SSL/TLS encrypted malicious service discovery method based on certificate characteristic generalization and server change behavior

Applied in the field of network security (classified under electrical components and transmission systems), the method addresses the insufficient real-time performance, performance degradation and insufficient robustness of existing certificate-based detection, so as to avoid an increase in the missed-detection rate, improve robustness, and extract effective features quickly.

Active Publication Date: 2017-04-26
INST OF INFORMATION ENG CAS

AI Technical Summary

Problems solved by technology

Such methods often depend on the training data set itself, requiring repeated training and parameter tuning to reach high performance, and their real-time performance is insufficient in practical use.
At the same time, these methods target only services such as phishing and do not study malicious services with remote-control functions, such as Trojan horses and botnets.
In addition, such methods start only from the certificate, without considering the behavioural attributes of the service. When a malicious adversary deliberately changes the certificate attributes substantially, the method's performance drops sharply; its robustness is insufficient.
[0008] Fingerprints generated from the certificate's SHA1 (or another hash) and detection of the corresponding malicious server IP and port are, in principle, traditional known-blacklist filtering, which inherently lags behind the threat. Since the controller can quickly and frequently update the certificate and server IP at any time, and the certificate attributes themselves carry no fixed fingerprint that can be extracted, it is difficult to detect similar malicious services at scale relying only on a small number of known SHA1 fingerprints and IP-address blacklists; such methods are of limited practical value.



Examples


Example 1

[0044] Example 1: Based on certificate feature generalization, a new bank-stealing Trojan service was discovered in a scientific research network

[0045] More similar malicious services were found from partial certificate information of the Dyre online-banking Trojan listed in SSLBL. On August 31, 2015, 3,127 Dyre certificate summaries and the corresponding blacklisted IP:port pairs (653 in total) were collected from the SSLBL website (https://sslbl.abuse.ch). With feature generalization, the following two main types of generalized features were obtained:

[0046]

[0047] Certificates were obtained from the traffic of a domestic scientific research network and checked against the two feature types above. Within one week, 520 new certificates were found, corresponding to 1,741 suspicious servers, of which 1,708 were new discoveries and 33 were already in SSLBL's complete Dyre blacklist. Through active scanning, the newly discovered s...

Example 2

[0048] Example 2: Based on certificate feature generalization and an Internet-wide certificate scan data set, a bank-stealing Trojan service was discovered

[0049] More similar malicious services were found from partial certificate information of the Dridex online-banking Trojan listed in SSLBL. In October 2015, the certificate features used by the Dridex Trojan in SSLBL were generalized, and the generalized features were then applied to Rapid7's port-443 certificate scan data set covering the entire IPv4 address space (https://scans.io); about 500 suspicious SSL/TLS server IPs were found.

Example 3

[0050] Example 3: Unknown encrypted malicious remote-control services discovered from coarse-grained features and server certificate update frequency

[0051] A month of monitoring known malicious servers showed that the remote server certificate of one Trojan control service was renewed every 3 days, while its generalized features were not distinctive. Screening by certificate renewal frequency therefore successfully found 5 unknown remote-control servers in 24 hours of traffic at an enterprise network egress.

[0052] In addition to the embodiments above, the invention can also be implemented in other ways, including:

[0053] 1. Step 1) is the collection of certificates of known malicious services. There are various ways to obtain such certificates; besides the methods listed, they can also be obtained from security companies and other channels. In addition, the certificate acq...


Abstract

The invention relates to an SSL/TLS encrypted malicious service discovery method based on certificate feature generalization and server change behaviour. The method comprises 1) collecting certificates of known malicious services; 2) extracting the attributes of the collected certificates, classifying the certificates by service type, and extracting generalized features from the attribute domains and attribute relations of each class; and 3) using the extracted generalized features to discover potential malicious services in a real network environment. If step 2) cannot extract a generalized feature, the certificate change pattern is discovered by tracking the certificates of the known malicious servers, and malicious services are discovered from that pattern. The method targets SSL/TLS encrypted remote-control malicious services, performs reasonable screening within a controllable range, and expands the set of discovered malicious servers, providing a basis for further in-depth security analysis and evidence collection.
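The full pipeline, as an added example written for this page in Python on constructed certificate records (not code from the patent or its inventors): steps 1) to 3) of the abstract, i.e. generalizing attribute domains (subject CN shape, validity period, key size) and attribute relations (subject equals issuer) over known malicious certificates, screening the result against a benign reference set, and matching observed certificates; plus the fallback of Example 3 above, flagging servers by certificate renewal frequency. The attribute set, the label shape function, the support threshold, the 3-day renewal threshold and every record are assumptions, since the Dyre and Dridex feature tables themselves are not reproduced on this page.

```python
# Added illustration of the patent's pipeline on constructed data; not the inventors' code.
# Attribute names, shape function, thresholds and all records below are assumptions.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Step 1: certificates of known malicious services, already parsed into attributes.
# Constructed records standing in for the SSLBL entries the patent collected.
KNOWN_MALICIOUS = [
    {"subject_cn": "ab12cd34ef56.com", "issuer_cn": "ab12cd34ef56.com", "subject_o": "", "validity_days": 365, "key_bits": 1024},
    {"subject_cn": "9f8e7d6c5b4a.net", "issuer_cn": "9f8e7d6c5b4a.net", "subject_o": "", "validity_days": 365, "key_bits": 1024},
    {"subject_cn": "0011aabbccdd.org", "issuer_cn": "0011aabbccdd.org", "subject_o": "", "validity_days": 365, "key_bits": 1024},
    {"subject_cn": "deadbeef0123.com", "issuer_cn": "deadbeef0123.com", "subject_o": "", "validity_days": 730, "key_bits": 1024},
]
# Benign reference certificates (constructed), used to drop features that are common anyway:
# this is the "screening within a controllable range" that keeps false positives down.
KNOWN_BENIGN = [
    {"subject_cn": "www.example.com", "issuer_cn": "Example CA", "subject_o": "Example Inc", "validity_days": 365, "key_bits": 2048},
    {"subject_cn": "mail.example.org", "issuer_cn": "Example CA", "subject_o": "Example Org", "validity_days": 90, "key_bits": 2048},
]

def label_shape(label):
    """Abstract one DNS label of the subject CN into a character-class shape, e.g. 'ab12cd34ef56' -> 'hex12'."""
    if re.fullmatch(r"[0-9a-f]+", label):
        return f"hex{len(label)}"
    if re.fullmatch(r"[A-Za-z]+", label):
        return "alpha"
    if re.fullmatch(r"[A-Za-z0-9]+", label):
        return "alnum"
    return "other"

def generalize(cert):
    """Step 2: map a certificate to (attribute, generalized value) features.
    Attribute-domain features abstract one field's value; the attribute-relation
    feature compares two fields (subject CN against issuer CN)."""
    labels = cert["subject_cn"].split(".")
    cn_shape = ".".join(label_shape(l) for l in labels[:-1]) + ".<tld>"
    return {
        ("cn_shape", cn_shape),
        ("self_signed", cert["subject_cn"] == cert["issuer_cn"]),
        ("empty_o", cert["subject_o"] == ""),
        ("validity_days", cert["validity_days"]),
        ("key_bits", cert["key_bits"]),
    }

def extract_signature(malicious, benign, min_support=0.75):
    """Keep features present in >= min_support of the malicious certificates
    and absent from every benign reference certificate."""
    counts = Counter(f for c in malicious for f in generalize(c))
    benign_feats = {f for c in benign for f in generalize(c)}
    return {f for f, k in counts.items()
            if k / len(malicious) >= min_support and f not in benign_feats}

def discover(observed, signature):
    """Step 3: servers in observed traffic whose certificate carries every signature feature."""
    return [c["ip"] for c in observed if signature <= generalize(c)]

# Constructed certificates as they might be pulled from network traffic or a port-443 scan.
OBSERVED = [
    {"ip": "198.51.100.7:443", "subject_cn": "77aa88bb99cc.com", "issuer_cn": "77aa88bb99cc.com", "subject_o": "", "validity_days": 365, "key_bits": 1024},
    {"ip": "203.0.113.9:443", "subject_cn": "shop.example.net", "issuer_cn": "Example CA", "subject_o": "Example Inc", "validity_days": 365, "key_bits": 2048},
    {"ip": "192.0.2.44:443", "subject_cn": "77aa88bb99cc.com", "issuer_cn": "Some CA", "subject_o": "", "validity_days": 365, "key_bits": 1024},
]

# Fallback (Example 3): when no generalized feature stands out, track how often a server's
# certificate changes. Constructed sightings: (server, date first seen, SHA1 fingerprint).
SIGHTINGS = [
    ("192.0.2.10:443", "2015-10-01", "sha1:aaaa"),
    ("192.0.2.10:443", "2015-10-04", "sha1:bbbb"),
    ("192.0.2.10:443", "2015-10-07", "sha1:cccc"),
    ("192.0.2.10:443", "2015-10-10", "sha1:dddd"),
    ("203.0.113.5:443", "2015-10-01", "sha1:eeee"),
    ("203.0.113.5:443", "2015-10-09", "sha1:eeee"),  # same certificate seen again, not a renewal
    ("203.0.113.5:443", "2015-12-30", "sha1:ffff"),  # ordinary ~90-day rotation
]

def renewal_intervals(sightings):
    """Per server, days between the first sightings of successive distinct certificates."""
    first_seen = defaultdict(dict)
    for server, day, fp in sightings:
        t = datetime.strptime(day, "%Y-%m-%d")
        if fp not in first_seen[server] or t < first_seen[server][fp]:
            first_seen[server][fp] = t
    intervals = {}
    for server, fps in first_seen.items():
        times = sorted(fps.values())
        intervals[server] = [(b - a).days for a, b in zip(times, times[1:])]
    return intervals

def fast_renewers(sightings, max_mean_days=3.0, min_renewals=2):
    """Servers that renewed at least min_renewals times with a mean interval <= max_mean_days
    (3 days is the renewal period reported for the Trojan control service in Example 3)."""
    flagged = [server for server, gaps in renewal_intervals(sightings).items()
               if len(gaps) >= min_renewals and sum(gaps) / len(gaps) <= max_mean_days]
    return sorted(flagged)

if __name__ == "__main__":
    sig = extract_signature(KNOWN_MALICIOUS, KNOWN_BENIGN)
    print("generalized signature:", sorted(sig))
    print("suspicious by signature:", discover(OBSERVED, sig))
    print("suspicious by renewal frequency:", fast_renewers(SIGHTINGS))
```

Parsing the attributes out of real certificates (for instance with `openssl x509 -noout -subject -issuer -dates`) is left out; the records arrive already parsed. The benign reference set is what stops the signature from degenerating into "self-signed with a 1024-bit key", which legitimate internal services also present; in this data it removes the 365-day validity feature even though three of the four malicious certificates share it. The third observed server carries the same CN shape as the signature but is not self-signed, so it is not reported, which is the intended behaviour of requiring every signature feature rather than any one of them.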

Description

Technical field

[0001] The invention belongs to the technical field of information security, and in particular relates to an SSL/TLS encrypted malicious service discovery method based on certificate feature generalization and server change behaviour.

Background

[0002] In recent years, out of concern for data security and privacy, SSL/TLS (Secure Sockets Layer / Transport Layer Security) encrypted application services, represented by HTTPS, have increased significantly. Malicious services are also gradually migrating to SSL/TLS, using this public encryption scheme to hide themselves and evade security detection. A variety of malware has been found to use SSL/TLS encrypted command-and-control channels, such as the Dyre and Dridex Trojans (bank account theft), Gozi (financial crime, account theft) and the TorrentLocker ransomware, all of which are very harmful.

[0003] T...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/0823, H04L63/1425, H04L63/145
Inventors: 曹自刚, 熊刚, 李镇, 石俊峥
Owner: INST OF INFORMATION ENG CAS