CN106713312A - Method and device for detecting illegal domain name - Google Patents
Method and device for detecting illegal domain name
- Publication number: CN106713312A (application CN201611195849.4A)
- Authority: CN (China)
- Prior art keywords: domain name; randomness; characteristic value; illegal; degree
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
Abstract
The invention discloses a method and device for detecting an illegal domain name. The method includes: obtaining a domain name to be detected, analysing the character composition of the domain name to obtain a characteristic value of the domain name, and obtaining the degree of randomness of the domain name from that characteristic value; if the degree of randomness of the domain name is greater than a preset threshold, the domain name is judged to be an illegal domain name. The invention also provides a device for detecting an illegal domain name. With this method and device, the technical problem that existing botnet monitoring technology cannot detect newly emerging illegal domain names is solved, and the accuracy of illegal domain name detection is improved.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for detecting an illegal domain name.
Background technology
Botnet malware (the "botnet virus") is one of the most important current categories of malicious software. A botnet can launch DDoS (Distributed Denial of Service) attacks, send phishing mail, and download and spread malware. A host controlled by botnet malware must communicate with the botnet's control server to obtain new attack targets, download new malware, receive new attack instructions, upload files and so on; a host controlled by a botnet is called a bot (zombie host).
To communicate with the C&C server (Command and Control server, the remote command and control server), a bot must know the server's IP address. Early botnet malware wrote the IP address of the C&C server directly into the malicious program, but direct communication with a fixed IP address is easily detected by a firewall.
Most current botnet programs communicate neither with a fixed IP address nor with a fixed domain name, because if a fixed domain name is encoded in the botnet program, a professional can recover the domain name of the C&C server by reverse analysis. Instead, the botnet control server generates a large number of DGA (Domain Generation Algorithm) domain names and registers one or a few of them. The bot likewise issues DNS requests for a large number of DGA domain names; one or a few of them resolve, and the bot uses the IP address returned by DNS to communicate with the C&C server. By communicating with the C&C server through DGA domain names, the bot can to some extent evade firewall detection and reverse analysis by professionals; and because the domain names of the C&C server are generated by the DGA, the domain name and IP address can be replaced quickly, which makes detection of the botnet by an application firewall more difficult.
The existing way of detecting botnets is mainly filtering with a blacklist of domain names or IP addresses: domain experts obtain the IP addresses or domain names of botnet control servers by analysing botnet malware and build a blacklist in advance, and the application firewall detects and blocks communication between a host and entries on the blacklist. This approach not only requires a great deal of manpower and is costly; it can only detect existing botnet malware and cannot detect emerging botnets, that is, it cannot detect newly appearing illegal domain names, so the detection accuracy for illegal domain names is low.
The content of the invention
The present invention provides a method and device for detecting an illegal domain name. Its main purpose is to solve the technical problem that existing botnet monitoring technology cannot detect newly emerging illegal domain names, and to improve the accuracy of illegal domain name detection.
To achieve the above object, the present invention provides a method for detecting an illegal domain name, which includes:
obtaining a domain name to be detected, analysing the character composition of the domain name to obtain the characteristic value of the domain name, and obtaining the degree of randomness of the domain name from the characteristic value;
if the degree of randomness of the domain name is greater than a preset threshold, judging that the domain name is an illegal domain name.
Alternatively, the step of obtaining the domain name to be detected, analysing its character composition to obtain its characteristic value and obtaining its degree of randomness from the characteristic value includes:
capturing a domain name from a DNS log as the domain name to be detected;
analysing the character composition according to a preset randomness detection rule, and generating the characteristic value corresponding to that rule;
taking the generated characteristic value as the degree of randomness of the domain name.
Alternatively, when there are multiple characteristic values, the step of obtaining the domain name to be detected, analysing its character composition to obtain its characteristic values and obtaining its degree of randomness from the characteristic values includes:
capturing a domain name from a DNS log as the domain name to be detected;
analysing the character composition according to a preset randomness detection rule, and generating the multiple characteristic values corresponding to that rule;
normalising the multiple characteristic values into the degree of randomness according to a classification model, where the classification model is generated by training a classifier on the basis of the randomness detection rule and the preset threshold, and contains multiple characteristic coefficients in one-to-one correspondence with the multiple characteristic values.
Alternatively, when the randomness detection rule includes 1-dimension to N-dimension transition probability matrices, N characteristic values are generated on the basis of those 1-dimension to N-dimension transition probability matrices, and the generated classification model contains N characteristic coefficients; the step of normalising the multiple characteristic values according to the classification model to obtain the degree of randomness includes: multiplying each of the N characteristic values by its corresponding characteristic coefficient, and taking the sum of the products as the degree of randomness of the domain name.
Alternatively, before the step of judging that the domain name is an illegal domain name, the method further includes:
if the degree of randomness of the domain name is greater than the preset threshold, judging whether the number of times devices in the current network have accessed the domain name within a preset period exceeds a preset number of times, and whether the number of devices in the network that have accessed the domain name exceeds a preset number;
if so, judging that the domain name is an illegal domain name and adding the domain name to a domain name blacklist;
if not, judging that the domain name is a legitimate domain name.
Alternatively, before the step of judging whether the number of times devices in the current network have accessed the domain name within the preset period exceeds the preset number of times and the number of devices that have accessed it exceeds the preset number, the method further includes:
if the degree of randomness of the domain name is greater than the preset threshold, judging whether the domain name matches a preset character combination rule;
if it does not match, performing the step of judging whether the number of accesses by devices in the current network within the preset period exceeds the preset number of times and the number of accessing devices exceeds the preset number;
if it matches, judging that the domain name is a legitimate domain name.
Alternatively, before the step of analysing the character composition of the domain name to obtain its characteristic value, the method includes:
after the domain name to be detected is obtained, detecting whether the domain name is present in a domain name blacklist or a domain name whitelist;
if it is not, performing the step of analysing the character composition of the domain name to obtain its characteristic value.
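The list pre-check and the access-count corroboration claimed above, run over constructed DNS query-log lines, as an added example that is not the patent's own code. The log format, the thresholds, the "preset character combination rule" (a regular expression for infrastructure-style host names) and the degree-of-randomness scores are all assumptions made for the example; in the method the scores would come from the classifier.

```python
# Added example (not the patent's own code): blacklist/whitelist pre-check
# followed by the access-count corroboration, over constructed DNS log lines.
# Log format, thresholds, the character combination rule and the randomness
# scores are assumptions for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS log, one query per line: "<timestamp> <client-ip> <domain>"
DNS_LOG = """\
2016-12-20T10:00:01 10.0.0.5 bdqjkxk.cn
2016-12-20T10:00:03 10.0.0.7 bdqjkxk.cn
2016-12-20T10:00:09 10.0.0.5 stxhyxvyiws.ws
2016-12-20T10:00:12 10.0.0.9 bdqjkxk.cn
2016-12-20T10:00:20 10.0.0.5 google.com
2016-12-20T10:00:25 10.0.0.7 cdn42.example
2016-12-20T10:00:31 10.0.0.5 bdqjkxk.cn
2016-12-20T10:00:40 10.0.0.9 known-bad.example
"""

# Constructed degree-of-randomness scores standing in for the classifier's
# output; the decision threshold is 0 as in the text.
RANDOMNESS = {
    "bdqjkxk.cn": 0.8, "stxhyxvyiws.ws": 0.9, "cdn42.example": 0.7,
    "google.com": -0.5, "known-bad.example": 0.9,
}
THRESHOLD = 0.0

# Assumed "preset character combination rule": a known prefix plus digits
# (cdn42, ns1, ...) is treated as a legitimate pattern even if it scores random.
CHAR_COMBINATION_RULE = re.compile(r"^(cdn|img|static|mail|ns)\d*$")


def parse_log(text):
    """Yield (timestamp, client, domain) for each constructed log line."""
    for line in text.splitlines():
        ts, client, domain = line.split()
        yield datetime.fromisoformat(ts), client, domain.lower().rstrip(".")


def access_stats(records, window):
    """Per domain: (query count, distinct clients) within the last `window`."""
    latest = max(ts for ts, _, _ in records)
    counts, clients = defaultdict(int), defaultdict(set)
    for ts, client, domain in records:
        if ts >= latest - window:
            counts[domain] += 1
            clients[domain].add(client)
    return {d: (counts[d], len(clients[d])) for d in counts}


def detect(log_text, randomness, blacklist, whitelist,
           window=timedelta(minutes=5), min_queries=3, min_devices=2):
    """Return (verdicts, updated blacklist) in the claimed order:
    list pre-check -> randomness threshold -> character rule -> access counts."""
    records = list(parse_log(log_text))
    stats = access_stats(records, window)
    blacklist = set(blacklist)          # copy so the caller's set is untouched
    verdicts = {}
    for domain, (queries, devices) in stats.items():
        if domain in blacklist:
            verdicts[domain] = "illegal"
        elif domain in whitelist:
            verdicts[domain] = "legitimate"
        elif randomness.get(domain, 0.0) <= THRESHOLD:
            verdicts[domain] = "legitimate"
        elif CHAR_COMBINATION_RULE.match(domain.split(".")[0]):
            verdicts[domain] = "legitimate"
        elif queries > min_queries and devices > min_devices:
            verdicts[domain] = "illegal"    # corroborated: add to the blacklist
            blacklist.add(domain)
        else:
            verdicts[domain] = "legitimate"
    return verdicts, blacklist
```

With the constructed log, bdqjkxk.cn is queried four times by three hosts and is blacklisted; stxhyxvyiws.ws scores just as random but is seen once from one host, so it is not confirmed. Both thresholds are strict "greater than" comparisons, matching the claim language.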
In addition, to achieve the above object, the present invention also provides a device for detecting an illegal domain name, which includes:
a degree-of-randomness acquisition module, for obtaining a domain name to be detected, analysing the character composition of the domain name to obtain its characteristic value, and obtaining the degree of randomness of the domain name from the characteristic value;
a domain name judging module, for judging that the domain name is an illegal domain name if its degree of randomness is greater than a preset threshold.
Alternatively, when there are multiple characteristic values, the degree-of-randomness acquisition module includes:
a domain name acquisition unit, for capturing a domain name from a DNS log as the domain name to be detected;
a characteristic value acquisition unit, for analysing the character composition on the basis of a preset randomness detection rule and generating the multiple characteristic values corresponding to that rule;
a normalisation unit, for normalising the multiple characteristic values according to a classification model to obtain the degree of randomness, where the classification model is generated by training a classifier on the basis of the randomness detection rule and the preset threshold, and contains multiple characteristic coefficients in one-to-one correspondence with the multiple characteristic values.
Alternatively, the device for detecting an illegal domain name further includes an access detection module and a list management module.
The access detection module is used, if the degree of randomness of the domain name is greater than the preset threshold, to judge whether the number of times devices in the current network have accessed the domain name within a preset period exceeds a preset number of times, and whether the number of devices in the network that have accessed the domain name exceeds a preset number.
The domain name judging module is further used to judge that the domain name is an illegal domain name when the number of accesses by devices in the current network within the preset period exceeds the preset number of times and the number of accessing devices in the network exceeds the preset number, and otherwise to judge that the domain name is a legitimate domain name.
The list management module is used to add domain names judged illegal by the domain name judging module to the domain name blacklist.
With the method and device for detecting an illegal domain name proposed by the invention, a domain name to be detected is obtained, its character composition is analysed to obtain its characteristic value, the degree of randomness is obtained from that characteristic value, and when the degree of randomness exceeds the preset threshold the domain name is judged illegal. The solution of the invention can detect not only existing illegal domain names; even when a new botnet appears and generates new illegal domain names, they can be detected by analysing the character composition of the domain name itself. This solves the technical problem that existing botnet monitoring technology cannot detect newly emerging illegal domain names, and improves the accuracy of illegal domain name detection.
Brief description of the drawings
Fig. 1 is a flow chart of the first embodiment of the method for detecting an illegal domain name of the invention;
Fig. 2 is a detailed flow chart of the degree-of-randomness obtaining step in the first embodiment of the method for detecting an illegal domain name of the invention;
Fig. 3 is a flow chart of the second embodiment of the method for detecting an illegal domain name of the invention;
Fig. 4 is a functional block diagram of the first embodiment of the device for detecting an illegal domain name of the invention;
Fig. 5 is a detailed functional block diagram of the degree-of-randomness acquisition module in the first embodiment of the device for detecting an illegal domain name of the invention;
Fig. 6 is a functional block diagram of the second embodiment of the device for detecting an illegal domain name of the invention.
The realisation of the objects, functional features and advantages of the invention will be further described with reference to the drawings in conjunction with the embodiments.
Specific embodiment
It should be understood that the specific embodiments described here are merely illustrative of the invention and are not intended to limit it.
The present invention provides a method for detecting an illegal domain name. Fig. 1 is the flow chart of the first embodiment of the method. In this embodiment, the method for detecting an illegal domain name includes:
Step S10: obtain a domain name to be detected, analyse the character composition of the domain name to obtain the characteristic value of the domain name, and obtain the degree of randomness of the domain name from the characteristic value.
Step S20: if the degree of randomness of the domain name is greater than a preset threshold, judge that the domain name is an illegal domain name.
The method proposed by this embodiment can be applied to various gateway devices, for example switches, routers and firewall devices. Taking a local area network as an example, the domain names accessed by hosts in the LAN behind the gateway device are recorded in a DNS log. At preset time intervals, domain names are captured from the newly produced DNS log entries and tested to determine whether they are illegal domain names, from which it can be judged whether the host that accessed the domain name is infected with botnet malware; the illegal domain names may be DGA domain names. In other embodiments, the domain names accessed by hosts in the LAN may also be obtained through other channels and used as the domain names to be detected.
A domain name generated by a DGA is usually composed of randomly chosen characters, for example bdqjkxk.cn or stxhyxvyiws.ws, whereas the character composition of a legitimate domain name such as bookstore.com or stackoverflow.com usually has some meaning or regularity so that users can remember it. Therefore, in this embodiment, the character composition of the domain name is analysed to obtain a characteristic value. The characteristic value is an index measuring the randomness of the domain name and reflects how random the domain name is: the more random the domain name, the more likely it is a DGA domain name, while a normal legitimate domain name, whose characters usually have some meaning or regularity, has a low degree of randomness.
In this embodiment, one or more characteristic values may be obtained by analysing the character composition of the domain name to be detected.
One) When only one characteristic value is obtained, step S10 may include the following sub-steps: capturing a domain name from the DNS log as the domain name to be detected; analysing the character composition on the basis of a preset randomness detection rule and generating the characteristic value corresponding to that rule; and taking the generated characteristic value as the degree of randomness of the domain name.
The randomness detection rule may be any calculation rule that reflects the randomness of a domain name, for example a one-gram (unigram) language model or information entropy. With the unigram language model, suppose the domain name contains m characters: the probability of each character is looked up, the m probabilities are multiplied together and the m-th root of the product is taken, giving the characteristic value of the domain name under the unigram model. The probability of each character appearing in a domain name is learned from a data set of legitimate domain names, and the probabilities of all characters that can appear in a domain name sum to 1. The lower this characteristic value, the more random the domain name and the more likely it is to be an illegal domain name. Alternatively, the information entropy of the domain name is calculated and used as the characteristic value; the entropy reflects the uncertainty of the domain name, and the larger the entropy, the more uncertain the domain name and the more likely it is to be an illegal domain name.
In this embodiment, the calculated characteristic value is used directly as the degree of randomness of the domain name, and a threshold (the preset threshold) is set in advance as the criterion. For the unigram language-model value, where a lower value means more randomness, the domain name is judged illegal when the characteristic value is below the preset threshold and legitimate otherwise; for information entropy the comparison runs the other way, and the domain name is judged illegal when the entropy exceeds the preset threshold, which is the form of the comparison used in step S20.
Two) As another embodiment, when multiple characteristic values are obtained, the degree of randomness of the domain name is derived from the multiple characteristic values. A randomness detection rule is preset, and the multiple characteristic values of the domain name are obtained according to it. Two kinds of randomness detection rule are given below as examples.
1) The randomness detection rule includes 1-dimension to N-dimension transition probability matrices, N ≥ 2; that is, the rule includes several transition probability matrices from 1 dimension up to N dimensions. An N-dimension transition probability matrix corresponds to an N-gram language model: a two-gram (bigram) language model is generally called a first-order Markov chain and corresponds to the 2-dimension transition probability matrix; a three-gram language model is called a second-order Markov chain and corresponds to the 3-dimension transition probability matrix; a four-gram language model is called a third-order Markov chain and corresponds to the 4-dimension transition probability matrix; and so on.
Taking as an example a domain name string made up of letters from the 26 English letters a to z, the probability values in the multi-dimension transition probability matrix are composed as follows. The first dimension gives the probability that each of the 26 letters a to z appears in the string: 26 probabilities, summing to 1. The second dimension gives, for each previous character a to z, the probability that the next adjacent character is a to z: 676 probabilities, where each row (one previous character) sums to 1. The third dimension gives, for each pair of adjacent characters aa to zz (aa, ab, ac, ... ba, bb, bc, ... za, zb, zc, ... zz), the probability that the next adjacent character is a to z: 17576 (26 × 26 × 26) probabilities, again one row per context summing to 1; and so on. The higher the dimension of the transition probability matrix, the more accurate the final judgement of the randomness of the domain name, but the greater the amount of calculation required. In this embodiment, the randomness detection rule is preferably set to the 1-dimension to 4-dimension transition probability matrices.
It should be noted that when the randomness detection rule includes 1-dimension to N-dimension transition probability matrices, the characteristic value of the domain name corresponding to each of the 1-dimension to N-dimension matrices must be calculated separately; that is, N characteristic values are obtained for the domain name, and the characteristic value corresponding to the 1-dimension transition probability matrix is the one calculated with the unigram language model. The probability values in the multi-dimension transition probability matrices can be learned from a data set composed of common words, English names, place names, pinyin, abbreviations and legitimate domain names.
Taking again a domain name string made up of letters from the 26 English letters a to z, the characteristic value of the domain name in the second dimension of the N-dimension transition probability matrix is illustrated.
Row 1: when the previous character in the string is a, the probabilities that the next adjacent character is a to z; 26 probabilities.
Row 2: when the previous character in the string is b, the probabilities that the next adjacent character is a to z; 26 probabilities.
And so on up to row 26: when the previous character in the string is z, the probabilities that the next adjacent character is a to z; 26 probabilities.
Taking google.com as an example, the characteristic value of the domain name in the second dimension is calculated as follows. From the 2-dimension transition probability matrix the following are looked up: the probability that the character after g is o, the probability that the character after o is o, the probability that the character after o is g, the probability that the character after g is l, and the probability that the character after l is e. These five probabilities are multiplied together and the fifth root of the product is taken; the result is the characteristic value of the domain name in the second dimension of the N-dimension transition probability matrix. As can be seen from this process, the number of probabilities looked up from the transition probability matrix and the degree of the root are equal to each other (five for google), and for a label of m characters scored with a d-dimension matrix there are m - d + 1 of them, one fewer than the number of characters in the 2-dimension case.
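The unigram language-model value, the information entropy, and the 1-dimension to N-dimension transition-probability features described above, in one added example that is not the patent's own code. The training labels are a small constructed list standing in for the legitimate-domain data set the text mentions; the alphabet (letters plus digits) and the add-one smoothing for transitions never seen in training are assumptions, since the text does not say how unseen transitions are handled.

```python
# Added example (not the patent's own code): learn 1-dim to N-dim transition
# probability matrices from a constructed list of legitimate labels and score a
# label by the geometric mean of its transition probabilities, as in the text.
import math
from collections import Counter, defaultdict

# Assumed alphabet: the text allows letters plus other characters such as digits.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed training set standing in for the "common words, English names,
# place names, pinyin, abbreviations and legitimate domain names" data set.
LEGIT_LABELS = [
    "google", "bookstore", "stackoverflow", "facebook", "wikipedia",
    "amazon", "microsoft", "github", "twitter", "youtube", "baidu",
    "taobao", "weibo", "apple", "netflix", "reddit", "linkedin",
]


def label_of(domain):
    """Keep only the registrable label ('bdqjkxk' from 'bdqjkxk.cn')."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def train_transition_model(labels, max_dim):
    """Build the 1..max_dim transition probability matrices as counts.

    model[d][context] counts the character that follows the (d-1)-character
    context; dimension 1 has the empty context, i.e. the unigram model.
    """
    model = {d: defaultdict(Counter) for d in range(1, max_dim + 1)}
    for label in labels:
        for d in range(1, max_dim + 1):
            for i in range(d - 1, len(label)):
                model[d][label[i - d + 1:i]][label[i]] += 1
    return model


def transition_prob(model, d, ctx, ch):
    """P(ch | ctx) from dimension d with add-one smoothing (assumption), so a
    transition absent from the training set is rare rather than impossible."""
    counts = model[d][ctx]
    return (counts[ch] + 1) / (sum(counts.values()) + len(ALPHABET))


def feature_value(model, d, label):
    """Geometric mean of the d-dim transition probabilities along the label.

    A label of m characters yields m-d+1 probabilities (5 for 'google' at
    d=2) and the (m-d+1)-th root is taken, as in the google.com walk-through.
    """
    probs = [transition_prob(model, d, label[i - d + 1:i], label[i])
             for i in range(d - 1, len(label))]
    if not probs:
        return 0.0
    return math.exp(sum(math.log(p) for p in probs) / len(probs))


def all_features(model, label):
    """The N characteristic values P1..PN, one per dimension."""
    return [feature_value(model, d, label) for d in sorted(model)]


def char_entropy(label):
    """Shannon entropy (bits) of the label's character distribution."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())
```

Under this model a readable label such as google scores well above bdqjkxk at every dimension, because its transitions (go, oo, gl, le) occur in the training set while q, j and x barely do; that ordering, not the absolute values, is what the threshold or the classifier later turns into a verdict.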
It is understood that the above probability values and letters are only examples; in practice the characters composing a domain name are not limited to the 26 English letters and may also be other characters, or a combination of English letters and other types of character such as digits.
2) The randomness detection rule includes the following calculation rules: calculating the information entropy of the domain name, the proportion of letters in the domain name and the proportion of digits in the domain name. The information entropy, letter proportion and digit proportion obtained by these rules are used as the characteristic values of the domain name. In other embodiments, calculation rules for further character-combination proportions can be added, for example the proportion of vowels or the proportion of consonants.
In this embodiment, the calculated characteristic values are themselves used as the degree of randomness, and according to the preset threshold set in advance for each characteristic value it is judged whether all of the multiple characteristic values of the domain name exceed their preset thresholds; if so, the domain name is judged to be an illegal domain name.
Further, when there are multiple characteristic values, in order to judge more accurately whether the domain name is illegal, a normalisation algorithm combines the multiple characteristic values into a single value, which is used as the degree of randomness of the domain name: for example a weighting algorithm, or the classification model of a classifier.
Taking a classifier as an example, and referring to Fig. 2, step S10 may include the following sub-steps:
Step S11: capture a domain name from the DNS log as the domain name to be detected;
Step S12: analyse the character composition on the basis of the preset randomness detection rule, and generate the multiple characteristic values corresponding to that rule;
Step S13: normalise the multiple characteristic values according to a classification model to obtain the degree of randomness, where the classification model is generated by training a classifier on the basis of the randomness detection rule and the preset threshold, and contains multiple characteristic coefficients in one-to-one correspondence with the multiple characteristic values.
Known illegal domain names are used as positive samples and known legitimate domain names as negative samples. The characteristic values of the positive and negative samples are extracted according to the randomness detection rule, and the classifier is trained on those characteristic values and the preset threshold to generate the characteristic coefficients, which constitute the classification model; the number of characteristic coefficients in the classification model equals the number of characteristic values produced by the randomness detection rule. After the multiple characteristic values of a domain name are obtained, they are normalised with the classification model of the classifier to obtain the degree of randomness of the domain name, and the domain name is judged illegal or legitimate according to the degree of randomness; the characteristic coefficients generated by training the classifier are matched to the preset threshold.
When the randomness detection rule includes 1-dimension to N-dimension transition probability matrices, N characteristic values are generated on the basis of those matrices and the generated classification model contains N characteristic coefficients. Step S13 then consists of multiplying each of the N characteristic values by its corresponding characteristic coefficient and taking the sum of the products as the degree of randomness of the domain name.
Taking the 4-dimension transition probability matrices as an example, calculating the characteristic values of the domain name according to the 1-dimension to 4-dimension matrices yields four characteristic values P1, P2, P3, P4; four characteristic coefficients A1, A2, A3, A4 are set for the classifier, and the degree of randomness E of the domain name is calculated by the following formula:
E = P1 × A1 + P2 × A2 + P3 × A3 + P4 × A4
Features are extracted from the positive and negative samples according to the 1-dimension to 4-dimension transition probability matrices, the preset threshold used as the criterion is set to 0, and the classifier is trained with the rule "E > 0 is an illegal domain name, E ≤ 0 is a legitimate domain name" on the characteristic values extracted from the positive and negative samples to obtain the values of A1, A2, A3, A4; the four characteristic coefficients obtained constitute the classification model.
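Training the characteristic coefficients A1..A4 for the weighted sum E and applying the "E > 0 is illegal, E ≤ 0 is legitimate" rule, as an added example that is not the patent's own code. The text does not name the classifier, so the perceptron update is used here as an assumption; the feature vectors are constructed values standing in for the 1-dimension to 4-dimension transition features (small probabilities for DGA-like labels, larger ones for readable labels). An intercept A0 is also added as an assumption, because with all P values positive a boundary through the origin need not exist; setting A0 = 0 recovers the text's formula exactly.

```python
# Added example (not the patent's own code): perceptron training of the
# coefficients for E = A0 + P1*A1 + P2*A2 + P3*A3 + P4*A4 with the decision
# rule "E > 0 illegal, E <= 0 legitimate". The samples are constructed.

# Constructed samples: (P1..P4, label); +1 = known illegal (positive sample),
# -1 = known legitimate (negative sample).
TRAINING_SAMPLES = [
    ([0.012, 0.008, 0.004, 0.002], +1),
    ([0.020, 0.015, 0.010, 0.006], +1),
    ([0.009, 0.005, 0.003, 0.001], +1),
    ([0.025, 0.012, 0.008, 0.004], +1),
    ([0.110, 0.085, 0.060, 0.045], -1),
    ([0.090, 0.070, 0.050, 0.040], -1),
    ([0.130, 0.100, 0.080, 0.060], -1),
    ([0.075, 0.066, 0.055, 0.042], -1),
]


def randomness_degree(coeffs, features):
    """E = A0 + P1*A1 + ... + PN*AN; A0 is the assumed intercept."""
    return sum(a * p for a, p in zip(coeffs, [1.0] + list(features)))


def is_illegal(coeffs, features, threshold=0.0):
    """Decision rule from the text: E above the preset threshold (0) is illegal."""
    return randomness_degree(coeffs, features) > threshold


def train_coefficients(samples, max_epochs=10000):
    """Perceptron training; returns [A0, A1, ..., AN].

    A misclassified sample moves the coefficients by label * [1, P1..PN],
    pushing E upward for illegal samples and downward for legitimate ones.
    Training stops at the first epoch with no mistakes, which the perceptron
    reaches in finitely many updates when the samples are linearly separable.
    """
    coeffs = [0.0] * (len(samples[0][0]) + 1)
    for _ in range(max_epochs):
        mistakes = 0
        for features, label in samples:
            predicted = 1 if randomness_degree(coeffs, features) > 0 else -1
            if predicted != label:
                x = [1.0] + list(features)
                coeffs = [a + label * p for a, p in zip(coeffs, x)]
                mistakes += 1
        if mistakes == 0:
            break
    return coeffs
```

Because the illegal samples have uniformly smaller probabilities, the learned A1..A4 come out negative and A0 positive: E rises as the transition probabilities fall, which is exactly the "lower language-model value means more random" relationship the text describes for the single-feature case.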
Further, as a kind of implementation method, after the entitled illegal domain name of decision space, the domain name is added to and is built in advance
In vertical domain name blacklist, and intercept process is made in the access of main frame in local area network to domain name in domain name blacklist;If domain name
Degree of randomness less or greater than predetermined threshold value, then the entitled legitimate domain name of decision space.
Further, in one implementation, a domain name blacklist and a domain name whitelist are established in advance: known illegal domain names are added to the blacklist and known legitimate domain names to the whitelist. After the domain name to be detected is obtained, it is first checked whether it exists in the blacklist or the whitelist, as a preliminary judgment of whether it is legitimate. When the domain name is in neither the blacklist nor the whitelist, step S10 is performed; if the domain name is in the whitelist, it is judged legitimate and is not intercepted; if it is in the blacklist, it is judged illegal and hosts' access to it is intercepted.
Further, the probability values in the multidimensional transition probability matrix may be updated periodically according to the updated domain name whitelist; or the classifier may be retrained according to the updated whitelist and blacklist to update the classification model, further improving the accuracy of illegal domain name detection.
The method of detecting illegal domain names proposed in this embodiment obtains a domain name to be detected, analyzes the character composition of the domain name to obtain its characteristic values, derives the degree of randomness of the domain name from those characteristic values, and judges the domain name to be illegal when the degree of randomness exceeds the predetermined threshold. With this solution, not only can existing illegal domain names be detected; even when a new botnet appears and generates new illegal domain names, they can be detected by analyzing the character composition of the domain name itself. This solves the technical problem that existing botnet monitoring techniques cannot detect newly emerging illegal domain names, and improves the accuracy of illegal domain name detection.
A second embodiment of the method of detecting illegal domain names of the present invention is proposed on the basis of the first embodiment. Referring to Figure 3, in this embodiment the method further includes, before step S20:
if the degree of randomness of the domain name is greater than the predetermined threshold, judging whether the number of times a device in the current network accesses the domain name within a predetermined period exceeds a preset number of times, and the number of devices in the network accessing the domain name exceeds a predetermined number;
Step S20: if so, judging the domain name to be an illegal domain name;
Step S40: adding the domain name to the domain name blacklist;
Step S50: if not, judging the domain name to be a legitimate domain name.
In this embodiment, in order to reduce misjudgment of illegal domain names and further improve the accuracy of the judgment, after the degree of randomness of the domain name is detected to exceed the predetermined threshold, whether the domain name is illegal is further judged according to how the hosts in the LAN access it. For example, the number of times a single host in the LAN accesses the domain name within a certain time interval exceeds the preset number of times, or the number of hosts in the LAN accessing the domain name exceeds the predetermined number; when either of these two situations occurs, the domain name is judged to be illegal. In addition, when the number of hosts in the LAN accessing the domain name is judged to have exceeded the predetermined number, it can further be checked whether the DNS requests of these hosts for the domain name received a response; if so, the domain name is judged illegal and, at the same time, the returned IP address is judged to be the IP of the botnet's command and control server. The returned IP is added to a pre-established IP blacklist, and subsequent access by hosts in the LAN to that IP address can be intercepted.
Further, in one implementation, in order to further reduce misjudgment of illegal domain names, the method also includes, before step S30:
if the degree of randomness of the domain name is greater than the predetermined threshold, judging whether the domain name conforms to a preset character combination rule;
if it does not conform, performing the step of judging whether the number of times a device in the current network accesses the domain name within the predetermined period exceeds the preset number of times and the number of devices in the network accessing the domain name exceeds the predetermined number;
if it conforms, judging the domain name to be a legitimate domain name.
Because a domain name may be formed from various different types of character combinations, for example combinations of letters and digits of different languages, and the transition probabilities between the letters and digits of different languages are relatively low, in this embodiment, in order to reduce misjudgment of illegal domain names, after the degree of randomness of the domain name is detected to exceed the predetermined threshold it is checked whether the domain name conforms to a preset character combination rule. For example, the character combination rule may be: the domain name is formed by combining common words, pinyin and digits. When the domain name is detected to conform to the preset character combination rule, it is judged to be a legitimate domain name; otherwise it is judged to be an illegal domain name, or step S30 is further performed to judge whether the domain name is illegal according to the hosts' access to it in the LAN.
The present invention also proposes a device for detecting illegal domain names.
Figure 4 is a functional block diagram of a first embodiment of the device for detecting illegal domain names of the present invention. In this embodiment, the device includes:
a degree of randomness acquisition module 10, for obtaining a domain name to be detected, analyzing the character composition of the domain name to obtain its characteristic values, and obtaining the degree of randomness of the domain name according to the characteristic values;
a domain name judgment module 20, for judging the domain name to be an illegal domain name if its degree of randomness is greater than a predetermined threshold.
The device for detecting illegal domain names proposed in this embodiment can be applied to various gateway devices, such as switches, routers and firewalls. Taking a LAN as an example, the domain names accessed by the hosts in the LAN served by the gateway device can be recorded in DNS logs. At preset time intervals, domain names can be captured from the newly generated DNS logs and examined to determine whether they are illegal, and then whether the hosts accessing them are infected with bot malware; the illegal domain names may be DGA domain names. Alternatively, in other embodiments, the domain names accessed by the hosts in the LAN may be obtained through other channels and used as the domain names to be detected.
A domain name generated by a DGA is usually composed of randomly selected characters, such as bdqjkxk.cn or stxhyxvyiws.ws, whereas the character composition of a legitimate domain name, such as bookstore.com or stackoverflow.com, usually has some meaning or regularity so that users can remember it. Therefore, in this embodiment, the character composition of the domain name is analyzed to obtain characteristic values. A characteristic value is an index measuring the randomness of the domain name and reflects its degree of randomness: the more random the domain name, the more likely it is a DGA domain name, while a normal legitimate domain name, whose characters usually carry meaning or follow a rule, has a relatively low degree of randomness.
In this embodiment, analyzing the character composition of the domain name to be detected may yield one or more characteristic values.
1) When only one characteristic value is obtained, the degree of randomness acquisition module 10 is further used to: capture a domain name from the DNS logs as the domain name to be detected; analyze the character composition based on a preset randomness detection rule, generating a characteristic value corresponding to that rule; and use the generated characteristic value as the degree of randomness of the domain name.
The randomness detection rule may be any computation rule that reflects the randomness of the domain name, for example a unigram language model or information entropy. Under a unigram language model the characteristic value is computed as follows: assuming the domain name contains m characters, the probability of occurrence of each character is obtained, the m probability values are multiplied together, and the m-th root of the product is taken; the result is the domain name's characteristic value under the unigram language model. The occurrence probability of each character in a domain name can be learned from a data set of legitimate domain names, and the probabilities of all characters that may appear in a domain name sum to 1. The lower the characteristic value, the higher the randomness of the domain name and the more likely it is an illegal domain name. Alternatively, the information entropy of the domain name is computed and used as its characteristic value: the entropy reflects the uncertainty of the domain name, and the larger the entropy, the higher the uncertainty and the more likely the domain name is illegal.
In this embodiment, the computed characteristic value can be used directly as the degree of randomness of the domain name, and a threshold, namely the predetermined threshold, can be set in advance as the judgment standard: when the computed characteristic value is less than the predetermined threshold, the domain name is considered illegal; otherwise it is judged to be a legitimate domain name.
2) In another embodiment, when multiple characteristic values are obtained, the degree of randomness of the domain name is obtained according to the multiple characteristic values. A randomness detection rule is preset, and the multiple characteristic values of the domain name are obtained according to it. Two kinds of randomness detection rules are illustrated below.
(1) The randomness detection rule includes 1-dimensional to N-dimensional transition probability matrices, N ≥ 2; that is, the rule includes multiple transition probability matrices, from dimension 1 to dimension N. The N-dimensional transition probability matrix corresponds to an N-gram language model: a bigram language model is generally called a first-order Markov chain and corresponds to the two-dimensional transition probability matrix; a trigram language model is called a second-order Markov chain and corresponds to the three-dimensional transition probability matrix; a 4-gram language model is called a third-order Markov chain and corresponds to the four-dimensional transition probability matrix; and so on.
Taking as an example a domain name whose character string is composed of letters from the 26 English letters a to z, the composition of the probability values in the multidimensional transition probability matrix is as follows. The first dimension reflects the probability that each of the 26 letters a to z appears in the character string: 26 probability values, summing to 1. The second dimension reflects, when the preceding character is a to z, the probability that the adjacent next character is a to z: 676 probability values, summing to 1. The third dimension reflects, when the two preceding adjacent characters are aa to zz (aa, ab, ac ... ba, bb, bc ... za, zb, zc ... zz), the probability that the adjacent next character is a to z: 17567 probability values, summing to 1; and so on.
The higher the dimension of the transition probability matrix, the higher the final accuracy of judging the randomness of the domain name, but the larger the amount of computation required. In this embodiment, the randomness detection rule is preferably set to the 1-dimensional to 4-dimensional transition probability matrices.
It should be noted that when the randomness detection rule includes the 1- to N-dimensional transition probability matrices, the characteristic values of the domain name corresponding to each of the 1- to N-dimensional matrices must be calculated separately; that is, N characteristic values are obtained for the domain name, where the characteristic value corresponding to the 1-dimensional transition probability matrix is the one computed from the unigram language model. In addition, the probability values in the multidimensional transition probability matrices can be learned from a data set composed of common words, English names, place names, pinyin, abbreviations and legitimate domain names.
Taking again a domain name whose character string is composed of letters from the 26 English letters a to z, the characteristic value of the domain name in the second dimension of the N-dimensional transition probability matrix is illustrated as follows.
Row 1: when the preceding character in the domain name string is a, the probabilities that the adjacent next character is a to z respectively; 26 probability values.
Row 2: when the preceding character in the domain name string is b, the probabilities that the adjacent next character is a to z respectively; 26 probability values.
And so on, up to row 26: when the preceding character in the domain name string is z, the probabilities that the adjacent next character is a to z respectively; 26 probability values.
Taking google.com as an example of how the characteristic value of a domain name in the second dimension of the N-dimensional transition probability matrix is calculated: the following are read from the two-dimensional transition probability matrix above, respectively: the probability that the character following g is o, the probability that the character following o is o, the probability that the character following o is g, the probability that the character following g is l, and the probability that the character following l is e. These 5 probability values are multiplied together and the 5th root of the product is taken; the resulting number is the characteristic value of the domain name in the second dimension of the N-dimensional transition probability matrix. It can be seen from this process that, when a characteristic value is calculated, the number of probabilities read from the transition probability matrix and the degree of the root taken are equal to the number of characters in the domain name.
It can be understood that the probability values and letters above are merely examples; in practical applications the characters forming a domain name are not limited to the 26 English letters above, and may also be other characters, or combinations of English letters with other types of characters, such as digits.
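The 1- to N-dimensional characteristic values described above (the unigram geometric mean of section 1) being the 1-dimensional case), as an added example that is not the patent's own code: the tables are learned from a small constructed stand-in for the legitimate-domain data set, only the letters of the first label are analyzed (an assumption), and additive smoothing with a constant alpha is assumed so that a transition never seen in training does not zero out the product. For google.com the second-dimension value is the 5th root of the product of the five transition probabilities, exactly as walked through above.

```python
"""Characteristic values P1..PN from 1- to N-dimensional transition probability
tables (added example, not the patent's code)."""
from collections import Counter, defaultdict
import math

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
UNIFORM = {c: 1.0 / len(ALPHABET) for c in ALPHABET}

# Constructed stand-in for the data set of legitimate domain names and common words.
TRAINING_SET = [
    "google", "bookstore", "stackoverflow", "example", "amazon", "wikipedia",
    "microsoft", "github", "mail", "shop", "news", "store", "online", "search",
]


def label(domain):
    """Assumption: analyze only the letters of the first label ('google.com' -> 'google')."""
    return "".join(c for c in domain.lower().split(".")[0] if c in ALPHABET)


def train_transition_tables(samples, max_dim, alpha=0.01):
    """Learn the dimension-1..max_dim tables from legitimate samples.

    tables[n][context] maps each next character to its probability, where
    context is the preceding n-1 characters ('' for the unigram dimension), so
    every row of every dimension sums to 1 as the text describes. Additive
    smoothing with alpha (an assumption) keeps unseen transitions non-zero.
    """
    counts = {n: defaultdict(Counter) for n in range(1, max_dim + 1)}
    for s in samples:
        for n in range(1, max_dim + 1):
            for i in range(n - 1, len(s)):
                counts[n][s[i - n + 1:i]][s[i]] += 1
    tables = {}
    for n in range(1, max_dim + 1):
        tables[n] = {}
        for ctx, cnt in counts[n].items():
            total = sum(cnt.values()) + alpha * len(ALPHABET)
            tables[n][ctx] = {c: (cnt[c] + alpha) / total for c in ALPHABET}
    return tables


def characteristic_value(s, tables, n):
    """Dimension-n characteristic value of label s: read one transition
    probability per position (for 'google' and n=2: g->o, o->o, o->g, g->l,
    l->e) and take the k-th root of their product, k being the number read.
    Computed in log space so long labels do not underflow."""
    probs = []
    for i in range(n - 1, len(s)):
        ctx = s[i - n + 1:i]
        row = tables[n].get(ctx, UNIFORM)  # context never seen: fall back to uniform
        probs.append(row[s[i]])
    if not probs:
        return 0.0
    return math.exp(sum(math.log(p) for p in probs) / len(probs))


def characteristic_values(domain, tables):
    """P1..PN for a domain name: one value per trained dimension, in order."""
    s = label(domain)
    return [characteristic_value(s, tables, n) for n in sorted(tables)]


if __name__ == "__main__":
    tables = train_transition_tables(TRAINING_SET, max_dim=4)
    for d in ("google.com", "bookstore.com", "bdqjkxk.cn", "stxhyxvyiws.ws"):
        print(d, ["%.4f" % v for v in characteristic_values(d, tables)])
```

Because the values are geometric means of probabilities, a lower value means a more random label, so the DGA-like names score below the legitimate ones in every dimension.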
(2) The randomness detection rule includes the following computation rules: computing the information entropy of the domain name, the proportion of letters in the domain name, and the proportion of digits in the domain name. The entropy, letter proportion and digit proportion of the domain name obtained by these computation rules are used as the characteristic values of the domain name. In other embodiments, further computation rules for character combination proportions may be added, for example computing the proportion of vowels or the proportion of consonants.
In this embodiment, the degree of randomness acquisition module 10 is further used to take each computed characteristic value itself as a degree of randomness, and the domain name judgment module 20 judges, according to the predetermined threshold set in advance for each degree of randomness, whether all of the domain name's characteristic values exceed their predetermined thresholds; if so, the domain name is judged to be an illegal domain name.
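The entropy and proportion features of rule (2), together with the all-thresholds-exceeded judgment of the paragraph above, as an added example that is not the patent's code; the threshold values, the consonant-proportion extension and the choice to analyze only the first label are assumptions.

```python
"""Rule-2 characteristic values (entropy, letter and digit proportions, plus the
optional vowel/consonant proportions) and the all-thresholds-exceeded judgment
(added example, not the patent's code)."""
import math
from collections import Counter

VOWELS = set("aeiou")


def rule2_features(domain):
    """Compute the rule-2 characteristic values over the first label only (assumption)."""
    s = domain.lower().split(".")[0]
    n = len(s)
    if n == 0:
        raise ValueError("empty label")
    counts = Counter(s)
    # Shannon entropy in bits over the label's character distribution
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    letters = sum(ch.isalpha() for ch in s)
    digits = sum(ch.isdigit() for ch in s)
    vowels = sum(ch in VOWELS for ch in s)
    return {
        "entropy": entropy,
        "letter_ratio": letters / n,
        "digit_ratio": digits / n,
        "vowel_ratio": vowels / n,
        "consonant_ratio": (letters - vowels) / n,
    }


# Constructed thresholds: each feature is used as its own degree of randomness.
DEFAULT_THRESHOLDS = {"entropy": 2.0, "consonant_ratio": 0.8}


def is_illegal_by_rule2(domain, thresholds=DEFAULT_THRESHOLDS):
    """Judgment of module 20 for this rule: illegal only if every configured
    characteristic value exceeds its predetermined threshold."""
    f = rule2_features(domain)
    return all(f[name] > t for name, t in thresholds.items())


if __name__ == "__main__":
    for d in ("bdqjkxk.cn", "stxhyxvyiws.ws", "bookstore.com", "google.com", "shop123.com"):
        print(d, is_illegal_by_rule2(d), {k: round(v, 3) for k, v in rule2_features(d).items()})
```

Note that bookstore.com's entropy (about 2.64) is higher than bdqjkxk.cn's (about 2.52): on short labels entropy alone separates poorly, which is why the judgment requires every configured threshold to be exceeded.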
Further, when there are multiple characteristic values, in order to judge more accurately whether the domain name is illegal, a normalization algorithm is used to normalize the multiple characteristic values into a single value, which is used as the degree of randomness of the domain name: for example, a weighting algorithm, or normalization of the multiple characteristic values using the classification model of a classifier.
Taking a classifier as an example, and referring to Figure 5, the degree of randomness acquisition module 10 includes the following units:
a domain name acquisition unit 11, for capturing a domain name from the DNS logs as the domain name to be detected;
a characteristic value acquisition unit 12, for analyzing the character composition based on the preset randomness detection rule and generating multiple characteristic values corresponding to that randomness detection rule;
a normalization unit 13, for normalizing the multiple characteristic values according to a classification model to obtain the degree of randomness, where the classification model is generated by training a classifier based on the randomness detection rule and the predetermined threshold, and includes multiple characteristic coefficients in one-to-one correspondence with the multiple characteristic values.
Known illegal domain names are used as positive samples and known legitimate domain names as negative samples; the characteristic values of the positive and negative samples are extracted separately according to the randomness detection rule, and the classifier is trained on the characteristic values of the positive and negative samples and the predetermined threshold to generate the characteristic coefficients, which form the classification model. The number of characteristic coefficients in the classification model is equal to the number of characteristic values obtained under the randomness detection rule. After the multiple characteristic values are obtained, they are normalized according to the classifier's classification model to obtain the degree of randomness of the domain name, and whether the domain name is illegal is judged according to the degree of randomness; the characteristic coefficients generated by training the classifier are matched to the predetermined threshold.
When the randomness detection rule includes the 1- to N-dimensional transition probability matrices, N characteristic values are generated based on the 1- to N-dimensional transition probability matrices, and the generated classification model includes N characteristic coefficients; the normalization unit 13 is further used to multiply each of the N characteristic values by its corresponding characteristic coefficient and take the sum of the products as the degree of randomness of the domain name.
Taking a four-dimensional transition probability matrix as an example: the characteristic values of the domain name are calculated according to the four-dimensional transition probability matrix, giving four characteristic values, P1, P2, P3 and P4. Four characteristic coefficients, A1, A2, A3 and A4, are set for the classifier, and the degree of randomness E of the domain name is calculated by the following formula:
E = P1 × A1 + P2 × A2 + P3 × A3 + P4 × A4
Feature extraction is performed on the positive samples and the negative samples according to the four-dimensional transition probability matrix, the predetermined threshold used as the judgment standard is set to 0, and the classifier is trained with the rule "E > 0 means an illegal domain name, E ≤ 0 means a legitimate domain name" and the extracted characteristic values of the positive and negative samples. This yields the values of A1, A2, A3 and A4; the four characteristic coefficient values obtained form the classification model.
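The weighted degree of randomness E and the training of A1..A4 against the threshold 0, for both the method (step S13) and the normalization unit 13 described above, as an added example that is not the patent's code; the classifier is assumed to be a perceptron with no bias term (so the separating rule is exactly E > 0), and the sample characteristic values are constructed stand-ins for the values the 1- to 4-dimensional transition probability tables would produce.

```python
"""Weighted degree of randomness E = P1*A1 + ... + PN*AN with threshold 0, and a
perceptron that learns A1..AN from labelled samples (added example, not the
patent's code)."""


def degree_of_randomness(p, a):
    """E = sum of P_i * A_i over the N characteristic values and coefficients."""
    if len(p) != len(a):
        raise ValueError("one coefficient per characteristic value")
    return sum(pi * ai for pi, ai in zip(p, a))


def is_illegal(p, a, threshold=0.0):
    """Decision rule used both in training and in detection: E > threshold -> illegal."""
    return degree_of_randomness(p, a) > threshold


def train_coefficients(positives, negatives, max_epochs=5000):
    """Perceptron fit of the coefficients (assumed classifier, no bias term).

    positives are characteristic values of known illegal domains (must end up
    with E > 0), negatives those of known legitimate ones (E <= 0).
    Returns (coefficients, converged); converged is False if the samples
    could not be separated within max_epochs."""
    n = len(positives[0])
    a = [0.0] * n
    samples = [(p, +1) for p in positives] + [(p, -1) for p in negatives]
    for _ in range(max_epochs):
        updates = 0
        for p, y in samples:
            predicted = +1 if is_illegal(p, a) else -1
            if predicted != y:  # misclassified: move the coefficients toward the sample
                a = [ai + y * pi for ai, pi in zip(a, p)]
                updates += 1
        if updates == 0:
            return a, True
    return a, False


# Constructed characteristic values (P1..P4): geometric means of transition
# probabilities, so they lie in (0, 1]. Illegal (DGA-like) labels stay low and
# flat across dimensions; legitimate labels rise steeply with the dimension.
POSITIVE_SAMPLES = [
    (0.050, 0.010, 0.020, 0.020),
    (0.045, 0.012, 0.018, 0.022),
    (0.055, 0.008, 0.025, 0.019),
    (0.048, 0.015, 0.022, 0.024),
]
NEGATIVE_SAMPLES = [
    (0.070, 0.200, 0.500, 0.700),
    (0.065, 0.150, 0.400, 0.600),
    (0.080, 0.250, 0.550, 0.750),
    (0.060, 0.180, 0.450, 0.650),
]


if __name__ == "__main__":
    coeffs, ok = train_coefficients(POSITIVE_SAMPLES, NEGATIVE_SAMPLES)
    print("A1..A4 =", [round(c, 4) for c in coeffs], "converged:", ok)
    for p in POSITIVE_SAMPLES + NEGATIVE_SAMPLES:
        print(p, "E = %.4f" % degree_of_randomness(p, coeffs), "illegal" if is_illegal(p, coeffs) else "legitimate")
```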
Further, in one implementation, after the domain name is judged to be an illegal domain name, the device adds it to a pre-established domain name blacklist, and accesses by hosts in the local area network to domain names in the blacklist are intercepted. If the degree of randomness of the domain name is less than or equal to the predetermined threshold, the domain name is judged to be a legitimate domain name.
Further, in one implementation, a domain name blacklist and a domain name whitelist are established in advance, known illegal domain names are added to the blacklist and known legitimate domain names to the whitelist, and the device further includes a list filtering module, for checking, after the domain name to be detected is obtained, whether it exists in the blacklist or the whitelist, as a preliminary judgment of whether it is legitimate. When the domain name is in neither the blacklist nor the whitelist, the degree of randomness acquisition module 10 analyzes its character composition to obtain the characteristic values and derives the degree of randomness from them; if the domain name is in the whitelist, the domain name judgment module 20 judges it to be legitimate and it is not intercepted; if it is in the blacklist, the domain name judgment module 20 judges it to be illegal and hosts' access to it is intercepted.
Further, the probability values in the multidimensional transition probability matrix may be updated periodically according to the updated domain name whitelist; or the classifier may be retrained according to the updated whitelist and blacklist to update the classification model, further improving the accuracy of illegal domain name detection.
The device for detecting illegal domain names proposed in this embodiment obtains a domain name to be detected, analyzes the character composition of the domain name to obtain its characteristic values, derives the degree of randomness of the domain name from those characteristic values, and judges the domain name to be illegal when the degree of randomness exceeds the predetermined threshold. With this solution, not only can existing illegal domain names be detected; even when a new botnet appears and generates new illegal domain names, they can be detected by analyzing the character composition of the domain name itself. This solves the technical problem that existing botnet monitoring techniques cannot detect newly emerging illegal domain names, and improves the accuracy of illegal domain name detection.
A second embodiment of the device for detecting illegal domain names of the present invention is proposed on the basis of the first embodiment. Referring to Figure 6, in this embodiment the device further includes an access detection module 30 and a list management module 40, where:
the access detection module 30 is used to: if the degree of randomness of the domain name is greater than the predetermined threshold, judge whether the number of times a device in the current network accesses the domain name within the predetermined period exceeds the preset number of times, and the number of devices in the network accessing the domain name exceeds the predetermined number;
the domain name judgment module 20 is further used to: when the number of times a device in the current network accesses the domain name within the predetermined period exceeds the preset number of times and the number of devices in the network accessing the domain name exceeds the predetermined number, judge the domain name to be an illegal domain name, and otherwise judge it to be a legitimate domain name;
the list management module 40 is used to: add the domain names judged to be illegal by the domain name judgment module 20 to the domain name blacklist.
In this embodiment, in order to reduce misjudgment of illegal domain names and further improve the accuracy of the judgment, after the degree of randomness of the domain name is detected to exceed the predetermined threshold, whether the domain name is illegal is further judged according to how the hosts in the LAN access it. For example, the number of times a single host in the LAN accesses the domain name within a certain time interval exceeds the preset number of times, or the number of hosts in the LAN accessing the domain name exceeds the predetermined number; when either of these two situations occurs, the domain name is judged to be illegal. In addition, when the number of hosts in the LAN accessing the domain name is judged to have exceeded the predetermined number, it can further be checked whether the DNS requests of these hosts for the domain name received a response; if so, the domain name is judged illegal and, at the same time, the returned IP address is judged to be the IP of the botnet's command and control server. The returned IP is added to a pre-established IP blacklist, and subsequent access by hosts in the LAN to that IP address can be intercepted.
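The whitelist/blacklist pre-check, the per-host and host-count corroboration against DNS logs, and the blacklisting of the returned address described in both the method and device embodiments above, as an added example that is not the patent's code; the log line format, the 5-minute period, the preset counts of 3 accesses and 3 devices, the private client addresses and the 203.0.113.0/24 documentation addresses are constructed assumptions.

```python
"""Corroborating a high-randomness domain with DNS-log access behaviour, plus the
whitelist/blacklist pre-check and C2 IP blacklisting (added example, not the
patent's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS log lines: "<date> <time> <client ip> <queried name> <answer|NXDOMAIN>"
DNS_LOG = """\
2016-12-22 10:00:01 192.168.1.10 bdqjkxk.cn NXDOMAIN
2016-12-22 10:00:31 192.168.1.10 bdqjkxk.cn NXDOMAIN
2016-12-22 10:01:02 192.168.1.11 bdqjkxk.cn 203.0.113.7
2016-12-22 10:01:33 192.168.1.12 bdqjkxk.cn 203.0.113.7
2016-12-22 10:02:05 192.168.1.13 bdqjkxk.cn 203.0.113.7
2016-12-22 10:02:40 192.168.1.10 stxhyxvyiws.ws NXDOMAIN
2016-12-22 10:03:00 192.168.1.10 google.com 203.0.113.50
2016-12-22 10:03:10 192.168.1.11 google.com 203.0.113.50
2016-12-22 10:05:00 192.168.1.14 qwzvxkpl.net 203.0.113.9
2016-12-22 10:05:20 192.168.1.14 qwzvxkpl.net 203.0.113.9
2016-12-22 10:05:40 192.168.1.14 qwzvxkpl.net 203.0.113.9
2016-12-22 10:06:00 192.168.1.14 qwzvxkpl.net 203.0.113.9
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, qname, answer = line.split()
        records.append((datetime.fromisoformat(f"{date} {time}"), client, qname.lower(), answer))
    return records


class DomainLists:
    """Pre-established whitelist/blacklist plus the IP blacklist for returned C2 addresses."""

    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.ip_blacklist = set()

    def precheck(self, domain):
        """Preliminary judgment before any randomness analysis; None if in neither list."""
        if domain in self.whitelist:
            return "legitimate"
        if domain in self.blacklist:
            return "illegal"
        return None


def access_stats(records, domain, period):
    """Per-host access counts for the domain within `period` of its first query,
    and the set of non-NXDOMAIN answers returned in that window."""
    hits = [r for r in records if r[2] == domain]
    if not hits:
        return {}, set()
    start = min(r[0] for r in hits)
    window = [r for r in hits if r[0] - start <= period]
    per_host = defaultdict(int)
    for r in window:
        per_host[r[1]] += 1
    answers = {r[3] for r in window if r[3] != "NXDOMAIN"}
    return per_host, answers


def corroborate(domain, records, lists, randomness_exceeded,
                period=timedelta(minutes=5), preset_times=3, preset_devices=3):
    """Pre-check, then the access-count corroboration for a domain whose degree of
    randomness already exceeded the predetermined threshold. Illegal if a single
    host exceeded preset_times accesses in the period or more than preset_devices
    hosts accessed it; when many hosts got an answer, the answer is treated as the
    botnet C2 address and IP-blacklisted. Returns "illegal" or "legitimate"."""
    verdict = lists.precheck(domain)
    if verdict:
        return verdict
    if not randomness_exceeded:
        return "legitimate"
    per_host, answers = access_stats(records, domain, period)
    single_host_burst = any(n > preset_times for n in per_host.values())
    many_hosts = len(per_host) > preset_devices
    if not (single_host_burst or many_hosts):
        return "legitimate"
    lists.blacklist.add(domain)
    if many_hosts and answers:
        lists.ip_blacklist |= answers
    return "illegal"


if __name__ == "__main__":
    lists = DomainLists(whitelist={"google.com"})
    recs = parse_log(DNS_LOG)
    for d in ("google.com", "bdqjkxk.cn", "qwzvxkpl.net", "stxhyxvyiws.ws"):
        print(d, corroborate(d, recs, lists, randomness_exceeded=True))
    print("domain blacklist:", sorted(lists.blacklist), "ip blacklist:", sorted(lists.ip_blacklist))
```

stxhyxvyiws.ws stays "legitimate" here although its label is random-looking, because a single query from a single host does not meet either access condition; that is the trade-off the corroboration step makes to reduce false positives.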
Further, in one implementation, in order to further reduce misjudgment of illegal domain names, the device further includes:
a rule judgment module, for judging, if the degree of randomness of the domain name is greater than the predetermined threshold, whether the domain name conforms to a preset character combination rule;
the access detection module 30 is further used to: if it does not conform, judge whether the number of times a device in the current network accesses the domain name within the predetermined period exceeds the preset number of times, and the number of devices in the network accessing the domain name exceeds the predetermined number;
the domain name judgment module 20 is further used to: when the domain name is judged to conform to the preset character combination rule, judge it to be a legitimate domain name.
Because a domain name may be formed from various different types of character combinations, for example combinations of letters and digits of different languages, and the transition probabilities between the letters and digits of different languages are relatively low, in this embodiment, in order to reduce misjudgment of illegal domain names, after the degree of randomness of the domain name is detected to exceed the predetermined threshold it is checked whether the domain name conforms to a preset character combination rule. For example, the character combination rule may be: the domain name is formed by combining common words, pinyin and digits. When the domain name is detected to conform to the preset character combination rule, it is judged to be a legitimate domain name; otherwise it is judged to be an illegal domain name, or the access detection module 30 further judges whether the domain name is illegal according to the hosts' access to it in the LAN.
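One way to implement the preset character combination rule (common words, pinyin and digits) used in both the method and device embodiments above, as an added example that is not the patent's code; the dictionaries are tiny constructed stand-ins, a word or syllable piece is assumed to be at least two characters long, and only the first label is checked.

```python
"""Preset character combination rule: does the label split entirely into common
words, pinyin syllables and digit runs? (added example, not the patent's code)"""
from functools import lru_cache

# Constructed stand-ins for the common-word and pinyin dictionaries.
COMMON_WORDS = {"book", "store", "stack", "over", "flow", "google", "mail",
                "shop", "news", "online", "bank", "my", "search", "example"}
PINYIN = {"bai", "du", "tao", "bao", "wei", "xin", "zhi", "hu", "jing", "dong", "wang", "yi"}


def segment(domain):
    """Return the pieces the first label splits into (dictionary words, pinyin
    syllables, digit runs), or None if no complete split exists. Dynamic
    programming over split positions, longest dictionary match tried first."""
    s = domain.lower().split(".")[0]
    vocab = COMMON_WORDS | PINYIN
    n = len(s)

    @lru_cache(maxsize=None)
    def split_from(i):
        if i == n:
            return []
        # a run of digits is always an allowed piece
        j = i
        while j < n and s[j].isdigit():
            j += 1
        if j > i:
            rest = split_from(j)
            if rest is not None:
                return [s[i:j]] + rest
        # otherwise a dictionary piece of at least two characters (assumption)
        for j in range(n, i + 1, -1):
            piece = s[i:j]
            if piece in vocab:
                rest = split_from(j)
                if rest is not None:
                    return [piece] + rest
        return None

    return split_from(0)


def matches_combination_rule(domain):
    """The rule judgment: True means the label is a combination of known pieces
    and the domain is treated as legitimate by this step."""
    return segment(domain) is not None


if __name__ == "__main__":
    for d in ("bookstore.com", "stackoverflow.com", "taobao.com", "jingdong123.com",
              "bdqjkxk.cn", "stxhyxvyiws.ws"):
        print(d, segment(d))
```

A random-looking label such as bdqjkxk yields None and therefore falls through to the access-count check, while taobao splits into pinyin syllables even though its transition probabilities under an English-trained table would be low.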
The above are only preferred embodiments of the present invention and do not thereby limit the scope of the claims of the invention. Every equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or directly or indirectly applied in other related technical fields, is likewise included within the scope of protection of the present invention.
Claims (10)
1. A method of detecting an illegal domain name, characterized in that the method of detecting an illegal domain name comprises:
obtaining a domain name to be detected, analyzing the character composition of the domain name to obtain a characteristic value of the domain name, and obtaining a degree of randomness of the domain name according to the characteristic value;
if the degree of randomness of the domain name is greater than a predetermined threshold, judging the domain name to be an illegal domain name.
2. The method of detecting an illegal domain name according to claim 1, characterized in that the step of obtaining the domain name to be detected, analyzing the character composition of the domain name to obtain the characteristic value of the domain name, and obtaining the degree of randomness of the domain name according to the characteristic value comprises:
capturing a domain name from a domain name system (DNS) log as the domain name to be detected;
analyzing the character composition based on a preset randomness detection rule to generate a characteristic value corresponding to the randomness detection rule;
using the generated characteristic value as the degree of randomness of the domain name.
3. The method of detecting an illegal domain name according to claim 1, characterized in that, when there are multiple characteristic values, the step of obtaining the domain name to be detected, analyzing the character composition of the domain name to obtain the characteristic values of the domain name, and obtaining the degree of randomness of the domain name according to the characteristic values comprises:
capturing a domain name from a DNS log as the domain name to be detected;
analyzing the character composition based on a preset randomness detection rule to generate multiple characteristic values corresponding to the randomness detection rule;
normalizing the multiple characteristic values according to a classification model to obtain the degree of randomness, wherein the classification model is generated by training a classifier based on the randomness detection rule and the predetermined threshold, and the classification model includes multiple characteristic coefficients in one-to-one correspondence with the multiple characteristic values.
4. The method of detecting an illegal domain name according to claim 3, characterized in that, when the randomness detection rule includes 1-dimensional to N-dimensional transition probability matrices, N characteristic values are generated based on the 1-dimensional to N-dimensional transition probability matrices, and the generated classification model includes N characteristic coefficients;
the step of normalizing the multiple characteristic values according to the classification model to obtain the degree of randomness comprises:
multiplying each of the N characteristic values by its corresponding characteristic coefficient, and using the sum of the products as the degree of randomness of the domain name.
5. The method for detecting an illegal domain name according to any one of claims 1 to 4, characterized in that, before the step of determining that the domain name is an illegal domain name, the method further comprises:
if the degree of randomness of the domain name is greater than the preset threshold, determining whether the number of times that devices in the current network have accessed the domain name within a preset period is greater than a preset number of times, and whether the number of devices in the network that have accessed the domain name is greater than a preset number;
if so, determining that the domain name is an illegal domain name, and adding the domain name to a domain name blacklist;
if not, determining that the domain name is a legitimate domain name.
6. The method for detecting an illegal domain name according to claim 5, characterized in that, before the step of determining whether the number of times that devices in the current network have accessed the domain name within the preset period is greater than the preset number of times and whether the number of devices in the network that have accessed the domain name is greater than the preset number, the method further comprises:
if the degree of randomness of the domain name is greater than the preset threshold, determining whether the domain name conforms to a preset character combination rule;
if it does not conform, performing the step of determining whether the number of times that devices in the current network have accessed the domain name within the preset period is greater than the preset number of times and whether the number of devices in the network that have accessed the domain name is greater than the preset number;
if it conforms, determining that the domain name is a legitimate domain name.
7. The method for detecting an illegal domain name according to claim 6, characterized in that, before the step of analyzing the character composition of the domain name to obtain the characteristic value of the domain name, the method comprises:
after the domain name to be detected is obtained, detecting whether the domain name exists in a domain name blacklist or a domain name whitelist;
if not, performing the step of analyzing the character composition of the domain name to obtain the characteristic value of the domain name.
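As an added example (not the patent's own code), the following Python sketches claims 3 to 7 end to end: characteristic values from 1-dimensional and 2-dimensional character transition probability matrices, the coefficient-weighted sum of claim 4 as the degree of randomness, and then the list check, character combination rule and DNS-log access counts of claims 5 to 7. The benign corpus, the coefficients, the threshold margin, the combination-rule regex, the log format and the log lines are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
# Constructed benign corpus (assumption); the patent would train on real DNS data.
BENIGN_LABELS = ["google", "facebook", "youtube", "wikipedia", "amazon",
                 "twitter", "instagram", "linkedin", "microsoft", "apple",
                 "netflix", "github", "reddit", "mozilla", "example",
                 "cloudflare", "university", "bank"]

def build_models(labels, alphabet=ALPHABET):
    """1-dim (single character) and 2-dim (transition) matrices, add-one smoothed, as log-probs."""
    uni, bi = Counter(), defaultdict(Counter)
    for lab in labels:
        uni.update(lab)
        for a, b in zip(lab, lab[1:]):
            bi[a][b] += 1
    total = sum(uni.values()) + len(alphabet)
    log_uni = {c: math.log((uni[c] + 1) / total) for c in alphabet}
    log_bi = {}
    for a in alphabet:
        row = sum(bi[a].values()) + len(alphabet)
        log_bi[a] = {b: math.log((bi[a][b] + 1) / row) for b in alphabet}
    return log_uni, log_bi

def characteristic_values(label, log_uni, log_bi):
    """N=2 values: mean negative log-probability under each matrix (higher = less corpus-like)."""
    f1 = -sum(log_uni[c] for c in label) / len(label)
    pairs = list(zip(label, label[1:])) or [(label[0], label[0])]
    f2 = -sum(log_bi[a][b] for a, b in pairs) / len(pairs)
    return f1, f2

COEFFICIENTS = (0.3, 0.7)  # hypothetical; the patent trains a classifier to obtain these

def degree_of_randomness(label, log_uni, log_bi, coefficients=COEFFICIENTS):
    """Claim 4: multiply each characteristic value by its coefficient and sum the products."""
    values = characteristic_values(label, log_uni, log_bi)
    return sum(v * k for v, k in zip(values, coefficients))

MODELS = build_models(BENIGN_LABELS)
# Preset threshold (assumption): calibrated so every corpus label passes, plus a margin.
THRESHOLD = max(degree_of_randomness(l, *MODELS) for l in BENIGN_LABELS) + 0.25
# Hypothetical "preset character combination rule" (claim 6): a short word plus a few
# digits, the way hosts such as mail01 are commonly named.
COMBO_RULE = re.compile(r"^[a-z]{2,8}[0-9]{1,4}$")
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+)$")  # constructed log format: "epoch client qname"

def access_stats(domain, dns_log, now, period):
    """Claim 5 inputs: queries for `domain` and distinct clients within the last `period` seconds."""
    hits, devices = 0, set()
    for line in dns_log:
        m = LOG_RE.match(line)
        if m and m.group(3).lower().rstrip(".") == domain \
                and now - period <= int(m.group(1)) <= now:
            hits += 1
            devices.add(m.group(2))
    return hits, len(devices)

def detect(domain, dns_log, now, blacklist, whitelist,
           period=3600, min_hits=5, min_devices=2):
    """Claims 5 to 7 in order: list check, randomness score, combination rule, access counts."""
    domain = domain.lower().rstrip(".")
    if domain in blacklist or domain in whitelist:   # claim 7: listed names skip analysis
        return "illegal" if domain in blacklist else "legitimate"
    label = domain.split(".")[-2:][0]                # second-level label
    label = "".join(c for c in label if c in ALPHABET) or "-"
    if degree_of_randomness(label, *MODELS) <= THRESHOLD:
        return "legitimate"
    if COMBO_RULE.match(label):                      # claim 6: conforming names pass
        return "legitimate"
    hits, devices = access_stats(domain, dns_log, now, period)
    if hits > min_hits and devices > min_devices:    # claim 5: confirmed by DNS behaviour
        blacklist.add(domain)
        return "illegal"
    return "legitimate"

NOW = 1_700_000_000  # constructed log: 7 queries from 3 clients this hour, 1 stale, 1 unrelated
DNS_LOG = [f"{NOW - 60 * i} 10.0.0.{1 + i % 3} xkq7vz3mwp.com" for i in range(7)]
DNS_LOG += [f"{NOW - 90000} 10.0.0.9 xkq7vz3mwp.com", f"{NOW} 10.0.0.2 google.com"]
```

Note that a high degree of randomness alone never blacklists a name here: the access and device counts of claim 5 act as the behavioural confirmation, which keeps a single odd-looking but rarely queried name from being blocked.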
8. A device for detecting an illegal domain name, characterized in that the device for detecting an illegal domain name comprises:
a degree-of-randomness acquisition module, configured to obtain a domain name to be detected, analyze the character composition of the domain name to obtain a characteristic value of the domain name, and obtain a degree of randomness of the domain name according to the characteristic value;
a domain name judgment module, configured to determine that the domain name is an illegal domain name if the degree of randomness of the domain name is greater than a preset threshold.
9. The device for detecting an illegal domain name according to claim 8, characterized in that, when there are multiple characteristic values, the degree-of-randomness acquisition module comprises:
a domain name acquisition unit, configured to capture a domain name from a DNS log as the domain name to be detected;
a characteristic value acquisition unit, configured to analyze the character composition based on a preset randomness detection rule and generate multiple characteristic values corresponding to the randomness detection rule;
a normalization unit, configured to normalize the multiple characteristic values according to a classification model to obtain the degree of randomness, wherein the classification model is generated by training a classifier based on the randomness detection rule and a preset threshold, and the classification model includes multiple characteristic coefficients in one-to-one correspondence with the multiple characteristic values.
10. The device for detecting an illegal domain name according to claim 8 or claim 9, characterized in that the device for detecting an illegal domain name further comprises an access detection module and a list management module;
the access detection module is configured to: if the degree of randomness of the domain name is greater than the preset threshold, determine whether the number of times that devices in the current network have accessed the domain name within a preset period is greater than a preset number of times, and whether the number of devices in the network that have accessed the domain name is greater than a preset number;
the domain name judgment module is further configured to: when the number of times that devices in the current network have accessed the domain name within the preset period is greater than the preset number of times and the number of devices in the network that have accessed the domain name is greater than the preset number, determine that the domain name is an illegal domain name, and otherwise determine that the domain name is a legitimate domain name;
the list management module is configured to add the domain name determined by the domain name judgment module to be an illegal domain name to the domain name blacklist.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611195849.4A CN106713312A (en) | 2016-12-21 | 2016-12-21 | Method and device for detecting illegal domain name |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106713312A true CN106713312A (en) | 2017-05-24 |
Family ID: 58938746
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611195849.4A Pending CN106713312A (en) | 2016-12-21 | 2016-12-21 | Method and device for detecting illegal domain name |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106713312A (en) |
Cited By (45)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107645503A (en) * | 2017-09-20 | 2018-01-30 | 杭州安恒信息技术有限公司 | A kind of detection method of the affiliated DGA families of rule-based malice domain name |
CN107682348A (en) * | 2017-10-19 | 2018-02-09 | 杭州安恒信息技术有限公司 | DGA domain name Quick method and devices based on machine learning |
CN108337259A (en) * | 2018-02-01 | 2018-07-27 | 南京邮电大学 | A kind of suspicious web page identification method based on HTTP request Host information |
CN108449349A (en) * | 2018-03-23 | 2018-08-24 | 新华三大数据技术有限公司 | The method and device for preventing malice domain name from attacking |
CN109246074A (en) * | 2018-07-23 | 2019-01-18 | 北京奇虎科技有限公司 | Identify method, apparatus, server and the readable storage medium storing program for executing of suspicious domain name |
CN109391602A (en) * | 2017-08-11 | 2019-02-26 | 北京金睛云华科技有限公司 | A kind of zombie host detection method |
CN109391599A (en) * | 2017-08-10 | 2019-02-26 | 蓝盾信息安全技术股份有限公司 | A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis |
CN109889616A (en) * | 2018-05-21 | 2019-06-14 | 新华三信息安全技术有限公司 | A kind of method and device identifying domain name |
CN109936560A (en) * | 2018-12-27 | 2019-06-25 | 上海银行股份有限公司 | Malware means of defence and device |
CN110233830A (en) * | 2019-05-20 | 2019-09-13 | 中国银行股份有限公司 | Domain name identification and domain name identification model generation method, device and storage medium |
CN110392064A (en) * | 2019-09-04 | 2019-10-29 | 中国工商银行股份有限公司 | Risk Identification Method, calculates equipment and computer readable storage medium at device |
CN110401632A (en) * | 2019-06-20 | 2019-11-01 | 国网辽宁省电力有限公司信息通信分公司 | A kind of malice domain name infection host source tracing method |
US10581880B2 (en) | 2016-09-19 | 2020-03-03 | Group-Ib Tds Ltd. | System and method for generating rules for attack detection feedback system |
CN111078860A (en) * | 2019-11-27 | 2020-04-28 | 北京小米移动软件有限公司 | Text screening method, text screening device and electronic equipment |
CN111181937A (en) * | 2019-12-20 | 2020-05-19 | 北京丁牛科技有限公司 | Domain name detection method, device, equipment and system |
US10721271B2 (en) | 2016-12-29 | 2020-07-21 | Trust Ltd. | System and method for detecting phishing web pages |
US10721251B2 (en) | 2016-08-03 | 2020-07-21 | Group Ib, Ltd | Method and system for detecting remote access during activity on the pages of a web resource |
US10762352B2 (en) | 2018-01-17 | 2020-09-01 | Group Ib, Ltd | Method and system for the automatic identification of fuzzy copies of video content |
CN111654504A (en) * | 2020-06-10 | 2020-09-11 | 北京天融信网络安全技术有限公司 | DGA domain name detection method and device |
US10778719B2 (en) | 2016-12-29 | 2020-09-15 | Trust Ltd. | System and method for gathering information to detect phishing activity |
CN111935097A (en) * | 2020-07-16 | 2020-11-13 | 上海斗象信息科技有限公司 | Method for detecting DGA domain name |
US10958684B2 (en) | 2018-01-17 | 2021-03-23 | Group Ib, Ltd | Method and computer device for identifying malicious web resources |
CN112771523A (en) * | 2018-08-14 | 2021-05-07 | 北京嘀嘀无限科技发展有限公司 | System and method for detecting a generated domain |
US11005779B2 (en) | 2018-02-13 | 2021-05-11 | Trust Ltd. | Method of and server for detecting associated web resources |
CN112929370A (en) * | 2021-02-08 | 2021-06-08 | 丁牛信息安全科技(江苏)有限公司 | Domain name system hidden channel detection method and device |
CN113098989A (en) * | 2020-01-09 | 2021-07-09 | 深信服科技股份有限公司 | Dictionary generation method, domain name detection method, device, equipment and medium |
CN113329035A (en) * | 2021-06-29 | 2021-08-31 | 深信服科技股份有限公司 | Method and device for detecting attack domain name, electronic equipment and storage medium |
US11122061B2 (en) | 2018-01-17 | 2021-09-14 | Group IB TDS, Ltd | Method and server for determining malicious files in network traffic |
US11153351B2 (en) | 2018-12-17 | 2021-10-19 | Trust Ltd. | Method and computing device for identifying suspicious users in message exchange systems |
US11151581B2 (en) | 2020-03-04 | 2021-10-19 | Group-Ib Global Private Limited | System and method for brand protection based on search results |
US11250129B2 (en) | 2019-12-05 | 2022-02-15 | Group IB TDS, Ltd | Method and system for determining affiliation of software to software families |
CN114285627A (en) * | 2021-12-21 | 2022-04-05 | 安天科技集团股份有限公司 | Flow detection method and device, electronic equipment and computer readable storage medium |
CN114363060A (en) * | 2021-12-31 | 2022-04-15 | 深信服科技股份有限公司 | Domain name detection method, system, equipment and computer readable storage medium |
US11356470B2 (en) | 2019-12-19 | 2022-06-07 | Group IB TDS, Ltd | Method and system for determining network vulnerabilities |
US11431749B2 (en) | 2018-12-28 | 2022-08-30 | Trust Ltd. | Method and computing device for generating indication of malicious web resources |
US11451580B2 (en) | 2018-01-17 | 2022-09-20 | Trust Ltd. | Method and system of decentralized malware identification |
US11503044B2 (en) | 2018-01-17 | 2022-11-15 | Group IB TDS, Ltd | Method computing device for detecting malicious domain names in network traffic |
US11526608B2 (en) | 2019-12-05 | 2022-12-13 | Group IB TDS, Ltd | Method and system for determining affiliation of software to software families |
CN116599861A (en) * | 2023-07-18 | 2023-08-15 | 海马云(天津)信息技术有限公司 | Method for detecting cloud service abnormality, server device and storage medium |
US11755700B2 (en) | 2017-11-21 | 2023-09-12 | Group Ib, Ltd | Method for classifying user action sequence |
US11847223B2 (en) | 2020-08-06 | 2023-12-19 | Group IB TDS, Ltd | Method and system for generating a list of indicators of compromise |
US11934498B2 (en) | 2019-02-27 | 2024-03-19 | Group Ib, Ltd | Method and system of user identification |
US11947572B2 (en) | 2021-03-29 | 2024-04-02 | Group IB TDS, Ltd | Method and system for clustering executable files |
US11985147B2 (en) | 2021-06-01 | 2024-05-14 | Trust Ltd. | System and method for detecting a cyberattack |
US12088606B2 (en) | 2021-06-10 | 2024-09-10 | F.A.C.C.T. Network Security Llc | System and method for detection of malicious network resources |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101702660A (en) * | 2009-11-12 | 2010-05-05 | 中国科学院计算技术研究所 | Abnormal domain name detection method and system |
US20130232574A1 (en) * | 2012-03-02 | 2013-09-05 | Cox Communications, Inc. | Systems and Methods of DNS Grey Listing |
CN105577660A (en) * | 2015-12-22 | 2016-05-11 | 国家电网公司 | DGA domain name detection method based on random forest |
CN105827594A (en) * | 2016-03-08 | 2016-08-03 | 北京航空航天大学 | Suspicion detection method based on domain name readability and domain name analysis behavior |
Events
- 2016-12-21 CN CN201611195849.4A patent/CN106713312A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170524 |