CN104935556B - A kind of network security processing method, apparatus and system - Google Patents
Publication number: CN104935556B (application CN201410105388.1A)
- Authority: CN (China)
- Prior art keywords: dns, modification, server, event, client
- Legal status: Active
Classifications
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H04L61/5076—Address allocation; Update or notification mechanisms, e.g. DynDNS
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
An embodiment of the invention discloses a network security processing method, apparatus and system. In the method, when a client detects a domain name system (DNS) modification event on the client's router, it obtains the modification link information corresponding to the event and the link information of the site being accessed, and sends both to a server. The server extracts an accessed-site identity from the site link information and, from the modification link information, obtains the target DNS identifier of the site to which the modification link points. The server then decides, from the accessed-site identity and the target DNS identifier, whether the DNS modification event on the client router is legitimate. With the invention, illegal DNS modification events can be determined more promptly and comprehensively, suspicious DNS servers can be identified, and network security is ensured to a certain extent.
Description
Technical field
The present invention relates to the field of computer network security, and in particular to a network security processing method, apparatus and system.
Background technique
DNS (Domain Name System) is the system on the Internet that maps domain names to IP addresses. Based on this correspondence, the IP address of the website named in an access request can be found from the domain name; the resolution is performed by a dedicated domain name resolution system, and DNS is that system.
DNS hijacking, also known as domain hijacking, modifies the user's DNS so that a domain name no longer points where the service originally intended but to an IP address chosen by the hijacker. The information the service wants to present to the user is replaced, the user experience degrades, and both the service and the user suffer losses. DNS hijacking is carried out by changing the router's original, legitimate DNS to a specific malicious DNS.
At present, judging whether a DNS modification is malicious relies mainly on manually collected user feedback: when a user's browsing experience becomes abnormal, the cause is traced back to a DNS modification, and the DNS is then confirmed as malicious by manual verification. The drawback of this prior art is that the DNS is identified only after the user's browsing experience has already been disrupted, and the identification cycle is long: from the appearance of a malicious DNS to the arrival of user feedback is usually a lengthy process.
Summary of the invention
The technical problem addressed by the embodiments of the invention is to provide a network security processing method, apparatus and system that can detect DNS modification events promptly and quickly, so as to ensure the user's network security.
To solve the above problem, an embodiment of the invention provides a network security processing method, comprising:
when a client detects a domain name system (DNS) modification event on the client's router, the client obtains the modification link information corresponding to the modification event and the link information of the site being accessed, and sends them to a server;
the server extracts an accessed-site identity from the modification link information and, from the accessed-site link information, obtains the target DNS identifier of the accessed site;
the server decides, from the accessed-site identity and the target DNS identifier, whether the DNS modification event on the client router is legitimate.
An embodiment of the invention also provides another network security processing method, comprising:
receiving, from a client, modification link information and link information of the accessed site;
extracting an accessed-site identity from the site link information, and obtaining, from the modification link information, the target DNS identifier of the site to which the modification link points;
deciding, from the accessed-site identity and the target DNS identifier, whether the DNS modification event on the client router is legitimate;
wherein the modification link information and the accessed-site link information are obtained and sent by the client when it detects a DNS modification event on the client router.
An embodiment of the invention further provides another network security processing method, comprising:
detecting, while a website is being accessed, a DNS modification event on the local router;
when a DNS modification event is detected, obtaining the modification link information corresponding to the event and the link information of the site being accessed;
sending the obtained modification link information and accessed-site link information to a server.
Correspondingly, an embodiment of the invention further provides a network security processing device, comprising:
a receiving module, for receiving from a client modification link information and link information of the accessed site, which the client obtains and sends when it detects a DNS modification event on the client router;
a processing module, for extracting an accessed-site identity from the site link information and obtaining, from the modification link information, the target DNS identifier of the site to which the modification link points;
a detection module, for deciding, from the accessed-site identity and the target DNS identifier, whether the DNS modification event on the client router is legitimate.
An embodiment of the invention also provides another network security processing device, comprising:
an event detection module, for detecting a DNS modification event on the local router while a website is being accessed;
an obtaining module, for obtaining, when a DNS modification event is detected, the modification link information corresponding to the event and the link information of the site being accessed;
a sending module, for sending the obtained modification link information and accessed-site link information to a server.
Correspondingly, an embodiment of the invention further provides a network security processing system comprising a client and a server, wherein:
the client is configured to obtain, when it detects a DNS modification event on the client router, the modification link information corresponding to the event and the link information of the site being accessed, and to send them to the server;
the server is configured to extract an accessed-site identity from the modification link information, to obtain from the accessed-site link information the target DNS identifier of the accessed site, and to decide, from the accessed-site identity and the target DNS identifier, whether the DNS modification event on the client router is legitimate.
In the embodiments of the invention, the client collects the modification link information and the accessed-site link information when a DNS modification event occurs, and the server checks the legitimacy of the client router's DNS modification event from these two pieces of information. Illegal DNS modification events can therefore be determined more promptly and comprehensively, suspicious DNS servers identified, and network security ensured to a certain extent.
Detailed description of the invention
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a network security processing method according to an embodiment of the invention;
Fig. 2 is a flow diagram of another network security processing method according to an embodiment of the invention;
Fig. 3 is a flow diagram of another network security processing method according to an embodiment of the invention;
Fig. 4 is a flow diagram of another network security processing method according to an embodiment of the invention;
Fig. 5 is a structural schematic diagram of a network security processing device according to an embodiment of the invention;
Fig. 6 is a structural schematic diagram of a server according to an embodiment of the invention;
Fig. 7 is a structural schematic diagram of another network security processing device according to an embodiment of the invention;
Fig. 8 is a structural schematic diagram of a user terminal according to an embodiment of the invention;
Fig. 9 is a structural schematic diagram of a network security processing system according to an embodiment of the invention.
Specific embodiment
The technical solutions of the embodiments of the invention are described below clearly and completely with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, which is a flow diagram of a network security processing method according to an embodiment of the invention. The method can be applied between a client and a server of any kind of network security monitoring. Specifically, the method comprises:
S101: when the client detects a domain name system (DNS) modification event on the client router, it obtains the modification link information corresponding to the event and the link information of the site being accessed, and sends them to a server.
The client accesses a website on the network only after a DNS (Domain Name System) server has converted the domain name to an IP address. Normally, for some DNS servers that have developed problems, the associated site can increase access speed by repairing the DNS on the client. One way to detect a DNS modification event is for the client to conclude that a router DNS modification event has occurred when it detects that the IP address of the local DNS has been changed to an abnormal IP address.
For example, a user accesses the website www.xx.com; the accessed-site link information is hereafter called A. A jumps to the modification link http://192.168.1.1/hello?dns_server=114.114.114.114, hereafter called B, so the Referer of B contains A. The client can inspect every URL the user accesses and check whether it is an access to a local IP address (for example one beginning with 192.168). When the client sees B and finds that it is a URL beginning with 192.168, it can regard this as a possible DNS modification event.
After detecting the modification event, the client obtains the modification link information that initiated the modification and the link information of the site the current user is accessing in the browser, and sends both to the server; that is, B and B's Referer, A, are sent to the server together.
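The client-side detection of S101, written out as an added example (this is not code from the patent): the client watches the URLs the browser requests, flags a request to a private LAN address such as 192.168.x.x whose query carries a DNS-server parameter, and pairs it with the Referer, i.e. the site the user was visiting, to build the report that is sent to the server. The parameter name dns_server and the addresses come from the page's example; the report field names and the sample request list are constructed here.

```python
"""Client-side detector for a router DNS modification event (added example).

Models steps S101/S401: scan requested URLs, flag a request to a private
(LAN) host carrying a ``dns_server`` query parameter, and pair it with its
Referer to form the report sent to the server. Field names and sample
traffic are constructed for this example.
"""
import ipaddress
import json
from dataclasses import asdict, dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class ModificationReport:
    """What the client sends: B (the modification link), A (the accessed
    site, taken from B's Referer) and the DNS address carried in B."""
    modification_link: str
    site_link: str
    target_dns: str

    def to_json(self) -> str:
        return json.dumps(asdict(self))


def is_private_host(host: str) -> bool:
    """True when the URL host is a private or link-local IP address, which
    is how a home router's management page is normally reached."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a LAN address
    return ip.is_private or ip.is_link_local


def extract_dns_parameter(url: str) -> Optional[str]:
    """Return the value of the ``dns_server`` query parameter, if present."""
    values = parse_qs(urlsplit(url).query).get("dns_server")
    return values[0] if values else None


def detect_modification(request_url: str, referer: Optional[str]) -> Optional[ModificationReport]:
    """Return a report when ``request_url`` looks like a router DNS change
    (private host plus dns_server parameter); otherwise None."""
    host = urlsplit(request_url).hostname or ""
    if not is_private_host(host):
        return None
    target = extract_dns_parameter(request_url)
    if target is None:
        return None
    return ModificationReport(request_url, referer or "", target)


def scan_requests(requests: Iterable[Tuple[str, Optional[str]]]) -> List[ModificationReport]:
    """Run the detector over (url, referer) pairs, as a browser extension or
    local proxy would, and collect the reports to send to the server."""
    return [r for r in (detect_modification(u, ref) for u, ref in requests) if r]


# Constructed sample traffic: a normal visit to www.xx.com, then the
# modification link from the page with the visited site as its Referer,
# then an ordinary router status page that must not be reported.
SAMPLE_REQUESTS = [
    ("http://www.xx.com/", None),
    ("http://www.xx.com/static/app.js", "http://www.xx.com/"),
    ("http://192.168.1.1/hello?dns_server=114.114.114.114", "http://www.xx.com/"),
    ("http://192.168.1.1/status.html", "http://192.168.1.1/"),
]

if __name__ == "__main__":
    for report in scan_requests(SAMPLE_REQUESTS):
        print(report.to_json())
```

Only the request that combines a private host with a dns_server parameter is reported; a plain visit to the router's own pages, or a public site whose URL happens to contain such a parameter, produces nothing.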
S102: the server extracts an accessed-site identity from the site link information and obtains, from the modification link information, the target DNS identifier of the site to which the modification link points.
The accessed-site identity is mainly the name of the website the user accessed, such as "xx" in www.xx.com above; the target DNS identifier is the DNS indicated in the modification link, such as "114.114.114.114" in the modification link http://192.168.1.1/hello?dns_server=114.114.114.114 above.
S103: the server decides, from the accessed-site identity and the target DNS identifier, whether the DNS modification event on the client router is legitimate.
Checking the legitimacy of the client router's DNS modification event means deciding whether the modification is legal or illegal. When it is judged illegal, the client is considered to have suffered a DNS hijacking incident; the IP address of the DNS after this modification can then be recorded as an illegal DNS, and security control can be initiated for the client.
Specifically, a set of legitimate site identities, i.e. a white list, can be configured. The websites corresponding to the site identities in the white list can help the user repair a faulty DNS to improve access speed, so these modifications are benign, whereas a DNS modification produced by a website outside the legitimate-site set can be preliminarily regarded as a suspicious DNS modification. Of course, once enough legitimate sites have been entered in the set, an accessed-site identity that is not in the set can be taken directly to mean the modification is illegal.
After the client's DNS modification has been preliminarily regarded as suspicious, the legitimacy of the client router's DNS modification event is further decided from the port information and/or the geographic region of the DNS server indicated by the target DNS identifier. Specifically:
the server checks whether a specified target port is open in the port information of the DNS server indicated by the target DNS identifier, and if it is open, the server decides that the DNS modification event on the client router is an illegal operation event. In practice this can be a check of the ports open on the DNS server identified by the modified target DNS identifier: if the target DNS has port 80 open, the target DNS is regarded as highly suspicious. And/or
the server checks whether the region of the DNS server indicated by the target DNS identifier and the region of the client's current IP address satisfy a preset validity condition, and if not, the server decides that the DNS modification event on the client router is an illegal operation event. In practice this can be a comparison of the region of the user's IP with the region of the target DNS: if the user's IP is domestic but the target DNS is abroad, the target DNS of this modification is regarded as highly suspicious.
Of course, in other embodiments S103 can also comprise: the server decides, from the accessed-site identity, the target DNS identifier and a preset legitimacy decision scheme, that the DNS modification event on the client router is an illegal operation event, specifically by any one or more of the following steps:
when the accessed-site identity is not recorded in the preset set of legitimate site identities, deciding that the DNS modification event on the client router is an illegal operation event;
when the target port specified in the port information of the DNS server indicated by the target DNS identifier is open, deciding that the DNS modification event on the client router is an illegal operation event;
when the region of the DNS server indicated by the target DNS identifier and the region of the client's current IP address do not satisfy the preset validity condition, deciding that the DNS modification event on the client router is an illegal operation event.
In this embodiment, the client collects the modification link information and the accessed-site link information when a DNS modification event occurs, and the server checks the legitimacy of the client router's DNS modification event from these two pieces of information. Illegal DNS modification events can therefore be determined more promptly and comprehensively, suspicious DNS servers identified, and network security ensured to a certain extent.
Referring now to Fig. 2, which is a flow diagram of another network security processing method according to an embodiment of the invention. The method can be applied between a client and a server of any kind of network security monitoring. Specifically, the method comprises:
S201: when the client detects a domain name system (DNS) modification event on the client router, it obtains the modification link information corresponding to the event and the link information of the site being accessed, and sends them to a server.
Before S201 the method may further comprise: while a website is being accessed, the client checks whether the network address in the generated modification link information is an abnormal address, and if so, determines that a DNS modification event of the client router has occurred.
S202: the server extracts an accessed-site identity from the site link information and obtains, from the modification link information, the target DNS identifier of the site to which the modification link points.
The accessed-site identity is mainly the IP address or similar of the website that produced the modification event, and the target DNS identifier is the IP address or similar of the DNS server of the website the client user is currently accessing.
S203: the server checks whether the accessed-site identity is recorded in a preset set of legitimate site identities.
The set of legitimate site identities is the white list: the websites corresponding to the site identities in it can help the user repair a faulty DNS to improve access speed, so these modifications are benign, whereas a DNS modification produced by a site outside the set can be preliminarily regarded as a suspicious DNS modification.
If the accessed-site identity is recorded in the set, the DNS modification event is a legal modification event. If it is not, the server preliminarily decides that the DNS modification event on the client router is an illegal operation event and proceeds to S204.
S204: the server checks whether the region of the DNS server indicated by the target DNS identifier and the region of the client's current IP address satisfy a preset validity condition.
In S204 the region of the DNS server indicated by the target DNS identifier is determined, as is the region of the client's current IP address. Determining the region from a DNS identifier or a client IP address is prior art and is not repeated here.
In this embodiment, satisfying the validity condition means that the regions of the DNS server and the client lie within a valid range: for example, if the DNS server is abroad while the client's region is domestic, the two do not satisfy the validity condition. The validity decision scheme can be modified as the user requires; for instance, one or more DNS servers geographically close to a given user can be deemed valid, and DNS servers in all other regions deemed invalid, i.e. not satisfying the validity condition.
If the result of S204 is that the validity condition is satisfied, the modification is a legal modification event and the corresponding DNS is a normal DNS. If it is not satisfied, S205 is executed.
S205: the server checks whether the target port specified in the port information of the DNS server indicated by the target DNS identifier is open.
In practice this can be a check of the ports open on the DNS server identified by the modified target DNS identifier: if the target DNS has port 80 open, the target DNS is regarded as highly suspicious and S206 and S207 are executed. If the port is not open, the modification is a legal modification event and the corresponding DNS is a normal DNS.
S206: the server decides that the DNS modification event on the client router is an illegal operation event.
S207: when the DNS modification event on the client router is determined to be an illegal operation event, the target DNS identifier is recorded.
When an illegal operation event is determined, the client is considered to have suffered a DNS hijacking incident; the IP address of the DNS after this modification can then be recorded as an illegal DNS, and security control can be initiated for the client.
Note that in other embodiments, where the security requirements of the DNS monitoring are stricter, only one of S203, S204 and S205, or any two of them, may be executed; that is, an illegal operation event is determined as soon as one or two of them so decide.
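The server-side decision of S102 and S103 (Fig. 1) and of the chain S203 to S207 (Fig. 2), written out as one added example (this is not code from the patent). It extracts the accessed-site identity and the target DNS from the two links, then applies the white list, the region comparison and the port-80 check, either in the sequential order of Fig. 2 or, for the stricter "any one or more steps" scheme, as independent tests. The region table, the white list and the sample links are constructed; the port probe and the region lookup are parameters so that fakes can be supplied, and the default probe really opens a TCP connection with a short timeout.

```python
"""Server-side legitimacy check for a reported router DNS modification
(added example, not the patent's code).

Implements S102 (identity extraction) and the decision steps of S103 /
S203-S207. mode='chain' follows Fig. 2: white list -> region -> port 80,
stopping at the first step that clears the event; mode='any' treats the
three checks independently and flags the event if any one fails.
White list, region table and sample inputs are constructed.
"""
import socket
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit


class Verdict(Enum):
    LEGAL = "legal"
    ILLEGAL = "illegal"


@dataclass
class Decision:
    verdict: Verdict
    reason: str
    site_identity: str
    target_dns: Optional[str]


def access_site_identity(site_link: str) -> str:
    """'http://www.xx.com/' -> 'xx': the second-level label, used as the
    white-list key as in the page's example."""
    host = (urlsplit(site_link).hostname or "").lower()
    labels = [part for part in host.split(".") if part]
    return labels[-2] if len(labels) >= 2 else host


def target_dns(modification_link: str) -> Optional[str]:
    """DNS address carried in the modification link's dns_server parameter."""
    values = parse_qs(urlsplit(modification_link).query).get("dns_server")
    return values[0] if values else None


# Constructed prefix-to-region table standing in for a geolocation database.
REGION_BY_PREFIX: Dict[str, str] = {"114.114.": "domestic", "203.0.113.": "abroad"}


def region_of(ip: str) -> str:
    for prefix, region in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


def port_open(ip: str, port: int = 80, timeout: float = 1.0) -> bool:
    """Real TCP connect probe of the target DNS server (S205)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def decide(site_link: str, modification_link: str, client_ip: str, *,
           whitelist: Set[str], mode: str = "chain",
           region_lookup: Callable[[str], str] = region_of,
           is_port_open: Callable[[str, int], bool] = port_open,
           illegal_dns: Optional[Set[str]] = None) -> Decision:
    site_id = access_site_identity(site_link)
    dns_ip = target_dns(modification_link)
    if dns_ip is None:
        return Decision(Verdict.LEGAL, "modification link carries no DNS server", site_id, None)

    whitelisted = site_id in whitelist                       # S203
    region_ok = region_lookup(dns_ip) == region_lookup(client_ip)  # S204

    if mode == "chain":
        if whitelisted:
            return Decision(Verdict.LEGAL, "accessed site is in the white list", site_id, dns_ip)
        if region_ok:
            return Decision(Verdict.LEGAL, "DNS server is in the client's region", site_id, dns_ip)
        if not is_port_open(dns_ip, 80):                     # S205
            return Decision(Verdict.LEGAL, "target port 80 closed on DNS server", site_id, dns_ip)
        reasons = ["site not white-listed, region invalid, port 80 open"]
    elif mode == "any":
        reasons = []
        if not whitelisted:
            reasons.append("site not white-listed")
        if not region_ok:
            reasons.append("region invalid")
        if is_port_open(dns_ip, 80):
            reasons.append("port 80 open")
        if not reasons:
            return Decision(Verdict.LEGAL, "all checks passed", site_id, dns_ip)
    else:
        raise ValueError(f"unknown mode {mode!r}")

    if illegal_dns is not None:
        illegal_dns.add(dns_ip)  # S207: record the target DNS identifier
    return Decision(Verdict.ILLEGAL, "; ".join(reasons), site_id, dns_ip)  # S206


if __name__ == "__main__":
    recorded: Set[str] = set()
    for site, link in [("http://www.xx.com/", "http://192.168.1.1/hello?dns_server=114.114.114.114"),
                       ("http://www.other-example.com/", "http://192.168.1.1/hello?dns_server=203.0.113.5")]:
        d = decide(site, link, "114.114.10.1", whitelist={"xx"},
                   is_port_open=lambda ip, port: True, illegal_dns=recorded)
        print(d.verdict.value, d.reason, d.target_dns)
```

In chain mode a white-listed site or a DNS server in the client's own region clears the event without probing the server; the port probe is only reached for an unlisted site whose DNS server lies outside the client's region, which matches the order S203, S204, S205 described above.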
In this embodiment, the client collects the modification link information and the accessed-site link information when a DNS modification event occurs, and the server checks the legitimacy of the client router's DNS modification event from these two pieces of information. Illegal DNS modification events can therefore be determined more promptly and comprehensively, suspicious DNS servers identified, and network security ensured to a certain extent. Moreover, by using identifiers such as the IP address of the modifying website together with identifiers such as the IP address of the target DNS, malicious DNS modifications can be identified more accurately, which better ensures the accuracy with which a DNS can be confirmed.
Referring now to Fig. 3, which is a flow diagram of another network security processing method according to an embodiment of the invention. The method can be applied in a server of any kind of network security monitoring. Specifically, the method comprises:
S301: receiving, from a client, modification link information and link information of the accessed site.
The modification link information and the accessed-site link information are obtained and sent by the client when it detects a DNS modification event on the client router; the specific implementation can refer to the description of the embodiments above. The communication between the server and the client is realized with prior art.
S302: extracting an accessed-site identity from the site link information, and obtaining, from the modification link information, the target DNS identifier of the site to which the modification link points.
The accessed-site identity is mainly the IP address or similar of the website that produced the modification event, and the target DNS identifier is the IP address or similar of the DNS server of the website the client user is currently accessing.
S303: deciding, from the accessed-site identity and the target DNS identifier, whether the DNS modification event on the client router is legitimate.
S303 may specifically comprise: deciding, from the accessed-site identity, the target DNS identifier and a preset legitimacy decision scheme, that the DNS modification event on the client router is an illegal operation event, by any one or more of the following steps:
when the accessed-site identity is not recorded in the preset set of legitimate site identities, deciding that the DNS modification event on the client router is an illegal operation event;
when the target port specified in the port information of the DNS server indicated by the target DNS identifier is open, deciding that the DNS modification event on the client router is an illegal operation event;
when the region of the DNS server indicated by the target DNS identifier and the region of the client's current IP address do not satisfy the preset validity condition, deciding that the DNS modification event on the client router is an illegal operation event.
Alternatively, S303 may comprise the following steps:
the server checks whether the accessed-site identity is recorded in a preset set of legitimate site identities;
if it is not, the server preliminarily decides that the DNS modification event on the client router is an illegal operation event and further decides its legitimacy from the port information and/or the geographic region of the DNS server indicated by the target DNS identifier.
Deciding the legitimacy of the client router's DNS modification event from the port information and/or the region of the DNS server indicated by the target DNS identifier comprises:
the server checks whether the specified target port is open in the port information of the DNS server indicated by the target DNS identifier, and if it is open, the server decides that the DNS modification event on the client router is an illegal operation event; and/or
the server checks whether the region of the DNS server indicated by the target DNS identifier and the region of the client's current IP address satisfy a preset validity condition, and if not, the server decides that the DNS modification event on the client router is an illegal operation event.
In this embodiment, the client collects the modification link information and the accessed-site link information when a DNS modification event occurs, and the server checks the legitimacy of the client router's DNS modification event from these two pieces of information. Illegal DNS modification events can therefore be determined more promptly and comprehensively, suspicious DNS servers identified, and network security ensured to a certain extent.
Referring now to Fig. 4, which is a flow diagram of another network security processing method according to an embodiment of the invention. The method can be applied in any kind of client that resolves domain names through a DNS server. Specifically, the method comprises:
S401: while a website is being accessed, the client detects a domain name system (DNS) modification event on the local router.
The client accesses a website on the network only after a DNS (Domain Name System) server has converted the domain name to an IP address. Normally, for some DNS servers that have developed problems, the associated site can increase access speed by repairing the DNS on the client. One way to detect a DNS modification event is for the client to conclude that a router DNS modification event has occurred when it detects that the IP address of the local DNS has been changed to an abnormal IP address.
S402: when a DNS modification event is detected, the client obtains the modification link information corresponding to the event and the link information of the site being accessed.
S403: the client sends the obtained modification link information and accessed-site link information to a server.
In this embodiment of the invention, when a DNS modification event occurs, the client can accurately and promptly collect the modification link information and the accessed-site link information and send them to the server for checking, so that illegal DNS modification events can be determined more promptly, suspicious DNS servers identified, and the user's network security ensured to a certain extent.
The network security processing device and system of the embodiments of the invention are described in detail below.
Referring to Fig. 5, which is a structural schematic diagram of a network security processing device according to an embodiment of the invention. The device can be provided in a server of any kind of network security monitoring. Specifically, the device comprises:
a receiving module 11, for receiving from a client modification link information and link information of the accessed site, which the client obtains and sends when it detects a DNS modification event on the client router;
a processing module 12, for extracting an accessed-site identity from the site link information and obtaining, from the modification link information, the target DNS identifier of the site to which the modification link points;
a detection module 13, for deciding, from the accessed-site identity and the target DNS identifier, whether the DNS modification event on the client router is legitimate.
The client accesses a website on the network only after a DNS (Domain Name System) server has converted the domain name to an IP address. Normally, for some DNS servers that have developed problems, the associated site can increase access speed by repairing the DNS on the client. One way to detect a DNS modification event is for the client to conclude that a router DNS modification event has occurred when it detects that the IP address of the local DNS has been changed to an abnormal IP address.
After detecting the modification event, the client obtains the modification link information that initiated the modification and the link information of the site the current user is accessing in the browser, and sends both to the server.
The accessed-site identity obtained by the processing module 12 is mainly the name of the website the user accessed, and the target DNS identifier is the DNS indicated in the modification link.
The legitimacy check performed by the detection module 13 on the client router's DNS modification event means deciding whether the modification is legal or illegal. When it is judged illegal, the client is considered to have suffered a DNS hijacking incident; the IP address of the DNS after this modification can then be recorded as an illegal DNS, and security control can be initiated for the client.
Specifically, a legitimate site identity set, i.e. a whitelist, can be configured in the detection module 13. The websites corresponding to the site identities in the whitelist can help users repair a problematic DNS so as to improve access speed, so these modifications are benign modifications, whereas a DNS modification produced by a website outside the legitimate site identity set can be preliminarily regarded as a suspicious DNS modification. Of course, once enough legitimate sites have been provided in the legitimate site identity set, whenever the access site identity is not in the legitimate site identity set it is reasonable to regard the modification as illegal.
After preliminarily regarding the DNS modification of the client as suspicious, the detection module 13 further determines the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identity. Specifically:
the detection module 13 judges whether a specified target port is open in the port information of the DNS server indicated by the target DNS identity; if it is open, the server determines that the DNS modification event of the client router is an illegal operation event. Concretely, the ports open on the DNS server corresponding to the target DNS identity of the modification may be judged; if the target DNS has port 80 open, the target DNS is regarded as highly suspicious. And/or
the detection module 13 judges whether the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client satisfy a preset validity condition; if they do not, the server determines that the DNS modification event of the client router is an illegal operation event. Concretely, the region of the user IP may be compared with the region of the target DNS; if the user IP is domestic but the target DNS is abroad, the target DNS of this modification is regarded as highly suspicious.
It should be noted that in other embodiments, in scenarios with stricter security requirements for DNS monitoring, the detection module 13 may detect only any one of the above items or any combination of two of them, that is, an illegal operation event is determined by one or two of those items.
Referring specifically to Fig. 6, which is a structural schematic diagram of a server of the embodiment of the present invention, the server of the embodiment of the present invention includes: at least one processor 1001, such as a CPU; at least one communication bus 1002; at least one network interface 1003; and a memory 1004. The communication bus 1002 is used to realize connection and communication between these components. The network interface 1003 may optionally include a standard wired interface and a wireless interface (such as Wi-Fi or a mobile communication interface). The memory 1004 may be a high-speed RAM memory, or may be a non-volatile memory, for example at least one magnetic disk storage. The memory 1004 may optionally also be at least one storage device located remotely from the aforementioned processor 1001. As shown in Fig. 6, the memory 1004, as a kind of computer storage medium, stores an operating system, a network communication module, a network security processing application program, and other programs.
Specifically, the processor 1001 may be used to call the network security processing application program stored in the memory 1004 and execute the following steps:
receiving the modification link information and the accessed site link information of a client;
extracting an access site identity from the site link information, and obtaining, from the modification link information, the target DNS identity of the website corresponding to the modification link;
detecting and determining, according to the access site identity and the target DNS identity, the legitimacy of the DNS modification event of the client router;
where the modification link information and the accessed site link information are obtained and sent by the client when it detects a modification event of the domain name system (DNS) of the client router.
In the embodiment of the present invention, the client acquires the modification link information and the accessed site link information when a DNS modification event occurs, and the server detects the legitimacy of the DNS modification event of the client router on the basis of the modification link information and the accessed site link information, so that illegal DNS modification events are determined in a more timely and comprehensive manner, suspicious DNS servers are identified, and network security is ensured to a certain extent.
Referring again to Fig. 7, which shows another network security processing device of the embodiment of the present invention, the device of the embodiment of the present invention may be provided in any type of client that resolves domain names through a DNS server. Specifically, the device includes:
an event detection module 21, for detecting a modification event of the domain name system (DNS) of the local router while a website is being accessed;
an acquisition module 22, for obtaining, when a DNS modification event is detected, the modification link information corresponding to the modification event and the accessed site link information; and
a sending module 23, for sending the acquired modification link information and the accessed site link information to the server.
A client accesses a given website in the network after a DNS (Domain Name System) server has converted the domain name into an IP address. Under normal circumstances, for DNS servers that have developed problems, associated websites can improve access speed by repairing the DNS settings on the client. For the detection of DNS modification events, the event detection module 21 may determine that a DNS modification event of the router has occurred when it detects that the IP address of the local DNS has been modified to an abnormal IP address.
Referring specifically to Fig. 8, which is a structural schematic diagram of a user terminal of the embodiment of the present invention, the user terminal of the embodiment of the present invention may be a mobile intelligent device such as a tablet computer, mobile phone, e-reader, remote control, vehicle-mounted device, or wearable device.
The user terminal includes: at least one processor 2001, such as a CPU; at least one communication bus 2002; at least one network interface 2003; and a memory 2004. The communication bus 2002 is used to realize connection and communication between these components. The network interface 2003 may optionally include a standard wired interface and a wireless interface (such as Wi-Fi or a mobile communication interface). The memory 2004 may be a high-speed RAM memory, or may be a non-volatile memory, for example at least one magnetic disk storage. The memory 2004 may optionally also be at least one storage device located remotely from the aforementioned processor 2001. As shown in Fig. 8, the memory 2004, as a kind of computer storage medium, stores an operating system, a network communication module, a network security processing application program, and other programs.
Specifically, the processor 2001 may be used to call the network security processing application program stored in the memory 2004 and execute the following steps:
detecting, while a website is being accessed, a modification event of the domain name system (DNS) of the local router;
when a DNS modification event is detected, obtaining the modification link information corresponding to the modification event and the accessed site link information;
sending the acquired modification link information and the accessed site link information to the server.
In the embodiment of the present invention, when a DNS modification event occurs, the client can promptly and accurately acquire the modification link information and the accessed site link information and send them to the server for detection, so that illegal DNS modification events are determined in a more timely manner, suspicious DNS servers are identified, and user network security is ensured to a certain extent.
Referring again to Fig. 9, which is a structural schematic diagram of a network security processing system of the embodiment of the present invention, the system of the embodiment of the present invention includes a client 2 and a server 1, where the client 2 is any type of client that resolves domain names through a DNS server, and the server 1 is any type of network security monitoring server. Specifically:
the client 2 is used for obtaining, when it detects a modification event of the domain name system (DNS) of the client router, the modification link information corresponding to this modification event and the accessed site link information, and sending them to the server 1;
the server 1 is used for extracting an access site identity from the site link information, obtaining from the modification link information the target DNS identity of the website corresponding to the modification link, and detecting and determining, according to the access site identity and the target DNS identity, the legitimacy of the DNS modification event of the client router.
When detecting the DNS modification event, the client is further used for detecting, while a website is being accessed, whether the network address information in a generated modification link is an abnormal address, and if so, determining that a modification event of the domain name system (DNS) of the client router has occurred.
The access site identity is mainly the name or similar identifier of the website accessed by the user, and the target DNS identity is the DNS server indicated in the modification link. After the server obtains the access site identity and the target DNS identity, when detecting whether the DNS modification event of the client is legal, the server is used for judging whether the access site identity is recorded in a preset legitimate site identity set; if it is not recorded in the preset legitimate site identity set, the server preliminarily determines that the DNS modification event of the client router is an illegal operation event, and further determines the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identity.
When determining the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identity, the server is used for judging whether a specified target port is open in the port information of the DNS server indicated by the target DNS identity, and if it is open, the server determines that the DNS modification event of the client router is an illegal operation event; and/or the server is used for judging whether the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client satisfy a preset validity condition, and if they do not, the server determines that the DNS modification event of the client router is an illegal operation event.
The server is further used for recording the target DNS identity when the detection determines that the DNS modification event of the client router is an illegal operation event.
When the detection determines an illegal operation event, the client is considered to have suffered a DNS hijacking event; at this time the IP address of the DNS after this modification can be recorded as an illegal DNS, and security control can be initiated towards the client.
For the specific implementation of the client and the server, reference may be made to the description of the embodiments corresponding to Fig. 1 to Fig. 8 above.
In the embodiment of the present invention, the client acquires the modification link information and the accessed site link information when a DNS modification event occurs, and the server detects the legitimacy of the DNS modification event of the client router on the basis of the modification link information and the accessed site link information, so that illegal DNS modification events are determined in a more timely and comprehensive manner, suspicious DNS servers are identified, and network security is ensured to a certain extent. In particular, by using identifiers such as the IP address of the modifying website and the IP address of the target DNS, malicious DNS modifications can be checked more accurately, which better ensures the accuracy with which a DNS can be confirmed.
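The following is an added example, not code from the patent or its applicant, that models the exchange described for the detection module 13 (Fig. 5) and for the system of Fig. 9: the client raises a DNS modification event when the router's DNS changes to an abnormal address, and the server extracts the access site identity and the target DNS identity, applies the whitelist check, and then the port and region checks. The event field names, the `dns` query parameter carrying the target DNS, the whitelist, the per-server port and region table, and all IP addresses are constructed assumptions; in particular, the patent does not say how the server learns a DNS server's open ports or region, so a static table stands in for that.

```python
"""Added example (not the patent's own code): the DNS modification event
exchange between client and server, with the server-side legitimacy checks.
Field names, parameter names and all sample data are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Constructed client-side data: resolvers the client treats as normal for its
# network; a change to an address outside this set is an "abnormal address".
KNOWN_GOOD_DNS = {"192.168.1.1", "192.0.2.53"}

# Constructed server-side data: the legitimate site identity set (whitelist).
LEGITIMATE_SITES = {"repair.example.com"}

# Constructed server-side knowledge about DNS servers. The patent leaves open
# how port and region information is gathered; a static table stands in here.
DNS_SERVER_INFO = {
    "203.0.113.10": {"open_ports": {53, 80}, "region": "XX"},
    "198.51.100.5": {"open_ports": {53}, "region": "CN"},
}
CLIENT_REGION = {"192.0.2.7": "CN"}   # constructed geolocation of client IPs
SUSPICIOUS_PORT = 80                  # the page's example of a telltale open port

# Target DNS identities the server has recorded as illegal.
ILLEGAL_DNS: set[str] = set()


@dataclass
class DnsModificationEvent:
    """What the client sends when it detects a router DNS change (assumed shape)."""
    modification_link: str   # the link that triggered the change, carrying the target DNS
    accessed_site_link: str  # the site the user was visiting in the browser
    client_ip: str


def detect_dns_modification(previous_dns: str, current_dns: str) -> bool:
    """Client side: raise a DNS modification event when the router's DNS has
    changed to an address outside the known-good set."""
    return current_dns != previous_dns and current_dns not in KNOWN_GOOD_DNS


def extract_access_site_identity(site_link: str) -> str:
    """Server side: the access site identity is the hostname of the visited site."""
    return (urlparse(site_link).hostname or "").lower()


def extract_target_dns(modification_link: str) -> str:
    """Server side: the target DNS identity is the address carried by the
    modification link; the query parameter name 'dns' is an assumption."""
    value = parse_qs(urlparse(modification_link).query).get("dns", [""])[0]
    try:
        return str(ip_address(value))   # normalises the address, rejects garbage
    except ValueError:
        return ""


def evaluate_event(event: DnsModificationEvent, strict: bool = False) -> dict:
    """Server side: the legitimacy check described in the patent. A whitelisted
    site is benign; otherwise the event is preliminarily suspicious and the
    port and region checks decide. With strict=True, as in the stricter
    embodiment, missing the whitelist alone is enough to call it illegal."""
    site = extract_access_site_identity(event.accessed_site_link)
    target_dns = extract_target_dns(event.modification_link)
    verdict = {"site": site, "target_dns": target_dns, "illegal": False, "reasons": []}

    if site in LEGITIMATE_SITES:
        verdict["reasons"].append("benign: access site is in the legitimate site set")
        return verdict
    verdict["reasons"].append("preliminary: access site not in the legitimate site set")
    if strict:
        verdict["illegal"] = True
        return verdict

    info = DNS_SERVER_INFO.get(target_dns, {})
    if SUSPICIOUS_PORT in info.get("open_ports", set()):
        verdict["illegal"] = True
        verdict["reasons"].append(f"target DNS has port {SUSPICIOUS_PORT} open")

    client_region = CLIENT_REGION.get(event.client_ip)
    dns_region = info.get("region")
    if client_region and dns_region and client_region != dns_region:
        verdict["illegal"] = True
        verdict["reasons"].append(f"region mismatch: client {client_region}, target DNS {dns_region}")
    return verdict


def handle_event(event: DnsModificationEvent, strict: bool = False) -> dict:
    """Server entry point: evaluate and, on an illegal verdict, record the
    target DNS identity as the patent's server does."""
    verdict = evaluate_event(event, strict)
    if verdict["illegal"] and verdict["target_dns"]:
        ILLEGAL_DNS.add(verdict["target_dns"])
    return verdict


if __name__ == "__main__":
    # Constructed scenario: the router DNS flipped to 203.0.113.10 while the
    # user was on a site outside the whitelist.
    if detect_dns_modification("192.168.1.1", "203.0.113.10"):
        event = DnsModificationEvent(
            modification_link="http://router.example/apply?dns=203.0.113.10",
            accessed_site_link="http://unknown.example.net/page",
            client_ip="192.0.2.7",
        )
        print(handle_event(event))
```

The `reasons` list is kept on the verdict so that the recorded illegal DNS entry carries the evidence that produced it; a deployment would replace the static tables with whatever the server actually uses to learn a resolver's open ports and region, and would treat the "region mismatch" rule as the preset validity condition the patent leaves open.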
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be realized by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and when executed may include the processes of the embodiments of each of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above disclosure is only the preferred embodiments of the present invention and certainly cannot be used to limit the scope of the rights of the present invention; therefore, equivalent changes made in accordance with the claims of the present invention still fall within the scope of the present invention.
Claims (14)
1. A network security processing method, characterized by comprising:
a client obtaining, when it detects a modification event of the domain name system (DNS) of a client router, the modification link information corresponding to this modification event and the accessed site link information, and sending them to a server;
the server extracting an access site identity from the site link information, and obtaining, from the modification link information, the target DNS identity of the website corresponding to the modification link;
the server detecting and determining, according to the access site identity and the target DNS identity, the legitimacy of the DNS modification event of the client router;
wherein, when the detection determines that the access site identity is not recorded in a preset legitimate site identity set, and/or when the detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identity is open, and/or when the detection determines that the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client do not satisfy a preset validity condition, it is determined that the DNS modification event of the client router is an illegal operation event.
2. The method according to claim 1, characterized in that, before the client obtains the modification link information corresponding to the modification event and the accessed site link information and sends them to the server upon detecting a modification event of the domain name system (DNS) of the client router, the method further comprises:
the client detecting, while a website is being accessed, whether the network address information in a generated modification link is an abnormal address, and if so, determining that a modification event of the domain name system (DNS) of the client router has occurred.
3. The method according to claim 1, characterized in that the server detecting and determining, according to the access site identity and the target DNS identity, the legitimacy of the DNS modification event of the client router comprises:
the server judging whether the access site identity is recorded in a preset legitimate site identity set;
if it is not recorded in the preset legitimate site identity set, the server preliminarily determining that the DNS modification event of the client router is an illegal operation event, and further determining the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identity.
4. The method according to claim 3, characterized in that determining the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identity comprises:
the server judging whether a specified target port is open in the port information of the DNS server indicated by the target DNS identity, and if it is open, the server determining that the DNS modification event of the client router is an illegal operation event; and/or
the server judging whether the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client satisfy a preset validity condition, and if they do not, the server determining that the DNS modification event of the client router is an illegal operation event.
5. The method according to any one of claims 1 to 4, characterized by further comprising:
the server recording the target DNS identity when the detection determines that the DNS modification event of the client router is an illegal operation event.
6. A network security processing method, characterized by comprising:
receiving the modification link information and the accessed site link information of a client;
extracting an access site identity from the site link information, and obtaining, from the modification link information, the target DNS identity of the website corresponding to the modification link;
detecting and determining, according to the access site identity and the target DNS identity, the legitimacy of the DNS modification event of the client router;
where the modification link information and the accessed site link information are obtained and sent by the client when it detects a modification event of the domain name system (DNS) of the client router;
wherein, when the detection determines that the access site identity is not recorded in a preset legitimate site identity set, and/or when the detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identity is open, and/or when the detection determines that the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client do not satisfy a preset validity condition, it is determined that the DNS modification event of the client router is an illegal operation event.
7. A network security processing method, characterized by comprising:
detecting, while a website is being accessed, a modification event of the domain name system (DNS) of a client router;
when a DNS modification event is detected, obtaining the modification link information corresponding to the modification event and the accessed site link information;
sending the acquired modification link information and the accessed site link information to a server, so that the server detects and determines the legitimacy of the DNS modification event of the client router according to the access site identity extracted from the site link information and the target DNS identity obtained from the modification link information;
wherein the server determines that the DNS modification event of the client router is an illegal operation event when the detection determines that the access site identity is not recorded in a preset legitimate site identity set, and/or when the detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identity is open, and/or when the detection determines that the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client do not satisfy a preset validity condition.
8. A network security processing device, characterized by comprising:
a receiving module, for receiving the modification link information and the accessed site link information of a client, where the modification link information and the accessed site link information are obtained and sent by the client when it detects a modification event of the domain name system (DNS) of the client router;
a processing module, for extracting an access site identity from the site link information, and for obtaining, from the modification link information, the target DNS identity of the website corresponding to the modification link;
a detection module, for detecting and determining, according to the access site identity and the target DNS identity, the legitimacy of the DNS modification event of the client router;
wherein the detection module specifically determines that the DNS modification event of the client router is an illegal operation event when the detection determines that the access site identity is not recorded in a preset legitimate site identity set, and/or when the detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identity is open, and/or when the detection determines that the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client do not satisfy a preset validity condition.
9. A network security processing device, characterized by comprising:
an event detection module, for detecting, while a website is being accessed, a modification event of the domain name system (DNS) of a client router;
an acquisition module, for obtaining, when a DNS modification event is detected, the modification link information corresponding to the modification event and the accessed site link information;
a sending module, for sending the acquired modification link information and the accessed site link information to a server, so that the server detects and determines the legitimacy of the DNS modification event of the client router according to the access site identity extracted from the site link information and the target DNS identity obtained from the modification link information;
wherein the server determines that the DNS modification event of the client router is an illegal operation event when the detection determines that the access site identity is not recorded in a preset legitimate site identity set, and/or when the detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identity is open, and/or when the detection determines that the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client do not satisfy a preset validity condition.
10. A network security processing system, characterized by comprising a client and a server, wherein:
the client is used for obtaining, when it detects a modification event of the domain name system (DNS) of a client router, the modification link information corresponding to the modification event and the accessed site link information, and sending them to the server;
the server is used for extracting an access site identity from the site link information, obtaining from the modification link information the target DNS identity of the website corresponding to the modification link, and detecting and determining, according to the access site identity and the target DNS identity, the legitimacy of the DNS modification event of the client router;
wherein the server determines that the DNS modification event of the client router is an illegal operation event when the detection determines that the access site identity is not recorded in a preset legitimate site identity set, and/or when the detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identity is open, and/or when the detection determines that the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client do not satisfy a preset validity condition.
11. The system according to claim 10, characterized in that
the client is further used for detecting, while a website is being accessed, whether the network address information in a generated modification link is an abnormal address, and if so, determining that a modification event of the domain name system (DNS) of the client router has occurred.
12. The system according to claim 10, characterized in that
the server is used for judging whether the access site identity is recorded in a preset legitimate site identity set; if it is not recorded in the preset legitimate site identity set, the server preliminarily determines that the DNS modification event of the client router is an illegal operation event, and further determines the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identity.
13. The system according to claim 12, characterized in that
the server is used for judging whether a specified target port is open in the port information of the DNS server indicated by the target DNS identity, and if it is open, the server determines that the DNS modification event of the client router is an illegal operation event; and/or
the server is used for judging whether the geographic region of the DNS server indicated by the target DNS identity and the geographic region of the current IP address of the client satisfy a preset validity condition, and if they do not, the server determines that the DNS modification event of the client router is an illegal operation event.
14. The system according to any one of claims 10 to 13, characterized in that
the server is further used for recording the target DNS identity when the detection determines that the DNS modification event of the client router is an illegal operation event.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410105388.1A CN104935556B (en) | 2014-03-20 | 2014-03-20 | A kind of network security processing method, apparatus and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104935556A CN104935556A (en) | 2015-09-23 |
CN104935556B true CN104935556B (en) | 2019-06-07 |
Family
ID=54122529
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106911652B (en) * | 2015-12-23 | 2021-06-04 | 北京奇虎科技有限公司 | Method and device for preventing configuration information of wireless router from being tampered |
CN106534149A (en) * | 2016-11-29 | 2017-03-22 | 北京小米移动软件有限公司 | DNS anti-hijacking method and device, terminal and server |
CN111756731B (en) * | 2020-06-23 | 2022-06-28 | 全球能源互联网研究院有限公司 | Credibility measuring method and system for private network |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101669347A (en) * | 2007-04-23 | 2010-03-10 | 国际商业机器公司 | Method and apparatus for detecting port scans with fake source address |
CN102301682A (en) * | 2011-04-29 | 2011-12-28 | 华为技术有限公司 | Method and system for network caching, domain name system redirection sub-system thereof |
CN102577252A (en) * | 2009-10-21 | 2012-07-11 | 瑞科网信科技有限公司 | Method and system to determine an application delivery server based on geo-location information |
CN103607385A (en) * | 2013-11-14 | 2014-02-26 | 北京奇虎科技有限公司 | Method and apparatus for security detection based on browser |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20230625. Address after: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors. Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.; TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd. Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District. Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd. |