Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
For ease of reference and understanding, the technical terms, abbreviations and acronyms used hereinafter are summarized and explained as follows:
DDOS, Distributed Denial of Service: distributed denial of service attack;
Bot: a robot or zombie program; a program that can automatically execute predefined functions, can be remotely controlled by predefined commands, and has a certain degree of artificial intelligence;
Zombie: a zombie host; a computer that contains a Bot or another remote-control program and can be remotely controlled by the attacker;
Botnet: a network formed by using one or more propagation means to infect a large number of hosts with Bot programs, so that a one-to-many controllable network is formed between the controller and the infected hosts (the zombie hosts);
IP, Internet Protocol: the Internet protocol;
DPI, Deep Packet Inspection: the "depth" is relative to ordinary packet analysis. "Ordinary packet inspection" analyzes only the contents of an IP packet below layer 4 (source address, destination address, source port, destination port and protocol type), whereas DPI adds application-layer analysis on top of that hierarchical analysis and identifies the various applications and their content. At present DPI can be divided into two modes, single-packet matching and multi-packet matching: for most IP packets, detection is possible from the characteristics of the network message carried in the packet, and the usual method is to traverse a rule tree, matching the message against each rule one by one. For some IP packets, however, inspecting a single message is not enough for accurate detection, and several messages of one flow have to be analyzed;
DN, Domain Name: the name of a computer or computing unit on the Internet, used to identify its electronic location (sometimes also its geographical location) during data transmission;
DNS, Domain Name Service: domain name service;
DNS, Domain Name System: a computer or computing unit can be identified either by its domain name or by its IP address. Users prefer domain names, which are easy to remember, whereas routers use only fixed-length, hierarchically structured IP addresses. To reconcile these two demands, a directory service that translates between domain names and IP addresses is needed; that is the main task of the DNS;
DNS, Domain Name Server: name server; a host on which the DNS is installed.
A Botnet forms an attack platform; its basic network topology is shown in Fig. 1. Using this platform, an attacker can effectively launch various attacks, which can paralyze an entire basic information network or an important application system, cause large amounts of confidential or private information to leak, and also serve other illegal activities such as network fraud. DDoS, sending spam, stealing secrets and abusing resources are attacks that have already been found to be launched with Botnets, and these behaviours have done serious harm to the network as a whole and to users themselves. As new attack types appear in the future, Botnets may also be used to launch new, unknown attacks. Exploring effective Botnet detection and monitoring methods is therefore very important.
As already described, a Bot program usually carries the domain-name information of the master control host. Referring to Fig. 2, the inventors found that, generally, each time a zombie host comes online it sends an IP address lookup DNS request message to the name server; the name server places the IP address corresponding to that domain name in a DNS response message and returns it; and the zombie host then communicates with the master control host using the IP address from the DNS response message, sending various IP packets.
The inventors also found that the domain-name information of the master control host cannot be changed easily. This is because once the domain name of the master control host is changed, the Zombies can no longer find the master control host by means of the old domain name held in their own Bot. Even if the master control host issues the new domain-name information to the zombie hosts before changing the domain name, there is no guarantee that all Zombies are online when the master control host sends that information, so there is a risk of losing some Zombies. These factors determine that the domain name of the master control host cannot be changed easily. The embodiments of the present invention are designed around this characteristic.
Fig. 3 shows a method, provided by an embodiment of the present invention, for detecting the domain name of the master control host in a Botnet. The method comprises at least the following steps:
S31: detect a Botnet from network messages and obtain the IP address of the master control host in the Botnet;
S32: obtain and parse the DNS response message returned by the name server for a domain name service (DNS) request message (an IP address lookup or a domain name lookup), and obtain therefrom the domain name corresponding to the IP address.
For ease of understanding, the DNS request message and the DNS response message are briefly introduced. Both belong to the category of network messages (for convenience they are referred to collectively as DNS messages below). A DNS message consists of a 12-byte header and four variable-length fields (question, answer, authority and additional information); its general format is shown in the following table:
Table 1
The question field is mainly composed of the query name, the query type and the query class:
The query name is normally the name being looked up, as a sequence of one or more identifiers (labels). Each identifier is preceded by a one-byte count giving its length, each name ends with a byte of 0, and an identifier of length 0 is the root identifier. Each identifier is at most 63 bytes long, and the whole query name is of variable length and needs no padding. For example, the domain name www.heike.com is expressed as [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0], and the name 44.33.88.123.in-addr.arpa is expressed as [2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0];
The query type is generally the type of the query: a lookup of an IP address by domain name (a DNS request message of this type is an IP address lookup DNS request message) or, of course, a lookup of a domain name by IP address (a DNS request message of this type is a domain name lookup DNS request message);
The query class is usually 1, meaning an Internet address.
The answer field of a DNS message usually records the answer to the question field: when the query name in the question field is a domain name (IP address looked up by domain name), the answer field records the IP address corresponding to that domain name; when the query name in the question field is an IP address (domain name looked up in reverse from the IP address), the answer field records the domain name corresponding to that IP address.
It will be understood that the answer field of a DNS request message is generally empty, whereas in a DNS response message neither the question field nor the answer field is generally empty; in other words, a DNS response message reflects the correspondence between an IP address and a domain name.
Step S32 exploits this characteristic of DNS response messages to obtain, from the DNS response message returned by the name server, the domain name corresponding to the IP address of the master control host.
Because the domain-name information of the master control host is constant, its domain name does not change even though the IP address of the master control host may well change each time it comes online; that is, the domain name and the master control host are in a one-to-one relation, so a unique identifier of the master control host is obtained, which lays a good foundation for subsequent processing. For example, the domain name of the master control host of the Botnet can be blocked so as to prevent, more directly and quickly, other computers from joining the Botnet.
In another embodiment of the present invention, the above detection method may further comprise the following steps:
obtain, from network messages, information on the network devices connected to the master control host having the domain name;
determine the topology of the Botnet from that information.
Once the topology of the Botnet has been determined, the Botnet can be monitored, or even its control reversed, according to that topology.
Corresponding to the above method for detecting the domain name of the master control host in a Botnet, an embodiment of the present invention also provides a network device. Fig. 4 shows one structure of this network device 401, which comprises:
a detecting unit 402, for detecting a Botnet from network messages and obtaining the IP address of the master control host in the Botnet;
a first acquiring unit 403, for obtaining and parsing the DNS response message returned by the name server for a domain name service (DNS) request message (an IP address lookup or a domain name lookup), and obtaining therefrom the domain name corresponding to the IP address.
In another embodiment of the present invention, the above network device may further comprise a second acquiring unit and a determining unit, where the second acquiring unit obtains, from network messages, information on the network devices connected to the master control host having the domain name, and the determining unit determines the topology of the Botnet from that information.
In another embodiment of the present invention, referring to Fig. 5, the above network device 401 may further comprise an aging unit 501 and a memory unit 502, where:
the aging unit 501 ages the current detection after the domain name has been obtained, or ages the current detection when no domain name has been obtained after a predetermined period of time has elapsed since the start time of the current detection;
the memory unit 502 stores any one or any combination of the domain name, the IP address and the start time.
In addition, the aging unit 501 and/or the memory unit 502 may also be independent of the detecting unit 402 and the first acquiring unit 403; this is not repeated here.
Any one or any combination of the domain name, the IP address and the start time may be recorded in a default monitoring table, a Word document, a board, etc., and stored in the memory unit 502.
Since DNS request messages are of two types, IP address lookup and domain name lookup, the above domain name detection method can be divided into two sub-methods, which are introduced in turn below:
Domain name detection sub-method one:
Referring to Fig. 6, domain name detection sub-method one comprises at least the following steps:
S61: detect a Botnet from network messages and obtain the IP address of the master control host in the Botnet;
S62: search the network messages for the DNS response message returned by the name server for the IP address lookup DNS request message of a zombie host in the Botnet;
S63: parse the DNS response message and obtain therefrom the domain name corresponding to the IP address.
In another embodiment of the present invention, referring to Fig. 6, the above detection method may further comprise the following steps:
S64: obtain, from network messages, information on the network devices connected to the master control host having the domain name;
S65: determine the topology of the Botnet from that information.
Generally, the DNS record cached by each querying host ages out naturally, so as long as a host does not go offline it will send a DNS request message to the DNS at intervals, and the DNS will return a DNS response message. That is to say, in general the IP packets always include DNS response messages. Sometimes, however, for various reasons, the DNS response message returned by the name server for the IP address lookup DNS request message of a Zombie in the Botnet cannot be found for a long time, and the domain name of the master control host therefore cannot be obtained. In that case, to consume fewer detection resources, the current detection can be aged when no domain name has been obtained after a predetermined period of time has elapsed since the start time of the current detection. Of course, the current detection can also be aged once the domain name has been obtained.
Corresponding to domain name detection sub-method one, referring to Fig. 7, an embodiment of the present invention also provides a network device 701 comprising a detecting unit 702 and a first acquiring unit 703, the first acquiring unit 703 in turn comprising a searching sub-unit 704 and a parsing sub-unit 705, where:
the detecting unit 702 detects a Botnet from network messages and obtains the IP address of the master control host in the Botnet;
the searching sub-unit 704 searches the network messages for the DNS response message returned by the name server for the IP address lookup DNS request message of a Zombie in the Botnet;
the parsing sub-unit 705 parses the DNS response message and obtains therefrom the domain name corresponding to the IP address.
In other embodiments of the invention, the network device 701 may further comprise a second acquiring unit and a determining unit, where the second acquiring unit obtains, from network messages, information on the network devices connected to the master control host having the domain name, and the determining unit determines the topology of the Botnet from that information.
The above network device may further comprise an aging unit and a memory unit, where the aging unit ages the current detection after the domain name has been obtained or the topology of the Botnet has been determined, or ages the current detection when neither the domain name has been obtained nor the topology of the Botnet determined after a predetermined period of time has elapsed since the start time of the current detection; and the memory unit stores any one or any combination of the domain name, the IP address and the start time.
In a specific implementation, the functions of the network device 701 can be realized by a DPI device, a gateway device or another network device, deployed inline or as a bypass on the network. The network messages can be obtained by existing means such as packet capture.
As stated above, any one or any combination of the domain name, the IP address and the start time may be recorded in a default monitoring table. In the embodiments of the present invention, there are several ways of using the default monitoring table to detect the domain name of the master control host in a Botnet; they are described in detail below:
Mode one:
Referring to Fig. 8, the detection process comprises the following steps:
S81: record the start time of the current detection in the default monitoring table;
Suppose the default monitoring table is as shown in Table 2 or Table 3:
Table 2
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
Table 3
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 |  | T3
Here the CCIp column records the detected IP address of the master control host, the CCDomain column records the domain name string corresponding to that IP address, and the InsertTime column records the time at which a given (or the current) detection was inserted, i.e. the start time of that detection.
After step S81, the monitoring table is updated to Table 4 or Table 5:
Table 4
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
 |  | T4
Table 5
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
S82: obtain network messages;
S83: detect a Botnet from the network messages and obtain the IP address of the master control host in the Botnet;
S84: search the network messages for a DNS response message returned by the name server for the IP address lookup DNS request message of a Zombie in the Botnet; if one is found, go to S86, otherwise go to S85;
S85: judge whether a predetermined period of time (e.g. 24 hours) has now elapsed since the start time of the current detection; if so, go to step S810, otherwise return to step S82;
S86: parse the DNS response message;
S87: compare the IP address in the DNS response message with the IP addresses already recorded in the monitoring table, and judge whether an IP address in the monitoring table duplicates the IP address in the DNS response message; if so, go to step S88, otherwise go to step S89;
S88: complete the correspondence between the IP address and the domain name;
Suppose the correspondence between IP address and domain name in the DNS response message is IP3-D4. The IP3 in the DNS response message then duplicates the IP3 in the default monitoring table. If the time difference between T4 and T3 is not greater than the predetermined value, e.g. 24 hours, T3 is retained and D4 is inserted into the CCDomain column of the row for IP3 in the default monitoring table, which is updated to Table 6 or Table 7:
Table 6
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3,D4 | T3
Table 7
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D4 | T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced with T4 and D4 is inserted into the monitoring table, which is updated to Table 8 or Table 9:
Table 8
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3,D4 | T4
Table 9
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D4 | T4
S89: insert the IP address and the domain name from the DNS response message into the monitoring table;
Suppose the correspondence between IP address and domain name in the DNS response message is IP4-D4. The IP4 in the DNS response message does not duplicate any IP address recorded in the monitoring table, so IP4 and D4 are inserted into the monitoring table, which is updated to Table 10 or Table 11:
Table 10
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
IP4 | D4 | T4
Table 11
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 |  | T3
S810: age the current detection;
S811: report the monitoring table.
Mode two:
Referring to Fig. 9, this mode comprises the following steps:
S91: record the start time of the current detection;
Suppose the default monitoring table is as shown in the following table:
Table 12
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
After step S91, the default monitoring table is updated to:
Table 13
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
 |  | T4
S92: obtain network messages;
S93: detect a Botnet from the network messages and obtain the IP address of the master control host in the Botnet;
S94: search the network messages for a DNS response message returned by the name server for the IP address lookup DNS request message of a Zombie in the Botnet; if one is found, go to S96, otherwise go to S95;
S95: judge whether a predetermined period of time (e.g. 24 hours) has now elapsed since the start time of the current detection; if so, go to step S910, otherwise return to step S92;
S96: parse the DNS response message;
S97: compare the domain name in the DNS response message with the domain names already recorded in the monitoring table, and judge whether a domain name in the monitoring table duplicates the domain name in the DNS response message; if so, go to step S98, otherwise go to step S99;
S98: complete the correspondence between the IP address and the domain name;
Suppose the correspondence between IP address and domain name in the DNS response message is IP4-D3. The D3 in the DNS response message then duplicates the D3 in the monitoring table. If the time difference between T4 and T3 is not greater than the predetermined value, e.g. 24 hours, T3 is retained and IP4 is inserted into the CCIp column, and the monitoring table is updated to:
Table 14
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3,IP4 | D3 | T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced with T4 and IP4 is inserted into the CCIp column, and the monitoring table is updated to:
Table 15
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3,IP4 | D3 | T4
S99: insert the IP address and the domain name from the DNS response message into the monitoring table;
Suppose the correspondence between IP address and domain name in the DNS response message is IP4-D4. The domain name D4 in the DNS response message does not duplicate any domain name recorded in the monitoring table, so IP4 and D4 are inserted into the monitoring table, which is updated to:
Table 16
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
IP4 | D4 | T4
S910: age the current detection;
S911: report the monitoring table.
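The following Python is added here as a worked example and is not part of the patent; it implements the monitoring-table updates of mode one (steps S87 to S89, matching on the CCIp column) and mode two (steps S97 to S99, matching on the CCDomain column), including the 24-hour rule for retaining or replacing InsertTime and the aging of a detection that has produced no domain name (steps S85/S95 and S810/S910). The class and method names, the representation of InsertTime as seconds and the placeholder values IP1..IP5 and D1..D5 are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Example code for this description (not the patent's own implementation).
# The "predetermined value / period" of the text is taken as 24 hours.
PREDETERMINED_SECONDS = 24 * 3600


@dataclass
class Row:
    cc_ip: List[str] = field(default_factory=list)       # CCIp column (may hold IP3,IP4)
    cc_domain: List[str] = field(default_factory=list)   # CCDomain column (may hold D3,D4)
    insert_time: int = 0                                  # InsertTime column; assumed seconds

    def is_pending(self) -> bool:
        """The '| | T4' row written at S81/S91: start time recorded, nothing else yet."""
        return not self.cc_ip and not self.cc_domain


class MonitoringTable:
    def __init__(self, rows: Optional[List[Row]] = None):
        self.rows: List[Row] = list(rows or [])
        self.current_start: Optional[int] = None      # T4 of the current detection

    def start_detection(self, now: int) -> None:
        """S81/S91: record the start time of the current detection as a row with empty IP and domain."""
        self.current_start = now
        self.rows.append(Row(insert_time=now))

    def _pop_pending(self) -> Row:
        for i, row in enumerate(self.rows):
            if row.is_pending():
                return self.rows.pop(i)
        return Row(insert_time=self.current_start or 0)

    def record(self, ip: str, domain: str, key: str = "ip") -> str:
        """Apply one parsed (IP, domain) pair: key='ip' is mode one (S87-S89), key='domain' mode two (S97-S99)."""
        if self.current_start is None:
            raise RuntimeError("start_detection() must be called first")
        t4 = self.current_start
        pending = self._pop_pending()
        if key == "ip":
            match = next((r for r in self.rows if ip in r.cc_ip), None)
        elif key == "domain":
            match = next((r for r in self.rows if domain in r.cc_domain), None)
        else:
            raise ValueError("key must be 'ip' or 'domain'")
        if match is None:
            # S89/S99: no duplicate, so the pair becomes a new row (Tables 10 and 16).
            pending.cc_ip, pending.cc_domain = [ip], [domain]
            self.rows.append(pending)
            return "inserted"
        # S88/S98: complete the correspondence on the existing row (Tables 6/7, 14).
        if ip not in match.cc_ip:
            match.cc_ip.append(ip)
        if domain not in match.cc_domain:
            match.cc_domain.append(domain)
        # Keep T3 if T4 - T3 is within the predetermined value, otherwise replace T3 with T4 (Tables 8/9, 15).
        if t4 - match.insert_time > PREDETERMINED_SECONDS:
            match.insert_time = t4
        return "completed"

    def expired(self, now: int) -> bool:
        """S85/S95: true when the predetermined period has elapsed since the start of the current detection."""
        return self.current_start is not None and now - self.current_start > PREDETERMINED_SECONDS

    def age_current_detection(self) -> None:
        """S810/S910: discard the pending row and end the current detection."""
        self.rows = [r for r in self.rows if not r.is_pending()]
        self.current_start = None

    def as_rows(self) -> List[Tuple[List[str], List[str], int]]:
        """S811/S911: report the table as (CCIp, CCDomain, InsertTime) tuples."""
        return [(r.cc_ip, r.cc_domain, r.insert_time) for r in self.rows]


if __name__ == "__main__":
    # Constructed walkthrough mirroring Tables 2, 4 and 6 of the description.
    table = MonitoringTable([Row(["IP1"], ["D1"], 1000), Row(["IP2"], ["D2"], 2000), Row(["IP3"], ["D3"], 3000)])
    table.start_detection(3000 + 3600)
    print(table.record("IP3", "D4", key="ip"), table.as_rows())
```

Starting a detection appends the row with empty CCIp and CCDomain and InsertTime T4 exactly as in Tables 4 and 13; `record` then consumes that row either by completing an existing row (Tables 6 to 9, 14 and 15) or by filling it in as a new row (Tables 10 and 16), and `expired` followed by `age_current_detection` is the S85/S810 path when no DNS response message turns up.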
Corresponding to detection sub-method one, referring to Fig. 10, an embodiment of the present invention also discloses a method of monitoring a Botnet, comprising the following steps:
S101: detect a Botnet from network messages and obtain the Internet protocol (IP) address of the master control host in the Botnet;
S102: search the network messages for the DNS response message returned by the name server for the IP address lookup DNS request message of a zombie host in the Botnet;
S103: parse the DNS response message and obtain therefrom the domain name corresponding to the IP address;
S104: obtain, from network messages, information on the network devices connected to the master control host having the domain name;
S105: determine the topology of the Botnet from that information;
S106: monitor the Botnet according to the topology and the domain name.
Because the domain-name information of the master control host is constant, its domain name does not change even though the IP address of the master control host may well change each time it comes online; that is, the domain name and the master control host are in a one-to-one relation, so a unique identifier of the master control host is obtained, which lays a good foundation for subsequent processing. In addition, the embodiments of the present invention use the domain name as the basis for monitoring, so the situation in which different IP addresses corresponding to the same master control host are mistakenly judged to be several Botnets does not arise, which makes monitoring of the Botnet simpler.
To consume fewer monitoring resources, the current monitoring can be stopped when a predetermined period of time has elapsed since the start time of the current monitoring. This covers two cases: when the predetermined time (e.g. 24 hours) is exceeded without the domain name having been obtained or the topology of the Botnet determined, the current monitoring can be stopped; and even if the domain name has been obtained or the topology of the Botnet determined, each monitoring run has a lifetime of its own for the sake of cost saving, and once that lifetime is exceeded the current monitoring is also stopped.
Any one or any combination of the domain name, the IP address and the start time may be recorded in a default monitoring table, a Word document, a board, etc.
Corresponding to the above monitoring method, an embodiment of the present invention also provides a system for monitoring a Botnet. Referring to Fig. 11, the system comprises a foreground system 111 and a background system 112, the foreground system 111 comprising:
a detecting unit 113, for detecting a Botnet from network messages and obtaining the IP address of the master control host in the Botnet;
a searching sub-unit 114, for searching the network messages for the DNS response message returned by the name server for the IP address lookup DNS request message of a Zombie in the Botnet;
a parsing sub-unit 115, for parsing the DNS response message and obtaining therefrom the domain name corresponding to the IP address;
and the background system 112 comprising:
a second acquiring unit 116, for obtaining, from network messages, information on the network devices connected to the master control host having the domain name;
a determining unit 117, for determining the topology of the Botnet from that information;
a monitoring unit 118, for monitoring the Botnet according to the topology and the domain name.
Corresponding to the above monitoring method, referring to Fig. 12, an embodiment of the present invention also provides a network monitoring device 121, which comprises:
a detecting unit 122, for detecting a Botnet from network messages and obtaining the IP address of the master control host in the Botnet;
a searching sub-unit 123, for searching the network messages for the DNS response message returned by the name server for the IP address lookup DNS request message of a Zombie in the Botnet;
a parsing sub-unit 124, for parsing the DNS response message and obtaining therefrom the domain name corresponding to the IP address;
a second acquiring unit 125, for obtaining, from network messages, information on the network devices connected to the master control host having the domain name;
a determining unit 126, for determining the topology of the Botnet from that information;
a monitoring unit 127, for monitoring the Botnet according to the topology and the domain name.
In other embodiments, the network monitoring device 121 may further comprise a stopping unit and a memory unit, where the stopping unit stops the current monitoring when a predetermined period of time has elapsed since the start time of the current monitoring, and the memory unit stores any one or any combination of the domain name, the IP address and the start time of the current monitoring.
In a specific implementation, the network monitoring device 121 can be a DPI device, a gateway device or another network device capable of realizing the above functions.
Domain name detection sub-method two:
Referring to Figure 13, domain name detection sub-method two comprises at least the following steps:
S131: detect a Botnet from network messages and obtain the IP address of the master control host in the Botnet;
S132: send to the name server a DNS request message querying the domain name corresponding to the IP address;
S133: receive the DNS response message returned by the name server;
S134: parse the DNS response message and obtain therefrom the domain name corresponding to the IP address.
Because the domain-name information of the master control host is constant, its domain name does not change even though the IP address of the master control host may well change each time it comes online; that is, the domain name and the master control host are in a one-to-one relation, so a unique identifier of the master control host is obtained, which lays a good foundation for subsequent processing. In addition, since the embodiment queries the name server directly for the domain name corresponding to the IP address once the IP address of the master control host has been detected, instead of waiting for the name server to return a DNS response message to a zombie host, the method of this embodiment has the further advantage of saving time when no DNS response message returned by the name server to a Zombie in the Botnet can be found for a long time.
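As an added illustration (not code from the patent), the following Python models the DNS message format described under Table 1 (a 12-byte header followed by the question and answer fields, with names in label-length form such as [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]) and the two ways the embodiments obtain the domain name of the master control host: parsing a captured IP address lookup response (sub-method one, steps S62 and S63) and building and parsing the reverse lookup request and response of sub-method two (steps S132 to S134). The function names, the transaction IDs, the address 123.88.33.44 (the address whose reverse name 44.33.88.123.in-addr.arpa appears in the description) and the use of www.heike.com as the master host name are assumptions of this example; compression pointers are handled because real responses use them.

```python
import struct
import ipaddress
from typing import List, Optional, Tuple

# Example code for this description (not the patent's own implementation).
HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT: the 12-byte header
TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1


def encode_name(name: str) -> bytes:
    """Encode a name as length-prefixed labels ending in a 0 byte; each label is at most 63 bytes."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label length must be 1..63 bytes: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode the name at offset `off`, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to a name earlier in the message
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                           # root identifier terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def reverse_name(ip: str) -> str:
    """Reverse-lookup name of an IPv4 address, e.g. 123.88.33.44 -> 44.33.88.123.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def ptr_name_to_ip(name: str) -> str:
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        raise ValueError("not an IPv4 in-addr.arpa name: %r" % name)
    return ".".join(reversed(labels[:4]))


def build_query(txid: int, qname: str, qtype: int) -> bytes:
    """DNS request message (step S132): header with RD set, one question, empty answer field."""
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(txid: int, qname: str, qtype: int, rdatas: List[bytes]) -> bytes:
    """Constructed DNS response message: QR/RD/RA set, the question echoed, one answer per rdata."""
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for rdata in rdatas:
        body += encode_name(qname) + struct.pack("!HHIH", qtype, CLASS_IN, 300, len(rdata)) + rdata
    return HEADER.pack(txid, 0x8180, 1, len(rdatas), 0, 0) + body


def parse_response(msg: bytes) -> List[Tuple[str, str]]:
    """Return the (IP address, domain name) pairs a DNS response message reflects (steps S63 and S134)."""
    _txid, flags, qd, an, _ns, _ar = HEADER.unpack_from(msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response message (QR bit clear)")
    off = HEADER.size
    for _ in range(qd):                           # skip the question field (name, type, class)
        _name, off = decode_name(msg, off)
        off += 4
    pairs = []
    for _ in range(an):                           # walk the answer field
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_A and rdlen == 4:        # domain name -> IP address (IP address lookup)
            pairs.append((str(ipaddress.IPv4Address(msg[off:off + 4])), name))
        elif rtype == TYPE_PTR:                   # IP address -> domain name (domain name lookup)
            target, _ = decode_name(msg, off)
            pairs.append((ptr_name_to_ip(name), target))
        off += rdlen
    return pairs


def master_domain(msg: bytes, master_ip: str) -> Optional[str]:
    """Step S32: domain name of the master control host whose IP address was already detected, or None."""
    for ip, domain in parse_response(msg):
        if ip == master_ip:
            return domain
    return None
```

In sub-method one the device only ever calls `parse_response` and `master_domain` on captured traffic; in sub-method two it first sends `build_query(txid, reverse_name(ip), TYPE_PTR)` and parses whatever comes back, and a request that is mistaken for a response is rejected on the QR bit rather than silently yielding no pairs.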
In another embodiment of the present invention, domain name detection sub-method two may further comprise the following steps:
obtain, from network messages, information on the network devices connected to the master control host having the domain name;
determine the topology of the Botnet from that information.
To consume fewer detection resources, the above method may also age the current detection once the domain name has been obtained. Of course, the current detection may also be aged when no domain name has been obtained after a predetermined period of time has elapsed since the start time of the current detection.
Any one or any combination of the domain name, the IP address and the start time may be recorded in a default monitoring table, a Word document, a board, etc.
Corresponding to domain name detection sub-method two, referring to Figure 14, an embodiment of the present invention also provides a network device 141 comprising a detecting unit 142 and a first acquiring unit 143, the first acquiring unit 143 in turn comprising a sending sub-unit 144, a receiving sub-unit 145 and a parsing sub-unit 146, where:
the detecting unit 142 detects a Botnet from network messages and obtains the IP address of the master control host in the Botnet;
the sending sub-unit 144 sends to the name server a DNS request message querying the domain name corresponding to the IP address;
the receiving sub-unit 145 receives the DNS response message returned by the name server;
the parsing sub-unit 146 parses the DNS response message and obtains therefrom the domain name corresponding to the IP address. In a specific implementation, the network device 141 or the first acquiring unit 143 can use a built-in reverse domain name lookup system to look up, from the name server, the domain name corresponding to the IP address.
In other embodiments of the invention, the network device 141 may further comprise a second acquiring unit and a determining unit, where the second acquiring unit obtains, from network messages, information on the network devices connected to the master control host having the domain name, and the determining unit determines the topology of the Botnet from that information.
In different embodiments of the present invention, there are several ways of using the default monitoring table to detect the domain name of the master control host in a Botnet; the embodiments are described in detail below with reference to these different modes:
Mode one:
Referring to Figure 15, this mode comprises the following steps:
S151: record the start time of the current detection;
Suppose the default monitoring table is as shown in Table 17 or Table 18:
Table 17
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
Table 18
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | | T3
After step S151 is completed, the preset monitoring table is updated to table 19 or table 20:
Table 19
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
Table 20
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | | T3
| | T4
S152: detect a botnet according to network messages and obtain the IP address of the main control host in the botnet;
S153: send to the name server a DNS request message querying the domain name corresponding to the IP address;
S154: judge whether a DNS response message returned by the name server has been received; if so, go to S156, otherwise go to S155;
S155: judge whether the number of times the DNS request message has been sent exceeds a predetermined number (e.g. 3); if so, go to step S1510, otherwise return to step S153;
S156: parse the DNS response message returned by the name server and obtain from it the domain name corresponding to the IP address;
S157: compare the IP address in the DNS response message with the IP addresses already recorded in the monitoring table, and judge whether an IP address in the monitoring table is the same as the IP address in the DNS response message; if so, go to step S158, otherwise go to step S159;
S158: complete the correspondence between the IP address and the domain name;
Suppose the correspondence between IP address and domain name in the DNS response message is IP3-D4. Now IP3 in the DNS response message and IP3 in the monitoring table are the same. If the time difference between T4 and T3 is not greater than a predetermined value, e.g. 24 hours, T3 is retained and D4 is inserted into the CCDomain column of the IP3 row of the monitoring table, which is updated to table 21 or table 22:
Table 21
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
Table 22
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D4 | T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and D4 is inserted into the CCDomain column of the IP3 row of the monitoring table, which is updated to table 23 or table 24:
Table 23
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3,D4 | T4
Table 24
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D4 | T4
S159: insert the IP address and the domain name from the DNS response message into the monitoring table;
Suppose the correspondence between IP address and domain name in the DNS response message is IP4-D4. Now IP4 in the DNS response message does not match any IP address recorded in the monitoring table, so IP4 and D4 are each inserted into the monitoring table, which is updated to table 25 or table 26:
Table 25
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
IP4 | D4 | T4
Table 26
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | | T3
IP4 | D4 | T4
S1510: age out (terminate) the current detection;
S1511: report the monitoring table.
Mode two:
Referring to Figure 16, this mode comprises the following steps:
S161: record the start time of the current detection;
Suppose the preset monitoring table has the form of table 27:
Table 27
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
After step S161 is completed, the preset monitoring table is updated to table 28:
Table 28
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
| | T4
S162: detect a botnet according to network messages and obtain the IP address of the main control host in the botnet;
S163: send to the name server a DNS request message querying the domain name corresponding to the IP address;
S164: judge whether a DNS response message returned by the name server has been received; if so, go to S166, otherwise go to S165;
S165: judge whether the number of times the DNS request message has been sent exceeds a predetermined number (e.g. 3); if so, go to step S1610, otherwise return to step S163;
S166: parse the DNS response message returned by the name server and obtain from it the domain name corresponding to the IP address;
S167: compare the domain name in the DNS response message with the domain names already recorded in the monitoring table, and judge whether they are the same; if so, go to step S168, otherwise go to step S169;
S168: complete the correspondence between the IP address and the domain name;
Suppose the correspondence between IP address and domain name in the DNS response message is IP4-D3. Now D3 in the DNS response message and D3 in the monitoring table are the same. If the time difference between T4 and T3 is not greater than the predetermined value, e.g. 24 hours, T3 is retained and IP4 is inserted into the CCIp column, and the monitoring table is updated to:
Table 29
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3,IP4 | D3 | T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and IP4 is inserted into the CCIp column, and the monitoring table is updated to:
Table 30
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3,IP4 | D3 | T4
S169: insert the IP address and the domain name from the DNS response message into the monitoring table;
Suppose the correspondence between IP address and domain name in the DNS response message is IP4-D4. Now the domain name D4 in the DNS response message does not match any domain name recorded in the monitoring table, so IP4 and D4 are each inserted into the monitoring table, which is updated to:
Table 31
CCIp | CCDomain | InsertTime
IP1 | D1 | T1
IP2 | D2 | T2
IP3 | D3 | T3
IP4 | D4 | T4
S1610: age out (terminate) the current detection;
S1611: report the monitoring table.
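As an added illustration that is not code from the patent, the following Python sketches the retry-bounded reverse lookup of steps S153 to S155 (and S163 to S165) and the monitoring-table update of steps S157 to S159 (mode one, matching on the IP address) and S167 to S169 (mode two, matching on the domain name). The Entry row layout, the resolver callback, table_27() and the constructed times T1 to T3 are assumptions; T4 is whatever start time the caller passes in.

```python
"""Monitoring-table bookkeeping for modes one and two (added example, not the patent's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

MAX_AGE = timedelta(hours=24)   # the "predetermined value" in the text
MAX_TRIES = 3                   # the "predetermined number" of DNS attempts
HOUR = timedelta(hours=1)


@dataclass
class Entry:                    # one row of the monitoring table (assumed layout)
    ips: List[str]              # CCIp column; several IPs may share a row (table 29)
    domains: List[str]          # CCDomain column; several domains may share a row (table 23)
    inserted: datetime          # InsertTime column


# Constructed stand-ins for T1..T3 of the text.
T1, T2, T3 = (datetime(2024, 1, 1, h) for h in (0, 1, 2))


def table_27() -> List[Entry]:
    """The preset monitoring table 27 of mode two, with constructed times."""
    return [Entry(["IP1"], ["D1"], T1), Entry(["IP2"], ["D2"], T2),
            Entry(["IP3"], ["D3"], T3)]


def reverse_lookup(ip: str, resolver: Callable[[str], Optional[str]],
                   tries: int = MAX_TRIES) -> Optional[str]:
    """S153-S155: query up to `tries` times; None means give up (S1510)."""
    for _ in range(tries):
        domain = resolver(ip)        # resolver returns None when no answer arrives
        if domain is not None:
            return domain
    return None


def update_table(table: List[Entry], ip: str, domain: str, now: datetime,
                 key: str = "ip", max_age: timedelta = MAX_AGE) -> List[Entry]:
    """S157-S159 when key="ip" (mode one); S167-S169 when key="domain" (mode two)."""
    for entry in table:
        hit = ip in entry.ips if key == "ip" else domain in entry.domains
        if hit:
            # S158/S168: complete the row, keeping InsertTime unless it is stale.
            if domain not in entry.domains:
                entry.domains.append(domain)
            if ip not in entry.ips:
                entry.ips.append(ip)
            if now - entry.inserted > max_age:
                entry.inserted = now      # T3 replaced by T4 (tables 23/24, 30)
            return table
    table.append(Entry([ip], [domain], now))  # S159/S169: brand-new row
    return table
```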
Corresponding to detection sub-method two above, and referring to Figure 17, an embodiment of the present invention also discloses a method of monitoring a botnet, comprising the following steps:
S171: detect a botnet according to network messages and obtain the Internet Protocol (IP) address of the main control host in the botnet;
S172: send to the name server a DNS request message querying the domain name corresponding to the IP address;
S173: receive the DNS response message returned by the name server;
S174: parse the DNS response message and obtain from it the domain name corresponding to the IP address;
S175: obtain, according to network messages, information on the network devices connected to the main control host having the domain name, and determine that all network devices connected to the main control host having that domain name belong to the same botnet;
S176: determine the topology of the botnet according to that information;
S177: monitor the botnet according to the topology and the domain name.
It can be seen that, once the IP address of the main control host is detected, the embodiment queries the name server directly for the domain name corresponding to that IP address rather than waiting for the name server to return a DNS response message to a zombie host, which saves waiting time. Although the IP address of the main control host is likely to change each time it comes online, the domain name and the main control host are in a one-to-one relation, so a unique identifier of the main control host is obtained, which lays a good foundation for subsequent processing. In addition, the embodiment uses the domain name as the basis for monitoring, so the situation in which different IP addresses corresponding to the same main control host are mistakenly judged to be several botnets does not arise, which makes monitoring the botnet simpler.
To consume fewer detection resources, the current monitoring may be stopped once a predetermined period of time has elapsed since the start time of the current monitoring, or when no DNS response message has been received after the DNS request message has been sent the predetermined number of times.
Corresponding to the monitoring method above, an embodiment of the present invention also provides a system for monitoring a botnet; referring to Figure 18, the system comprises a foreground system 181 and a background system 182.
The foreground system 181 comprises a detecting unit 183 and a first acquiring unit 184, and the first acquiring unit 184 comprises a sending subunit 185, a receiving subunit 186 and a parsing subunit 187:
The detecting unit 183 is configured to detect a botnet according to network messages and obtain the IP address of the main control host in the botnet;
The sending subunit 185 is configured to send to the name server a DNS request message querying the domain name corresponding to the IP address;
The receiving subunit 186 is configured to receive the DNS response message returned by the name server;
The parsing subunit 187 is configured to parse the DNS response message and obtain from it the domain name corresponding to the IP address;
The background system 182 comprises:
A second acquiring unit 188, configured to obtain, according to network messages, information on the network devices connected to the main control host having the domain name;
A determining unit 189, configured to determine the topology of the botnet according to that information;
A monitoring unit 1810, configured to monitor the botnet according to the topology and the domain name.
Corresponding to the monitoring method above, and referring to Figure 19, an embodiment of the present invention also provides a network monitoring device 191, which comprises:
A detecting unit 192, configured to detect a botnet according to network messages and obtain the IP address of the main control host in the botnet;
A sending subunit 193, configured to send to the name server a DNS request message querying the domain name corresponding to the IP address;
A receiving subunit 194, configured to receive the DNS response message returned by the name server;
A parsing subunit 195, configured to parse the DNS response message and obtain from it the domain name corresponding to the IP address;
A second acquiring unit 196, configured to obtain, according to network messages, information on the network devices connected to the main control host having the domain name;
A determining unit 197, configured to determine the topology of the botnet according to that information;
A monitoring unit 198, configured to monitor the botnet according to the topology and the domain name. In other embodiments, the network monitoring device 191 may further comprise a stopping unit and a storage unit, wherein the stopping unit is configured to stop the current monitoring once a predetermined period of time has elapsed since the start time of the current monitoring, and the storage unit is configured to store any one or any combination of the domain name, the IP address and the start time of the current monitoring.
In a specific implementation, the network monitoring device 191 may be a DPI device, a gateway device or any other network device able to realize the functions above.
Corresponding to the method of detecting the domain name of the main control host in a botnet above, an embodiment of the present invention also provides a system for detecting the domain name of the main control host in a botnet. The system has the network device of any of the embodiments above and a name server, wherein:
The network device is configured to detect a botnet according to network messages, obtain the Internet Protocol (IP) address of the main control host in the botnet, and obtain and parse the DNS response message returned by the name server for the Domain Name Service (DNS) request message querying the IP address or the domain name, obtaining from it the domain name corresponding to the IP address;
The name server is configured to receive the DNS request message querying the IP address or the domain name and return the DNS response message.
Corresponding to the method of detecting the domain name of the main control host in a botnet above, an embodiment of the present invention also provides another system for detecting the domain name of the main control host in a botnet; referring to Figure 20, the system comprises a DPI device 201 and a gateway device 202, the DPI device 201 comprises a detecting unit 203, and the gateway device 202 comprises a first acquiring unit 204, wherein:
The detecting unit 203 is configured to detect a botnet according to network messages and obtain the IP address of the main control host in the botnet;
The first acquiring unit 204 is configured to obtain and parse the DNS response message returned by the name server for the DNS request message querying the IP address or the domain name, and obtain from it the domain name corresponding to the IP address.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts the embodiments have in common, reference may be made between them. Since the devices disclosed in the embodiments correspond to the methods disclosed in the embodiments, their description is relatively brief, and for the relevant parts reference may be made to the description of the methods.
Those of ordinary skill in the art will appreciate that all or part of the flows in the methods of the embodiments above may be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may comprise the flows of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.