
Malicious C and C (Command and Control) server determining method and device

A determination method and server technology, applied in the field of information security, can solve the problems such as the inability to guarantee the accuracy of malicious C&C servers, low efficiency, and inability to process data effectively.

Active Publication Date: 2017-03-29
NSFOCUS INFORMATION TECHNOLOGY CO LTD +1
4 Cites, 14 Cited by

AI Technical Summary

Problems solved by technology

[0004] The present invention provides a method and device for determining a malicious C&C server, which is used to solve the problems in the prior art that the data of a large number of C&C files cannot be effectively processed, that the efficiency is too low, and that the accuracy of the determined malicious C&C server cannot be guaranteed.


Examples


Embodiment 1

[0043] Figure 1 is a schematic diagram of a malicious C&C server determination process provided by an embodiment of the present invention; the process includes:

[0044] S101: run the received C&C file in simulation, obtain the IP address or Uniform Resource Locator (URL) associated with the C&C file, and identify whether each preset operation exists in the C&C file; if an IP address is obtained, proceed to S102, and if a URL is obtained, proceed to S103.

[0045] In the embodiment of the present invention, the received C&C file is run in simulation in a Windows sandbox, and the Message-Digest Algorithm 5 (MD5) value of the C&C file can be used as the unique identifier of the C&C file during its simulated execution. While the C&C file runs in the Windows sandbox it is identified by its MD5 value, the IP address or URL associated with the C&C file is obtained, and it is identified whether each preset operation ex...

Embodiment 2

[0056] On the basis of the above-mentioned embodiments, in the embodiment of the present invention, in order to facilitate the protection and tracking operations on the malicious C&C server, the method further includes:

[0057] If it is determined that the C&C server is a malicious C&C server, the IP address or URL associated with the obtained C&C file is added to the blacklist.

[0058] Specifically, if it is determined that the C&C server is a malicious C&C server, the obtained IP address or URL associated with the C&C file is added to the blacklist. The IP addresses or URLs of malicious C&C servers saved in the blacklist can be used by technicians to track malicious C&C servers, and can also be used for security protection by refusing data transmission with any C&C server whose IP address or URL matches an entry in the blacklist.

[0059] In order to improve the determination efficiency of the malicious C&C server, on the basis of the above implementations, ...

Embodiment 3

[0073] In order to improve the accuracy of determining the malicious C&C server, on the basis of the above-mentioned embodiments, in the embodiment of the present invention, each preset operation includes at least one of the following operations:

[0074] Registry operations, disable or hide operations, deploy and invoke tool operations, network connection operations, hide active interface operations, other process operations, browser operations, and user information collection operations.

[0075] Specifically, the C&C file of a malicious C&C server usually contains one or more of registry operations, disable or hide operations, deploy and invoke tool operations, network connection operations, hide active interface operations, other process operations, browser operations, and user information collection operations, so as to change the settings of the host, take control of the host, collect user information, and so on. In the embodiment of the present invention, for each ...


Abstract

The invention discloses a malicious C and C (Command and Control) server determining method and device. The method comprises the following steps: running a received C and C file in a simulation manner, and acquiring an IP address or a URL (Uniform Resource Locator) which is associated with the C and C file; if the IP address is acquired, determining an evaluation score of the C and C file according to whether preset operations exist in the C and C file and the weight coefficients corresponding to the operations that exist, and determining according to the evaluation score whether the C and C server corresponding to the IP address is a malicious C and C server; and if the URL is acquired, acquiring feature parameters of a feature vector corresponding to the URL, and determining whether the C and C server corresponding to the URL is a malicious C and C server according to a pre-trained detection model and the feature vector. Through adoption of the malicious C and C server determining method and device, the problems in the prior art of being unable to effectively process the data of a large quantity of C and C files and being unable to ensure the accuracy of the determined malicious C and C server are solved.
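The IP-address branch of the abstract (steps S101 and S102 of Embodiment 1, the eight preset operation categories of Embodiment 3, and the blacklist of Embodiment 2) as an added Python example. This is not code from the patent or from NSFOCUS; the weight coefficients, the decision threshold, the sandbox-report layout, the operation names and the sample indicators are all constructed assumptions, since the page gives no concrete values. The URL branch, which the abstract routes to a pre-trained detection model over a feature vector, is only dispatched here and not scored, because the page does not state which features the model uses.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# The eight preset operation categories listed in Embodiment 3 of the patent text.
PRESET_OPERATIONS = (
    "registry",
    "disable_or_hide",
    "deploy_invoke_tool",
    "network_connection",
    "hide_active_interface",
    "other_process",
    "browser",
    "user_info_collection",
)

# Constructed weight coefficients (assumption: the patent gives no numbers).
WEIGHTS = {
    "registry": 0.15,
    "disable_or_hide": 0.15,
    "deploy_invoke_tool": 0.10,
    "network_connection": 0.10,
    "hide_active_interface": 0.15,
    "other_process": 0.10,
    "browser": 0.10,
    "user_info_collection": 0.15,
}

# Constructed decision threshold on the evaluation score (assumption).
THRESHOLD = 0.5


@dataclass(frozen=True)
class SandboxReport:
    """Constructed shape of what the sandbox run yields for one C&C file."""
    md5: str                 # unique identifier of the C&C file (S101 / [0045])
    indicator: str           # IP address or URL the file contacted
    observed: frozenset      # subset of PRESET_OPERATIONS seen during the run


@dataclass
class Blacklist:
    """IP addresses / URLs of confirmed malicious C&C servers (Embodiment 2)."""
    entries: set = field(default_factory=set)

    def add(self, indicator: str) -> None:
        self.entries.add(indicator)

    def allows_transmission(self, indicator: str) -> bool:
        # [0058]: refuse data transmission with any indicator on the blacklist.
        return indicator not in self.entries


def indicator_kind(indicator: str) -> str:
    """Decide which branch S101 dispatches to: 'ip' -> S102, 'url' -> S103."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(indicator)
    if parsed.scheme and parsed.netloc:
        return "url"
    raise ValueError(f"indicator is neither an IP address nor a URL: {indicator!r}")


def evaluation_score(observed, weights=WEIGHTS) -> float:
    """S102: sum the weight coefficients of the preset operations that exist."""
    unknown = set(observed) - set(PRESET_OPERATIONS)
    if unknown:
        raise ValueError(f"not a preset operation: {sorted(unknown)}")
    # round() makes the result independent of frozenset iteration order.
    return round(sum(weights[op] for op in observed), 4)


def process_report(report: SandboxReport, blacklist: Blacklist) -> dict:
    """Run the dispatch of S101; score the IP branch and update the blacklist."""
    kind = indicator_kind(report.indicator)
    result = {"md5": report.md5, "indicator": report.indicator, "branch": kind,
              "score": None, "malicious": None}
    if kind == "url":
        # S103 needs the pre-trained feature-vector model, which the page
        # does not specify, so the URL branch is only dispatched here.
        return result
    score = evaluation_score(report.observed)
    malicious = score >= THRESHOLD
    if malicious:
        blacklist.add(report.indicator)          # Embodiment 2, [0057]
    result.update(score=score, malicious=malicious)
    return result


if __name__ == "__main__":
    # Constructed sample reports; 198.51.100.0/24 is a documentation range.
    bl = Blacklist()
    noisy = SandboxReport(hashlib.md5(b"constructed sample A").hexdigest(), "198.51.100.7",
                          frozenset({"registry", "network_connection",
                                     "hide_active_interface", "user_info_collection"}))
    quiet = SandboxReport(hashlib.md5(b"constructed sample B").hexdigest(), "198.51.100.8",
                          frozenset({"network_connection"}))
    for r in (noisy, quiet):
        print(process_report(r, bl))
    print("blacklist:", sorted(bl.entries))
```

A report that only opens a network connection scores 0.10 and stays off the blacklist, whereas one that also touches the registry, hides its interface and collects user information reaches 0.55 and is recorded; any later attempt to transmit to that address is then refused by `allows_transmission`.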

Description

Technical field

[0001] The present invention relates to the technical field of information security, in particular to a method and device for determining a malicious command and control (Command&Control, C&C) server.

Background technique

[0002] A botnet refers to a one-to-many controllable network formed between the controller (C&C server) and the infected hosts by infecting a large number of hosts with bots using one or more means of propagation. The controller spreads bots through various channels to infect a large number of hosts on the Internet, and the infected hosts receive the controller's control instructions through a control channel, forming a botnet. The C&C server is a command and control server. In the botnet, the C&C server is used to send control instructions to the infected hosts, directing them to conduct distributed denial of service (DDoS) attacks on servers and other devices, which takes up a lot of server res...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): H04L29/06
CPC: H04L63/1408, H04L63/1416, H04L63/1441
Inventor: 周素华, 张宏斌, 范敦球, 叶晓虎, 史龙安
Owner NSFOCUS INFORMATION TECHNOLOGY CO LTD