CN106911536B - A DNS health degree assessment method based on a fuzzy comprehensive evaluation model - Google Patents
- Publication number
- CN106911536B
- Authority
- CN
- China
- Prior art keywords
- dns
- influence
- influence factor
- health degree
- evaluation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/12—Network monitoring probes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/50—Testing arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a DNS health degree assessment method based on a fuzzy comprehensive evaluation model, comprising the following steps. Step 1: obtain the server's raw traffic by switch mirroring and collect all data in the DNS response packets. Step 2: statistically analyse the DNS traffic by time window to build historical data, extract the DNS health degree influence factors, and calculate the value of each influence factor. Step 3: eliminate the effect of differing dimensions among the influence factors to obtain an evaluation value for each DNS health degree influence factor. Step 4: grade the factors by degree of influence to form a multi-level evaluation system, and analyse and confirm the weights of the influence factors at each level. Step 5: using the weight and evaluation value of each influence factor, assess the security state of the current DNS and obtain the assessment result for its current health degree. The invention takes full account of the characteristics of current DNS traffic and can effectively detect many kinds of DNS anomalies.
Description
Technical field
The present invention relates to the field of DNS measurement and evaluation, and in particular to a DNS health degree assessment method based on a fuzzy comprehensive evaluation model.
Background art
As the central nervous system of the Internet, DNS is a key node in nearly all Internet applications. Measuring and assessing DNS makes it possible to cope effectively with the problems and changes DNS faces, to ensure the stability and security of the DNS system, and to maintain the quality of the DNS service.
In the prior art, DNS servers are measured and assessed mainly by load monitoring, active performance testing, analysing DNS traffic to detect attacks such as DDoS and DNS poisoning, and comprehensive verification from the client through to the DNS data source. Performance measurement and assessment mainly relies on active probing, which is computationally expensive and time-consuming. Moreover, these methods concentrate on two aspects, the measurement and assessment of DNS performance and the measurement and assessment of DNS security. They are confined to particular performance or security problems of the DNS server and give little consideration to how users within the DNS service area use the service, so it is difficult to assess the operating condition of DNS as a whole.
DNS health degree assessment based on a fuzzy comprehensive evaluation model is an assessment technique that describes DNS activity through traffic statistics. Because many factors may affect DNS health degree, measuring and assessing DNS as a whole requires a corresponding model that summarises the performance characteristics of each part. Since fuzzy set theory was proposed, many related applications have appeared, among them the fuzzy comprehensive evaluation method. Fuzzy comprehensive evaluation is an effective multi-factor decision-making method for making an overall evaluation of something affected by multiple factors. It takes two main forms: one based on a fuzzy comprehensive matrix and one based on fuzzy integrals. The method is now widely used in system measurement and assessment, for example in modelling network security situation assessment and in the comprehensive measurement and assessment of network systems.
Summary of the invention
The technical problem to be solved by the invention is to provide a DNS health degree assessment method based on a fuzzy comprehensive evaluation model that extracts influence factors comprehensively and multi-dimensionally from three angles (the working state of the DNS itself, the DNS users, and the unconventional use state of DNS), takes full account of the characteristics of current DNS traffic, and can effectively detect many kinds of DNS anomalies.
To solve the above technical problem, the invention adopts the following technical solution:
A DNS health degree assessment method based on a fuzzy comprehensive evaluation model, comprising the following steps:
Step 1: obtain the server's raw traffic by switch mirroring and collect all data in the DNS response packets;
Step 2: statistically analyse the DNS traffic by time window to build historical data, extract the DNS health degree influence factors, and calculate the value of each influence factor;
Step 3: eliminate the effect of differing dimensions among the influence factors to obtain the evaluation value of each DNS health degree influence factor;
Step 4: grade the factors by degree of influence to form a multi-level evaluation system, and analyse and confirm the weights of the influence factors at each level;
Step 5: using the weight and evaluation value of each influence factor, assess the security state of the current DNS and obtain the assessment result for the DNS's current health degree.
Further, in step 2, the DNS health degree influence factors are extracted on the basis of a statistical analysis of historical DNS traffic in a real campus network environment, from three angles: factors affecting the working state of the DNS server, factors affecting the use state of users within the service area, and factors affecting the unconventional use state of DNS.
Further, in step 3, the effect of differing dimensions among the influence factors is eliminated by processing the obtained influence factor values with normalization formulas, which yields the evaluation value of each influence factor.
Further, in step 4, the multi-level evaluation system is formed by dividing the DNS health degree, by degree of influence, into three aspects: direct influence factors, indirect influence factors and DNS auxiliary data.
Further, in step 4, the analytic hierarchy process (AHP) is used to quantitatively analyse and confirm the weights of the influence factors at each level.
Compared with the prior art, the beneficial effects of the invention are: 1) the invention extracts influence factors comprehensively and multi-dimensionally from three angles (the working state of the DNS itself, the DNS users, and the unconventional use state of DNS), takes full account of the characteristics of current DNS traffic, and can effectively detect many kinds of DNS anomalies, such as DNS configuration errors, DDoS attacks and large-scale personnel changes; 2) the invention assesses the working state of DNS from the DNS traffic data currently being generated, which, compared with active probing, improves analysis speed and suits complex and changeable network environments; 3) the health degree model used by the invention does not target a single attack method or anomaly, and so extends well to a variety of attacks.
Brief description of the drawings
Fig. 1 is a flow diagram of an embodiment of the DNS health degree assessment method based on a fuzzy comprehensive evaluation model.
Fig. 2 is a schematic diagram of the multi-level evaluation system of influence factors.
Fig. 3 is a schematic diagram of the weights of the influence factors at each level.
Detailed description of embodiments
The invention is described in further detail below with reference to the drawings and specific embodiments. Fig. 1 is the flow chart of the method. As shown, the method mainly comprises the following steps: 1) obtain the server's raw traffic by switch mirroring and collect all data in the DNS response packets; 2) statistically analyse the DNS traffic by time window to build historical data, extract the DNS health degree influence factors, and calculate the value of each influence factor; 3) eliminate the effect of differing dimensions among the influence factors to obtain the evaluation value of each DNS health degree influence factor; 4) grade the factors by degree of influence to form a multi-level evaluation system, and analyse and confirm the weights of the influence factors at each level; 5) using the weight and evaluation value of each influence factor, assess the security state of the current DNS and obtain the assessment result for the DNS's current health degree.
The DNS health degree influence factors in step 2) are extracted on the basis of a statistical analysis of historical DNS traffic in a real campus network environment, from three different angles: factors affecting the working state of the DNS server, factors affecting the use state of users within the service area, and factors affecting the unconventional use state of DNS, as shown in Table 1.
Table 1. Three classes of influence factors
It should be understood that the influence factors listed in Table 1 serve only as illustration; in practice, influence factors can be added or removed to suit different network conditions.
Among the DNS server working state influence factors, take the "daily DNS query total count change rate" as an example. This change rate expresses the result of comparing the day's DNS query count with historical data. It reflects how active the local DNS system is, and a very large change rate suggests that an unexpected event has occurred. Ideally, a larger change rate relative to recent historical data and to historical data from the same period (the same day of the week, for example all Mondays) means that the day's DNS query count has dropped or risen sharply, and this is likely to mean that the DNS system has failed or is under attack. For example, in areas where the population is relatively stable, such as schools and companies, a large DNS query total count change rate implies that usage has changed greatly.
Among the user usage influence factors, take the "user request TOP1000 variability index" as an example. This index describes the result of comparing the day's user request TOP1000 with historical data (the previous seven days); the larger the index, the larger the change in the user request TOP1000. For users in the same area, the TOP ranking is usually relatively fixed, because of user habits and similar reasons, and does not change much. A smaller index therefore indicates that user usage in the area is more stable; otherwise user usage in the area is unstable.
For the unconventional use state, the DNS resolution success rate directly describes normal use of the DNS system. In the present invention the resolution success rate is calculated from the RCODE field in the DNS header.
Calculating each influence factor value in step 2) means computing it from historical and current DNS traffic data according to the description of the factor; the calculation formula for each influence factor is shown in Table 2.
Specifically, among the server working state influence factors, take the "daily DNS query total count change rate" as an example. Let the day's DNS query total be v, and let H be the historical data set of the recent and same-period n days, where each day's historical value is h_i, together with the historical query average. The change rate of the DNS query total count is then defined as shown in formula (1):
Among the user usage influence factors, take the "user request TOP1000 variability index" as an example. The daily user TOP1000 ranking contains 1000 (IP, Count) key-value pairs, that is, pairs of user and request count. Denote the day's ranking U and the historical data V (the actual calculation uses the data of the past seven days). Any IP then falls into one of the following four cases:
1. the IP exists in both the day's data and the historical data;
2. the IP appears for the first time in the day's data;
3. the IP appears only in the historical data;
4. the IP appears in neither the historical data nor the day's data.
Based on these four cases, the change in the user ranking is calculated as follows. For cases 1 and 2, the difference in the IP's request count between the two sets U and V is computed directly and represents the user change c. For case 3, such IPs are filtered out and the sum of their request counts, taken as a negative value, represents the user loss l. Case 4 lies outside the range of the current and historical data and is not considered for now. Finally the result is normalized as in formula (2) to obtain the user ranking value.
Among the unconventional use state influence factors, let w be the number of records in the day's DNS response records whose RCODE is 0, and n the total number of records; the DNS resolution success rate is then given by formula (3):
S = w/n × 100% (3)
Table 2. Calculation formula for each influence factor
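The RCODE-based success rate of formula (3) and the TOP-N comparison of U and V described above, as an added Python example that is not part of the patent. The header layout is the standard DNS header; the sample capture and addresses are constructed, and because formula (2) is not reproduced on this page the function returns the raw change and loss values, assuming V is already aggregated to one count per IP and that differences are taken as absolute values.

```python
import struct
from collections import defaultdict


def parse_header(msg):
    """Return (is_response, rcode) from a raw DNS message, or None if truncated."""
    if len(msg) < 12:                      # the fixed DNS header is 12 bytes
        return None
    _txid, flags = struct.unpack("!HH", msg[:4])
    return bool(flags & 0x8000), flags & 0x000F   # QR bit, 4-bit RCODE


def success_rate_by_window(records, window=86400):
    """Formula (3), S = w/n x 100%, computed per time window.

    records: iterable of (epoch_seconds, raw_dns_message) from the mirror port.
    Queries (QR=0) and truncated captures are not counted in n.
    """
    ok, total = defaultdict(int), defaultdict(int)
    for ts, msg in records:
        hdr = parse_header(msg)
        if hdr is None or not hdr[0]:
            continue
        start = ts - ts % window
        total[start] += 1
        if hdr[1] == 0:                    # RCODE 0 = NOERROR
            ok[start] += 1
    return {start: 100.0 * ok[start] / total[start] for start in sorted(total)}


def topn_change(today, history):
    """Return (change, loss) for the TOP-N ranking: c and l in the text.

    today (U) and history (V) map client IP -> request count.
    Assumptions of this example: V holds one aggregated count per IP and
    the per-IP difference is absolute. Case 4 never appears in either map.
    """
    change = sum(abs(n - history.get(ip, 0)) for ip, n in today.items())  # cases 1, 2
    loss = -sum(n for ip, n in history.items() if ip not in today)        # case 3
    return change, loss


def make_msg(flags):
    # Constructed 12-byte DNS header: id, flags, qdcount=1, other counts 0.
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


# Constructed sample capture: (timestamp, message).
SAMPLE = [
    (10, make_msg(0x0100)),      # query, ignored
    (11, make_msg(0x8180)),      # response, NOERROR
    (12, make_msg(0x8180)),      # response, NOERROR
    (13, make_msg(0x8183)),      # response, NXDOMAIN
    (14, make_msg(0x8180)),      # response, NOERROR
    (15, b"\x12\x34\x81"),       # truncated capture, ignored
    (86405, make_msg(0x8180)),   # next day, NOERROR
    (86406, make_msg(0x8182)),   # next day, SERVFAIL
]

# Constructed rankings using documentation addresses.
TODAY = {"192.0.2.1": 120, "192.0.2.2": 40, "192.0.2.9": 15}
HISTORY = {"192.0.2.1": 100, "192.0.2.2": 50, "192.0.2.3": 30}

if __name__ == "__main__":
    print(success_rate_by_window(SAMPLE))
    print(topn_change(TODAY, HISTORY))
```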
Eliminating the effect of differing dimensions among the influence factors in step 3) means processing the obtained influence factor values with normalization formulas to obtain the evaluation value of each influence factor. Specifically, arctangent function standardization and deviation (min-max) standardization are used to map the influence factor values to the interval [0,1]. The arctangent standardization method and the deviation standardization method are given by formulas (4) and (5) respectively:
In step 4), the multi-level evaluation system is formed by dividing the DNS health degree, by degree of influence, into influence factors in three aspects: direct influence factors, indirect influence factors and DNS auxiliary data. Specifically, a direct influence factor is one whose change directly affects the DNS health status. Indirect influence factors are the basic DNS states derived from daily DNS query traffic statistics; such factors depict the everyday use state of DNS and reflect DNS health degree indirectly. Auxiliary data has less influence on DNS health degree, but in extreme cases it can better reflect the health condition of DNS.
Analysing and confirming the weights of the influence factors at each level in step 4) means using AHP (the analytic hierarchy process) to quantitatively analyse and confirm those weights. Specifically, if the level whose weights are to be calculated contains n influence factors C_i, a judgment matrix W is constructed; after applying the operations of formulas (6) and (7) to the matrix W, its eigenvector is obtained by formula (8):
a′_i = a_i / n (8)
In step 5), the assessment result for the DNS's current health degree is obtained from the weight and evaluation value of each influence factor; a higher health degree score indicates a better DNS operating condition.
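Steps 3) to 5) chained together, as an added Python example that is not code from the patent. Formulas (4) to (7) are not reproduced on this page, so the usual arctangent and min-max forms and the column-normalize, row-sum AHP approximation that ends in formula (8) are assumed. The example goes beyond the text by rejecting inconsistent judgment matrices with Saaty's consistency ratio; the matrices, the grouping of factors, the `aux_metric` placeholder, the inversion of change-type factors so that 1 means healthy, and the weighted-average synthesis are all assumptions of this example.

```python
import math

# Saaty's random consistency index by matrix order (standard AHP values).
RI = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def arctan_norm(x):
    """Arctangent standardization (assumed form): maps |x| into [0, 1)."""
    return 2.0 / math.pi * math.atan(abs(x))


def minmax_norm(x, lo, hi):
    """Deviation (min-max) standardization (assumed form), clamped to [0, 1]."""
    if hi == lo:
        return 0.0
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def ahp_weights(W):
    """Weights from judgment matrix W: column-normalize, row-sum, divide by n."""
    n = len(W)
    col = [sum(W[i][j] for i in range(n)) for j in range(n)]
    a = [sum(W[i][j] / col[j] for j in range(n)) for i in range(n)]
    return [a_i / n for a_i in a]          # formula (8): a'_i = a_i / n


def consistency_ratio(W):
    """CR = CI / RI; 1x1 and 2x2 reciprocal matrices are always consistent."""
    n = len(W)
    if n < 3:
        return 0.0
    w = ahp_weights(W)
    lam = sum(sum(W[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    return ((lam - n) / (n - 1)) / RI[n]


def health_score(level1, level2, evals, cr_limit=0.1):
    """Two-level weighted synthesis; returns a score in [0, 100].

    level1: (group_names, judgment_matrix)
    level2: {group_name: (factor_names, judgment_matrix)}
    evals:  {factor_name: evaluation value in [0, 1], 1 = healthy}
    """
    groups, W1 = level1
    for M in [W1] + [m for _, m in level2.values()]:
        if consistency_ratio(M) > cr_limit:
            raise ValueError("judgment matrix is too inconsistent to use")
    score = 0.0
    for group, wg in zip(groups, ahp_weights(W1)):
        factors, W2 = level2[group]
        score += wg * sum(wf * evals[f] for f, wf in zip(factors, ahp_weights(W2)))
    return 100.0 * score


# Constructed judgment matrices; these are not the weights of Fig. 3.
LEVEL1 = (["direct", "indirect", "auxiliary"],
          [[1, 2, 6], [1 / 2, 1, 3], [1 / 6, 1 / 3, 1]])
LEVEL2 = {
    "direct": (["resolution_success"], [[1]]),
    "indirect": (["query_change", "top1000_change"], [[1, 3], [1 / 3, 1]]),
    "auxiliary": (["aux_metric"], [[1]]),   # hypothetical placeholder factor
}


def example_evals(success_pct, query_change_rate, top1000_index):
    """Map raw factor values to evaluation values (assumed direction: 1 = healthy)."""
    return {
        "resolution_success": minmax_norm(success_pct, 0, 100),
        "query_change": 1 - arctan_norm(query_change_rate),
        "top1000_change": 1 - arctan_norm(top1000_index),
        "aux_metric": 1.0,
    }


if __name__ == "__main__":
    print(round(health_score(LEVEL1, LEVEL2, example_evals(97, 0.5, 0.2)), 2))
```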
The assessment approach of the invention analyses DNS health degree influence factors from traffic data, assesses DNS health degree with a fuzzy comprehensive evaluation model, and presents the result in the form of a health degree. It thereby realises the assessment of DNS health degree, overcomes the one-sidedness of assessing DNS operating state, improves analysis speed, suits complex and changeable network environments, and solves the problem that the operating condition of DNS is difficult to assess efficiently as a whole in complex environments. The invention is applicable to increasingly complex network environments and effectively measures and assesses the many situations a DNS server faces in a real environment.
Claims (5)
1. A DNS health degree assessment method based on a fuzzy comprehensive evaluation model, characterised by comprising the following steps:
Step 1: obtain the server's raw traffic by switch mirroring and collect all data in the DNS response packets;
Step 2: statistically analyse the DNS traffic by time window to build historical data, extract the DNS health degree influence factors, and calculate the value of each influence factor;
Step 3: eliminate the effect of differing dimensions among the influence factors to obtain the evaluation value of each DNS health degree influence factor;
Step 4: grade the factors by degree of influence to form a multi-level evaluation system, and analyse and confirm the weights of the influence factors at each level;
Step 5: using the weight and evaluation value of each influence factor, assess the security state of the current DNS and obtain the assessment result for the DNS's current health degree.
2. The DNS health degree assessment method based on a fuzzy comprehensive evaluation model according to claim 1, characterised in that, in step 2, the DNS health degree influence factors are extracted on the basis of a statistical analysis of historical DNS traffic in a real campus network environment, from three angles: factors affecting the working state of the DNS server, factors affecting the use state of users within the service area, and factors affecting the unconventional use state of DNS.
3. The DNS health degree assessment method based on a fuzzy comprehensive evaluation model according to claim 1, characterised in that, in step 3, the effect of differing dimensions among the influence factors is eliminated by processing the obtained influence factor values with normalization formulas to obtain the evaluation value of each influence factor.
4. The DNS health degree assessment method based on a fuzzy comprehensive evaluation model according to claim 1, characterised in that, in step 4, the multi-level evaluation system is formed by dividing the DNS health degree, by degree of influence, into three aspects: direct influence factors, indirect influence factors and DNS auxiliary data.
5. The DNS health degree assessment method based on a fuzzy comprehensive evaluation model according to claim 1, characterised in that, in step 4, the analytic hierarchy process is used to quantitatively analyse and confirm the weights of the influence factors at each level.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710243598.0A CN106911536B (en) | 2017-04-14 | 2017-04-14 | A kind of DNS health degree appraisal procedure based on model of fuzzy synthetic evaluation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106911536A (en) | 2017-06-30 |
CN106911536B (en) | 2019-08-20 |
Family
ID=59209522
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710243598.0A Active CN106911536B (en) | 2017-04-14 | 2017-04-14 | A kind of DNS health degree appraisal procedure based on model of fuzzy synthetic evaluation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106911536B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110324295B (en) * | 2018-03-30 | 2022-04-12 | 阿里云计算有限公司 | Defense method and device for domain name system flooding attack |
CN109217469A (en) * | 2018-09-03 | 2019-01-15 | 南京永为科技有限公司 | Intelligent power distribution electrical energy monitoring system and working method |
US11570244B2 (en) * | 2018-12-11 | 2023-01-31 | Amazon Technologies, Inc. | Mirroring network traffic of virtual networks at a service provider network |
CN109788081A (en) * | 2019-01-17 | 2019-05-21 | 国家计算机网络与信息安全管理中心 | A kind of dns server test constantly and QoS evaluating method |
CN110336806B (en) * | 2019-06-27 | 2020-05-01 | 四川大学 | Covert communication detection method combining conversation behavior and communication relation |
CN110995880B (en) * | 2019-11-29 | 2022-08-16 | 北京工业大学 | DNS data quality evaluation method |
CN114866342B (en) * | 2022-06-30 | 2023-01-17 | 广东睿江云计算股份有限公司 | Flow characteristic identification method and device, computer equipment and storage medium |
CN116016220B (en) * | 2022-12-23 | 2024-06-18 | 天翼安全科技有限公司 | Method, device and equipment for predicting service traffic based on DNS traffic |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103001825A (en) * | 2012-11-15 | 2013-03-27 | 中国科学院计算机网络信息中心 | Method and system for detecting DNS (domain name system) traffic abnormality |
CN103929330A (en) * | 2014-04-22 | 2014-07-16 | 中国科学院计算技术研究所 | Domain name service quality evaluation method and system |
CN105516196A (en) * | 2016-01-19 | 2016-04-20 | 国家计算机网络与信息安全管理中心江苏分中心 | HTTP message data-based parallelization network anomaly detection method and system |
CN106209920A (en) * | 2016-09-19 | 2016-12-07 | 贵州白山云科技有限公司 | The safety protecting method of a kind of dns server and device |
-
2017
- 2017-04-14 CN CN201710243598.0A patent/CN106911536B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103001825A (en) * | 2012-11-15 | 2013-03-27 | 中国科学院计算机网络信息中心 | Method and system for detecting DNS (domain name system) traffic abnormality |
CN103929330A (en) * | 2014-04-22 | 2014-07-16 | 中国科学院计算技术研究所 | Domain name service quality evaluation method and system |
CN105516196A (en) * | 2016-01-19 | 2016-04-20 | 国家计算机网络与信息安全管理中心江苏分中心 | HTTP message data-based parallelization network anomaly detection method and system |
CN106209920A (en) * | 2016-09-19 | 2016-12-07 | 贵州白山云科技有限公司 | The safety protecting method of a kind of dns server and device |
Non-Patent Citations (1)
Title |
---|
基于层次分析法的域名系统安全状况评估;尹凌晓等;《科研信息化技术与应用》;20131231;第75-79页 |
Also Published As
Publication number | Publication date |
---|---|
CN106911536A (en) | 2017-06-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||