
A method and device for identifying offline malware logs

A malware log technology, applied in the field of offline malware log identification, which addresses the problems of rapid malware updates, low efficiency and misidentification, among others, and improves both accuracy and efficiency.

Active Publication Date: 2020-01-17
BEIJINGNETENTSEC

AI Technical Summary

Problems solved by technology

[0008] 1) Malware samples must be obtained for analysis, but the number of samples and variants is huge and changes rapidly;
[0009] 2) Sample analysis requires a great deal of manpower and resources and is inefficient;
[0010] 3) When malware is bundled with normal software, the traffic samples contain a large amount of normal traffic, which is difficult to separate out;
[0011] 4) Malware has many variants and is updated quickly, so the above solutions cannot meet the timeliness requirement.
This approach, identifying botnets and malware infrastructure through threat intelligence, takes advantage of the efficiency and timeliness of threat intelligence, but it has the following problems. On the one hand, multiple websites and services may be associated with the same IP at the same time, so part of that IP's traffic is malicious while the rest is normal, and the two must be distinguished; using a single IP or domain name as the identification criterion is therefore likely to cause misidentification and false positives. On the other hand, botnet and malware network infrastructure currently changes rapidly, so intelligence on a single IP or domain name may become stale, which again leads to misidentification and false positives.



Examples


Embodiment 1

[0075] Figure 1 is a schematic flow diagram of the implementation of a method for identifying offline malware logs according to an embodiment of the present invention; the method comprises:

[0076] Step 101: based on the first destination IP and destination port contained in each of the obtained network logs, perform a matching search in the IP and port reverse matching rule set to obtain a candidate network log set and a suspicious malware hash value set;

[0077] Specifically, each of the obtained network logs is processed as follows: the network log is matched and searched in the IP and port reverse matching rule set on the basis of the first destination IP and destination port it contains; when the first destination IP and destination port contained in the network log match an IP and port reverse matching rule in the rule set, ...

Embodiment 2

[0153] Embodiment 1 of the present invention is further described below through a specific example. Figure 3 is a schematic diagram of the implementation flow of the method for generating malware matching rules from threat intelligence context information in Embodiment 2 of the present invention; the method includes:

[0154] Step 201: collecting malware threat intelligence and storing it in a threat intelligence library;

[0155] Specifically, both the malware threat intelligence collected over the network and the threat intelligence generated while malware runs in the local sandbox are stored in the threat intelligence library, building up a massive local threat intelligence library.

[0156] In this embodiment, the threat intelligence generated by the malware during loc...


Abstract

The invention discloses a method for identifying offline malware logs. The method comprises the following steps: performing a matching search in an IP and port reverse matching rule set on the basis of the first destination IP and destination port contained in each of a plurality of obtained network logs, so as to obtain a candidate network log set and a suspicious malware hash value set; grouping the network logs in the candidate network log set by source IP to obtain a set of network log groups; filtering the network log groups according to a malware recognition rule set and the suspicious malware hash value set, so as to obtain a network log sub-group satisfying a first preset condition; and, when the head-to-tail time interval between two network logs in the sub-group is determined to be smaller than a preset threshold, judging that the network logs having the same source IP as those two network logs are infected by the malware corresponding to the hash value associated with the two network logs. The invention further discloses a device for identifying offline malware logs.
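The four-stage match the abstract describes (reverse lookup on destination IP and port, grouping by source IP, filtering against the recognition rules and the suspicious hash set, then the head-to-tail time check), as an added Python example that is not the patent's own code. The rule formats, the log field names, the reading of the "first preset condition" as full coverage of a hash's required endpoints, and the 300-second threshold are assumptions; the time check is generalized from two logs to the earliest and latest log in the sub-group.

```python
# Constructed IP/port reverse matching rules: (dst_ip, dst_port) -> malware hashes
# known to use that endpoint (placeholder hashes, not real indicators).
REVERSE_RULES = {
    ("203.0.113.10", 8080): {"HASH_A"},
    ("203.0.113.11", 443): {"HASH_A", "HASH_B"},  # endpoint shared by two families
}
# Constructed recognition rules: hash -> every endpoint an infected host must contact
RECOGNITION_RULES = {
    "HASH_A": {("203.0.113.10", 8080), ("203.0.113.11", 443)},
    "HASH_B": {("203.0.113.11", 443), ("203.0.113.12", 53)},
}
TIME_THRESHOLD = 300  # assumed head-to-tail interval threshold, in seconds

def identify_infected(logs, threshold=TIME_THRESHOLD):
    # Stage 1: reverse lookup on (dst_ip, dst_port) -> candidate logs, suspicious hashes
    candidates, suspicious = [], set()
    for rec in logs:
        hashes = REVERSE_RULES.get((rec["dst_ip"], rec["dst_port"]))
        if hashes:
            candidates.append(rec)
            suspicious |= hashes
    # Stage 2: group the candidate logs by source IP
    groups = {}
    for rec in candidates:
        groups.setdefault(rec["src_ip"], []).append(rec)
    # Stages 3-4: per source IP and suspicious hash, the logs hitting that hash's rule
    # must cover every required endpoint and span less than the threshold
    verdicts = {}
    for src_ip, group in groups.items():
        for h in suspicious:
            required = RECOGNITION_RULES[h]
            sub = [r for r in group if (r["dst_ip"], r["dst_port"]) in required]
            if {(r["dst_ip"], r["dst_port"]) for r in sub} != required:
                continue  # one hit on a shared IP/port alone is not enough evidence
            times = sorted(r["ts"] for r in sub)
            if times[-1] - times[0] < threshold:
                verdicts.setdefault(src_ip, set()).add(h)
    return verdicts  # {src_ip: set of malware hashes}

# Constructed sample logs: one real infection, one host touching only the shared
# endpoint, and one host whose two hits are too far apart in time.
SAMPLE_LOGS = [
    {"ts": 1000, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 8080},
    {"ts": 1040, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.11", "dst_port": 443},
    {"ts": 1000, "src_ip": "10.0.0.7", "dst_ip": "203.0.113.11", "dst_port": 443},
    {"ts": 1000, "src_ip": "10.0.0.9", "dst_ip": "203.0.113.10", "dst_port": 8080},
    {"ts": 5000, "src_ip": "10.0.0.9", "dst_ip": "203.0.113.11", "dst_port": 443},
]
if __name__ == "__main__":
    print(identify_infected(SAMPLE_LOGS))  # {'10.0.0.5': {'HASH_A'}}
```

The host that only contacts the endpoint shared by two families is not flagged, which is the false-positive case the page's problem statement raises for single-IP matching.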

Description

Technical field

[0001] The invention relates to network security technology, in particular to a method and device for identifying offline malware logs.

Background technique

[0002] With the rapid development of the Internet, network security issues have gradually become prominent. Malware, represented by Trojan horses, viruses, backdoor programs and adware, has grown by leaps and bounds in quantity, update speed and use of technology, and the impact and losses it causes Internet users increase year by year. This makes it increasingly difficult for traditional malware detection methods, represented by static analysis methods such as file hashing, to meet requirements. Establishing a system that can effectively identify and control new malware has become one of the most urgent tasks in current network security.

[0003] Threat intelligence is the inevitable result of the evolution of defense ideas...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/56, G06F21/53, H04L29/06
CPC: G06F21/53, G06F21/562, H04L63/1425, H04L63/145
Inventor: 马勇, 周松松, 张永臣
Owner: BEIJINGNETENTSEC