
A method and device for detecting a compromised host

A compromised-host detection method, applied in the field of network security, addresses the problems of low detection efficiency, the inability to detect compromised hosts in encrypted traffic, and poor applicability.

Active Publication Date: 2022-02-15
北京微步在线科技有限公司

AI Technical Summary

Problems solved by technology

However, in the existing method the traffic must be decrypted first and only then detected, so a compromised host cannot be detected from encrypted traffic.
It follows that if the existing method cannot decrypt the traffic, it cannot detect on it; the method therefore has poor applicability, leading to missed or undetectable cases and low detection efficiency.



Examples


Embodiment 1

[0054] Please refer to figure 1, which is a schematic flowchart of a method for detecting a compromised host provided by an embodiment of the present application. This method is applied in the scenario of compromised-host detection based on TLS encrypted communication. The compromised-host detection method includes:

[0055] S101. Obtain communication traffic to be detected.

[0056] In the embodiment of the present application, the execution subject of the method may be a compromised-host detection device, and the compromised-host detection device may specifically be a computing device such as a computer or a server, which is not limited in this embodiment.

[0057] In the embodiment of the present application, the compromised-host detection device may also be an electronic device such as a smart phone or a tablet computer, which is not limited in this embodiment.

[0058] In the embodiment of the present application, the communication traffic to be detected may specifically be T...

Embodiment approach

[0074] As an optional implementation, the method also includes:

[0075] Obtain the original fingerprint data used to build the malicious fingerprint database, where the original fingerprint data includes original fingerprint data obtained by crawling malicious fingerprints and original fingerprint data obtained by running malicious program files in a sandbox;

[0076] Construct a malicious fingerprint library based on the original fingerprint data.

[0077] In the embodiment of the present application, obtaining original fingerprint data by crawling malicious fingerprints includes continuously crawling open-source malicious TLS fingerprints, and obtaining original fingerprint data by running malicious program files in a sandbox includes continuously running different malicious program files (such as Trojan horse files) in the sandbox to obtain their malicious TLS fingerprints. Specifically, a TLS fingerprint includes an MD5 or other hash value.

[0078] S104. Perform source tracing acc...

Embodiment 2

[0084] Please refer to figure 2, which is a schematic flowchart of another method for detecting a compromised host provided by an embodiment of the present application. As shown in figure 2, the compromised-host detection method includes:

[0085] S201. Obtain communication traffic to be detected.

[0086] S202. Analyze and process the communication traffic by using a communication fingerprint extraction algorithm to obtain fingerprint information, where the fingerprint information includes a client communication fingerprint and a server communication fingerprint for encrypted communication.

[0087] In this embodiment of the present application, the encrypted communication may specifically be TLS encrypted communication, and the communication fingerprint may specifically be a TLS fingerprint, which is not limited in this embodiment of the present application.

[0088] In this embodiment of the application, the TLS fingerprint extraction module can be u...
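The following Python is an added illustration of the pipeline described in steps S101 to S104 and S201 to S202 above; it is not the patent's own code nor an implementation from the applicant. The patent text does not name a fingerprint algorithm, so a JA3-style client fingerprint (MD5 over the ClientHello's version, cipher suites, extension types, supported groups and point formats, with GREASE values dropped) is assumed as a representative one, and only the client-side fingerprint is computed; the server-side fingerprint of S202 is omitted. The ClientHello records, the malicious fingerprint library and the flow records are all constructed inline, and the source tracing of S104 is reduced to reading the flow's source address. Everything read here is in the cleartext part of the handshake, which is the point the patent makes: no decryption is needed.

```python
import hashlib
import struct
from dataclasses import dataclass

# GREASE values (RFC 8701): random placeholders browsers insert; skip them so fingerprints stay stable.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}
SUPPORTED_GROUPS, EC_POINT_FORMATS = 10, 11   # TLS extension type numbers


def u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def u16_list(buf: bytes) -> list[int]:
    return [v for v in struct.unpack(f"!{len(buf) // 2}H", buf) if v not in GREASE]


def client_fingerprint(record: bytes) -> tuple[str, str]:
    """Read the cleartext ClientHello inside a TLS record and return the
    JA3-style string and its MD5 (assumed algorithm; the patent names none).
    Nothing is decrypted: these fields are sent before any key is negotiated."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                      # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    version = u16(hs, 4)                 # after handshake type(1) + length(3)
    pos = 6 + 32                         # skip the 32-byte client random
    pos += 1 + hs[pos]                   # session id
    cs_len = u16(hs, pos); pos += 2
    ciphers = u16_list(hs[pos:pos + cs_len]); pos += cs_len
    pos += 1 + hs[pos]                   # compression methods
    end = pos + 2 + u16(hs, pos); pos += 2
    ext_types, groups, formats = [], [], []
    while pos < end:
        etype, elen = u16(hs, pos), u16(hs, pos + 2); pos += 4
        data = hs[pos:pos + elen]; pos += elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == SUPPORTED_GROUPS:
            groups = u16_list(data[2:2 + u16(data, 0)])
        elif etype == EC_POINT_FORMATS:
            formats = list(data[1:1 + data[0]])
    fields = [str(version)] + ["-".join(map(str, xs)) for xs in (ciphers, ext_types, groups, formats)]
    ja3 = ",".join(fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list[int],
                       extensions: list[tuple[int, bytes]]) -> bytes:
    """Construct a ClientHello record for the sample data (not a real capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def groups_ext(*g: int) -> bytes:
    return struct.pack("!H", 2 * len(g)) + b"".join(struct.pack("!H", x) for x in g)


@dataclass
class Flow:
    src_ip: str          # traced back and marked compromised on a hit (S104)
    dst_ip: str
    client_hello: bytes


def build_library(sandbox_hellos: list[bytes], crawled_md5s: set[str]) -> set[str]:
    """Malicious fingerprint library: fingerprints of ClientHellos captured while
    running malware samples in a sandbox, plus crawled open-source entries."""
    return {client_fingerprint(h)[1] for h in sandbox_hellos} | set(crawled_md5s)


def detect_compromised(flows: list[Flow], library: set[str]) -> dict[str, list[tuple[str, str]]]:
    """S101-S104: fingerprint each flow, match the library, trace hits to the
    source address. Returns {src_ip: [(fingerprint_md5, dst_ip), ...]}."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for f in flows:
        _, digest = client_fingerprint(f.client_hello)
        if digest in library:
            hits.setdefault(f.src_ip, []).append((digest, f.dst_ip))
    return hits


# Constructed sample data (not captured traffic). The benign hello resembles a
# modern browser (TLS 1.3 suites, GREASE); the sandbox hello is a plain legacy client.
SNI = b"\x00\x0e\x00\x00\x0bexample.com"
BENIGN_HELLO = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], [
    (0x0A0A, b""), (0, SNI), (SUPPORTED_GROUPS, groups_ext(0x0A0A, 29, 23)),
    (EC_POINT_FORMATS, b"\x01\x00")])
SANDBOX_HELLO = build_client_hello(0x0303, [0x002F, 0x0035, 0x000A], [
    (SUPPORTED_GROUPS, groups_ext(23, 24)), (EC_POINT_FORMATS, b"\x01\x00")])
LIBRARY = build_library([SANDBOX_HELLO], {"0" * 32})      # "0"*32 is a placeholder crawled entry
FLOWS = [Flow("10.0.0.5", "203.0.113.7", BENIGN_HELLO),   # RFC 5737 documentation addresses
         Flow("10.0.0.9", "198.51.100.2", SANDBOX_HELLO)]

if __name__ == "__main__":
    for ip, matches in detect_compromised(FLOWS, LIBRARY).items():
        print(f"compromised host {ip}: {matches}")
```

Running the script marks 10.0.0.9 as compromised because its ClientHello hashes to the same value as the one recorded from the sandbox run, while the browser-like flow from 10.0.0.5 is left alone. In practice the library should also carry the server-side fingerprint from S202 and be refreshed continuously, since a fingerprint shared by malware and a legitimate TLS library would otherwise produce false positives.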


Abstract

The embodiments of the present application provide a method and device for detecting a compromised host, which relate to the technical field of network security. The method for detecting a compromised host includes: first obtaining the communication traffic to be detected and extracting the fingerprint information of the communication traffic; then determining, based on a malicious fingerprint database and the fingerprint information, whether a host is compromised; if so, tracing the source according to the communication traffic to obtain the communication protocol address of the compromised host; and finally marking the target host corresponding to that communication protocol address as a compromised host. Compromised-host detection can thus be performed without decrypting the traffic, which gives the method good applicability, avoids missed or undetectable cases, and improves the efficiency of compromised-host detection.

Description

Technical field

[0001] The present application relates to the technical field of network security, and in particular to a method and device for detecting a compromised host.

Background technique

[0002] In recent years, in order to detect threats present in a network and find compromised hosts, the traffic to be detected is usually decrypted first, then packet detection and behavior pattern detection are performed on the decrypted traffic to obtain detection results, and the compromised host is determined according to those results. However, the existing method must decrypt the traffic before detecting on it, so it cannot detect a compromised host from encrypted traffic. It follows that if the traffic cannot be decrypted, it cannot be detected; the existing method therefore has poor applicability, leads to missed or undetectable cases, and has low detection efficiency.

Contents of the invention

[0003] The purpose of the embod...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40
CPC: H04L63/1416; H04L2463/146
Inventor 康吉金贾振樊兴华
Owner 北京微步在线科技有限公司