CN107547488A - DNS tunnel detection method and DNS tunnel detector - Google Patents
- Publication number: CN107547488A (application CN201610498923.3A)
- Authority: CN (China)
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Abstract
The embodiments of the invention disclose a DNS tunnel detection method and a DNS tunnel detector. The method includes: identifying multiple main domains contained in passive DNS data; creating at least one detecting domain corresponding to a main domain, where the number of domain names contained in the detecting domain is less than or equal to a first threshold; if the detecting domain contains DNS wildcard domain names, discarding the DNS wildcard domain names in the detecting domain; and identifying the detecting domains that are used for DNS tunnels. The invention does not involve client user information during detection and so avoids invading privacy. It can discard the large number of meaningless subdomain name records produced by wildcards, filtering out the records caused by Wildcard DNS and thereby eliminating the situation in which a large number of abnormal subdomain names appear under one domain. If a detecting domain is determined to be used for a DNS tunnel, defences can be directed at that detecting domain, preventing a malicious client from establishing a DNS tunnel with an external DNS server and safeguarding the data transmission process.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a DNS tunnel detection method and a DNS tunnel detector.
Background art
The Domain Name System (DNS) is one of the most critical basic services of the Internet. It maps domain names to IP addresses and vice versa, so that people can conveniently access the Internet without remembering complicated IP addresses. DNS traffic is generally not blocked by firewall policies; even within an intranet a DNS server is needed to perform name resolution, and in order to resolve names on the Internet the enterprise's internal DNS server must communicate with other DNS servers on the Internet. This creates the conditions for building a covert channel over the DNS protocol. Because a DNS tunnel client only needs to query its local DNS server and never communicates directly with the other end of the tunnel, detection and defence become more difficult, which has made DNS tunnels one of the most commonly used network covert channels today.
To defend effectively against DNS tunnels, one technical means used in the prior art is to forbid, at the gateway, DNS tunnel clients from communicating with any DNS server not designated by the administrator, allowing clients to use only the enterprise's internal DNS server or one designated by the operator. However, the operating principle of DNS means that the requests and responses of a DNS tunnel can be forwarded through the enterprise's or operator's server to the server end of the DNS tunnel, which is controlled by an external attacker. If the administrator-designated DNS server itself performs no detection of or defence against DNS tunnels, a malicious DNS tunnel client can still establish a DNS tunnel with the outside through that DNS server. This method is therefore not an effective DNS tunnel defence.
Summary of the invention
A first aspect of the embodiments of the present invention provides a DNS tunnel detection method, including:
Step A: identify multiple main domains contained in passive DNS data.
The passive DNS data used in this embodiment comes from passive DNS, a technique that records the resource records of authoritative DNS resolution results by analysing the communication between DNS servers.
The method of this step is based on the analysis of passive DNS data and does not involve client user information, so the privacy of users is fully protected. Passive DNS data can be obtained by exchange with the data sources of many companies around the world, or collected with one's own deployed sensors; it therefore offers a global view and is not limited to the DNS tunnel behaviour observed in a few monitored networks.
This step uses public suffixes (Public Suffix) to identify the main-domain part of the domain names contained in the passive DNS data, where a public suffix is a publicly registrable domain suffix such as com, net, com.cn or cn.
Step B: create at least one detecting domain corresponding to the main domain, where the multiple domain names contained in the detecting domain are subordinate domain names of the main domain, and the number of domain names contained in the detecting domain is less than or equal to a first threshold.
A detecting domain created in this embodiment is such that the detecting domain corresponding to a main domain contains multiple domain names, each of which is a subordinate domain name of the main domain; a subordinate domain name of the main domain may be a subdomain name of the main domain, the next-level domain name of a subdomain name, and so on. The number of domain names contained in the detecting domain is less than or equal to the first threshold.
Step C: if the detecting domain contains DNS wildcard domain names, discard the DNS wildcard domain names in the detecting domain, where a DNS wildcard domain name refers to domain names in the detecting domain that have the same resource record type and correspond to the same IP address information.
In this step, for each resource record type it is determined whether the domain names in the detecting domain with that type correspond to the same IP address information; if multiple domain names with the same resource record type in the detecting domain are found to correspond to the same IP address information, they are determined to be the DNS wildcard domain names in the detecting domain.
Step D: identify the detecting domains that are used for DNS tunnels.
This step analyses one detecting domain at a time: for all passive DNS records belonging to a detecting domain, a series of feature values is computed, and whether the detecting domain belongs to a DNS tunnel is judged on the basis of these feature values.
Specifically, a hand-written rule set or a classification model generated by a machine learning algorithm may be used; the classification model decides whether the feature values of the detecting domain indicate a DNS tunnel, and if so, the domain names of that detecting domain are regarded as tunnel domain names.
With reference to the first aspect, in a first implementation of the first aspect, the following may also be performed after step A:
Step A1: discard main domains that contain no subordinate domain names and/or domain names that are above the main domain.
In this step, if a main domain identified from the DNS data has no subdomain names created under it, that main domain containing no subordinate domain names is discarded. If a domain name above the main domain, such as com, is identified from the DNS data, that domain name above the main domain is discarded from the DNS data.
With reference to the first aspect or its first implementation, in a second implementation of the first aspect, step B specifically includes:
Step B1: create a detecting domain corresponding to the main domain, the detecting domain containing the main domain that corresponds to it;
Step B2: recursively divide the main domain to form multiple subdomains of the main domain, where a subdomain of the main domain contains subordinate domain names of the main domain and the number of domain names contained in the subdomain is less than or equal to the first threshold;
Step B3: create a detecting domain corresponding to each subdomain of the main domain, so that the detecting domains include the subdomains of the main domain.
