WO2024027079A1 - Domain-name reflection attack detection method and apparatus, and electronic device and storage medium - Google Patents


Info

Publication number
WO2024027079A1
Authority
WO
WIPO (PCT)
Prior art keywords
request
time windows
domain name
time
requests
Prior art date
Application number
PCT/CN2022/140321
Other languages
French (fr)
Chinese (zh)
Inventor
刘东鑫
汪来富
史国水
温展鹏
肖宇峰
Original Assignee
中国电信股份有限公司 (China Telecom Corporation Limited)
Priority date
Filing date
Publication date
Application filed by 中国电信股份有限公司 (China Telecom Corporation Limited)
Publication of WO2024027079A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1458 Denial of Service

Definitions

  • the present disclosure relates to the field of security technology, and specifically to a domain name reflection attack detection method and device, electronic equipment, and computer-readable storage media.
  • DNS: Domain Name System
  • Major operators have built network-wide DNS resolution systems. A network-wide DNS system of this kind cannot restrict the source IP range of the queries it answers, so it objectively becomes a resource that attackers can use for traffic reflection attacks.
  • DNS reflection attacks have repeatedly set new records for peak attack traffic and have become the main focus of abnormal-traffic protection for today's Internet infrastructure. On the DNS server side, the ability to detect DNS reflection attacks is therefore crucial for emergency response.
  • embodiments of the present disclosure provide a domain name reflection attack detection method and device, electronic equipment, and computer-readable storage media, aiming to solve the technical problem of low accuracy of DNS reflection attack detection.
  • a domain name reflection attack detection method including:
  • a domain name reflection attack detection device including:
  • an acquisition module configured to obtain the number of domain name resolution requests initiated by the request object to be detected within each of multiple time windows;
  • a construction module configured to arrange the request counts of the multiple time windows according to a preset time relationship to obtain at least two request sequences;
  • a calculation module configured to calculate the correlation coefficient between the at least two request sequences;
  • a determination module configured to determine, based on the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack.
  • an electronic device including: one or more processors; a storage device configured to store one or more programs.
  • the electronic device implements the domain name reflection attack detection method as described above.
  • a computer-readable storage medium having computer-readable instructions stored thereon.
  • when the computer-readable instructions are executed by a processor of a computer, the computer is caused to perform the domain name reflection attack detection method described above.
  • a computer program product or computer program including computer instructions stored in a computer-readable storage medium.
  • the processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the domain name reflection attack detection method provided in the above various optional embodiments.
  • forged domain name resolution requests behave in a highly self-similar way across time windows, whereas normal domain name resolution behavior is unpredictable.
  • the embodiment of the present disclosure therefore constructs request sequences from the number of domain name resolution requests initiated by the request object to be detected in multiple time windows.
  • the request sequences characterize the behavior of the request object to be detected across those time windows; a correlation coefficient is calculated between the sequences, and from the correlation coefficient it can be accurately determined whether the request object to be detected has initiated a domain name reflection attack.
  • the domain name reflection attack detection method provided by the disclosure can thus promptly and accurately determine whether a domain name reflection attack has been initiated.
  • Figure 1 is a schematic diagram of an implementation environment related to the present disclosure.
  • Figure 2 is a flow chart of a domain name reflection attack detection method related to the present disclosure.
  • FIG. 3 is a flowchart of step S210 in one embodiment of the present disclosure.
  • FIG. 4 is a flowchart of step S220 in one embodiment of the present disclosure.
  • FIG. 5 is a flowchart of step S410 in one embodiment of the present disclosure.
  • Figure 6 is a schematic diagram of determining the first time window and the second time window in one embodiment of the present disclosure.
  • FIG. 7 is a schematic diagram of determining the first time window and the second time window in another embodiment of the present disclosure.
  • FIG. 8 is a flowchart of step S230 in one embodiment of the present disclosure.
  • FIG. 9 is a flowchart of step S820 in one embodiment of the present disclosure.
  • FIG. 10 is a flowchart of step S240 in one embodiment of the present disclosure.
  • Figure 11 is a flow chart of a domain name reflection attack detection method related to the present disclosure.
  • Figure 12 is a block diagram of a domain name reflection attack detection device related to the present disclosure.
  • FIG. 13 shows a schematic structural diagram of a computer system suitable for implementing an electronic device according to an embodiment of the present disclosure.
  • IP address: Internet Protocol address
  • a source IP address initiates a DNS request to the DNS server.
  • the DNS server performs domain name resolution based on the DNS request, obtains a DNS reply packet, and returns the DNS reply packet to the source IP address.
  • the DNS reply packet obtained after resolution is larger than the DNS request. A reflection attack takes advantage of this amplification: the attacker forges the IP address of the victim network as the source and sends DNS requests to the DNS server with that address, so the traffic of the larger DNS reply packets is directed at servers on the victim's network.
  • FIG. 1 is a schematic diagram of an implementation environment related to the present disclosure.
  • the implementation environment includes the botnet Zombie110, the DNS server 120, and the victim network Victim130.
  • the botnet Zombie110, the DNS server 120, and the victim network Victim130 communicate with each other through wired or wireless networks.
  • the botnet Zombie110 sends DNS requests to the DNS server 120 with the source address forged as the victim network Victim130. The DNS server 120 resolves each request and produces a DNS reply packet larger than the request (the amplification), which it sends to the victim network Victim130. The attacker repeats this many times through the botnet Zombie110 in order to attack the victim network Victim130.
  • the domain name reflection attack detection method constructs request sequences from the number of domain name resolution requests initiated by the request object to be detected in multiple time windows.
  • the request sequences characterize the behavior of the request object to be detected across those time windows. Across different time windows, forged domain name resolution request behavior is highly self-similar, whereas normal domain name resolution request behavior is unpredictable.
  • calculating the correlation coefficient from the request sequences and then deciding on the basis of that coefficient whether the request object to be detected has initiated a domain name reflection attack therefore allows a timely and accurate determination.
  • Figure 2 is a flow chart of a domain name reflection attack detection method according to an exemplary embodiment. This method can be applied to the implementation environment shown in Figure 1, and is specifically executed by the DNS server 120 in the implementation environment shown in Figure 1.
  • the domain name reflection attack detection method may include steps S210 to S240, which are described in detail as follows:
  • Step S210 Obtain the number of domain name resolution requests initiated by the request object to be detected within multiple time windows.
  • the request object to be detected is a source IP that sends domain name resolution requests to the DNS server.
  • the source IP and the timestamp at which the source IP sent each domain name resolution request can be obtained.
  • from the timestamps, the number of domain name resolution requests initiated by the request object to be detected in each of the multiple time windows is obtained. If the request object to be detected initiated no domain name resolution request within a given time window, the request count for that time window is recorded as 0.
  • before step S210 (obtaining the number of domain name resolution requests initiated by the request object to be detected within multiple time windows), the method also includes steps S310 and S320, described in detail as follows:
  • Step S310 Obtain the request object that initiated the domain name resolution request within the specified time window, and count the number of requests that the request object initiated the domain name resolution request within the specified time window.
  • the request objects that sent domain name resolution requests to the DNS server within the specified time window are obtained by parsing DNS network traffic or DNS system logs, and the number of domain name resolution requests sent by each request object within the specified time window is counted. For example, within the specified time window, a total of
  • Step S320 Determine the request object to be detected from the request objects based on the relationship between the request quantity and the preset quantity threshold.
  • a preset quantity threshold is set in advance.
  • request objects whose request count is smaller than the preset quantity threshold are filtered out, and the remaining request objects are used as the request objects to be detected.
  • the request objects to be detected can be sorted in descending order of request count, and each request object to be detected is then examined in that order to determine whether it has initiated a domain name reflection attack.
  • Step S220 Arrange the request counts of the multiple time windows according to the preset time relationship to obtain at least two request sequences.
  • a request sequence is constructed for each request object to be detected from its request counts in the time windows that stand in the preset time relationship. For the same request object to be detected, forged domain name resolution request behavior is highly self-similar across different time windows, so request sequences built from the request counts can characterize the behavior of the request object to be detected.
  • each request sequence consists of the request counts of its corresponding time windows, and every request sequence corresponds to the same number of time windows.
  • step S220 (arranging the request counts of the multiple time windows according to the preset time relationship to obtain at least two request sequences) includes steps S410 and S420, described in detail as follows:
  • Step S410 Divide multiple time windows into multiple first time windows and multiple second time windows according to a preset time relationship.
  • first time windows and second time windows are selected from among the multiple time windows.
  • the total number of first time windows and second time windows may be less than or equal to the number of time windows.
  • the multiple time windows can be the n time windows within the cache time immediately preceding the specified time window of the request object to be detected, or the n time windows within the cache time immediately following it; or the p time windows immediately before the specified time window and the q time windows immediately after it together form the multiple time windows, where p+q+1 equals the number of time windows n in the cache time and both p and q are greater than or equal to k.
  • the first time windows and the second time windows are selected from the n time windows. The number of first time windows equals the number of second time windows, and their sum need not equal n.
  • within the cache time T, the request objects seen in the latest time window t are added, and request objects older than the cache time T are cleared and released.
  • the DNS server thus always holds the request objects of the newest time window t, while request objects that are no longer needed are released after the cache time T to reduce the storage pressure on the DNS server.
  • Step S420 Construct a first request sequence based on the number of requests in multiple first time windows, and construct a second request sequence based on the number of requests in multiple second time windows.
  • the first request sequence is constructed from the request counts of the first time windows: the multiple first time windows are arranged in time order, and the first request sequence is built from their request counts in that order.
  • a request sequence is generated in the dictionary format {src_IP: [request count 1, request count 2, ..., request count k]}; for example, the first request sequence 1.1.1.1: [20, 20, ...] holds the request counts of k time windows, and 1.1.1.1 denotes the request object to be detected whose source IP address is 1.1.1.1.
  • the second request sequence is constructed from the request counts of the second time windows in the same way: the multiple second time windows are arranged in time order, and the second request sequence is built from their request counts in that order.
  • in one embodiment the multiple time windows are consecutive time windows, and step S410 (dividing the multiple time windows into multiple first time windows and multiple second time windows) includes steps S510 and S520, described in detail as follows:
  • Step S510 Determine a specified number of consecutive time windows as multiple first time windows among multiple consecutive time windows.
  • the multiple time windows are the n time windows within the cache time immediately preceding the specified time window of the request object to be detected, or the n time windows within the cache time immediately following that specified time window.
  • once these n time windows are obtained, the first k consecutive time windows in time order can be taken as the first time windows.
  • for the multiple time windows shown in Figure 6, which are the n time windows within the cache time immediately preceding the specified time window of the request object to be detected, the 1st to kth time windows are used directly as the first time windows.
  • alternatively, k consecutive time windows are determined among the first p time windows as the first time windows, or k consecutive time windows are determined among the last q time windows as the first time windows, as shown in Figure 7.
  • in Figure 7, A indicates the specified time window.
  • the time windows to the left of A are the first p time windows, and the time windows to the right of A are the next q time windows.
  • the 1st to kth time windows among the first p time windows are used directly as the first time windows.
  • Step S520 Among the time windows other than the first time windows, determine a specified number of time windows as the multiple second time windows, where the latest of the multiple first time windows is earlier than the earliest of the multiple second time windows.
  • k time windows are obtained at random, among the time windows other than the first time windows, as the second time windows.
  • the above formula derives a random number m in the range [1, n-k] from the current system time, where time denotes the current system time, i+1 denotes which second time window is being computed, and i ranges over [0, k-1]; the (m+k)-th time window is then taken as a second time window, and the computation is repeated k times to obtain the required k time windows. If the computed random numbers contain duplicates, the computation is repeated until k distinct time windows have been taken as the second time windows.
  • when the first time windows are determined among the first p time windows, k time windows are randomly determined among the next q time windows as the second time windows.
  • the Shuffle algorithm is used to randomly determine the k second time windows: the current system time is obtained and used as the random factor from which a random number is calculated.
  • when the multiple time windows are the n time windows within the cache time immediately preceding the specified time window of the request object to be detected, or the n time windows within the cache time immediately following it,
  • the last k consecutive time windows can also be taken as the first time windows, and k time windows are then randomly determined among the remaining time windows as the second time windows.
  • the k second time windows are again randomly determined by the Shuffle algorithm, as described above.
  • alternatively, k time windows can be randomly determined among the first p time windows as the second time windows, and k consecutive time windows are determined among the next q time windows as the first time windows; the k random time windows are again determined by the Shuffle algorithm, as described above.
  • Step S230 Calculate the correlation coefficient between at least two request sequences.
  • the correlation coefficient between the at least two request sequences is calculated. If there are exactly two request sequences, the correlation coefficient between them is calculated directly; if there are more than two, the correlation coefficient between each pair of request sequences is calculated, the average of these pairwise coefficients is taken, and that average is used as the correlation coefficient between the at least two request sequences.
  • the at least two request sequences include a first request sequence and a second request sequence, and step S230 (calculating the correlation coefficient between the at least two request sequences) includes steps S810 and S820, described in detail as follows:
  • Step S810 perform an averaging operation on the number of requests included in the first request sequence to obtain a first average value, and perform an averaging operation on the number of requests included in the second request sequence to obtain a second average value.
  • the first mean value is calculated from the request counts in the first request sequence.
  • the second average value is calculated according to the number of requests in the second request sequence.
  • Step S820 Calculate the correlation coefficient between the first request sequence and the second request sequence based on the first mean value, the second mean value, the first request sequence, and the second request sequence.
  • the correlation coefficient between the first request sequence and the second request sequence is calculated from the first mean value, the second mean value, the first request sequence, and the second request sequence.
  • step S820 (calculating the correlation coefficient between the first request sequence and the second request sequence from the first mean value, the second mean value, the first request sequence, and the second request sequence) includes steps S910 and S920, described in detail as follows:
  • Step S910 Subtract the first mean value from each request count in the first request sequence to obtain a plurality of first difference values, and subtract the second mean value from each request count in the second request sequence to obtain a plurality of second difference values.
  • that is, the first mean value is subtracted from each request count in the first request sequence to obtain the first difference values, and the second mean value is subtracted from each request count in the second request sequence to obtain the second difference values.
  • Step S920 Calculate the correlation coefficient between the first request sequence and the second request sequence based on the plurality of first difference values and the plurality of second difference values.
  • the correlation coefficient between the first request sequence and the second request sequence is calculated based on a plurality of first difference values and second difference values.
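  • Written out (added here; the page states the steps but does not print the formula), steps S810 to S920 are the standard Pearson correlation between the first request sequence $X=(x_1,\dots,x_k)$ and the second request sequence $Y=(y_1,\dots,y_k)$:

$$\bar X=\frac{1}{k}\sum_{i=1}^{k}x_i,\qquad \bar Y=\frac{1}{k}\sum_{i=1}^{k}y_i \quad\text{(S810)}$$

$$d_i=x_i-\bar X,\qquad e_i=y_i-\bar Y,\qquad i=1,\dots,k \quad\text{(S910)}$$

$$r=\frac{\sum_{i=1}^{k}d_i\,e_i}{\sqrt{\sum_{i=1}^{k}d_i^{2}}\;\sqrt{\sum_{i=1}^{k}e_i^{2}}} \quad\text{(S920)}$$

$r$ lies in $[-1,1]$, and $r\ge 0.5$ (the preset threshold given below) is treated as self-similar behavior. Note that $r$ is undefined when either sequence is constant (all $d_i=0$ or all $e_i=0$), which is exactly the constant-rate case of the example 1.1.1.1: [20, 20, ...] above, so an implementation has to decide that case separately before dividing.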
  • Step S240 Determine whether the request object to be detected initiates a domain name reflection attack based on the correlation coefficient between at least two request sequences.
  • forged domain name resolution request behavior is highly self-similar, whereas normal domain name resolution request behavior is unpredictable.
  • the correlation coefficient therefore shows whether the domain name resolution request behaviors initiated by the request object to be detected in different time windows are similar.
  • on this basis the embodiment of the present disclosure constructs request sequences from the number of domain name resolution requests initiated by the request object to be detected in multiple time windows.
  • the request sequences characterize the behavior of the request object to be detected across those time windows; the correlation coefficient is calculated from the request sequences, and from the correlation coefficient it can be accurately determined whether the request object to be detected has initiated a domain name reflection attack.
  • the domain name reflection attack detection method provided by the present disclosure performs this detection while domain name resolution requests are being received, and can therefore determine promptly and accurately whether a domain name reflection attack has been initiated.
  • step S240 it is determined whether the request object to be detected initiates a domain name reflection attack based on the correlation coefficient between at least two request sequences, including steps S1010 to step S1030.
  • the details are as follows:
  • Step S1010 Detect the relationship between the correlation coefficients of at least two request sequences and the preset threshold, and obtain the detection result.
  • the relationship between the correlation coefficient and the preset threshold is detected, that is, the correlation coefficient is compared with the preset threshold to obtain the detection result, and the preset threshold can be set to 0.5.
  • Step S1020 If the detection result indicates that the correlation coefficient is greater than or equal to the preset threshold, it is determined that the request object to be detected initiates a domain name reflection attack.
  • if the correlation coefficient is greater than or equal to the preset threshold, it is determined that the request object to be detected has initiated a domain name reflection attack; preset alarm information is generated and sent to the victim network Victim130, that is, to the source IP that the attacker forged through the botnet Zombie110, so as to alert the victim network Victim130.
  • Step S1030 If the detection result indicates that the correlation coefficient is less than the preset threshold, it is determined that the request object to be detected has not initiated a domain name reflection attack.
  • if the detection result indicates that the correlation coefficient is less than the preset threshold, the domain name resolution request behaviors initiated by the request object to be detected in different time windows are not similar, that is, the request object to be detected has not initiated a domain name reflection attack.
  • Figure 11 illustrates a domain name reflection attack detection method according to an exemplary embodiment, including steps S1110 to step S1180. The details are as follows:
  • Step S1110 Obtain the system log and parse the system log to obtain multiple request objects and the timestamps of domain name resolution requests initiated by the multiple request objects.
  • multiple request objects can be obtained, as well as the timestamp of the domain name resolution request sent by each request object.
  • Step S1120 According to the timestamp, obtain the request object that initiated the domain name resolution request within the specified time window, and count the number of requests that the request object initiated the domain name resolution request within the specified time window.
  • the time window t and the cache time T are pre-configured. From the timestamps, the request objects that initiated domain name resolution requests within the specified time window are determined. There are generally several request objects within one time window, and the number of requests of each request object is counted.
  • Step S1130 Determine the request object to be detected from the request objects based on the relationship between the request quantity and the preset quantity threshold.
  • a preset quantity threshold is set in advance; request objects whose request count within the specified time window is below the preset quantity threshold are filtered out, and the remaining request objects are used as the request objects to be detected. There may be several request objects to be detected at this point.
  • Step S1140 Obtain multiple time windows adjacent to the specified time window; among them, determine a specified number of consecutive time windows as the multiple first time windows, and use the Shuffle algorithm to randomly determine a specified number of time windows among the remaining time windows as the multiple second time windows, such that the latest of the multiple first time windows is earlier than the earliest of the multiple second time windows.
  • the n time windows within the cache time immediately preceding the specified time window are obtained, or the n time windows within the cache time immediately following it.
  • with the specified number k, k consecutive time windows among the n time windows are determined as the first time windows, and k time windows are then randomly determined among the remaining time windows by the Shuffle algorithm as the second time windows. Specifically, the 1st to kth of the n time windows are selected as the first time windows; for the second time windows only the (k+1)-th to n-th time windows are considered, and k of them are drawn at random by the Shuffle algorithm.
  • the first time windows are the same for every request object to be detected, and so are the second time windows, so they need not be determined separately for each request object to be detected, which reduces the amount of computation.
  • selecting the k second time windows by the Shuffle algorithm makes it possible to catch an attacker whose behavior stays highly similar over a relatively long time range, whereas normal DNS requests show considerable randomness. The Shuffle algorithm also greatly speeds up the subsequent correlation coefficient computation.
  • Step S1150 Construct a first request sequence of the request object to be detected based on a specified number of first time windows, and construct a second request sequence of the request object to be detected based on a specified number of second time windows.
  • a corresponding first request sequence is constructed according to the number of requests of each request object to be detected in the first time windows;
  • a corresponding second request sequence is constructed according to the number of requests of each request object to be detected in the second time windows.
  • Step S1160 Calculate the correlation coefficient of the request object to be detected according to the first request sequence and the second request sequence.
  • the corresponding correlation coefficient is calculated based on the first request sequence and the second request sequence corresponding to each request object to be detected.
  • the scheme for calculating the correlation coefficient has been described above and will not be described again here.
  • Step S1170 Detect the relationship between the correlation coefficient of the request object to be detected and the preset threshold, and obtain the detection result of the request object to be detected.
  • the correlation coefficient of each request object to be detected is compared with the preset threshold to obtain the corresponding detection result.
  • Step S1180 If the detection result indicates that the correlation coefficient of the request object to be detected is greater than or equal to the preset threshold, it is determined that the request object to be detected has initiated a domain name reflection attack, and preset alarm information is sent to the request object to be detected.
  • the request object to be detected is marked as having launched a domain name reflection attack.
  • when there are multiple request objects to be detected, preset alarm information is sent to each of them.
  • the forged domain name resolution request behavior is highly self-similar, while the normal domain name resolution request behavior is unpredictable.
  • the disclosed embodiment obtains the request object according to the system log, determines the request object to be detected according to the number of requests for domain name resolution requests initiated by the request object, and determines the first time window and the second time window of the request object to be detected from multiple time windows.
  • the first time windows are the same for every request object to be detected, and so are the second time windows, which reduces the amount of calculation to a certain extent.
  • the request sequences of each request object to be detected are constructed based on its number of requests in the first time windows and in the second time windows.
  • the request sequences can characterize the behavioral characteristics of the request object to be detected across multiple time windows.
  • the correlation coefficient is calculated based on the request sequences, and based on the correlation coefficient it can be accurately determined whether the request object to be detected has initiated a domain name reflection attack. At the same time, preset alarm information is generated and sent to the request object to be detected, that is, to the source IP forged by the attacker through the botnet Zombie110, to alert the victim network Victim130.
  • the domain name reflection attack detection method provided by this disclosure detects whether a domain name reflection attack is being initiated while domain name resolution requests are being received, and can therefore promptly and accurately determine whether a domain name reflection attack has been initiated.
  • Figure 12 illustrates a domain name reflection attack detection device according to an exemplary embodiment, including:
  • the acquisition module 1210 is configured to obtain the number of requests for domain name resolution requests initiated by the request object to be detected within multiple time windows;
  • the construction module 1220 is configured to construct the number of requests in multiple time windows according to the preset time relationship to obtain at least two request sequences;
  • the calculation module 1230 is configured to calculate the correlation coefficient between at least two request sequences
  • the determination module 1240 is configured to determine whether the request object to be detected initiates a domain name reflection attack based on the correlation coefficient between at least two request sequences.
  • building module 1220 includes:
  • a dividing sub-module configured to divide multiple time windows into multiple first time windows and multiple second time windows according to a preset time relationship
  • the construction sub-module is configured to construct a first request sequence based on the number of requests in multiple first time windows, and construct a second request sequence based on the number of requests in multiple second time windows.
  • the multiple time windows are continuous time windows; divided into sub-modules, including:
  • the first determination unit is configured to determine a specified number of consecutive time windows as multiple first time windows in multiple consecutive time windows;
  • the second determination unit is configured to determine a specified number of time windows as multiple second time windows among the time windows other than the first time windows; wherein the latest of the multiple first time windows is earlier than the earliest of the multiple second time windows.
  • At least two request sequences include a first request sequence and a second request sequence; the calculation module 1230 includes:
  • the operation submodule is configured to perform an averaging operation on the number of requests contained in the first request sequence to obtain a first average value, and perform an averaging operation on the number of requests contained in the second request sequence to obtain a second average value.
  • the calculation submodule is configured to calculate the correlation coefficient between the first request sequence and the second request sequence according to the first mean value, the second mean value, the first request sequence, and the second request sequence.
  • the calculation submodule includes:
  • the difference operation unit is configured to perform a difference operation between each request quantity contained in the first request sequence and the first mean value to obtain a plurality of first difference values, and to perform a difference operation between each request quantity contained in the second request sequence and the second mean value to obtain a plurality of second difference values;
  • the calculation unit is configured to calculate the correlation coefficient between the first request sequence and the second request sequence according to the plurality of first difference values and the plurality of second difference values.
  • the domain name reflection attack detection device further includes:
  • the acquisition unit is configured to obtain the request object that initiates the domain name resolution request within the specified time window, and counts the number of requests that the request object initiates the domain name resolution request within the specified time window;
  • the request object to be detected determining unit is configured to determine the request object to be detected from the request objects based on the relationship between the number of requests and the preset quantity threshold.
  • the determining module 1240 includes:
  • the detection submodule is configured to detect the relationship between the correlation coefficient of at least two request sequences and the preset threshold, and obtain the detection result;
  • the first determination sub-module is configured to determine that the request object to be detected has initiated a domain name reflection attack if the detection result indicates that the correlation coefficient is greater than or equal to the preset threshold;
  • the second determination sub-module is configured to determine that the request object to be detected has not initiated a domain name reflection attack if the detection result indicates that the correlation coefficient is less than the preset threshold.
  • Embodiments of the present disclosure also provide an electronic device, including: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement the domain name reflection attack detection method provided in the above embodiments.
  • FIG. 13 shows a schematic structural diagram of a computer system suitable for implementing an electronic device according to an embodiment of the present disclosure.
  • the computer system 1300 includes a central processing unit (CPU) 1301, which can perform various appropriate actions and processing, such as the method described in the above embodiment, according to a program stored in a read-only memory (ROM) 1302 or a program loaded from a storage part 1308 into a random access memory (RAM) 1303. RAM 1303 also stores various programs and data required for system operation.
  • CPU 1301, ROM 1302 and RAM 1303 are connected to each other through bus 1304.
  • An input/output (I/O) interface 1305 is also connected to bus 1304.
  • the following components are connected to the I/O interface 1305: an input part 1306 including a keyboard, a mouse, etc.; an output part 1307 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.; a storage part 1308 including a hard disk, etc.; and a communication part 1309 including a network interface card such as a LAN (Local Area Network) card, a modem, etc.
  • the communication section 1309 performs communication processing via a network such as the Internet.
  • Driver 1310 is also connected to I/O interface 1305 as needed.
  • Removable media 1311 such as magnetic disks, optical disks, magneto-optical disks, semiconductor memories, etc., are installed on the drive 1310 as needed, so that computer programs read therefrom are installed into the storage portion 1308 as needed.
  • embodiments of the present disclosure include a computer program product including a computer program carried on a computer-readable medium, the computer program comprising a computer program for performing the method illustrated in the flowchart.
  • the computer program may be downloaded and installed from the network via communications portion 1309, and/or installed from removable media 1311.
  • the computer-readable medium shown in the embodiments of the present disclosure may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the above two.
  • the computer-readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, device or device, or any combination thereof.
  • Computer-readable storage media may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard drive, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
  • a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying a computer-readable computer program therein. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the above.
  • a computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Computer programs embodied on computer-readable media may be transmitted using any suitable medium, including but not limited to: wireless, wired, etc., or any suitable combination of the above.
  • each block in the flow chart or block diagram may represent a module, program segment, or part of the code.
  • the above-mentioned module, program segment, or part of the code includes one or more executable instructions for implementing the specified logical function.
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown one after another may actually execute substantially in parallel, or they may sometimes execute in the reverse order, depending on the functionality involved.
  • each block in the block diagram or flowchart illustration, and combinations of blocks in the block diagram or flowchart illustration, can be implemented by special-purpose hardware-based systems that perform the specified functions or operations, or by a combination of special-purpose hardware and computer instructions.
  • the units involved in the embodiments of the present disclosure can be implemented in software or hardware, and the described units can also be provided in a processor. The names of these units do not, in some circumstances, constitute a limitation on the units themselves.
  • Another aspect of the present disclosure also provides a computer-readable storage medium on which a computer program is stored.
  • When the computer program is executed by a processor, the method described above is implemented.
  • the computer-readable storage medium may be included in the electronic device described in the above embodiments, or may exist separately without being assembled into the electronic device.
  • Another aspect of the present disclosure also provides a computer program product or computer program including computer instructions stored in a computer-readable storage medium.
  • the processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the methods provided in the above embodiments.

Abstract

A domain-name reflection attack detection method and apparatus, and an electronic device and a storage medium. The method comprises: acquiring the number of domain-name resolution requests, which are initiated, within a plurality of time windows, by a request object to be subjected to detection; according to a preset time relationship, constructing the number of requests within the plurality of time windows, so as to obtain at least two request sequences; calculating a correlation coefficient between the at least two request sequences; and according to the correlation coefficient between the at least two request sequences, determining whether said request object has initiated a domain-name reflection attack.

Description

Domain name reflection attack detection method and device, electronic device, storage medium
Cross reference
This disclosure claims priority to the Chinese patent application No. 202210930014.8, titled "Domain name reflection attack detection method and device, electronic device, storage medium", filed on August 3, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to the field of security technology, and specifically to a domain name reflection attack detection method and device, an electronic device, and a computer-readable storage medium.
Background
DNS (Domain Name System) is Internet infrastructure. Because of its implicit commercial value, it has gradually come to be valued by large enterprises, and major enterprises have all built DNS systems that serve the whole network. Such a network-wide DNS system cannot restrict the range of query source IPs, and objectively becomes a traffic reflection attack resource that attackers can exploit. In recent years, because DNS is low-cost, easily evades detection and tracing, and has an obvious traffic amplification effect, DNS reflection attacks have repeatedly set attack traffic peak records and have become the main target of abnormal traffic protection for current Internet infrastructure. Therefore, on the DNS server side, the ability to detect DNS reflection attacks is crucial for emergency response.
Existing detection methods for DNS reflection attacks mainly operate on the DNS server side or the victim side, where network bandwidth and server availability are monitored and an alarm is raised once a threshold is exceeded. However, this kind of detection lags significantly: by the time an alarm is issued it is often too late. At the same time, other causes on the DNS server side or the victim side may reduce network bandwidth or server availability, which interferes with the detection of DNS reflection attacks and makes its accuracy low. A series of DDoS (Distributed Denial of Service) cases show that DNS reflection attacks can easily exceed the processing capacity of abnormal traffic scrubbing equipment, so detecting DNS reflection attacks in time has become an urgent problem to be solved.
Summary
To solve the above technical problems, embodiments of the present disclosure provide a domain name reflection attack detection method and device, an electronic device, and a computer-readable storage medium, aimed at solving the technical problem of the low accuracy of DNS reflection attack detection.
Additional features and advantages of the disclosure will become apparent from the following detailed description, or may in part be learned by practice of the disclosure.
According to an aspect of an embodiment of the present disclosure, a domain name reflection attack detection method is provided, including:
obtaining the number of domain name resolution requests initiated by the request object to be detected within multiple time windows;
constructing the numbers of requests of the multiple time windows according to a preset time relationship to obtain at least two request sequences;
calculating the correlation coefficient between the at least two request sequences;
determining, based on the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack.
According to an aspect of an embodiment of the present disclosure, a domain name reflection attack detection device is provided, including:
an acquisition module configured to obtain the number of domain name resolution requests initiated by the request object to be detected within multiple time windows;
a construction module configured to construct the numbers of requests of the multiple time windows according to a preset time relationship to obtain at least two request sequences;
a calculation module configured to calculate the correlation coefficient between the at least two request sequences;
a determination module configured to determine, based on the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack.
According to an aspect of an embodiment of the present disclosure, an electronic device is provided, including: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement the domain name reflection attack detection method described above.
According to an aspect of an embodiment of the present disclosure, a computer-readable storage medium is provided on which computer-readable instructions are stored; when the computer-readable instructions are executed by a processor of a computer, the computer is caused to perform the domain name reflection attack detection method described above.
According to an aspect of an embodiment of the present disclosure, a computer program product or computer program is provided, which includes computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the domain name reflection attack detection method provided in the various optional embodiments above.
In the technical solution provided by the embodiments of the present disclosure, forged domain name resolution request behavior is highly self-similar across different time windows, while normal domain name resolution request behavior is unpredictable. The embodiments construct request sequences from the number of domain name resolution requests initiated by the request object to be detected in multiple time windows; the request sequences characterize the behavior of the request object in those windows, the correlation coefficient is calculated from the request sequences, and based on the correlation coefficient it can be accurately determined whether the request object to be detected has initiated a domain name reflection attack. The domain name reflection attack detection method provided by the disclosure can therefore promptly and accurately determine whether a domain name reflection attack has been initiated.
Description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and, together with the description, serve to explain its principles. Obviously, the drawings described below are only some embodiments of the present disclosure; those of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:
Figure 1 is a schematic diagram of an implementation environment involved in the present disclosure.
Figure 2 is a flow chart of a domain name reflection attack detection method involved in the present disclosure.
Figure 3 is a flow chart of step S210 in one embodiment of the present disclosure.
Figure 4 is a flow chart of step S220 in one embodiment of the present disclosure.
Figure 5 is a flow chart of step S410 in one embodiment of the present disclosure.
Figure 6 is a schematic diagram of determining the first time windows and the second time windows in one embodiment of the present disclosure.
Figure 7 is a schematic diagram of determining the first time windows and the second time windows in another embodiment of the present disclosure.
Figure 8 is a flow chart of step S230 in one embodiment of the present disclosure.
Figure 9 is a flow chart of step S820 in one embodiment of the present disclosure.
Figure 10 is a flow chart of step S240 in one embodiment of the present disclosure.
Figure 11 is a flow chart of a domain name reflection attack detection method involved in the present disclosure.
Figure 12 is a block diagram of a domain name reflection attack detection device involved in the present disclosure.
Figure 13 is a schematic structural diagram of a computer system suitable for implementing an electronic device according to an embodiment of the present disclosure.
Detailed description
Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present disclosure; rather, they are merely examples of devices and methods consistent with some aspects of the disclosure as detailed in the appended claims.
The block diagrams shown in the drawings are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are only illustrative; they need not include all contents and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be split up, and others may be merged or partially merged, so the actual order of execution may change according to the actual situation.
It should also be noted that "multiple" in this disclosure means two or more. "And/or" describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" can mean: A alone, A and B together, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
DNS(Domain Name System,域名系统)是因特网上作为域名和IP地址(Internet Protocol Address,互联网协议地址)相互映射的一个分布式数据库,能够使用户更方便的访问互联网,而不用去记住能够被机器直接读取的IP数串。通过主机名,最终得到该主机名对应的IP地址的过程叫做域名解析。DNS (Domain Name System) is a distributed database on the Internet that maps domain names and IP addresses (Internet Protocol Address) to each other. It allows users to access the Internet more conveniently without having to remember what can be accessed. The IP number string read directly by the machine. The process of finally obtaining the IP address corresponding to the host name through the host name is called domain name resolution.
在正常域名解析过程中,源IP地址向DNS服务器发起DNS请求,DNS服务器将依据DNS请求进行域名解析,得到DNS回复包,将DNS回复包返回给源IP地址,经过域名解析后,得到DNS回复包比DNS请求大,而反射攻击正是利用DNS回复包比DNS请求大的特点,放大流量,伪造受害者网络的IP地址,并以该受害者网络的IP地址向DNS服务器发送DNS请求,以此将DNS回复包的流量引入受害者网络的服务器。请参阅图1,图1是本公开涉及的一种实施环境的示意图。该实施环境包括僵尸网络Zombie110、DNS服务器120,以及受害者网络Victim130,僵尸网络Zombie110、DNS服务器120,以及受害者网络Victim130相互之间通过有线或者无线网络进行通信。During the normal domain name resolution process, the source IP address initiates a DNS request to the DNS server. The DNS server will perform domain name resolution based on the DNS request, obtain a DNS reply packet, and return the DNS reply packet to the source IP address. After domain name resolution, a DNS reply will be obtained. The packet is larger than the DNS request, and the reflection attack takes advantage of the fact that the DNS reply packet is larger than the DNS request, amplifies the traffic, forges the IP address of the victim network, and sends a DNS request to the DNS server with the IP address of the victim network. This directs traffic of DNS reply packets to servers on the victim's network. Please refer to FIG. 1 , which is a schematic diagram of an implementation environment related to the present disclosure. The implementation environment includes the botnet Zombie110, the DNS server 120, and the victim network Victim130. The botnet Zombie110, the DNS server 120, and the victim network Victim130 communicate with each other through wired or wireless networks.
假设DNS请求的数据部分长度约为40字节,而DNS回复包的数据部分的长度可能会达到4000字节,这意味着攻击者利用此手法能够产生约100倍的放大效应。因此,攻击者只需要控制一个能够产生150M流量的僵尸网络Zombie110就能够进行约15G的DDoS攻击。如图1所示,僵尸网络Zombie110向DNS服务器120发送DNS请求,经过DNS服务器120的解析处理,放大了DNS回复包,DNS服务器120将放大后的DNS回复包发送给了受害者网络Victim130,攻击者通过僵尸网络Zombie110进行多次的实施,以此达到攻击受害者网络Victim130的目的。Assume that the length of the data part of the DNS request is about 40 bytes, and the length of the data part of the DNS reply packet may reach 4000 bytes, which means that the attacker can use this technique to produce an amplification effect of about 100 times. Therefore, the attacker only needs to control a zombie network Zombie110 that can generate 150M traffic to carry out a DDoS attack of about 15G. As shown in Figure 1, the botnet Zombie110 sends a DNS request to the DNS server 120. After analysis and processing by the DNS server 120, it amplifies the DNS reply packet. The DNS server 120 sends the amplified DNS reply packet to the victim network Victim130. The attack The attacker carried out multiple implementations through the botnet Zombie110 to achieve the purpose of attacking the victim network Victim130.
攻击者为了提高流量放大效果,往往会伪造响应类型为Non-Exist Domain类型的DNS请求,强制DNS服务器120发起递归查询,导致DNS服务器120的CPU(Central Processing Unit,中央处理器)、Ram(Random access memory,随机存取存储器)突然上涨,而现有的位于DNS服务器侧的,基于DNS服务器120可用性监测的域名反射攻击检测方案往往难以发现异常,但现实中攻击者经常使用多个不同的公共DNS服务器发起攻击,单个DNS服务器往往不存在可用性异常。而靠近受害者网络Victim130侧的城域网对链路可用性监测的域名反射攻击检测方案,会受到其他DDoS攻击类型的干扰,还需要结合Netflow信息判断是否为域名反射攻击,因此,该种检测方案的判断时延较大。一系列创纪录的域名反射攻击流量峰值都可以使受害者网络Victim130的上游链路瘫痪,导致相关的研判系统无法工作。In order to improve the traffic amplification effect, attackers often forge DNS requests with a response type of Non-Exist Domain type, forcing the DNS server 120 to initiate a recursive query, causing the DNS server 120's CPU (Central Processing Unit, Central Processing Unit), Ram (Random) to access memory (random access memory) has suddenly increased, and the existing domain name reflection attack detection scheme based on DNS server 120 availability monitoring on the DNS server side is often difficult to detect abnormalities, but in reality attackers often use multiple different public When a DNS server launches an attack, a single DNS server often does not have availability abnormalities. The domain name reflection attack detection scheme for monitoring link availability on the metropolitan area network close to the Victim130 side of the victim network will be interfered by other DDoS attack types. It also needs to be combined with Netflow information to determine whether it is a domain name reflection attack. Therefore, this detection scheme The judgment delay is large. A series of record-setting domain name reflection attack traffic peaks can paralyze the upstream link of the victim network Victim130, causing related research and judgment systems to fail to work.
The domain-name reflection attack detection method provided by the embodiments of the present disclosure constructs request sequences from the number of domain name resolution requests initiated by the request object to be detected in multiple time windows. The request sequences characterize the behaviour of the request object to be detected across those time windows: across different time windows, forged domain name resolution request behaviour is highly self-similar, whereas normal domain name resolution request behaviour is unpredictable. A correlation coefficient is calculated from the request sequences, and whether the request object to be detected has initiated a domain-name reflection attack is then determined from the correlation coefficient, so that the determination can be made promptly and accurately.
Figure 2 is a flow chart of a domain-name reflection attack detection method according to an exemplary embodiment. The method can be applied to the implementation environment shown in Figure 1 and is specifically executed by the DNS server 120 in that environment.
As shown in Figure 2, in an exemplary embodiment the domain-name reflection attack detection method may include steps S210 to S240, described in detail as follows:
Step S210: obtain the number of domain name resolution requests initiated by the request object to be detected within multiple time windows.
In the embodiment of the present disclosure, the request object to be detected is the source IP that sends domain name resolution requests to the DNS server. By parsing DNS network traffic or DNS system logs, the source IP and the timestamps at which that source IP sent domain name resolution requests can be obtained. From the timestamps, the number of domain name resolution requests initiated by the request object to be detected in each of the multiple time windows is obtained; if the request object to be detected initiated no domain name resolution request in a given time window, the request count for that time window is recorded as 0.
In an exemplary embodiment of the present disclosure, referring to Figure 3, before step S210 of obtaining the number of domain name resolution requests initiated by the request object to be detected within multiple time windows, the method further includes steps S310 and S320, described in detail as follows:
Step S310: obtain the request objects that initiated domain name resolution requests within a specified time window, and count the number of domain name resolution requests each request object initiated within the specified time window.
In the embodiment of the present disclosure, when determining the request objects to be detected, DNS network traffic or DNS system logs are parsed to obtain the request objects that sent domain name resolution requests to the DNS server within the specified time window, and the number of domain name resolution requests each request object sent within that specified time window is counted. For example, if a total of X request objects sent domain name resolution requests to the DNS server within the specified time window, the request count of each of these X request objects within the specified time window is counted separately.
Step S320: determine the request objects to be detected from among the request objects according to the relationship between the request count and a preset count threshold.
In the embodiment of the present disclosure, a preset count threshold is set in advance. Among the X request objects, those whose request count is smaller than the preset count threshold are filtered out, and the remaining request objects serve as the request objects to be detected. If several request objects to be detected remain after filtering, they may be sorted in descending order of request count, and each request object to be detected is then examined in that order to determine whether it has sent a domain-name reflection attack.
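The following Python is an added worked example and not code from the patent. It carries out steps S210, S310 and S320 over a small constructed DNS log: requests are counted per source IP per time window, a request sequence is read out with 0 for windows in which the source was silent, and candidate request objects are filtered by the preset count threshold and ranked in descending order. The log format (`<unix_ts> <src_ip> <qname> <qtype>`), the function names, the 10-second window and the sample addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample DNS log (not from the patent): "<unix_ts> <src_ip> <qname> <qtype>"
SAMPLE_LOG = """\
1700000000 1.1.1.1 abc123.example.test ANY
1700000001 1.1.1.1 abc124.example.test ANY
1700000003 1.1.1.1 abc125.example.test ANY
1700000004 10.0.0.5 www.example.test A
1700000012 1.1.1.1 abc126.example.test ANY
1700000013 1.1.1.1 abc127.example.test ANY
1700000015 10.0.0.5 mail.example.test MX
1700000021 1.1.1.1 abc128.example.test ANY
1700000022 1.1.1.1 abc129.example.test ANY
1700000024 1.1.1.1 abc130.example.test ANY
1700000027 10.0.0.7 www.example.test A
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_log(text):
    """Yield (timestamp, source IP) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group("ts")), m.group("src")


def window_counts(records, t, origin):
    """Step S210: count requests per source IP per time window of length t seconds.

    Window index = (timestamp - origin) // t, so windows are numbered from 0 at `origin`.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src in records:
        counts[src][(ts - origin) // t] += 1
    return {src: dict(wins) for src, wins in counts.items()}


def request_sequence(counts, src, window_indices):
    """Request counts of `src` over the given windows; a window with no requests counts as 0."""
    return [counts.get(src, {}).get(w, 0) for w in window_indices]


def candidates(counts, specified_window, threshold):
    """Steps S310/S320: sources whose count in the specified window is not below the
    preset threshold, sorted by that count in descending order."""
    kept = [(src, wins.get(specified_window, 0)) for src, wins in counts.items()]
    kept = [(src, c) for src, c in kept if c >= threshold]
    return [src for src, _ in sorted(kept, key=lambda sc: sc[1], reverse=True)]


if __name__ == "__main__":
    counts = window_counts(parse_log(SAMPLE_LOG), t=10, origin=1700000000)
    for src in candidates(counts, specified_window=2, threshold=1):
        print(src, request_sequence(counts, src, [0, 1, 2]))
```

With the sample log, 1.1.1.1 yields the sequence [3, 2, 3] over the three windows while 10.0.0.5 yields [1, 1, 0]; a threshold of 2 in the specified window leaves only 1.1.1.1 as a request object to be detected.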
Step S220: construct, according to a preset time relationship, the request counts of the multiple time windows into at least two request sequences.
In the embodiment of the present disclosure, request sequences are constructed from the request counts of the request object to be detected in the individual time windows according to the preset time relationship. For the same request object to be detected, forged domain name resolution request behaviour is highly self-similar across different time windows, so request sequences that characterize the behaviour of the request object to be detected can be constructed from the request counts. Each request sequence consists of the request counts of its corresponding time windows, and every request sequence corresponds to the same number of time windows.
In an exemplary embodiment of the present disclosure, referring to Figure 4, constructing the request counts of the multiple time windows into at least two request sequences according to the preset time relationship in step S220 includes steps S410 and S420, described in detail as follows:
Step S410: divide the multiple time windows into multiple first time windows and multiple second time windows according to the preset time relationship.
In the embodiment of the present disclosure, first time windows and second time windows are divided out of the multiple time windows; the total number of first time windows and second time windows may be less than or equal to the number of the multiple time windows. The first time windows and the second time windows thus form two request sequences.
Relevant configuration parameters are defined in advance. The configuration parameters include a time window t and a cache time T, where T = n*t and n is a natural number greater than 30; a specified number k of first time windows and of second time windows is also configured, where k*t should exceed 30 s so as to smooth out reasonable numerical fluctuations.
When determining the multiple time windows, the n time windows within the cache time immediately preceding the request object to be detected may be obtained; or the n time windows within the cache time immediately following it; or the p time windows immediately preceding the specified time window and the q time windows immediately following it may be obtained together to form the multiple time windows, where p+q+1 equals the number n of time windows in a cache time, and p and q are each greater than or equal to k. Within one cache time, first time windows and second time windows are divided out of the n time windows; the number of first time windows equals the number of second time windows, while their total need not equal n.
Each time a time window t elapses, the cache time T takes in the request objects of the most recent time window t, and the request objects older than the cache time T are cleared and released. The DNS server thus continuously adds request objects every time window t while releasing request objects no longer needed within the cache time T, reducing the storage pressure on the DNS server.
Step S420: construct a first request sequence from the request counts of the multiple first time windows, and construct a second request sequence from the request counts of the multiple second time windows.
In the embodiment of the present disclosure, the first request sequence is constructed from the request counts of the first time windows: the multiple first time windows are arranged in chronological order, and the first request sequence is then constructed from their request counts in that order. The first request sequence is generated in the dictionary format {src IP: [request count 1, request count 2, …, request count k]}, for example 1.1.1.1: [20, 20, …], containing the request counts of k time windows, where 1.1.1.1 denotes the request object to be detected whose source IP address is 1.1.1.1.
Likewise, the second request sequence is constructed from the request counts of the second time windows: the multiple second time windows are arranged in chronological order, and the second request sequence is then generated from their request counts in that order in the dictionary format {src IP: [request count a, request count b, …, request count j]}.
In an exemplary embodiment of the present disclosure, referring to Figure 5, the multiple time windows are consecutive time windows, and dividing the multiple time windows into multiple first time windows and multiple second time windows according to the preset time relationship in step S410 includes steps S510 and S520, described in detail as follows:
Step S510: among the multiple consecutive time windows, determine a specified number of consecutive time windows as the multiple first time windows.
In the embodiment of the present disclosure, when the multiple time windows are the n time windows within the cache time immediately preceding the specified time window of the request object to be detected, or the n time windows within the cache time immediately following it, the first k consecutive time windows among these n time windows, taken in order, may be used as the first time windows. As shown in Figure 6, the multiple time windows in Figure 6 are the n time windows within the cache time immediately preceding the specified time window of the request object to be detected, and the 1st to k-th time windows are used directly as the first time windows.
In another embodiment, when the multiple time windows are obtained as the p time windows immediately preceding the specified time window together with the q time windows immediately following it, k consecutive time windows among the preceding p time windows are determined as the first time windows, or k consecutive time windows among the following q time windows are determined as the first time windows. As shown in Figure 7, among the multiple time windows in Figure 7, A denotes the specified time window; the time windows to the left of A are the preceding p time windows and those to the right of A are the following q time windows, and the 1st to k-th of the preceding p time windows are used directly as the first time windows.
Step S520: among the time windows other than the first time windows, determine a specified number of time windows as the multiple second time windows, where the latest of the multiple first time windows is earlier than the earliest of the multiple second time windows.
In the embodiment of the present disclosure, k time windows are randomly selected as the second time windows from the time windows other than the first time windows.
Specifically, as shown in Figure 6, when the multiple time windows are the n time windows within the cache time immediately preceding the specified time window of the request object to be detected, or the n time windows within the cache time immediately following it, k time windows are randomly determined as the second time windows from the (k+1)-th to n-th time windows by means of a Shuffle algorithm. That is, the current system time is obtained and used as the random factor to compute a random number with the formula m = rand(time)*(i+1) mod (n−k), which yields a random number in the range [1, (n−k)] from the system time, where time is the current system time, i+1 indicates which second time window is being computed, and i ranges over [0, k−1]. After the random number is computed with this formula, the (m+k)-th time window is taken as a second time window; repeating this k times yields the k required time windows. If a computed random number repeats one already drawn, the computation is redone until k distinct time windows have been selected as the second time windows.
As shown in Figure 7, when the multiple time windows are obtained as the p time windows immediately preceding the specified time window together with the q time windows immediately following it, after the first time windows have been determined among the p time windows, k time windows are randomly determined as the second time windows within the following q time windows. Likewise, the Shuffle algorithm is used: the current system time is obtained and used as the random factor to compute a random number with the formula m = rand(time)*(i+1) mod q, which yields a random number in the range [1, q] from the system time, where time is the current system time, i+1 indicates which second time window is being computed, and i ranges over [0, k−1]. After the random number is computed with this formula, the (m+p+1)-th time window is taken as a second time window; repeating this k times yields the k required time windows. If a computed random number repeats one already drawn, the computation is redone until k distinct time windows have been selected as the second time windows.
In other embodiments, when the multiple time windows are the n time windows within the cache time immediately preceding the specified time window of the request object to be detected, or the n time windows within the cache time immediately following it, the last k consecutive time windows among the n time windows may be taken as the first time windows, and k time windows are then randomly determined as the second time windows from the remaining time windows. As before, the k time windows are randomly determined as the second time windows by means of the Shuffle algorithm.
In another embodiment, when the multiple time windows are obtained as the p time windows immediately preceding the specified time window together with the q time windows immediately following it, k time windows may be randomly determined as the second time windows from the preceding p time windows, and k consecutive time windows then determined as the first time windows among the following q time windows. As before, the k time windows are randomly determined as the second time windows by means of the Shuffle algorithm.
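The window split of steps S510 and S520, written out as an added Python example that is not code from the patent. `draw_second_windows` implements the Shuffle selection described above for both layouts: a pool of candidate windows, a draw m = rand(time)*(i+1) mod pool_size, rejection of repeated windows until k distinct ones are found, and the result in chronological order. Two points are assumptions of this example rather than statements of the page: a bare modulus yields [0, pool_size−1], so `+ 1` is added to land in the stated range [1, pool_size]; and the random factor is injectable (`rand`) so the selection can be reproduced, defaulting to the system clock as the page describes. The Figure 6 wrapper also covers the later embodiment that takes the last k windows as the first time windows.

```python
import time


def draw_second_windows(pool_size, base, k, rand=None):
    """Step S520 Shuffle selection.

    The candidate pool is the `pool_size` windows numbered base+1 .. base+pool_size
    (1-based).  Each draw follows m = rand(time)*(i+1) mod pool_size; the `+ 1` maps
    the result onto the range [1, pool_size] (assumption: a bare mod gives 0..pool_size-1).
    A window already chosen is rejected and redrawn until k distinct windows remain,
    which are returned in chronological order.
    """
    if not 0 < k <= pool_size:
        raise ValueError("k must satisfy 0 < k <= pool_size")
    if rand is None:
        rand = time.time_ns  # current system time as the random factor, as on the page
    chosen = []
    for i in range(k):
        while True:
            m = (rand() * (i + 1)) % pool_size + 1
            window = base + m
            if window not in chosen:
                chosen.append(window)
                break
    return sorted(chosen)


def split_windows_figure6(n, k, rand=None, first_from_end=False):
    """Figure 6 layout: the n consecutive windows of one cache time (T = n*t).

    first_from_end=False: first windows are the 1st..k-th, second windows are drawn
    from windows k+1..n (so every first window precedes every second window).
    first_from_end=True: first windows are the last k, second windows are drawn from
    windows 1..n-k (the alternative embodiment on the page).
    """
    if not 0 < k <= n - k:
        raise ValueError("need k <= n - k so that k windows remain for the second set")
    if first_from_end:
        first = list(range(n - k + 1, n + 1))
        second = draw_second_windows(pool_size=n - k, base=0, k=k, rand=rand)
    else:
        first = list(range(1, k + 1))
        second = draw_second_windows(pool_size=n - k, base=k, k=k, rand=rand)
    return first, second


def split_windows_figure7(p, q, k, rand=None):
    """Figure 7 layout: p windows before the specified window A (index p+1), q after it.

    First windows: the 1st..k-th of the p preceding windows.
    Second windows: k windows drawn from the q following windows, indices p+2 .. p+q+1,
    i.e. the (m+p+1)-th window for each draw m in [1, q].
    """
    if not (0 < k <= p and k <= q):
        raise ValueError("k must not exceed p or q")
    first = list(range(1, k + 1))
    second = draw_second_windows(pool_size=q, base=p + 1, k=k, rand=rand)
    return first, second


if __name__ == "__main__":
    # n = 40 windows of t = 1 s gives T = 40 s > 30 s; k = 31 windows > 30 s as configured on the page
    # would need n >= 62, so a smaller illustrative n and k are used here.
    print(split_windows_figure6(n=10, k=3))
    print(split_windows_figure7(p=4, q=5, k=3))
```

Because the Shuffle selection depends only on n, k, p and q, the same first and second time windows serve every request object to be detected in the cache time, as the later embodiment notes.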
Step S230: calculate the correlation coefficient between the at least two request sequences.
In the embodiment of the present disclosure, the correlation coefficient between the at least two request sequences is calculated. If there are exactly two request sequences, the correlation coefficient between them is calculated directly; if there are more than two, the correlation coefficient between each pair of request sequences is calculated, the mean of these pairwise coefficients is computed, and that mean is used as the correlation coefficient between the at least two request sequences.
In an exemplary embodiment of the present disclosure, referring to Figure 8, the at least two request sequences include a first request sequence and a second request sequence, and calculating the correlation coefficient between the at least two request sequences in step S230 includes steps S810 and S820, described in detail as follows:
Step S810: average the request counts contained in the first request sequence to obtain a first mean, and average the request counts contained in the second request sequence to obtain a second mean.
In the embodiment of the present disclosure, the first mean X̄ is calculated from the request counts in the first request sequence, and the second mean Ȳ is calculated from the request counts in the second request sequence.
Figure PCTCN2022140321-appb-000001 (equation image, not reproduced)
Step S820: calculate the correlation coefficient between the first request sequence and the second request sequence from the first mean, the second mean, the first request sequence and the second request sequence.
In the embodiment of the present disclosure, the correlation coefficient between the first request sequence and the second request sequence is calculated from the computed first mean, second mean, first request sequence and second request sequence.
In an exemplary embodiment of the present disclosure, referring to Figure 9, calculating the correlation coefficient between the first request sequence and the second request sequence from the first mean, the second mean, the first request sequence and the second request sequence in step S820 includes steps S910 and S920, described in detail as follows:
Step S910: subtract the first mean from each request count contained in the first request sequence to obtain multiple first differences, and subtract the second mean from each request count contained in the second request sequence to obtain multiple second differences.
In the embodiment of the present disclosure, a difference is taken between each request count in the first request sequence and the first mean, that is, the first mean is subtracted from each request count in the first request sequence, giving multiple first differences; and a difference is taken between each request count in the second request sequence and the second mean, that is, the second mean is subtracted from each request count in the second request sequence, giving multiple second differences.
Step S920: calculate the correlation coefficient between the first request sequence and the second request sequence from the multiple first differences and the multiple second differences.
In the embodiment of the present disclosure, the correlation coefficient between the first request sequence and the second request sequence is calculated from the multiple first differences and second differences.
Specifically, the correlation coefficient between the first sequence and the second sequence is calculated by the formula
Figure PCTCN2022140321-appb-000002 (equation image, not reproduced)
where r is the correlation coefficient, X_j is the j-th request count in the first request sequence, Y_j is the j-th request count in the second request sequence, k is the number of request counts in each of the first and second request sequences, X̄ (Figure PCTCN2022140321-appb-000003) is the first mean and Ȳ (Figure PCTCN2022140321-appb-000004) is the second mean.
Step S240: determine, from the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain-name reflection attack.
In the embodiment of the present disclosure, forged domain name resolution request behaviour is highly self-similar across different time windows, whereas normal domain name resolution request behaviour is unpredictable. The correlation coefficient therefore reveals whether the domain name resolution requests initiated by the request object to be detected in different time windows are similar in behaviour; when they are, this indicates that the request object to be detected has initiated a domain-name reflection attack.
In the embodiment of the present disclosure, forged domain name resolution request behaviour is highly self-similar across different time windows, whereas normal domain name resolution request behaviour is unpredictable. The embodiments of the present disclosure construct request sequences from the number of domain name resolution requests initiated by the request object to be detected in multiple time windows; the request sequences characterize the behaviour of the request object to be detected across those time windows, a correlation coefficient is calculated from the request sequences, and whether the request object to be detected has initiated a domain-name reflection attack can then be accurately determined from the correlation coefficient. The domain-name reflection attack detection method provided by the present disclosure checks for an initiated domain-name reflection attack while domain name resolution requests are being received, so the determination can be made promptly and accurately.
In an exemplary embodiment of the present disclosure, referring to Figure 10, determining in step S240 whether the request object to be detected has initiated a domain-name reflection attack from the correlation coefficient between the at least two request sequences includes steps S1010 to S1030, described in detail as follows:
Step S1010: check the relationship between the correlation coefficient of the at least two request sequences and a preset threshold to obtain a check result.
In the embodiment of the present disclosure, checking the relationship between the correlation coefficient and the preset threshold means comparing the correlation coefficient with the preset threshold to obtain the check result; the preset threshold may be set to 0.5.
Step S1020: if the check result indicates that the correlation coefficient is greater than or equal to the preset threshold, determine that the request object to be detected has initiated a domain-name reflection attack.
In the embodiment of the present disclosure, if the correlation coefficient is greater than or equal to the preset threshold, it is determined that the request object to be detected has initiated a domain-name reflection attack, preset alarm information is generated, and the preset alarm information is sent to the victim network Victim 130, that is, to the source IP forged by the attacker through the botnet Zombie 110, so as to alert the victim network Victim 130.
Step S1030: if the check result indicates that the correlation coefficient is less than the preset threshold, determine that the request object to be detected has not initiated a domain-name reflection attack.
In the embodiment of the present disclosure, if the check result indicates that the correlation coefficient is less than the preset threshold, the domain name resolution requests initiated by the request object to be detected in different time windows are not similar in behaviour, that is, the request object to be detected has not initiated a domain-name reflection attack.
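Steps S230 (including the pairwise averaging for more than two sequences), S810 to S920 and S1010 to S1030, as an added Python example that is not code from the patent. The correlation formula on the page survives only as an image; this example assumes the standard Pearson coefficient, which is what the described steps (k counts per sequence, the two means, the differences from the means) compute. One edge case the formula itself leaves undefined is handled explicitly: a constant request sequence such as the page's own 1.1.1.1: [20, 20, …] has zero variance, so the denominator is zero. The treatment chosen here (two constant sequences count as perfectly self-similar, a constant sequence against a varying one as uncorrelated) is a design choice of this example, as are the function names and the constructed sample sequences.

```python
import math
from itertools import combinations

# Constructed request sequences (not from the patent), k = 6 windows each.
FLOOD_SEQUENCES = ([30, 31, 30, 32, 29, 30], [31, 30, 30, 32, 30, 29])   # steady forged requests
NORMAL_SEQUENCES = ([3, 0, 5, 1, 0, 2], [0, 4, 1, 0, 6, 1])               # bursty legitimate client


def pearson(xs, ys):
    """Steps S810-S920: means, differences from the means, then the correlation coefficient r.

    Assumed formula (the page's equation is an image): standard Pearson r over k request counts.
    """
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("both sequences must contain the same k >= 2 request counts")
    k = len(xs)
    mean_x = sum(xs) / k                      # first mean
    mean_y = sum(ys) / k                      # second mean
    dx = [x - mean_x for x in xs]             # first differences
    dy = [y - mean_y for y in ys]             # second differences
    numerator = sum(a * b for a, b in zip(dx, dy))
    denominator = math.sqrt(sum(a * a for a in dx) * sum(b * b for b in dy))
    if denominator == 0.0:
        # Zero variance: at least one sequence is constant (e.g. [20, 20, 20]).
        # Design choice of this example: two constant-rate sequences are perfectly
        # self-similar (1.0); a constant sequence against a varying one is uncorrelated (0.0).
        both_constant = not any(dx) and not any(dy)
        return 1.0 if both_constant else 0.0
    return numerator / denominator


def sequence_correlation(sequences):
    """Step S230: two sequences give their coefficient directly; more give the mean of all pairwise coefficients."""
    if len(sequences) < 2:
        raise ValueError("at least two request sequences are required")
    pairwise = [pearson(a, b) for a, b in combinations(sequences, 2)]
    return sum(pairwise) / len(pairwise)


def is_reflection_attack(sequences, threshold=0.5):
    """Steps S1010-S1030: coefficient >= preset threshold (0.5 on the page) means an attack is determined."""
    return sequence_correlation(sequences) >= threshold


if __name__ == "__main__":
    for src, seqs in (("1.1.1.1", FLOOD_SEQUENCES), ("10.0.0.5", NORMAL_SEQUENCES)):
        r = sequence_correlation(seqs)
        print(f"{src}: r = {r:.3f}, reflection attack = {is_reflection_attack(seqs)}")
```

For the constructed sequences the steady flood scores r = 0.625, above the page's threshold of 0.5, while the bursty client scores a negative coefficient and is cleared. Integer request counts keep the constant-sequence check exact; with fractional rates the zero-variance test would need a tolerance.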
In an exemplary embodiment of the present disclosure, referring to Figure 11, Figure 11 shows a domain-name reflection attack detection method according to an exemplary embodiment, including steps S1110 to S1180, described in detail as follows:
Step S1110: obtain the system log and parse it to obtain multiple request objects and the timestamps at which the multiple request objects initiated domain name resolution requests.
In the embodiment of the present disclosure, parsing the system log yields the multiple request objects and the timestamp at which each request object sent a domain name resolution request.
Step S1120: from the timestamps, obtain the request objects that initiated domain name resolution requests within the specified time window, and count the number of domain name resolution requests each request object initiated within the specified time window.
In the embodiment of the present disclosure, the time window t and the cache time T are configured in advance. From the timestamps, the request objects that initiated domain name resolution requests in the specified time window can be determined; generally there are several request objects in one time window, and the request count of each is tallied.
Step S1130: determine the request objects to be detected from among the request objects according to the relationship between the request count and the preset count threshold.
In the embodiment of the present disclosure, a preset count threshold is set in advance; request objects whose request count within the specified time window is below the preset count threshold are filtered out, and the remaining request objects serve as the request objects to be detected. At this point there may be several request objects to be detected.
Step S1140: obtain multiple time windows adjacent to the specified time window; within these multiple time windows, determine a specified number of consecutive time windows as the multiple first time windows, and randomly determine, by means of the Shuffle algorithm, a specified number of time windows among the remaining time windows as the multiple second time windows, where the latest of the multiple first time windows is earlier than the earliest of the multiple second time windows.
In the embodiment of the present disclosure, the n time windows within the cache time immediately preceding the specified time window, or the n time windows within the cache time immediately following it, are obtained; the specified number is k. From the n time windows, k consecutive time windows are determined as the first time windows, and k time windows are then randomly determined as the second time windows from the remaining time windows by means of the Shuffle algorithm. Specifically, when determining the first time windows, the 1st to k-th of the n time windows are selected; when determining the second time windows, only the (k+1)-th to n-th time windows are considered, and k time windows are randomly drawn from them by means of the Shuffle algorithm as the second time windows.
When there are several request objects to be detected, the first time windows are the same for all of them, and so are the second time windows; there is no need to determine the first and second time windows separately for each request object to be detected, which reduces the amount of computation. Selecting k time windows as the second time windows with the Shuffle algorithm captures, as far as possible, the fact that an attacker exhibits highly similar behaviour over a relatively long time span, whereas normal DNS requests show considerable randomness. The Shuffle algorithm also greatly speeds up the subsequent correlation coefficient computation.
步骤S1150,根据指定数量个第一时间窗口构建待检测请求对象的第一请求序列,以及根据指定数量个第二时间窗口构建待检测请求对象的第二请求序列。Step S1150: Construct a first request sequence of the request object to be detected based on a specified number of first time windows, and construct a second request sequence of the request object to be detected based on a specified number of second time windows.
本公开实施例中,根据各个待检测请求对象在第一时间窗口内的请求数量构建对应的第一请求序列,以及根据各个待检测请求对象在第二时间窗口内的请求数量构建对应的第二请求序列。In the embodiment of the present disclosure, a corresponding first request sequence is constructed according to the number of requests of each request object to be detected in the first time window, and a corresponding second request sequence is constructed according to the number of requests for each request object to be detected in the second time window. Request sequence.
步骤S1160,根据第一请求序列和第二请求序列计算待检测请求对象的相关系数。Step S1160: Calculate the correlation coefficient of the request object to be detected according to the first request sequence and the second request sequence.
本公开实施例中,根据每个待检测请求对象对应的第一请求序列和第二请求序列,计算对应的相关系数,计算相关系数的方案在前述已进行说明,在此不进行赘述。In the embodiment of the present disclosure, the corresponding correlation coefficient is calculated based on the first request sequence and the second request sequence corresponding to each request object to be detected. The scheme for calculating the correlation coefficient has been described above and will not be described again here.
步骤S1170,检测待检测请求对象的相关系数与预设阈值的关系,得到待检测请求对象的检测结果。Step S1170: Detect the relationship between the correlation coefficient of the request object to be detected and the preset threshold, and obtain the detection result of the request object to be detected.
本公开实施例中,将各个待检测请求对象的相关系数分别与预设阈值进行比 较,得到对应的检测结果。In the embodiment of the present disclosure, the correlation coefficient of each request object to be detected is compared with the preset threshold to obtain the corresponding detection result.
步骤S1180,若待检测请求对象的检测结果表征相关系数大于等于预设阈值,则确定待检测请求对象发起域名反射攻击,并向待检测请求对象发送预设告警信息。Step S1180: If the detection result representation correlation coefficient of the request object to be detected is greater than or equal to the preset threshold, it is determined that the request object to be detected initiates a domain name reflection attack, and preset alarm information is sent to the request object to be detected.
本公开实施例中,若待检测请求对象的检测结果表征相关系数大于等于预设阈值,则标定待检测请求对象发起了域名反射攻击,在多个待检测请求对象中,存在多个待检测请求对象发起了域名反射攻击时,向多个待检测请求对象发送预设告警信息。In the embodiment of the present disclosure, if the detection result representation correlation coefficient of the request object to be detected is greater than or equal to the preset threshold, then the request object to be detected is calibrated to launch a domain name reflection attack. Among the multiple request objects to be detected, there are multiple requests to be detected. When an object launches a domain name reflection attack, preset alarm information is sent to multiple request objects to be detected.
本公开实施例中,在不同的时间窗口中,伪造的域名解析请求行为具有高度自相似性,而正常的域名解析请求行为呈现不可预测性。本公开实施例根据系统日志得到请求对象,根据请求对象发起域名解析请求的请求数量确定待检测请求对象,从多个时间窗口中确定待检测请求对象的第一时间窗口和第二时间窗口,各个待检测请求对象的第一时间窗口相同,同时第二时间窗口也相同,在一定程度上减少计算量,依据各个待检测请求对象在第一时间窗口和第二时间窗口的请求数量,构建对象的请求序列,请求序列能够表征待检测请求对象在多个时间窗口内的行为特征,根据请求序列计算相关系数,进而依据相关系数能够准确确定待检测请求对象是否发起域名反射攻击,同时,还生成预设告警信息,并将预设告警信息发送给待检测请求对象,即向攻击者通过僵尸网络Zombie110伪造的源IP发送预设告警信息,以此提醒受害者网络Victim130。本公开提供的域名发射攻击检测方法在接收域名解析请求的过程中检测是否有发起域名反射攻击,能够及时、准确的确定出是否发起域名反射攻击。In this disclosed embodiment, in different time windows, the forged domain name resolution request behavior is highly self-similar, while the normal domain name resolution request behavior is unpredictable. The disclosed embodiment obtains the request object according to the system log, determines the request object to be detected according to the number of requests for domain name resolution requests initiated by the request object, and determines the first time window and the second time window of the request object to be detected from multiple time windows. The first time window of the request object to be detected is the same, and the second time window is also the same, which reduces the amount of calculation to a certain extent. Based on the number of requests for each request object to be detected in the first time window and the second time window, the object's Request sequence. The request sequence can characterize the behavioral characteristics of the request object to be detected in multiple time windows. The correlation coefficient is calculated based on the request sequence. Then based on the correlation coefficient, it can be accurately determined whether the request object to be detected initiates a domain name reflection attack. At the same time, a prediction is also generated. 
Set alarm information and send the preset alarm information to the request object to be detected, that is, send the preset alarm information to the source IP forged by the attacker through the botnet Zombie110 to remind the victim network Victim130. The domain name launch attack detection method provided by this disclosure detects whether a domain name reflection attack is initiated during the process of receiving a domain name resolution request, and can promptly and accurately determine whether a domain name reflection attack is initiated.
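As an added illustration (not the applicant's code), the following Python walks the flow of steps S1110 to S1180 over a constructed DNS log: parse, count per window, filter by the quantity threshold, pick the first k and the shuffled second k windows, build both request sequences and compare their correlation coefficient with the preset threshold. The log format, the IP addresses, t, n, k, both thresholds, the chronological ordering of the shuffled windows and the Pearson normalisation of the correlation coefficient are assumptions.

```python
"""Worked example of steps S1110-S1180 (added illustration, not the patent applicant's code).
Log format, IP addresses, window length t, n, k and both thresholds are assumptions."""
import math
import random
from collections import defaultdict

WINDOW_LEN = 60        # t: seconds per time window (assumption)
N_HISTORY = 12         # n: time windows in the cache time T preceding the specified window
K = 4                  # k: length of each request sequence
COUNT_THRESHOLD = 50   # preset quantity threshold for step S1130
CORR_THRESHOLD = 0.9   # preset correlation threshold for step S1170

# Constructed per-window request counts for three sources over N_HISTORY + 1 windows;
# the last entry is the specified window under inspection. The first source repeats one
# four-window shape every cycle, mimicking the self-similar forged traffic the patent
# describes; the second is a busy but irregular resolver; the third is sparse.
SAMPLE_COUNTS = {
    "198.51.100.7": [60, 80, 100, 120] * 3 + [60],
    "203.0.113.9":  [70, 55, 90, 52, 61, 88, 53, 75, 66, 58, 80, 91, 64],
    "192.0.2.21":   [3, 0, 5, 1, 2, 0, 0, 4, 1, 0, 6, 2, 3],
}

def make_sample_log(counts, window_len=WINDOW_LEN):
    """Expand per-window counts into constructed log lines of the form '<epoch> <src_ip> <qname>'."""
    lines = []
    for src, per_window in counts.items():
        for w, c in enumerate(per_window):
            for i in range(c):
                lines.append(f"{w * window_len + i % window_len} {src} example.test")
    return lines

def parse_log(lines):
    """Step S1110: recover (request object, timestamp) pairs from the system log."""
    records = []
    for line in lines:
        ts, src, _qname = line.split(maxsplit=2)
        records.append((src, int(ts)))
    return records

def count_per_window(records, n_windows, window_len=WINDOW_LEN):
    """Step S1120: requests per source per time window, indexed 0..n_windows-1."""
    counts = defaultdict(lambda: [0] * n_windows)
    for src, ts in records:
        w = ts // window_len
        if 0 <= w < n_windows:
            counts[src][w] += 1
    return dict(counts)

def candidates(counts, window_idx, threshold=COUNT_THRESHOLD):
    """Step S1130: keep only sources whose count in the specified window reaches the threshold."""
    return sorted(src for src, c in counts.items() if c[window_idx] >= threshold)

def select_windows(n, k, sampler=random.sample):
    """Step S1140: the first k consecutive history windows, plus k windows drawn by shuffling
    from the remaining n-k. The drawn set is kept in chronological order (an assumption; the
    patent does not fix the order), and is always later than every first window."""
    if n < 2 * k:
        raise ValueError("need at least 2k history windows")
    first = list(range(k))
    second = sorted(sampler(range(k, n), k))
    return first, second

def pearson(x, y):
    """Steps S1160/S1170 via means and deviations (claims 4 and 5); Pearson normalisation is
    assumed. A zero-variance sequence, e.g. a perfectly flat flood, has no defined
    correlation and is reported as 0.0 rather than being silently flagged."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    dx = [v - mx for v in x]
    dy = [v - my for v in y]
    sxx, syy = sum(d * d for d in dx), sum(d * d for d in dy)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum(a * b for a, b in zip(dx, dy)) / math.sqrt(sxx * syy)

def detect(counts, src, first, second, threshold=CORR_THRESHOLD):
    """Steps S1150-S1180 for one candidate: build both sequences, correlate, compare."""
    seq1 = [counts[src][w] for w in first]
    seq2 = [counts[src][w] for w in second]
    r = pearson(seq1, seq2)
    return r, r >= threshold

def run(counts_table=SAMPLE_COUNTS, sampler=random.sample):
    """Whole pipeline over the constructed log; returns {src: (r, flagged)} for each candidate."""
    records = parse_log(make_sample_log(counts_table))
    counts = count_per_window(records, N_HISTORY + 1)
    first, second = select_windows(N_HISTORY, K, sampler)
    return {src: detect(counts, src, first, second) for src in candidates(counts, N_HISTORY)}

if __name__ == "__main__":
    # With the real shuffle, r for the repeating source depends on which later windows are
    # drawn, so the verdict can change between runs; a deterministic sampler is used in tests.
    for src, (r, flagged) in run().items():
        print(f"{src}: r={r:+.3f} -> {'reflection attack suspected' if flagged else 'normal'}")
```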
In an exemplary embodiment of the present disclosure, referring to Figure 12, Figure 12 illustrates a domain name reflection attack detection apparatus according to an exemplary embodiment, including:
an acquisition module 1210, configured to obtain the number of domain name resolution requests initiated by a request object to be detected within multiple time windows;
a construction module 1220, configured to construct at least two request sequences from the request counts of the multiple time windows according to a preset time relationship;
a calculation module 1230, configured to calculate the correlation coefficient between the at least two request sequences;
a determination module 1240, configured to determine, according to the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack.
In an exemplary embodiment of the present disclosure, the construction module 1220 includes:
a dividing sub-module, configured to divide the multiple time windows into multiple first time windows and multiple second time windows according to the preset time relationship;
a construction sub-module, configured to construct a first request sequence from the request counts of the multiple first time windows and a second request sequence from the request counts of the multiple second time windows.
In an exemplary embodiment of the present disclosure, the multiple time windows are consecutive time windows, and the dividing sub-module includes:
a first determination unit, configured to determine, among the multiple consecutive time windows, a specified number of consecutive time windows as the multiple first time windows;
a second determination unit, configured to determine, among the time windows other than the first time windows, the specified number of time windows as the multiple second time windows, wherein the latest of the multiple first time windows is earlier than the earliest of the multiple second time windows.
In an exemplary embodiment of the present disclosure, the at least two request sequences include a first request sequence and a second request sequence, and the calculation module 1230 includes:
an operation sub-module, configured to average the request counts contained in the first request sequence to obtain a first mean, and to average the request counts contained in the second request sequence to obtain a second mean;
a calculation sub-module, configured to calculate the correlation coefficient between the first request sequence and the second request sequence from the first mean, the second mean, the first request sequence and the second request sequence.
In an exemplary embodiment of the present disclosure, the calculation sub-module includes:
a difference operation unit, configured to subtract the first mean from each request count contained in the first request sequence to obtain multiple first differences, and to subtract the second mean from each request count contained in the second request sequence to obtain multiple second differences;
a calculation unit, configured to calculate the correlation coefficient between the first request sequence and the second request sequence from the multiple first differences and the multiple second differences.
In an exemplary embodiment of the present disclosure, the domain name reflection attack detection apparatus further includes:
an acquisition unit, configured to obtain the request objects that initiated domain name resolution requests within a specified time window, and to count the number of domain name resolution requests each request object initiated within the specified time window;
a request-object-to-be-detected determination unit, configured to determine the request objects to be detected from among the request objects according to the relationship between the request count and a preset quantity threshold.
In an exemplary embodiment of the present disclosure, the determination module 1240 includes:
a detection sub-module, configured to check the relationship between the correlation coefficient of the at least two request sequences and a preset threshold to obtain a detection result;
a first determination sub-module, configured to determine that the request object to be detected has initiated a domain name reflection attack if the detection result indicates that the correlation coefficient is greater than or equal to the preset threshold;
a second determination sub-module, configured to determine that the request object to be detected has not initiated a domain name reflection attack if the detection result indicates that the correlation coefficient is less than the preset threshold.
It should be noted that the apparatus provided by the above embodiments and the method provided by the above embodiments belong to the same inventive concept; the specific manner in which each module, sub-module and unit performs its operations has been described in detail in the method embodiments and is not repeated here.
Embodiments of the present disclosure also provide an electronic device, including one or more processors and a storage device for storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement the domain name reflection attack detection method provided in the above embodiments.
Figure 13 shows a schematic structural diagram of a computer system suitable for implementing an electronic device according to an embodiment of the present disclosure.
It should be noted that the computer system 1300 of the electronic device shown in Figure 13 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present disclosure.
As shown in Figure 13, the computer system 1300 includes a central processing unit (CPU) 1301, which can perform various appropriate actions and processing, such as the method described in the above embodiments, according to a program stored in a read-only memory (ROM) 1302 or a program loaded from a storage part 1308 into a random access memory (RAM) 1303. The RAM 1303 also stores various programs and data required for system operation. The CPU 1301, the ROM 1302 and the RAM 1303 are connected to one another through a bus 1304. An input/output (I/O) interface 1305 is also connected to the bus 1304.
The following components are connected to the I/O interface 1305: an input part 1306 including a keyboard, a mouse and the like; an output part 1307 including a cathode ray tube (CRT), a liquid crystal display (LCD), a speaker and the like; a storage part 1308 including a hard disk and the like; and a communication part 1309 including a network interface card such as a LAN (Local Area Network) card or a modem. The communication part 1309 performs communication processing via a network such as the Internet. A drive 1310 is also connected to the I/O interface 1305 as needed. A removable medium 1311, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1310 as needed, so that a computer program read from it can be installed into the storage part 1308 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication part 1309 and/or installed from the removable medium 1311. When the computer program is executed by the central processing unit (CPU) 1301, the various functions defined in the system of the present disclosure are performed.
It should be noted that the computer-readable medium shown in the embodiments of the present disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination thereof. More specific examples of the computer-readable storage medium include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by, or in connection with, an instruction execution system, apparatus or device. In the present disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, or any suitable combination of the above.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. Each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams or flowcharts, and combinations of blocks therein, can be implemented by special-purpose hardware-based systems that perform the specified functions or operations, or by a combination of special-purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented in software or in hardware, and the described units may also be provided in a processor. The names of these units do not, in some cases, constitute a limitation on the units themselves.
Another aspect of the present disclosure also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method described above. The computer-readable storage medium may be included in the electronic device described in the above embodiments, or may exist separately without being assembled into that electronic device.
Another aspect of the present disclosure also provides a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the method provided in the above embodiments.
The above is only a description of preferred exemplary embodiments of the present disclosure and is not intended to limit its implementation. A person of ordinary skill in the art can readily make corresponding variations or modifications based on the main concept and spirit of the present disclosure, and the scope of protection of the present disclosure shall therefore be determined by the scope of protection claimed in the claims.

Claims (10)

  1. 一种域名反射攻击检测方法,包括:A domain name reflection attack detection method, including:
    获取待检测请求对象在多个时间窗口内发起域名解析请求的请求数量;Obtain the number of domain name resolution requests initiated by the request object to be detected within multiple time windows;
    根据预设时间关系对所述多个时间窗口的请求数量进行构建,得到至少两个请求序列;Construct the number of requests in the multiple time windows according to the preset time relationship to obtain at least two request sequences;
    计算所述至少两个请求序列之间的相关系数;Calculate the correlation coefficient between the at least two request sequences;
    根据所述至少两个请求序列之间的相关系数,确定所述待检测请求对象是否发起域名反射攻击。According to the correlation coefficient between the at least two request sequences, it is determined whether the request object to be detected initiates a domain name reflection attack.
  2. 如权利要求1所述的方法,其中,所述根据预设时间关系对所述多个时间窗口的请求数量进行构建,得到至少两个请求序列,包括:The method of claim 1, wherein the number of requests in the multiple time windows is constructed according to a preset time relationship to obtain at least two request sequences, including:
    根据预设时间关系,将所述多个时间窗口划分为多个第一时间窗口和多个第二时间窗口;Divide the plurality of time windows into a plurality of first time windows and a plurality of second time windows according to a preset time relationship;
    根据所述多个第一时间窗口的请求数量构建得到第一请求序列,以及根据所述多个第二时间窗口的请求数量构建得到第二请求序列。A first request sequence is constructed according to the number of requests in the plurality of first time windows, and a second request sequence is constructed according to the number of requests in the plurality of second time windows.
  3. 如权利要求2所述的方法,其中,所述多个时间窗口是连续的时间窗口;所述根据预设时间关系,将所述多个时间窗口划分为多个第一时间窗口和多个第二时间窗口,包括:The method of claim 2, wherein the plurality of time windows are continuous time windows; and the plurality of time windows are divided into a plurality of first time windows and a plurality of third time windows according to a preset time relationship. Two time windows, including:
    在多个连续的时间窗口中,确定指定数量个连续的时间窗口作为所述多个第一时间窗口;Among multiple consecutive time windows, determine a specified number of consecutive time windows as the multiple first time windows;
    在除所述第一时间窗口之外的其他时间窗口中,确定所述指定数量个时间窗口作为所述多个第二时间窗口;其中,所述多个第一时间窗口中最晚的第一时间窗口早于所述多个第二时间窗口中最早的第二时间窗口。In other time windows except the first time window, the specified number of time windows is determined as the plurality of second time windows; wherein the latest first time window among the plurality of first time windows is The time window is earlier than the earliest second time window among the plurality of second time windows.
  4. 如权利要求1所述的方法,其中,所述至少两个请求序列包括第一请求序列和第二请求序列;所述计算所述至少两个请求序列之间的相关系数,包括:The method of claim 1, wherein the at least two request sequences include a first request sequence and a second request sequence; and calculating the correlation coefficient between the at least two request sequences includes:
    对所述第一请求序列中含有的各个请求数量进行求平均值运算,得到第一均值,以及对所述第二请求序列中含有的各个请求数量进行求平均值运算,得到第二均值;Perform an averaging operation on the number of requests contained in the first request sequence to obtain a first average value, and perform an averaging operation on the number of requests contained in the second request sequence to obtain a second average value;
    根据所述第一均值、所述第二均值、所述第一请求序列,以及所述第二请求序列,计算所述第一请求序列和所述第二请求序列之间的相关系数。According to the first mean value, the second mean value, the first request sequence, and the second request sequence, a correlation coefficient between the first request sequence and the second request sequence is calculated.
  5. 如权利要求4所述的方法,其中,所述根据所述第一均值、所述第二均值、所述第一请求序列,以及所述第二请求序列,计算所述第一请求序列和所述第二请求序列的相关系数,包括:The method of claim 4, wherein the first request sequence and the first request sequence are calculated based on the first mean value, the second mean value, the first request sequence, and the second request sequence. The correlation coefficient of the second request sequence includes:
    将所述第一请求序列中含有的各个请求数量分别与所述第一均值进行求差值运算,得到多个第一差值,以及将所述第二请求序列中含有的各个请求数量分别与所述第二均 值进行求差值运算,得到多个第二差值;Perform a difference operation between each request number contained in the first request sequence and the first average value to obtain a plurality of first difference values, and compare each request number contained in the second request sequence with the first mean value respectively. The second mean value is subjected to a difference operation to obtain a plurality of second difference values;
    根据所述多个第一差值和所述多个第二差值,计算所述第一请求序列和所述第二请求序列之间的相关系数。Calculate a correlation coefficient between the first request sequence and the second request sequence according to the plurality of first difference values and the plurality of second difference values.
  6. 如权利要求1至5中任一项所述的方法,其中,在获取待检测请求对象在多个时间窗口内发起域名解析请求的请求数量之前,所述方法还包括:The method according to any one of claims 1 to 5, wherein before obtaining the number of requests for domain name resolution requests initiated by the request object to be detected within multiple time windows, the method further includes:
    obtaining the request objects that initiated domain name resolution requests within a specified time window, and counting the number of domain name resolution requests that the request objects initiated within the specified time window; and
    determining the request object to be detected from among the request objects according to the relationship between the request number and a preset number threshold.
  7. The method according to any one of claims 1 to 5, wherein determining, according to the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack comprises:
    detecting the relationship between the correlation coefficient of the at least two request sequences and a preset threshold to obtain a detection result;
    if the detection result indicates that the correlation coefficient is greater than or equal to the preset threshold, determining that the request object to be detected has initiated a domain name reflection attack; and
    if the detection result indicates that the correlation coefficient is less than the preset threshold, determining that the request object to be detected has not initiated a domain name reflection attack.
  8. A domain name reflection attack detection apparatus, comprising:
    an acquisition module configured to acquire the number of domain name resolution requests initiated by a request object to be detected within each of a plurality of time windows;
    a construction module configured to construct, according to a preset time relationship, at least two request sequences from the request numbers of the plurality of time windows;
    a calculation module configured to calculate the correlation coefficient between the at least two request sequences; and
    a determination module configured to determine, according to the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack.
  9. An electronic device, comprising:
    one or more processors; and
    a storage device configured to store one or more programs which, when executed by the one or more processors, cause the electronic device to implement the domain name reflection attack detection method according to any one of claims 1 to 7.
  10. A computer-readable storage medium having computer-readable instructions stored thereon which, when executed by a processor of a computer, cause the computer to perform the domain name reflection attack detection method according to any one of claims 1 to 7.
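The claimed pipeline (candidate selection of claim 6, per-window counting and sequence construction of claims 1 and 8, threshold comparison of claim 7) as an added Python example that is not part of the patent or the applicant's implementation. The claims do not fix the "preset time relationship" or the correlation measure, so the example assumes a fixed lag of three windows and Pearson's r, and the DNS query log is constructed.

```python
# Added example (not the applicant's code): claims 1, 6, 7 and 8 as a Python pipeline.
# Assumption: the "preset time relationship" is a fixed lag of LAG windows, i.e. the two
# request sequences are the per-window counts and their lagged copy; r is Pearson's.
from collections import Counter
from math import sqrt
WINDOW_LEN, NUM_WINDOWS, LAG = 10.0, 12, 3   # twelve consecutive 10-second windows
CORR_THRESHOLD, MIN_REQUESTS = 0.9, 100       # preset thresholds of claims 7 and 6

def make_log(requester, pattern, window_len=WINDOW_LEN):
    """Constructed sample data: pattern[i] requests from requester inside window i."""
    return [(i * window_len + j * 0.01, requester) for i, n in enumerate(pattern) for j in range(n)]
# Constructed: a reflection source re-bursts every 3 windows; a normal client does not.
ATTACK_PATTERN = [50, 2, 1, 48, 3, 2, 52, 1, 2, 49, 2, 1]
BENIGN_PATTERN = [3, 1, 4, 1, 5, 2, 3, 4, 2, 1, 3, 2]
SAMPLE_LOG = make_log("203.0.113.7", ATTACK_PATTERN) + make_log("198.51.100.9", BENIGN_PATTERN)

def candidate_requesters(log, start, length, min_requests):
    """Claim 6: requesters whose count in [start, start+length) reaches the count threshold."""
    totals = Counter(src for ts, src in log if start <= ts < start + length)
    return sorted(src for src, n in totals.items() if n >= min_requests)

def window_counts(log, requester, window_len=WINDOW_LEN, num_windows=NUM_WINDOWS):
    """Claims 1/8, acquisition step: one requester's requests per consecutive window from t=0."""
    counts = [0] * num_windows
    for ts, src in log:
        idx = int(ts // window_len)
        if src == requester and 0 <= idx < num_windows:
            counts[idx] += 1
    return counts

def pearson(a, b):
    """Pearson correlation coefficient; None if too short or either sequence is constant."""
    if len(a) < 2:
        return None
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return None if va == 0 or vb == 0 else cov / sqrt(va * vb)

def is_reflection_attack(counts, lag=LAG, threshold=CORR_THRESHOLD):
    """Construction step (lagged copy, lag >= 1) plus claim 7: attack iff r >= threshold."""
    r = pearson(counts[:-lag], counts[lag:])
    if r is None:                 # flat series (e.g. all zeros): no correlation, no verdict
        return False, 0.0
    return r >= threshold, r

def detect(log, min_requests=MIN_REQUESTS):
    """Claims 6 -> 1 -> 7 in order; returns {requester: (is_attack, r)} per candidate."""
    return {src: is_reflection_attack(window_counts(log, src))
            for src in candidate_requesters(log, 0.0, WINDOW_LEN * NUM_WINDOWS, min_requests)}
```

A periodic source correlates strongly with its own lagged copy and trips the threshold, while the irregular client does not; a flat series yields no verdict rather than a spurious one.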
PCT/CN2022/140321 2022-08-03 2022-12-20 Domain-name reflection attack detection method and apparatus, and electronic device and storage medium WO2024027079A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210930014.8A CN115296904B (en) 2022-08-03 2022-08-03 Domain name reflection attack detection method and device, electronic equipment and storage medium
CN202210930014.8 2022-08-03

Publications (1)

Publication Number Publication Date
WO2024027079A1 true WO2024027079A1 (en) 2024-02-08

Family

ID=83826545

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/140321 WO2024027079A1 (en) 2022-08-03 2022-12-20 Domain-name reflection attack detection method and apparatus, and electronic device and storage medium

Country Status (2)

Country Link
CN (1) CN115296904B (en)
WO (1) WO2024027079A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115296904B (en) * 2022-08-03 2023-10-27 中国电信股份有限公司 Domain name reflection attack detection method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120174220A1 (en) * 2010-12-31 2012-07-05 Verisign, Inc. Detecting and mitigating denial of service attacks
CN109005181A (en) * 2018-08-10 2018-12-14 深信服科技股份有限公司 A kind of detection method, system and the associated component of DNS amplification attack
US20190020663A1 (en) * 2017-07-13 2019-01-17 Cisco Technology, Inc. Using repetitive behavioral patterns to detect malware
CN113783892A (en) * 2021-09-28 2021-12-10 北京天融信网络安全技术有限公司 Reflection attack detection method, system, device and computer readable storage medium
CN114363062A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Domain name detection method, system, equipment and computer readable storage medium
CN115296904A (en) * 2022-08-03 2022-11-04 中国电信股份有限公司 Domain name reflection attack detection method and device, electronic equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017163104A1 (en) * 2016-03-21 2017-09-28 Telefonaktiebolaget Lm Ericsson (Publ) System and method for mitigating dns attacks
EP3462712B1 (en) * 2017-10-02 2020-07-01 Nokia Solutions and Networks Oy Method for mitigating dns-ddos attacks
CN113347186B (en) * 2021-06-01 2022-05-06 百度在线网络技术(北京)有限公司 Reflection attack detection method and device and electronic equipment

Also Published As

Publication number Publication date
CN115296904B (en) 2023-10-27
CN115296904A (en) 2022-11-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22953867

Country of ref document: EP

Kind code of ref document: A1