CN108881151B - Irrelevant-node determination method and device and electronic equipment - Google Patents

Irrelevant-node determination method and device and electronic equipment

Info

Publication number
CN108881151B
CN108881151B (application CN201711498571.2A)
Authority
CN
China
Prior art keywords
domain name
record
virus trojan
node
resolution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711498571.2A
Other languages
Chinese (zh)
Other versions
CN108881151A (en)
Inventor
康学斌
邓琮
王小丰
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Harbin Antian Science And Technology Group Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin Antian Science And Technology Group Co ltd
Priority to CN201711498571.2A
Publication of CN108881151A
Application granted
Publication of CN108881151B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The embodiment of the invention discloses a method and an apparatus for determining an irrelevant node, and an electronic device. The method comprises the following steps: acquiring a resolution record of a domain name system (DNS) server for the domain name of a suspicious node; calculating the resolution frequency of the DNS server for the domain name according to the resolution record; acquiring a detection record of virus/Trojan detection performed on the domain name using a virus/Trojan malicious library; calculating, according to the detection record, the matching frequency with which the domain name matches a malicious domain name in the virus/Trojan malicious library; acquiring a first number, namely the number of virus/Trojan sample identifiers corresponding to the domain name in the virus/Trojan malicious library; calculating the weighted average of the resolution frequency, the matching frequency and the first number; and if the weighted average is greater than a preset threshold, determining that the suspicious node is an irrelevant node. The method can automatically identify whether a suspicious node is an irrelevant node, ensures timeliness and improves the accuracy of the identification result.

Description

Irrelevant-node determination method and device and electronic equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method and an apparatus for determining an irrelevant node, and an electronic device.
Background
With the frequent occurrence of internet attack events in recent years, it is necessary to analyze the sources of such events, i.e. suspicious nodes, in order to prevent attacks. At present, suspicious nodes are first identified and then all of the identified nodes are analyzed. However, the suspicious nodes usually include nodes set up for experiments by official network organizations or other companies; such nodes typically exhibit many network attack events, so anti-attack analysis of them is of little value. These experimental nodes are referred to herein as irrelevant nodes. Therefore, when performing anti-attack analysis on suspicious nodes, irrelevant nodes are usually excluded to avoid meaningless analysis.
Currently, irrelevant nodes are usually identified manually: based on white lists published on the internet by official organizations or other companies, a person decides which suspicious nodes are irrelevant nodes and which are suspicious nodes requiring anti-attack analysis. With this approach the white list may not be updated in time by the organization that publishes it, so its timeliness cannot be guaranteed and the identification result is inaccurate.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus and an electronic device for determining an irrelevant node, which can automatically identify whether a suspicious node is an irrelevant node, ensure timeliness and improve the accuracy of the identification result.
In a first aspect, an embodiment of the present invention provides a method for determining an irrelevant node, the method comprising:
acquiring a resolution record of a domain name system (DNS) server for the domain name of a suspicious node;
calculating the resolution frequency of the DNS server for the domain name according to the resolution record;
acquiring a detection record of virus/Trojan detection performed on the domain name using a virus/Trojan malicious library;
calculating, according to the detection record, the matching frequency with which the domain name matches a malicious domain name in the virus/Trojan malicious library;
acquiring a first number, namely the number of virus/Trojan sample identifiers corresponding to the domain name in the virus/Trojan malicious library;
calculating the weighted average of the resolution frequency, the matching frequency and the first number;
and if the weighted average is greater than a preset threshold, determining that the suspicious node is an irrelevant node.
Preferably, the resolution record comprises records of the DNS server resolving the domain name within a past period of time and/or within a period of time after the present moment; the detection record comprises records of virus/Trojan detection performed on the domain name using the virus/Trojan malicious library within a past period of time.
Preferably, the method further comprises: acquiring a second number, namely the number of virus/Trojan sample identifiers corresponding to the internet protocol (IP) address of the suspicious node in the virus/Trojan malicious library; and calculating the weighted average of the resolution frequency, the matching frequency and the first number comprises: calculating the weighted average of the resolution frequency, the matching frequency, the first number and the second number.
Preferably, the method further comprises: acquiring a credibility value corresponding to the IP address; and calculating the weighted average of the resolution frequency, the matching frequency, the first number and the second number comprises: calculating the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value.
Preferably, acquiring the credibility value corresponding to the IP address comprises: acquiring the credibility value corresponding to the IP address from a cloud server; or determining the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
In a second aspect, an embodiment of the present invention provides an apparatus for determining an irrelevant node, comprising:
a first acquisition unit, configured to acquire a resolution record of a domain name system (DNS) server for the domain name of a suspicious node;
a first calculation unit, configured to calculate the resolution frequency of the DNS server for the domain name according to the resolution record;
a second acquisition unit, configured to acquire a detection record of virus/Trojan detection performed on the domain name using a virus/Trojan malicious library;
a second calculation unit, configured to calculate, according to the detection record, the matching frequency with which the domain name matches a malicious domain name in the virus/Trojan malicious library;
a third acquisition unit, configured to acquire a first number, namely the number of virus/Trojan sample identifiers corresponding to the domain name in the virus/Trojan malicious library;
a third calculation unit, configured to calculate the weighted average of the resolution frequency, the matching frequency and the first number;
and a determination unit, configured to determine that the suspicious node is an irrelevant node if the weighted average is greater than a preset threshold.
Preferably, the resolution record comprises records of the DNS server resolving the domain name within a past period of time and/or within a period of time after the present moment; the detection record comprises records of virus/Trojan detection performed on the domain name using the virus/Trojan malicious library within a past period of time.
Preferably, the apparatus further comprises a fourth acquisition unit, configured to acquire a second number, namely the number of virus/Trojan sample identifiers corresponding to the internet protocol (IP) address of the suspicious node in the virus/Trojan malicious library; and the third calculation unit is specifically configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number and the second number.
Preferably, the apparatus further comprises a fifth acquisition unit, configured to acquire a credibility value corresponding to the IP address; and the third calculation unit is specifically configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value.
Preferably, the fifth acquisition unit is specifically configured to acquire the credibility value corresponding to the IP address from a cloud server, or to determine the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the corresponding program in order to execute the irrelevant-node determination method of the first aspect.
According to the method, apparatus and electronic device for determining an irrelevant node provided by the embodiments of the present invention, whether a suspicious node is an irrelevant node can be determined from the resolution frequency of the suspicious node's domain name at the DNS server, the matching frequency of that domain name with malicious domain names in the virus/Trojan malicious library, and the number of virus/Trojan sample identifiers corresponding to that domain name in the library. No manual participation is needed, so whether a suspicious node is an irrelevant node can be identified automatically, timeliness is ensured and the accuracy of the identification result is improved.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a method for determining an irrelevant node according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of another method for determining an irrelevant node according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of another method for determining an irrelevant node according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an apparatus for determining an irrelevant node according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another apparatus for determining an irrelevant node according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another apparatus for determining an irrelevant node according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flow chart of a method for determining an irrelevant node according to an embodiment of the present invention. The method can be applied to an electronic device.
As shown in Fig. 1, the method for determining an irrelevant node of this embodiment may include:
Step 101, acquiring a resolution record of a domain name system (DNS) server for the domain name of a suspicious node.
In one example, the resolution record may include records of the DNS server resolving the domain name of the suspicious node within a period of time in the past (hereinafter the first time period) and/or within a period of time after the present moment (hereinafter the second time period). For example, the past period may be the two years before the method begins to be performed, and the later period may be the one week after the method begins to be performed.
Correspondingly, in step 101, acquiring the resolution record of the DNS server for the domain name of the suspicious node may include:
acquiring from the DNS server the resolution records it has kept of resolving the domain name during the first time period, and monitoring the DNS server's resolution of the domain name during the second time period so that the resolution record for the second time period is updated in real time.
In one example, there may be one or more DNS servers. The DNS servers may be selected manually: the address of each DNS server able to resolve the domain name is entered into the electronic device by command, after which step 101 is executed.
Step 102, calculating the resolution frequency of the DNS server for the domain name of the suspicious node according to the acquired resolution record.
Specifically, after the resolution record is obtained, the number of times the DNS server resolved the domain name of the suspicious node, as recorded in the resolution record, is counted, and that number is divided by the length of the time period covered by the resolution record to obtain the resolution frequency.
Step 103, acquiring a detection record of virus/Trojan detection performed on the domain name of the suspicious node using the virus/Trojan malicious library.
In one example, the virus/Trojan malicious library may include a correspondence between malicious domain names (for example, domain names from which a virus or Trojan has been downloaded) and the virus/Trojan sample identifiers corresponding to the viruses or Trojans provided by those domain names. One malicious domain name may correspond to several virus/Trojan sample identifiers, and each identifier uniquely corresponds to one virus/Trojan sample. On this basis, the device that performs virus/Trojan detection using the library (hereinafter the detection device) checks whether a domain name is a malicious domain name according to the library. Specifically, each time the DNS server resolves the domain name, it notifies the detection device to perform virus/Trojan detection on the domain name; if the domain name is identical to any malicious domain name in the library, the count of times the domain name has matched a malicious domain name in the library is increased by 1. The detection record can therefore be obtained from the detection device.
In one example, the detection record comprises records of virus/Trojan detection performed on the domain name of the suspicious node using the library within a past period of time (hereinafter the third time period). The third time period may be the same as or different from the first time period.
Step 104, calculating, according to the acquired detection record, the matching frequency with which the domain name of the suspicious node matches a malicious domain name in the virus/Trojan malicious library.
Specifically, after the detection record is obtained, the number of times the domain name matched a malicious domain name in the library, as recorded in the detection record, is taken, and that number is divided by the length of the time period covered by the detection record to obtain the matching frequency.
Step 105, acquiring the first number, namely the number of virus/Trojan sample identifiers corresponding to the domain name of the suspicious node in the virus/Trojan malicious library.
Specifically, the first number may be obtained from the detection device.
It should be noted that if no malicious domain name in the virus/Trojan malicious library is identical to the domain name of the suspicious node, the matching frequency and the first number are both 0.
In this embodiment, the order of steps 101, 103 and 105 is not limited.
Step 106, calculating the weighted average of the resolution frequency, the matching frequency and the first number.
The weighted average may be regarded as a parameter characterizing the degree of maliciousness of the suspicious node.
In one example, in order to determine more accurately whether the suspicious node is an irrelevant node, a parameter of one further dimension may be added when calculating the weighted average that characterizes the degree of maliciousness of the suspicious node. This parameter may be the second number, namely the number of virus/Trojan sample identifiers corresponding to the IP address of the suspicious node in the virus/Trojan malicious library. Correspondingly, as shown in Fig. 2, the method for determining an irrelevant node of this embodiment may further include:
Step 108, acquiring, from the device that performs virus/Trojan detection using the virus/Trojan malicious library, the second number of virus/Trojan sample identifiers corresponding to the IP address of the suspicious node in the library.
The virus/Trojan malicious library may include a correspondence between the IP addresses corresponding to malicious domain names and the virus/Trojan sample identifiers corresponding to the viruses or Trojans provided by those domain names. On this basis, the number of virus/Trojan sample identifiers corresponding to the IP address in the library is taken as the second number.
Based on step 108, step 106 (calculating the weighted average of the resolution frequency, the matching frequency and the first number) includes:
Step 1061, calculating the weighted average of the resolution frequency, the matching frequency, the first number and the second number.
In another example, in order to further improve the accuracy of determining whether the suspicious node is an irrelevant node, a parameter of yet another dimension may be added when calculating the weighted average that characterizes the degree of maliciousness of the suspicious node. This parameter may be the credibility value corresponding to the IP address of the suspicious node. Correspondingly, as shown in Fig. 3, the method for determining an irrelevant node of this embodiment may further include:
Step 109, acquiring the credibility value corresponding to the IP address.
In one example, step 109 may include: acquiring the credibility value corresponding to the IP address from a cloud server; or determining the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
Based on step 109, step 1061 (calculating the weighted average of the resolution frequency, the matching frequency, the first number and the second number) includes:
Step 10611, calculating the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value.
Step 107, if the weighted average is greater than a preset threshold, determining that the suspicious node is an irrelevant node.
The preset threshold may be set by an operator according to experience. If the weighted average is greater than the preset threshold, the suspicious node is determined to be an irrelevant node; if the weighted average is not greater than the preset threshold, the suspicious node is determined to be a node requiring anti-attack analysis.
With the method for determining an irrelevant node provided by the embodiment of the present invention, whether a suspicious node is an irrelevant node can be determined from the resolution frequency of the suspicious node's domain name at the DNS server, the matching frequency of that domain name with malicious domain names in the virus/Trojan malicious library, and the number of virus/Trojan sample identifiers corresponding to that domain name in the library. The method therefore identifies automatically, without manual participation, whether a suspicious node is an irrelevant node, ensures timeliness and improves the accuracy of the identification result.
The method for determining an irrelevant node provided by the embodiment of the present invention is further described with a specific example.
Assume that the electronic device identifying whether suspicious node X is an irrelevant node (hereinafter device Y) begins the identification at 12:00 on 10 December 2017. The first time period is the two years before the identification starts, i.e. from 12:00 on 10 December 2015 to 12:00 on 10 December 2017. The second time period is the week after the identification starts, i.e. from 12:00 on 10 December 2017 to 12:00 on 17 December 2017. The third time period is the same as the first time period.
Device Y first determines IP address 1 and domain name 2 corresponding to suspicious node X. It then acquires from the selected DNS server the resolution record 1 of the DNS server resolving domain name 2 from 12:00 on 10 December 2015 to 12:00 on 10 December 2017, and calculates from resolution record 1 the resolution frequency A1 for the first time period. Device Y also monitors the resolution record 2 of the DNS server resolving domain name 2 from 12:00 on 10 December 2017 to 12:00 on 17 December 2017, calculates from resolution record 2 the resolution frequency A2 for the second time period, and computes the sum of A1 and A2, which is the resolution frequency A of the DNS server for domain name 2.
Device Y acquires, from the device that performs virus/Trojan detection using the virus/Trojan malicious library (hereinafter device Z), the detection record of virus/Trojan detection performed on domain name 2 from 12:00 on 10 December 2017 to 12:00 on 17 December 2017, and calculates from that detection record the matching frequency B with which domain name 2 matches a malicious domain name in the library.
Device Y acquires from device Z the number C of virus/Trojan sample identifiers corresponding to domain name 2 in the virus/Trojan malicious library.
Device Y acquires from device Z the number D of virus/Trojan sample identifiers corresponding to IP address 1 in the virus/Trojan malicious library.
Device Y acquires the credibility value E corresponding to IP address 1 from the cloud server.
Once device Y has obtained the five values A, B, C, D and E, it calculates their weighted average H. If H is greater than the preset threshold, suspicious node X is determined to be an irrelevant node; if H is not greater than the preset threshold, suspicious node X is determined to be a node requiring anti-attack analysis.
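The scoring pipeline of steps 101 to 107 (with the optional steps 108 and 109), and the A, B, C, D, E, H values of the device Y / node X example above, as an added Python illustration that is not the patent's own code. Everything in it is constructed: the resolution timestamps, the library contents, the credibility table, the weight vector and the threshold are sample values chosen here (the patent leaves weights and threshold to the operator), and the function and field names are this example's own. Frequencies are expressed per day; the first period is taken as the two calendar years before the start time and the second as the seven days after it, the third period being equal to the first, exactly as in the worked example.

```python
"""Irrelevant-node scoring in the style of steps 101-107 of CN108881151B.
Added illustration, not the patent's code; all data below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SECONDS_PER_DAY = 86400.0


@dataclass
class MaliciousLibrary:
    """Virus/Trojan malicious library: malicious domain -> sample identifiers
    (step 103), malicious IP -> sample identifiers (step 108) and a preset
    IP -> credibility table (one of the two sources named in step 109)."""
    domain_samples: dict = field(default_factory=dict)
    ip_samples: dict = field(default_factory=dict)
    ip_credibility: dict = field(default_factory=dict)

    def is_malicious(self, domain):
        return domain in self.domain_samples


def count_in_window(times, start, end):
    return sum(1 for t in times if start <= t < end)


def window_days(start, end):
    return (end - start).total_seconds() / SECONDS_PER_DAY


def resolution_frequency(resolve_times, start, end):
    """Step 102: resolutions inside the window divided by its length in days."""
    return count_in_window(resolve_times, start, end) / window_days(start, end)


def matching_frequency(domain, resolve_times, library, start, end):
    """Steps 103-104: the detection device re-checks the domain after every
    resolution, so each resolution of a library domain counts one match.
    A domain absent from the library has matching frequency 0 (cf. step 105)."""
    if not library.is_malicious(domain):
        return 0.0
    return count_in_window(resolve_times, start, end) / window_days(start, end)


def weighted_average(values, weights):
    return sum(v * w for v, w in zip(values, weights)) / sum(weights)


def classify(domain, ip, resolve_times, library, now, weights, threshold,
             cloud_credibility=None):
    """Returns (H, is_irrelevant) for one suspicious node (steps 106/107)."""
    first = (now.replace(year=now.year - 2), now)   # two years back
    second = (now, now + timedelta(days=7))          # one week ahead
    A = (resolution_frequency(resolve_times, *first)
         + resolution_frequency(resolve_times, *second))   # A = A1 + A2
    B = matching_frequency(domain, resolve_times, library, *first)  # third == first
    C = len(library.domain_samples.get(domain, ()))
    D = len(library.ip_samples.get(ip, ()))
    # Step 109: cloud-provided value if available, else the preset table.
    E = (cloud_credibility if cloud_credibility is not None
         else library.ip_credibility.get(ip, 0.0))
    H = weighted_average([A, B, C, D, E], weights)
    # Step 107: a maliciousness score above the threshold marks the node
    # irrelevant (the patent's experimental nodes show many attack events).
    return H, H > threshold


# ---- constructed sample data (assumed values, not from the patent) ----
NOW = datetime(2017, 12, 10, 12, 0)
LIBRARY = MaliciousLibrary(
    domain_samples={"test-node.example": {"sample-0001", "sample-0002"}},
    ip_samples={"192.0.2.10": {"sample-0001", "sample-0002", "sample-0003"}},
    ip_credibility={"192.0.2.10": 0.5, "198.51.100.7": 0.1},
)
# Node X: 3 resolutions in the first period, 2 in the second, 1 outside both.
RESOLVE_X = [datetime(2014, 1, 1), datetime(2016, 3, 1), datetime(2017, 6, 1),
             datetime(2017, 12, 1), datetime(2017, 12, 11), datetime(2017, 12, 15)]
# Node W: a domain not in the library, resolved once in the first period.
RESOLVE_W = [datetime(2017, 5, 5)]
WEIGHTS = (2.0, 2.0, 1.0, 1.0, 1.0)   # assumed operator weights for A, B, C, D, E
THRESHOLD = 0.8                        # assumed operator threshold


def score_node_x():
    return classify("test-node.example", "192.0.2.10", RESOLVE_X, LIBRARY,
                    NOW, WEIGHTS, THRESHOLD)


def score_node_w():
    return classify("shop.example", "198.51.100.7", RESOLVE_W, LIBRARY,
                    NOW, WEIGHTS, THRESHOLD)


if __name__ == "__main__":
    for name, fn in (("X", score_node_x), ("W", score_node_w)):
        H, irrelevant = fn()
        print(f"node {name}: H={H:.4f} irrelevant={irrelevant}")
```

Two things the prose leaves implicit show up here: the raw counts C and D dominate the frequencies A and B unless the weights compensate (a frequency per day is a small number, a sample count is an integer), so the weight vector is what makes the threshold meaningful; and the "second period" component A2 is only complete once the week of live monitoring has elapsed, so a score computed earlier is provisional.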
Fig. 4 is a schematic structural diagram of a joint-point-free determination device according to an embodiment of the present invention. The apparatus may be applied to an electronic device.
As shown in fig. 4, the apparatus of the present embodiment may include: a first acquisition unit 401, a first calculation unit 402, a second acquisition unit 403, a second calculation unit 404, a third acquisition unit 405, a third calculation unit 406, and a determination unit 407.
The first obtaining unit 401 is configured to obtain a resolution record of a domain name of a suspicious node by a domain name system DNS server.
The first calculating unit 402 is configured to calculate a resolution frequency of the DNS server for the domain name according to the resolution record.
The second obtaining unit 403 is configured to obtain a detection record for performing virus trojan detection on the domain name by using a virus trojan malicious library.
The second calculating unit 404 is configured to calculate, according to the detection record, a matching frequency of the domain name matching a malicious domain name in the virus trojan horse malicious library.
The third obtaining unit 405 is configured to obtain a first number of the virus Trojan sample identifiers corresponding to the domain name in the virus Trojan malicious library.
The third calculating unit 406 is configured to calculate a weighted average of the analyzing frequency, the matching frequency and the first number.
The determining unit 407 is configured to determine that the suspicious node is an arthrosis-free node if the weighted average is greater than a preset threshold.
Preferably, the resolution record comprises: the DNS server's resolution records for the domain name in a past period of time and/or in the current period of time and later; and the detection record comprises: the record of virus Trojan detection performed on the domain name, using the virus Trojan malicious library, in a past period of time.
Preferably, as shown in fig. 5, the device further comprises a fourth obtaining unit 408.
The fourth obtaining unit 408 is configured to obtain a second number, namely the number of virus Trojan sample identifiers corresponding to the IP address of the suspicious node in the virus Trojan malicious library.
Correspondingly, the third calculating unit 406 is specifically configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number and the second number.
Preferably, as shown in fig. 6, the device further comprises a fifth obtaining unit 409.
The fifth obtaining unit 409 is configured to obtain the credibility value corresponding to the IP address.
Correspondingly, the third calculating unit 406 is specifically configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value.
Preferably, the fifth obtaining unit 409 is specifically configured to: obtain the credibility value corresponding to the IP address from a cloud server; or determine the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
The joint-point-free determination device provided by the embodiment of the present invention can determine whether a suspicious node is a joint-point-free node according to the resolution frequency of the DNS server for the domain name of the suspicious node, the matching frequency of that domain name with malicious domain names in the virus Trojan malicious library, and the number of virus Trojan sample identifiers corresponding to that domain name in the virus Trojan malicious library. It thus identifies joint-point-free nodes automatically and without manual participation, which ensures timeliness and improves the accuracy of the identification result.
An embodiment of the present invention also provides an electronic device. Fig. 7 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flows of the embodiments shown in fig. 1, fig. 2 and fig. 3. As shown in fig. 5, the electronic device may include a housing 71, a processor 72, a memory 73, a circuit board 74 and a power supply circuit 75, wherein the circuit board 74 is arranged inside the space enclosed by the housing 71, and the processor 72 and the memory 73 are arranged on the circuit board 74; the power supply circuit 75 supplies power to each circuit or device of the electronic device; the memory 73 stores executable program code; and the processor 72 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 73, so as to execute the joint-point-free determination method described in any one of the foregoing embodiments.
The electronic device exists in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones and low-end phones, among others.
(2) An ultra-mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, for example iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device includes audio and video players (such as an iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) A server: a device that provides computing services. A server comprises a processor, a hard disk, memory, a system bus and the like; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services it has higher requirements on processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with a data interaction function.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. An element defined by the phrase "comprising a ..." does not, without further limitation, exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (7)

1. A joint-point-free determination method, the method comprising:
obtaining a resolution record of a domain name system (DNS) server for the domain name of a suspicious node;
calculating, according to the resolution record, the resolution frequency of the DNS server for the domain name;
obtaining a detection record of virus Trojan detection performed on the domain name using a virus Trojan malicious library;
calculating, according to the detection record, the matching frequency with which the domain name matches a malicious domain name in the virus Trojan malicious library;
obtaining a first number of virus Trojan sample identifiers corresponding to the domain name in the virus Trojan malicious library; obtaining a second number of virus Trojan sample identifiers corresponding to the Internet protocol (IP) address of the suspicious node in the virus Trojan malicious library, and a credibility value corresponding to the IP address of the suspicious node;
calculating the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value;
if the weighted average is greater than a preset threshold, determining that the suspicious node is a joint-point-free node;
wherein calculating, according to the resolution record, the resolution frequency of the DNS server for the domain name comprises: after the resolution record is obtained, counting the number of times the DNS server resolved the domain name of the suspicious node as recorded in the resolution record;
and dividing that number of times by the length of the time period corresponding to the resolution record to obtain the resolution frequency.
2. The method of claim 1, wherein the resolution record comprises: the DNS server's resolution records for the domain name in a past period of time and/or in the current period of time and later;
and the detection record comprises: the record of virus Trojan detection performed on the domain name, using the virus Trojan malicious library, in a past period of time.
3. The method of claim 1, wherein obtaining the credibility value corresponding to the IP address comprises:
obtaining the credibility value corresponding to the IP address from a cloud server; or
determining the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
4. A joint-point-free determination device, the device comprising:
a first obtaining unit, configured to obtain a resolution record of a domain name system (DNS) server for the domain name of a suspicious node;
a first calculating unit, configured to calculate, according to the resolution record, the resolution frequency of the DNS server for the domain name;
a second obtaining unit, configured to obtain a detection record of virus Trojan detection performed on the domain name using a virus Trojan malicious library;
a second calculating unit, configured to calculate, according to the detection record, the matching frequency with which the domain name matches a malicious domain name in the virus Trojan malicious library;
a third obtaining unit, configured to obtain a first number of virus Trojan sample identifiers corresponding to the domain name in the virus Trojan malicious library; a fourth obtaining unit, configured to obtain a second number of virus Trojan sample identifiers corresponding to the Internet protocol (IP) address of the suspicious node in the virus Trojan malicious library; a fifth obtaining unit, configured to obtain the credibility value corresponding to the IP address of the suspicious node;
a third calculating unit, configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value;
a determining unit, configured to determine that the suspicious node is a joint-point-free node if the weighted average is greater than a preset threshold;
wherein the first calculating unit is specifically configured to, after the resolution record is obtained, count the number of times the DNS server resolved the domain name of the suspicious node as recorded in the resolution record;
and divide that number of times by the length of the time period corresponding to the resolution record to obtain the resolution frequency.
5. The device of claim 4, wherein the resolution record comprises: the DNS server's resolution records for the domain name in a past period of time and/or in the current period of time and later;
and the detection record comprises: the record of virus Trojan detection performed on the domain name, using the virus Trojan malicious library, in a past period of time.
6. The device according to claim 4, wherein the fifth obtaining unit is specifically configured to:
obtain the credibility value corresponding to the IP address from a cloud server; or
determine the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
7. An electronic device, characterized in that the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the joint-point-free determination method of any one of claims 1 to 3.
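The scoring pipeline that the device embodiment (units 401 to 409, figs. 4 to 6) and claim 1 describe, as an added worked example that is not the patent's own code. The DNS log format, the detection records, the layout of the virus Trojan malicious library, the preset IP-to-credibility table, the weights and the threshold are all constructed assumptions; the page states none of them, and in particular it does not say how the five inputs are scaled before being averaged, so the weights below are chosen only to make the arithmetic visible.

```python
# Added example (not the patent's own code): the joint-point-free scoring
# described in the device embodiment and claim 1, run over constructed data.
# Log format, library layout, weights and threshold are assumptions.
from typing import Dict, Sequence, Set, Tuple

# Constructed DNS resolver log for one 24-hour window: "<timestamp> <client> <qname>".
DNS_LOG = """\
2017-12-28T00:05:00 10.0.0.5 update.example-c2.test
2017-12-28T03:10:00 10.0.0.7 update.example-c2.test
2017-12-28T09:42:00 10.0.0.5 update.example-c2.test
2017-12-28T12:00:00 10.0.0.9 www.example-shop.test
2017-12-28T18:30:00 10.0.0.7 update.example-c2.test
2017-12-28T22:15:00 10.0.0.9 www.example-shop.test
"""
PERIOD_HOURS = 24.0  # length of the time period the resolution record covers

# Constructed detection records: (domain, matched an entry in the malicious library?).
DETECTION_RECORDS = [
    ("update.example-c2.test", True),
    ("update.example-c2.test", True),
    ("update.example-c2.test", False),
    ("update.example-c2.test", True),
    ("www.example-shop.test", False),
    ("www.example-shop.test", False),
]

# Constructed virus Trojan malicious library: indicator (domain or IP) -> sample identifiers.
MALICIOUS_LIBRARY: Dict[str, Set[str]] = {
    "update.example-c2.test": {"sample-0001", "sample-0002", "sample-0003", "sample-0004"},
    "203.0.113.10": {"sample-0001", "sample-0005"},
}

# Constructed preset IP -> credibility table (the second alternative in claim 3).
IP_CREDIBILITY: Dict[str, float] = {"203.0.113.10": 0.9, "198.51.100.20": 0.1}

# Assumed weights and threshold; the page specifies neither.
WEIGHTS = {"resolution": 1.0, "matching": 2.0, "first": 0.5, "second": 0.5, "credibility": 1.0}
THRESHOLD = 0.8


def resolution_frequency(log_text: str, domain: str, period_hours: float) -> float:
    """Claim 1: count the resolutions of `domain` in the record, divide by the period length."""
    count = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].lower() == domain.lower():
            count += 1
    return count / period_hours


def matching_frequency(records: Sequence[Tuple[str, bool]], domain: str) -> float:
    """Fraction of the detection checks of `domain` that matched a malicious domain."""
    checks = [matched for d, matched in records if d.lower() == domain.lower()]
    return sum(checks) / len(checks) if checks else 0.0


def sample_count(library: Dict[str, Set[str]], indicator: str) -> int:
    """Number of distinct sample identifiers tied to a domain (first number) or IP (second number)."""
    return len(library.get(indicator, set()))


def weighted_average(features: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted average of the feature values, normalised by the total weight used."""
    total_weight = sum(weights[k] for k in features)
    return sum(features[k] * weights[k] for k in features) / total_weight


def score_node(domain: str, ip: str) -> Tuple[float, bool]:
    """Return (weighted average, verdict) for a suspicious node given its domain and IP."""
    features = {
        "resolution": resolution_frequency(DNS_LOG, domain, PERIOD_HOURS),
        "matching": matching_frequency(DETECTION_RECORDS, domain),
        "first": sample_count(MALICIOUS_LIBRARY, domain),
        "second": sample_count(MALICIOUS_LIBRARY, ip),
        "credibility": IP_CREDIBILITY.get(ip, 0.0),
    }
    avg = weighted_average(features, WEIGHTS)
    return avg, avg > THRESHOLD


if __name__ == "__main__":
    for dom, ip in (("update.example-c2.test", "203.0.113.10"),
                    ("www.example-shop.test", "198.51.100.20")):
        avg, flagged = score_node(dom, ip)
        print(f"{dom} via {ip}: weighted average {avg:.3f}, joint-point-free node: {flagged}")
```

Because the resolution frequency is a rate, the matching frequency a fraction, the two sample counts unbounded integers and the credibility value a score from an external table, the raw weighted average is dominated by whichever input has the largest scale; a deployment would either normalise each input to a common range or pick weights with that in mind before setting the threshold.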
CN201711498571.2A 2017-12-29 2017-12-29 Joint-point-free determination method and device and electronic equipment Active CN108881151B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711498571.2A CN108881151B (en) 2017-12-29 2017-12-29 Joint-point-free determination method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN108881151A CN108881151A (en) 2018-11-23
CN108881151B true CN108881151B (en) 2021-08-03

Family

ID=64325854
Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113395246B (en) * 2020-03-13 2022-04-26 中国互联网络信息中心 Method and system for determining bad domain name

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184094A (en) * 2007-12-06 2008-05-21 北京启明星辰信息技术有限公司 Network node scanning detection method and system for LAN environment
CN101702660A (en) * 2009-11-12 2010-05-05 中国科学院计算技术研究所 Abnormal domain name detection method and system
CN103024092A (en) * 2011-09-28 2013-04-03 中国移动通信集团公司 Method, system and device for blocking domain
CN104700033A (en) * 2015-03-30 2015-06-10 北京瑞星信息技术有限公司 Virus detection method and virus detection device
CN104967629A (en) * 2015-07-16 2015-10-07 网宿科技股份有限公司 Network attack detection method and apparatus
CN105187367A (en) * 2015-06-04 2015-12-23 何飚 Big data discovery based bot Trojan virus detection and control method
CN105827594A (en) * 2016-03-08 2016-08-03 北京航空航天大学 Suspicion detection method based on domain name readability and domain name analysis behavior
CN106131016A (en) * 2016-07-13 2016-11-16 北京知道创宇信息技术有限公司 Maliciously URL detection interference method, system and device
CN106411965A (en) * 2016-12-22 2017-02-15 北京知道创宇信息技术有限公司 Method for determining network server providing counterfeit service, equipment and calculating equipment thereof
CN106603557A (en) * 2016-12-30 2017-04-26 哈尔滨安天科技股份有限公司 Trojan detection method and system based on configuration information structure
CN107249049A (en) * 2017-07-21 2017-10-13 北京亚鸿世纪科技发展有限公司 A kind of method and apparatus screened to the domain name data that network is gathered

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI478561B (en) * 2012-04-05 2015-03-21 Inst Information Industry Domain tracing method and system and computer-readable storage medium storing the method
US20160171415A1 (en) * 2014-12-13 2016-06-16 Security Scorecard Cybersecurity risk assessment on an industry basis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Applicant after: Harbin antiy Technology Group Limited by Share Ltd

Address before: 150090 506, room 162, Hongqi Street, Nangang 17 building, Harbin hi tech Industrial Development Zone, Heilongjiang.

Applicant before: Harbin Antiy Technology Co., Ltd.

GR01 Patent grant
CP03 Change of name, title or address

Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Heilongjiang Province (No. 838, Shikun Road)

Patentee after: Antan Technology Group Co.,Ltd.

Address before: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Patentee before: Harbin Antian Science and Technology Group Co.,Ltd.