CN101702660A - Abnormal domain name detection method and system - Google Patents


Info

Publication number
CN101702660A
Authority
CN
China
Prior art keywords
domain name
address
dns resolution
detected characteristics
dns
Prior art date
Legal status
Granted
Application number
CN200910237594A
Other languages
Chinese (zh)
Other versions
CN101702660B
Inventor
张永铮
周勇林
王明华
袁春阳
云晓春
郭莉
李世淙
由林麟
Current Assignee
Institute of Computing Technology of CAS
National Computer Network and Information Security Management Center
Original Assignee
Institute of Computing Technology of CAS
National Computer Network and Information Security Management Center
Priority
CN2009102375947A
Application filed by
Institute of Computing Technology of CAS, National Computer Network and Information Security Management Center
Publication
CN101702660A (application); CN101702660B (granted)
Current legal status
Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an abnormal domain name detection method and system. The method comprises: 1. receiving and parsing DNS response messages, accumulating statistics with a preset statistics time interval as the statistics period, and generating a DNS resolution statistics vector set that records the information carried by each DNS response message together with the number of times it was seen in that period; 2. using a preset detection time interval as the detection period, computing the preset detection features over the DNS resolution statistics vectors of the vector sets generated in that detection period, and generating a detection feature vector set in which each detection feature vector corresponds to one domain name; and 3. examining the detection feature vectors of the detection feature vector set and reporting the abnormal domain names. The invention can detect previously unknown abnormal domain names.

Description

Abnormal domain name detection method and system
Technical field
The present invention relates to the field of network security, and in particular to a method and a system for detecting abnormal domain names.
Background technology
With the development of Internet technology the Domain Name System (DNS) is used everywhere, and domain-name-related security incidents are growing: botnets (BotNet), DNS amplification distributed denial-of-service attacks (DNS Amplification DDoS Attack), drive-by download ("hanging horse") websites, and so on.
Take botnets as an example. To evade detection and takedown, a botnet commonly uses Dynamic DNS (DDNS) to designate the IP address of its command-and-control server (C&C, Command-and-Control server), so that the server address can be hidden and migrated; the bot program (Bot) obtains the current server address by resolving these domain names and through them receives the information and commands the attacker publishes. Domain names are therefore the key communication link between bot programs and the control server, and they play an important role in the detection, measurement and control of botnets.
Abnormal domain name detection methods in the prior art mainly include the following.
Methods based on the number of query requests. Botnet Detection and Response, The Network is the Infection, OARC Workshop, 2005 (available at http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf) judges a requested domain name to be abnormal from features such as an unusually large number of query requests and the temporal concentration of those requests. However, Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic, in Proceedings of the 5th IEEE Consumer Communications and Networking Conference, 2008: 476-481, shows by experiment that this method has a rather high false-alarm rate and performs poorly.
The Domain Name Service as an IDS, Master's Project, University of Amsterdam, Netherlands, Feb. 2006 (available at http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf) discloses a method, built on the query-count approach, that relies on repeated requests for non-existent domain names (NXDOMAIN). Its false-alarm rate is lower, but only domain names that fit this pattern can be found, so the large number of other abnormal domain names goes undetected.
Botnet Detection by Monitoring Group Activities in DNS Traffic, in Proceedings of the 7th IEEE International Conference on Computer and Information Technology, 2007: 715-720, discloses a method based on the distribution of the IP addresses that issue the query requests. It mainly uses features such as the similarity of the requesting IP addresses across consecutive time windows and the similarity of the sizes of their IP address lists to judge a domain name abnormal; domain name requests with forged source IP addresses, however, severely impair its detection effect.
Bayesian bot detection based on DNS traffic similarity, in Proceedings of the 2009 ACM Symposium on Applied Computing (SAC), Hawaii, USA, 2009: 2035-2041, discloses a method based on the DNS request traffic of known bot programs, but it cannot discover unknown abnormal domain names.
Summary of the invention
To solve the above problems, the invention provides an abnormal domain name detection method and system that can detect unknown abnormal domain names.
The invention discloses an abnormal domain name detection method, comprising:
Step 1: receiving and parsing DNS response messages, accumulating statistics with a preset statistics time interval as the statistics period, and generating a DNS resolution statistics vector set that records the information of each DNS response message and its count within the statistics period;
Step 2: using a preset detection time interval as the detection period, computing, in each detection period, the preset detection features over the DNS resolution statistics vectors of the vector sets generated in that period, and generating a detection feature vector set in which each detection feature vector corresponds to one domain name;
Step 3: examining the detection feature vectors in the detection feature vector set and generating the abnormal domain names.
Step 1 further comprises:
Step 21: defining the information recorded by each DNS resolution statistics vector of the set as the type information, domain name information, IP address information and count of a DNS response message;
Step 22: receiving the DNS response messages within the statistics period and parsing out the type information, domain name information and IP address information that each contains;
Step 23: judging whether the type contained in the DNS response message is an IP address type; if so, executing step 24, otherwise not counting the message;
Step 24: if the DNS resolution statistics vector set already contains a vector with the parsed domain name information and IP address information, incrementing that vector's count by one; otherwise adding a new vector to the set whose type, domain name and IP address information are those of the DNS response message and whose count is 1.
The preset detection features comprise one or more of: the length of the domain name; the number of special characters in the domain name; the number of special addresses among the IP addresses the domain name resolves to; the saltation degree of the domain name's resolution count; the periodicity of the domain name's resolution count; the number of network segments of the resolved IP addresses; the number of times the most recent change times of resolved IP addresses in different network segments fall within a corresponding preset specific period; and the change frequency of the network segment of the resolved IP addresses.
When the detection feature is the saltation degree of the domain name's resolution count, step 2 further comprises:
Step 41: for each DNS resolution statistics vector set generated within the detection time interval, summing the counts of the vectors of that set that contain the domain name; the sum is the domain name's resolution count in the statistics period the set corresponds to;
Step 42: computing the differences between the domain name's resolution counts in adjacent statistics periods within the detection time interval;
Step 43: finding the maximum and the minimum of those differences, adding 1 to the minimum if it is 0, and taking the quotient of the maximum divided by the minimum as the saltation degree of the domain name's resolution count in the detection time interval.
When the detection feature is the number of network segments of the IP addresses the domain name resolves to, step 2 further comprises:
Step 51: finding, in the DNS resolution statistics vector sets generated in the detection period, the vectors that contain the domain name, and combining the IP addresses of all those vectors into the domain name's IP address set;
Step 52: computing the number of network segments of the IP addresses from that IP address set.
When the detection feature is the number of times the most recent change times of resolved IP addresses in different network segments fall within a corresponding preset specific period, step 2 further comprises:
Step 61: creating for each domain name a list of the most recent change times of its resolved address, of a first preset length;
Step 62: if the IP address in the current DNS resolution statistics vector differs from the IP address resolved last time and the list is not full, appending the generation time of the current DNS resolution statistics vector set to the list; if the list is full, replacing the oldest time record with the current generation time;
Step 63: counting, from each domain name's list, how many of the most recent change times of resolved IP addresses in different network segments fall within the corresponding preset specific period.
When the detection feature is the change frequency of the network segment of the resolved IP addresses, step 2 further comprises:
Step 71: if the IP address in the current DNS resolution statistics vector lies in a different network segment from the IP address resolved last time, incrementing the feature's statistic by 1 and updating the record of the last resolved IP address to the current IP address.
When the detection feature is the periodicity of the domain name's resolution count, step 2 further comprises:
Step 81: creating for each domain name a resolution count record list of a second preset length;
Step 82: if the list is not full, appending the domain name's total resolution count over the detection time interval to the list; if the list is full, replacing the oldest record with that total;
Step 83: computing the feature from the domain name's resolution count record list with a periodicity or similarity calculation method.
The invention also discloses an abnormal domain name detection system, comprising:
a DNS resolution statistics module, for receiving and parsing DNS response messages, accumulating statistics with a preset statistics time interval as the statistics period, and generating a DNS resolution statistics vector set that records the information of each DNS response message and its count within the statistics period;
a detection feature statistics module, for using a preset detection time interval as the detection period and computing, in each detection period, the preset detection features over the DNS resolution statistics vectors of the vector sets generated in that period, generating a detection feature vector set in which each detection feature vector corresponds to one domain name;
an abnormality detection module, for examining the detection feature vectors in the detection feature vector set and generating the abnormal domain names.
The DNS resolution statistics module further comprises:
an initial setup module, for defining the information recorded by each DNS resolution statistics vector of the set as the type information, domain name information, IP address information and count of a DNS response message;
a data acquisition module, for receiving the DNS response messages within the statistics period and parsing out the type information, domain name information and IP address information that each contains;
a type judging module, for judging whether the type contained in the DNS response message is an IP address type and, if so, starting the statistics module, otherwise not counting the message;
a resolution statistics vector set generation module, for incrementing the count of the existing vector by one when the DNS resolution statistics vector set already contains a vector with the parsed domain name information and IP address information, and otherwise adding a new vector whose type, domain name and IP address information are those of the DNS response message and whose count is 1.
The preset detection features comprise one or more of: the length of the domain name; the number of special characters in the domain name; the number of special addresses among the IP addresses the domain name resolves to; the saltation degree of the domain name's resolution count; the periodicity of the domain name's resolution count; the number of network segments of the resolved IP addresses; the number of times the most recent change times of resolved IP addresses in different network segments fall within a corresponding preset specific period; and the change frequency of the network segment of the resolved IP addresses.
When the detection feature is the saltation degree of the domain name's resolution count, the detection feature statistics module is further configured to: for each DNS resolution statistics vector set generated within the detection time interval, sum the counts of the vectors of that set that contain the domain name, the sum being the domain name's resolution count in the statistics period the set corresponds to; compute the differences between the domain name's resolution counts in adjacent statistics periods within the detection time interval; find the maximum and minimum of those differences, add 1 to the minimum if it is 0, and take the quotient of the maximum divided by the minimum as the saltation degree of the domain name's resolution count in the detection time interval.
When the detection feature is the number of network segments of the IP addresses the domain name resolves to, the detection feature statistics module is further configured to find, in the DNS resolution statistics vector sets generated in the detection period, the vectors that contain the domain name, combine the IP addresses of all those vectors into the domain name's IP address set, and compute the number of network segments of the IP addresses from that set.
When the detection feature is the number of times the most recent change times of resolved IP addresses in different network segments fall within a corresponding preset specific period, the detection feature statistics module is further configured to create for each domain name a list of the most recent change times of its resolved address, of a first preset length; if the IP address in the current DNS resolution statistics vector differs from the IP address resolved last time and the list is not full, append the generation time of the current DNS resolution statistics vector set to the list, and if the list is full, replace the oldest time record with the current generation time; and count, from each domain name's list, how many of the most recent change times of resolved IP addresses in different network segments fall within the corresponding preset specific period.
When the detection feature is the change frequency of the network segment of the resolved IP addresses, the detection feature statistics module is further configured to increment the feature's statistic by 1 and update the record of the last resolved IP address to the current IP address whenever the IP address in the current DNS resolution statistics vector lies in a different network segment from the IP address resolved last time.
When the detection feature is the periodicity of the domain name's resolution count, the detection feature statistics module is further configured to create for each domain name a resolution count record list of a second preset length; if the list is not full, append the domain name's total resolution count over the detection time interval, and if it is full, replace the oldest record with that total; and compute the feature from the domain name's resolution count record list with a periodicity or similarity calculation method.
The beneficial effects of the invention are that it does not need to inspect domain name request messages; by adopting more accurate detection features it finds more abnormal domain names, and by using several detection features together it also lowers the false-alarm rate. Experiments show that threshold-based detection on these features reduces the false-alarm rate.
Description of drawings
Fig. 1 is the flow chart of abnormal domain name detection method;
Fig. 2 is the structure chart of abnormal domain name detection system.
Embodiment
The invention is described in further detail below with reference to the drawings.
The flow of the method of the invention is shown in Fig. 1.
Step S100: receive and parse DNS response messages, accumulate statistics with the preset statistics time interval as the statistics period, and generate a DNS resolution statistics vector set that records the information of each DNS response message and its message count within the statistics period.
The embodiment of step S100 is as follows.
Step S110: initialise the detection parameters.
In the embodiment, timer T is set to 0, the statistics time interval is Ts seconds, and the detection time interval is set to T0 = n × Ts seconds with n a positive integer. In the present embodiment Ts = 300 and T0 = 6 × 300 = 1800. The length of the list of most recent change times of the resolved address is set and denoted Lt, and the length of the resolution count record list is denoted Lp; in the present embodiment Lt = 2 and Lp = 48.
Each DNS resolution statistics vector of the set records the type information, domain name information, IP address information and count of a DNS response message and is written <Type, Domain, IP, Num>. Type is the query type of the resource record (RR, Resource Record) in the answer section of the DNS response message; Domain is the domain name; IP is the IP address the domain name resolved to; Num is the count, that is, the number of times this domain name resolved to this IP address.
Step S120: receive the DNS response messages within the statistics period and parse out the type information, domain name information and IP address information each contains.
In the embodiment, a DNS response message is a DNS message whose QR bit in the flags field of the DNS header is 1.
Step S130: judge whether the type contained in the DNS response message is an IP address type; if so, execute step S140, otherwise do not count the message.
Step S140: if the DNS resolution statistics vector set already contains a vector with the parsed domain name information and IP address information, increment that vector's count by one; otherwise add a new vector to the set whose type, domain name and IP address information are those of the DNS response message and whose count is 1.
An embodiment of step S100 runs as follows.
A DNS response message is received from the network and the DNS protocol is decoded to obtain the header and the type Type, the domain name Domain and the IP address, the IP address being the one resolved in the answer section. The type of the message is examined: if it is not type A, which denotes the IP address type, the message is discarded and the next DNS response message is awaited; if it is type A, the DNS resolution statistics vector set is searched for the Domain and IP of the current message. If a vector exists whose Domain and IP match those in the message, its Num is incremented by 1; otherwise a new vector is generated and added to the set, with Type A, Num 1, and Domain and IP equal to the domain name and IP address in the current message. This statistics process runs in a loop: the vectors produced in each statistics time interval form one DNS resolution statistics vector set whose generation time is recorded, until timer T exceeds the detection time interval T0, at which point abnormal domain name detection begins.
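The following added Python example walks through steps S120 to S140 on the wire format: it decodes a DNS message (RFC 1035 header, question skip, answer records with name compression), keeps only responses (QR = 1) and only type A answers, and accumulates the <Type, Domain, IP, Num> vectors of one statistics period. It is example code written for this page, not code from the patent. The sample messages are constructed in the block by a small builder, so nothing here is captured traffic; the domain names and addresses are made up.

```python
import struct

QR_MASK = 0x8000   # QR bit of the DNS flags word; 1 marks a response (step S120)
TYPE_A = 1         # RR type A; only address-type answers are counted (step S130)


def _read_name(pkt, off):
    """Decode a DNS name at pkt[off:], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:            # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("latin-1"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt):
    """Reduce one DNS message to its (Type, Domain, IP) A answers.
    Returns None for queries (QR = 0); non-A answers such as CNAME are skipped."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & QR_MASK:
        return None
    off = 12
    for _ in range(qdcount):                    # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((TYPE_A, name, ".".join(str(b) for b in rdata)))
    return answers


class StatisticsVectorSet:
    """The <Type, Domain, IP, Num> vectors of one statistics period (step S140)."""

    def __init__(self, generated_at):
        self.generated_at = generated_at        # generation time of the set
        self.vectors = {}                       # (Type, Domain, IP) -> Num

    def add_response(self, pkt):
        answers = parse_response(pkt)
        if answers is None:                     # a query: not counted
            return 0
        for key in answers:                     # existing vector: Num + 1; new: Num = 1
            self.vectors[key] = self.vectors.get(key, 0) + 1
        return len(answers)


def build_message(qname, answers, response=True):
    """Constructed sample traffic, not captured data: a DNS message with the given
    (rtype, rdata) answers, each answer name a pointer (0xC00C) to the question name."""
    def encode_name(name):
        return b"".join(bytes([len(l)]) + l.encode("latin-1") for l in name.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for rtype, rdata in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + question + body


def demo_period():
    """One statistics period fed with constructed messages; returns its vector dict."""
    period = StatisticsVectorSet(generated_at=0)
    a_56 = build_message("c2.example.test", [(TYPE_A, bytes([222, 118, 37, 56]))])
    cname_then_a = build_message("c2.example.test",
                                 [(5, b"\x03cdn\xC0\x0C"),                # CNAME: skipped
                                  (TYPE_A, bytes([222, 110, 111, 11]))])
    query = build_message("c2.example.test", [], response=False)         # QR = 0: dropped
    for pkt in (a_56, a_56, cname_then_a, query):
        period.add_response(pkt)
    return period.vectors
```

The parser keeps the pointer-following logic bounded (a hop limit) because a crafted response with a pointer loop would otherwise hang the collector, which sits on a passive tap and sees whatever the network delivers.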
Step S200: using the preset detection time interval as the detection period, compute, in each detection period, the preset detection features over the DNS resolution statistics vectors of the vector sets generated in that period, and generate a detection feature vector set in which each detection feature vector corresponds to one domain name.
The embodiment of step S200 is as follows.
Whether timer T has exceeded the detection time interval T0 is judged. If it has, the detection feature vectors are computed from the DNS resolution statistics vectors of the n vector sets generated within the detection time interval T0, and the detection feature vector set is formed. If it has not, step S100 is executed, continuing to receive and count DNS response messages.
The preset detection features comprise one or more of: the length of the domain name; the number of special characters in the domain name; the number of special addresses among the IP addresses the domain name resolves to; the saltation degree of the domain name's resolution count; the periodicity of the domain name's resolution count; the number of network segments of the resolved IP addresses; the update time of the network segment of the latest resolved IP address; and the change frequency of the network segment of the resolved IP addresses.
(1) The length of the domain name, denoted domain_length, in bytes.
This feature is used because a DNS amplification DDoS attack reaches its denial-of-service goal by generating huge traffic through large numbers of requests for pre-configured over-long domain names and the corresponding resolution replies, and because botnets also often use over-long domain names to convey meaning; it is therefore chosen as a detection feature.
(2) The number of special characters in the domain name, denoted domain_specialchar.
In the embodiment, special characters are non-printable characters.
Because domain names exist to be easy for people to remember and express, special characters rarely appear in normal domain names, while in practice domain names with special characters are often used by botnets; this feature is therefore chosen as a detection feature.
(3) The number of special addresses among the IP addresses the domain name resolves to, denoted special_ip.
In the embodiment the special IP addresses comprise: 0.0.0.0, the "any" address; 127.x.x.x, the loopback address; 10.x.x.x, 172.16-31.x.x and 192.168.x.x, private addresses; and x.x.x.255, broadcast addresses.
If a domain name resolves to a special IP address, users generally cannot reach the server, so this abnormal situation is chosen as a detection feature.
(4) The saltation degree of the domain name's resolution count, denoted resolve_saltation.
This feature is computed as follows.
For each DNS resolution statistics vector set generated within the detection time interval, sum the counts of the vectors of that set that contain the domain name; the sum is the domain name's resolution count in the statistics period the set corresponds to. Compute the differences between the domain name's resolution counts in adjacent statistics periods within the detection time interval. Find the maximum and minimum of those differences, add 1 to the minimum if it is 0, and take the quotient of the maximum divided by the minimum as the saltation degree of the domain name's resolution count in the detection time interval.
In a botnet, a huge number of bot programs may resolve the domain name to reach the control server within a fixed time window, which usually causes sudden jumps in the domain name's resolution count in some periods; this feature is therefore chosen as a detection feature.
(5) The periodicity of the domain name's resolution count, denoted resolve_period.
To compute this feature, a resolution count record list of length Lp is created for each domain name and maintained as follows: if the list is not full, the domain name's total resolution count over the detection time interval T0 is appended; if the list is full, the oldest record is replaced.
Once the record list is obtained, the feature is computed with a periodicity or similarity calculation method from the prior art.
In an active botnet, bot programs periodically resolve the domain name to obtain the latest control server address and the corresponding commands; this feature is therefore chosen as a detection feature.
(6) The number of network segments to which the IP addresses of a domain name belong, denoted nonpool_ipnum.
The statistics process for this detection feature is as follows.
Search the DNS resolution statistics vector sets generated within the detection period for the DNS resolution statistics vectors that contain the domain name, and combine the IP addresses of all those vectors into the IP address set of the domain name; then compute the number of network segments to which the addresses in the IP address set belong.
This detection feature represents the number of different IP addresses that the domain name resolves to in the non-IP-pool case, where the non-IP-pool case means that the IP addresses the domain name resolves to do not belong to the same network segment. In the present embodiment, IP addresses that belong to the same network segment, for example the same class C segment (whose first 24 bits are the network address), are not counted in this detection feature. For example, if the same domain name resolves to 222.118.37.56, 222.118.37.58, 222.118.37.60 and 222.110.111.11, then the detection feature nonpool_ipnum of this domain name is 1.
In one embodiment the statistics method is as follows. Let the domain in the current DNS resolution statistics vector be di and its IP be IPi, and let Q be the set of IP records of the domain name di. Each IP record in Q is a pair <IP, Flag>, where Flag is a marker bit indicating whether this IP belongs to an IP pool: 0 means it is not an IP pool address and 1 means it is. Q is initialised to empty.
The statistics process is as follows. If Q is empty, add <IPi, 0> to Q and add 1 to nonpool_ipnum. If Q is not empty, compare IPi with every IP record in Q: if IPi is identical to an IP in Q, return and continue with the next DNS resolution statistics vector; if it is not identical but IPi and some IP in Q belong to the same class C network, check the Flag bit of that record: if Flag is 1, add <IPi, 1> to Q and return to process the next DNS resolution statistics vector; if Flag is 0, subtract 1 from nonpool_ipnum, change that record's Flag to 1 and add <IPi, 1> to Q. If IPi does not belong to the same class C network as any IP in Q, add <IPi, 0> to Q and add 1 to nonpool_ipnum.
Because botnets commonly use dynamic DNS (DDNS), the domain names they use often map to IP addresses in several different network segments; this feature is therefore chosen as a detection feature.
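The <IP, Flag> procedure above, as an added Python example (not the patent's code), run over the page's four sample addresses and over a few constructed address lists; the class C test is a /24 network comparison.

```python
import ipaddress

# The page's example: four answers for one domain name, three of them in the
# same class C segment 222.118.37.0/24. Expected nonpool_ipnum: 1.
PAGE_EXAMPLE_IPS = ["222.118.37.56", "222.118.37.58", "222.118.37.60", "222.110.111.11"]


def segment(ip):
    """Class C segment of an address: the network formed by its first 24 bits."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def same_c_class(ip_a, ip_b):
    """True when both addresses lie in the same class C segment."""
    return segment(ip_a) == segment(ip_b)


def nonpool_ipnum(resolved_ips):
    """Feature (6): number of distinct non-pool IP addresses, following the page's
    Q-record procedure. Q holds <IP, Flag> records; Flag 1 marks an address that
    belongs to an IP pool (it shares a class C segment with another record)."""
    q = []          # records as [ip, flag]
    count = 0
    for ip in resolved_ips:                      # IPi from successive statistics vectors
        if not q:                                # Q empty: first address, counted
            q.append([ip, 0])
            count += 1
            continue
        if any(ip == rec[0] for rec in q):       # identical IP already in Q: skip
            continue
        mate = next((rec for rec in q if same_c_class(ip, rec[0])), None)
        if mate is None:                         # no pool relation: a new non-pool IP
            q.append([ip, 0])
            count += 1
        elif mate[1] == 1:                       # pool already recognised: record only
            q.append([ip, 1])
        else:                                    # mate had been counted as non-pool: undo
            count -= 1
            mate[1] = 1
            q.append([ip, 1])
    return count


if __name__ == "__main__":
    print(nonpool_ipnum(PAGE_EXAMPLE_IPS))   # 1
```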
(7) The number of times that the most recent change times of the different-segment IP addresses a domain name resolves to fall within preset specific periods, denoted nonpool_specialchangetime.
To compute nonpool_specialchangetime, a list of the most recent change times of the resolved address, of length Lt, is kept for each domain name. Its statistics method is as follows: if the IP in the current DNS resolution statistics vector differs from the IP resolved last time and the list is not full, the generation time of the current DNS resolution statistics vector set is added to the list (without duplicates); if the list is full, the oldest time record is replaced; otherwise return and continue with the next statistics vector. The list thus records the most recent Lt change times.
The number of times that the most recent change times of the different-segment IP addresses fall within the corresponding preset specific periods is then counted from the list of most recent change times kept for each domain name.
Practice shows that, to stay hidden, botnets often use DDNS to resolve the domain name to non-control-server IPs during special periods such as commuting hours; this feature is therefore chosen and used.
(8) The change frequency of the network segment to which the IP address of a domain name belongs, denoted nonpool_changenum.
The statistics method for this feature is as follows: if the IP in the current DNS resolution statistics vector belongs to a different network segment from the IP resolved last time, add 1 to nonpool_changenum and update the last-resolved IP record to the current IP; otherwise return and continue with the next statistics vector. In other words, in the non-IP-pool case, nonpool_changenum is increased by 1 whenever two consecutively resolved IP addresses differ.
Because botnets use the DDNS mechanism, the IP addresses that their domain names resolve to usually change frequently, so as to stay hidden and to migrate the control server IP; this feature is therefore chosen as a detection feature.
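An added Python example, not from the patent, of features (7) and (8) over one constructed stream of (vector-set generation time, resolved IP) pairs, using the page's Lt = 2 and its specific periods; treating the first vector as no change, and updating the last-resolved IP of feature (7) on every vector, are my assumptions.

```python
import ipaddress
from datetime import datetime, time

LT = 2   # length Lt of the list of most recent change times (page experiment: Lt = 2)
# The specific periods named on the page (commuting hours).
SPECIAL_PERIODS = [(time(7, 30), time(9, 0)), (time(16, 30), time(18, 0))]

# Constructed stream of (vector-set generation time, resolved IP) for one domain
# name, in arrival order; addresses are documentation ranges, not real resolutions.
STREAM = [
    (datetime(2009, 7, 31, 7, 40), "198.51.100.10"),
    (datetime(2009, 7, 31, 7, 45), "198.51.100.10"),   # unchanged
    (datetime(2009, 7, 31, 7, 50), "198.51.100.11"),   # new IP, same /24 (a pool)
    (datetime(2009, 7, 31, 12, 0), "203.0.113.5"),     # new segment, outside special periods
    (datetime(2009, 7, 31, 16, 45), "192.0.2.77"),     # new segment, inside 16:30~18:00
    (datetime(2009, 7, 31, 17, 0), "192.0.2.77"),      # unchanged
]


def segment(ip):
    """Class C segment of an address (its first 24 bits)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def in_special_period(when, periods=SPECIAL_PERIODS):
    """True when the clock time of `when` lies inside one of the preset periods."""
    t = when.time()
    return any(lo <= t <= hi for lo, hi in periods)


def recent_change_times(stream, lt=LT):
    """The page's list of the most recent Lt change times of the resolved address.
    A change is an IP different from the last resolved one; the first vector has
    no predecessor and is not treated as a change (an assumption)."""
    recent = []          # oldest first, at most lt entries
    last_ip = None
    for when, ip in stream:
        if last_ip is not None and ip != last_ip and when not in recent:
            if len(recent) == lt:
                recent.pop(0)           # list full: replace the oldest time record
            recent.append(when)
        last_ip = ip
    return recent


def nonpool_specialchangetime(stream, lt=LT, periods=SPECIAL_PERIODS):
    """Feature (7): how many of the recent change times fall in a specific period."""
    return sum(1 for when in recent_change_times(stream, lt) if in_special_period(when, periods))


def nonpool_changenum(stream):
    """Feature (8): count segment changes between consecutively resolved IPs; the
    last-resolved record is updated only when the segment changed, as on the page."""
    changes = 0
    last_ip = None
    for _, ip in stream:
        if last_ip is None:
            last_ip = ip
        elif segment(ip) != segment(last_ip):
            changes += 1
            last_ip = ip
    return changes


if __name__ == "__main__":
    print(nonpool_specialchangetime(STREAM), nonpool_changenum(STREAM))   # 1 2
```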
Step S300: detect the detection feature vectors in the detection feature vector set and generate the abnormal domain names.
Each feature vector in the detection feature vector set is examined with an anomaly detection technique from the prior art, the abnormal domain names are generated and written to the abnormal domain name library. After all feature vectors have been processed, the DNS resolution statistics vector set and the detection feature vector set are emptied, the timer T is reset to zero and step S100 is executed again to continue receiving and counting DNS response messages.
There are several ways to implement abnormal domain name detection with anomaly detection techniques from the prior art, for example threshold-based detection methods and model-based detection methods such as those based on Bayesian networks.
Taking the threshold-based detection method and the model-based detection method as examples, the anomaly detection process is described below.
(1) In an embodiment based on the threshold detection method, it is first judged whether each detection feature is abnormal, and then whether the domain name is abnormal is judged from the abnormality results of its detection features. A detection threshold is set for each detection feature; each detection threshold may be a single threshold value, a threshold range or a group of threshold values. Each detection feature is then compared with its detection threshold, and the feature is considered abnormal if it is greater than, less than, falls within or deviates from the detection threshold associated with it.
The detection thresholds can be set separately for each detection feature according to practical experience and the application environment. For example, in one example the detection thresholds of domain_length, domain_specialchar, special_ip, resolve_saltation, resolve_period, nonpool_ipnum, nonpool_specialchangetime and nonpool_changenum are set to 80, 1, 1, 10, 0.9, 4, 2 (with the specific periods set to 7:30~9:00 and 16:30~18:00) and 18 respectively. A detection feature is considered abnormal when it is greater than or equal to its detection threshold.
In addition, the detection thresholds can also be set by training and learning in advance on network data from the application environment.
After the abnormality result of each detection feature making up the detection feature vector has been obtained, it can be further judged whether the domain name is abnormal. In one embodiment the criterion is as follows: if any detection feature is abnormal, the domain name corresponding to this detection feature vector is considered abnormal; if no detection feature is abnormal, the current domain name is considered a normal domain name.
(2) In an embodiment based on the model detection method, the anomaly detection process is described taking a method based on a publicly known Bayesian network as the example.
First, a training sample set with event conclusions is compiled; Table 1 below gives an example of such a training sample set based on the detection features.
Detection feature           Sample 1   Sample 2   Sample 3   Sample 4   Sample 5
domain_length               48         89         29         26         18
domain_specialchar          0          0          0          0          0
special_ip                  0          0          1          0          0
resolve_saltation           2          3          4          1          5
resolve_period              0.2        0.95       0.57       0.62       0.05
nonpool_ipnum               2          3          4          2          3
nonpool_specialchangetime   0          1          2          0          1
nonpool_changenum           6          4          20         15         11
conclusion                  Normal     Anomaly    Anomaly    Normal     Normal
Table 1
After the training sample set has been obtained, it is fed into the corresponding model and the model parameters are computed by training. Once training is complete, the model can be used for detection. During detection, the DNS response messages are collected, restored and counted as described above to generate the detection features, which are then input into the trained model. The model normally outputs the probabilities that the domain name is abnormal (Anomaly) and normal (Normal), for example 0.3 for abnormal and 0.7 for normal, and the conclusion with the larger probability (or the one exceeding a predetermined threshold) is usually taken to judge whether the domain name is abnormal.
Besides the Bayesian network method described above, prior-art methods also include detection methods based on a confidence model, on a transductive confidence machine, on K-nearest neighbours and on support vector machines.
An abnormal domain name detection system is shown in Figure 2.
The DNS resolution statistics module 100 is configured to receive and parse DNS response messages, to collect statistics with a preset statistics time interval as the statistics period, and to generate a DNS resolution statistics vector set containing the information of the DNS response messages and their count values within the statistics period.
Preferably, the DNS resolution statistics module 100 further comprises:
An initial setting module, configured to set the information of the DNS resolution statistics vector records of the DNS resolution statistics vector set to include the type information, domain name information, IP address information and count value of the DNS response messages.
A data acquisition module, configured to receive the DNS response messages within the statistics period and to parse out the type information, domain name information and IP address information contained in each DNS response message.
A type judging module, configured to judge whether the type contained in the DNS response message is the IP address type; if so, the statistics module is started, otherwise no statistics are collected for that DNS response message.
A resolution statistics vector set generation module, configured to add one to the count value of the DNS resolution statistics vector when a DNS resolution statistics vector containing the parsed domain name information and IP address information of the DNS response message already exists in the DNS resolution statistics vector set; and, when none exists, to add a new DNS resolution statistics vector to the set, whose type information, domain name information and IP address information are those of the DNS response message and whose count value is 1.
The detection feature statistics module 200 is configured to detect with a preset detection time interval as the detection period, and within the detection period to carry out detection feature statistics on the DNS resolution statistics vectors in the DNS resolution statistics vector sets generated during that detection period according to the preset detection features, generating a detection feature vector set in which each detection feature vector corresponds to one domain name.
The anomaly detection module 300 is configured to detect the detection feature vectors in the detection feature vector set and to generate the abnormal domain names.
The anomaly detection module 300 performs abnormality judgement on the detection feature vector of each domain name in the detection feature vector set obtained by the detection feature statistics module, generates abnormal domain name alert events and writes them to the abnormal domain name library; the abnormal domain name library stores the abnormal domain name alert events produced by the anomaly detection module.
Preferably, the preset detection features comprise one or more of: the length of the domain name, the number of special characters in the domain name, the number of special addresses among the IP addresses of the domain name, the sudden-change degree of the resolution count of the domain name, the periodicity of the resolution count of the domain name, the number of network segments to which the IP addresses of the domain name belong, the number of times that the most recent change times of the different-segment IP addresses the domain name resolves to fall within the corresponding preset specific periods, and the change frequency of the network segment to which the IP address of the domain name belongs.
Preferably, when the detection feature is the sudden-change degree of the resolution count of the domain name, the detection feature statistics module 200 is further configured, for each DNS resolution statistics vector set generated within the detection time interval, to sum the count values of the DNS resolution statistics vectors in that set that contain the domain name, this sum being the resolution count of the domain name in the statistics period corresponding to that set; to compute the differences between the resolution counts of the domain name in adjacent statistics periods within the detection time interval; and to find the maximum and minimum of these differences, adding 1 to the minimum if it is 0, the quotient of the maximum divided by the minimum being the sudden-change degree of the resolution count of the domain name within the detection time interval.
Preferably, when the detection feature is the number of network segments to which the IP addresses of the domain name belong, the detection feature statistics module 200 is further configured to search the DNS resolution statistics vector sets generated within the detection period for the DNS resolution statistics vectors that contain the domain name, to combine the IP addresses of all those vectors into the IP address set of the domain name, and to compute the number of network segments to which the addresses in the IP address set belong.
Preferably, when the detection feature is the number of times that the most recent change times of the different-segment IP addresses the domain name resolves to fall within the corresponding preset specific periods, the detection feature statistics module 200 is further configured to keep, for each domain name, a list of the most recent change times of the resolved address whose length is a first preset length; if the IP address in the current DNS resolution statistics vector differs from the IP address resolved last time and the list is not full, to add the generation time of the current DNS resolution statistics vector set to the list without duplication; if the list is full, to replace the oldest time record with the current generation time; and to count, from each domain name's list, the number of times that the most recent change times of the different-segment IP addresses fall within the corresponding preset specific periods.
Preferably, when the detection feature is the change frequency of the network segment to which the IP address of the domain name belongs, the detection feature statistics module 200 is further configured, if the IP address in the current DNS resolution statistics vector belongs to a different network segment from the IP address resolved last time, to add 1 to the statistic value of this detection feature and to update the last-resolved IP address record to the current IP address.
Preferably, when the detection feature is the periodicity of the resolution count of the domain name, the detection feature statistics module 200 is further configured to keep, for each domain name, a resolution-count record list whose length is a second preset length; if the list is not full, to append the sum of the resolution counts of the domain name within the detection time interval to it; if the list is full, to replace the oldest record with that sum; and to compute this detection feature from the domain name's resolution-count record list with a periodicity or similarity calculation method.
Experimental results
(a) Experimental data: the DNS data of one full day, July 31, 2009, from the core domain name server of a certain province is used as the experimental data.
(b) Hardware and software environment: a Dawning server (two Intel CPUs at 2.00 GHz, 4 GB memory) running the CentOS 5.2 Linux operating system.
(c) Detection method and parameters: taking the threshold-based detection method as the example, the DNS resolution statistics time interval is Ts = 300 seconds, the detection time interval is T0 = 1800 seconds, the length of the list of most recent change times of the resolved address is Lt = 2, the length of the resolution-count record list is Lp = 48, and the detection feature thresholds are 150, 1, 2, 400, 0.95, 13, 2 (with the specific periods set to 7:30~9:00 and 16:30~18:00) and [47, 50] respectively.
(d) Experimental results: shown in Table 2. The criterion for a known malicious domain name is that the domain name has been published by the professional bodies KISA (Korea Information Security Agency, botnet C&C server domain list, http://www.knsp.org/sink_dns/total.uniq.dns.rr.txt), ShadowServer (http://www.shadowserver.org) or Cymru (http://www.team-cymru.org/). The abnormal domain name verification method is as follows: since most domain names are used for web and mail services, we verify whether a domain name is abnormal by checking whether it provides normal web and mail services, which is also one of the widely used verification methods in this field. If the IP address the domain name resolves to is unreachable, the domain name is considered abnormal; if it is reachable but manual inspection finds the associated domain name to be a suspicious disguised website (for example one showing only a default home page), it is also considered abnormal; otherwise it is considered normal.
Table 2 (experimental results; the table is an image in the original and is not reproduced here)
The above experiment shows that the method of the invention can detect abnormal domain names from real DNS data, including published malicious domain names, and can find more abnormal domain names than existing methods, such as name anomalies, special-IP resolution anomalies, resolution-count sudden-change anomalies and anomalies in the number of different non-IP-pool resolved IP addresses, while having a lower false alarm rate.
Those skilled in the art can make various modifications to the above without departing from the spirit and scope of the invention as defined by the claims. The scope of the invention is therefore not limited to the above description but is determined by the scope of the claims.

Claims (16)

1. An abnormal domain name detection method, characterized in that it comprises:
Step 1: receiving and parsing DNS response messages, collecting statistics with a preset statistics time interval as the statistics period, and generating a DNS resolution statistics vector set containing the information of the DNS response messages and their count values within the statistics period;
Step 2: detecting with a preset detection time interval as the detection period, and within the detection period carrying out detection feature statistics on the DNS resolution statistics vectors in the DNS resolution statistics vector sets generated during that detection period according to preset detection features, generating a detection feature vector set in which each detection feature vector corresponds to one domain name;
Step 3: detecting the detection feature vectors in the detection feature vector set and generating the abnormal domain names.
2. The abnormal domain name detection method of claim 1, characterized in that
step 1 further comprises:
Step 21: setting the information of the DNS resolution statistics vector records of the DNS resolution statistics vector set to include the type information, domain name information, IP address information and count value of the DNS response messages;
Step 22: receiving the DNS response messages within the statistics period and parsing out the type information, domain name information and IP address information contained in each DNS response message;
Step 23: judging whether the type contained in the DNS response message is the IP address type; if so, executing step 24, otherwise collecting no statistics for that DNS response message;
Step 24: if a DNS resolution statistics vector containing the parsed domain name information and IP address information of the DNS response message already exists in the DNS resolution statistics vector set, adding one to the count value of that DNS resolution statistics vector; if not, adding a new DNS resolution statistics vector to the DNS resolution statistics vector set, whose type information, domain name information and IP address information are those of the DNS response message and whose count value is 1.
3. The abnormal domain name detection method of claim 1, characterized in that
the preset detection features comprise one or more of: the length of the domain name, the number of special characters in the domain name, the number of special addresses among the IP addresses of the domain name, the sudden-change degree of the resolution count of the domain name, the periodicity of the resolution count of the domain name, the number of network segments to which the IP addresses of the domain name belong, the number of times that the most recent change times of the different-segment IP addresses the domain name resolves to fall within the corresponding preset specific periods, and the change frequency of the network segment to which the IP address of the domain name belongs.
4. The abnormal domain name detection method of claim 2, characterized in that,
when the detection feature is the sudden-change degree of the resolution count of the domain name, step 2 further comprises:
Step 41: for each DNS resolution statistics vector set generated within the detection time interval, summing the count values of the DNS resolution statistics vectors in that set that contain the domain name, the sum being the resolution count of the domain name in the statistics period corresponding to that set;
Step 42: computing the differences between the resolution counts of the domain name in adjacent statistics periods within the detection time interval;
Step 43: finding the maximum and minimum of these differences, adding 1 to the minimum if it is 0, the quotient of the maximum divided by the minimum being the sudden-change degree of the resolution count of the domain name within the detection time interval.
5. The abnormal domain name detection method of claim 2, characterized in that,
when the detection feature is the number of network segments to which the IP addresses of the domain name belong, step 2 further comprises:
Step 51: searching the DNS resolution statistics vector sets generated within the detection period for the DNS resolution statistics vectors that contain the domain name, and combining the IP addresses of all those vectors into the IP address set of the domain name;
Step 52: computing the number of network segments to which the addresses in the IP address set belong.
6. The abnormal domain name detection method of claim 2, characterized in that,
when the detection feature is the number of times that the most recent change times of the different-segment IP addresses the domain name resolves to fall within the corresponding preset specific periods, step 2 further comprises:
Step 61: keeping, for each domain name, a list of the most recent change times of the resolved address whose length is a first preset length;
Step 62: if the IP address in the current DNS resolution statistics vector differs from the IP address resolved last time and the list is not full, adding the generation time of the current DNS resolution statistics vector set to the list without duplication; if the list is full, replacing the oldest time record with the current generation time;
Step 63: counting, from each domain name's list of most recent change times, the number of times that the most recent change times of the different-segment IP addresses fall within the corresponding preset specific periods.
7. The abnormal domain name detection method of claim 2, characterized in that,
when the detection feature is the change frequency of the network segment to which the IP address of the domain name belongs, step 2 further comprises:
Step 71: if the IP address in the current DNS resolution statistics vector belongs to a different network segment from the IP address resolved last time, adding 1 to the statistic value of this detection feature and updating the last-resolved IP address record to the current IP address.
8. The abnormal domain name detection method of claim 2, characterized in that,
when the detection feature is the periodicity of the resolution count of the domain name, step 2 further comprises:
Step 81: keeping, for each domain name, a resolution-count record list whose length is a second preset length;
Step 82: if the list is not full, appending the sum of the resolution counts of the domain name within the detection time interval to it; if the list is full, replacing the oldest record with that sum;
Step 83: computing this detection feature from the domain name's resolution-count record list with a periodicity or similarity calculation method.
9. An abnormal domain name detection system, characterized in that it comprises:
a DNS resolution statistics module, configured to receive and parse DNS response messages, to collect statistics with a preset statistics time interval as the statistics period, and to generate a DNS resolution statistics vector set containing the information of the DNS response messages and their count values within the statistics period;
a detection feature statistics module, configured to detect with a preset detection time interval as the detection period, and within the detection period to carry out detection feature statistics on the DNS resolution statistics vectors in the DNS resolution statistics vector sets generated during that detection period according to preset detection features, generating a detection feature vector set in which each detection feature vector corresponds to one domain name;
an anomaly detection module, configured to detect the detection feature vectors in the detection feature vector set and to generate the abnormal domain names.
10. The abnormal domain name detection system of claim 9, characterized in that
the DNS resolution statistics module further comprises:
an initial setting module, configured to set the information of the DNS resolution statistics vector records of the DNS resolution statistics vector set to include the type information, domain name information, IP address information and count value of the DNS response messages;
a data acquisition module, configured to receive the DNS response messages within the statistics period and to parse out the type information, domain name information and IP address information contained in each DNS response message;
a type judging module, configured to judge whether the type contained in the DNS response message is the IP address type; if so, the statistics module is started, otherwise no statistics are collected for that DNS response message;
a resolution statistics vector set generation module, configured to add one to the count value of the DNS resolution statistics vector when a DNS resolution statistics vector containing the parsed domain name information and IP address information of the DNS response message already exists in the DNS resolution statistics vector set; and, when none exists, to add a new DNS resolution statistics vector to the set, whose type information, domain name information and IP address information are those of the DNS response message and whose count value is 1.
11. The abnormal domain name detection system as claimed in claim 9, characterized in that
the preset detected features comprise one or more of: the length of the domain name; the number of special characters present in the domain name; the number of the domain name's corresponding IP addresses that are special addresses; the burst degree of the domain name's resolution count; the periodicity of the domain name's resolution count; the number of network segments to which the domain name's corresponding IP addresses belong; the number of times the most recent change time of the different-segment IP addresses resolved from the domain name falls within a corresponding preset specific period; and the change frequency of the network segment to which the domain name's corresponding IP address belongs.
12. The abnormal domain name detection system as claimed in claim 10, characterized in that
when the detected feature is the burst degree of the domain name's resolution count, the detected-feature statistics module is further configured to: for each DNS resolution statistics vector set generated within the detection time interval, calculate the sum of the count values of the DNS resolution statistics vectors in that set that contain the domain name, the sum being the resolution count of the domain name in the statistics period corresponding to that DNS resolution statistics vector set; calculate the differences between the resolution counts of the domain name in adjacent statistics periods within the detection time interval; find the maximum value and the minimum value among the differences, adding 1 to the minimum value if the minimum value is 0; and take the quotient of the maximum value divided by the minimum value as the burst degree of the domain name's resolution count within the detection time interval.
13. The abnormal domain name detection system as claimed in claim 10, characterized in that
when the detected feature is the number of network segments to which the domain name's corresponding IP addresses belong, the detected-feature statistics module is further configured to look up, in the DNS resolution statistics vector sets generated within the detection cycle, the DNS resolution statistics vectors that contain the domain name, combine the IP addresses of all those DNS resolution statistics vectors into the IP address set corresponding to the domain name, and calculate the number of network segments to which the IP addresses belong from that IP address set.
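Added worked example for the two features of claims 12 and 13 (burst degree of the resolution count, and number of network segments); it is not code from the patent or its applicants. Each statistics period is represented as a dictionary keyed by (domain name, IP address) with the count value as its value, and several such periods form the detection cycle. Two details the claims leave open are assumptions here: the difference between adjacent periods is taken as an absolute value, and a "network segment" is a /24 for IPv4 and a /64 for IPv6. The per-period data is constructed.

```python
import ipaddress


def resolution_counts_per_period(vector_sets, domain):
    """Per-period resolution count of `domain`: the sum of the count values of
    every vector in the period's set that names the domain."""
    return [sum(c for (d, _), c in vs.items() if d == domain) for vs in vector_sets]


def burst_degree(counts):
    """Claim 12: differences between adjacent periods, then max / min of them,
    the minimum being raised to 1 when it is 0. Taking the absolute value of
    each difference is an assumption; the claim only says 'difference'."""
    if len(counts) < 2:
        return 0.0
    diffs = [abs(b - a) for a, b in zip(counts, counts[1:])]
    hi, lo = max(diffs), min(diffs)
    if lo == 0:
        lo += 1
    return hi / lo


def network_segment(ip, v4_prefix=24, v6_prefix=64):
    """Map an address to its network segment (/24 and /64 are assumptions)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def segment_count(vector_sets, domain):
    """Claim 13: union of every IP resolved for the domain across the detection
    cycle, then the number of distinct network segments they fall into."""
    ips = {ip for vs in vector_sets for (d, ip) in vs if d == domain}
    return len({network_segment(ip) for ip in ips})


# Constructed detection cycle of four statistics periods. A stable site keeps
# one address and a flat count; the second name hops addresses and spikes.
PERIODS = [
    {("www.example.com", "93.184.216.34"): 40,
     ("flux.example.org", "198.51.100.7"): 2},
    {("www.example.com", "93.184.216.34"): 42,
     ("flux.example.org", "203.0.113.9"): 3,
     ("flux.example.org", "203.0.113.77"): 1},
    {("www.example.com", "93.184.216.34"): 41,
     ("flux.example.org", "192.0.2.5"): 60},
    {("www.example.com", "93.184.216.34"): 43,
     ("flux.example.org", "198.51.100.8"): 4},
]

if __name__ == "__main__":
    for name in ("www.example.com", "flux.example.org"):
        counts = resolution_counts_per_period(PERIODS, name)
        print(name, counts,
              "burst degree:", burst_degree(counts),
              "segments:", segment_count(PERIODS, name))
```

With this data the stable name has counts 40, 42, 41, 43 (differences 2, 1, 2, burst degree 2.0, one segment), while the hopping name has counts 2, 4, 60, 4 (differences 2, 56, 56, burst degree 28.0, three segments); the two features separate the two behaviours even though both are computed from nothing but the count vectors.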
14. The abnormal domain name detection system as claimed in claim 10, characterized in that
when the detected feature is the number of times the most recent change time of the different-segment IP addresses resolved from the domain name falls within a corresponding preset specific period, the detected-feature statistics module is further configured to establish for each domain name a recent resolved-address change time list whose length is a first preset length; if the IP address in the current DNS resolution statistics vector differs from the IP address resolved last time and the recent resolved-address change time list is not full, add the generation time of the current DNS resolution statistics vector set to the recent resolved-address change time list without repetition; if the recent resolved-address change time list is full, replace the oldest time record with the current generation time; and count, from the recent resolved-address change time list of each domain name, the number of times the most recent change time of the different-segment IP addresses resolved from the domain name falls within the corresponding preset specific period.
15. The abnormal domain name detection system as claimed in claim 10, characterized in that
when the detected feature is the change frequency of the network segment to which the domain name's corresponding IP address belongs, the detected-feature statistics module is further configured to, if the network segment to which the IP address in the current DNS resolution statistics vector belongs differs from the network segment to which the IP address resolved last time belongs, add 1 to the statistical value of the detected feature and update the record of the IP address resolved last time to the current IP address.
16. The abnormal domain name detection system as claimed in claim 10, characterized in that
when the detected feature is the periodicity of the domain name's resolution count, the detected-feature statistics module is further configured to establish for each domain name a resolution count record list whose length is a second preset length; if the resolution count record list is not full, add the sum of the domain name's resolution counts within the detection time interval to the resolution count record list; if the resolution count record list is full, replace the oldest record with the sum of the domain name's resolution counts; and calculate the detected feature from the resolution count record list of the domain name using a periodicity or similarity calculation method.
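Added worked example covering the three stateful per-domain features of claims 14, 15 and 16 (recent address change time list, network segment change count, and periodicity of the resolution count); it is not code from the patent or its applicants. The tracker is fed once per statistics period with the IP resolved for the domain, the generation time of that period's vector set, and the domain's resolution count in it. The first and second preset lengths, the /24 and /64 segment sizes, the use of lag autocorrelation as the "periodicity or similarity calculation method", and the preset specific periods (given as half-open time windows) are all assumptions; the observations are constructed.

```python
from collections import deque
import ipaddress


def network_segment(ip, v4_prefix=24, v6_prefix=64):
    """Map an address to its network segment (/24 and /64 are assumptions)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class DomainTracker:
    """Per-domain state updated once per statistics period.

    first_len / second_len stand for the patent's first and second preset
    lengths; a bounded deque drops the oldest record when a list is full,
    which is exactly the replace-the-oldest rule of claims 14 and 16.
    """

    def __init__(self, first_len=8, second_len=12):
        self.change_times = deque(maxlen=first_len)    # claim 14 list
        self.count_history = deque(maxlen=second_len)  # claim 16 list
        self.last_ip = None                            # "IP resolved last time"
        self.segment_changes = 0                       # claim 15 statistical value

    def observe(self, ip, period_time, period_count):
        if self.last_ip is not None:
            # Claim 14: record the period's generation time when the resolved
            # IP differs from the last one, without repeating a time already held.
            if ip != self.last_ip and period_time not in self.change_times:
                self.change_times.append(period_time)
            # Claim 15: count changes of network segment.
            if network_segment(ip) != network_segment(self.last_ip):
                self.segment_changes += 1
        self.last_ip = ip                      # update the last-resolved record
        self.count_history.append(period_count)  # claim 16 record list

    def changes_in_windows(self, windows):
        """Claim 14 feature: recorded change times that fall inside one of the
        preset specific periods, given as (start, end) half-open windows."""
        return sum(1 for t in self.change_times
                   if any(start <= t < end for start, end in windows))

    def periodicity(self, lag):
        """Claim 16 feature as the lag-`lag` autocorrelation of the count
        history, in [-1, 1]; close to 1 means the counts repeat every `lag`
        periods. Too short or constant histories yield 0."""
        x = list(self.count_history)
        n = len(x)
        if n < 2 or n <= lag:
            return 0.0
        mean = sum(x) / n
        var = sum((v - mean) ** 2 for v in x)
        if var == 0:
            return 0.0
        cov = sum((x[i] - mean) * (x[i + lag] - mean) for i in range(n - lag))
        return cov / var


def track_domain(observations, first_len=8, second_len=12):
    """Replay (ip, period_time, period_count) observations through a tracker."""
    tracker = DomainTracker(first_len, second_len)
    for ip, period_time, period_count in observations:
        tracker.observe(ip, period_time, period_count)
    return tracker


# Constructed observations for one domain over eight hourly periods: the
# address hops between three segments and the count alternates low/high.
FLUX_OBSERVATIONS = [
    ("198.51.100.7", 0, 2),
    ("203.0.113.9", 1, 50),
    ("203.0.113.9", 2, 2),
    ("192.0.2.5", 3, 50),
    ("192.0.2.6", 4, 2),
    ("198.51.100.8", 5, 50),
    ("198.51.100.8", 6, 2),
    ("203.0.113.20", 7, 50),
]

if __name__ == "__main__":
    tr = track_domain(FLUX_OBSERVATIONS)
    print("change times:", list(tr.change_times))
    print("segment changes:", tr.segment_changes)
    print("changes in windows [0,4) and [6,8):", tr.changes_in_windows([(0, 4), (6, 8)]))
    print("lag-2 periodicity:", tr.periodicity(2))
```

On this input the change time list is [1, 3, 4, 5, 7] (the hop from 192.0.2.5 to 192.0.2.6 at hour 4 is an address change but not a segment change, so the segment change count is 4), and the alternating counts give a lag-2 autocorrelation of 0.75 against -0.875 at lag 1, which is the kind of value the abnormality detection module would compare against its thresholds.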

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102375947A CN101702660B (en) 2009-11-12 2009-11-12 abnormal domain name detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102375947A CN101702660B (en) 2009-11-12 2009-11-12 abnormal domain name detection method and system

Publications (2)

Publication Number Publication Date
CN101702660A true CN101702660A (en) 2010-05-05
CN101702660B CN101702660B (en) 2011-12-14

Family

ID=42157555

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102375947A Expired - Fee Related CN101702660B (en) 2009-11-12 2009-11-12 abnormal domain name detection method and system

Country Status (1)

Country Link
CN (1) CN101702660B (en)

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075592A (en) * 2010-12-30 2011-05-25 吕晓雯 Method for screening DNS (Domain Name System) request
WO2011113239A1 (en) * 2010-03-19 2011-09-22 中国科学院计算机网络信息中心 Flow detection method for domain name system and domain name server thereof
CN102223422A (en) * 2011-08-02 2011-10-19 杭州迪普科技有限公司 Domain name system (DNS) message processing method and network safety equipment
CN102413197A (en) * 2011-08-01 2012-04-11 中国科学院计算机网络信息中心 Access statistics processing method and device
CN102624706A (en) * 2012-02-22 2012-08-01 上海交通大学 Method for detecting DNS (domain name system) covert channels
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN103152222A (en) * 2013-01-05 2013-06-12 中国科学院信息工程研究所 Method for detecting quick-changing attack domain name based on host group characteristics
CN103152442A (en) * 2013-01-31 2013-06-12 中国科学院计算机网络信息中心 Detection and processing method and system for botnet domain names
CN103327015A (en) * 2013-06-06 2013-09-25 西安交通大学 Method for estimating scale of host infected by malicious code based on DNS cache detection
CN103581363A (en) * 2013-11-29 2014-02-12 杜跃进 Method and device for controlling baleful domain name and illegal access
CN103581347A (en) * 2012-07-23 2014-02-12 深圳市世纪光速信息技术有限公司 Inundation sub-domain identification method and system
CN103973827A (en) * 2013-02-05 2014-08-06 中国移动通信集团公司 Domain name resolution method and device
CN104079421A (en) * 2013-03-27 2014-10-01 中国移动通信集团北京有限公司 Method and system for protecting domain name system (DNS)
CN104954505A (en) * 2015-06-12 2015-09-30 中国互联网络信息中心 Monitoring method and monitoring system for whole data updating process of DNS (Domain Name Server)
CN105072214A (en) * 2015-08-28 2015-11-18 携程计算机技术(上海)有限公司 C&C domain name identification method based on domain name feature
CN105262730A (en) * 2015-09-14 2016-01-20 北京华青融天技术有限责任公司 Monitoring method and device based on enterprise domain name safety
CN105827594A (en) * 2016-03-08 2016-08-03 北京航空航天大学 Suspicion detection method based on domain name readability and domain name analysis behavior
CN106209845A (en) * 2016-07-12 2016-12-07 国家计算机网络与信息安全管理中心 A kind of malicious HTTP based on Bayesian Learning Theory request decision method
CN106375351A (en) * 2016-11-29 2017-02-01 神州网云(北京)信息技术有限公司 Abnormal domain name detection method and device
CN106713312A (en) * 2016-12-21 2017-05-24 深圳市深信服电子科技有限公司 Method and device for detecting illegal domain name
CN106992969A (en) * 2017-03-03 2017-07-28 南京理工大学 DGA based on domain name character string statistical nature generates the detection method of domain name
CN107360185A (en) * 2017-08-18 2017-11-17 中国移动通信集团海南有限公司 A kind of assessing network method and system based on DNS behavioural characteristics
CN107517195A (en) * 2016-06-17 2017-12-26 阿里巴巴集团控股有限公司 A kind of method and apparatus of content distributing network seat offence domain name
CN107528904A (en) * 2017-09-01 2017-12-29 星环信息科技(上海)有限公司 Method and apparatus for data distribution formula abnormality detection
CN107733867A (en) * 2017-09-12 2018-02-23 北京神州绿盟信息安全科技股份有限公司 It is a kind of to find Botnet and the method and system of protection
CN108200054A (en) * 2017-12-29 2018-06-22 北京奇安信科技有限公司 A kind of malice domain name detection method and device based on dns resolution
CN108881151A (en) * 2017-12-29 2018-11-23 哈尔滨安天科技股份有限公司 A kind of no artis determines method, apparatus and electronic equipment
CN109120579A (en) * 2017-06-26 2019-01-01 中国电信股份有限公司 Detection method, device and the computer readable storage medium of malice domain name
CN109246083A (en) * 2018-08-09 2019-01-18 北京奇安信科技有限公司 A kind of detection method and device of DGA domain name
CN109660486A (en) * 2017-10-10 2019-04-19 阿里巴巴集团控股有限公司 The method and system and data processing method of attack is isolated
CN109889616A (en) * 2018-05-21 2019-06-14 新华三信息安全技术有限公司 A kind of method and device identifying domain name
CN110071829A (en) * 2019-04-12 2019-07-30 腾讯科技(深圳)有限公司 DNS tunnel detection method, device and computer readable storage medium
CN110636072A (en) * 2019-09-26 2019-12-31 腾讯科技(深圳)有限公司 Target domain name scheduling method, device, equipment and storage medium
CN111049784A (en) * 2018-10-12 2020-04-21 北京奇虎科技有限公司 Network attack detection method, device, equipment and storage medium
TWI703846B (en) * 2018-03-06 2020-09-01 香港商阿里巴巴集團服務有限公司 URL abnormal location method, device, server and storage medium
CN112565249A (en) * 2020-12-02 2021-03-26 中国联合网络通信集团有限公司 Domain name detection method and device
CN113792291A (en) * 2021-09-10 2021-12-14 全球能源互联网研究院有限公司 Host identification method and device infected by domain generation algorithm malicious software
CN114172707A (en) * 2021-11-29 2022-03-11 北京恒安嘉新安全技术有限公司 Fast-Flux botnet detection method, device, equipment and storage medium
WO2024036822A1 (en) * 2022-08-16 2024-02-22 天翼安全科技有限公司 Method and apparatus for determining malicious domain name, device, and medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106230775B (en) * 2016-07-13 2020-01-03 新华三技术有限公司 Method and device for preventing URL rule base from being attacked

Cited By (63)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011113239A1 (en) * 2010-03-19 2011-09-22 中国科学院计算机网络信息中心 Flow detection method for domain name system and domain name server thereof
CN102075592B (en) * 2010-12-30 2013-02-20 吕晓雯 Method for screening DNS (Domain Name System) request
CN102075592A (en) * 2010-12-30 2011-05-25 吕晓雯 Method for screening DNS (Domain Name System) request
CN102413197A (en) * 2011-08-01 2012-04-11 中国科学院计算机网络信息中心 Access statistics processing method and device
CN102223422A (en) * 2011-08-02 2011-10-19 杭州迪普科技有限公司 Domain name system (DNS) message processing method and network safety equipment
CN102223422B (en) * 2011-08-02 2014-07-09 杭州迪普科技有限公司 Domain name system (DNS) message processing method and network safety equipment
CN102624706A (en) * 2012-02-22 2012-08-01 上海交通大学 Method for detecting DNS (domain name system) covert channels
CN102624706B (en) * 2012-02-22 2015-07-15 上海交通大学 Method for detecting DNS (domain name system) covert channels
CN103581347A (en) * 2012-07-23 2014-02-12 深圳市世纪光速信息技术有限公司 Inundation sub-domain identification method and system
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN102882881B (en) * 2012-10-10 2015-06-24 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN103152222A (en) * 2013-01-05 2013-06-12 中国科学院信息工程研究所 Method for detecting quick-changing attack domain name based on host group characteristics
CN103152222B (en) * 2013-01-05 2015-11-18 中国科学院信息工程研究所 A kind of Intrusion Detection based on host group character detects speed and becomes the method for attacking domain name
CN103152442A (en) * 2013-01-31 2013-06-12 中国科学院计算机网络信息中心 Detection and processing method and system for botnet domain names
CN103152442B (en) * 2013-01-31 2016-06-01 中国科学院计算机网络信息中心 A kind of detection and treatment method of corpse domain names and system
CN103973827A (en) * 2013-02-05 2014-08-06 中国移动通信集团公司 Domain name resolution method and device
CN104079421A (en) * 2013-03-27 2014-10-01 中国移动通信集团北京有限公司 Method and system for protecting domain name system (DNS)
CN104079421B (en) * 2013-03-27 2017-09-15 中国移动通信集团北京有限公司 A kind of method and system of domain name system protection
CN103327015B (en) * 2013-06-06 2016-02-24 西安交通大学 Based on the malicious code infections main frame scale estimation method of DNS cache detection
CN103327015A (en) * 2013-06-06 2013-09-25 西安交通大学 Method for estimating scale of host infected by malicious code based on DNS cache detection
CN103581363B (en) * 2013-11-29 2017-12-12 哈尔滨工业大学(威海) To malice domain name and the control method and device of unauthorized access
CN103581363A (en) * 2013-11-29 2014-02-12 杜跃进 Method and device for controlling baleful domain name and illegal access
CN104954505A (en) * 2015-06-12 2015-09-30 中国互联网络信息中心 Monitoring method and monitoring system for whole data updating process of DNS (Domain Name Server)
CN104954505B (en) * 2015-06-12 2021-03-12 中国互联网络信息中心 Monitoring method and system for DNS data updating overall process
CN105072214B (en) * 2015-08-28 2018-10-09 携程计算机技术(上海)有限公司 C&C domain name recognition methods based on domain name feature
CN105072214A (en) * 2015-08-28 2015-11-18 携程计算机技术(上海)有限公司 C&C domain name identification method based on domain name feature
CN105262730A (en) * 2015-09-14 2016-01-20 北京华青融天技术有限责任公司 Monitoring method and device based on enterprise domain name safety
CN105262730B (en) * 2015-09-14 2018-07-17 北京华青融天技术有限责任公司 Monitoring method and device based on enterprise domain name safety
CN105827594B (en) * 2016-03-08 2018-11-27 北京航空航天大学 A kind of dubiety detection method based on domain name readability and domain name mapping behavior
CN105827594A (en) * 2016-03-08 2016-08-03 北京航空航天大学 Suspicion detection method based on domain name readability and domain name analysis behavior
CN107517195A (en) * 2016-06-17 2017-12-26 阿里巴巴集团控股有限公司 A kind of method and apparatus of content distributing network seat offence domain name
CN107517195B (en) * 2016-06-17 2021-01-29 阿里巴巴集团控股有限公司 Method and device for positioning attack domain name of content distribution network
CN106209845A (en) * 2016-07-12 2016-12-07 国家计算机网络与信息安全管理中心 A kind of malicious HTTP based on Bayesian Learning Theory request decision method
CN106375351A (en) * 2016-11-29 2017-02-01 神州网云(北京)信息技术有限公司 Abnormal domain name detection method and device
CN106713312A (en) * 2016-12-21 2017-05-24 深圳市深信服电子科技有限公司 Method and device for detecting illegal domain name
CN106992969A (en) * 2017-03-03 2017-07-28 南京理工大学 DGA based on domain name character string statistical nature generates the detection method of domain name
CN109120579B (en) * 2017-06-26 2021-05-07 中国电信股份有限公司 Malicious domain name detection method and device and computer readable storage medium
CN109120579A (en) * 2017-06-26 2019-01-01 中国电信股份有限公司 Detection method, device and the computer readable storage medium of malice domain name
CN107360185B (en) * 2017-08-18 2020-09-25 中国移动通信集团海南有限公司 Network evaluation method and device based on DNS behavior characteristics
CN107360185A (en) * 2017-08-18 2017-11-17 中国移动通信集团海南有限公司 A kind of assessing network method and system based on DNS behavioural characteristics
CN107528904A (en) * 2017-09-01 2017-12-29 星环信息科技(上海)有限公司 Method and apparatus for data distribution formula abnormality detection
CN107733867A (en) * 2017-09-12 2018-02-23 北京神州绿盟信息安全科技股份有限公司 It is a kind of to find Botnet and the method and system of protection
CN109660486A (en) * 2017-10-10 2019-04-19 阿里巴巴集团控股有限公司 The method and system and data processing method of attack is isolated
CN108200054B (en) * 2017-12-29 2021-02-12 奇安信科技集团股份有限公司 Malicious domain name detection method and device based on DNS (Domain name Server) resolution
CN108881151B (en) * 2017-12-29 2021-08-03 哈尔滨安天科技集团股份有限公司 Joint-point-free determination method and device and electronic equipment
CN108200054A (en) * 2017-12-29 2018-06-22 北京奇安信科技有限公司 A kind of malice domain name detection method and device based on dns resolution
CN108881151A (en) * 2017-12-29 2018-11-23 哈尔滨安天科技股份有限公司 A kind of no artis determines method, apparatus and electronic equipment
US10819745B2 (en) 2018-03-06 2020-10-27 Advanced New Technologies Co., Ltd. URL abnormality positioning method and device, and server and storage medium
TWI703846B (en) * 2018-03-06 2020-09-01 香港商阿里巴巴集團服務有限公司 URL abnormal location method, device, server and storage medium
CN109889616A (en) * 2018-05-21 2019-06-14 新华三信息安全技术有限公司 A kind of method and device identifying domain name
CN109246083B (en) * 2018-08-09 2021-08-03 奇安信科技集团股份有限公司 DGA domain name detection method and device
CN109246083A (en) * 2018-08-09 2019-01-18 北京奇安信科技有限公司 A kind of detection method and device of DGA domain name
CN111049784A (en) * 2018-10-12 2020-04-21 北京奇虎科技有限公司 Network attack detection method, device, equipment and storage medium
CN110071829A (en) * 2019-04-12 2019-07-30 腾讯科技(深圳)有限公司 DNS tunnel detection method, device and computer readable storage medium
CN110071829B (en) * 2019-04-12 2022-03-04 腾讯科技(深圳)有限公司 DNS tunnel detection method and device and computer readable storage medium
CN110636072A (en) * 2019-09-26 2019-12-31 腾讯科技(深圳)有限公司 Target domain name scheduling method, device, equipment and storage medium
CN112565249A (en) * 2020-12-02 2021-03-26 中国联合网络通信集团有限公司 Domain name detection method and device
CN112565249B (en) * 2020-12-02 2023-04-07 中国联合网络通信集团有限公司 Domain name detection method and device
CN113792291A (en) * 2021-09-10 2021-12-14 全球能源互联网研究院有限公司 Host identification method and device infected by domain generation algorithm malicious software
CN113792291B (en) * 2021-09-10 2023-08-18 全球能源互联网研究院有限公司 Host recognition method and device infected by domain generation algorithm malicious software
CN114172707A (en) * 2021-11-29 2022-03-11 北京恒安嘉新安全技术有限公司 Fast-Flux botnet detection method, device, equipment and storage medium
CN114172707B (en) * 2021-11-29 2024-04-26 北京恒安嘉新安全技术有限公司 Fast-Flux botnet detection method, device, equipment and storage medium
WO2024036822A1 (en) * 2022-08-16 2024-02-22 天翼安全科技有限公司 Method and apparatus for determining malicious domain name, device, and medium

Also Published As

Publication number Publication date
CN101702660B (en) 2011-12-14

Similar Documents

Publication Publication Date Title
CN101702660B (en) abnormal domain name detection method and system
CN109951500B (en) Network attack detection method and device
Zhang et al. A survey on latest botnet attack and defense
US11797671B2 (en) Cyberanalysis workflow acceleration
US8341742B2 (en) Network attack detection devices and methods
Jiang et al. Identifying suspicious activities through dns failure graph analysis
CN109474575B (en) DNS tunnel detection method and device
KR101010302B1 (en) Security management system and method of irc and http botnet
Passerini et al. Fluxor: Detecting and monitoring fast-flux service networks
US7953852B2 (en) Method and system for detecting and reducing botnet activity
CN105141598A (en) APT (Advanced Persistent Threat) attack detection method and APT attack detection device based on malicious domain name detection
KR100748246B1 (en) Multi-step integrated security monitoring system and method using intrusion detection system log collection engine and traffic statistic generation engine
CN105827594A (en) Suspicion detection method based on domain name readability and domain name analysis behavior
CN102137111A (en) Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server
CN105072120A (en) Method and device for malicious domain name detection based on domain name service state analysis
CN105072119A (en) Domain name resolution conversation mode analysis-based method and device for detecting malicious domain name
CN105119915A (en) Malicious domain detection method and device based on intelligence analysis
US10965697B2 (en) Indicating malware generated domain names using digits
CN103916379A (en) CC attack identification method and system based on high frequency statistics
CN110061998B (en) Attack defense method and device
CN109120733B (en) Detection method for communication by using DNS (Domain name System)
CN110266832A (en) A kind of domain name analytic method and device
CN110381074B (en) Distributed attack defense method aiming at DHCP framework based on big data
Bartos et al. IFS: Intelligent flow sampling for network security–an adaptive approach
CN115296904B (en) Domain name reflection attack detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20111214

Termination date: 20201112
