Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Method and device for actively finding malicious code control end

A malicious code, active discovery technology, applied in the field of information security, can solve the problems of huge time cost, high time cost, efficiency consideration and optimization of scanning, etc., to achieve the effect of important information security guarantee and avoid time cost

Active Publication Date: 2010-12-22
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT
View PDF10 Cites 18 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0021] 1. Existing solutions are aimed at scanning a single host or a small range of hosts, without considering the actual needs of large-scale scanning, so there is no special consideration and optimization of scanning efficiency
If the existing technology is used to scan a large number of Internet hosts and all their ports, the time overhead will be huge, so the output of the results is no longer practical
[0022] 2. Existing solutions are all aimed at scanning a single host or a small range of hosts, without considering the pressure caused by large-scale batch scanning tasks on the system resources of the local environment where the scanning tasks are performed
[0023] 3. Disadvantages of the ICMP echo method: with firewalls, security protection software, or specially configured hosts, ICMP echo requests will not generate ICMP echo responses, that is, the results obtained by ICMP echo methods are wrong.
[0024] 4. Disadvantages of the port inference method: For hosts that have been specially configured, the common open ports are not necessarily in the open listening state, that is, to judge whether the host is online, which will cause missed judgments on such online hosts
[0025] 5. Disadvantages of TCP connection scanning: Establishing a TCP connection requires a three-step handshake communication, which requires a certain amount of time overhead
In addition, each connection requires a certain amount of local memory
[0026] 6. Disadvantages of TCP FIN scanning and TCP NULL scanning: After sending a TCP FIN frame or TCP NULL frame, it is judged that the port is open after a period of time when there is still no return frame, so the time overhead is relatively large
In addition, because the implementation details of the network protocol of the Windows operating system are different from the standard specifications, these two methods are invalid for Windows hosts

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Method and device for actively finding malicious code control end
  • Method and device for actively finding malicious code control end
  • Method and device for actively finding malicious code control end

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0062] The present invention will be described in further detail below in conjunction with the accompanying drawings and specific embodiments.

[0063] The present invention proposes a solution for the active discovery of malicious code control terminals, namely: actively scan hosts in the Internet to obtain their online status, open ports and operating system types; The port establishes a network connection to simulate the network behavior of the controlled terminal; compares the communication data returned by the host with the network behavior characteristics of the control terminal, and judges whether there is a control terminal in the host and what kind of control terminal it is based on the comparison results, so as to finally realize active discovery and identify the console.

[0064] figure 1 It is a schematic flowchart of the method for actively discovering malicious code control terminals of the present invention. As shown, the method for discovering malicious code c...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a method for actively finding a malicious code control end, which comprises the following steps of: scanning host information, namely finding a host computer in an on-line state of which the operating system is Windows and which is provided with open ports in an IP address range needing to be scanned and determining at least one open ports of the host computer; and scanning control end information, namely establishing network connection with the open ports of the host computer, simulating a network behavior of a controlled end host computer corresponding to the known type of the malicious code control end, sending data to the host computer, analyzing the received return data, and if the data meets the characteristic of the known type of the malicious code control end, indicating that the type of the malicious code control end exists in the host computer. The method can effectively identify the malicious code control end, is suitable for large-scale scanning of the host computer in the Internet and has great practical significance for guaranteeing information security. Correspondingly, the invention also provides a device for actively finding the malicious code control end.

Description

technical field [0001] The invention belongs to the technical field of information security, and in particular relates to a method and a device for actively discovering and identifying a malicious code control terminal in the Internet. [0002] Terminology Explanation [0003] ICMP: full name Internet Control Message Protocol, Chinese translation Internet Control Message Protocol, is a kind of network protocol, used to transmit control information between hosts. There are many types of ICMP frames. The ICMP echo request, ICMP echo response, ICMP timestamp, and ICMP subnet mask mentioned in this article are all different types of ICMP frames. [0004] TCP: The full name is Transmission Control Protocol, which is a Chinese translation of Transmission Control Protocol. It is a kind of network protocol and is used to establish network connections between hosts. The establishment process of a TCP connection is divided into three steps, commonly known as the three-step handshake p...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
Inventor 孙波许俊峰杜跃进黄彩洪李柏松张冰袁春阳朱春鸽严寒冰焦英楠
Owner NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com