
A C&C channel discrimination method and system

A C&C channel discrimination method and system, applied in the field of network security, addresses three problems of existing approaches: the inability to distinguish P2P from C&S (client-server) C&C channels, the difficulty of regularly retraining the discriminant model, and the resulting delay in deploying countermeasures.

Active Publication Date: 2022-06-03
INST OF INFORMATION ENG CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

[0005] However, the above-mentioned C&C channel architecture type identification methods all have limitations.
Discrimination methods based on group analysis need to monitor a certain number of infected hosts or malicious-program nodes, or even an entire monitored network, at the same time; their deployment and usage requirements are high, which is not only impractical but also makes them unusable for analysing and protecting network scenarios in which there are only a few, or even a single, infected host.
Analysis and discrimination methods based on a single host do not have this limitation, but many of them can only output a malicious label (such as the family of the malicious program or botnet) and cannot distinguish P2P from C&S (client-server) C&C channels.
Some methods can distinguish P2P and C&S type C&C channels, but the training and analysis process of their discriminant model takes too long, which hinders regular retraining of the model and the timely deployment of countermeasures.




Embodiment Construction

[0071] Classify the second network flow set using the behaviour characterisation to obtain the several original features.

[0074] Determine the NODNS IP address dispersion degree category from the set of dstip attributes of a network flow set

[0075] Determine the NODNS port dispersion degree category: extract the TCP flows in the second network flow set, and according to the TCP flows

[0076] Determine the NODNS scale dispersion degree category: extract the TCP flows and the UDP flows in the second network flow set, and calculate respectively

[0077] Determine the NODNS communication similarity category: extract all flows of the second network flow set that share the same protocol

[0086] The fifth category is NODNS communication similarity: since the infected hosts in the same botnet will

[0088] W

[0089] The Type attribute represents the type of C&C channel structure generated by the infected host in the time slot. When Wi is

[0096]

[0097] where p(x, y) is th...


Abstract

The present invention provides a method and system for discriminating C&C channels, comprising: obtaining the traffic to be identified; classifying that traffic according to behavioural descriptions to obtain several original features with a preset number of categories and a preset number of behavioural features per category; performing feature selection on the original features to obtain the behavioural features to be judged; identifying those features with a preset machine learning algorithm to obtain a channel type inference result for each time slot; and comprehensively judging the per-slot inference results to obtain the C&C channel architecture type. By monitoring the network traffic of a single host, the proposed mechanism of behavioural features, time slot division, inference and comprehensive judgement is applicable to malicious programs with complex network behaviour, and the feature selection step improves the speed of channel architecture type analysis while preserving the correctness of the judgement.
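The pipeline described in this abstract and in the embodiment paragraphs above (per-slot NODNS features, feature selection, per-slot inference, comprehensive judgement across slots), as an added Python illustration; this is not the patent's code. The concrete feature formulas, the 0.5 thresholds, the majority-of-indicators rule standing in for the trained classifier, the mutual-information ranking used for feature selection, the exclusion of port-53 flows as "NODNS", and the flow records themselves are all assumptions made for the example.

```python
"""Single-host C&C architecture-type inference: per-time-slot behavioural
features -> feature ranking -> per-slot inference -> vote across slots.
Added illustration, not the patent's code; every formula, threshold and
record below is an assumption."""
from collections import Counter
from math import log2
from statistics import mean, pstdev

# Constructed flow records for one monitored host: (slot, proto, dst_ip, dst_port, bytes).
# Port-53 flows stand in for DNS traffic, which the "NODNS" features exclude (assumed).
CS_FLOWS = [  # one server, one port, near-constant sizes; a backup server appears in slot 2
    (0, "tcp", "203.0.113.10", 443, 1200), (0, "tcp", "203.0.113.10", 443, 1210),
    (0, "tcp", "203.0.113.10", 443, 1190), (0, "udp", "198.51.100.5", 53, 80),
    (1, "tcp", "203.0.113.10", 443, 1205), (1, "tcp", "203.0.113.10", 443, 1195),
    (1, "tcp", "203.0.113.10", 443, 1200), (1, "tcp", "203.0.113.10", 443, 1198),
    (1, "udp", "198.51.100.5", 53, 80),
    (2, "tcp", "203.0.113.10", 443, 1200), (2, "tcp", "203.0.113.10", 443, 1201),
    (2, "tcp", "203.0.113.11", 443, 1199),
]
P2P_FLOWS = [  # many peers, many ports, widely varying sizes
    (0, "tcp", "192.0.2.1", 6881, 900), (0, "tcp", "192.0.2.2", 6882, 3000),
    (0, "tcp", "192.0.2.3", 6883, 200), (0, "udp", "192.0.2.4", 6884, 400),
    (1, "tcp", "192.0.2.5", 7001, 150), (1, "tcp", "192.0.2.6", 7002, 2500),
    (1, "tcp", "192.0.2.7", 7003, 800), (1, "udp", "192.0.2.8", 7004, 60),
    (1, "udp", "192.0.2.9", 7005, 1400),
    (2, "tcp", "192.0.2.10", 8000, 500), (2, "tcp", "192.0.2.11", 8001, 5000),
    (2, "tcp", "192.0.2.12", 8002, 120),
]
FEATURES = ("ip_disp", "port_disp", "scale_disp_tcp", "scale_disp_udp", "similarity")


def _cv(sizes):
    """Coefficient of variation of flow sizes; 0 when there is nothing to compare."""
    return pstdev(sizes) / mean(sizes) if len(sizes) > 1 and mean(sizes) else 0.0


def group_by_slot(flows):
    by_slot = {}
    for f in flows:
        by_slot.setdefault(f[0], []).append(f)
    return dict(sorted(by_slot.items()))


def slot_features(flows):
    """Assumed concrete forms of the four NODNS feature categories for one slot."""
    flows = [f for f in flows if f[3] != 53]  # NODNS: drop DNS flows
    if not flows:
        return dict.fromkeys(FEATURES, 0.0)
    tcp = [f for f in flows if f[1] == "tcp"]
    udp = [f for f in flows if f[1] == "udp"]
    n = len(flows)
    pats = Counter((f[1], f[3], f[4] // 256) for f in flows)  # (proto, dst port, size bucket)
    return {
        "ip_disp": len({f[2] for f in flows}) / n,  # distinct destination IPs per flow
        "port_disp": len({f[3] for f in tcp}) / len(tcp) if tcp else 0.0,
        "scale_disp_tcp": _cv([f[4] for f in tcp]),
        "scale_disp_udp": _cv([f[4] for f in udp]),
        "similarity": pats.most_common(1)[0][1] / n,  # share of flows repeating the modal pattern
    }


def p2p_indicators(feat):
    """Binary 'looks P2P' flag per feature: high dispersion, low similarity (thresholds assumed)."""
    return {k: (feat[k] < 0.5) if k == "similarity" else (feat[k] > 0.5) for k in FEATURES}


def infer_slot(feat):
    """Stand-in for the trained classifier: majority of the five indicators."""
    return "P2P" if sum(p2p_indicators(feat).values()) >= 3 else "C&S"


def judge(flows):
    """Per-slot inference, then comprehensive judgement by vote across slots."""
    per_slot = {s: infer_slot(slot_features(fl)) for s, fl in group_by_slot(flows).items()}
    votes = Counter(per_slot.values())
    final = "undetermined" if votes["P2P"] == votes["C&S"] else votes.most_common(1)[0][0]
    return per_slot, final


def mutual_information(xs, ys):
    """I(X;Y) in bits from co-occurrence counts (assumed feature-selection criterion)."""
    n = len(xs)
    pxy, px, py = Counter(zip(xs, ys)), Counter(xs), Counter(ys)
    return sum(c / n * log2((c / n) / (px[x] / n * py[y] / n)) for (x, y), c in pxy.items())


def rank_features(labelled):
    """Rank features by MI between their binary indicator and the slot label, best first."""
    cols, labels = {k: [] for k in FEATURES}, []
    for flows, label in labelled:
        for fl in group_by_slot(flows).values():
            ind = p2p_indicators(slot_features(fl))
            for k in FEATURES:
                cols[k].append(ind[k])
            labels.append(label)
    return sorted(((k, mutual_information(cols[k], labels)) for k in FEATURES), key=lambda kv: -kv[1])


if __name__ == "__main__":
    print(rank_features([(CS_FLOWS, "C&S"), (P2P_FLOWS, "P2P")]))
    print(judge(CS_FLOWS), judge(P2P_FLOWS))
```

On the constructed data the backup server in slot 2 of the C&S host raises IP dispersion above the threshold for that one slot, but the other indicators keep the slot labelled C&S and the cross-slot vote is unaffected; the ranking step shows the UDP scale feature carrying the least information, which is the kind of feature the patent's selection step would drop to speed up analysis.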

Description

A C&C channel discrimination method and system

Technical field

[0001] The present invention relates to the technical field of network security, and in particular to a C&C channel discrimination method and system.

Background technique

The C&C channel (Command & Control Channel) is an essential functional component of advanced network malware such as botnet programs and Trojan horses. Through the C&C channel, the running malicious program and the controlling server or attacker continuously exchange the latest operation and attack commands, the status of infected hosts and devices, and command execution results, so that attackers can fully grasp the current attack situation, support subsequent attack decisions, and carry out combined attacks. In short, the function undertaken by the C&C channel is particularly important and indispensable. Therefore, once the existence of a C&C channel has been detected, accurate and in-de...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40
CPC: H04L63/1416, H04L63/145, Y02D30/50
Inventor 黄伟庆姜建国石志鑫殷其雷吕彬康肖钰
Owner INST OF INFORMATION ENG CHINESE ACAD OF SCI