DDoS malicious code detection and traceability method based on breeding

A malicious code detection technique in the field of breeding-based DDoS malicious code detection and traceability. It addresses the difficulty of associating malicious code with attack events, the errors introduced by separating attack traffic from full traffic, and the inability to defend actively, with the effect of widening the scope of application and improving efficiency.

Active Publication Date: 2021-01-22
BEIJING RUICHI XINAN TECH


Problems solved by technology

[0003] Existing DDoS malicious code detection and traceability have the following problems. First, most approaches work around the victim of the DDoS attack, which sits downstream of the entire attack chain, making it difficult to track the main control end of the puppet machines. Second, tracing the main control end from the victim side requires separating attack-related traffic from the full traffic, which introduces errors. Third, they are limited to the passive discovery of DDoS attack events, and it is difficult to accurately correlate information such as malicious code, DDoS conditional active defense


Embodiment Construction

[0035] To help those of ordinary skill in the art understand and implement the present invention, it is described further below in detail in conjunction with the accompanying drawings.

[0036] The present invention provides a breeding-based DDoS malicious code detection and traceability method, comprising: long-term breeding of the samples to be detected under Linux; monitoring traffic changes in the breeding environment and detecting and identifying DDoS attack traffic; and performing DDoS traceability on the discovered attack events to locate the main control terminal of the botnet.

[0037] As shown in Figure 1, the specific steps are as follows:

[0038] Step 1. Based on virtualization technology, use existing DDoS malicious code or suspicious files under the Linux system as samples to be detected for long-term cultivation;

[0039] The malicious code architecture supported by breeding includes: x86_64, x86, MIPS, MIPS...


Abstract

The invention discloses a breeding-based DDoS malicious code detection and tracing method in the technical field of network security. The method comprises the following steps. First, existing DDoS malicious code or suspicious files under a Linux system serve as samples to be detected and are bred for a long time: a Docker image of the Linux system is constructed, the Docker image is run in each virtual environment of each server to form a container, each container is started successfully, its running information is stored in a database, and a monitoring program is configured for each container. Then each sample to be detected is placed into its corresponding container, and the monitoring program carries out multi-dimensional monitoring of the sample's behavior. The method then judges whether the total traffic of each sample exceeds a DDoS attack traffic threshold. If so, a DDoS event analysis function is called to cut out the discovered DDoS attack event, analyze it comprehensively, track and trace it, and locate the IP of the botnet main control end. Otherwise, the sample to be detected is a safe sample and is not processed further. The master control end of the puppet machines can thereby be tracked effectively.
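The threshold check and event cut-out described in the abstract, as an added illustration that is not the patent's own code: per-container traffic telemetry is constructed inline, a container whose peak packets-per-second exceeds an assumed threshold is flagged as a DDoS event, and the event is then split into the flood target and the host the sample contacted before the flood (a heuristic for the control-end candidate; the patent does not specify its threshold value or analysis rules).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    container: str  # breeding container that emitted the traffic
    ts: int         # seconds since the sample was started in the container
    dst: str        # destination IP of the flow
    packets: int    # packets sent to dst during that second


# Constructed sample telemetry (not from the patent): c1 beacons to one host at
# low volume and then floods another; c2 only produces light, steady traffic.
SAMPLE_FLOWS = [
    Flow("c1", 1, "203.0.113.5", 3),
    Flow("c1", 30, "203.0.113.5", 2),
    Flow("c1", 61, "198.51.100.9", 20000),
    Flow("c1", 62, "198.51.100.9", 21000),
    Flow("c1", 62, "203.0.113.5", 1),
    Flow("c2", 2, "192.0.2.10", 40),
    Flow("c2", 50, "192.0.2.10", 35),
]

DDOS_PPS_THRESHOLD = 5000  # assumed value; the patent gives no concrete threshold


def per_second_totals(flows):
    """Total packets emitted by a container in each observed second."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.ts] += f.packets
    return totals


def trace_event(flows, threshold):
    """Cut out the attack event from one container's flows: the flood target is the
    destination carrying the over-threshold traffic, and the control-end candidate
    is the host the sample talked to before the flood began (heuristic)."""
    totals = per_second_totals(flows)
    flood_start = min(t for t, n in totals.items() if n > threshold)
    flood = Counter()
    for f in flows:
        if f.ts >= flood_start:
            flood[f.dst] += f.packets
    target = flood.most_common(1)[0][0]
    pre = Counter(f.dst for f in flows if f.ts < flood_start and f.dst != target)
    control = pre.most_common(1)[0][0] if pre else None
    return {"flood_start": flood_start, "target": target, "control_candidate": control}


def analyze_containers(flows, threshold=DDOS_PPS_THRESHOLD):
    """Per container: peak packets/second; above the threshold is a DDoS event, else safe."""
    by_container = defaultdict(list)
    for f in flows:
        by_container[f.container].append(f)
    results = {}
    for cid, cflows in by_container.items():
        peak = max(per_second_totals(cflows).values())
        if peak > threshold:
            results[cid] = {"verdict": "ddos", "peak_pps": peak, **trace_event(cflows, threshold)}
        else:
            results[cid] = {"verdict": "safe", "peak_pps": peak}
    return results
```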

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a breeding-based DDoS malicious code detection and source tracing method.

Background technique

[0002] A distributed denial of service attack, or DDoS, is an attack method that sends abnormal requests to the target through a large number of puppet machines, so that the target's system hosts and network resources are over-occupied and it cannot receive or respond to normal requests. A puppet machine is a machine remotely controlled by the attacker. The attacker typically collects puppet machines from the network by scanning, vulnerability exploitation or weak-password brute forcing, implants malicious code on each successfully compromised server, and then, through a C/S model, manipulates the puppet machines to launch DDoS attacks or to perform further scanning and spreading.

[0003] The existing DDoS malicious code detection and traceability have the follow...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06F21/53
CPC: H04L63/1458, H04L63/1416, G06F21/53, Y02D30/50
Inventor: 杜飞尹天阳张兴睿
Owner: BEIJING RUICHI XINAN TECH