Eureka AIR delivers breakthrough ideas for toughest innovation challenges, trusted by R&D personnel around the world.

Detection method, device and system of command and control channel

A technology of control channel and detection method, which is applied in the field of Internet security, can solve the problems of low detection efficiency of command and control channels, achieve the effects of improving network security, improving detection accuracy, and solving low detection efficiency

Active Publication Date: 2018-07-24
HILLSTONE NETWORKS CORP
View PDF11 Cites 3 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0008] Embodiments of the present invention provide a command and control channel detection method, device, and system to at least solve the technical problem of low detection efficiency of command and control channels in the prior art

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Detection method, device and system of command and control channel
  • Detection method, device and system of command and control channel
  • Detection method, device and system of command and control channel

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0037] According to an embodiment of the present invention, an embodiment of a method for detecting a command and control channel is provided. It should be noted that the steps shown in the flow charts of the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions , and, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that shown or described herein.

[0038] figure 1 It is a flowchart of a method for detecting a command and control channel according to an embodiment of the present invention, such as figure 1 As shown, the method includes the following steps:

[0039] Step S102, acquiring a first request sequence of the object to be detected, wherein the first request sequence includes multiple domain name resolution requests.

[0040] Specifically, the above-mentioned objects to be detected may be computer terminals connected to the...

Embodiment 2

[0067] According to an embodiment of the present invention, an embodiment of a method for detecting a command and control channel is provided. It should be noted that the steps shown in the flow charts of the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions , and, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that shown or described herein.

[0068] image 3 is a flow chart of another command and control channel detection method according to an embodiment of the present invention, such as image 3 As shown, the method includes the following steps:

[0069] Step S302, acquiring a first sequence.

[0070] Specifically, the above-mentioned first sequence may be a DNS request sequence sent by a controlled host carrying malware or a normal host not carrying malware, including multiple DNS requests.

[0071] Step S304, obtaining...

Embodiment 3

[0083] According to an embodiment of the present invention, an embodiment of an apparatus for detecting a command and control channel is provided.

[0084] Figure 4 is a schematic diagram of a command and control channel detection device according to an embodiment of the present invention, such as Figure 4 As shown, the device includes:

[0085] The acquiring module 42 is configured to acquire a first request sequence of the object to be detected, wherein the first request sequence includes a plurality of domain name resolution requests.

[0086] Specifically, the above-mentioned objects to be detected may be computer terminals connected to the Internet, such as personal computers PC, notebook computers, etc., and may include: controlled hosts carrying malicious software and normal hosts not carrying malicious software.

[0087] The first processing module 44 is configured to change the sending order of multiple domain name resolution requests in the first request sequence...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a detection method, device and system of a command and control channel. The method comprises the following steps: acquiring a first request sequence of a to-be-detected object,wherein the first request sequence comprises multiple domain name resolution requests; changing sending order of multiple domain name resolution requests in the first request sequence to obtain a second request sequence; sending the second request sequence to a target server, and receiving a first response sequence returned by the target server according to the second request sequence; obtaininga first detection result of the to-be-detected object according to the first response sequence, wherein the first detection result is used for representing whether the to-be-detected object uses the command and control channel. Through the detection method disclosed by the invention, the technical problem that the command and control channel in the prior art is low in detection efficiency is solved.

Description

technical field [0001] The invention relates to the field of Internet security, in particular to a method, device and system for detecting command and control channels. Background technique [0002] Malware (Malware) refers to the control of another computer through a specific program. Hackers can use malicious software to remotely control the computer, arbitrarily destroy or steal files and user passwords on the host. A controlled host is a computer that has been breached by hackers and planted with malicious software. Malware usually obtains commands by connecting to the CC server, and the connection between the controlled host and the CC server and the protocol used become the control channel of the malware, referred to as the C2 channel (Command&Control Channel). DNS (full name: Domain Name System) is a core service of the Internet, which serves as a distributed database that can map domain names and IP addresses to each other. A domain name is composed of a string of...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
CPCH04L63/1425
Inventor 田勇於大维贾宇蒋东毅
Owner HILLSTONE NETWORKS CORP
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Eureka Blog
Learn More
PatSnap group products