CN-121396575-B - Botnet treatment method, device and storage medium based on depth protocol reverse analysis
Abstract
Embodiments of the disclosure provide a botnet treatment method and device based on deep protocol reverse analysis. The method comprises: deploying a plurality of high-interaction honeypots in virtual machines or containers that simulate a real operating system, application service or Internet of Things device, in order to trap botnet nodes; capturing the data packets exchanged between the botnet nodes and the honeypots and reverse-analysing the communication protocol carried in those packets to obtain a protocol analysis result; on the basis of that result, constructing a virtual C&C communication network that imitates the attacker's communication protocol and sends forged instructions to the connected botnet nodes; recording information about the nodes that connect to the virtual C&C network and building a node relation graph from it; identifying abnormal behaviour patterns from the node relation graph; and triggering a defence mechanism or countermeasure mechanism when abnormal behaviour is detected. When a botnet attack is encountered, the scheme can not only discover and analyse the botnet nodes but also counter the attacker through the actively operated virtual command-and-control network.
Inventors
- LIU CEYUE
- LIU GUANGMING
- YANG TIANCHANG
- ZHANG XIANGUO
- XU MINGYE
- ZHANG BINGZI
- KUANG YE
- TANG RAN
- ZHAO JIEMIN
- HOU ZHENGQI
Assignees
- The 15th Research Institute of China Electronics Technology Group Corporation (中国电子科技集团公司第十五研究所)
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2025-10-15
Claims (7)
- 1. A botnet governance method based on deep protocol reverse analysis, the method comprising: deploying a plurality of high-interaction honeypots in a virtual machine or a container, the honeypots simulating a real operating system, application service or Internet of Things device, and trapping bot nodes; capturing data packets between the bot nodes and the honeypots, and performing reverse analysis on the communication protocol in the data packets to obtain a protocol analysis result; based on the protocol analysis result, constructing a virtual C&C communication network that imitates the attacker's communication protocol and sends fake instructions to the connected bot nodes; recording information about the nodes connected to the virtual C&C communication network and constructing a node relation graph based on the node information, which comprises collecting and recording the IP address, online time, communication frequency, communication protocol, response time and behaviour pattern of each node connected to the virtual C&C communication network, constructing the node relation graph from the collected node information, the nodes of the graph representing bot nodes and the edges representing communication relations between nodes, identifying, from the correlation of the nodes' communication frequencies, which nodes communicate frequently within a given time period and cooperate with other bot nodes, analysing, from the geographic location of the IP addresses, which regions' nodes have strong cooperative relations, and searching for potential abnormal behaviour or hidden botnet subsets by cluster analysis and association rule analysis; and identifying abnormal behaviour patterns based on the node relation graph and triggering a defence mechanism or countermeasure mechanism when abnormal behaviour is detected, which comprises monitoring the request frequency and connection count of each node in real time, recording the timestamp, source IP address and request type each time a node initiates a request or establishes a connection, counting the requests and connections in real time over a sliding time window, marking a node as a high-risk node if its request count within the sliding time window exceeds a preset threshold, and either isolating the high-risk node from the rest of the network so that it can no longer communicate with the virtual C&C communication network, or sending fake vulnerabilities or erroneous instructions to the high-risk node to guide it into executing harmless operations.
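The sliding-window threshold and node relation graph of claim 1 (and of the matching passage in the Description), as an added worked example rather than the patent's own code. Every address, timestamp, the 60-second window, the threshold of 30 requests and the decoy-task action are constructed or assumed for the demonstration; the graph step goes slightly beyond the claim text by excluding the honeypot/virtual C&C hub from the peer-subset search, since otherwise every node would be linked through it.

```python
"""
Added example, not the patent's own code: per-node request counting over a
sliding time window with a preset threshold, and a node relation graph whose
edges are weighted by communication frequency. All node addresses, timestamps,
the window length and the threshold are constructed/assumed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since capture start
    src_ip: str    # node that initiated the request or connection
    dst_ip: str    # node it talked to: honeypot, virtual C&C, or a peer bot
    kind: str      # request type, e.g. "beacon", "connect", "peer-sync"


class NodeMonitor:
    """Tracks each source's requests in a sliding window and the who-talks-to-whom graph."""

    def __init__(self, window_s: float, threshold: int):
        self.window_s = window_s
        self.threshold = threshold
        self._recent = defaultdict(deque)   # src_ip -> timestamps inside the window
        self.peak = defaultdict(int)        # src_ip -> highest in-window count seen
        self.high_risk = set()
        self.edges = defaultdict(int)       # unordered (a, b) -> communication count

    def observe(self, ev: Event) -> int:
        """Record one request; returns the source's count within the window."""
        q = self._recent[ev.src_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:   # evict timestamps older than the window
            q.popleft()
        n = len(q)
        self.peak[ev.src_ip] = max(self.peak[ev.src_ip], n)
        if n > self.threshold:
            self.high_risk.add(ev.src_ip)
        self.edges[tuple(sorted((ev.src_ip, ev.dst_ip)))] += 1
        return n

    def action_for(self, ip: str) -> str:
        """Countermeasure for a node: cut it off from the virtual C&C, or keep
        feeding it harmless decoy tasks so it stays under observation."""
        return "isolate" if ip in self.high_risk else "serve-decoy-task"

    def peer_subsets(self, min_count: int, hubs: set) -> list:
        """Connected components of bot nodes linked by >= min_count direct
        communications, ignoring edges to the hubs (honeypots / virtual C&C) so
        the hub itself does not glue every node into one component."""
        adj = defaultdict(set)
        for (a, b), n in self.edges.items():
            if n >= min_count and a not in hubs and b not in hubs:
                adj[a].add(b)
                adj[b].add(a)
        seen, groups = set(), []
        for start in adj:
            if start in seen:
                continue
            comp, stack = set(), [start]
            while stack:
                node = stack.pop()
                if node in comp:
                    continue
                comp.add(node)
                stack.extend(adj[node] - comp)
            seen |= comp
            groups.append(frozenset(comp))
        return groups


VIRTUAL_C2 = "198.51.100.10"   # constructed address of the virtual C&C


def constructed_events() -> list:
    """Synthetic capture: one node hammering the virtual C&C, two nodes that
    beacon slowly but also talk to each other, and one one-off connection."""
    events = [Event(0.5 * i, "10.0.0.5", VIRTUAL_C2, "beacon") for i in range(40)]
    for ip in ("10.0.0.6", "10.0.0.7"):
        events += [Event(20.0 * i, ip, VIRTUAL_C2, "beacon") for i in range(3)]
    events += [Event(5.0 + 10.0 * i, "10.0.0.6", "10.0.0.7", "peer-sync") for i in range(4)]
    events.append(Event(7.0, "10.0.0.8", VIRTUAL_C2, "connect"))
    return sorted(events, key=lambda e: e.ts)


def run_monitor(window_s: float = 60.0, threshold: int = 30) -> NodeMonitor:
    mon = NodeMonitor(window_s, threshold)
    for ev in constructed_events():
        mon.observe(ev)
    return mon


if __name__ == "__main__":
    mon = run_monitor()
    for ip in sorted(mon.peak):
        print(f"{ip:12} peak={mon.peak[ip]:3} action={mon.action_for(ip)}")
    print("peer subsets:", mon.peer_subsets(3, {VIRTUAL_C2}))
```

On the constructed capture, 10.0.0.5 reaches 40 requests inside the window and is marked high-risk and isolated, while 10.0.0.6 and 10.0.0.7 stay under the threshold but surface as a cooperating subset because they exchange four direct messages. The window is evicted lazily on each new event, so a node that goes quiet is never re-evaluated; a production monitor would also sweep idle sources on a timer.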
- 2. The botnet governance method based on deep protocol reverse analysis of claim 1, wherein deploying a plurality of high-interaction honeypots in a virtual machine or container that simulate a real operating system, application service or Internet of Things device, and trapping bot nodes, comprises: exposing an SMB service in a honeypot to simulate a Windows system, and using a weak password to attract targeted attacks on the SMB service; simulating an Internet of Things device, and setting a default weak password or exposing an available service to attract attacker connections; and, when a bot node or attacker attempts to connect to a honeypot, recording the relevant behaviour information, including the IP address, the services accessed and the data packets transmitted.
- 3. The botnet governance method based on deep protocol reverse analysis of claim 1, wherein capturing the data packets between the bot nodes and the honeypot, performing reverse analysis on the communication protocol in the data packets and obtaining a protocol analysis result comprises: capturing the first 100 data packets between the bot nodes and the honeypot with a protocol reverse-engineering engine; judging by entropy analysis whether the data packets are encrypted, and identifying the encryption scheme; and, if the communication protocol uses an XOR cipher with a rotating (round) key, deducing the key replacement rule by comparing the ciphertext-to-plaintext relation across a plurality of captured data packets.
- 4. The botnet governance method based on deep protocol reverse analysis of claim 1, wherein constructing, based on the protocol analysis result, a virtual C&C communication network that imitates the attacker's communication protocol comprises: disguising the virtual C&C communication network as the real C&C server by using an IP address, port, protocol and authentication mechanism similar to those of the real C&C server; and simulating the attacker's communication protocol, sending fake instructions to the connected bot nodes and responding to the bot nodes' requests.
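The protocol reverse analysis of claim 3 and the impersonating virtual C&C of claim 4 (both repeated in the Description), as one added worked example that is not the patent's own code. The bot beacon format, the 5-byte key, the rule that the key rotates one byte per packet, and the 6.0 bits/byte entropy threshold are all constructed assumptions; the example also assumes, as the claim's plaintext comparison requires, that the analyst knows the plaintext of the first few packets (a fixed beacon format, or fields the honeypot itself echoed). The rule inference is slightly more general than the claim text in that it tests a static key as well as a rotating one.

```python
"""
Added example, not the patent's own code: entropy screening of captured bot
packets, recovery of a rotating XOR key from packets whose plaintext is known,
inference of the key replacement rule, and a virtual C&C reply encrypted under
the same rule. The beacon protocol, key, packets and rule are all constructed.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 6.0) -> bool:
    """Assumed screening threshold. Caveat: short repeating-key XOR payloads often
    score well below this, so a below-threshold packet is not proof of plaintext;
    the known-plaintext comparison below is the reliable check."""
    return shannon_entropy(data) >= threshold


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def smallest_period(stream: bytes) -> int:
    """Shortest L such that stream[i] == stream[i - L] for every i >= L."""
    for L in range(1, len(stream)):
        if all(stream[i] == stream[i - L] for i in range(L, len(stream))):
            return L
    return len(stream)


def rotate_left(key: bytes, n: int) -> bytes:
    n %= len(key)
    return key[n:] + key[:n]


def recover_packet_key(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Known plaintext: k_i = c_i XOR p_i; the key is one period of that stream."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, plaintext))
    return stream[: smallest_period(stream)]


def infer_key_rule(keys: list) -> str:
    """Compare the per-packet keys of packets 0, 1, 2, ... against two candidate
    replacement rules; returns 'static', 'rotate-left-1-per-packet' or 'unknown'."""
    k0 = keys[0]
    if all(k == k0 for k in keys):
        return "static"
    if all(k == rotate_left(k0, i) for i, k in enumerate(keys)):
        return "rotate-left-1-per-packet"
    return "unknown"


def key_for_packet(k0: bytes, rule: str, seq: int) -> bytes:
    if rule == "static":
        return k0
    if rule == "rotate-left-1-per-packet":
        return rotate_left(k0, seq)
    raise ValueError("no key replacement rule inferred")


# ---- constructed bot-side protocol: beacon packets, 5-byte key rotated once per packet ----
BASE_KEY = b"\x5a\xc3\x3e\x91\x07"
KNOWN_PLAINTEXTS = [                  # assumed known to the analyst (fixed beacon format)
    b"HELLO id=cam-01 os=linux v=2\n",
    b"PING seq=1 uptime=60\n",
    b"PING seq=2 uptime=120\n",
]
UNKNOWN_PLAINTEXT = b"RESULT seq=3 task=none\n"   # packet 3: the analyst does not know this


def bot_encrypt(seq: int, plaintext: bytes) -> bytes:
    return xor_with_key(plaintext, rotate_left(BASE_KEY, seq))


def captured_packets() -> list:
    return [bot_encrypt(i, p) for i, p in enumerate(KNOWN_PLAINTEXTS)] + [bot_encrypt(3, UNKNOWN_PLAINTEXT)]


def analyse(captured: list, known: list) -> dict:
    keys = [recover_packet_key(c, p) for c, p in zip(captured, known)]
    rule = infer_key_rule(keys)
    decrypted = [xor_with_key(c, key_for_packet(keys[0], rule, i)) for i, c in enumerate(captured)]
    return {"key_len": len(keys[0]), "base_key": keys[0], "rule": rule, "decrypted": decrypted}


def virtual_c2_reply(base_key: bytes, rule: str, seq: int, command: bytes) -> bytes:
    """The virtual C&C answers in the bot's own dialect: a harmless instruction
    encrypted with the key the bot will expect for packet number seq."""
    return xor_with_key(command, key_for_packet(base_key, rule, seq))


if __name__ == "__main__":
    pkts = captured_packets()
    for i, c in enumerate(pkts):
        print(f"packet {i}: entropy={shannon_entropy(c):.2f} flagged={looks_encrypted(c)}")
    report = analyse(pkts, KNOWN_PLAINTEXTS)
    print("key length:", report["key_len"], "rule:", report["rule"])
    print("packet 3 decrypted:", report["decrypted"][3])
    reply = virtual_c2_reply(report["base_key"], report["rule"], 4, b"TASK sleep=3600\n")
    print("bot decrypts the reply to:", xor_with_key(reply, rotate_left(BASE_KEY, 4)))
```

Three packets with known plaintext are enough to recover the key length (the period of c XOR p), the base key and the rotation rule; packet 3, whose plaintext the analyst never saw, then decrypts with the predicted key, and the virtual C&C can answer packet 4 with a harmless sleep task the bot will accept. Note the entropy screen alone does not flag these short XOR-obfuscated beacons; in practice it is run over the concatenated first packets and used only to prioritise which flows get the known-plaintext treatment.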
- 5. The botnet governance method based on deep protocol reverse analysis of claim 1, further comprising: updating the node relation graph when a new node joins or the behaviour of an existing node changes; and optimising the defence strategy according to the real-time feedback obtained from the honeypots and the virtual C&C communication network and the updated node relation graph.
- 6. A botnet governance device based on deep protocol reverse analysis, characterised in that it comprises: at least one processor; and at least one memory storing a computer program, wherein the computer program, when executed by the at least one processor, causes the device to perform the steps of the botnet governance method based on deep protocol reverse analysis according to any one of claims 1 to 5.
- 7. A computer readable storage medium storing a computer program, characterised in that the computer program, when executed by a processor, implements the steps of the botnet governance method based on deep protocol reverse analysis according to any one of claims 1 to 5.
Description
Botnet treatment method, device and storage medium based on depth protocol reverse analysis

Technical Field

Embodiments of the present disclosure relate to the field of network security detection technology, and in particular to a botnet governance method and apparatus based on deep protocol reverse analysis, and a computer readable storage medium storing a computer program.

Background

With the development of the Internet and the spread of Internet of Things devices, network security problems are becoming increasingly serious. In particular, botnets have become a major hidden danger in the field of network security. A botnet consists of a large number of malware-infected computers that are remotely controlled by attackers to carry out various attack activities, such as distributed denial of service (DDoS) attacks, information theft and spam distribution. Traditional botnet governance approaches mostly rely on firewalls, intrusion detection systems and antivirus software, but these approaches often have difficulty coping with malicious traffic that is encrypted or disguised as normal traffic.

Disclosure of Invention

Embodiments described herein provide a botnet governance method and apparatus based on deep protocol reverse analysis, and a computer readable storage medium storing a computer program, which can effectively attract and capture botnet nodes by further analysing the botnet's communication protocol and constructing a virtual environment disguised as the real C&C network, so as to control and remediate the botnet.

According to a first aspect of the disclosure, a botnet governance method based on deep protocol reverse analysis is provided, comprising: deploying a plurality of high-interaction honeypots in a virtual machine or a container that simulate a real operating system, application service or Internet of Things device, and trapping botnet nodes; capturing data packets between the botnet nodes and the honeypots and performing reverse analysis on the communication protocol in the data packets to obtain a protocol analysis result; based on the protocol analysis result, constructing a virtual C&C communication network that imitates the attacker's communication protocol and sends fake instructions to the connected botnet nodes; recording information about the nodes connected to the virtual C&C communication network and constructing a node relation graph based on the node information; identifying abnormal behaviour patterns based on the node relation graph; and triggering a defence mechanism or countermeasure mechanism when abnormal behaviour is detected.

In some embodiments of the present disclosure, deploying a plurality of high-interaction honeypots in a virtual machine or container that simulate a real operating system, application service or Internet of Things device, and trapping bot nodes, includes exposing an SMB service in the honeypots to simulate a Windows system and using a weak password to attract targeted attacks on the SMB service; simulating an Internet of Things device and setting a default weak password or exposing an available service to attract attacker connections; and recording the relevant behaviour information, including the IP address, the services accessed and the data packets transmitted, when a bot node or the attacker attempts to connect to a honeypot.

In some embodiments of the disclosure, capturing a data packet between a bot node and a honeypot and performing reverse analysis on the communication protocol in the data packet to obtain a protocol analysis result includes capturing the first 100 data packets between the bot node and the honeypot with a protocol reverse-engineering engine; judging by entropy analysis whether the data packets are encrypted and identifying the encryption scheme; and, if the communication protocol uses an XOR cipher with a rotating (round) key, deducing the key replacement rule by comparing the ciphertext-to-plaintext relation across a plurality of captured data packets.

In some embodiments of the present disclosure, constructing, based on the protocol analysis result, a virtual C&C communication network that imitates the attacker's communication protocol and sends fake instructions to the connected bot nodes includes disguising the virtual C&C communication network as the real C&C server by using an IP address, port, protocol and authentication mechanism similar to those of the real C&C server; simulating the attacker's communication protocol; sending fake instructions to the connected bot nodes; and responding to the bot nodes' requests.

In some embodiments of the disclosure, recording node information connected to a virtual C&C communication network and constructing a node relation graph based on the node information includes collecting and recording the IP address, online time, communication frequency, communication protocol, response time and behaviour pattern information of each node connecte