CN101986642B - Detection system and method of Domain Flux data stream - Google Patents


Publication number: CN101986642B
Authority: CN (China)
Application number: CN 201010517771
Other languages: Chinese (zh)
Other versions: CN101986642A (en)
Inventors: 张治起, 郭莉, 刘潮歌, 廖鹏, 崔翔
Original assignee: 中国科学院计算技术研究所 (Institute of Computing Technology, Chinese Academy of Sciences)
Application filed by 中国科学院计算技术研究所
Priority to CN 201010517771
Publication of CN101986642A
Application granted
Publication of CN101986642B


Abstract

The invention provides a system and method for detecting a Domain Flux data stream. A monitoring module monitors and analyses the data stream passing through the gateway, obtains DNS query request packets and DNS response packets, and extracts the source IP address, the queried domain name, the timestamp and the A record returned for that domain name. A database operation module records the source IP address, queried domain name, timestamp and A record extracted by the monitoring module in a database. A window longest common substring module computes the longest common substring of any two domain names queried within a time window and counts how often each longest common substring occurs, in order to determine the window longest common substring.

Description

Detection system and method of Domain Flux data stream

FIELD

[0001] The present invention relates to the field of network security and, more particularly, to a system and method for detecting Domain Flux (domain-name flux) data streams.

BACKGROUND

[0002] Computers face countless security threats; botnets, which have emerged in recent years, are among the most damaging. A botnet is an attack platform built by compromising hosts on the network, remotely controlled by an attacker, and used to launch further attacks. Its components are the bot program (bot), the command and control channel (Command & Control Channel, C&C) and the controller (botmaster). The botmaster issues commands to the bots over the C&C channel, and the bot program running on each compromised host executes them. Botnets are therefore more dangerous than traditional malicious code or isolated attacks.

[0003] Controllability is the essential property of a botnet: if its C&C can be detected and shut down, the botnet falls apart. Traditional bots hard-code the IP address or domain name of the C&C server in order to locate the controller, and such a C&C is easy to take down. Recently a technique called Domain Flux has been used for C&C server addressing. Domain Flux hard-codes into the bot an algorithm shared with the controller, which generates a dynamic pool of domain names from some dynamic input (for example the current time). The bot polls the domain names in that pool to find the command rendezvous point, so that regardless of whether an earlier rendezvous point has been shut down, the bot can always find a new one.

[0004] Communication in a botnet that uses Domain Flux proceeds as follows: 1) the Domain Flux algorithm generates the currently valid domain pool; 2) the controller picks one domain name from the pool at random as the rendezvous point for this round of communication; 3) the controller registers that domain name, uses it as the server's domain name and publishes control commands on that server; 4) the bot visits the domain names in the pool one by one; 5) if a domain name is reached successfully and an authenticated control command is obtained, this round of communication ends; otherwise step 4 is repeated.

[0005] The advantage of Domain Flux is that it provides enough dynamic redundancy: even if the domain generation algorithm is reverse engineered, the defender only obtains the pool of candidate rendezvous points, not the exact rendezvous domain name. The generation algorithm can introduce more randomness so that the pool is large and changes quickly, and the generated names are hardly distinguishable from legitimate ones; since the defender cannot take down every domain name in the pool, reverse engineering the algorithm is of little use for defending against the botnet.

[0006] In general, the dynamic domain generation algorithms used by Domain Flux produce names of the form random string + fixed suffix, fixed prefix + random string, or fixed prefix + random string + fixed suffix. The generation algorithm is responsible for the random string, while the fixed affixes are hard-coded in the bot. It follows that Domain Flux has the following characteristics: 1) so that control commands can be delivered quickly, the bot issues a large number of DNS queries in a short time, hence a single time window contains many DNS queries; 2) the queried domain names share the same longest common substring; 3) only a small fraction of the domain names in the pool are registered as C&C, so the proportion of queries for which the DNS server can return an A record is small, which is clearly different from normal applications. Domain Flux is built on top of domain name resolution, which translates domain names into IP addresses; the IP address is what network communication actually uses.
The domain name resolution process is as follows: 1) the client issues a resolution request and sends it to the local name server; 2) on receiving the request, the local name server first looks in its cache and, if it holds the record, returns the result directly; 3) if the cache does not hold the record, the local name server sends the request to a root name server, which returns the address of the authoritative name server for the queried domain (a child of the root); 4) the local name server sends the request to the name server returned in the previous step, which checks its own cache and, if it has no such record, returns the address of the next lower-level name server; 5) step 4 is repeated until the correct record is found; 6) the local name server stores the returned result in its cache for next time and also returns it to the client.
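The following is an added illustration of the "random string + fixed affix" construction described in [0006]; it is example code written for this page, not code from the patent or from any bot, and it is a deliberately simple hypothetical generator rather than the algorithm of a real botnet family. The dynamic input is the date as an ISO string, the affixes are the hard-coded part, and the suffix ".example" is a reserved top-level domain so none of the generated names resolve. The helper fixed_affixes recovers the invariant part of the pool, which is exactly what the window longest common substring test later keys on.

```python
import hashlib
from typing import List, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def random_label(seed: bytes, index: int, length: int = 10) -> str:
    """Deterministic pseudo-random label: SHA-256(seed || index) mapped onto ALPHABET.
    Controller and bot only need the shared seed and the index to reproduce it."""
    digest = hashlib.sha256(seed + index.to_bytes(4, "big")).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def domain_pool(day: str, pool_size: int, prefix: str = "", suffix: str = ".example") -> List[str]:
    """Toy Domain Flux pool for one day (hypothetical, not a real family's algorithm).
    day is the dynamic input ("YYYY-MM-DD"); prefix/suffix are the hard-coded affixes.
    prefix="" gives the 'random + fixed suffix' form, prefix and suffix together give
    'fixed prefix + random + fixed suffix'."""
    seed = day.encode("ascii")
    return [f"{prefix}{random_label(seed, i)}{suffix}" for i in range(pool_size)]


def fixed_affixes(pool: List[str]) -> Tuple[str, str]:
    """Longest prefix and longest suffix shared by every name in the pool.
    Trimming from the ends always terminates because every string starts and ends with ''."""
    prefix, suffix = pool[0], pool[0]
    for name in pool[1:]:
        while not name.startswith(prefix):
            prefix = prefix[:-1]
        while not name.endswith(suffix):
            suffix = suffix[1:]
    return prefix, suffix


if __name__ == "__main__":
    todays_pool = domain_pool("2010-10-25", 100)
    print(todays_pool[:3], fixed_affixes(todays_pool))
```

Two pools for the same day are identical on both sides while pools for different days share nothing but the affixes; that is the "dynamic redundancy" of [0005], and the shared suffix returned by fixed_affixes is the reason feature 2) of [0006] holds.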

[0007] At present there is no good defence against botnets that use Domain Flux; only the blacklist method is available. Blacklist method: domain names confirmed as botnet C&C are added to a blacklist (malicious domain list); technical measures block communication between the bots and those domain names, and non-technical measures are used to take the domain names down. Its main drawbacks are that it is reactive and lags behind. Processing a large domain pool this way takes so long that the attacker can easily roll out a new algorithm before the names in the pool are blocked, keeping the C&C alive. The method depends heavily on the malicious domain list, lags considerably and cannot satisfy real-time requirements.

SUMMARY

[0008] To overcome the above defects of the prior art, the present invention proposes a method of detecting Domain Flux data streams. The method concerns botnet defence and detects Domain Flux data streams by monitoring packets at the network boundary.

[0009] According to one aspect of the invention, a system for detecting Domain Flux data streams is proposed, comprising a monitoring module, a database operation module and a window longest common substring module;

[0010] wherein the monitoring module monitors and analyses the data stream passing through the gateway, obtains DNS query request packets and DNS response packets, and extracts the source IP address, the queried domain name, the timestamp and the A record corresponding to that domain name;

[0011] the database operation module records the source IP address, queried domain name, timestamp and A record extracted by the monitoring module in a database;

[0012] the window longest common substring module computes the longest common substring of any two domain names queried within a time window and counts the occurrences of each longest common substring to determine the window longest common substring.

[0013] According to another aspect of the invention, a method of detecting Domain Flux data streams is proposed, comprising:

[0014] step 10), monitoring and analysing the data stream passing through the gateway, obtaining DNS query request packets and DNS response packets, and extracting the source IP address, the queried domain name, the timestamp and the A record corresponding to that domain name;

[0015] step 20), recording the source IP address, queried domain name, timestamp and A record extracted by the monitoring module in a database;

[0016] step 30), computing the longest common substring of any two domain names queried within a time window and counting the occurrences of each longest common substring to determine the window longest common substring.

[0017] The invention can determine in real time whether a DNS query data stream is a Domain Flux data stream. In general, to deliver control commands promptly the botmaster needs Domain Flux to locate the C&C quickly, so the time window in this method can be small, allowing Domain Flux data streams to be detected in real time.

[0018] The method needs no malicious domain list. It is derived from the behavioural characteristics of Domain Flux and is therefore highly targeted: instead of a blacklist, it detects Domain Flux data streams through the behaviour pattern of Domain Flux. Conversely, the method helps to build a malicious domain list: once a Domain Flux data stream has been detected, any A record returned by the DNS server within it is a malicious IP, and that domain name together with the IP forms one entry of the malicious domain list.

[0019] The method also helps to discover unknown bots. If an unknown bot uses Domain Flux to address its C&C, the method records the source of the data while detecting the Domain Flux data stream; filtering the packets on that host then yields a sample of the unknown bot.

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] Figure 1 is a schematic of the DNS query process;

[0021] Figure 2 is a flowchart of the Domain Flux technique;

[0022] Figure 3 is a schematic of the operation of the system for detecting Domain Flux data streams.

DETAILED DESCRIPTION

[0023] The system and method for detecting Domain Flux data streams provided by the invention are described in detail below with reference to the drawings and specific embodiments.

[0024] In summary, the invention proposes a method of detecting Domain Flux traffic at the network boundary. Targeting the three characteristics of Domain Flux noted in the background, it listens to and records all DNS query data streams within the local network, computes how often the longest common substring occurs within one time window together with the probability of DNS resolution failure, and from these determines whether the data stream in the current window is a Domain Flux data stream. The method detects the presence of Domain Flux traffic in real time and can determine the source of the data stream, from which it is inferred that a host in the local network is infected with a bot.

[0025] In one embodiment of the invention, a system for detecting Domain Flux traffic at the network boundary is provided, comprising a monitoring module S, a database operation module D and a window longest common substring module (WLCS). Within one time window, any two queried domain names have a longest common substring; the number of occurrences of each such substring is counted, and the one that occurs most often is called the "window longest common substring".

[0026] The monitoring module monitors and analyses the data stream. It listens to the data stream passing through the gateway, picks out DNS query request packets and DNS response packets, and extracts the source IP address, the queried domain name, the timestamp and the A record corresponding to that domain name.

[0027] The database operation module records the source IP address, queried domain name, timestamp and A record parsed by the monitoring module in the database. It is also responsible for clearing the database records after a time window ends: the method is stateless across windows, there is no correlation between successive time windows, and deleting the records keeps the database from growing without bound. Note that the implementation only needs to be able to record the DNS data of one time window; a database system is not required, and any technique capable of recording the four fields mentioned in the invention for one time window falls within the scope of the method.

[0028] The window longest common substring module WLCS uses a longest common substring algorithm (LCS) to compute the longest common substring of any two domain names queried within the time window and counts the occurrences of each longest common substring; the one that occurs most often is the window longest common substring. Note that there are many algorithms for computing the window longest common substring; any that yields the window longest common substring and its number of occurrences within the time window falls within the scope of the invention.

[0029] Further, all DNS queries from the local network are monitored at the LAN gateway, recording the source IP of each query, the queried domain name, the query time and the DNS server's response. If, within one time window, the DNS queries issued by a particular host have the following characteristics: 1) the number of occurrences of the window longest common substring exceeds a threshold; 2) among the DNS queries that contain the window longest common substring, the frequency with which the DNS server answers "no A record found for this domain name" exceeds a threshold; then the host is considered to be using Domain Flux to address its C&C.

[0030] Since both the DNS queries issued and the DNS server's responses are recorded, the mapping between domain names and IP addresses is available. Because Domain Flux addressing ends either when an authenticated C&C is found or when the whole pool has been polled, the gateway can determine which domain name is the malicious domain. From the source IP of the Domain Flux data stream, that host can be determined to be infected with a bot. Furthermore, if other hosts in the network query the same domain names, the gateway can rewrite the DNS server's reply, preventing the other infected hosts from obtaining control commands.

[0031] Specifically, for the monitoring module:

[0032] The general procedure for capturing and analysing the data stream is: 1) obtain the list of network adapters; 2) open the network adapter; 3) capture data; 4) analyse the data stream according to protocol characteristics and extract information.
[0033] A few remarks on capturing the data stream: 1) the monitoring module is developed on winpcap, but there are many ways to capture a data stream, and any that captures all packets passing through the local network interface falls within the scope of the invention; 2) packet capture is not the focus of the invention and is well documented, so it is not described in detail; the description below starts from packet processing.

[0034] Structures are defined to store the information extracted from DNS packets.

[0035] First determine whether the packet is a DNS request packet; if not, return FALSE. If it is, parse from the packet the source IP address that issued the DNS query, the queried domain name and the timestamp, and return them in the DNSRequest structure. Return TRUE if this succeeds and FALSE otherwise.

[0036] First determine whether the packet is a DNS response packet; if not, return FALSE. If it is, parse from the packet its destination IP address, the domain name and the IP address corresponding to it, and return them in the DNSResponse structure. Return TRUE on success.
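The following is an added example of the packet-processing step in [0034] to [0036]; it is written for this page and is not the patent's winpcap-based code. It assumes the IP and UDP headers have already been stripped, so the function receives the bare DNS message (RFC 1035 wire format), and it distinguishes request from response by the QR bit of the header rather than by port. Unlike the page's description, which only keeps the A record, it also exposes RCODE, so an NXDOMAIN answer can be told apart from a NOERROR answer that simply carried no A record (a CNAME-only reply, for instance). The sample messages at the bottom are constructed by build_query and build_response, not captured traffic; the hostnames in them are made up.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple, Union

QR_RESPONSE = 0x8000      # header flag bit: 1 = response (RFC 1035 4.1.1)
RCODE_NXDOMAIN = 3        # "name error": the queried name does not exist
TYPE_A, CLASS_IN = 1, 1


@dataclass
class DNSRequest:
    txid: int
    qname: str


@dataclass
class DNSResponse:
    txid: int
    qname: str
    rcode: int
    a_records: List[str] = field(default_factory=list)   # empty = Table I's blank cell


def _read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at off; return (name, offset just past it)."""
    labels, end, jumps = [], None, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if jumps > 16:
                raise ValueError("pointer loop")  # hostile packets can point at themselves
            if end is None:
                end = off + 2                     # the pointer is the last thing in place
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumps += 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(payload: bytes) -> Union[DNSRequest, DNSResponse]:
    """Parse one DNS message (UDP payload only) into the request/response structure."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = _read_name(payload, 12)
    off += 4                                      # skip QTYPE and QCLASS
    if not flags & QR_RESPONSE:
        return DNSRequest(txid, qname)
    resp = DNSResponse(txid, qname, flags & 0x000F)
    for _ in range(ancount):
        _owner, off = _read_name(payload, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            resp.a_records.append(".".join(str(b) for b in rdata))
    return resp


# ---- constructed sample messages (built here, not captured) -------------------------
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid: int, qname: str) -> bytes:
    head = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # RD set, QR clear
    return head + _encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid: int, qname: str, rcode: int, addrs: List[str]) -> bytes:
    head = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)  # QR, RD, RA
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)      # name = pointer to question
        + bytes(int(x) for x in a.split("."))
        for a in addrs)
    return head + question + answers


if __name__ == "__main__":
    print(parse_dns(build_query(0x1234, "k3jq9x.dyndns.com")))
    print(parse_dns(build_response(0x1234, "k3jq9x.dyndns.com", RCODE_NXDOMAIN, [])))
```

On a real gateway the source IP of the request and the destination IP of the response come from the IP header that this function assumes is already removed, and the transaction ID returned here is what lets an answer be matched to its request even when the same host queries the same name twice.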

[0037] For the database operation module:

[0038] Preparation: install the MySQL database system (other database systems may also be used) and design the database table in the following format:

[0039]

| Source IP | Requested DNS | Time Stamp | DNS A Record |

[0040] Record each monitored DNS request in the database. If DNS queries from this host have already been recorded, add a new record to the table for this host, storing the host IP, the queried domain name and the timestamp of the query in their fields. If the host IP has no record in the database yet, create a new one. Return TRUE if the operation succeeds and FALSE if it fails.

[0041] Record each monitored DNS server response in the database. First look up the matching record by the destination IP of the DNS response packet and the queried domain name, then store the A record for that domain name in the record's DNS A Record field. Return TRUE if the operation succeeds and FALSE if it fails.

[0042] Look up the Source IP field of the database and delete the data records for that field value.
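The following is an added example of the database operation module described in [0038] to [0042]; it is written for this page, not taken from the patent, and uses sqlite3 instead of MySQL so that it runs offline. It keeps the page's four-field table, but stores one row per query with the source IP as a column rather than one table per host, and it distinguishes a request that has not been answered yet (NULL) from one answered without an A record (the sentinel NXDOMAIN), because only the latter is the "blank DNS IP" of Table I. The sample rows in the usage are constructed; the hostnames are made up.

```python
import sqlite3
from typing import List, Optional, Tuple

NXDOMAIN = "NXDOMAIN"   # sentinel: an answer arrived but carried no A record (Table I's blank cell)


class DnsWindowStore:
    """Four-field table from the page: dns_a_record is NULL until the answer is seen."""

    def __init__(self, path: str = ":memory:") -> None:
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS dns_log ("
            "  source_ip     TEXT NOT NULL,"
            "  requested_dns TEXT NOT NULL,"
            "  time_stamp    REAL NOT NULL,"
            "  dns_a_record  TEXT)"
        )

    def record_request(self, source_ip: str, requested_dns: str, time_stamp: float) -> bool:
        """[0040]: one row per observed query; the host IP is a column, so no per-host tables."""
        self.conn.execute(
            "INSERT INTO dns_log (source_ip, requested_dns, time_stamp, dns_a_record)"
            " VALUES (?, ?, ?, NULL)",
            (source_ip, requested_dns, time_stamp))
        return True

    def record_response(self, dest_ip: str, requested_dns: str, a_record: Optional[str]) -> bool:
        """[0041]: attach the answer to the newest still-unanswered request for (dest IP, name),
        so a retransmitted query does not get its earlier answer overwritten."""
        cur = self.conn.execute(
            "UPDATE dns_log SET dns_a_record = ? WHERE rowid = ("
            "  SELECT rowid FROM dns_log WHERE source_ip = ? AND requested_dns = ?"
            "  AND dns_a_record IS NULL ORDER BY time_stamp DESC LIMIT 1)",
            (a_record if a_record is not None else NXDOMAIN, dest_ip, requested_dns))
        return cur.rowcount == 1          # FALSE when no matching request was ever recorded

    def window(self, source_ip: str, start: float, length: float
               ) -> List[Tuple[str, float, Optional[str]]]:
        """Rows for one host in [start, start + length): the input of the window LCS module."""
        return self.conn.execute(
            "SELECT requested_dns, time_stamp, dns_a_record FROM dns_log"
            " WHERE source_ip = ? AND time_stamp >= ? AND time_stamp < ? ORDER BY time_stamp",
            (source_ip, start, start + length)).fetchall()

    def purge(self, source_ip: str) -> int:
        """[0042]: drop the host's rows once its window has been evaluated; returns rows deleted."""
        cur = self.conn.execute("DELETE FROM dns_log WHERE source_ip = ?", (source_ip,))
        return cur.rowcount


if __name__ == "__main__":
    store = DnsWindowStore()
    store.record_request("10.0.0.11", "k3jq9x.dyndns.com", 1.0)   # constructed sample rows
    store.record_response("10.0.0.11", "k3jq9x.dyndns.com", None)
    print(store.window("10.0.0.11", 0.0, 30.0))
    print(store.purge("10.0.0.11"), "rows purged")
```

When the window is handed to the longest common substring module, rows whose dns_a_record is NXDOMAIN count as failed resolutions; rows still NULL at the end of the window received no answer at all (a timeout), which in practice is also a failure, but the two are worth keeping apart while debugging capture.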

[0043] For the window longest common substring module:

[0044] Process the DNS query records of a single IP within one time window and decide whether they constitute Domain Flux traffic.

[0045] For the records within the same time window, use the LCS algorithm (other longest common substring algorithms may also be used) to compute the longest common substring of any two records. Count the occurrences of all the longest common substrings; the one that occurs most often is the window longest common substring. Record the window longest common substring and its number of occurrences.

[0046] If the number of occurrences of the window longest common substring is below a preset threshold, the DNS query data stream in this time window is not a Domain Flux data stream. Otherwise, take the DNS queries that contain the window longest common substring and compute the proportion whose A record in the database is empty; if that value exceeds a preset threshold, the DNS query data stream in this time window is considered a Domain Flux data stream. Otherwise, the data stream is not a Domain Flux data stream.

[0047] Figure 3 is a schematic of the system in operation; the method should run at the network boundary, i.e. on the gateway shown in the figure. Table I shows the data records obtained by monitoring and recording (a blank in the DNS IP column of the table means that the DNS server could not find an A record for that domain name). The description below starts from the computation of the window longest common substring.

[0048] The time window is set to 30 seconds. For DNS queries caused by normal web browsing or other legitimate use, the number of queries issued by a single IP within 30 seconds does not exceed 5. In normal use the probability of a DNS query failing is also small; it is set to 5%. The window longest common substring is computed first for the data in one time window; it is easy to see that in this experiment the window longest common substring is dyndns.com, occurring 8 times in total. Next, the failure rate of the DNS queries containing the window longest common substring dyndns.com is 100% (a DNS query whose returned A record is empty counts as a failure), far above the failure threshold that was set.

[0049] In summary, the DNS query data stream in this time window is determined to be a Domain Flux data stream. Further, from the Source IP it is inferred that host 10.0.0.11 is infected with a bot that uses Domain Flux for its C&C. Filtering the packets on host 10.0.0.11 then yields a sample of the bot. Once some query in the Domain Flux data stream obtains an A record for its domain name, that domain name and IP can be added to the malicious domain list; and if other hosts in the local network are found to have the same window longest common substring, the DNS server's reply can be rewritten at the gateway to cut the communication between the bot hosts and the master.
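The following is an added example of the window longest common substring module of [0044] to [0046] run over the kind of data in the worked example of [0048] and [0049]; it is written for this page and is not the patent's implementation. Two points the page leaves open are fixed here as assumptions: "longest common substring" is taken literally (contiguous, the classic dynamic programme, not the longest common subsequence), and since the page does not say whether the 8 occurrences of dyndns.com are counted over name pairs or over queries, the pairwise tally is used only to elect the window substring and the threshold is then applied to the number of queries in the window that contain it. The records below are constructed to mirror Table I (the patent's table is not reproduced on this page): the random labels under dyndns.com are made up, as is the benign host 10.0.0.12. Leading and trailing dots are stripped from each pairwise result so that ".dyndns.com" and "dyndns.com" vote together; note that if two random labels happen to end in the same character the pair's substring grows by that character and splits the vote, one reason to count queries rather than pairs against the threshold.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DnsRecord:
    source_ip: str
    requested_dns: str
    time_stamp: float              # seconds since the start of capture
    dns_a_record: Optional[str]    # None = no A record returned (Table I's blank DNS IP cell)


@dataclass
class Verdict:
    is_domain_flux: bool
    window_lcs: str
    occurrences: int               # queries in the window that contain the window LCS
    fail_rate: float               # share of those queries that got no A record


def longest_common_substring(a: str, b: str) -> str:
    """Contiguous longest common substring, classic O(|a|*|b|) dynamic programme."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def window_lcs(names: List[str]) -> Tuple[str, int]:
    """[0045]: pairwise LCS over the window; returns (most frequent substring, pair count)."""
    tally: Counter = Counter()
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            s = longest_common_substring(names[i], names[j]).strip(".")
            if s:
                tally[s] += 1
    if not tally:
        return "", 0
    return tally.most_common(1)[0]


def detect(records: List[DnsRecord], source_ip: str, window_start: float, window_len: float,
           min_occurrences: int, max_fail_rate: float) -> Verdict:
    """[0046]: the two-threshold test for one host in one time window."""
    in_window = [r for r in records
                 if r.source_ip == source_ip
                 and window_start <= r.time_stamp < window_start + window_len]
    wlcs, _pairs = window_lcs([r.requested_dns for r in in_window])
    hits = [r for r in in_window if wlcs and wlcs in r.requested_dns]
    if len(hits) < min_occurrences:          # too few queries share the substring
        return Verdict(False, wlcs, len(hits), 0.0)
    fail_rate = sum(1 for r in hits if r.dns_a_record is None) / len(hits)
    return Verdict(fail_rate > max_fail_rate, wlcs, len(hits), fail_rate)


# Constructed records standing in for Table I (not the patent's data). Host 10.0.0.11 polls
# eight random-label names under dyndns.com and gets no A record for any of them, plus one
# ordinary lookup; 10.0.0.12 is a benign host whose queries all resolve.
SAMPLE_RECORDS = [
    DnsRecord("10.0.0.11", f"{label}.dyndns.com", 1.0 + i, None)
    for i, label in enumerate(["k3jq9x", "v7tb2n", "p0zqw4", "h8sy6r",
                               "d2mkc1", "u5fn3g", "x9rlt7", "b4cwz0"])
] + [
    DnsRecord("10.0.0.11", "www.example.com", 12.0, "203.0.113.10"),
    DnsRecord("10.0.0.12", "www.example.com", 2.0, "203.0.113.10"),
    DnsRecord("10.0.0.12", "mail.example.com", 5.0, "203.0.113.11"),
    DnsRecord("10.0.0.12", "cdn.example.com", 9.0, "203.0.113.12"),
]

if __name__ == "__main__":
    # 30 s window, at most 5 legitimate queries per host, at most 5 % failures, as in [0048]
    for host in ("10.0.0.11", "10.0.0.12"):
        print(host, detect(SAMPLE_RECORDS, host, 0.0, 30.0, 5, 0.05))
```

The benign host shows why both thresholds are needed: its three names share the long substring example.com, exactly as a busy site's hosts or a CDN's names would, and only the resolution failure rate separates that from Domain Flux. The pairwise step is quadratic in the number of queries per window, which is acceptable for a 30 s window per host but is the first thing to replace if windows or hosts grow.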

[0050] [Table I is an image (CN101986642BD00081) on the original page and is not reproduced in this text.]

[0051] Table I: DNS query records within one time window

[0052] The thresholds and other numerical values in the example are only there to illustrate the implementation of the method; given the differences between network applications, they should not be taken as-is in a concrete implementation but chosen by analysing the specific network.

[0053] Finally, it should be noted that the above embodiments only describe the technical solution of the invention and do not limit it.

Claims (10)

1. A system for detecting Domain Flux data streams, comprising a monitoring module, a database operation module and a window longest common substring module; wherein the monitoring module monitors and analyses the data stream passing through the gateway, obtains DNS query request packets and DNS response packets, and extracts the source IP address, the queried domain name, the timestamp and the A record corresponding to that domain name; the database operation module records the source IP address, queried domain name, timestamp and A record extracted by the monitoring module in a database; the window longest common substring module computes the longest common substring of any two domain names queried within a time window and counts the occurrences of each longest common substring to determine the window longest common substring; and when, for the DNS queries issued by a particular host, the number of occurrences of the window longest common substring exceeds a threshold and the frequency with which the DNS queries containing the window longest common substring receive the DNS server answer "no A record found for this domain name" exceeds a threshold, the system determines that the host is using Domain Flux to address its C&C.
2. The system of claim 1, wherein the window longest common substring is the longest common substring, among those contained in the domain names queried within one time window, that occurs most often.
3. The system of claim 1, wherein the database operation module clears the database records after the time window ends and only needs to record the DNS data of one time window.
4. The system of claim 1, wherein the monitoring module further obtains the list of network adapters, opens a network adapter, captures data, and analyses the data stream according to protocol characteristics to extract information.
5. A method of detecting Domain Flux data streams, comprising: step 10), monitoring and analysing the data stream passing through the gateway, obtaining DNS query request packets and DNS response packets, and extracting the source IP address, the queried domain name, the timestamp and the A record corresponding to that domain name; step 20), recording the source IP address, queried domain name, timestamp and A record extracted by the monitoring module in a database; step 30), computing the longest common substring of any two domain names queried within a time window and counting the occurrences of each longest common substring to determine the window longest common substring; and when, for the DNS queries issued by a particular host, the number of occurrences of the window longest common substring exceeds a threshold and the frequency with which the DNS queries containing the window longest common substring receive the DNS server answer "no A record found for this domain name" exceeds a threshold, determining that the host is using Domain Flux to address its C&C.
6.权利要求5的方法,其中,步骤30)中,窗ロ的最大公共子串是ー个时间窗口内DNS都包含的、出现次数最多的最大公共子串。 The method of claim 5, wherein, in the step 30), the maximum common substring is ー ro window within a time window are included in the DNS, the maximum number of times the most frequent common substrings.
7.权利要求5的方法,其中,步骤20)中,在时间窗ロ结束之后清理数据库记录,并且仅需记录一个时间窗ロ内的DNS数据。 The method of 5, wherein, in the step 20), after the clean-up database records the time window ro, and requires a DNS record data within a time window of claim ro.
8.权利要求5的方法,其中,步骤10)还包括: 获取网络适配器列表,打开网络适配器,捕获数据,根据协议特征来分析数据流并提取信息。 The method of claim 5, wherein the step 10) further comprises: obtaining a list of the network adapter, the network adapter is opened, capture data, according to a protocol data stream feature to analyze and extract information.
9. The method of claim 8, wherein step 10) further comprises:
Step 110): determining that a packet is a DNS request packet, parsing from the DNS packet the source IP address that initiated the DNS query, the destination address to be queried, and the timestamp, and returning them;
Step 120): determining that a packet is a DNS response packet, parsing from the DNS packet the destination IP address of the packet, the DNS name, and its corresponding IP address, and returning them.
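As an added illustration of steps 110) and 120), not code from the patent, the following Python parses the DNS message body of a captured UDP payload for the fields the method records: the queried name, the A records in a response, and whether the response code means "no such domain". The source and destination IP addresses and the timestamp are taken from the IP header and the capture time rather than from the DNS message, so they are passed in by the caller. The sample packets are constructed inline with builder helpers that are assumptions of this example.

```python
import struct

# Added example (not the patent's code): a minimal parser for the DNS
# wire format that pulls out the fields steps 110) and 120) record.
# Sample packets below are constructed with helper builders that are
# assumptions of this example, not part of the original method.

def _read_name(msg, off):
    """Decode a possibly compressed domain name at `off`.
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:                           # refuse pointer loops
                raise ValueError("DNS name compression loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end

def parse_dns(msg):
    """Return transaction id, QR flag, RCODE, question name/type and A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    off = 12
    qname, off = _read_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    a_records = []
    for _ in range(an):
        _owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:               # A record
            a_records.append(".".join(str(b) for b in rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "a_records": a_records}

def extract_record(src_ip, dst_ip, ts, payload):
    """Steps 110)/120): the record the method stores for one captured DNS payload.
    IP addresses and the timestamp come from the IP header and capture time."""
    d = parse_dns(payload)
    if not d["response"]:
        return {"kind": "query", "src_ip": src_ip, "qname": d["qname"], "ts": ts}
    return {"kind": "response", "dst_ip": dst_ip, "qname": d["qname"],
            "a_records": d["a_records"], "nxdomain": d["rcode"] == 3}

# --- constructed sample packets (assumed helpers, for demonstration only) ---
def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(name, txid=0x1234):
    """Standard A query for `name`."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + _encode_name(name) + struct.pack("!HH", 1, 1))

def build_response(name, ips, rcode=0, txid=0x1234):
    """Response with one A record per ip; owner names use a pointer to offset 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    msg += _encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes(int(x) for x in ip.split(".")))
    return msg

if __name__ == "__main__":
    print(extract_record("10.0.0.5", "10.0.0.53", 1000,
                         build_query("q7f3kx.evil-c2.example")))
    print(extract_record("10.0.0.53", "10.0.0.5", 1001,
                         build_response("q7f3kx.evil-c2.example", [], rcode=3)))
```

The pointer-hop limit in `_read_name` matters for a sensor that sits on a gateway: a malformed message with a looping compression pointer would otherwise hang the monitoring module. RCODE 3 (NXDOMAIN) is what the claims describe as the "no A record found for the domain name" response.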
10. The method of claim 5, wherein step 30) further comprises:
Step 310): for the records within the same time window, computing the maximum common substring of any two records using a maximum common substring algorithm;
Step 320): counting the number of occurrences of all the maximum common substrings, determining the maximum common substring with the most occurrences as the window maximum common substring, and returning the number of occurrences of the window maximum common substring;
Step 330): when the number of occurrences of the maximum common substring exceeds a threshold, and the frequency with which the DNS queries corresponding to the window maximum common substring receive the DNS server response "no A record found for the domain name" exceeds a threshold, determining that the DNS query data stream within the time window belongs to a Domain Flux data stream.
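To make steps 310) to 330) concrete, here is an added Python example (not the patent's own code) that runs the window computation over constructed sample records of the form (source IP, queried name, timestamp, RCODE). The pairwise maximum common substring is computed with the standard dynamic-programming longest common substring algorithm; the `min_len` filter, the per-host grouping, and the "at least" threshold comparisons are assumptions of this example rather than details the claims specify.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Added example (not the patent's code) of steps 310) to 330): pairwise
# maximum common substring within a time window, occurrence counting, and
# the two-threshold decision. Records are constructed sample data.

def longest_common_substring(a, b):
    """Step 310): dynamic-programming longest common substring of two names."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def window_max_common_substring(names, min_len=4):
    """Step 320): count the maximum common substring of every pair of names and
    return the most frequent one with its count. `min_len` is an assumption of
    this example: it keeps trivial matches such as ".com" from winning."""
    counts = Counter()
    for x, y in combinations(names, 2):
        s = longest_common_substring(x, y)
        if len(s) >= min_len:
            counts[s] += 1
    if not counts:
        return "", 0
    return counts.most_common(1)[0]

NXDOMAIN = 3   # DNS RCODE "no such domain", i.e. no A record found

def detect_domain_flux(records, window_start, window_len,
                       count_threshold, nxdomain_threshold):
    """Step 330): per source host, flag Domain Flux when the window maximum
    common substring occurs at least `count_threshold` times and the queries
    containing it are answered NXDOMAIN at a rate of at least `nxdomain_threshold`.
    records: iterable of (src_ip, qname, timestamp, rcode)."""
    by_host = defaultdict(list)
    for src_ip, qname, ts, rcode in records:
        if window_start <= ts < window_start + window_len:
            by_host[src_ip].append((qname, rcode))
    flagged = {}
    for src_ip, entries in by_host.items():
        sub, count = window_max_common_substring([q for q, _ in entries])
        if count < count_threshold:
            continue
        matching = [rc for q, rc in entries if sub in q]
        nx_rate = sum(1 for rc in matching if rc == NXDOMAIN) / len(matching)
        if nx_rate >= nxdomain_threshold:
            flagged[src_ip] = (sub, count, nx_rate)
    return flagged

# Constructed sample: one host cycling algorithmically generated names under a
# fixed suffix (mostly NXDOMAIN), one host doing ordinary lookups, and one
# record outside the window that must be ignored.
SAMPLE_RECORDS = [
    ("10.0.0.5", "q7f3kx.evil-c2.example", 1001, NXDOMAIN),
    ("10.0.0.5", "a9zp2m.evil-c2.example", 1004, NXDOMAIN),
    ("10.0.0.5", "t0b8wq.evil-c2.example", 1009, NXDOMAIN),
    ("10.0.0.5", "r4ky1n.evil-c2.example", 1015, NXDOMAIN),
    ("10.0.0.5", "m2vd6h.evil-c2.example", 1022, NXDOMAIN),
    ("10.0.0.5", "c5xn3j.evil-c2.example", 1030, 0),        # one resolved
    ("10.0.0.9", "www.example.org", 1002, 0),
    ("10.0.0.9", "mail.example.org", 1011, 0),
    ("10.0.0.9", "cdn.example.org", 1025, 0),
    ("10.0.0.5", "z1z1z1.evil-c2.example", 2000, NXDOMAIN),  # outside window
]

if __name__ == "__main__":
    print(detect_domain_flux(SAMPLE_RECORDS, 1000, 60, 5, 0.5))
```

With the sample, the six in-window names of 10.0.0.5 produce fifteen pairs that all share ".evil-c2.example", five of the six queries were answered NXDOMAIN, and the host is flagged; 10.0.0.9 shares ".example.org" across only three pairs with no NXDOMAIN answers and is not. The pairwise computation is quadratic in the number of names per window, which is why the claims keep only one window of data in the database at a time.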

Priority Applications (1)

Application Number Publication Number Priority Date Filing Date Title
CN 201010517771 CN101986642B (en) 2010-10-18 2010-10-18 Detection system and method of Domain Flux data stream

Applications Claiming Priority (1)

Application Number Publication Number Priority Date Filing Date Title
CN 201010517771 CN101986642B (en) 2010-10-18 2010-10-18 Detection system and method of Domain Flux data stream

Publications (2)

Publication Number Publication Date
CN101986642A CN101986642A (en) 2011-03-16
CN101986642B true CN101986642B (en) 2012-12-26

Family

ID=43710945

Family Applications (1)

Application Number Publication Number Priority Date Filing Date Title
CN 201010517771 CN101986642B (en) 2010-10-18 2010-10-18 Detection system and method of Domain Flux data stream

Country Status (1)

Country Link
CN (1) CN101986642B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102868669B (en) * 2011-07-08 2016-04-06 上海寰雷信息技术有限公司 A kind of means of defence for constantly change prefix domain name attack and device
CN102685145A (en) * 2012-05-28 2012-09-19 西安交通大学 Domain name server (DNS) data packet-based bot-net domain name discovery method
CN104618354B (en) * 2015-01-19 2018-04-27 中国科学院信息工程研究所 A kind of cache optimization method and system resisted continuation and become the attack of domain name prefix
US20180139224A1 (en) * 2015-08-31 2018-05-17 Hewlett Packard Enterprise Development Lp Collecting domain name system traffic
CN105897714B (en) * 2016-04-11 2018-11-09 天津大学 Botnet detection method based on DNS traffic characteristics
CN107623751A (en) * 2016-07-14 2018-01-23 网宿科技股份有限公司 DNS network systems, domain name analytic method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101360019A (en) 2008-09-18 2009-02-04 华为技术有限公司 Detection method, system and apparatus of zombie network
CN101488965A (en) 2009-02-23 2009-07-22 中国科学院计算技术研究所 Domain name filtering system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100442594B1 (en) * 2001-09-11 2004-08-02 삼성전자주식회사 Packet data service method for wireless telecommunication system and apparatus therefor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
季大臣 et al. Research on the network organization mechanisms of botnets. Proceedings of the National Computer Security Academic Exchange Conference. 2010, vol. 25, pp. 385-389.

Also Published As

Publication number Publication date
CN101986642A (en) 2011-03-16

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted