CN101854404B - Method and device for detecting anomaly of domain name system - Google Patents


Info

Publication number
CN101854404B
Authority
CN
China
Prior art keywords
query
entropy
domain name
plurality
name system
Prior art date
Application number
CN 201010198228
Other languages
Chinese (zh)
Other versions
CN101854404A
Inventor
毛伟
李晓东
丁森林
王欣
吴军
金键
Original Assignee
中国科学院计算机网络信息中心


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements or network protocols for addressing or naming
    • H04L 61/15 Directories; Name-to-address mapping
    • H04L 61/1505 Directories; Name-to-address mapping involving standard directories or standard directory access protocols
    • H04L 61/1511 Directories; Name-to-address mapping involving standard directories or standard directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 29/00 Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L 1/00 - H04L 27/00
    • H04L 29/12 Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L 1/00 - H04L 27/00, characterised by the data terminal
    • H04L 29/12009 Arrangements for addressing and naming in data networks
    • H04L 29/12047 Directories; name-to-address mapping
    • H04L 29/12056 Directories; name-to-address mapping involving standard directories and standard directory access protocols
    • H04L 29/12066 Directories; name-to-address mapping involving standard directories and standard directory access protocols using Domain Name System [DNS]

Abstract

The present invention provides a method and apparatus for detecting anomalies in the domain name system, and belongs to the field of computer network technology. The method comprises: dividing the domain name system query data stream into a plurality of data blocks; calculating the entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values; and judging whether a preset number of the obtained entropy values exceed a preset threshold, and if so, determining that an anomaly has occurred in the domain name system. The apparatus comprises a dividing module, a calculation module and a judgment module. By calculating the entropy values of a plurality of data blocks in the domain name system query data stream, and determining that an anomaly has occurred when a preset number of the corresponding entropy values exceed a preset threshold, the present invention can give early warning of anomalies in the domain name system and thereby reduce the losses incurred once an anomaly occurs; compared with the prior art, it has high detection accuracy and a low missed-detection rate.

Description

Method and apparatus for detecting domain name system anomalies

Technical field

[0001] The present invention relates to computer network security technology, and in particular to a method and apparatus for detecting domain name system anomalies; it belongs to the field of computer network technology.

Background

[0002] The domain name system (Domain Name System, hereinafter DNS) is a distributed database system used to translate domain names into IP addresses that the network can recognize. Because DNS is the foundation of the Internet, a DNS anomaly has a serious impact on the entire network, so detecting DNS anomalies is very important.

[0003] Existing methods of detecting DNS anomalies mainly determine whether DNS is anomalous from changes in query traffic or from changes in the values of query attributes. Determining whether DNS is anomalous from changes in query traffic means regarding DNS as anomalous when the query traffic is unusually large or unusually small.

[0004] In the course of implementing the present invention, the inventors found that the prior art has at least the following problems:

[0005] Schemes that determine whether DNS is anomalous from changes in query traffic lag behind events: by the time an anomaly is detected, the query traffic has usually already accumulated to a considerable level and fairly serious consequences have already occurred, so such schemes cannot give early warning. Moreover, an anomaly does not necessarily affect DNS query traffic at all, so determining whether DNS is anomalous from changes in query traffic has a high missed-detection rate.

Summary of the invention

[0006] The present invention provides a method and apparatus for detecting DNS anomalies, to solve the problems of the prior art that detection of DNS anomalies lags behind events and that the missed-detection rate is high.

[0007] The method of detecting DNS anomalies provided by the present invention comprises:

[0008] dividing the domain name system query data stream into a plurality of data blocks;

[0009] calculating the entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values;

[0010] judging whether a preset number of the obtained plurality of entropy values exceed a preset threshold, and if so, determining that an anomaly has occurred in the domain name system.

[0011] The apparatus for detecting DNS anomalies provided by the present invention comprises:

[0012] a dividing module, for dividing the domain name system query data stream into a plurality of data blocks;

[0013] a calculation module, for calculating the entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values;

[0014] a judgment module, for judging whether a preset number of the obtained plurality of entropy values exceed a preset threshold, and if so, outputting information indicating that an anomaly has occurred in the domain name system.

[0015] The present invention calculates the entropy values of a plurality of data blocks in the DNS query data stream and determines that an anomaly has occurred in the DNS system when a preset number of the corresponding entropy values exceed a preset threshold. It can thereby give early warning of DNS anomalies, reducing the losses incurred once an anomaly occurs, and it has a low missed-detection rate.

Brief description of the drawings

[0016] To explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.

[0017] FIG. 1 is a flowchart of an embodiment of the method of detecting DNS anomalies of the present invention;

[0018] FIG. 2 is a schematic diagram of dividing data blocks according to a specified time;

[0019] FIG. 3 is the entropy curve obtained with a window size of 10000;

[0020] FIG. 4 is the DNS query rate curve;

[0021] FIG. 5 is a schematic structural diagram of an embodiment of the apparatus for detecting DNS anomalies of the present invention.

Detailed description

[0022] To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

[0023] The present invention is the first to apply the theory of entropy to DNS anomaly detection, so entropy is introduced first. In information theory, entropy is defined as follows: suppose a system S contains a set of events E = {E1, E2, ..., En}, where E1, E2, ..., En are the individual events in E. The probability distribution of the events is P = {P1, P2, ..., Pn}, where P1, P2, ..., Pn are the probabilities with which the respective events occur. The information content Ir of each event r is calculated by formula (1):

[0024] Ir = -log2 Pr (1)

[0025] In formula (1), r = 1, 2, ..., n.

[0026] For example, English has 26 letters; if every letter appeared equally often in a text, the information content of each letter would be I = -log2(1/26) = 4.7.

[0027] There are about 2500 commonly used Chinese characters; if every character appeared equally often in a text, the information content of each character would be I = -log2(1/2500) = 11.3.

[0028] Entropy is the average information content of the whole system S. Denoting the entropy by Hs, it is calculated as shown in formula (2):

[0029] Figure CN101854404BD00041 (formula (2); the formula is available only as an image in the source)

[0030] In the field of information transmission, entropy expresses the uncertainty of information. A system with high informativeness has a low entropy value, meaning the system is relatively stable; a system with low informativeness has a high entropy value, meaning the system is unstable and prone to anomalies. Whether DNS is anomalous can therefore be detected through its entropy value.

[0031] Embodiment 1

[0032] FIG. 1 is a flowchart of an embodiment of the method of detecting DNS anomalies of the present invention. As shown in FIG. 1, the method comprises:

[0033] Step 101: dividing the DNS query data stream into a plurality of data blocks;

[0034] It should be noted that the larger the data blocks, i.e. the more query data each block contains, the more gradually the entropy value of a block changes, which effectively reduces false detections but also lowers the sensitivity to anomalous traffic, so the missed-detection rate rises. Conversely, the smaller the blocks, i.e. the less query data each block contains, the higher the sensitivity of DNS anomaly detection, but the accuracy drops correspondingly.

[0035] In practice, the DNS query data stream can be divided into blocks by a specified time and/or by a specified query count. For example, each minute of query data in the stream can form one block, or every 1000 query records can form one block. Time and query count can also be combined: a block is closed when the specified time is reached even if the specified query count has not been reached, or when the specified query count is reached even if the specified time has not elapsed. The division can also follow a function of the time of day; for instance, between 8:30 and 12:00 the blocks can cover shorter periods, say one block every 20-30 seconds, while between 12:00 and 13:00 they can cover longer periods, say one block every 2-3 minutes. Technicians can adjust this division according to actual conditions, or divide the blocks according to experience and the volume of query data.

[0036] Step 102: calculating the entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values;

[0037] The preset query attribute includes the query type, the type of error in the query, the source IP of the query, or the occurrence of the queried domain name, but is not limited to these; any query attribute that partitions queries into categories can be used.

[0038] The query types include at least: the IP address record of a domain name (Address, A), the IPv6 host address record (AAAA), the reverse record (Pointer, PTR), the mail exchanger record (Mail exchanger, MX), the name server record (Name Server, NS) and the start of authority record (Start Of Authority, SOA).

[0039] The type of error in a query means that the DNS query request sent contains an illegal field. The main error types include: the query source address is a private address, the query type does not exist, the queried top-level domain does not exist, the queried name contains illegal characters, the queried name is malformed, the query is a repeated query, or the query is a normal query. A normal query is one without errors; when the preset query attribute is the error type, queries without errors are placed in the normal-query class, so that every query record can be assigned to some specific type.

[0040] Calculating the entropy values of the plurality of data blocks according to the preset query attribute specifically comprises:

[0041] calculating the probability with which each element of the preset query attribute appears in each data block;

[0042] calculating the entropy value of each data block from the probability with which each element of the preset query attribute appears in that data block.

[0043] The divided data blocks may overlap one another. For example, FIG. 2 is a schematic diagram of dividing data blocks according to a specified time: as shown in FIG. 2, the queries between 8:00 and 8:10 form one data block, the queries between 8:03 and 8:13 form the next, and so on, i.e. each block covers 10 minutes and there is a 3-minute overlap between blocks, so the query data stream is divided into a plurality of overlapping data blocks. This embodiment is described in detail taking the case in which each divided block contains a specified query count as an example.

[0044] Suppose each data block contains a specified count of 10 query records, the current block is the i-th block, the block immediately before it is the (i-1)-th block, and the block immediately after it is the (i+1)-th block. If the (i-1)-th block contains query records 1 to 10, then the i-th block contains records 2 to 11 and the (i+1)-th block contains records 3 to 12. The overlap between the (i-1)-th and i-th blocks is records 2 to 10, and the overlap between the i-th and (i+1)-th blocks is records 3 to 11.

[0045] When the divided data blocks overlap one another, calculating the entropy values of the blocks according to the preset query attribute may comprise:

[0046] calculating the entropy value H1 of the block immediately before the current block;

[0047] calculating the entropy value H2 of the current block from the entropy value H1 of the block immediately before it.

[0048] Calculating the entropy value H2 of the current block from the entropy value H1 of the preceding block specifically comprises:

[0049] calculating the weighted information amounts Tf and T1 of a first specified query set and a second specified query set, respectively, in the (i-1)-th block; the first specified query set is the non-overlapping part before the overlap between the i-th and (i-1)-th blocks, and the second specified query set is the non-overlapping part after the overlap between the i-th and (i+1)-th blocks;

[0050] Continuing the example above, the first specified query set is query record 1 and the second specified query set is query record 12.

[0051] If the probability with which the query type of record 1 appears in the (i-1)-th block is Pf, then Tf = -Pf log2 Pf;

[0052] if the probability with which the query type of record 12 appears in the (i-1)-th block is P1, then T1 = -P1 log2 P1.

[0053] calculating the weighted information amounts of the second specified query set and a third specified query set, respectively, in the i-th block (the symbols of these two amounts are garbled in the source); the third specified query set is the non-overlapping part before the overlap between the i-th and (i+1)-th blocks;

[0054] Continuing the example above, let the probability with which the query type of record 12 appears in the i-th block be P' (the symbol is garbled in the source); then:

Figure CN101854404BD00061

[0055] The third specified query set is query record 2; let the probability with which the query type of record 2 appears in the i-th block be as denoted in the source (the symbol is garbled); then:

Figure CN101854404BD00062

[0056] From the entropy value H1 of the (i-1)-th block, Tf, T1 and the two weighted information amounts of the i-th block, the entropy value H2 of the i-th block is calculated as:

Figure CN101854404BD00063

[0057] When i is 2, i.e. the block immediately before the current block is the first divided block, the probability with which each element of the preset query attribute appears in the first block is calculated;

[0058] and the entropy value (H1) of the first block is calculated from those probabilities.

[0059] For example, if the preset query attribute is the query type, the elements of the attribute are the specific query types, such as A, AAAA, PTR, MX, NS and SOA above, and each query record belongs to exactly one query type. The probability with which the query type of each record in a block appears in that block can be calculated, and the entropy value of the block is then calculated from those probabilities using the formula

[0060] Figure CN101854404BD00064 (formula (3); the formula is available only as an image in the source)

[0061] In formula (3), Hk is the entropy value of each data block, j indexes the j-th query record in the block, n is the number of query records in the block, and Pj is the probability with which the query type of the j-th record appears in that block;

[0062] When the preset query attribute is the query source IP, the elements of the attribute are the IP addresses corresponding to the query records. Since each query record in a block comes from exactly one IP address, the probability with which the IP address of each record appears in the block can be calculated, and the entropy value of the block is calculated from those probabilities.

[0063] It should be noted that the preset query attribute may also comprise two or more attributes at once. For example, when it comprises both the query type and the query source IP, the entropy value of each block can be calculated separately for each of the two attributes, the two entropy values obtained from the query type and from the query source IP are added with weights, and the weighted sum is taken as the final entropy value of the block.

[0064] Step 103: judging whether a preset number of the entropy values obtained above exceed a preset threshold, and if so, determining that a DNS anomaly has occurred.

[0065] If the preset number is set to 5, then a DNS anomaly is determined to have occurred if 5 of the entropy values obtained in step 102 exceed the preset threshold. The preset number can also be set to 1, 2 or any other number. The preset number affects the precision of the detection result: the larger it is, the higher the detection precision, but the missed-detection rate also rises; the smaller it is, the lower the detection precision, but the missed-detection rate also falls. The choice of preset number has to be made according to actual network conditions and experience.
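Steps 101 to 103 of the method, together with the incremental entropy update for overlapping blocks described in [0043] to [0056], as an added Python example that is not the patent's own code. The rewriting H = log2 n - (1/n) Σ c_t log2 c_t over the per-value counts c_t is this example's own equivalent form of the block entropy, not the patent's formula (3), and the query stream, block size 20, step 10, threshold 2.0 and preset count 5 are constructed values.

```python
"""Entropy-based DNS anomaly detection over (overlapping) blocks of query records.

Added example; not the patent's own code.  It implements the method's three
steps: divide the query stream into blocks, compute each block's entropy over a
query attribute (here the query type), and alert once a preset number of block
entropies exceed a preset threshold.  Overlapping blocks are handled with an
incremental update instead of a full recount per block.
"""
import math
from collections import Counter
from typing import List, Sequence, Tuple


def block_entropy(records: Sequence[str]) -> float:
    """Step 102 for one block: Shannon entropy in bits of the attribute distribution.

    H = -sum_t p_t * log2(p_t), p_t being the share of records whose attribute
    value is t.  An empty block or a block with a single value has entropy 0.
    """
    n = len(records)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(records).values())


def _clog(c: int) -> float:
    """c * log2(c) with the convention 0 * log2(0) = 0."""
    return c * math.log2(c) if c > 0 else 0.0


def sliding_entropies(records: Sequence[str], window: int, step: int) -> List[float]:
    """Steps 101 and 102: entropy of every block of `window` records, one block every `step` records.

    With step < window the blocks overlap, like the patent's 10-record blocks
    that shift by one record.  Rewriting the entropy of an n-record block as
    H = log2(n) - (1/n) * sum_t c_t * log2(c_t)   (c_t = count of value t)
    (this example's own form, not the patent's formula) lets the next block's
    entropy be derived from the previous one by adjusting only the terms of
    the values whose counts changed.
    """
    if window <= 0 or step <= 0 or len(records) < window:
        return []
    counts = Counter(records[:window])
    s = sum(_clog(c) for c in counts.values())   # running sum of c_t*log2(c_t)
    log_n = math.log2(window)
    entropies = [log_n - s / window]
    start = 0
    while start + step + window <= len(records):
        # Records leaving the window on the left ...
        for old in records[start:start + step]:
            s -= _clog(counts[old])
            counts[old] -= 1
            s += _clog(counts[old])
        # ... and records entering it on the right.
        for new in records[start + window:start + window + step]:
            s -= _clog(counts[new])
            counts[new] += 1
            s += _clog(counts[new])
        start += step
        entropies.append(log_n - s / window)
    return entropies


def detect_anomaly(entropies: Sequence[float], threshold: float,
                   preset_count: int) -> Tuple[bool, List[int]]:
    """Step 103: anomaly if at least `preset_count` block entropies exceed `threshold`.

    Returns the verdict and the indices of the blocks over the threshold.
    """
    over = [i for i, h in enumerate(entropies) if h > threshold]
    return len(over) >= preset_count, over


def constructed_stream() -> List[str]:
    """Constructed sample of query types (not real traffic): 200 records of
    ordinary traffic dominated by A queries, then 120 records spread evenly
    over six types, the flattened distribution an attack might produce."""
    normal = (["A"] * 16 + ["AAAA"] * 2 + ["MX", "PTR"]) * 10
    flat = ["A", "AAAA", "PTR", "MX", "NS", "SOA"] * 20
    return normal + flat


if __name__ == "__main__":
    stream = constructed_stream()
    hs = sliding_entropies(stream, window=20, step=10)   # blocks of 20, shifted by 10
    verdict, over = detect_anomaly(hs, threshold=2.0, preset_count=5)
    for i, h in enumerate(hs):
        print(f"block {i:2d} (records {i * 10:3d}-{i * 10 + 19:3d}): H = {h:.3f} bits")
    print("DNS anomaly" if verdict else "no anomaly", "- blocks over threshold:", over)
```

The ordinary blocks sit near 1.02 bits; the first block that straddles the flattened traffic already rises to about 2.25 bits and the fully flattened blocks to about 2.57, so the preset count of 5 is reached well before the last block.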

[0066] In this embodiment the DNS query data may be historical DNS query data or real-time DNS query data. With historical DNS query data, the method of this embodiment can be used to analyse DNS usage, and the analysis results can be used to optimize DNS; the embodiment is more often applied to real-time detection, i.e. with real-time DNS query data, to discover DNS anomalies promptly and prevent DNS from suffering serious damage.

[0067] To show the effect of the present invention better, the large-scale Internet outage in China on 19 May 2009 is taken as an example. The cause of the outage was an attack on the DNS system. Query records collected from an authoritative DNS server of a top-level node in China (CN) between 9:00 and 24:00 on 19 May 2009 were analysed: the records were divided into data blocks of size 10000, i.e. 10000 query records per block, the entropy value of each block was calculated, and the resulting entropy values were plotted as an entropy curve. FIG. 3 is the entropy curve obtained with a block size of 10000 and FIG. 4 is the DNS query rate curve, the query rate being the number of queries per minute. FIG. 3 shows that the entropy curve was already fluctuating violently at about 16:00, i.e. several entropy values exceeded the preset threshold, indicating that a large amount of anomalous DNS traffic had begun to enter the network and that DNS was already anomalous; in the query rate curve of FIG. 4, the query traffic did not show a significant anomaly until about 18:30, by which time the large-scale outage had already begun. It is therefore evident that the prior-art traffic-based detection scheme lags behind events and has a high missed-detection rate, whereas the method of detecting DNS anomalies provided by the present invention can detect DNS anomalies in advance and in time, serving as an early warning.

[0068] The present invention divides the DNS query data stream into a plurality of data blocks, calculates the entropy values of the blocks according to a preset query attribute to obtain a corresponding plurality of entropy values, and determines that a DNS anomaly has occurred when a preset number of these entropy values exceed a preset threshold. Since the entropy value measures the randomness of the distribution of a query attribute in the DNS query data, when a DNS anomaly occurs, for example when DNS is attacked, the distribution of the query attribute changes and the entropy value changes with it. A DNS anomaly can thus be recognized from the change in entropy. The prior-art traffic-based detection method, by contrast, cannot detect a DNS anomaly while its symptoms are mild, because the DNS query traffic does not change noticeably; only when the anomaly becomes severe, for example when a large-scale network outage leaves many users without service, does the traffic-based method detect anomalous DNS traffic and hence the DNS anomaly, so it lags considerably. The present invention can detect a DNS anomaly before a severe event such as a large-scale network failure occurs, giving early warning so that users can prepare before the anomaly becomes serious; it avoids the losses that a serious DNS anomaly would cause users, lowers the missed-detection rate and improves the user experience. Furthermore, because DNS is an extremely complex system, the prior art, when determining whether DNS is anomalous from changes in the values of query attributes, does not consider the complex internal state changes of the DNS system, so its detection precision is not high; in a further embodiment of the present invention, when the divided data blocks overlap, the relationship between the obtained entropy values also reflects the changes in the internal state of the DNS system, which greatly improves the detection precision.

[0069] Embodiment 2

[0070] FIG. 5 is a schematic diagram of an embodiment of the apparatus for detecting DNS anomalies of the present invention. As shown in FIG. 5, the apparatus comprises a dividing module 201, a calculation module 202 and a judgment module 203;

[0071] the dividing module 201 is for dividing the DNS query data stream into a plurality of data blocks;

[0072] Specifically, the dividing module 201 is configured to divide the DNS query data stream into a plurality of data blocks by a specified time interval and/or by a specified query volume.

[0073] the calculation module 202 is configured to calculate, according to a preset query attribute, the entropy of each of the plurality of data blocks divided by the dividing module 201, obtaining a corresponding plurality of entropy values;

[0074] wherein the calculation module 202 comprises a first calculation unit and a second calculation unit;

[0075] the first calculation unit is configured to calculate the probability with which each element of the preset query attribute appears in each data block;

[0076] the second calculation unit is configured to calculate, from the probabilities obtained by the first calculation unit for each element of the preset query attribute in each data block, the entropy of each of the plurality of data blocks divided by the dividing module 201, obtaining a corresponding plurality of entropy values.

[0077] When the plurality of data blocks divided by the dividing module 201 overlap one another, the calculation module 202 comprises:

[0078] a third calculation unit, configured to calculate the entropy H1 of the data block immediately preceding the current data block;

[0079] a fourth calculation unit, configured to calculate the entropy H2 of the current data block from the entropy H1 of the immediately preceding data block calculated by the third calculation unit.

[0080] wherein the third calculation unit comprises:

[0081] a first calculation sub-unit, configured to calculate, when the data block immediately preceding the current data block is the first data block of the division, the probability with which each element of the preset query attribute appears in the first data block;

[0082] a second calculation sub-unit, configured to calculate the entropy H1 of the first data block from the probability with which each element of the preset query attribute appears in the first data block.

[0083] The determining module 203 is configured to determine whether a preset number of the plurality of entropy values obtained by the calculation module 202 exceed a preset threshold, and if so, to output information indicating that a DNS anomaly has occurred.

[0084] It should be noted that, since this first embodiment of the apparatus for detecting DNS anomalies substantially corresponds to the first embodiment of the method, the relevant parts of the description of the first method embodiment may be referred to.

[0085] The present invention divides the DNS query data stream into a plurality of data blocks, calculates the entropy of each data block according to a preset query attribute to obtain a corresponding plurality of entropy values, and determines that a DNS anomaly has occurred when a preset number of those entropy values exceed a preset threshold. Since entropy is a measure of the randomness of the distribution of a query attribute of the DNS query data, when a DNS anomaly occurs, for example when the DNS is under attack, the distribution of the query attribute changes, and the entropy changes with it. The DNS anomaly can therefore be learned from the change in entropy. The traffic-based detection methods of the prior art, by contrast, cannot detect an anomaly while its symptoms are still slight, because the DNS query traffic does not yet change noticeably; only when the anomaly has become severe, for example when a large-scale network outage leaves many users without service, can a traffic-based method detect abnormal DNS traffic and thereby the DNS anomaly, so such methods lag significantly. The present invention can detect the DNS anomaly before a severe condition such as a large-scale network failure occurs, which provides early warning of DNS anomalies, lets users prepare before the anomaly becomes severe, avoids the losses that severe DNS anomalies cause users, lowers the missed-detection rate and improves the user experience. Moreover, because the DNS is an extremely complex system, prior-art methods that determine whether a DNS anomaly has occurred from changes in the value of a query attribute do not take into account the complex internal state changes of the DNS system, so their detection accuracy is low; in a further embodiment of the present invention, when the plurality of data blocks overlap, the plurality of entropy values obtained also reflect the changes in the internal state of the DNS system, which greatly improves the detection accuracy.

[0086] Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.

[0087] Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for detecting an anomaly of a domain name system, characterized in that the method comprises: dividing a domain name system query data stream into a plurality of data blocks; calculating the entropy of each of the plurality of data blocks according to a preset query attribute, obtaining a corresponding plurality of entropy values, wherein, when the plurality of data blocks overlap one another, calculating the entropy of the plurality of data blocks according to the preset query attribute comprises: calculating the entropy of the data block immediately preceding the current data block, and calculating the entropy of the current data block from the entropy of the immediately preceding data block; and determining whether a preset number of the plurality of entropy values obtained exceed a preset threshold, and if so, determining that an anomaly of the domain name system has occurred.
2. The method for detecting an anomaly of a domain name system according to claim 1, characterized in that dividing the domain name system query data stream into a plurality of data blocks comprises: dividing the domain name system query data stream into a plurality of data blocks by a specified time interval and/or a specified query volume.
3. The method for detecting an anomaly of a domain name system according to claim 1, characterized in that, when the data block immediately preceding the current data block is the first data block of the division, the probability with which each element of the preset query attribute appears in the first data block is calculated, and the entropy of the first data block is calculated from that probability.
4. The method for detecting an anomaly of a domain name system according to claim 1, characterized in that the preset query attribute comprises: query type, error type, query source IP address and/or queried domain name.
5. The method for detecting an anomaly of a domain name system according to claim 4, characterized in that, when the preset query attribute comprises at least two query attributes, the entropy value is the weighted sum of the at least two entropy values obtained according to the at least two query attributes respectively.
6. An apparatus for detecting an anomaly of a domain name system, characterized in that the apparatus comprises: a dividing module, configured to divide a domain name system query data stream into a plurality of data blocks; a calculation module, configured to calculate the entropy of each of the plurality of data blocks according to a preset query attribute, obtaining a corresponding plurality of entropy values, wherein, when the plurality of data blocks overlap one another, the calculation module comprises: a third calculation unit, configured to calculate the entropy of the data block immediately preceding the current data block, and a fourth calculation unit, configured to calculate the entropy of the current data block from the entropy of the immediately preceding data block calculated by the third calculation unit; and a determining module, configured to determine whether a preset number of the plurality of entropy values obtained exceed a preset threshold, and if so, to output information indicating that an anomaly of the domain name system has occurred.
7. The apparatus for detecting an anomaly of a domain name system according to claim 6, characterized in that the dividing module is specifically configured to divide the domain name system query data stream into a plurality of data blocks by a specified time interval and/or a specified query volume.
8. The apparatus for detecting an anomaly of a domain name system according to claim 6, characterized in that the third calculation unit comprises: a first calculation sub-unit, configured to calculate, when the data block immediately preceding the current data block is the first data block of the division, the probability with which each element of the preset query attribute appears in the first data block; and a second calculation sub-unit, configured to calculate the entropy of the first data block from that probability.
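The division into blocks, per-block entropy, incremental update across overlapping blocks (the H1 to H2 step) and threshold judgment described in embodiment 2 and in claims 1 to 3 and 6 to 8, as an added Python example that is not the patent's code: it computes the entropy of the queried-name attribute over constructed sample records, derives each overlapping block's entropy from the previous block's count state, and flags an anomaly when a preset number of blocks exceed a preset threshold. Block size, step, threshold, required count and all sample records are assumptions chosen for illustration.

```python
# Added example (not the patent's code): entropy-based DNS anomaly check over a
# constructed query stream. All parameters and records below are assumptions.
from collections import Counter
from math import log2

# Constructed sample stream of (query type, source IP, queried name) records:
# 80 records of normal mixed traffic, then 40 in which one source queries a
# fresh random-looking label under a single zone each time.
NORMAL = [("A", f"10.0.0.{i % 8}", f"host{i % 10}.example.test") for i in range(80)]
FLOOD = [("A", "198.51.100.7", f"rnd{i}.victim.test") for i in range(40)]
STREAM = NORMAL + FLOOD
SRC_IP, NAME = 1, 2  # indices of the query attributes inside a record


def block_entropy(block, attr):
    """Shannon entropy (bits) of one attribute over a whole block: per-element
    probability first, then the entropy (calculation units 1 and 2)."""
    n = len(block)
    counts = Counter(rec[attr] for rec in block)
    return -sum(c / n * log2(c / n) for c in counts.values())


class SlidingEntropy:
    """Entropy of a fixed-size block advanced over overlapping blocks, using
    H = log2(n) - S/n with S = sum(c * log2 c) over element counts, so H2 of
    the current block follows from the state behind H1 of the previous one."""

    def __init__(self, first_block, attr):
        self.attr = attr
        self.n = len(first_block)
        self.counts = Counter(rec[attr] for rec in first_block)
        self.s = sum(c * log2(c) for c in self.counts.values())

    def entropy(self):
        return log2(self.n) - self.s / self.n

    def _adjust(self, key, delta):
        old = self.counts[key]
        new = old + delta
        self.s += (new * log2(new) if new > 0 else 0.0) - (old * log2(old) if old > 0 else 0.0)
        self.counts[key] = new

    def slide(self, outgoing, incoming):
        """Move to the next block: drop `outgoing` records, add `incoming` ones."""
        for rec in outgoing:
            self._adjust(rec[self.attr], -1)
        for rec in incoming:
            self._adjust(rec[self.attr], +1)
        return self.entropy()


def block_entropies(stream, attr, size, step):
    """Entropy of every block of `size` records whose starts are `step` apart
    (step < size gives overlapping blocks, which are updated incrementally)."""
    starts = range(0, len(stream) - size + 1, step)
    if step > size:  # gaps between blocks: nothing to carry over, compute directly
        return [block_entropy(stream[i:i + size], attr) for i in starts]
    win = SlidingEntropy(stream[0:size], attr)
    values = [win.entropy()]
    for prev, cur in zip(starts, starts[1:]):
        values.append(win.slide(stream[prev:cur], stream[prev + size:cur + size]))
    return values


def dns_anomalous(stream, attr, size, step, threshold, required):
    """Judgment step: anomaly if at least `required` block entropies exceed `threshold`."""
    values = block_entropies(stream, attr, size, step)
    return sum(h > threshold for h in values) >= required, values
```

The direction of the shift depends on the attribute: the constructed flood raises the entropy of queried names but lowers that of source IP addresses, so the threshold must be set per attribute, or the attributes combined by weighted sum as claim 5 describes.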
CN 201010198228 2010-06-04 2010-06-04 Method and device for detecting anomaly of domain name system CN101854404B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010198228 CN101854404B (en) 2010-06-04 2010-06-04 Method and device for detecting anomaly of domain name system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 201010198228 CN101854404B (en) 2010-06-04 2010-06-04 Method and device for detecting anomaly of domain name system
PCT/CN2010/074577 WO2011150579A1 (en) 2010-06-04 2010-06-28 Method and device for detecting domain name system (dns) anomaly

Publications (2)

Publication Number Publication Date
CN101854404A CN101854404A (en) 2010-10-06
CN101854404B true CN101854404B (en) 2013-08-07

Family

ID=42805666

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010198228 CN101854404B (en) 2010-06-04 2010-06-04 Method and device for detecting anomaly of domain name system

Country Status (2)

Country Link
CN (1) CN101854404B (en)
WO (1) WO2011150579A1 (en)

Also Published As

Publication number Publication date
CN101854404A (en) 2010-10-06
WO2011150579A1 (en) 2011-12-08

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C53 Change or modification
COR Bibliographic change or correction in the description

Free format text: CORRECT: INVENTOR; FROM: MAO WEI LI XIAODONG DING SENLIN WANG XIN WU JUN JIN JIAN LU WENZHE TO: MAOWEI LI XIAODONG DING SENLIN WANG XIN WU JUN JIN JIAN

C14 Granted