic service data to obtain a historical analysis result;

a periodic behavior analysis module 322, configured to derive from the current periodic service data, in the traffic, service and time dimensions, data comparable with the historical periodic service data, as the current analysis result;

a comparison module 323, configured to compare the current analysis result with the historical analysis result; when they are inconsistent, to compare the current analysis result with the billing data; and when the current analysis result is also inconsistent with the billing data, to identify a suspected Trojan-infected user.

Fig. 4 is a schematic diagram of the process interaction between the modules of the apparatus for identifying Trojan viruses according to an embodiment of the present invention. As shown in Fig. 4:

1) Data module

This module provides the data required by the solution, which falls into two parts: data from the core network collection system and data from the billing system.

The data from the core network collection system is further divided into two types: signaling data and service data.

Signaling data refers to the procedures by which a 2G/3G user establishes a Packet Data Protocol (PDP) context and a 4G user performs attach and bearer establishment; it mainly reflects the behavior and timing of the user connecting to the network.

Service data refers to data such as which websites the user visited, how much traffic was generated and how long the service lasted; it mainly reflects the behavior and timing of the user's use of services.

On the basis of the service data, periodic statistics of the user's service data, i.e. periodic service data, can be obtained by defining a statistical period; these mainly reflect the user's periodic service behavior.

The billing system data mainly provides the user's package information, in particular the ordering and changes of data service packages.

2) Real-time behavior screening module

Based on real-time data, this module performs quasi-real-time screening of suspected Trojan records and periodic centralized analysis of the suspected Trojan records.

The main flow of this module is described as follows.

After a user's real-time service data is input, the whitelist judgment module compares the service name, destination IP and other information of this service behavior with the whitelist library to judge whether the service name and destination IP of this service are normal.

If the service name and destination IP of this service belong to the whitelist library, no processing is done and the next record is processed.

If the service name and destination IP of this service do not belong to the whitelist library, the record enters the blacklist judgment module for comparison, which judges whether the service name and destination IP of this service belong to the blacklist library.

If the service name and destination IP of this service belong to the blacklist library, the record is added to the suspected Trojan behavior event table and left for the subsequent centralized analysis.

If the service name and destination IP of this service do not belong to the blacklist library, the record is filtered by the screening strategy, and records satisfying the screening strategy are added to the suspected Trojan behavior event table.

The screening strategy is defined on the basis of the behavior a mobile phone exhibits after being infected by a Trojan-type virus; at present it has the following three points.

First screening rule: traffic is generated as soon as the phone attaches to the network. This rule is designed for the case where many Trojans control (or monitor) the infected phone's network-attach behavior and then immediately upload stolen data or download further malicious plug-ins. Screening is mainly based on the time difference between the user's network-attach behavior and service behavior. The time difference threshold can be set from experience or from statistics. From experience, a time difference of 500-1000 ms is used, which must be shorter than the time a user needs to operate the phone. A statistical time difference is obtained by analyzing the distribution of this value, generally via deciles.

Second screening rule: an upload behavior is immediately followed by a download behavior. This rule, too, is defined from the behavior of many Trojans. Many Trojans not only steal the private information of mobile phone users but also update themselves automatically and download further malicious programs, and the usual order is to upload first and then download. This rule is judged from the user's service behavior data: upload and download behavior are identified from HTTP POST/GET information and from the ratio of uplink to downlink packet sizes.

Third screening rule: the user belongs to the suspected Trojan-infected user list. The suspected Trojan-infected user list is generated by the periodic behavior clustering module, i.e. the third main module.

These screening rules act on single or multiple records, and the single or multiple records satisfying the rules are added to the suspected Trojan behavior event table.

Based on the suspected Trojan behavior event data, centralized analysis can be performed periodically or irregularly (once a certain number of records has accumulated) to analyze how these records converge in terms of service name and destination IP.

If a concentrated service name or destination IP is found, a manual verification operation follows to confirm whether it is related to a Trojan. After the preceding steps, the workload requiring manual confirmation is not large, generally on the order of 100 items per day.

Finally, the service names and destination IPs that manual confirmation shows to belong to Trojans are added to the blacklist library and the associated users are added to the suspected Trojan-infected user list; service names and destination IPs unrelated to Trojans are added to the whitelist library. This completes one cycle of the module.
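The screening flow of steps 103 to 105 and of the real-time behavior screening module just described, as an added Python example that is not part of the patent or of any implementation by its applicant: it applies the whitelist and blacklist checks, the three screening rules, the centralized (convergence) analysis over the suspected Trojan behavior event table, and the feedback of manual verdicts into the lists. The 1000 ms threshold for rule 1 (the description gives 500-1000 ms), the three-record convergence threshold, keying the lists on (service name, destination IP) pairs, the POST/GET-plus-byte-ratio test for upload and download events, and every record, user, name and address are assumptions constructed for this example.

```python
# Added example, not the patent's own code: the real-time behavior screening flow of
# steps 103-105 (whitelist -> blacklist -> screening rules -> centralized analysis ->
# manual verdicts fed back into the lists). All thresholds, records, names and
# addresses below are assumptions constructed for this example.
from collections import Counter, defaultdict
from dataclasses import dataclass

ATTACH_TO_TRAFFIC_MAX_MS = 1000   # rule 1 threshold; the description gives 500-1000 ms

@dataclass
class Record:
    """One service record joined with the user's attach time from signaling data."""
    user: str
    business: str      # service (business) name
    dst_ip: str        # destination IP
    attach_ms: int     # PDP context / attach time (signaling data)
    traffic_ms: int    # time of this service's traffic (service data)
    method: str        # HTTP method observed, "POST" or "GET"
    up_bytes: int
    down_bytes: int

def key(r):
    """Whitelist and blacklist entries are (service name, destination IP) pairs."""
    return (r.business, r.dst_ip)

def rule1_immediate_traffic(r, max_ms=ATTACH_TO_TRAFFIC_MAX_MS):
    """Traffic within max_ms of attaching: quicker than a user can operate the phone."""
    return 0 <= r.traffic_ms - r.attach_ms <= max_ms

def direction(r):
    """Classify a record as an upload or download event from the HTTP method and
    the uplink/downlink byte ratio; anything else is None."""
    if r.method == "POST" and r.up_bytes > r.down_bytes:
        return "upload"
    if r.method == "GET" and r.down_bytes > r.up_bytes:
        return "download"
    return None

def rule2_hits(records):
    """ids of records where a user's upload event is immediately followed by a
    download event (both records count as hits)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r.user].append(r)
    hits = set()
    for recs in by_user.values():
        recs.sort(key=lambda x: x.traffic_ms)
        for a, b in zip(recs, recs[1:]):
            if direction(a) == "upload" and direction(b) == "download":
                hits.update((id(a), id(b)))
    return hits

def screen(records, whitelist, blacklist, suspected_users):
    """Build the suspected Trojan behavior event table from one batch of records."""
    table, uploads_then_downloads = [], rule2_hits(records)
    for r in records:
        if key(r) in whitelist:       # step 103: whitelisted, no processing
            continue
        if key(r) in blacklist:       # step 103: blacklisted, straight into the table
            table.append(r)
        elif (rule1_immediate_traffic(r) or id(r) in uploads_then_downloads
              or r.user in suspected_users):   # step 104: rules 1, 2, 3
            table.append(r)
    return table

def centralized_analysis(table, min_records=3):
    """Step 105: (service, dst_ip) keys on which the suspect records converge."""
    counts = Counter(key(r) for r in table)
    return {k: n for k, n in counts.items() if n >= min_records}

def apply_verdicts(table, concentrated, verdicts, whitelist, blacklist, suspected_users):
    """Feed manual verification back: verdicts maps key -> True (Trojan) / False.
    Trojan keys join the blacklist and their users the suspected list; benign keys
    join the whitelist; unverified keys stay in the table."""
    for k in concentrated:
        if k in verdicts and verdicts[k]:
            blacklist.add(k)
            suspected_users.update(r.user for r in table if key(r) == k)
        elif k in verdicts:
            whitelist.add(k)

# Constructed sample batch (RFC 5737 documentation addresses, invented names).
SAMPLE = [
    Record("u1", "mail", "198.51.100.10", 1000, 3000, "GET", 500, 20000),
    Record("u2", "badapp-cc", "203.0.113.5", 1000, 5000, "POST", 40000, 300),
    Record("u2", "unknown-a", "203.0.113.7", 1000, 1600, "POST", 30000, 200),
    Record("u4", "unknown-a", "203.0.113.7", 2000, 2500, "POST", 30000, 200),
    Record("u4", "unknown-a", "203.0.113.7", 2000, 2900, "GET", 300, 80000),
    Record("u5", "unknown-a", "203.0.113.7", 0, 20000, "POST", 20000, 100),
    Record("u5", "news", "198.51.100.20", 0, 30000, "GET", 400, 90000),
    Record("u3", "news", "198.51.100.20", 0, 40000, "GET", 400, 90000),
]

def run_demo():
    """One cycle of the module over SAMPLE; u3 is assumed to come from the
    periodic behavior clustering module's suspected list."""
    whitelist = {("mail", "198.51.100.10")}
    blacklist = {("badapp-cc", "203.0.113.5")}
    suspected = {"u3"}
    table = screen(SAMPLE, whitelist, blacklist, suspected)
    concentrated = centralized_analysis(table)
    verdicts = {("unknown-a", "203.0.113.7"): True}   # stand-in for the analyst's check
    apply_verdicts(table, concentrated, verdicts, whitelist, blacklist, suspected)
    return table, concentrated, whitelist, blacklist, suspected
```

In the constructed batch, the whitelisted mail record is dropped, the blacklisted record goes straight into the table, rules 1 and 2 catch the `unknown-a` records, and rule 3 catches the record of the already suspected user; the table then converges on the `unknown-a` key, and the manual verdict moves that key into the blacklist and its users into the suspected list, closing one cycle.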

3) Periodic behavior clustering module

This module identifies and outputs suspected Trojan-infected users mainly by performing historical habit analysis and periodic behavior analysis on the periodic service data and comparing the two.

Historical habit analysis module: mainly analyzes the user's online habits in three respects, traffic, service and time, from historical periodic service data (as distinct from the current period). These habits all correspond to aspects of user behavior that change after a Trojan infects the user's phone.

1> Traffic habit: statistical indicators such as the mean, standard deviation and coefficient of variation of the user's uplink and downlink traffic within the analysis period, reflecting habits such as how much traffic the user consumes and how widely it fluctuates. On this basis users can be divided into stable high-traffic users, stable low-traffic users, fluctuating-traffic users and so on. This angle of analysis derives from the effect of Trojans on user traffic.

2> Service habit: the names and ranking of the user's top-N services by traffic within the analysis period; generally 10 services are examined. The number of services examined may also be determined from the distribution of the number of services used by normal users. The data in this analysis is organized as vectors, and the user's service stability is expressed by the centroid of, and the distance between, the vectors. Users can be divided into two types, stable and fluctuating. This angle of analysis derives from the effect of advertising and auto-download Trojans on users.

3> Time habit: the distribution of the user's online time. Generally, the time within a period is grouped by working day/non-working day, busy hours/idle hours, or equal intervals, so that the continuous time variable becomes a discrete one. On this basis, the mean, standard deviation, coefficient of variation and other indicators of the user's traffic, duration and similar metrics are computed to derive the user's time habit. This angle of analysis derives from the effect on users of privacy-stealing, advertising and auto-download Trojans that control network access either on a schedule or at highly random times.

Periodic behavior analysis module: this module mainly obtains the data of the current period and derives, in the traffic, service and time dimensions, data structures corresponding to those of the historical habit analysis module.

Comparison module: mainly performs two tasks, comparing the current period's behavior with the habits and, when the current period differs from the habits, comparing it with package changes.

1> Comparison of current-period behavior with habits: by comparing current-period data with habit data, it is determined whether the user's behavior in the current period has changed, by how much, at what point in time, and so on.

2> Comparison with the package when the current period differs from the habits: when the user's current-period behavior is inconsistent with the habits, it is checked against changes to the user's package, in particular the data service package, in the calendar month to which the current period belongs. If the package has changed in a way similar to the user's service behavior, for example a sudden increase in the user's traffic accompanied by a corresponding increase in the data package, the anomaly is considered to be caused by the package and no processing is performed. If the package has not changed, or the change does not match the change in user behavior, the user is added to the suspected Trojan-infected user list for use by the real-time behavior screening module.
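The periodic behavior clustering module, as an added Python example that is not part of the patent or of any implementation by its applicant: it computes the traffic habit (mean, standard deviation, coefficient of variation), the service habit (top-N traffic-share vector and the distance between the historical and current vectors) and a busy/idle time habit from a historical period, builds the same structures for the current period, lists the deviations, and applies the billing check so that a traffic surge matched by a larger data package is attributed to the package rather than to a Trojan. The busy-hour split, the deviation thresholds, the rule that only a pure traffic surge can be explained by a package upgrade, and all period and package figures are assumptions constructed for this example.

```python
# Added example, not the patent's own code: the periodic behavior clustering module
# (historical habit analysis, current-period analysis, comparison with habits, and
# the billing/package check). Thresholds and sample data are assumptions.
import math
from collections import Counter

BUSY_HOURS = range(8, 22)   # assumed busy/idle split for the time habit

def traffic_habit(daily_mb):
    """Mean, standard deviation and coefficient of variation of per-day traffic."""
    n = len(daily_mb)
    mean = sum(daily_mb) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in daily_mb) / n)
    return {"mean": mean, "std": std, "cov": std / mean if mean else 0.0}

def business_habit(business_mb, top_n=10):
    """Top-N services by traffic as a share-of-traffic vector (name -> share)."""
    totals = Counter()
    for name, mb in business_mb:
        totals[name] += mb
    grand = sum(totals.values()) or 1
    return {name: mb / grand for name, mb in totals.most_common(top_n)}

def business_distance(hist_vec, cur_vec):
    """Euclidean distance between two service-share vectors."""
    names = set(hist_vec) | set(cur_vec)
    return math.sqrt(sum((hist_vec.get(n, 0.0) - cur_vec.get(n, 0.0)) ** 2 for n in names))

def time_habit(hourly_mb):
    """Discretize online time into busy and idle hours and return traffic shares."""
    busy = sum(mb for h, mb in hourly_mb if h in BUSY_HOURS)
    total = sum(mb for _, mb in hourly_mb) or 1
    return {"busy": busy / total, "idle": 1 - busy / total}

def analyze_period(period):
    """Same data structure for the historical and the current period (module 322)."""
    return {"traffic": traffic_habit(period["daily_mb"]),
            "business": business_habit(period["business_mb"]),
            "time": time_habit(period["hourly_mb"])}

def compare(hist, cur, surge_factor=2.0, max_dist=0.5, max_idle_shift=0.3):
    """Comparison module, part 1: how the current period deviates from habit."""
    dev = []
    if cur["traffic"]["mean"] > surge_factor * hist["traffic"]["mean"]:
        dev.append("traffic_surge")
    if business_distance(hist["business"], cur["business"]) > max_dist:
        dev.append("business_shift")
    if cur["time"]["idle"] - hist["time"]["idle"] > max_idle_shift:
        dev.append("idle_hours_shift")
    return dev

def explained_by_package(deviations, billing):
    """Comparison module, part 2: a pure traffic surge matched by a larger data
    package in the same calendar month is attributed to the package (assumed rule)."""
    return deviations == ["traffic_surge"] and billing["after_mb"] > billing["before_mb"]

def classify_user(hist_period, cur_period, billing):
    """Return ("normal" | "package_change" | "suspected", deviations)."""
    dev = compare(analyze_period(hist_period), analyze_period(cur_period))
    if not dev:
        return "normal", dev
    if explained_by_package(dev, billing):
        return "package_change", dev
    return "suspected", dev   # goes to the suspected Trojan-infected user list

# Constructed sample periods (MB); "unknown-a" is an invented service name.
HIST = {"daily_mb": [100, 120, 110, 90, 105, 115, 100],
        "business_mb": [("video", 400), ("social", 200), ("news", 100), ("mail", 40)],
        "hourly_mb": [(9, 300), (13, 250), (20, 190)]}
CUR_INFECTED = {"daily_mb": [300, 320, 310, 290, 305],
                "business_mb": [("video", 350), ("social", 180), ("unknown-a", 900), ("news", 90)],
                "hourly_mb": [(3, 500), (4, 400), (14, 200)]}
CUR_UPGRADED = {"daily_mb": [300, 320, 310, 290, 305],
                "business_mb": [("video", 1200), ("social", 600), ("news", 300), ("mail", 120)],
                "hourly_mb": [(9, 900), (13, 750), (20, 570)]}
NO_CHANGE = {"before_mb": 1000, "after_mb": 1000}
UPGRADE = {"before_mb": 1000, "after_mb": 3000}

if __name__ == "__main__":
    print(classify_user(HIST, CUR_INFECTED, NO_CHANGE))   # tripled traffic, new top service, night-time use
    print(classify_user(HIST, CUR_UPGRADED, UPGRADE))     # tripled traffic, same services, bigger package
    print(classify_user(HIST, HIST, NO_CHANGE))           # unchanged behavior
```

The two current periods have the same traffic surge; what separates them is that the upgraded user's service vector and time distribution are unchanged and the billing data shows a matching package increase, so only the infected user reaches the suspected list.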

Fig. 5 is a schematic diagram of the relationships between the modules of the apparatus for identifying Trojan viruses according to an embodiment of the present invention. As shown in Fig. 5, 1 and 2 denote the provision of data, and 3 denotes the provision of the suspected Trojan-infected user list.

The specific contents of the files involved in the embodiments of the present invention are as follows:

Whitelist library: a set of service names and destination IPs whose members are unrelated to Trojans.

Blacklist library: a set of service names and destination IPs whose members are related to Trojans, such as Trojan distribution sites, control IPs, infected applications and ad-publishing sites that earn click-through revenue.

Suspected Trojan-infected user list: a list of users with a high probability of having been infected by a Trojan, which departments such as customer service and service support can use for reference in customer service, service blocking and similar work.

Trojan-infected user list: a list of users confirmed to have been infected by a Trojan. It can support proactive customer care, network management, service management, network optimization and similar work.

The technical solutions described in the embodiments of the present invention may be combined arbitrarily where they do not conflict.

In the several embodiments provided by the present invention, it should be understood that the disclosed methods and smart devices may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and in actual implementation other divisions are possible: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the couplings, direct couplings or communication connections between the components shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.

The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present invention may all be integrated into one second processing unit, or each unit may stand alone as a unit, or two or more units may be integrated into one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.

The above is only a specific embodiment of the present invention, and the scope of protection of the present invention is not limited thereto; any person skilled in the art can easily conceive of changes or substitutions within the technical scope disclosed by the present invention, and these shall all be covered by the scope of protection of the present invention.

Claims (12)

1. a method of identifying a trojan horse virus, the method comprising:
Collecting core network data and charging data, wherein the core network data comprises signaling data and service data, and periodically counting the service data to obtain periodic service data; the charging data provides package conditions of the user;
performing historical habit analysis and periodic behavior analysis on the periodic service data, and identifying suspected infected Trojan horse users by combining the charging data;
When the business information corresponding to the business data is judged not to belong to a white list library and belongs to a blacklist library, adding the business data to a suspected Trojan behavior event table;
When the business information corresponding to the business data is judged not to belong to the white name list library and not to belong to the black name list library, filtering the business data according to a screening strategy, and adding the business data meeting the screening strategy into a suspected Trojan behavior event table; the screening strategy is related to the signaling data and the suspected infected Trojan horse user;
And carrying out centralized analysis on the service data in the suspected Trojan horse behavior event table to determine the service data belonging to the Trojan horse, and adding the service information of the service data belonging to the Trojan horse to the blacklist library.
2. The method according to claim 1, wherein when it is determined that the service information corresponding to the service data does not belong to a whitelist library and belongs to a blacklist library, adding the service data to a suspected Trojan horse behavior event table includes:
Judging whether the service information corresponding to the service data belongs to a white list library or not;
When the business information corresponding to the business data is judged to belong to the white list library, no processing is carried out;
when the business information corresponding to the business data is judged not to belong to the white list library, judging whether the business information corresponding to the business data belongs to the black list library or not;
and when the service information corresponding to the service data is judged to belong to the blacklist library, adding the service data to a suspected Trojan behavior event table.
3. the method for identifying Trojan horse viruses according to claim 1, wherein the screening strategy comprises: a first screening rule, a second screening rule, a third screening rule; wherein,
the first screening rule is that: determining the time difference between the networking behavior and the service behavior according to the signaling data and the service data; judging whether the flow is generated immediately after networking according to the time difference; if yes, the service data meets the screening strategy;
The second screening rule is that: determining an uploading event and a downloading event according to the service data; judging whether an uploading event is generated and then a downloading event is generated; if yes, the service data meets the screening strategy;
The third screening rule is that: judging whether the service data belongs to a suspected infected Trojan horse user list, wherein the suspected infected Trojan horse user list is composed of suspected infected Trojan horse users; if yes, the service data meets the screening strategy.
4. the method according to claim 3, wherein the performing a centralized analysis on the business data in the suspected Trojan horse behavior event table to determine the business data belonging to the Trojan horse, and adding the business information of the business data belonging to the Trojan horse to the blacklist library comprises:
Carrying out periodic or aperiodic centralized analysis on the service data in the suspected Trojan horse behavior event table to judge whether the service data in the suspected Trojan horse behavior event table is converged;
for the converged service data, further judging whether the service data belongs to the Trojan horse or not according to the obtained verification operation;
and when the business data is judged to belong to the Trojan horse, adding the business information of the business data belonging to the Trojan horse to the blacklist library.
5. The method of identifying Trojan horse viruses of claim 4, further comprising:
When the business data are judged to belong to the Trojan horse, adding the relevant users of the business data belonging to the Trojan horse to the suspected infected Trojan horse user list;
and when the business data are judged not to belong to the Trojan horse, adding the business information of the business data not belonging to the Trojan horse to the white list library.
6. The method for identifying Trojan horse viruses according to any one of claims 1 to 5, wherein performing historical habit analysis and periodic behavior analysis on the periodic service data and identifying suspected infected Trojan horse users in combination with the charging data comprises:
carrying out traffic habit analysis, service habit analysis and time habit analysis respectively on the historical periodic service data to obtain a historical analysis result;
analyzing the current periodic service data along the same dimensions (traffic, service and time) as the historical periodic service data, and taking the result as the current analysis result;
and comparing the current analysis result with the historical analysis result; when the current analysis result is not consistent with the historical analysis result, comparing the current analysis result with the charging data; and identifying a suspected infected Trojan horse user when the current analysis result is also not consistent with the charging data.
7. An apparatus for identifying a Trojan horse virus, the apparatus comprising:
a data module, configured to acquire core network data and charging data, wherein the core network data comprises signaling data and service data, the service data is counted periodically to obtain periodic service data, and the charging data provides the package conditions of the user;
a periodic behavior clustering module, configured to perform historical habit analysis and periodic behavior analysis on the periodic service data and to identify suspected infected Trojan horse users in combination with the charging data;
a real-time behavior screening module, configured to add the service data to a suspected Trojan horse behavior event table when the service information corresponding to the service data is judged not to belong to a whitelist library but to belong to a blacklist library; to filter the service data according to a screening strategy when the service information is judged to belong to neither the whitelist library nor the blacklist library, and to add the service data meeting the screening strategy to the suspected Trojan horse behavior event table, the screening strategy being related to the signaling data and to the suspected infected Trojan horse users; and to carry out centralized analysis on the service data in the suspected Trojan horse behavior event table to determine the service data belonging to a Trojan horse, and to add the service information of that service data to the blacklist library.
8. The apparatus for identifying a Trojan horse virus according to claim 7, wherein the real-time behavior screening module comprises:
a whitelist judging module, configured to judge whether the service information corresponding to the service data belongs to the whitelist library, and to carry out no further processing when it does;
a blacklist judging module, configured, when the service information is judged not to belong to the whitelist library, to judge whether it belongs to the blacklist library, and to add the service data to the suspected Trojan horse behavior event table when it does.
9. The apparatus for identifying a Trojan horse virus according to claim 7, wherein the real-time behavior screening module comprises:
a screening strategy module, configured, when the service information corresponding to the service data is judged to belong to neither the whitelist library nor the blacklist library, to filter the service data according to a screening strategy and to add the service data meeting the screening strategy to the suspected Trojan horse behavior event table, the screening strategy being related to the signaling data and to the suspected infected Trojan horse users;
wherein the screening strategy comprises a first screening rule, a second screening rule and a third screening rule, in which:
the first screening rule is: determining the time difference between the networking behavior and the service behavior from the signaling data and the service data; judging from the time difference whether traffic is generated immediately after networking; if so, the service data meets the screening strategy;
the second screening rule is: determining upload events and download events from the service data; judging whether an upload event is generated and a download event is generated after it; if so, the service data meets the screening strategy;
the third screening rule is: judging whether the service data belongs to a user in the suspected infected Trojan horse user list, the list being composed of the suspected infected Trojan horse users; if so, the service data meets the screening strategy.
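The real-time screening stage described in the third rule of claim 3 above and in claims 8 and 9, as an added example that is not part of the patent (illustrative code, not the applicant's implementation). It assumes a schema the claims do not fix: the networking event is the user's attach time taken from signaling data, the service information is the destination host of a flow, "immediately" means within 5 seconds, and the attach times, hosts, user identifiers, whitelist, blacklist and suspected-user list are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed record shapes (the patent fixes no schema).  Signaling data yields the
# user's "networking" event (attach time, an assumption); service data yields
# per-flow records carrying the user, the service information (modelled as the
# destination host), a timestamp and the traffic direction.


@dataclass(frozen=True)
class Signaling:
    user: str
    attach_time: int          # seconds; constructed sample data


@dataclass(frozen=True)
class ServiceRecord:
    user: str
    service_info: str         # stands in for the claim's "service information"
    time: int                 # seconds
    direction: str            # "up" or "down"


IMMEDIATE_WINDOW = 5          # assumed threshold for "traffic immediately after networking"


def rule_immediate_traffic(rec, attach_times, window=IMMEDIATE_WINDOW):
    """First rule: traffic within `window` seconds after any networking event of the user."""
    return any(0 <= rec.time - t <= window for t in attach_times.get(rec.user, ()))


def rule_upload_then_download(records):
    """Second rule: for one user/service pair, an upload event precedes the first download."""
    ups = sorted(r.time for r in records if r.direction == "up")
    downs = sorted(r.time for r in records if r.direction == "down")
    return bool(ups) and bool(downs) and ups[0] < downs[0]


def rule_suspected_user(rec, suspected_users):
    """Third rule: the record belongs to a user on the suspected-infected list."""
    return rec.user in suspected_users


def screen(service_records, signaling, whitelist, blacklist, suspected_users):
    """Real-time behaviour screening (claims 7-9).  Returns the suspected Trojan
    behaviour event table as (user, service_info, reason) tuples."""
    attach_times = defaultdict(list)
    for s in signaling:
        attach_times[s.user].append(s.attach_time)
    by_pair = defaultdict(list)            # group by user+service so rule 2 sees the whole flow
    for r in service_records:
        by_pair[(r.user, r.service_info)].append(r)

    events = []
    for (user, svc), recs in by_pair.items():
        if svc in whitelist:
            continue                        # whitelist hit: no processing
        if svc in blacklist:
            events.append((user, svc, "blacklist"))
            continue
        # neither list: apply the three screening rules
        if any(rule_immediate_traffic(r, attach_times) for r in recs):
            events.append((user, svc, "rule1_immediate_after_networking"))
        elif rule_upload_then_download(recs):
            events.append((user, svc, "rule2_upload_before_download"))
        elif any(rule_suspected_user(r, suspected_users) for r in recs):
            events.append((user, svc, "rule3_suspected_user"))
    return events


# Constructed sample input.
SAMPLE_SIGNALING = [Signaling("u1", 1000), Signaling("u4", 500)]
SAMPLE_SERVICE = [
    ServiceRecord("u1", "c2.example", 1002, "up"),      # rule 1: 2 s after attach
    ServiceRecord("u2", "bad.example", 2000, "down"),   # blacklisted service info
    ServiceRecord("u3", "cdn.example", 2100, "down"),   # whitelisted: ignored
    ServiceRecord("u4", "drop.example", 900, "up"),     # rule 2: upload ...
    ServiceRecord("u4", "drop.example", 905, "down"),   #          ... then download
    ServiceRecord("u5", "news.example", 3000, "down"),  # rule 3: u5 is a suspected user
    ServiceRecord("u6", "news.example", 3100, "down"),  # no rule matches
    ServiceRecord("u6", "news.example", 3200, "up"),
]
WHITELIST = {"cdn.example"}
BLACKLIST = {"bad.example"}
SUSPECTED_USERS = {"u5"}


def demo():
    return screen(SAMPLE_SERVICE, SAMPLE_SIGNALING, WHITELIST, BLACKLIST, SUSPECTED_USERS)
```

The rules are evaluated per user/service pair rather than per record, because the second rule is an ordering property of a whole flow; a record-by-record implementation would never see the download that follows the upload.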
10. The apparatus for identifying a Trojan horse virus according to claim 9, wherein the real-time behavior screening module comprises:
a centralized analysis module, configured to carry out periodic or aperiodic centralized analysis on the service data in the suspected Trojan horse behavior event table to judge whether the service data in the table converges; for the converged service data, to further judge whether the service data belongs to a Trojan horse according to the result of a verification operation obtained for that data; and, when the service data is judged to belong to a Trojan horse, to add the service information of that service data to the blacklist library.
11. The apparatus for identifying a Trojan horse virus according to claim 10, wherein the centralized analysis module is further configured to add the users related to the service data to the suspected infected Trojan horse user list when the service data is judged to belong to a Trojan horse, and to add the service information of the service data to the whitelist library when the service data is judged not to belong to a Trojan horse.
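The centralized analysis of claims 4 and 5 and of claims 10 and 11, as an added example that is not from the patent. It assumes that "converged" means the same service information appears in events of at least three distinct users (the claims give no criterion), and that the "obtained verification operation" is an analyst verdict supplied as a mapping from service information to true/false; the event table, the lists and the verdicts are constructed.

```python
from collections import defaultdict

# Constructed event table as produced by the real-time screening stage: (user, service_info).
SAMPLE_EVENT_TABLE = [
    ("u1", "c2.example"), ("u7", "c2.example"), ("u8", "c2.example"), ("u9", "c2.example"),
    ("u2", "bad.example"),
    ("u4", "drop.example"), ("u4", "drop.example"),
    ("u5", "news.example"), ("u6", "news.example"), ("u10", "news.example"),
]
MIN_DISTINCT_USERS = 3        # assumed convergence threshold


def converged_services(event_table, min_users=MIN_DISTINCT_USERS):
    """Group the event table by service information; a service 'converges' when its
    events come from at least `min_users` distinct users.  Returns {service: users}."""
    users_by_service = defaultdict(set)
    for user, svc in event_table:
        users_by_service[svc].add(user)
    return {svc: users for svc, users in users_by_service.items() if len(users) >= min_users}


def centralized_analysis(event_table, verification, whitelist, blacklist, suspected_users):
    """Periodic or aperiodic centralized analysis.  `verification` stands in for the
    claim's 'obtained verification operation': {service_info: True/False} recorded by
    the analyst for converged services (assumption).  Returns the updated
    (whitelist, blacklist, suspected_users, remaining_event_table)."""
    whitelist, blacklist, suspected = set(whitelist), set(blacklist), set(suspected_users)
    resolved = set()
    for svc, users in converged_services(event_table).items():
        if svc not in verification:
            continue                      # converged but not yet verified: stays in the table
        resolved.add(svc)
        if verification[svc]:
            blacklist.add(svc)            # claim 4: confirmed Trojan -> blacklist library
            suspected |= users            # claim 5: its users -> suspected-infected list
        else:
            whitelist.add(svc)            # claim 5: confirmed benign -> whitelist library
    remaining = [(u, s) for u, s in event_table if s not in resolved]
    return whitelist, blacklist, suspected, remaining


def demo():
    verification = {"c2.example": True, "news.example": False}
    return centralized_analysis(SAMPLE_EVENT_TABLE, verification,
                                whitelist={"cdn.example"}, blacklist={"bad.example"},
                                suspected_users={"u5"})
```

Entries whose service information has not converged, or has converged but carries no verdict yet, are left in the event table for the next analysis round; only verified entries feed the two libraries and the user list, which is what keeps a single analyst decision from being amplified by the real-time stage before it is confirmed.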
12. The apparatus for identifying a Trojan horse virus according to any one of claims 7 to 11, wherein the periodic behavior clustering module comprises:
a historical habit analysis module, configured to carry out traffic habit analysis, service habit analysis and time habit analysis respectively on the historical periodic service data to obtain a historical analysis result;
a periodic behavior analysis module, configured to analyze the current periodic service data along the same dimensions (traffic, service and time) as the historical periodic service data and to take the result as the current analysis result;
and a comparison module, configured to compare the current analysis result with the historical analysis result, to compare the current analysis result with the charging data when it is not consistent with the historical analysis result, and to identify a suspected infected Trojan horse user when the current analysis result is also not consistent with the charging data.
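The habit analysis and charging-data comparison of claim 6 and claim 12, as an added example that is not from the patent. Assumptions not in the claims: periodic service data is summarized per user and period as total volume, the set of service types used and the set of active hours; a current result is "inconsistent with history" when the volume exceeds the historical mean by three standard deviations, a new service type appears, or traffic appears in an hour that was never active before; and the charging data consists of a data quota, the service types the package covers and whether the package changed in the period. All users and figures are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class PeriodStats:
    """Periodic service data for one user and one period (counted from service data)."""
    user: str
    total_mb: int
    services: frozenset      # service types used in the period
    active_hours: frozenset  # hours of day in which traffic occurred


def historical_profile(history):
    """Historical habit analysis: traffic habit (mean and spread of period volume),
    service habit (service types normally used), time habit (hours normally active)."""
    volumes = [p.total_mb for p in history]
    return {
        "mean_mb": mean(volumes),
        "std_mb": pstdev(volumes) if len(volumes) > 1 else 0.0,
        "services": frozenset().union(*(p.services for p in history)),
        "hours": frozenset().union(*(p.active_hours for p in history)),
    }


def deviations(profile, current, sigma=3.0):
    """Periodic behaviour analysis: the current period on the same three dimensions,
    compared with the historical profile.  Returns the dimensions that differ."""
    out = []
    if current.total_mb > profile["mean_mb"] + sigma * profile["std_mb"]:
        out.append("traffic")
    if current.services - profile["services"]:
        out.append("service")
    if current.active_hours - profile["hours"]:
        out.append("time")
    return out


def consistent_with_charging(current, new_services, package):
    """Assumed meaning of 'consistent with the charging data': the package explains the
    change (it was changed this period), or the volume fits the quota and every newly
    used service type is one the package covers."""
    if package["package_changed"]:
        return True
    return current.total_mb <= package["quota_mb"] and new_services <= package["covered_services"]


def identify_suspected(history, current, charging, sigma=3.0):
    """Returns (is_suspected, deviations).  Only a user whose current result departs from
    history AND is not explained by the charging data is reported."""
    profile = historical_profile(history)
    devs = deviations(profile, current, sigma)
    if not devs:
        return False, devs
    new_services = current.services - profile["services"]
    return (not consistent_with_charging(current, new_services, charging[current.user])), devs


# Constructed sample: three past periods per user, one current period, and package data.
def _history(user):
    return [PeriodStats(user, mb, frozenset({"web", "im"}), frozenset(range(8, 23)))
            for mb in (500, 520, 480)]


CHARGING = {
    "u1": {"quota_mb": 1024, "covered_services": frozenset({"web", "im", "video"}), "package_changed": False},
    "u2": {"quota_mb": 5120, "covered_services": frozenset({"web", "im", "video"}), "package_changed": True},
    "u3": {"quota_mb": 1024, "covered_services": frozenset({"web", "im"}), "package_changed": False},
}
CURRENT = {
    # four times the usual volume, an unknown service type and 03:00 activity on a 1 GB package
    "u1": PeriodStats("u1", 2000, frozenset({"web", "im", "unknown_tcp"}), frozenset(range(8, 23)) | {3}),
    # volume jump only, in the period in which the user upgraded the package
    "u2": PeriodStats("u2", 2000, frozenset({"web", "im"}), frozenset(range(8, 23))),
    # behaviour matches history
    "u3": PeriodStats("u3", 510, frozenset({"web", "im"}), frozenset(range(9, 22))),
}


def demo(user):
    return identify_suspected(_history(user), CURRENT[user], CHARGING)
```

The charging comparison is what separates a package upgrade from an infection: u2's volume jump deviates from history exactly like u1's, but it coincides with a package change and so is not reported, while u1's deviation has no explanation in the package and the user is added to the suspected list.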
CN201610085868.5A 2016-02-15 2016-02-15 Method and device for identifying Trojan horse virus Active CN107086978B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610085868.5A CN107086978B (en) 2016-02-15 2016-02-15 Method and device for identifying Trojan horse virus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610085868.5A CN107086978B (en) 2016-02-15 2016-02-15 Method and device for identifying Trojan horse virus

Publications (2)

Publication Number Publication Date
CN107086978A CN107086978A (en) 2017-08-22
CN107086978B true CN107086978B (en) 2019-12-10

Family

ID=59614351

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610085868.5A Active CN107086978B (en) 2016-02-15 2016-02-15 Method and device for identifying Trojan horse virus

Country Status (1)

Country Link
CN (1) CN107086978B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107395650B (en) * 2017-09-07 2020-06-09 杭州安恒信息技术股份有限公司 Method and device for identifying Trojan back connection based on sandbox detection file
CN115408420B (en) * 2022-09-02 2023-08-01 自然资源部地图技术审查中心 Method and apparatus for automatically filtering map notes and points of interest using a computer

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1343288A1 (en) * 2002-02-28 2003-09-10 NTT DoCoMo, Inc. Server apparatus and information processing method
CN101299660A (en) * 2007-04-30 2008-11-05 华为技术有限公司 Method, system and equipment for executing security control
CN101621511A (en) * 2009-06-09 2010-01-06 北京安天电子设备有限公司 Multilayer detecting method without local virus library and multilayer detecting system
CN102801740A (en) * 2012-08-30 2012-11-28 苏州山石网络有限公司 Trojan horse virus prevention method and equipment
CN103475663A (en) * 2013-09-13 2013-12-25 无锡华御信息技术有限公司 Trojan recognition method based on network communication behavior characteristics
CN103632096A (en) * 2013-11-29 2014-03-12 北京奇虎科技有限公司 Method and device for carrying out safety detection on equipment
CN104468507A (en) * 2014-10-28 2015-03-25 刘胜利 Trojan detection method based on uncontrolled end flow analysis

Also Published As

Publication number Publication date
CN107086978A (en) 2017-08-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant