CN101800746B - Method, device and system for detecting domain name of control host machine in botnets - Google Patents

Publication number: CN101800746B (application number CN201010109069XA; other version CN101800746A)
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 蒋武
Original assignee (applicant): Huawei Symantec Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Legal status: Active (granted)
Prior art keywords: domain name, botnet, address, main control, control system
Classification (landscapes): Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract

The embodiments of the invention disclose a method, a device and a system for detecting the domain name of a control host in a botnet, aiming to solve the problem that the identifier obtained for the control host is not unique because the IP address of the control host changes frequently. The method for detecting the domain name of a control host in a botnet comprises the steps of: detecting a botnet according to network messages and obtaining the IP address of the control host in the botnet; and obtaining and parsing a DNS response message returned by a domain name server for a domain name service (DNS) request message that queries an IP address or a domain name, and obtaining from the DNS response message the domain name corresponding to the IP address. Because the domain-name information of the control host is not changed, the domain name stays the same even though the IP address of the control host may change, i.e. the domain name and the control host are in a one-to-one relationship. Therefore a unique identifier of the control host can be obtained, which lays a good basis for subsequent processing.

Description

Method, device and system for detecting the domain name of a control host in a botnet
Technical field
The present invention relates to the technical field of network communication security, and more particularly to a method, device and system for detecting the domain name of a control host in a botnet.
Background art
A botnet is a network of one-to-many control formed between a controller (the control host) and infected hosts (the zombie hosts) by using one or more means of propagation to infect a large number of hosts with Bot (zombie tool) programs.
The control host usually controls the zombie hosts using a dynamic IP address, so the IP address of the control host changes frequently. To make it easy for the zombie hosts to find it, the Bot program usually carries the domain-name information of the control host. In general, each time a zombie host comes online it places the domain name of the control host in a domain name service (DNS) request message and sends it to a name server to query the IP address corresponding to that domain name (this message is an IP-address-query DNS request sent to the name server); the name server places the IP address corresponding to the domain name in a DNS response message and returns it (so the DNS response message also records the IP address and the domain-name information); the zombie host can then communicate with the control host according to the IP address in the DNS response message and send various IP packets. In addition, a domain-name-query DNS request can also be sent to the name server to reverse-look up the domain name corresponding to an IP address.
Network messages of existing networks can currently be inspected by DPI (Deep Packet Inspection) technology. However, in the course of implementing the invention, the inventor found that DPI technology often only discovers the IP address and port of the control host, and since the IP address of the control host may change each time it comes online, different IP addresses may correspond to the same control host, i.e. IP address and control host may be in a many-to-one relationship, so the identifier obtained for the control host is not unique.
Summary of the invention
In view of this, the embodiments of the present invention aim to provide a method, device and system for detecting the domain name of a control host in a botnet, to solve the problem that the identifier obtained for the control host is not unique because its IP address changes frequently.
To achieve the above object, the invention provides the following technical solution:
A method for detecting the domain name of a control host in a botnet comprises:
detecting a botnet according to network messages, and obtaining the Internet Protocol (IP) address of the control host in the botnet;
looking up, in the network messages, a DNS response message of a name server, the DNS response message being returned for an IP-address-query DNS request message of a zombie host in the botnet; and parsing the DNS response message to obtain therefrom the domain name corresponding to the IP address.
A network device comprises:
a detecting unit, for detecting a botnet according to network messages and obtaining the IP address of the control host in the botnet;
a first acquiring unit, for obtaining and parsing a DNS response message of a name server and obtaining from the DNS response message the domain name corresponding to the IP address;
the first acquiring unit comprises:
a lookup subunit, for looking up in the network messages a DNS response message of the name server, the DNS response message being returned for an IP-address-query DNS request message of a zombie host in the botnet;
a parsing subunit, for parsing the DNS response message and obtaining therefrom the domain name corresponding to the IP address.
A system for detecting the domain name of a control host in a botnet has a network device and a name server, wherein:
the network device is used for detecting a botnet according to network messages, obtaining the IP address of the control host of the botnet, looking up in the network messages a DNS response message of the name server, the DNS response message being returned for an IP-address-query DNS request message of a zombie host in the botnet, and parsing the DNS response message to obtain therefrom the domain name corresponding to the IP address;
the name server is used for receiving IP-address-query or domain-name-query DNS request messages and returning DNS response messages.
A system for detecting the domain name of a control host in a botnet comprises a deep packet inspection (DPI) device and a gateway device, the DPI device comprising a detecting unit and the gateway device comprising a first acquiring unit, wherein:
the detecting unit is used for detecting a botnet according to network messages, obtaining the IP address of the control host in the botnet and sending it to the first acquiring unit;
the first acquiring unit is used for looking up in the network messages a DNS response message of a name server and parsing the DNS response message to obtain therefrom the domain name corresponding to the IP address, wherein the DNS response message is returned for an IP-address-query DNS request message of a zombie host in the botnet.
It can be seen that the method for detecting the domain name of a control host in a botnet provided by the above technical solution can, after detecting the IP address of the control host, obtain the domain name corresponding to that IP address from the DNS response message returned by the name server. Because the domain-name information of the control host is constant, its domain name does not change even though its IP address may change each time it comes online; that is, domain name and control host are in a one-to-one relationship, so a unique identifier of the control host can be obtained, laying a good basis for subsequent processing.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the basic structure of a botnet provided by an embodiment of the present invention;
Fig. 2 is a flow chart of a zombie host accessing the control host provided by an embodiment of the present invention;
Fig. 3 is a flow chart of the method for detecting the domain name of a control host in a botnet provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a network device provided by an embodiment of the present invention;
Fig. 5 is another schematic structural diagram of a network device provided by an embodiment of the present invention;
Fig. 6 is a flow chart of domain name detection sub-method one provided by an embodiment of the present invention;
Fig. 7 is a further schematic structural diagram of a network device provided by an embodiment of the present invention;
Fig. 8 is a flow chart of a method for detecting the domain name of a control host using a monitoring table provided by an embodiment of the present invention;
Fig. 9 is another flow chart of a method for detecting the domain name of a control host using a monitoring table provided by an embodiment of the present invention;
Fig. 10 is a flow chart of a method for monitoring a botnet provided by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a system for monitoring a botnet provided by an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of a network monitoring device provided by an embodiment of the present invention;
Fig. 13 is a flow chart of domain name detection sub-method two provided by an embodiment of the present invention;
Fig. 14 is a further schematic structural diagram of a network device provided by an embodiment of the present invention;
Fig. 15 is a further flow chart of a method for detecting the domain name of a control host in a botnet using a monitoring table provided by an embodiment of the present invention;
Fig. 16 is a further flow chart of a method for detecting the domain name of a control host in a botnet using a monitoring table provided by an embodiment of the present invention;
Fig. 17 is another flow chart of a method for monitoring a botnet provided by an embodiment of the present invention;
Fig. 18 is another schematic structural diagram of a system for monitoring a botnet provided by an embodiment of the present invention;
Fig. 19 is another schematic structural diagram of a network monitoring device provided by an embodiment of the present invention;
Fig. 20 is a schematic structural diagram of a system for detecting the domain name of a control host in a botnet provided by an embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
For ease of reference and understanding, the technical terms, shorthand and abbreviations used below are summarised and explained as follows:
DDOS, Distributed Denial of Service, distributed denial-of-service attack;
Bot, robot, zombie tool: a Bot is a program that can automatically perform predefined functions, can be remotely controlled by predefined commands, and has a certain degree of artificial intelligence;
Zombie, zombie host: a computer containing a Bot or other remote-control program that can be remotely controlled by the attacker;
Botnet: a network of one-to-many control formed between a controller and infected hosts (the zombie hosts) by using one or more means of propagation to infect a large number of hosts with Bot programs;
IP, Internet Protocol;
DPI, Deep Packet Inspection: the word "deep" is relative to the ordinary level of packet analysis. "Ordinary packet inspection" analyses only the contents of the IP packet below layer 4 (source address, destination address, source port, destination port and protocol type), whereas DPI adds application-layer analysis on top of that, identifying the various applications and their content. At present DPI can be divided into two modes, single-packet matching and multi-packet matching: most IP packets can be detected from the characteristics of the network message in a single packet, the conventional method being to traverse a rule tree and match the message against each rule in turn; for some IP packets accurate detection cannot rely on a single message, and several messages of one flow must be analysed together;
DN, Domain Name: a domain name is the name of a computer or group of computers on the Internet, used to identify its electronic address (and sometimes its geographical location) during data transfer;
DNS, Domain Name Service, domain name service;
DNS, Domain Name System: a computer or group of computers can be identified either by a domain name or by an IP address. Users prefer domain names, which are easy to remember, whereas routers use only fixed-length, hierarchically structured IP addresses. To reconcile these two demands a directory service that translates between domain names and IP addresses is needed, and that is the main task of the DNS;
DNS, Domain Name Server: a name server is a host on which the DNS is installed.
A botnet forms an attack platform whose basic network topology is shown in Fig. 1. Using this platform an attacker can effectively launch various attacks, which can cause the whole basic information network or important application systems to collapse, cause large amounts of secrets or personal privacy to be leaked, and be used for other illegal activities such as network fraud. DDOS, sending spam, stealing secrets and abusing resources are attacks already known to be launched using botnets, and these behaviours have caused serious harm to the whole network and to users themselves. As new attack types appear in the future, botnets may also be used to launch new, unknown attacks. Exploring effective botnet detection and monitoring methods is therefore very important.
As already described, the Bot program usually carries the domain-name information of the control host. Referring to Fig. 2, the inventor finds that in general, each time a zombie host comes online it sends an IP-address-query DNS request message to the name server; the name server places the IP address corresponding to that domain name in a DNS response message and returns it; the zombie host can then communicate with the control host according to the IP address in the DNS response message and send various IP packets.
The inventor also finds that the domain-name information of the control host does not change easily. Once it is changed, the zombies can no longer find the control host using the old domain-name information carried in their Bot. Even if the control host could distribute the new domain-name information to the zombie hosts before changing the domain name, there is no guarantee that all zombies are online when the control host sends this information, so there is a risk of losing part of the zombie population. These factors determine that the domain name of the control host is not changed easily, and the embodiments of the present invention are designed on the basis of these characteristics.
Fig. 3 shows a method for detecting the domain name of a control host in a botnet provided by an embodiment of the present invention; the method comprises at least the following steps:
S31, detect a botnet according to network messages, and obtain the IP address of the control host in this botnet;
S32, obtain and parse the DNS response message returned by the name server for an IP-address-query or domain-name-query DNS request message, and obtain therefrom the domain name corresponding to the IP address.
For ease of understanding, the DNS request message and the DNS response message are briefly introduced here. Both are network messages (for convenience, both are referred to below as DNS messages), and each consists of a 12-byte header followed by four variable-length fields (the question, answer, authority and additional-information fields). The general format is shown in the following table:
Table 1: general format of a DNS message (12-byte header followed by the variable-length question, answer, authority and additional-information fields; the table was rendered as an image in the original)
The question field consists mainly of the question name, the question type and the query class:
The question name is normally the name to be looked up, a sequence of one or more labels. Each label begins with a count byte giving the length of the label that follows; each name ends with a final byte of 0, and a label of length 0 is the root label. Each label is at most 63 bytes long, the whole query name may be of any length, and no padding characters are needed. For example, the domain name www.heike.com is expressed as [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0], and the name 44.33.88.123.in-addr.arpa is expressed as [2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0];
The question type is in general the type of query: querying an IP address by domain name (a DNS request message of this type is an IP-address-query DNS request message), or querying a domain name by IP address (a DNS request message of this type is a domain-name-query DNS request message);
The query class is usually 1, meaning an Internet address.
The answer field of a DNS message records the answer given to the above question field: when the question name is a domain name (querying an IP address by domain name), the answer field records the IP address corresponding to that domain name, and when the question name is an IP address (reverse-looking up a domain name by IP address), the answer field records the domain name corresponding to that IP address.
It is understood that the answer field of a DNS request message is generally empty, while neither the question field nor the answer field of a DNS response message is empty; in other words, the DNS response message reflects the correspondence between IP address and domain name.
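As an added illustration that is not code from the patent, the following Python builds the two kinds of DNS response described above from the page's sample names (www.heike.com and 44.33.88.123.in-addr.arpa) and parses them back into (IP address, domain name) pairs; the message construction, the compression-pointer handling and the control host IP 123.88.33.44 are assumptions made for the example.

```python
import ipaddress
import struct

QTYPE_A = 1      # forward lookup: domain name -> IP address (the page's IP-address query)
QTYPE_PTR = 12   # reverse lookup: IP address -> domain name (the page's domain-name query)
QR_BIT = 0x8000  # set in the flags word of a response, clear in a request


def encode_name(name):
    """Encode a name as length-prefixed labels ending in a 0 byte, e.g.
    'www.heike.com' -> [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] as in the description."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:           # a label is at most 63 bytes and never empty
            raise ValueError("bad label length in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)                             # root label terminates the name
    return bytes(out)


def decode_name(msg, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just after the name in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = offset + 2              # the pointer itself occupies 2 bytes
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                     # defensive: a pointer loop must not hang the parser
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_response(txid, qname, qtype, rdata, ttl=300):
    """Constructed sample (assumption, not page code): header + one question +
    one answer whose NAME is a pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def extract_ip_domain_pairs(msg):
    """Parse a DNS message and return the (ip, domain) pairs its answer field
    records; a request (QR bit clear) carries no answers and yields []."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR_BIT:
        return []
    off = 12
    for _ in range(qdcount):                  # skip the question field
        _, off = decode_name(msg, off)
        off += 4                              # question type + query class
    pairs = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_start, off = off, off + rdlen
        if rtype == QTYPE_A and rdlen == 4:   # answer is the IPv4 address of the name
            ip = str(ipaddress.IPv4Address(msg[rdata_start:off]))
            pairs.append((ip, name))
        elif rtype == QTYPE_PTR and name.endswith(".in-addr.arpa"):
            # question name 44.33.88.123.in-addr.arpa encodes the IP 123.88.33.44
            octets = name[:-len(".in-addr.arpa")].split(".")
            domain, _ = decode_name(msg, rdata_start)
            pairs.append((".".join(reversed(octets)), domain))
    return pairs


def domains_for_control_host(msg, cc_ip):
    """Step S32 for one message: given the control host IP found by DPI,
    return the domain names this response maps to it."""
    return [domain for ip, domain in extract_ip_domain_pairs(msg) if ip == cc_ip]


if __name__ == "__main__":
    cc_ip = "123.88.33.44"                    # constructed sample control host IP
    forward = build_response(0x1234, "www.heike.com", QTYPE_A,
                             ipaddress.IPv4Address(cc_ip).packed)
    reverse = build_response(0x1235, ipaddress.ip_address(cc_ip).reverse_pointer,
                             QTYPE_PTR, encode_name("www.heike.com"))
    print(domains_for_control_host(forward, cc_ip))   # ['www.heike.com']
    print(domains_for_control_host(reverse, cc_ip))   # ['www.heike.com']
```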
Step S32 uses this characteristic of the DNS response message to obtain the domain name corresponding to the IP address of the control host from the DNS response message returned by the name server.
Because the domain-name information of the control host is constant, its domain name does not change even though its IP address may change each time it comes online; that is, domain name and control host are in a one-to-one relationship, so a unique identifier of the control host can be obtained, laying a good basis for subsequent processing. For example, the domain name of the control host of the botnet can be blocked, so as to prevent other computers from joining the botnet more directly and quickly.
In another embodiment of the present invention, the above detection method may further comprise the steps of:
obtaining, according to the network messages, information on the network devices connected to the control host having the domain name;
determining the topology of the botnet according to that information.
Once the topology of the botnet has been determined, the botnet can be monitored, or even counter-controlled, according to that topology.
Corresponding to the above method for detecting the domain name of a control host in a botnet, an embodiment of the present invention also provides a network device. Fig. 4 shows one structure of this network device 401, comprising:
a detecting unit 402, for detecting a botnet according to network messages and obtaining the IP address of the control host in the botnet;
a first acquiring unit 403, for obtaining and parsing the DNS response message returned by the name server for an IP-address-query or domain-name-query DNS request message, and obtaining therefrom the domain name corresponding to the IP address.
In another embodiment of the present invention, the above network device may further comprise a second acquiring unit and a determining unit, wherein the second acquiring unit is used for obtaining, according to the network messages, information on the network devices connected to the control host having the domain name, and the determining unit is used for determining the topology of the botnet according to that information.
In another embodiment of the present invention, referring to Fig. 5, the above network device 401 may further comprise an aging unit 501 and a memory unit 502, wherein:
the aging unit 501 is for aging out the current detection after the above domain name has been obtained, or when no domain name has been obtained after a predetermined period past the start time of the current detection;
the memory unit 502 is for storing any one or any combination of the above domain name, IP address and start time.
In addition, the aging unit 501 and/or the memory unit 502 may also be independent of the detecting unit 402 and the first acquiring unit 403; this is not repeated here.
Any one or any combination of the above domain name, IP address and start time may be recorded in a preset monitoring table, Word document, board, etc. and stored in the memory unit 502.
Since DNS request messages are divided into two types, IP-address queries and domain-name queries, the above domain name detection method can be divided into two sub-methods, which are introduced separately below:
Domain name detection sub-method one:
Referring to Fig. 6, domain name detection sub-method one comprises at least the following steps:
S61, detect a botnet according to network messages, and obtain the IP address of the control host in the botnet;
S62, look up in the network messages the DNS response message returned by the name server for an IP-address-query DNS request message of a zombie host in the botnet;
S63, parse the DNS response message and obtain therefrom the domain name corresponding to the IP address.
In another embodiment of the present invention, referring to Fig. 6, the above detection method may further comprise the steps of:
S64, obtain, according to the network messages, information on the network devices connected to the control host having the domain name;
S65, determine the topology of the botnet according to that information.
In general the DNS records held by each host age out naturally, so as long as a host does not go offline it sends DNS request messages to the DNS at intervals and the DNS returns DNS response messages; that is, the IP packets generally always include DNS response messages. Sometimes, however, for various reasons, no DNS response message returned by the name server for the IP-address-query DNS request of a zombie host of the botnet is found for a long time, and the domain name of the control host cannot be obtained. In this case, to consume fewer detection resources, the current detection can be aged out when no domain name has been obtained after a predetermined period past the start time of the current detection. Of course, the current detection may also be aged out after the domain name has been obtained.
Corresponding to domain name detection sub-method one, referring to Fig. 7, an embodiment of the present invention also provides a network device 701 comprising a detecting unit 702 and a first acquiring unit 703, the first acquiring unit 703 in turn comprising a lookup subunit 704 and a parsing subunit 705, wherein:
the detecting unit 702 is for detecting a botnet according to network messages and obtaining the IP address of the control host in the botnet;
the lookup subunit 704 is for looking up in the network messages the DNS response message returned by the name server for an IP-address-query DNS request message of a zombie host in the botnet;
the parsing subunit 705 is for parsing the DNS response message and obtaining therefrom the domain name corresponding to the IP address.
In other embodiments of the invention, the network device 701 may further comprise a second acquiring unit and a determining unit, wherein the second acquiring unit is for obtaining, according to the network messages, information on the network devices connected to the control host having the domain name, and the determining unit is for determining the topology of the botnet according to that information.
The above network device may further comprise an aging unit and a memory unit, wherein the aging unit is for aging out the current detection after the domain name has been obtained or the topology of the botnet has been determined, or when neither the domain name has been obtained nor the topology determined after a predetermined period past the start time of the current detection; the memory unit is for storing any one or any combination of the domain name, IP address and start time.
In a specific implementation, the functions of the network device 701 may be realised by a DPI device, a gateway device or another network device, which may be deployed inline on the network path or as a bypass. Network messages may be obtained by prior-art means such as packet capture.
As described above, any one or any combination of the domain name, IP address and start time may be recorded in a preset monitoring table. In embodiments of the present invention there are various ways of using the preset monitoring table to detect the domain name of the control host of a given botnet; the different modes are described in detail below:
Mode one:
Referring to Fig. 8, the detection process comprises the following steps:
S81, record the start time of the current detection in the preset monitoring table;
Suppose the preset monitoring table has the format of table 2 or table 3:
Table 2
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
Table 3
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3               T3
Here the CCIp column records the IP address of the detected control host, the CCDomain column records the domain-name string corresponding to that IP address, and the InsertTime column records the time at which a given (or the current) detection was inserted, i.e. the start time of that detection.
After step S81 is completed, the monitoring table is updated to table 4 or table 5:
Table 4
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
                  T4
Table 5
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3               T3
                  T4
S82, obtain network messages;
S83, detect a botnet according to the network messages, and obtain the IP address of the control host in the botnet;
S84, look in the network messages for a DNS response message returned by the name server for an IP-address-query DNS request message of a zombie host in the botnet; if one is found, go to S86, otherwise go to S85;
S85, judge whether the current time has exceeded the start time of the current detection by the predetermined period (e.g. 24 hours); if so, go to step S810, otherwise return to step S82;
S86, parse the DNS response message;
S87, compare the IP address in the DNS response message with the IP addresses already recorded in the monitoring table, and judge whether an IP address in the monitoring table is the same as the IP address in the DNS response message; if so, go to step S88, otherwise go to step S89;
S88, complete the correspondence between the IP address and the domain name;
Suppose the correspondence between IP address and domain name in the DNS response message is IP3-D4. IP3 in the DNS response message is the same as IP3 in the preset monitoring table, and the time difference between T4 and T3 is not greater than the predetermined value (e.g. 24 hours), so T3 is retained and D4 is inserted in the CCDomain column of the IP3 row of the preset monitoring table, which is updated to table 6 or table 7:
Table 6
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3,D4      T3
Table 7
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D4         T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and D4 is inserted in the monitoring table, which is updated to table 8 or table 9:
Table 8
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3,D4      T4
Table 9
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D4         T4
S89, by the IP address in the DNS response message and domain name, insert respectively in monitoring form;
Suppose that in the DNS response message, the corresponding relation of IP address and domain name is IP4-D4, now, does not repeat the IP address of recording in the IP4 in the DNS response message and monitoring form, and IP4 and D4 are inserted respectively in monitoring form, and monitoring form is updated to table 10 or table 11:
Table 10
CCIp CCDomain InsertTime
IP1 D1 T1
IP2 D2 T2
IP3 D3 T3
IP4 D4 T4
Table 11
CCIp CCDomain InsertTime
IP1 D1 T1
IP2 D2 T2
IP3 T3
IP4 D4 T4
S810, aging current detection;
S811, report monitoring form.
Mode two:
Referring to Fig. 9, this mode comprises the following steps:
S91: record the start time of the current detection.
Suppose the preset monitoring table is as shown below:
Table 12
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
After step S91 is completed, the preset monitoring table is updated as follows; the new row holds only the start time T4 (a dash marks an empty cell):
Table 13
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
-      -          T4
S92: obtain network packets;
S93: detect the botnet from the network packets and obtain the IP address of the control host in the botnet;
S94: search the network packets for a DNS response that the name server returned to a DNS request by which a bot host in the botnet looked up that IP address; if such a response is found, go to S96, otherwise go to S95;
S95: judge whether the predetermined period (for example 24 hours) counted from the start time of the current detection has now elapsed; if so, go to S910, otherwise return to S92;
S96: parse the DNS response;
S97: compare the domain name in the DNS response with the domain names already recorded in the monitoring table, and judge whether the table already contains that domain name; if so, go to S98, otherwise go to S99;
S98: complete the correspondence between the IP address and the domain name.
Suppose the DNS response gives the correspondence IP4-D3. D3 in the response is already present in the monitoring table. If the difference between T4 and T3 is not greater than the predetermined value (for example 24 hours), T3 is retained and IP4 is added to the CCIp column of the D3 row, so the monitoring table becomes:
Table 14
CCIp       CCDomain   InsertTime
IP1        D1         T1
IP2        D2         T2
IP3,IP4    D3         T3
When the difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and IP4 is added to the CCIp column, so the monitoring table becomes:
Table 15
CCIp       CCDomain   InsertTime
IP1        D1         T1
IP2        D2         T2
IP3,IP4    D3         T4
S99: insert the IP address and the domain name from the DNS response into the monitoring table.
Suppose the DNS response gives the correspondence IP4-D4. D4 matches none of the domain names recorded in the table, so IP4 and D4 are inserted into the row that carries T4, and the monitoring table becomes:
Table 16
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
IP4    D4         T4
S910: age out the current detection;
S911: report the monitoring table.
Corresponding to detection submethod one above, and referring to Figure 10, an embodiment of the present invention also discloses a method for monitoring a botnet, comprising the following steps:
S101: detect the botnet from network packets and obtain the Internet Protocol (IP) address of the control host in the botnet;
S102: search the network packets for the DNS response that the name server returned to a DNS request by which a bot host in the botnet looked up that IP address;
S103: parse the DNS response and obtain from it the domain name corresponding to the IP address;
S104: obtain, from the network packets, information on the network devices connected to the control host having that domain name;
S105: determine the topology of the botnet from that information;
S106: monitor the botnet according to the topology and the domain name.
Because the domain name of the control host does not change, its domain name stays the same even though its IP address is likely to change each time it comes online; that is, the domain name and the control host are in a one-to-one relationship. A unique identifier of the control host can therefore be obtained, which lays a sound basis for subsequent processing. In addition, because this embodiment uses the domain name as the basis for monitoring, different IP addresses that correspond to the same control host are not mistaken for several botnets, which simplifies botnet monitoring.
To consume fewer monitoring resources, the current monitoring may be stopped once a predetermined period has elapsed since its start time. This covers two cases. When the predetermined period (for example 24 hours) has elapsed and the domain name has still not been obtained or the topology of the botnet has not been determined, the current monitoring may be stopped. Even when the domain name has been obtained or the topology has been determined, each monitoring run has a lifetime of its own for the sake of cost saving, and once it times out the current monitoring is likewise stopped.
Any one or any combination of the domain name, the IP address and the start time may be recorded in a preset monitoring table, a Word document, a board, etc.
Corresponding to the above monitoring method, an embodiment of the present invention also provides a system for monitoring a botnet. Referring to Figure 11, it comprises a front-end system 111 and a back-end system 112, where the front-end system 111 comprises:
Detecting unit 113, configured to detect the botnet from network packets and obtain the IP address of the control host in the botnet;
Search subunit 114, configured to search the network packets for the DNS response that the name server returned to a DNS request by which a bot host in the botnet looked up that IP address;
Parsing subunit 115, configured to parse the DNS response and obtain from it the domain name corresponding to the IP address.
The back-end system 112 comprises:
Second acquiring unit 116, configured to obtain, from network packets, information on the network devices connected to the control host having that domain name;
Determining unit 117, configured to determine the topology of the botnet from that information;
Monitoring unit 118, configured to monitor the botnet according to the topology and the domain name.
Corresponding to the above monitoring method, and referring to Figure 12, an embodiment of the present invention also provides a network monitoring device 121, which comprises:
Detecting unit 122, configured to detect the botnet from network packets and obtain the IP address of the control host in the botnet;
Search subunit 123, configured to search the network packets for the DNS response that the name server returned to a DNS request by which a bot host in the botnet looked up that IP address;
Parsing subunit 124, configured to parse the DNS response and obtain from it the domain name corresponding to the IP address;
Second acquiring unit 125, configured to obtain, from network packets, information on the network devices connected to the control host having that domain name;
Determining unit 126, configured to determine the topology of the botnet from that information;
Monitoring unit 127, configured to monitor the botnet according to the topology and the domain name.
In other embodiments, the network monitoring device 121 may further comprise a stopping unit and a storage unit: the stopping unit stops the current monitoring once a predetermined period has elapsed since its start time, and the storage unit stores any one or any combination of the domain name, the IP address and the start time of the current monitoring.
In a specific implementation, the network monitoring device 121 may be a DPI (deep packet inspection) device, a gateway device, or another network device capable of performing the above functions.
Domain name detection submethod two:
Referring to Figure 13, domain name detection submethod two comprises at least the following steps:
S131: detect the botnet from network packets and obtain the IP address of the control host in the botnet;
S132: send to the name server a DNS request querying the domain name corresponding to that IP address;
S133: receive the DNS response returned by the name server;
S134: parse the DNS response and obtain from it the domain name corresponding to the IP address.
Because the domain name of the control host does not change, its domain name stays the same even though its IP address is likely to change each time it comes online; that is, the domain name and the control host are in a one-to-one relationship. A unique identifier of the control host can therefore be obtained, which lays a sound basis for subsequent processing. In addition, since this embodiment queries the name server directly for the domain name corresponding to the IP address as soon as the control host's IP address has been detected, instead of waiting for the name server to return a DNS response to a bot host, the method of this embodiment also saves time in the case where no DNS response to a bot host in the botnet can be found for a long while.
In another embodiment of the present invention, domain name detection submethod two may further comprise the following steps:
obtaining, from network packets, information on the network devices connected to the control host having that domain name;
determining the topology of the botnet from that information.
To consume fewer detection resources, the above method may age out the current detection once the domain name has been obtained. It may likewise age out the current detection when the domain name has still not been obtained after a predetermined period from the start time of the current detection.
Any one or any combination of the domain name, the IP address and the start time may be recorded in a preset monitoring table, a Word document, a board, etc.
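The two ways of obtaining the domain name described above, submethod one (searching the traffic for the DNS response that carries the control host's IP address, S102/S103) and submethod two (sending the name server a request for the domain name corresponding to the IP address and resending it up to the predetermined number of times, S132 and S153-S156), as an added example in Python. It is not part of the patent or of any Huawei code. The wire-format messages, the address 203.0.113.10 and the names c2.example.net and www.example.org are constructed test data; `send` stands in for the UDP transport to the name server, which the description does not specify.

```python
"""Recover the C&C domain of a detected control-host IP (added example, not the
patent's code): submethod one matches A answers the bots received against the
detected IP; submethod two actively queries the IP's PTR record, resending up to
three times.  All wire messages, addresses and domain names are constructed."""
import struct

A, PTR = 1, 12                                       # DNS record types used here


def _read_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers (RFC 1035)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 2-byte pointer: name continues elsewhere
            end = end or off + 2                     # wire layout of this name ends here
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg):
    """Return (qname, [(owner, rtype, rdata)]) of a response; A/PTR rdata decoded."""
    _, flags, qd, an = struct.unpack_from("!HHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off, qname = 12, None
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                     # skip QTYPE, QCLASS
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)   # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == A:
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == PTR:
            rdata, _ = _read_name(msg, off)          # PTR target may use pointers too
        off += rdlen
        answers.append((owner, rtype, rdata))
    return qname, answers


def passive_domains(responses, cc_ips):
    """Submethod one (S102/S103): A answers on the wire whose address is a detected
    control-host IP give that IP's domain name(s)."""
    found = {}
    for msg in responses:
        for owner, rtype, rdata in parse_answers(msg)[1]:
            if rtype == A and rdata in cc_ips:
                found.setdefault(rdata, set()).add(owner)
    return found


def reverse_name(ip):
    """Reverse-lookup name of an IPv4 address, e.g. 10.113.0.203.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_ptr_query(txid, ip):
    """Submethod two (S132/S153): the DNS request asking which domain `ip` maps to."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # RD set, one question
    return header + _encode_name(reverse_name(ip)) + struct.pack("!HH", PTR, 1)


def active_domain(ip, send, max_tries=3, txid=0x1234):
    """Submethod two (S153-S156): `send(query)` returns the response bytes or None on
    timeout; resend up to `max_tries` times (3 in the description), else return None."""
    query = build_ptr_query(txid, ip)
    for _ in range(max_tries):
        resp = send(query)
        if resp is None or struct.unpack_from("!H", resp)[0] != txid:
            continue                                 # timeout or foreign transaction id
        for owner, rtype, rdata in parse_answers(resp)[1]:
            if rtype == PTR and owner == reverse_name(ip):
                return rdata
    return None


def build_response(txid, qname, qtype, rrs):
    """Constructed test data: a response whose answers `rrs` = [(rtype, rdata_bytes)]
    are owned by qname (0xC00C is a pointer to the question name)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


CC_IPS = {"203.0.113.10"}                            # assumed IP obtained in S101 / S131
SAMPLE_RESPONSES = [                                 # constructed answers seen by the DPI device
    build_response(1, "c2.example.net", A, [(A, bytes([203, 0, 113, 10]))]),
    build_response(2, "www.example.org", A, [(A, bytes([198, 51, 100, 7]))]),
]
SAMPLE_PTR = build_response(0x1234, reverse_name("203.0.113.10"), PTR,
                            [(PTR, _encode_name("c2.example.net"))])


def flaky_transport(timeouts, response):
    """Simulated name server: `timeouts` silent tries, then `response` every time."""
    replies = iter([None] * timeouts)
    return lambda query: next(replies, response)
```

The passive path recovers the name the bots actually resolved; the active path returns whatever PTR record the owner of the address's reverse zone has published, which may be a hosting provider's generic name or nothing at all, so a PTR answer corroborates rather than replaces the name seen in traffic. The transaction-id check keeps a late reply to an earlier retry from being accepted as the answer to the current one.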
Corresponding to domain name detection submethod two above, and referring to Figure 14, an embodiment of the present invention also provides a network device 141, which comprises a detecting unit 142 and a first acquiring unit 143; the first acquiring unit 143 in turn comprises a sending subunit 144, a receiving subunit 145 and a parsing subunit 146, where:
Detecting unit 142 is configured to detect the botnet from network packets and obtain the IP address of the control host in the botnet;
Sending subunit 144 is configured to send to the name server a DNS request querying the domain name corresponding to that IP address;
Receiving subunit 145 is configured to receive the DNS response returned by the name server;
Parsing subunit 146 is configured to parse the DNS response and obtain from it the domain name corresponding to the IP address. In a specific implementation, the network device 141 or the first acquiring unit 143 may rely on a built-in reverse domain-name lookup facility to obtain from the name server, by reverse lookup of the IP address, the domain name corresponding to it.
In other embodiments of the present invention, the network device 141 may further comprise a second acquiring unit and a determining unit, where the second acquiring unit is configured to obtain, from network packets, information on the network devices connected to the control host having that domain name, and the determining unit is configured to determine the topology of the botnet from that information.
In different embodiments of the present invention, detecting the domain name of the control host in the botnet with a preset monitoring table may take various forms; the embodiments are described in detail below in conjunction with these forms:
Mode one:
Referring to Figure 15, this mode comprises the following steps:
S151: record the start time of the current detection.
Suppose the preset monitoring table is Table 17 or Table 18 (a dash marks an empty cell):
Table 17
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
Table 18
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    -          T3
After step S151 is completed, the preset monitoring table is updated to Table 19 or Table 20; the new row holds only the start time T4:
Table 19
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
-      -          T4
Table 20
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    -          T3
-      -          T4
S152: detect the botnet from network packets and obtain the IP address of the control host in the botnet;
S153: send to the name server a DNS request querying the domain name corresponding to that IP address;
S154: judge whether a DNS response returned by the name server has been received; if so, go to S156, otherwise go to S155;
S155: judge whether the number of times the DNS request has been sent exceeds a predetermined number (for example 3); if so, go to S1510, otherwise return to S153;
S156: parse the DNS response returned by the name server and obtain from it the domain name corresponding to the IP address;
S157: compare the IP address in the DNS response with the IP addresses already recorded in the monitoring table, and judge whether the table already contains that IP address; if so, go to S158, otherwise go to S159;
S158: complete the correspondence between the IP address and the domain name.
Suppose the DNS response gives the correspondence IP3-D4. IP3 in the response is already present in the monitoring table. If the difference between T4 and T3 is not greater than the predetermined value (for example 24 hours), T3 is retained and D4 is written into the CCDomain column of the IP3 row, so the monitoring table becomes Table 21 (from Table 19) or Table 22 (from Table 20):
Table 21
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3,D4      T3
Table 22
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D4         T3
When the difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and D4 is written into the CCDomain column of the IP3 row, so the monitoring table becomes Table 23 or Table 24:
Table 23
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3,D4      T4
Table 24
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D4         T4
S159: insert the IP address and the domain name from the DNS response into the monitoring table.
Suppose the DNS response gives the correspondence IP4-D4. IP4 matches none of the IP addresses recorded in the table, so IP4 and D4 are inserted into the row that carries T4, and the monitoring table becomes Table 25 (from Table 19) or Table 26 (from Table 20):
Table 25
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
IP4    D4         T4
Table 26
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    -          T3
IP4    D4         T4
S1510: age out the current detection;
S1511: report the monitoring table.
Mode two:
Referring to Figure 16, this mode comprises the following steps:
S161: record the start time of the current detection.
Suppose the preset monitoring table is Table 27:
Table 27
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
After step S161 is completed, the preset monitoring table is updated to Table 28; the new row holds only the start time T4 (a dash marks an empty cell):
Table 28
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
-      -          T4
S162: detect the botnet from network packets and obtain the IP address of the control host in the botnet;
S163: send to the name server a DNS request querying the domain name corresponding to that IP address;
S164: judge whether a DNS response returned by the name server has been received; if so, go to S166, otherwise go to S165;
S165: judge whether the number of times the DNS request has been sent exceeds a predetermined number (for example 3); if so, go to S1610, otherwise return to S163;
S166: parse the DNS response returned by the name server and obtain from it the domain name corresponding to the IP address;
S167: compare the domain name in the DNS response with the domain names already recorded in the monitoring table and judge whether they coincide; if so, go to S168, otherwise go to S169;
S168: complete the correspondence between the IP address and the domain name.
Suppose the DNS response gives the correspondence IP4-D3. D3 in the response is already present in the monitoring table. If the difference between T4 and T3 is not greater than the predetermined value (for example 24 hours), T3 is retained and IP4 is added to the CCIp column of the D3 row, so the monitoring table becomes:
Table 29
CCIp       CCDomain   InsertTime
IP1        D1         T1
IP2        D2         T2
IP3,IP4    D3         T3
When the difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and IP4 is added to the CCIp column, so the monitoring table becomes:
Table 30
CCIp       CCDomain   InsertTime
IP1        D1         T1
IP2        D2         T2
IP3,IP4    D3         T4
S169: insert the IP address and the domain name from the DNS response into the monitoring table.
Suppose the DNS response gives the correspondence IP4-D4. D4 matches none of the domain names recorded in the table, so IP4 and D4 are inserted into the row that carries T4, and the monitoring table becomes:
Table 31
CCIp   CCDomain   InsertTime
IP1    D1         T1
IP2    D2         T2
IP3    D3         T3
IP4    D4         T4
S1610: age out the current detection;
S1611: report the monitoring table.
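The table updates described for mode one and mode two, both here (Figures 15 and 16) and in the corresponding modes of submethod one (Figures 8 and 9), as an added example in Python that is not the patent's code. The columns CCIp, CCDomain and InsertTime, the placeholder row holding the start time, and the 24-hour threshold follow the description; the row model, the choice to append a second domain name (Table 21) rather than replace the first (Table 22), and the sample values are assumptions.

```python
"""Monitoring-table update shared by mode one (match on CCIp) and mode two (match
on CCDomain).  Added example, not the patent's code: the columns and the 24-hour
threshold come from the description; the row model and the sample values are
assumptions."""
from dataclasses import dataclass, field

WINDOW = 24 * 3600                                # predetermined value: 24 hours, in seconds


@dataclass
class Row:
    ips: list = field(default_factory=list)       # CCIp: one address, or several in mode two
    domains: list = field(default_factory=list)   # CCDomain: one name, or several in mode one
    insert_time: int = 0                          # InsertTime, seconds


def start_detection(table, now):
    """S81/S91/S151/S161: record the start time T4 as a row whose CCIp and CCDomain
    cells are still empty (the lone T4 row of Tables 4, 5, 13, 19, 20 and 28)."""
    table.append(Row(insert_time=now))
    return table


def record_mapping(table, ip, domain, now, mode="ip"):
    """Fold one IP-domain pair parsed from a DNS response into the table.
    mode "ip": match on CCIp and fill in the domain (S87-S89, S157-S159);
    mode "domain": match on CCDomain and fill in the address (S97-S99, S167-S169).
    A match not older than WINDOW keeps its InsertTime, an older one is stamped
    with `now`; with no match the pair takes over the start-time row."""
    matches = (lambda r: ip in r.ips) if mode == "ip" else (lambda r: domain in r.domains)
    pending = next((r for r in table if not r.ips and not r.domains), None)
    row = next((r for r in table if matches(r)), None)
    if row is None:                               # Tables 10, 11, 16, 25, 26, 31
        if pending is None:
            pending = Row(insert_time=now)
            table.append(pending)
        pending.ips, pending.domains = [ip], [domain]
        return pending
    if pending is not None:                       # the start-time row is consumed
        table.remove(pending)
    if now - row.insert_time > WINDOW:            # Tables 8, 9, 15, 23, 24, 30
        row.insert_time = now
    if domain not in row.domains:                 # Table 6 adds D4 beside D3; Table 7 fills the cell
        row.domains.append(domain)
    if ip not in row.ips:                         # Table 14: IP3 and IP4 share D3
        row.ips.append(ip)
    return row


def render(table):
    """S811/S911: the reported table, one line per row, empty cells shown as '-'."""
    lines = ["CCIp CCDomain InsertTime"]
    for r in table:
        lines.append(f"{','.join(r.ips) or '-'} {','.join(r.domains) or '-'} {r.insert_time}")
    return "\n".join(lines)


def sample_table():
    """Constructed starting state (Table 4 / Table 12 with assumed times T1..T3)."""
    return [Row(["IP1"], ["D1"], 1000), Row(["IP2"], ["D2"], 2000), Row(["IP3"], ["D3"], 3000)]


if __name__ == "__main__":
    t = start_detection(sample_table(), 3000 + 3600)              # T4 within 24 h of T3
    record_mapping(t, "IP3", "D4", 3000 + 3600, "ip")             # Table 6: D3,D4 keeps T3
    print(render(t))
    t = start_detection(sample_table(), 3000 + 30 * 3600)         # T4 more than 24 h after T3
    record_mapping(t, "IP4", "D3", 3000 + 30 * 3600, "domain")    # Table 15: IP3,IP4 takes T4
    print(render(t))
```

Matching on CCDomain (mode two) is what lets a control host that re-appears under a new address stay one row, which is the point of the description's one-to-one claim; matching on CCIp (mode one) instead accumulates several names for one address, which is the fast-flux shape the description does not discuss.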
Corresponding to detection submethod two above, and referring to Figure 17, an embodiment of the present invention also discloses a method for monitoring a botnet, comprising the following steps:
S171: detect the botnet from network packets and obtain the Internet Protocol (IP) address of the control host in the botnet;
S172: send to the name server a DNS request querying the domain name corresponding to that IP address;
S173: receive the DNS response returned by the name server;
S174: parse the DNS response and obtain from it the domain name corresponding to the IP address;
S175: obtain, from the network packets, information on the network devices connected to the control host having that domain name, and determine that all network devices connected to the control host having that domain name belong to the same botnet;
S176: determine the topology of the botnet from that information;
S177: monitor the botnet according to the topology and the domain name.
It can be seen that, once the IP address of the control host has been detected, this embodiment queries the name server directly for the domain name corresponding to that IP address instead of waiting for the name server to return a DNS response to a bot host, which saves the waiting time. Although the IP address of the control host is likely to change each time it comes online, the domain name and the control host are in a one-to-one relationship, so a unique identifier of the control host can be obtained, which lays a sound basis for subsequent processing. In addition, because this embodiment uses the domain name as the basis for monitoring, different IP addresses that correspond to the same control host are not mistaken for several botnets, which simplifies botnet monitoring.
To consume fewer detection resources, the current monitoring may be stopped once a predetermined period has elapsed since its start time, or when no DNS response has been received after the DNS request has been sent the predetermined number of times.
Corresponding to the above monitoring method, an embodiment of the present invention also provides a system for monitoring a botnet. Referring to Figure 18, the system comprises a front-end system 181 and a back-end system 182.
The front-end system 181 comprises a detecting unit 183 and a first acquiring unit 184; the first acquiring unit 184 comprises a sending subunit 185, a receiving subunit 186 and a parsing subunit 187:
Detecting unit 183, configured to detect the botnet from network packets and obtain the IP address of the control host in the botnet;
Sending subunit 185, configured to send to the name server a DNS request querying the domain name corresponding to that IP address;
Receiving subunit 186, configured to receive the DNS response returned by the name server;
Parsing subunit 187, configured to parse the DNS response and obtain from it the domain name corresponding to the IP address.
The back-end system 182 comprises:
Second acquiring unit 188, configured to obtain, from network packets, information on the network devices connected to the control host having that domain name;
Determining unit 189, configured to determine the topology of the botnet from that information;
Monitoring unit 1810, configured to monitor the botnet according to the topology and the domain name.
Corresponding to the above monitoring method, and referring to Figure 19, an embodiment of the present invention also provides a network monitoring device 191, which comprises:
Detecting unit 192, configured to detect the botnet from network packets and obtain the IP address of the control host in the botnet;
Sending subunit 193, configured to send to the name server a DNS request querying the domain name corresponding to that IP address;
Receiving subunit 194, configured to receive the DNS response returned by the name server;
Parsing subunit 195, configured to parse the DNS response and obtain from it the domain name corresponding to the IP address;
Second acquiring unit 196, configured to obtain, from network packets, information on the network devices connected to the control host having that domain name;
Determining unit 197, configured to determine the topology of the botnet from that information;
Monitoring unit 198, configured to monitor the botnet according to the topology and the domain name. In other embodiments, the network monitoring device 191 may further comprise a stopping unit and a storage unit: the stopping unit stops the current monitoring once a predetermined period has elapsed since its start time, and the storage unit stores any one or any combination of the domain name, the IP address and the start time of the current monitoring.
In a specific implementation, the network device 191 may be a DPI device, a gateway device, or another network device capable of performing the above functions.
Corresponding to the above method for detecting the domain name of the control host in a botnet, an embodiment of the present invention also provides a system for detecting the domain name of the control host in a botnet. The system has the network device of any of the above embodiments and a name server, where:
the network device is configured to detect the botnet from network packets, obtain the Internet Protocol (IP) address of the control host in the botnet, and obtain and parse the DNS response returned by the name server for a domain name service (DNS) request querying the IP address or the domain name, so as to obtain from it the domain name corresponding to the IP address;
the name server is configured to receive the DNS request querying the IP address or the domain name and return the DNS response.
Corresponding to the above method for detecting the domain name of the control host in a botnet, an embodiment of the present invention also provides another system for detecting the domain name of the control host in a botnet. Referring to Figure 20, this system comprises a DPI device 201 and a gateway device 202; the DPI device 201 comprises a detecting unit 203 and the gateway device 202 comprises a first acquiring unit 204, where:
Detecting unit 203 is configured to detect the botnet from network packets and obtain the IP address of the control host in the botnet;
First acquiring unit 204 is configured to obtain and parse the DNS response returned by the name server for a DNS request querying the IP address or the domain name, and obtain from it the domain name corresponding to the IP address.
It should be noted that the embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be understood by reference to one another. Since the devices disclosed in the embodiments correspond to the methods disclosed in the embodiments, their description is relatively brief, and the relevant parts may be understood by reference to the description of the methods.
A person of ordinary skill in the art will understand that all or part of the procedures of the above method embodiments may be carried out by a computer program instructing the related hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), etc.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. a method that detects main control system domain name in Botnet, is characterized in that, comprising:
In the network equipment or detection Botnet, the system of main control system domain name detects Botnet according to network message, and obtains the procotol IP address of main control system in described Botnet;
In the network equipment or detection Botnet, the system of main control system domain name is searched the DNS response message of name server from described network message, and described DNS response message returns for the IP address lookup DNS request message of corpse main frame in described Botnet;
In the network equipment or detection Botnet, the described DNS response message of system analysis of main control system domain name, therefrom obtain domain name corresponding to described IP address, usings domain name as unique described main control system sign;
After getting domain name, aging current detection, or, while after surpassing the time started predetermined amount of time of current detection, not getting domain name yet, aging current detection.
2. the method for claim 1, is characterized in that, also comprises:
In the network equipment or detection Botnet, the system of main control system domain name is obtained the information of the network equipment be connected with the main control system with domain name according to network message;
In the network equipment or detection Botnet, the system of main control system domain name is determined the topological structure of described Botnet according to described information.
3. a network equipment, is characterized in that, comprising:
Detecting unit, for according to network message, detecting Botnet, and the IP address that obtains main control system in described Botnet;
The first acquiring unit for obtaining and resolve the DNS response message of name server, obtains domain name corresponding to described IP address from described DNS response message, usings domain name as unique described main control system sign;
Aging unit, for after getting domain name, aging current detection, or, while after surpassing the time started predetermined amount of time of current detection, not getting domain name yet, aging current detection;
Described the first acquiring unit comprises:
Search subelement, for search the DNS response message of domain name server from described network message, described DNS response message returns for the IP address lookup DNS request message of corpse main frame in described Botnet;
a resolving sub-unit for parsing the DNS response message and obtaining from it the domain name corresponding to the IP address.
4. The device of claim 3, further comprising:
a second acquiring unit for obtaining, from network messages, information about the network devices connected to the control host that has the domain name; and
a determining unit for determining the topology of the botnet from that information.
5. A system for detecting the domain name of a control host in a botnet, comprising the network device of claim 3 or claim 4 and a domain name server, wherein:
the network device detects the botnet from network messages and obtains the Internet Protocol (IP) address of the control host in the botnet; looks up in the network messages the DNS response message returned by the domain name server, that DNS response message being the answer to a DNS request message sent by a zombie host in the botnet that looks up the IP address; parses the DNS response message to obtain the domain name corresponding to the IP address and uses that domain name as the unique identifier of the control host; and ages out the current detection once the domain name has been obtained, or ages out the current detection when a predetermined period of time has elapsed since the start of the current detection without the domain name having been obtained;
the domain name server receives domain name service (DNS) request messages that query an IP address or a domain name and returns DNS response messages.
6. A system for detecting the domain name of a control host in a botnet, comprising a deep packet inspection (DPI) device and a gateway device, the DPI device comprising a detecting unit and the gateway device comprising a first acquiring unit and an aging unit, wherein:
the detecting unit detects the botnet from network messages, obtains the IP address of the control host in the botnet and sends it to the first acquiring unit;
the first acquiring unit looks up in the network messages the DNS response message returned by the domain name server, parses the DNS response message to obtain the domain name corresponding to the IP address, and uses that domain name as the unique identifier of the control host, the DNS response message being the answer to a DNS request message sent by a zombie host in the botnet that looks up the IP address;
the aging unit ages out the current detection once the domain name has been obtained, or ages out the current detection when a predetermined period of time has elapsed since the start of the current detection without the domain name having been obtained.
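The procedure claimed above (a controller IP produced by traffic analysis, correlated with DNS response messages seen on the wire, the resolved name taken as the controller's stable identifier, and the detection aged out on success or after a timeout) as an added worked example. This is illustration code written for this page, not code from the patent or from any Huawei product; the wire-format parser, the tracker class, the controller IPs, the domain names and the captured DNS responses are all constructed here, and the real system would obtain the controller IP from its own botnet detector rather than from a hard-coded call.

```python
"""Added example: identify a botnet controller by the domain name that bots
resolve to reach it, rather than by its (changeable) IP address."""
from __future__ import annotations
import ipaddress
import struct


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a DNS name at msg[off:], following RFC 1035 compression pointers.
    Returns (dotted name, offset just after the name as it appears in place)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:                                # hostile message: pointer loop
                raise ValueError("DNS name pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def a_records(msg: bytes) -> list[tuple[str, str]]:
    """Return (domain, IPv4) pairs from the answer section of a DNS response.
    Only successful responses (QR=1, RCODE=0) are considered; queries are ignored."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:
        return []
    off = 12
    for _ in range(qdcount):                             # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                    # A record
            out.append((name, str(ipaddress.IPv4Address(rdata))))
    return out


class ControllerTracker:
    """Pending detections keyed by controller IP; each is closed (aged out) either
    when a DNS answer carrying that IP supplies the domain or when it times out."""

    def __init__(self, timeout_s: float) -> None:
        self.timeout_s = timeout_s
        self.pending: dict[str, float] = {}              # controller IP -> detection start
        self.identified: dict[str, str] = {}             # controller IP -> domain (unique ID)
        self.timed_out: list[str] = []

    def detect(self, controller_ip: str, now: float) -> None:
        """Called by the botnet detector with the controller IP it found."""
        self.pending.setdefault(controller_ip, now)
        self.expire(now)

    def observe_dns_response(self, msg: bytes, now: float) -> None:
        """Called for every DNS response seen on the wire (e.g. from the gateway)."""
        for domain, ip in a_records(msg):
            if ip in self.pending:                       # a bot resolved the controller
                self.identified[ip] = domain
                del self.pending[ip]                     # age out: domain obtained
        self.expire(now)

    def expire(self, now: float) -> None:
        for ip, started in list(self.pending.items()):
            if now - started > self.timeout_s:           # age out: no domain in time
                self.timed_out.append(ip)
                del self.pending[ip]


def build_a_response(txid: int, domain: str, ipv4: str, ttl: int = 60) -> bytes:
    """Constructed test helper: a minimal A response whose answer name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, RCODE=0
    question = qname + struct.pack("!HH", 1, 1)                  # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ipv4).packed
    return header + question + answer


def run_demo() -> ControllerTracker:
    """Constructed scenario: two controller IPs detected, one later resolved by a bot."""
    tracker = ControllerTracker(timeout_s=300)
    tracker.detect("192.0.2.10", now=1000.0)
    tracker.detect("192.0.2.20", now=1000.0)
    # A bot's lookup of the controller name, answered with 192.0.2.10.
    tracker.observe_dns_response(build_a_response(0x1234, "c2.example.net", "192.0.2.10"), now=1030.0)
    # Unrelated traffic: the IP is not a pending controller, so it is ignored.
    tracker.observe_dns_response(build_a_response(0x1235, "www.example.org", "198.51.100.7"), now=1040.0)
    tracker.expire(now=1400.0)                           # 192.0.2.20 never resolved
    return tracker


if __name__ == "__main__":
    t = run_demo()
    print("identified:", t.identified, "timed out:", t.timed_out)
```

The parser deliberately ignores queries and error responses, and caps pointer hops so a crafted response cannot loop the name decoder; the tracker keys on the IP the detector supplied, so a later change of the controller's address produces a new pending entry while the domain already recorded stays the identifier.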
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title  Status
CN201010109069XA (CN101800746B)  2010-02-04  2010-02-04  Method, device and system for detecting domain name of control host machine in botnets  Active

Publications (2)

Publication Number  Publication Date
CN101800746A (en)  2010-08-11
CN101800746B (en)  2013-12-04

Family ID: 42596238

Country Status (1)

Country  Link
CN (1)  CN101800746B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN102026146B *  2010-10-11  2014-11-19  Huawei Technologies Co., Ltd.  Method, host and system for sending control message
CN102223422B *  2011-08-02  2014-07-09  Hangzhou DPtech Technologies Co., Ltd.  Domain name system (DNS) message processing method and network safety equipment
CN102571487B *  2011-12-20  2014-05-07  Southeast University  Distributed bot network scale measuring and tracking method based on multiple data sources
CN104717226B *  2012-06-06  2018-11-30  Beijing Qianxin Technology Co., Ltd.  Detection method and device for network address
CN103002070B *  2012-12-25  2015-05-20  Shanghai Yamu Communication Technology Co., Ltd.  Domain name resolution method and device
CN103078968B *  2013-01-22  2015-12-02  Huawei Technologies Co., Ltd.  Domain name query method, IP grouping method, device and equipment
US10198579B2 *  2014-08-22  2019-02-05  Mcafee, Llc  System and method to detect domain generation algorithm malware and systems infected by such malware
CN104639391A *  2015-01-04  2015-05-20  China United Network Communications Group Co., Ltd.  Method for generating network flow record and corresponding flow detection equipment
US10652270B1 *  2016-06-23  2020-05-12  Ntt Research, Inc.  Botmaster discovery system and method
CN106713371B *  2016-12-08  2020-04-21  China Electronics Technology Cyber Security Co., Ltd.  Fast Flux botnet detection method based on DNS abnormal mining
CN110928709B *  2019-11-21  2023-08-29  TravelSky Technology Ltd.  Service calling method and device under micro-service framework and server
CN113179260B *  2021-04-21  2022-09-23  National Computer Network and Information Security Management Center, Hebei Branch  Botnet detection method, device, equipment and medium


Legal Events

Date  Code  Title  Description
C06  Publication
PB01  Publication
C10  Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14  Grant of patent or utility model
GR01  Patent grant
C56  Change in the name or address of the patentee
    Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.
    Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.
CP01  Change in the name or title of a patent holder
    Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River
    Patentee after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.
    Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River
    Patentee before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.
TR01  Transfer of patent right
    Effective date of registration: 20220824
    Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
    Patentee after: HUAWEI TECHNOLOGIES Co.,Ltd.
    Address before: 611731 Qingshui River District, Chengdu hi tech Zone, Sichuan, China
    Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.