TW202008749A - Domain name filtering method - Google Patents

Domain name filtering method


Publication number
TW202008749A
Authority
TW
Taiwan
Prior art keywords
name
domain
domain name
malicious
computer host
Prior art date
Application number
TW107125834A
Other languages
Chinese (zh)
Other versions
TWI677209B (en)
Inventor
詹益安
陳昱翰
蔡根元
Original Assignee
玉山商業銀行股份有限公司
Priority date
Filing date
Publication date
Application filed by 玉山商業銀行股份有限公司
Priority to TW107125834A
Application granted
Publication of TWI677209B
Publication of TW202008749A

Abstract

A domain name filtering method is implemented by a computer host and includes: detecting a plurality of packets to be transmitted to an external connection and acquiring the domain names corresponding to them; determining, based on an LSTM model, whether one of the domain names belongs to a malicious domain name; and, based on a CNAME list, when it is determined that one of the domain names belongs to the malicious domain name and does not belong to the CNAME list, blocking the corresponding packet from being transmitted. The method can instantly find abnormal domain names suspected of having been generated by a domain generation algorithm (DGA) and immediately block devices infected by malware from connecting externally, so that the enterprise avoids larger loss and damage.

Description

Domain name filtering method

The present invention relates to a filtering method, and in particular to a domain name filtering method.

Among constantly evolving network attacks, domain fluxing is a technique in which malware uses a domain generation algorithm (DGA) to produce a large number of domain names and uses them to establish malicious connections to command-and-control (C&C) servers.

In conventional security defence, building a blacklist to block malicious connections is a common practice. Against malware that uses a domain generation algorithm (DGA), however, this approach faces the following problems: first, blacklist updates are not timely enough; second, when the blacklist grows large, it degrades the performance of the enterprise's internal and external network traffic. Existing analysis techniques derive the features of network traffic from behavioural statistics, computing the probability that a user has been infected by malware or that a behaviour pattern originates from malware, and from this infer which devices have been compromised. Features based on behavioural analysis, whether over a long or a short window, require a period of data collection before enough feature data exists to identify malicious connections, so they cannot meet the real-time requirement posed by emerging attack techniques. More seriously, when malware uses a DGA to generate domain names dynamically and continuously, a blacklist mechanism whose blocking is based on domain names becomes ineffective. Whether another solution exists therefore became a problem to be solved.

An object of the present invention is therefore to provide a domain name filtering method that improves on the conventional problems.

The domain name filtering method of the present invention is suitable for a computer host and is implemented by that computer host, and includes steps (a) to (c).

In step (a), a plurality of packets to be transmitted to an external connection are detected, and the domain names respectively corresponding to them are obtained.

In step (b), it is determined according to a long short-term memory model whether one of the domain names belongs to a malicious domain name.

In step (c), according to a canonical name (CNAME) list, when it is determined that one of the domain names belongs to the malicious domain name and does not belong to the CNAME list, the computer host blocks the corresponding packet from being transmitted.

In some embodiments, in step (c), the computer host determines that at least one of the domain names belongs respectively to a first malicious domain name, ..., an i-th malicious domain name, where i is a positive integer, and further determines that every Internet protocol (IP) address corresponding to the first through the i-th malicious domain name is the same; when, in addition, none of the first through the i-th malicious domain names belongs to the CNAME list, the computer host blocks the corresponding packets from being transmitted.

In other embodiments, in step (c), the computer host further consults a whitelist: when it is determined that one of the domain names belongs to the malicious domain name, does not belong to the CNAME list and does not belong to the whitelist, the computer host blocks the corresponding packet from being transmitted.

In other embodiments, in step (b), the computer host builds the long short-term memory model from the second-level and third-level domain labels of a plurality of domain names belonging to a whitelist and from the second-level and third-level domain labels of a plurality of domain names belonging to a blacklist.

In some embodiments, the domain name filtering method further includes a step (d), in which the computer host updates at least one of the whitelist and the blacklist according to the determination result for each domain name, so as to update the long short-term memory model.

The effect of the present invention is that, by detecting according to the long short-term memory model whether the domain name of each packet belongs to a malicious domain name, and then making a second determination according to the CNAME list, devices infected by malware can be blocked from connecting externally in real time, sparing the enterprise loss and damage; the infected devices can moreover be traced further, so that the malware on them can be eradicated.

Before the present invention is described in detail, it should be noted that in the following description similar elements are denoted by the same reference numerals.

Referring to FIG. 1, the domain name filtering method of the present invention is suitable for a computer host and includes steps S1 to S12.

In step S1, the computer host obtains a plurality of normal domain names and assigns them to a whitelist. For example, the computer host takes the top-ranked domain names of the Alexa website ranking as the normal domain names, such as google.com, esunbank.com and yahoo.com, but is not limited to these.

In step S2, the computer host obtains a plurality of abnormal domain names produced by domain generation algorithms (DGA) and assigns them to a blacklist. Such abnormal domain names are, for example, xyafilk.com and uiteeraab.com, but are not limited to these.

In step S3, the computer host builds a long short-term memory (LSTM) model relating to domain names. Long short-term memory is a kind of recurrent neural network (RNN): by building a model with a "remember and forget" mechanism, it analyses the relationships between words and their surrounding context and thereby performs semantic analysis.

In more detail, the LSTM model is a known technique: a binary classification model built with a neural-network framework. Its construction is briefly explained as follows. The computer host takes the whitelist of step S1 and labels the normal domain names as samples of normal domains. The computer host likewise takes the blacklist of step S2 and labels the abnormal domain names as samples of abnormal domains.

In this embodiment, for each domain name in the whitelist and the blacklist, the computer host first removes the top-level domain (TLD) from the full domain name and retains the strings of its second-level domain (SLD) and third-level domain. For example, if the full domain name is www.google.com.tw, the top-level domain is tw, the second-level domain is com and the third-level domain is google, so the retained strings are google and com.

Next, the computer host extracts the first eight characters of each string and converts each extracted string into a vector; that is, it maps each character to a predetermined numeric value and, when the extracted string is shorter than eight characters, pads it with the value 0. For example, a, b, c, ..., z, ..., -, _ are converted respectively to the values 1, 2, 3, ..., 26, ..., 36, 37, and so on. For example, the strings google, esunbank, yahoo, xyafilk and uiteeraaa are first extracted as the strings google, esunbank, yahoo, xyafilk and uiteeraa, and then converted into the vectors [7,15,15,7,12,5,0,0], [5,19,21,14,2,1,14,11], [25,1,8,15,15,0,0,0], [24,25,1,6,9,12,11,0] and [21,9,20,5,5,18,1,1] respectively.

The LSTM model takes two kinds of samples as input data: the vectors converted from the strings of the normal domains in the whitelist and the vectors converted from the strings of the abnormal domains in the blacklist. It is trained to distinguish whether a domain name is normal by repeatedly performing forward propagation and back propagation, and the model is then corrected by a given optimization algorithm. In addition, during model construction, the accuracy of the model is assessed through commonly used evaluation metrics for its domain-name judgements, such as precision, recall and the F1 value.
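The preprocessing of steps S1 to S3 (drop the TLD, keep the third- and second-level labels, take the first eight characters, map characters to integers, zero-pad) and the precision/recall/F1 assessment mentioned above, written out as an added example in Python. This is not code from the patent or its assignee. The character table is the one the description states (a..z to 1..26, "-" to 36, "_" to 37); the description does not give values for digits, so assigning them 38..47 is an assumption, as is treating a score exactly equal to the threshold as malicious. The sample domain lists are constructed from the description's own examples.

```python
# Added example (not from the patent): step S3 character encoding plus the
# precision/recall/F1 check used while building the model.

# Table stated in the description: a..z -> 1..26, '-' -> 36, '_' -> 37.
# The description leaves the values between 26 and 36 unstated; digits are
# ASSUMED here to take 38..47 so the stated values are left untouched.
CHAR_TO_INT = {c: i + 1 for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
CHAR_TO_INT["-"] = 36
CHAR_TO_INT["_"] = 37
CHAR_TO_INT.update({d: 38 + int(d) for d in "0123456789"})
VECTOR_LEN = 8  # the description's eight-character window


def training_labels(fqdn):
    """Drop the top-level label and keep the third- and second-level labels,
    mirroring www.google.com.tw -> ['google', 'com'] from the description.
    This is the patent's plain label split, not a public-suffix-list split."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return []             # a bare TLD leaves nothing to keep
    return labels[-3:-1]      # third-level (if present) then second-level


def encode(label):
    """First eight characters -> integer vector, zero-padded on the right.
    Characters absent from the table map to 0 (assumption)."""
    vec = [CHAR_TO_INT.get(c, 0) for c in label.lower()[:VECTOR_LEN]]
    return vec + [0] * (VECTOR_LEN - len(vec))


def build_samples(whitelist, blacklist):
    """Label 0 = normal (whitelist sample), 1 = abnormal (blacklist sample)."""
    samples = []
    for names, label in ((whitelist, 0), (blacklist, 1)):
        for fqdn in names:
            samples.extend((encode(s), label) for s in training_labels(fqdn))
    return samples


def precision_recall_f1(scores, truths, threshold=0.9):
    """Score >= threshold counts as a malicious verdict (the equality case is
    an assumption; the description only shows '<' and '>' examples)."""
    tp = fp = fn = 0
    for score, truth in zip(scores, truths):
        predicted = score >= threshold
        if predicted and truth:
            tp += 1
        elif predicted:
            fp += 1
        elif truth:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


if __name__ == "__main__":
    # Constructed sample lists, taken from the description's examples.
    white = ["google.com", "esunbank.com", "yahoo.com"]
    black = ["xyafilk.com", "uiteeraab.com"]
    for vec, label in build_samples(white, black):
        print(label, vec)
```

The vectors printed for the constructed lists match the ones given in the description; `precision_recall_f1` takes the model's judgement values and the sample labels and returns the three metrics the description names.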

In step S4, the computer host detects a plurality of packets to be transmitted to an external connection and obtains the domain names respectively corresponding to the packets; that is, each packet includes the domain name to which it is to be transmitted.

In step S5, the computer host determines, according to the LSTM model, whether one of the domain names belongs to a malicious domain name. When it determines that the domain name does not belong to a malicious domain name, step S6 is executed; when it determines that the domain name belongs to a malicious domain name, step S7 is executed. More specifically, the computer host extracts the longest string in the domain name of each detected packet, truncates it to eight characters when it is longer than eight characters, and converts it numerically to obtain a vector. The LSTM model receives the vector, uses it to judge whether the name belongs to a malicious (abnormal) domain name, and outputs a number between 0 and 1 as a judgement value, such as 0.4 or 0.98. The LSTM model has a preset threshold, for example 0.9: when the judgement value is below the threshold, for example 0.4 < 0.9, the domain name is judged not to belong to a malicious domain name; conversely, when the judgement value is above the threshold, for example 0.98 > 0.9, the domain name is judged to belong to a malicious domain name.

In other embodiments, the computer host determines that at least one of the domain names belongs respectively to a first malicious domain name, ..., an i-th malicious domain name, i being a positive integer, and executes step S7 only when it further determines that every Internet protocol (IP) address corresponding to the first through the i-th malicious domain name is the same.

For example, the computer host detects nine packets to be transmitted, the first through the ninth packet, and the first through the ninth domain names corresponding to them are judged to belong to a first through a ninth malicious domain name respectively. The computer host further examines the first through the ninth IP addresses corresponding to the first through the ninth malicious domain names. Suppose the third through the eighth IP addresses, corresponding to the third through the eighth malicious domain names, are all the same; then the computer host continues to step S7 for the third through the eighth domain names. In other words, the third through the eighth malicious domain names have not only been judged to be abnormal domain names (that is, malicious domain names), but their source device (that is, the IP address) also corresponds to multiple connections (that is, multiple domain names), which indicates that the device that sent those packets through the computer host is very likely compromised and is attempting to reach a C&C server by domain fluxing.

Similarly, suppose the first, second and ninth IP addresses, corresponding to the first, second and ninth malicious domain names, are all different; then the computer host continues to step S6, that is, it does not block transmission of the first, second and ninth packets. In other words, although the first, second and ninth malicious domain names have been judged to be abnormal domain names (that is, malicious domain names), when the source device (IP address) does not correspond to multiple connections (multiple domain names), it is more likely that the names result from non-malicious typing errors by a user.

In step S6, the computer host lets the corresponding packet continue to be transmitted.

In step S7, the computer host determines whether the domain name that belongs to a malicious domain name belongs to a canonical name (CNAME) list. When it determines that the domain name belongs to the CNAME list, step S8 is executed; when it determines that the domain name does not belong to the CNAME list, step S9 is executed. It should also be noted that, while detecting each packet to be transmitted to an external connection, whenever any packet carries a canonical name record (also called an alias record; CNAME record), the computer host stores every domain name in each such record, and these stored names form the CNAME list.

In step S8, the computer host lets the corresponding packet continue to be transmitted.

In step S9, the computer host determines whether the domain name that belongs to a malicious domain name and does not belong to the CNAME list belongs to a whitelist. When it determines that the domain name belongs to the whitelist, step S10 is executed; when it determines that the domain name does not belong to the whitelist, step S11 is executed. In more detail, the whitelist is, for example, the top one million domain names of the Alexa website ranking. The whitelist of step S9 need not have the same content as the whitelist of step S1; for example, the two may contain different numbers of domain names. In other embodiments, step S9 may also be omitted.

In step S10, the computer host lets the corresponding packet continue to be transmitted.

In step S11, the computer host blocks the corresponding packet from being transmitted. In this embodiment, the computer host inspects the domain name of each packet one by one: when it determines that the domain name of one packet belongs to a malicious domain name, it blocks that packet immediately instead of transmitting it, and when it then determines that the domain name of another packet belongs to another malicious domain name, it likewise blocks that other packet immediately.
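The decision flow of steps S4 to S11, including the same-source-IP variant of the nine-packet example and the building of the CNAME list from observed CNAME records, as an added Python example that is not code from the patent or its assignee. The LSTM is represented by a caller-supplied score function; the scores, packets, DNS records and whitelist below are constructed for the example (reserved .test names and documentation IP addresses), and the names and function signatures are the example's own. Matching the CNAME list and whitelist by exact full domain name is a simplification the description does not specify.

```python
# Added example (not from the patent): steps S4-S11 as a decision pipeline.
from collections import Counter

THRESHOLD = 0.9   # the description's example threshold
MAX_LEN = 8       # step S5 cuts the longest label to eight characters


def normalize(fqdn):
    return fqdn.lower().rstrip(".")


def longest_label(fqdn):
    """Step S5 preprocessing: the longest dot-separated label, cut to eight chars."""
    return max(normalize(fqdn).split("."), key=len)[:MAX_LEN]


def collect_cname_list(records):
    """Step S7's CNAME list: every name seen in a CNAME record of the observed
    traffic (owner name and target). records are (name, type, data) tuples."""
    names = set()
    for name, rtype, data in records:
        if rtype.upper() == "CNAME":
            names.add(normalize(name))
            names.add(normalize(data))
    return names


def filter_packets(packets, score_fn, cname_list, whitelist=frozenset(),
                   threshold=THRESHOLD, require_shared_source=True):
    """packets: (source_ip, destination_fqdn) pairs; score_fn stands in for the
    LSTM and maps an eight-character label to a value in [0, 1].
    Returns one (fqdn, verdict, deciding_step) per packet, in input order.
    A score equal to the threshold is treated as malicious (assumption)."""
    verdicts = [None] * len(packets)
    flagged = []  # indices whose score reached the threshold at S5
    for i, (_, fqdn) in enumerate(packets):
        if score_fn(longest_label(fqdn)) >= threshold:
            flagged.append(i)
        else:
            verdicts[i] = (fqdn, "allow", "S6")

    if require_shared_source:
        # Variant from the description: proceed to S7 only for flagged names
        # whose source IP is behind more than one flagged name; a lone flagged
        # name is treated as a likely typing error and allowed at S6.
        per_source = Counter(packets[i][0] for i in flagged)
        still_flagged = []
        for i in flagged:
            if per_source[packets[i][0]] >= 2:
                still_flagged.append(i)
            else:
                verdicts[i] = (packets[i][1], "allow", "S6")
        flagged = still_flagged

    for i in flagged:
        fqdn = packets[i][1]
        if normalize(fqdn) in cname_list:        # S7 -> S8
            verdicts[i] = (fqdn, "allow", "S8")
        elif normalize(fqdn) in whitelist:       # S9 -> S10
            verdicts[i] = (fqdn, "allow", "S10")
        else:                                    # S9 -> S11
            verdicts[i] = (fqdn, "block", "S11")
    return verdicts


# ---- constructed scenario, not from the patent ----
CONSTRUCTED_SCORES = {  # keyed by the eight-character label the scorer sees
    "qzkvpwrt": 0.40, "mbxdqlwz": 0.97, "xyafilkz": 0.98, "uiteeraa": 0.96,
    "cdn-a1b2": 0.93, "payroll1": 0.91, "pqrstvwx": 0.99, "zxqwvbnm": 0.95,
    "lkjhgfds": 0.92,
}


def fake_score(label):
    """Stand-in for the LSTM output (constructed values)."""
    return CONSTRUCTED_SCORES.get(label, 0.5)


PACKETS = [  # (source IP, destination domain), all constructed
    ("10.0.0.1", "qzkvpwrt.test"),    # below threshold -> S6
    ("10.0.0.2", "mbxdqlwz.test"),    # flagged, lone name from its source -> S6
    ("10.0.0.3", "xyafilkz.test"),
    ("10.0.0.3", "uiteeraab.test"),
    ("10.0.0.3", "cdn-a1b2c3.test"),  # in the CNAME list -> S8
    ("10.0.0.3", "payroll1.test"),    # in the whitelist -> S10
    ("10.0.0.3", "pqrstvwx.test"),
    ("10.0.0.3", "zxqwvbnm.test"),
    ("10.0.0.9", "lkjhgfds.test"),    # flagged, lone name from its source -> S6
]
DNS_RECORDS = [  # constructed answers seen in the same traffic
    ("cdn-a1b2c3.test", "CNAME", "edge.cdn-provider.test"),
    ("mail.corp.test", "A", "192.0.2.10"),
]
WHITELIST = {"payroll1.test"}


def run_example():
    return filter_packets(PACKETS, fake_score, collect_cname_list(DNS_RECORDS), WHITELIST)


if __name__ == "__main__":
    for fqdn, verdict, step in run_example():
        print(f"{fqdn:18} {verdict:5} decided at {step}")
```

Run as a script it prints the verdict and deciding step for each of the nine packets: the six names behind 10.0.0.3 reach S7, of which one is released by the CNAME list, one by the whitelist and four are blocked, while the lone flagged names from 10.0.0.2 and 10.0.0.9 are allowed at S6. Passing `require_shared_source=False` gives the base behaviour of step S5, where every name over the threshold proceeds to S7.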

In step S12, the computer host periodically updates at least one of the whitelist and the blacklist according to the determination result for each domain name, so as to update the LSTM model, for example every month, but not limited to this.

It should be added that in this embodiment steps S1 to S12 are all carried out by the same computer host (for example a server), whereas in other embodiments steps S1 to S12 may be carried out by different computer hosts. For example, steps S1 to S4 may be carried out by one computer host and steps S5 to S12 by several computer hosts, such as a proxy server or a domain name system (DNS) server among the enterprise's internal network devices.

In summary, the domain name filtering method requires only simple data features: it analyses only the domain name of a packet, without collecting data over a time window, and can thereby identify domain names suspected of having been generated by a DGA; it then makes a further determination and confirmation according to the CNAME list, or according to the CNAME list together with the whitelist, so as to block malicious connections in real time. Furthermore, the LSTM model does not need the overly complex stacking of hidden layers that most neural networks require, so it computes quickly and can detect abnormal domain names in real time. In addition, real-time detection of abnormal domain names reveals the sources of malicious domain names, so that compromised devices can be discovered earlier. The object of the present invention is therefore indeed achieved.

The foregoing is merely an embodiment of the present invention and cannot limit the scope of its implementation; all simple equivalent changes and modifications made according to the claims and the content of the specification of the present invention remain within the scope covered by the patent of the present invention.

S1~S12: steps

Other features and effects of the present invention will become clear from the embodiments described with reference to the drawings, in which: FIG. 1 is a flowchart illustrating an embodiment of the domain name filtering method of the present invention.


Claims (5)

1. A domain name filtering method, suitable for a computer host and implemented by the computer host, the domain name filtering method comprising the following steps: (a) detecting a plurality of packets to be transmitted to an external connection and obtaining the domain names respectively corresponding to them; (b) determining, according to a long short-term memory model, whether one of the domain names belongs to a malicious domain name; and (c) according to a canonical name (CNAME) list, when it is determined that one of the domain names belongs to the malicious domain name and does not belong to the CNAME list, the computer host blocking the corresponding packet from being transmitted.

2. The domain name filtering method of claim 1, wherein in step (c) the computer host determines that at least one of the domain names belongs respectively to a first malicious domain name, ..., an i-th malicious domain name, i being a positive integer, and further determines that every Internet protocol (IP) address corresponding to the first through the i-th malicious domain name is the same, and, when none of the first through the i-th malicious domain names belongs to the CNAME list, blocks the corresponding packets from being transmitted.

3. The domain name filtering method of claim 1, wherein in step (c) the computer host further consults a whitelist and, when it is determined that one of the domain names belongs to the malicious domain name, does not belong to the CNAME list and does not belong to the whitelist, blocks the corresponding packet from being transmitted.

4. The domain name filtering method of claim 1, wherein in step (b) the computer host builds the long short-term memory model from the second-level and third-level domain labels of a plurality of domain names belonging to a whitelist and from the second-level and third-level domain labels of a plurality of domain names belonging to a blacklist.

5. The domain name filtering method of claim 4, further comprising a step (d) in which the computer host updates at least one of the whitelist and the blacklist according to the determination result for each domain name, so as to update the long short-term memory model.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107125834A TWI677209B (en) 2018-07-26 2018-07-26 Domain name filtering method


Publications (2)

Publication Number Publication Date
TWI677209B TWI677209B (en) 2019-11-11
TW202008749A (en) 2020-02-16

Family

ID=69188865


Country Status (1)

Country Link
TW (1) TWI677209B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11558352B2 (en) 2020-10-19 2023-01-17 Cycraft Singapore Pte. Ltd. Cyber security protection system and related proactive suspicious domain alert system
TWI761122B (en) * 2020-10-19 2022-04-11 新加坡商賽博創新新加坡股份有限公司 Cyber security protection system and related proactive suspicious domain alert system
CN116318845A (en) * 2023-02-09 2023-06-23 国家计算机网络与信息安全管理中心甘肃分中心 DGA domain name detection method under unbalanced proportion condition of positive and negative samples

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10185761B2 (en) * 2015-08-07 2019-01-22 Cisco Technology, Inc. Domain classification based on domain name system (DNS) traffic
US10075458B2 (en) * 2016-04-29 2018-09-11 International Business Machines Corporation Cognitive and contextual detection of malicious DNS

