CN106911536B - A DNS health assessment method based on a fuzzy comprehensive evaluation model - Google Patents


Publication number
CN106911536B
Authority
CN
China
Prior art keywords
dns
influence
influence factor
health degree
evaluation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710243598.0A
Other languages
Chinese (zh)
Other versions
CN106911536A (en)
Inventor
陈兴蜀
朱毅
陈敬涵
邵国林
曾雪梅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan University
Original Assignee
Sichuan University

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/12 Network monitoring probes
    • H04L43/50 Testing arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a DNS health assessment method based on a fuzzy comprehensive evaluation model, comprising the following steps. Step 1: obtain the server's raw traffic through switch mirroring and collect all data in the DNS response packets. Step 2: statistically analyze the DNS traffic by time window to build historical data, extract the DNS health influence factors, and calculate the value of each influence factor. Step 3: eliminate the effect of dimension differences among the influence factors to obtain the evaluation value of each DNS health influence factor. Step 4: grade the factors by degree of influence to form a multi-level evaluation system, and analyze and determine the weights of the influence factors at each level. Step 5: from the weight and evaluation value of each influence factor, assess the current security state of the DNS and obtain the assessment result of its current health. The invention takes full account of the characteristics of current DNS traffic and can effectively detect many kinds of DNS anomalies.

Description

A DNS health assessment method based on a fuzzy comprehensive evaluation model
Technical field
The invention relates to the field of DNS system measurement and evaluation, in particular to a DNS health assessment method based on a fuzzy comprehensive evaluation model.
Background art
As the central nervous system of the Internet, DNS is a key node in nearly all Internet applications. Measuring and assessing DNS makes it possible to respond effectively to the problems and changes DNS faces, to ensure the stability and security of the DNS system, and to maintain the quality of DNS service.
In the prior art, DNS servers are measured and assessed mainly by load monitoring, active performance testing, analysis of DNS traffic to detect attacks such as DDoS and DNS poisoning, and integrity verification from the client to the DNS data source. Performance measurement and assessment mainly rely on active probing, which is computationally heavy and time-consuming. These methods concentrate on two aspects, the measurement and assessment of DNS performance and the measurement and assessment of DNS security. They are confined to particular performance or security problems of the DNS server and seldom consider how users within the DNS service area use the service, so it is difficult for them to assess DNS operation as a whole.
DNS health assessment based on a fuzzy comprehensive evaluation model is an assessment technique that describes DNS activity through traffic statistics. Because many factors may affect DNS health, measuring and assessing DNS as a whole requires establishing a corresponding model that summarizes the performance characteristics of its various parts. With the introduction of fuzzy set theory, many related applications appeared, fuzzy comprehensive evaluation among them. Fuzzy comprehensive evaluation is an effective multi-factor decision-making method for giving an overall evaluation of something that is influenced by multiple factors. It has two main forms: one based on a fuzzy comprehensive matrix and one based on fuzzy integrals. The method is now widely used in system measurement and assessment, for example to help model network security situation assessment methods and to measure and assess network systems comprehensively.
Summary of the invention
The technical problem to be solved by the invention is to provide a DNS health assessment method based on a fuzzy comprehensive evaluation model. The method extracts influence factors comprehensively and multi-dimensionally from three angles: the working state of the DNS itself, DNS users, and the non-routine use state of DNS. It takes full account of the characteristics of current DNS traffic and can effectively detect many kinds of DNS anomalies.
To solve the above technical problem, the invention adopts the following technical solution:
A DNS health assessment method based on a fuzzy comprehensive evaluation model, comprising the following steps:
Step 1: obtain the server's raw traffic through switch mirroring and collect all data in the DNS response packets;
Step 2: statistically analyze the DNS traffic by time window to build historical data, extract the DNS health influence factors, and calculate the value of each influence factor;
Step 3: eliminate the effect of dimension differences among the influence factors to obtain the evaluation value of each DNS health influence factor;
Step 4: grade the factors by degree of influence to form a multi-level evaluation system, and analyze and determine the weights of the influence factors at each level;
Step 5: from the weight and evaluation value of each influence factor, assess the current security state of the DNS and obtain the assessment result of its current health.
Further, in step 2, the DNS health influence factors are extracted on the basis of a statistical analysis of historical DNS traffic in a real campus network environment, from three angles: factors influencing the working state of the DNS server, factors influencing the use state of users within the service area, and factors influencing the non-routine use state of DNS.
Further, in step 3, the effect of dimension differences among the influence factors is eliminated by processing the obtained influence factor values with normalization formulas, yielding the evaluation value of each influence factor.
Further, in step 4, the multi-level evaluation system is formed by dividing DNS health, by degree of influence, into three aspects: direct influence factors, indirect influence factors and DNS auxiliary data.
Further, in step 4, the weights of the influence factors at each level are analyzed and determined quantitatively using the analytic hierarchy process (AHP).
Compared with the prior art, the beneficial effects of the invention are: 1) the invention extracts influence factors comprehensively and multi-dimensionally from three angles (the working state of the DNS itself, DNS users, and the non-routine use state of DNS), takes full account of the characteristics of current DNS traffic, and can effectively detect many kinds of DNS anomalies, such as DNS configuration errors, DDoS attacks and large-scale personnel changes; 2) the invention assesses the working state of DNS from the DNS traffic data currently being generated, which, compared with active probing, improves analysis speed and suits complex and changing network environments; 3) the health model used by the invention is not aimed at a single attack method or abnormal condition, and extends well to a variety of attacks.
Brief description of the drawings
Fig. 1 is a flow diagram of an embodiment of the DNS health assessment method based on a fuzzy comprehensive evaluation model.
Fig. 2 is a schematic diagram of the multi-level evaluation system of influence factors.
Fig. 3 is a schematic diagram of the weights of the influence factors at each level.
Detailed description of the embodiments
The invention is described in further detail below with reference to the drawings and specific embodiments. Fig. 1 is the flow chart of the method. As shown, the method mainly comprises the following steps: 1) obtain the server's raw traffic through switch mirroring and collect all data in the DNS response packets; 2) statistically analyze the DNS traffic by time window to build historical data, extract the DNS health influence factors, and calculate the value of each influence factor; 3) eliminate the effect of dimension differences among the influence factors to obtain the evaluation value of each DNS health influence factor; 4) grade the factors by degree of influence to form a multi-level evaluation system, and analyze and determine the weights of the influence factors at each level; 5) from the weight and evaluation value of each influence factor, assess the current security state of the DNS and obtain the assessment result of its current health.
The DNS health influence factors in step 2) are extracted on the basis of a statistical analysis of historical DNS traffic in a real campus network environment, from three different angles: factors influencing the working state of the DNS server, factors influencing the use state of users within the service area, and factors influencing the non-routine use state of DNS, as shown in Table 1.
Table 1. Three classes of influence factors
It should be understood that the influence factors listed in Table 1 are only illustrative; in practice, influence factors may be added or removed according to the conditions of the network.
Among the DNS server working-state influence factors, take the "daily DNS query total change rate" as an example. This rate expresses the result of comparing the day's DNS query count with historical data. It reflects how active the local DNS system is, and a very large change rate suggests that an unexpected event has occurred. Ideally, the larger the change rate relative to recent historical data for the same period (the same day of the week, for example both Mondays), the more sharply the day's DNS query count has slumped or surged, and in that situation the DNS system has likely failed or is under attack. For example, in areas where the population is relatively stable, such as schools and companies, a large change rate in the DNS query total implies that usage has changed significantly.
Among the user usage influence factors, take the "user request TOP1000 variability index" as an example. This index describes the result of comparing the day's user request TOP1000 with historical data (the previous seven days); the larger the index, the larger the change in the user request TOP1000. For users in the same area, the TOP ranking is usually relatively fixed because of user habits and similar reasons, and does not change much. A smaller index therefore indicates that usage among the area's users is more stable, and a larger index indicates that it is unstable.
In the non-routine use state, the DNS resolution success rate directly describes the normal use of the DNS system. In the invention, the resolution success rate is calculated from the RCODE field in the DNS header.
Calculating each influence factor value in step 2) means computing the value from historical and current DNS traffic data according to the description of the influence factor. The calculation formula of each influence factor is shown in Table 2.
Specifically, among the server working-state influence factors, take the "daily DNS query total change rate" as an example. Let the day's total DNS query count be v, and let H be the history data set of the recent n days for the same period, with h_i the historical value of each day and a historical query average taken over H. The change rate of the DNS query total is then defined as shown in formula (1):
Among the user usage influence factors, take the "user request TOP1000 variability index" as an example. The daily user TOP1000 ranking list contains 1000 (IP, Count) key-value pairs, that is, pairs of user and request count. Denote the ranking list calculated for the day as U and the historical data (the past seven days' data in actual calculation) as V. Any IP then falls into one of the following four cases:
1. the IP exists in both the day's data and the historical data;
2. the IP appears for the first time in the day's data;
3. the IP appears only in the historical data;
4. the IP appears in neither the historical data nor the day's data.
Based on these four cases, the change value of the user ranking list is calculated as follows. For cases 1 and 2, the difference between the IP's request counts in the two sets U and V is calculated directly and expresses the user change c. For case 3, such IPs are filtered out and the sum of their request counts, taken as a negative value, expresses the user loss l. Case 4 lies outside the range of the current and historical data and is not considered for now. Finally, the calculated result is normalized as in formula (2) to obtain the user ranking list value.
Among the non-routine use state influence factors, if the number of records with RCODE 0 in the day's DNS response records is w and the total number of records is n, the DNS resolution success rate is given by formula (3):
S = w/n × 100%    (3)
Table 2. Calculation formula of each influence factor
In step 3), the effect of dimension differences among the influence factors is eliminated by processing the obtained influence factor values with normalization formulas, yielding the evaluation value of each influence factor. Specifically, arctan-function standardization and deviation (min-max) standardization are used to map the influence factor values to the interval [0, 1]. The arctan-function standardization and the deviation standardization are given by formulas (4) and (5) respectively:
In step 4), the multi-level evaluation system is formed by dividing the DNS health influence factors, by degree of influence, into three aspects: direct influence factors, indirect influence factors and DNS auxiliary data. Specifically, a direct influence factor is one whose change directly affects the health of the DNS. An indirect influence factor is a basic DNS state derived from statistics of daily DNS query traffic; factors of this kind depict the routine use state of DNS and reflect DNS health indirectly. Auxiliary data has little influence on DNS health, but in extreme cases it reflects the health of the DNS well.
Also in step 4), the weights of the influence factors at each level are analyzed and determined quantitatively using AHP (the analytic hierarchy process). Specifically, if the level whose weights are to be calculated contains n influence factors C_i, a judgment matrix W is constructed. After applying the operations of formulas (6) and (7) to the matrix W, its eigenvector is obtained by formula (8):
a′_i = a_i / n    (8)
In step 5), the assessment result of the DNS current health is obtained from the weight and evaluation value of each influence factor. A higher health score indicates better DNS operation.
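The scoring path of steps 3) to 5), as an added Python example that is not code from the patent. Formulas (4) to (7) are not reproduced on this page, so the standard arctan and min-max normalizations and the sum-method AHP (which ends in the a_i/n step of formula (8)) are assumed; the judgment matrix, the sample factor values, the assignment of factors to levels, the `1 - x` inversion for "larger is worse" factors and the consistency-ratio check are likewise assumptions of the example.

```python
import math

# Saaty's random consistency index for matrix orders 3..9 (standard AHP table).
RI = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def resolution_success_rate(rcodes):
    """Formula (3): S = w / n x 100, with w = responses whose RCODE is 0."""
    if not rcodes:
        raise ValueError("no DNS responses in this time window")
    w = sum(1 for r in rcodes if r == 0)
    return w * 100.0 / len(rcodes)


def arctan_norm(x):
    """Arctan standardization (assumed form): maps x >= 0 into [0, 1)."""
    if x < 0:
        raise ValueError("expects a non-negative factor value")
    return math.atan(x) * 2.0 / math.pi


def minmax_norm(x, lo, hi):
    """Deviation (min-max) standardization (assumed form), clamped to [0, 1]."""
    if hi <= lo:
        raise ValueError("hi must be greater than lo")
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def ahp_weights(W):
    """Sum method: normalize columns, sum rows to a_i, then a_i / n (formula 8)."""
    n = len(W)
    if any(len(row) != n for row in W):
        raise ValueError("judgment matrix must be square")
    col = [sum(W[i][j] for i in range(n)) for j in range(n)]
    a = [sum(W[i][j] / col[j] for j in range(n)) for i in range(n)]
    return [ai / n for ai in a]


def consistency_ratio(W, w):
    """CR = CI / RI; a judgment matrix with CR >= 0.1 should be revised."""
    n = len(W)
    if n < 3:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    lam = sum(sum(W[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    return ((lam - n) / (n - 1)) / RI[n]


def health_score(W, evaluations):
    """Weighted sum of evaluation values in [0, 1]; higher means healthier."""
    weights = ahp_weights(W)
    if len(weights) != len(evaluations):
        raise ValueError("one evaluation value per weighted factor is required")
    if consistency_ratio(W, weights) >= 0.1:
        raise ValueError("judgment matrix is inconsistent (CR >= 0.1)")
    return sum(w * e for w, e in zip(weights, evaluations))


def assess_window(rcodes, query_change_rate, top1000_index, W):
    """Score one time window from three factors (level assignment is assumed)."""
    evaluations = [
        # direct: resolution success rate, already "higher is better"
        minmax_norm(resolution_success_rate(rcodes), 0.0, 100.0),
        # indirect: query total change rate, larger deviation is worse
        1.0 - arctan_norm(abs(query_change_rate)),
        # auxiliary: TOP1000 variability index, assumed to lie in [0, 1]
        1.0 - minmax_norm(top1000_index, 0.0, 1.0),
    ]
    return health_score(W, evaluations)


# Constructed judgment matrix: direct vs. indirect vs. auxiliary importance.
JUDGMENT = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]
# Constructed RCODE samples: 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN.
NORMAL_RCODES = [0] * 90 + [3] * 8 + [2] * 2
DEGRADED_RCODES = [0] * 40 + [2] * 60

if __name__ == "__main__":
    print("weights:", [round(x, 4) for x in ahp_weights(JUDGMENT)])
    print("normal window:", round(assess_window(NORMAL_RCODES, 0.25, 0.4, JUDGMENT), 3))
    print("degraded window:", round(assess_window(DEGRADED_RCODES, 3.0, 0.9, JUDGMENT), 3))
```

Rejecting a judgment matrix whose consistency ratio is 0.1 or more keeps contradictory pairwise judgments from silently producing weights that look plausible.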
The assessment approach of the invention analyzes the DNS health influence factors from traffic data and assesses DNS health with a fuzzy comprehensive evaluation model, presenting the final result in the form of a health score. It thereby achieves an assessment of DNS health, overcomes the one-sidedness of assessments of the DNS operating state, improves analysis speed, suits complex and changing network environments, and solves the problem that DNS operation is difficult to assess efficiently as a whole in a complex environment. The invention suits increasingly complex network environments and effectively measures and assesses the many situations a DNS server faces in a real environment.

Claims (5)

1. A DNS health assessment method based on a fuzzy comprehensive evaluation model, characterized by comprising the following steps:
Step 1: obtain the server's raw traffic through switch mirroring and collect all data in the DNS response packets;
Step 2: statistically analyze the DNS traffic by time window to build historical data, extract the DNS health influence factors, and calculate the value of each influence factor;
Step 3: eliminate the effect of dimension differences among the influence factors to obtain the evaluation value of each DNS health influence factor;
Step 4: grade the factors by degree of influence to form a multi-level evaluation system, and analyze and determine the weights of the influence factors at each level;
Step 5: from the weight and evaluation value of each influence factor, assess the current security state of the DNS and obtain the assessment result of its current health.
2. The DNS health assessment method based on a fuzzy comprehensive evaluation model according to claim 1, characterized in that, in step 2, the DNS health influence factors are extracted on the basis of a statistical analysis of historical DNS traffic in a real campus network environment, from three angles: factors influencing the working state of the DNS server, factors influencing the use state of users within the service area, and factors influencing the non-routine use state of DNS.
3. The DNS health assessment method based on a fuzzy comprehensive evaluation model according to claim 1, characterized in that, in step 3, the effect of dimension differences among the influence factors is eliminated by processing the obtained influence factor values with normalization formulas, yielding the evaluation value of each influence factor.
4. The DNS health assessment method based on a fuzzy comprehensive evaluation model according to claim 1, characterized in that, in step 4, the multi-level evaluation system is formed by dividing DNS health, by degree of influence, into three aspects: direct influence factors, indirect influence factors and DNS auxiliary data.
5. The DNS health assessment method based on a fuzzy comprehensive evaluation model according to claim 1, characterized in that, in step 4, the weights of the influence factors at each level are analyzed and determined quantitatively using the analytic hierarchy process.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710243598.0A CN106911536B (en) 2017-04-14 2017-04-14 A kind of DNS health degree appraisal procedure based on model of fuzzy synthetic evaluation


Publications (2)

Publication Number Publication Date
CN106911536A CN106911536A (en) 2017-06-30
CN106911536B true CN106911536B (en) 2019-08-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant