Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus and an electronic device for determining an irrelevant node, which can automatically and intelligently identify whether a suspicious node is an irrelevant node, ensure timeliness and improve the accuracy of the identification result.
In a first aspect, an embodiment of the present invention provides a method for determining an irrelevant node, the method including:
acquiring a resolution record of a domain name system (DNS) server for the domain name of a suspicious node;
calculating, according to the resolution record, the resolution frequency of the DNS server for the domain name;
acquiring a detection record of virus/Trojan detection performed on the domain name using a virus/Trojan malicious library;
calculating, according to the detection record, the matching frequency with which the domain name matches a malicious domain name in the virus/Trojan malicious library;
acquiring a first number, namely the number of virus/Trojan sample identifiers corresponding to the domain name in the virus/Trojan malicious library;
calculating a weighted average of the resolution frequency, the matching frequency and the first number; and
if the weighted average is greater than a preset threshold, determining that the suspicious node is an irrelevant node.
Preferably, the resolution record includes the DNS server's record of resolving the domain name during a past period of time and/or during a period of time after the present; the detection record includes the record of virus/Trojan detection performed on the domain name using the virus/Trojan malicious library during a past period of time.
Preferably, the method further includes acquiring a second number, namely the number of virus/Trojan sample identifiers corresponding to the Internet Protocol (IP) address of the suspicious node in the virus/Trojan malicious library; calculating the weighted average of the resolution frequency, the matching frequency and the first number then includes calculating the weighted average of the resolution frequency, the matching frequency, the first number and the second number.
Preferably, the method further includes acquiring a credibility value corresponding to the IP address; calculating the weighted average of the resolution frequency, the matching frequency, the first number and the second number then includes calculating the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value.
Preferably, acquiring the credibility value corresponding to the IP address includes acquiring the credibility value corresponding to the IP address from a cloud server, or determining the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
In a second aspect, an embodiment of the present invention provides an apparatus for determining an irrelevant node, including:
a first acquisition unit, configured to acquire a resolution record of a domain name system (DNS) server for the domain name of a suspicious node;
a first calculation unit, configured to calculate, according to the resolution record, the resolution frequency of the DNS server for the domain name;
a second acquisition unit, configured to acquire a detection record of virus/Trojan detection performed on the domain name using a virus/Trojan malicious library;
a second calculation unit, configured to calculate, according to the detection record, the matching frequency with which the domain name matches a malicious domain name in the virus/Trojan malicious library;
a third acquisition unit, configured to acquire a first number, namely the number of virus/Trojan sample identifiers corresponding to the domain name in the virus/Trojan malicious library;
a third calculation unit, configured to calculate a weighted average of the resolution frequency, the matching frequency and the first number; and
a determination unit, configured to determine that the suspicious node is an irrelevant node if the weighted average is greater than a preset threshold.
Preferably, the resolution record includes the DNS server's record of resolving the domain name during a past period of time and/or during a period of time after the present; the detection record includes the record of virus/Trojan detection performed on the domain name using the virus/Trojan malicious library during a past period of time.
Preferably, the apparatus further includes a fourth acquisition unit, configured to acquire a second number, namely the number of virus/Trojan sample identifiers corresponding to the Internet Protocol (IP) address of the suspicious node in the virus/Trojan malicious library; the third calculation unit is then specifically configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number and the second number.
Preferably, the apparatus further includes a fifth acquisition unit, configured to acquire a credibility value corresponding to the IP address; the third calculation unit is then specifically configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value.
Preferably, the fifth acquisition unit is specifically configured to acquire the credibility value corresponding to the IP address from a cloud server, or to determine the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
In a third aspect, an embodiment of the present invention provides an electronic device, including a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the method for determining an irrelevant node described in the first aspect.
According to the method, apparatus and electronic device for determining an irrelevant node provided by the embodiments of the present invention, whether a suspicious node is an irrelevant node can be determined from the resolution frequency of the DNS server for the domain name of the suspicious node, the matching frequency with which that domain name matches a malicious domain name in the virus/Trojan malicious library, and the number of virus/Trojan sample identifiers corresponding to that domain name in the library. No manual participation is needed, so whether the suspicious node is an irrelevant node can be identified automatically and intelligently, timeliness can be ensured, and the accuracy of the identification result can be improved.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a method for determining an irrelevant node according to an embodiment of the present invention. The method can be applied to an electronic device.
As shown in fig. 1, the method for determining an irrelevant node of this embodiment may include:
Step 101: obtaining a resolution record of a domain name system (DNS) server for the domain name of a suspicious node.
In one example, the resolution record may include the DNS server's records of resolving the domain name of the suspicious node during a period of time in the past (for ease of description, subsequently referred to as the first time period) and/or during a period of time after the present (subsequently referred to as the second time period). For example, the past period may be the two years before the method begins to be performed, and the period after the present may be the week after the method begins to be performed.
Correspondingly, in step 101, obtaining the resolution record of the DNS server for the domain name of the suspicious node may include:
acquiring from the DNS server the record, kept by the DNS server, of its resolutions of the domain name during the first time period, and monitoring the DNS server's resolutions of the domain name during the second time period so as to update the resolution record for the second time period in real time.
In one example, there may be one or more DNS servers. The DNS servers may be selected manually, and the address of each DNS server that may resolve the domain name is entered into the electronic device by a command so that step 101 can be executed.
Step 102: calculating, according to the acquired resolution record, the resolution frequency of the DNS server for the domain name of the suspicious node.
Specifically, after the resolution record is obtained, the number of times the DNS server resolved the domain name of the suspicious node, as recorded in the resolution record, is counted and then divided by the length of the time period covered by the resolution record, giving the resolution frequency.
Step 103: acquiring a detection record of virus/Trojan detection performed on the domain name of the suspicious node using the virus/Trojan malicious library.
In one example, the virus/Trojan malicious library may include a correspondence between malicious domain names (for example, domain names from which a virus or Trojan has been downloaded) and the virus/Trojan sample identifiers of the viruses or Trojans served by each malicious domain name. One malicious domain name may correspond to several virus/Trojan sample identifiers, and each sample identifier uniquely corresponds to one virus/Trojan sample. On this basis, the device that performs virus/Trojan detection using the malicious library (for ease of description, hereinafter referred to as the detection device) checks, against the library, whether the domain name is a malicious domain name. Specifically, each time the DNS server resolves the domain name, it notifies the detection device to perform virus/Trojan detection on the domain name; if the domain name is identical to any malicious domain name in the library, the count of times the domain name has matched a malicious domain name in the library is increased by 1. The detection record can thus be obtained from the detection device.
In one example, the detection record includes the record of virus/Trojan detection performed on the domain name of the suspicious node using the virus/Trojan malicious library during a past period of time (for ease of description, subsequently referred to as the third time period). The third time period may be the same as or different from the first time period.
Step 104: calculating, according to the obtained detection record, the matching frequency with which the domain name of the suspicious node matches a malicious domain name in the virus/Trojan malicious library.
Specifically, after the detection record is obtained, the number of times the domain name matched a malicious domain name in the library, as recorded in the detection record, is obtained and then divided by the length of the time period covered by the detection record, giving the matching frequency.
Step 105: obtaining a first number, namely the number of virus/Trojan sample identifiers corresponding to the domain name of the suspicious node in the virus/Trojan malicious library.
Specifically, the first number of virus/Trojan sample identifiers corresponding to the domain name of the suspicious node in the library may be obtained from the detection device.
It should be noted that if no malicious domain name in the virus/Trojan malicious library is identical to the domain name of the suspicious node, the matching frequency and the first number are both 0.
In this embodiment, the order of step 101, step 103 and step 105 is not limited.
Step 106: calculating a weighted average of the resolution frequency, the matching frequency and the first number.
The weighted average may be regarded as a parameter characterizing the degree of maliciousness of the suspicious node.
In one example, in order to determine more accurately whether the suspicious node is an irrelevant node, a parameter of one more dimension may be added to the weighted average that characterizes the degree of maliciousness of the suspicious node. This parameter may be the second number, namely the number of virus/Trojan sample identifiers corresponding to the IP address of the suspicious node in the virus/Trojan malicious library. Correspondingly, as shown in fig. 2, the method for determining an irrelevant node of this embodiment may further include:
Step 108: acquiring, from the device that performs virus/Trojan detection using the virus/Trojan malicious library, the second number of virus/Trojan sample identifiers corresponding to the IP address of the suspicious node in the library.
The virus/Trojan malicious library may include a correspondence between the IP address corresponding to each malicious domain name and the virus/Trojan sample identifiers of the viruses or Trojans served by that malicious domain name. On this basis, the number of virus/Trojan sample identifiers corresponding to the IP address in the library is taken as the second number.
On the basis of step 108, step 106 (calculating a weighted average of the resolution frequency, the matching frequency and the first number) includes:
Step 1061: calculating a weighted average of the resolution frequency, the matching frequency, the first number and the second number.
In another example, in order to further improve the accuracy of determining whether the suspicious node is an irrelevant node, a parameter of yet another dimension may be added to the weighted average that characterizes the degree of maliciousness of the suspicious node. This parameter may be the credibility value corresponding to the IP address of the suspicious node. Correspondingly, as shown in fig. 3, the method for determining an irrelevant node of this embodiment may further include:
Step 109: acquiring the credibility value corresponding to the IP address.
In one example, step 109 may include acquiring the credibility value corresponding to the IP address from a cloud server, or determining the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
On the basis of step 109, step 1061 (calculating a weighted average of the resolution frequency, the matching frequency, the first number and the second number) includes:
Step 10611: calculating a weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value.
Step 107: if the weighted average is greater than a preset threshold, determining that the suspicious node is an irrelevant node.
The preset threshold may be set by an operator according to experience. If the weighted average is greater than the preset threshold, the suspicious node is determined to be an irrelevant node; if the weighted average is not greater than the preset threshold, the suspicious node is determined to be a node requiring anti-attack analysis.
With the method for determining an irrelevant node provided by this embodiment of the present invention, whether a suspicious node is an irrelevant node can be determined from the resolution frequency of the DNS server for the domain name of the suspicious node, the matching frequency with which that domain name matches a malicious domain name in the virus/Trojan malicious library, and the number of virus/Trojan sample identifiers corresponding to that domain name in the library. The method can therefore identify automatically and intelligently, without manual participation, whether the suspicious node is an irrelevant node, ensure timeliness and improve the accuracy of the identification result.
The method for determining an irrelevant node provided by this embodiment of the present invention is further described with a specific example.
Assume that the electronic device used to identify whether the suspicious node X is an irrelevant node (for ease of description, referred to as device Y in this example) starts the identification at 12:00 on 10 December 2017. The first time period is the two years before identification starts, i.e. from 12:00 on 10 December 2015 to 12:00 on 10 December 2017. The second time period is the week after identification starts, i.e. from 12:00 on 10 December 2017 to 12:00 on 17 December 2017. The third time period is the same as the first time period.
Device Y first determines the IP address 1 and the domain name 2 corresponding to the suspicious node X. It then acquires from the selected DNS server the resolution record 1 of the DNS server resolving domain name 2 during the period from 12:00 on 10 December 2015 to 12:00 on 10 December 2017, and calculates from resolution record 1 the resolution frequency A1 for the first time period. Device Y also monitors the resolution record 2 of the DNS server resolving domain name 2 during the period from 12:00 on 10 December 2017 to 12:00 on 17 December 2017, calculates from resolution record 2 the resolution frequency A2 for the second time period, and sums A1 and A2 to obtain the resolution frequency A of the DNS server for domain name 2.
Device Y acquires, from the device that performs virus/Trojan detection using the virus/Trojan malicious library (for ease of description, referred to as device Z in this example), the detection record of virus/Trojan detection performed on domain name 2 during the period from 12:00 on 10 December 2017 to 12:00 on 17 December 2017, and calculates from the detection record the matching frequency B with which domain name 2 matches a malicious domain name in the library.
Device Y acquires from device Z the number C of virus/Trojan sample identifiers corresponding to domain name 2 in the virus/Trojan malicious library.
Device Y acquires from device Z the number D of virus/Trojan sample identifiers corresponding to IP address 1 in the virus/Trojan malicious library.
Device Y acquires the credibility value E corresponding to IP address 1 from the cloud server.
Once device Y has acquired the five values A, B, C, D and E, it calculates their weighted average H. If H is greater than the preset threshold, the suspicious node X is determined to be an irrelevant node; if H is not greater than the preset threshold, the suspicious node X is determined to be a node requiring anti-attack analysis.
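The following is an added example, not code from the patent or its applicant, that carries the pipeline of steps 101 to 109 and the A to E example above through in working code. Everything in it is constructed for illustration: the DNS resolution records and detection records (generated in code), the contents of the malicious library, the domain names and IP addresses (documentation and TEST-NET values), the weights, the threshold, and the choice of measuring frequencies per day. The patent does not state the sign convention of the credibility value; this example assumes a higher value means a less trustworthy IP address, so that it contributes to the maliciousness score in the same direction as the other four factors. The example also covers the case noted after step 105, where a domain name absent from the library yields a matching frequency and first number of 0.

```python
"""Added example (not part of the patent): one implementation of the scoring
pipeline of steps 101 to 109, with constructed records, library, weights and threshold."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ResolutionRecord:
    """One resolution of a domain name, as logged by the DNS server (step 101)."""
    domain: str
    resolved_at: datetime


@dataclass(frozen=True)
class DetectionRecord:
    """One check of a resolved domain name against the malicious library (step 103)."""
    domain: str
    checked_at: datetime
    matched: bool


class MaliciousLibrary:
    """Constructed stand-in for the virus/Trojan malicious library: malicious domain
    names and IP addresses, each mapped to the set of sample identifiers it served."""

    def __init__(self, domain_samples, ip_samples):
        self.domain_samples = domain_samples
        self.ip_samples = ip_samples

    def sample_count_for_domain(self, domain):
        """First number (step 105); 0 when the domain is not in the library."""
        return len(self.domain_samples.get(domain, ()))

    def sample_count_for_ip(self, ip):
        """Second number (step 108); 0 when the IP address is not in the library."""
        return len(self.ip_samples.get(ip, ()))


def _per_day(count, start, end):
    """Count divided by the window length; measuring the window in days is an assumption."""
    return count / ((end - start) / timedelta(days=1))


def resolution_frequency(records, domain, start, end):
    """Step 102: resolutions of `domain` inside [start, end), per day."""
    n = sum(1 for r in records if r.domain == domain and start <= r.resolved_at < end)
    return _per_day(n, start, end)


def matching_frequency(records, domain, start, end):
    """Step 104: matches of `domain` against the library inside [start, end), per day."""
    n = sum(1 for r in records
            if r.domain == domain and r.matched and start <= r.checked_at < end)
    return _per_day(n, start, end)


def weighted_average(values, weights):
    """Steps 106 / 1061 / 10611; the weights are constructed for this example."""
    return sum(v * w for v, w in zip(values, weights)) / sum(weights)


def classify(score, threshold):
    """Step 107: above the threshold the node is an irrelevant node, otherwise it is
    kept for anti-attack analysis."""
    return "irrelevant" if score > threshold else "needs_anti_attack_analysis"


def score_node(domain, ip, dns_records, detection_records, library, credibility, start,
               past_days=731, future_days=7,
               weights=(0.3, 0.3, 0.15, 0.15, 0.1), threshold=2.0):
    """Whole pipeline for one suspicious node; returns A..E, H and the verdict."""
    first_start, first_end = start - timedelta(days=past_days), start       # first time period
    second_start, second_end = start, start + timedelta(days=future_days)   # second time period
    a = (resolution_frequency(dns_records, domain, first_start, first_end)
         + resolution_frequency(dns_records, domain, second_start, second_end))
    b = matching_frequency(detection_records, domain, second_start, second_end)
    c = library.sample_count_for_domain(domain)
    d = library.sample_count_for_ip(ip)
    # Assumption: a higher credibility value means a less trustworthy IP address.
    e = credibility.get(ip, 0.0)
    h = weighted_average((a, b, c, d, e), weights)
    return {"A": a, "B": b, "C": c, "D": d, "E": e, "H": h, "verdict": classify(h, threshold)}


START = datetime(2017, 12, 10, 12)  # 12:00 on 10 December 2017, as in the patent's example


def build_sample_data():
    """Constructed data: node X resolves once a day for two years and twice a day in
    the following week, matching the library on half of those checks; node W is
    seen three times and is unknown to the library."""
    dns, det = [], []
    for day in range(731):
        dns.append(ResolutionRecord("c2.example.test", START - timedelta(days=day + 1)))
    for half_day in range(14):
        t = START + timedelta(hours=12 * half_day)
        dns.append(ResolutionRecord("c2.example.test", t))
        det.append(DetectionRecord("c2.example.test", t, matched=(half_day % 2 == 0)))
    for day in (0, 3, 6):
        t = START + timedelta(days=day)
        dns.append(ResolutionRecord("host.example.test", t))
        det.append(DetectionRecord("host.example.test", t, matched=False))
    library = MaliciousLibrary({"c2.example.test": {"s1", "s2", "s3"}},
                               {"203.0.113.7": {"s1", "s2", "s3", "s4"}})
    credibility = {"203.0.113.7": 0.8, "198.51.100.5": 0.1}
    return dns, det, library, credibility


if __name__ == "__main__":
    dns, det, library, credibility = build_sample_data()
    print(score_node("c2.example.test", "203.0.113.7", dns, det, library, credibility, START))
    print(score_node("host.example.test", "198.51.100.5", dns, det, library, credibility, START))
```

With these constructed inputs node X gets A = 3.0 (one resolution per day over the first period plus two per day over the second), B = 1.0, C = 3, D = 4, E = 0.8 and H = 2.33, which exceeds the threshold of 2.0; node W, absent from the library, gets B = C = D = 0 and falls below it. The window bounds are half-open so that a record at exactly the start of the second period is counted once, and the weights and threshold are deliberately parameters of `score_node`, since the patent leaves both to the operator.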
Fig. 4 is a schematic structural diagram of an apparatus for determining an irrelevant node according to an embodiment of the present invention. The apparatus may be applied to an electronic device.
As shown in fig. 4, the apparatus of this embodiment may include a first acquisition unit 401, a first calculation unit 402, a second acquisition unit 403, a second calculation unit 404, a third acquisition unit 405, a third calculation unit 406 and a determination unit 407.
The first acquisition unit 401 is configured to acquire a resolution record of a domain name system (DNS) server for the domain name of a suspicious node.
The first calculation unit 402 is configured to calculate, according to the resolution record, the resolution frequency of the DNS server for the domain name.
The second acquisition unit 403 is configured to acquire a detection record of virus/Trojan detection performed on the domain name using a virus/Trojan malicious library.
The second calculation unit 404 is configured to calculate, according to the detection record, the matching frequency with which the domain name matches a malicious domain name in the virus/Trojan malicious library.
The third acquisition unit 405 is configured to acquire a first number, namely the number of virus/Trojan sample identifiers corresponding to the domain name in the virus/Trojan malicious library.
The third calculation unit 406 is configured to calculate a weighted average of the resolution frequency, the matching frequency and the first number.
The determination unit 407 is configured to determine that the suspicious node is an irrelevant node if the weighted average is greater than a preset threshold.
Preferably, the resolution record includes the DNS server's record of resolving the domain name during a past period of time and/or during a period of time after the present; the detection record includes the record of virus/Trojan detection performed on the domain name using the virus/Trojan malicious library during a past period of time.
Preferably, as shown in fig. 5, the apparatus further includes a fourth acquisition unit 408.
The fourth acquisition unit 408 is configured to acquire a second number, namely the number of virus/Trojan sample identifiers corresponding to the IP address of the suspicious node in the virus/Trojan malicious library.
Correspondingly, the third calculation unit 406 is specifically configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number and the second number.
Preferably, as shown in fig. 6, the apparatus further includes a fifth acquisition unit 409.
The fifth acquisition unit 409 is configured to acquire the credibility value corresponding to the IP address.
Correspondingly, the third calculation unit 406 is specifically configured to calculate the weighted average of the resolution frequency, the matching frequency, the first number, the second number and the credibility value.
Preferably, the fifth acquisition unit 409 is specifically configured to acquire the credibility value corresponding to the IP address from a cloud server, or to determine the credibility value corresponding to the IP address according to a preset correspondence between IP addresses and credibility values.
The apparatus for determining an irrelevant node provided by this embodiment of the present invention can determine whether a suspicious node is an irrelevant node from the resolution frequency of the DNS server for the domain name of the suspicious node, the matching frequency with which that domain name matches a malicious domain name in the virus/Trojan malicious library, and the number of virus/Trojan sample identifiers corresponding to that domain name in the library. It can therefore identify automatically and intelligently, without manual participation, whether the suspicious node is an irrelevant node, ensure timeliness and improve the accuracy of the identification result.
An embodiment of the present invention also provides an electronic device. Fig. 7 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flows of the embodiments shown in fig. 1, fig. 2 and fig. 3. As shown in fig. 7, the electronic device may include a housing 71, a processor 72, a memory 73, a circuit board 74 and a power supply circuit 75, wherein the circuit board 74 is arranged inside the space enclosed by the housing 71, and the processor 72 and the memory 73 are arranged on the circuit board 74; the power supply circuit 75 supplies power to each circuit or component of the electronic device; the memory 73 stores executable program code; and the processor 72 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 73, so as to execute the method for determining an irrelevant node described in any of the foregoing embodiments.
The electronic device may take a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capability and are mainly aimed at providing voice and data communication. Such terminals include smartphones (e.g. iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, for example iPads.
(3) Portable entertainment devices: such devices can display and play multimedia content. This category includes audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: devices that provide computing services. A server includes a processor, hard disk, memory, system bus and the like; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services it has higher requirements for processing capacity, stability, reliability, security, scalability, manageability and so on.
(5) Other electronic devices with a data interaction function.
It is noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises that element.
The embodiments in this specification are described in a progressive manner; the same or similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, since the apparatus embodiment is substantially similar to the method embodiment, its description is relatively brief, and reference may be made to the corresponding parts of the description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.