Device backdoor detection method for network traffic security detection
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a device backdoor detection method for network traffic security detection.
Background
A device backdoor is a program that bypasses the system's security monitoring and directly obtains access and control rights to related programs and to the system. Backdoors are generally left in by developers while the system program is being developed, because they make it convenient to modify the system program during development; but if they are not removed before the device software is released, they become so-called vulnerabilities, and immeasurable losses can result if they are exploited by unauthorized persons.
Developers generally remove the backdoor from a product after it is released, but attackers can still exploit other vulnerabilities in the software to implant new backdoors, so device software must be checked for backdoors during unscheduled maintenance. Existing checking means generally monitor the data of the device program and software after they run and check whether the program communicates with other IP addresses; but a backdoor program only communicates and downloads after it has been activated, so this step cannot reliably detect a device backdoor, and it is difficult to judge from the device program's registry alone whether a registered item really is a backdoor program. A new method is therefore required to address this checking difficulty.
Disclosure of Invention
The object of the invention is to provide a device backdoor detection method for network traffic security detection that solves the problems described in the background.
To achieve the above object, the invention provides the following technical solution: the device backdoor detection method for network traffic security detection comprises a sandbox virtual system program, an unshelling (unpacking) program, a tracking program, a judging program, abnormal release file samples recorded by the registry, and file packet samples received when traffic abnormally increases; the abnormal release file samples found by tracing back the past registry are compared for consistency with the file packet samples received during past abnormal traffic increases, and whether a backdoor exists is judged from that consistency;
the specific steps for checking the abnormal release file samples recorded by the registry are as follows:
Step 1: set up a sandbox virtual system and place the suspicious device program and software into the sandbox ready to run. First run fileinfo.exe in the sandbox to check whether the suspicious device program and software are shelled (packed); from the detection result judge the type of shell applied and call the corresponding unshelling program. Software shelling is a method of protecting program resources; shells come in several types, including encryption shells, disguise shells, compression shells and multi-layer shells, whose purpose is to hide the program's OEP (original entry point) so that it is harder to locate and break, while unshelling removes the program's disguise and protective shell so that the program's resources can be examined and modified;
Step 2: if the suspicious device program and software are shelled, a method such as ESP-theorem unshelling is used to remove the shell and expose the OEP of the suspicious program, providing the conditions for the subsequent tracking program; if the fileinfo.exe result shows that the program is not shelled, proceed directly to Step 3;
Step 3: run the suspicious program and software directly and load the tracking program and the judging program. The tracking program tracks the data transmission of the suspicious program and software under test, checks whether they communicate with external unknown IP addresses and whether new registry entries are added, displays and records all IP addresses currently in communication, displays in real time the number of bytes sent and received per unit time, records sudden traffic changes within a time period, judges whether the new registry entries are suspicious, and records and lists the suspicious entries;
Step 4: trace back the past entries of the registry, list them and pass them to the judging program for checking; the judging program lists and records suspicious entries, searches the entries for records of past abnormally added new files, determines the location of the suspicious files by examining the operation logs, and compares the past suspicious files with the new files released by the current suspicious device program and software to judge whether their types are similar or identical. If they are similar or identical, the start time at which the current device program and software performed that operation in the past can be determined; if no new files have currently been added, only the location and time at which the past suspicious files were added are recorded.
Step 5: check whether the current device program and software automatically download suspicious file packets; if so, judge directly that a backdoor exists; if not, check the file packet samples received during past abnormal traffic increases against the past suspicious files.
The specific steps for checking the file packet samples received during past abnormal traffic increases are as follows:
Step 1: monitor whether traffic increases abnormally within a period after the suspicious device program and software are run; if so, record the size of the received data file packet and judge the file packet type;
Step 2: trace back and check past abnormal traffic increases, record the time point, check the IP address of the trigger source in the TCP communication recorded at the time of the abnormal increase, and record the size of the received file packet;
Step 3: check whether, at the time point of the past abnormal traffic increase, file sharing took place between the suspicious device program and software and other IP addresses that are not the trigger source.
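The three steps above (flag an abnormal traffic increase, record its time point, trigger-source IP and received size, and note any sharing with non-trigger IPs in the same window) can be expressed as a small detector over per-connection transfer records. The following is an added example, not code from the patent or from any product it describes; the record format, the spike threshold (10 times the median of the preceding normal windows), the minimum history of three windows and the 100,000-byte floor for counting an upload as "sharing" are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

# Constructed per-connection transfer records as a hypothetical tracking program
# might log them: (seconds since the program started, remote IP, bytes received,
# bytes sent). All values are invented for this example.
SAMPLE_RECORDS = [
    (0, "203.0.113.10", 1200, 300),
    (1, "203.0.113.10", 900, 250),
    (2, "203.0.113.10", 1100, 280),
    (3, "203.0.113.10", 1000, 260),
    (4, "198.51.100.7", 2_500_000, 400),   # sudden large download from a new peer
    (4, "203.0.113.10", 1000, 270),
    (4, "192.0.2.44", 0, 1_900_000),       # large upload to a third IP in the same window
    (5, "203.0.113.10", 950, 240),
    (6, "203.0.113.10", 1050, 255),
]

@dataclass
class SpikeEvent:
    """One recorded abnormal traffic increase (a 'flow mutation')."""
    time_point: int            # start of the window, in seconds
    total_received: int        # size of the data received in the window
    trigger_ip: str            # IP that contributed the most received bytes
    trigger_received: int
    sharing_peers: dict = field(default_factory=dict)  # non-trigger IP -> bytes sent to it

def group_by_window(records, window_size=1):
    """Sum received/sent bytes per remote IP inside fixed-size time windows."""
    windows = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # window -> ip -> [rx, tx]
    for t, ip, rx, tx in records:
        bucket = windows[t // window_size][ip]
        bucket[0] += rx
        bucket[1] += tx
    return windows

def rates_per_window(records, window_size=1):
    """Bytes received and sent per unit time, as the tracking program displays them."""
    return {w * window_size: (sum(rx for rx, _ in ips.values()), sum(tx for _, tx in ips.values()))
            for w, ips in group_by_window(records, window_size).items()}

def detect_spikes(records, window_size=1, factor=10.0, min_history=3, min_share_bytes=100_000):
    """Flag windows whose received bytes exceed `factor` times the median of the
    preceding normal windows. factor, min_history and min_share_bytes are assumed
    thresholds; the patent text names no specific values."""
    windows = group_by_window(records, window_size)
    baseline = []   # received-byte totals of windows judged normal so far
    events = []
    for w in sorted(windows):
        per_ip = windows[w]
        total_rx = sum(rx for rx, _ in per_ip.values())
        if len(baseline) >= min_history and total_rx > factor * median(baseline):
            # trigger source = the IP that delivered most of the received bytes
            trigger_ip, (trigger_rx, _) = max(per_ip.items(), key=lambda kv: kv[1][0])
            # sharing peers = other IPs that received a sizeable upload in the same window
            peers = {ip: tx for ip, (rx, tx) in per_ip.items()
                     if ip != trigger_ip and tx >= min_share_bytes}
            events.append(SpikeEvent(w * window_size, total_rx, trigger_ip, trigger_rx, peers))
        else:
            baseline.append(total_rx)   # spike windows are kept out of the baseline
    return events

if __name__ == "__main__":
    for t, (rx, tx) in sorted(rates_per_window(SAMPLE_RECORDS).items()):
        print(f"t={t}s rx={rx} tx={tx}")
    for ev in detect_spikes(SAMPLE_RECORDS):
        print(ev)
```

Each SpikeEvent carries exactly the fields the later comparison needs (time point, trigger IP, received size, and the non-trigger peers that received data), so the output of this detector can be fed straight into the consistency check between registry release samples and traffic samples.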
Comparing the consistency between the abnormal release file samples found by tracing back the past registry and the file packet samples received during past abnormal traffic increases comprises:
1) comparing whether the time point of the past suspicious registry entry matches the time point of the past abnormal traffic increase;
2) comparing whether the size and file type of the release file sample found through the past suspicious registry entry are consistent with those of the file packet received during the past abnormal traffic increase;
3) checking whether the size and file type of the file packet shared with other non-trigger-source IP addresses are consistent with those of the received file packet;
if any of the three items matches, a backdoor exists and is associated with the relevant file released by the suspicious program.
Preferably, the check of the abnormal release file samples recorded by the registry and the check of the file packet samples received during past abnormal traffic increases are both performed in the sandbox virtual system; the two checks can run synchronously and be compared in real time, which improves efficiency.
Preferably, the ESP-theorem unshelling method can also be replaced by an OD loading method.
Preferably, a size-matching error of no more than 1 MB between the abnormal release file sample recorded by the registry and the file packet sample received during the past abnormal traffic increase is considered consistent. The size of the received file packet sample is generally obtained during the past abnormal traffic increase and is the statistical total size of the received file packets; because the packets are scattered, the data packets released at the counted time point carry some missing deviation, which can be ignored during the comparison but must be eliminated when the backdoor is finally checked.
Preferably, the abnormal release file samples recorded in the registry are obtained by superposing the release files at different addresses at the same time point. If only a release file at a single address were taken for that time point and the release files at different time points were not superposed, the abnormal release file sample could not be compared with the file packet sample received during the abnormal traffic increase at the same time, unless three file exceptions were released from that time point.
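The three comparison items, the 1 MB size tolerance and the rule that release files recorded at the same time point are superposed before comparison can be carried out as follows. This is an added example and not code from the patent; the record formats are assumptions, the 60-second slack used to decide that two time points "match" is an assumption (the text names no tolerance), item 2 is evaluated only against release samples whose time point matches the spike, and all sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024
SIZE_TOLERANCE = 1 * MB   # the stated tolerance: a size error of at most 1 MB still counts as consistent

@dataclass(frozen=True)
class ReleaseRecord:
    """One abnormal release file found through the past suspicious registry entries."""
    time_point: int       # seconds since an arbitrary epoch (constructed)
    path: str
    size: int
    file_type: str

@dataclass(frozen=True)
class SpikeSample:
    """File packet sample received during a past abnormal traffic increase."""
    time_point: int
    trigger_ip: str
    received_size: int
    file_type: str
    shares: tuple = ()    # (peer_ip, size, file_type) of packets shared with non-trigger IPs

# Constructed sample data, not taken from any real device.
RELEASES = [
    ReleaseRecord(1000, r"C:\Users\op\AppData\Local\svc_a.dll", 1_400_000, "dll"),
    ReleaseRecord(1000, r"C:\Windows\Temp\svc_b.dll", 1_200_000, "dll"),
    ReleaseRecord(5000, r"C:\Windows\Temp\readme.txt", 2_000, "txt"),
]
SPIKES = [
    SpikeSample(1020, "198.51.100.7", 2_500_000, "dll",
                shares=(("192.0.2.44", 2_450_000, "dll"),)),
    SpikeSample(9000, "203.0.113.10", 40_000_000, "zip"),   # unrelated large download
]

def superpose_releases(releases):
    """Merge release files recorded at the same time point from different addresses
    into one sample per time point (total size, set of types, list of paths)."""
    merged = defaultdict(lambda: {"size": 0, "types": set(), "paths": []})
    for r in releases:
        entry = merged[r.time_point]
        entry["size"] += r.size
        entry["types"].add(r.file_type)
        entry["paths"].append(r.path)
    return dict(merged)

def sizes_consistent(a, b, tolerance=SIZE_TOLERANCE):
    """Sizes are treated as consistent when they differ by at most the tolerance."""
    return abs(a - b) <= tolerance

def check_spike(release_groups, spike, time_slack=60):
    """Evaluate the three consistency items for one traffic spike.
    Returns (set of matched item numbers, release paths involved)."""
    matched, paths = set(), []
    paired = [g for tp, g in release_groups.items() if abs(tp - spike.time_point) <= time_slack]
    if paired:
        matched.add(1)   # item 1: a suspicious release at the spike's time point
    for group in paired:
        # item 2: superposed release size and type consistent with the received packet
        if sizes_consistent(group["size"], spike.received_size) and spike.file_type in group["types"]:
            matched.add(2)
            paths.extend(group["paths"])
    for _peer_ip, size, file_type in spike.shares:
        # item 3: packet shared onward to a non-trigger IP consistent with the received packet
        if sizes_consistent(size, spike.received_size) and file_type == spike.file_type:
            matched.add(3)
    return matched, paths

def backdoor_findings(releases, spikes, time_slack=60):
    """One finding per spike that matched any item; an empty list means no backdoor found."""
    groups = superpose_releases(releases)
    findings = []
    for spike in spikes:
        matched, paths = check_spike(groups, spike, time_slack)
        if matched:
            findings.append({"time_point": spike.time_point, "trigger_ip": spike.trigger_ip,
                             "matched_items": sorted(matched), "release_paths": paths})
    return findings

if __name__ == "__main__":
    for finding in backdoor_findings(RELEASES, SPIKES):
        print(finding)
```

The constructed data shows why superposition matters: neither release file at time point 1000 is within 1 MB of the 2,500,000-byte packet on its own, but their combined size is, so item 2 only matches once the two files are merged into one sample.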
The beneficial effects of the invention are as follows:
According to the invention, the abnormal release file samples recorded in the registry and the file packet samples received during past abnormal traffic increases are checked: the time points, file packet types and sizes of the abnormally released file samples are listed and compared with the file packet samples received during past abnormal traffic increases, observing whether the time points are identical and judging whether the file sizes are identical or very close. If they are, the file sample carrying the backdoor in the device software, and the backdoor associated with the abnormal release, can be obtained directly. Because the abnormal behaviour of the device during past abnormal traffic increases is combined and compared with the registry while the current state is monitored in real time, the method is more efficient than checking only current abnormal IP communication or inspecting the registry alone, and the comparison improves accuracy.
Drawings
FIG. 1 is a flowchart of the check of abnormal release file samples recorded in the registry according to the present invention;
FIG. 2 is a flowchart of the check of file packet samples received during past abnormal traffic increases according to the present invention;
FIG. 3 is a schematic diagram of the comparison conditions according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIG. 1 to FIG. 3, in the embodiment of the present invention, a device backdoor detection method for network traffic security detection comprises a sandbox virtual system program, an unshelling (unpacking) program, a tracking program, a judging program, abnormal release file samples recorded in the registry, and file packet samples received when traffic abnormally increases; the abnormal release file samples found by tracing back the past registry are compared for consistency with the file packet samples received during past abnormal traffic increases, and whether a backdoor exists is judged from that consistency;
the specific steps for checking the abnormal release file samples recorded by the registry are as follows:
Step 1: set up a sandbox virtual system and place the suspicious device program and software into the sandbox ready to run. First run fileinfo.exe in the sandbox to check whether the suspicious device program and software are shelled (packed); from the detection result judge the type of shell applied and call the corresponding unshelling program. Software shelling is a method of protecting program resources; shells come in several types, including encryption shells, disguise shells, compression shells and multi-layer shells, whose purpose is to hide the program's OEP (original entry point) so that it is harder to locate and break, while unshelling removes the program's disguise and protective shell so that the program's resources can be examined and modified;
Step 2: if the suspicious device program and software are shelled, a method such as ESP-theorem unshelling is used to remove the shell and expose the OEP of the suspicious program, providing the conditions for the subsequent tracking program; if the fileinfo.exe result shows that the program is not shelled, proceed directly to Step 3;
Step 3: run the suspicious program and software directly and load the tracking program and the judging program. The tracking program tracks the data transmission of the suspicious program and software under test, checks whether they communicate with external unknown IP addresses and whether new registry entries are added, displays and records all IP addresses currently in communication, displays in real time the number of bytes sent and received per unit time, records sudden traffic changes within a time period, judges whether the new registry entries are suspicious, and records and lists the suspicious entries;
Step 4: trace back the past entries of the registry, list them and pass them to the judging program for checking; the judging program lists and records suspicious entries, searches the entries for records of past abnormally added new files, determines the location of the suspicious files by examining the operation logs, and compares the past suspicious files with the new files released by the current suspicious device program and software to judge whether their types are similar or identical. If they are similar or identical, the start time at which the current device program and software performed that operation in the past can be determined; if no new files have currently been added, only the location and time at which the past suspicious files were added are recorded.
Step 5: check whether the current device program and software automatically download suspicious file packets; if so, judge directly that a backdoor exists; if not, check the file packet samples received during past abnormal traffic increases against the past suspicious files.
The specific steps for checking the file packet samples received during past abnormal traffic increases are as follows:
Step 1: monitor whether traffic increases abnormally within a period after the suspicious device program and software are run; if so, record the size of the received data file packet and judge the file packet type;
Step 2: trace back and check past abnormal traffic increases, record the time point, check the IP address of the trigger source in the TCP communication recorded at the time of the abnormal increase, and record the size of the received file packet;
Step 3: check whether, at the time point of the past abnormal traffic increase, file sharing took place between the suspicious device program and software and other IP addresses that are not the trigger source.
Comparing the consistency between the abnormal release file samples found by tracing back the past registry and the file packet samples received during past abnormal traffic increases comprises:
1) comparing whether the time point of the past suspicious registry entry matches the time point of the past abnormal traffic increase;
2) comparing whether the size and file type of the release file sample found through the past suspicious registry entry are consistent with those of the file packet received during the past abnormal traffic increase;
3) checking whether the size and file type of the file packet shared with other non-trigger-source IP addresses are consistent with those of the received file packet;
if any of the three items matches, a backdoor exists and is associated with the relevant file released by the suspicious program.
The check of the abnormal release file samples recorded by the registry and the check of the file packet samples received during past abnormal traffic increases are both performed in the sandbox virtual system; the two checks can run synchronously and be compared in real time, which improves efficiency.
The ESP-theorem unshelling method can also be replaced by an OD loading method.
A size-matching error of no more than 1 MB between the abnormal release file sample recorded by the registry and the file packet sample received during the past abnormal traffic increase is considered consistent. The size of the received file packet sample is generally obtained during the past abnormal traffic increase and is the statistical total size of the received file packets; because the packets are scattered, the data packets released at the counted time point carry some missing deviation, which can be ignored during the comparison but must be eliminated when the backdoor is finally checked.
The abnormal release file samples recorded in the registry are obtained by superposing the release files at different addresses at the same time point. If only a release file at a single address were taken for that time point and the release files at different time points were not superposed with those at the same time point, the abnormal release file sample could not be compared with the file packet sample received during the abnormal traffic increase at the same time, unless three file exceptions were released from that time point.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.