The division into detecting domains in this embodiment is carried out recursively. First, for the detecting domain of each main domain, count the number of distinct domain names contained in each next-level subdomain of the main domain. If the number of distinct domain names contained in a next-level subdomain exceeds the first threshold, divide the distinct domain names of that next-level subdomain into a separate detecting domain. After this division, count within each detecting domain the number of distinct domain names contained in each subdomain two levels below the main domain; if that number exceeds the first threshold, divide the distinct domain names of that second-level subdomain into a separate detecting domain. Continue in this way until the number of domain names contained in the main domain corresponding to each detecting domain is less than or equal to the first threshold.
With reference to the first aspect or any one of its first to second implementations, in a third implementation of the first aspect, before step C the method further includes:
Step C1: determine, from the passive DNS data, the IP address information corresponding to the multiple domain names in the detecting domain that have the same resource record type;
Step C2: determine whether the multiple domain names with the same resource record type in the detecting domain correspond to the same IP address information;
Step C3: if multiple domain names with the same resource record type in the detecting domain correspond to the same IP address information, determine that they are the DNS wildcard domain names in the detecting domain.
In this step, if DNS wildcard domain names are detected in the detecting domain, this shows that the detecting domain is configured with wildcard DNS (Wildcard DNS).
Wildcard DNS produces a large number of meaningless domain name records in passive DNS databases, especially when someone has attempted subdomain brute-force enumeration against a domain that has wildcard DNS records, or has carried out a DNS denial-of-service attack using random domain name prefixes. Filtering out the records caused by DNS wildcard domain names eliminates the resulting situation in which a large number of abnormal domain names appear under one domain.
With reference to the first aspect or any one of its first to third implementations, in a fourth implementation of the first aspect, before step C the method further includes:
determining the number of distinct domain names contained in the detecting domain;
determining a target detecting domain, the number of distinct domain names contained in the target detecting domain being less than or equal to a second threshold;
discarding the target detecting domain.
It can be seen that this step of the embodiment excludes detecting domains that contain few domain names, which improves the efficiency of the subsequent DNS tunnel judgement.
With reference to the first aspect or any one of its first to fourth implementations, in a fifth implementation of the first aspect, determining whether a detecting domain is used for a DNS tunnel includes:
determining that a detecting domain satisfying one or more of the following conditions is used for a DNS tunnel:
- the number of distinct domain names contained in the detecting domain is greater than the second threshold;
- the average length of all domain names in the detecting domain is greater than or equal to a third threshold;
- the length of at least one domain name in the detecting domain is greater than or equal to a fourth threshold;
- the ratio of the domain names in the detecting domain that contain non-target characters to all domain names contained in the detecting domain is greater than or equal to a fifth threshold;
- the ratio of the domain names in the detecting domain that contain unprintable characters to all domain names contained in the detecting domain is greater than or equal to a sixth threshold;
- the number of distinct resource records contained in the detecting domain is greater than or equal to a seventh threshold.
Here the target characters are letters, and/or digits, and/or hyphens, and/or underscores, and a resource record records each domain name in the detecting domain together with the IP address information corresponding to that domain name.
A second aspect of the embodiments of the present invention provides a DNS tunnel detector, including:
a first recognition unit for performing step A, configured to identify multiple main domains contained in passive DNS data;
a creating unit for performing step B, configured to create at least one detecting domain corresponding to the main domain, where the multiple domain names contained in the detecting domain are subordinate domain names of the main domain and the number of domain names contained in the detecting domain is less than or equal to a first threshold;
a second recognition unit for performing step C, configured to discard the DNS wildcard domain names in the detecting domain if the detecting domain contains DNS wildcard domain names, where a DNS wildcard domain name refers to domain names in the detecting domain that have the same resource record type and correspond to the same IP address information;
a third recognition unit for performing step D, configured to identify the detecting domains that are used for DNS tunnels.
With reference to the second aspect, in a first implementation of the second aspect, the DNS tunnel detector further includes a fourth recognition unit, configured to discard main domains that contain no subordinate domain names and/or domain names that are above the main domain.
With reference to the second aspect or its first implementation, in a second implementation of the second aspect, the creating unit includes:
a first creation module, configured to create a detecting domain corresponding to the main domain, the detecting domain containing the main domain that corresponds to it;
a second creation module, configured to recursively divide the main domain to form multiple subdomains of the main domain, where a subdomain of the main domain contains subordinate domain names of the main domain and the number of domain names contained in the subdomain is less than or equal to the first threshold;
a third creation module, configured to create a detecting domain corresponding to each subdomain of the main domain, so that the detecting domains include the subdomains of the main domain.
With reference to the second aspect or any one of its first to second implementations, in a third implementation of the second aspect, the DNS tunnel detector further includes:
a first determining unit, configured to determine, from the passive DNS data, the IP address information corresponding to the multiple domain names in the detecting domain that have the same resource record type;
a second determining unit, configured to determine whether the multiple domain names with the same resource record type in the detecting domain correspond to the same IP address information;
a third determining unit, configured to determine, if multiple domain names with the same resource record type in the detecting domain correspond to the same IP address information, that they are the DNS wildcard domain names in the detecting domain.
With reference to the second aspect or any one of its first to third implementations, in a fourth implementation of the second aspect, the DNS tunnel detector further includes:
a fourth determining unit, configured to determine the number of distinct domain names contained in the detecting domain;
a fifth determining unit, configured to determine a target detecting domain, the number of distinct domain names contained in the target detecting domain being less than or equal to a second threshold;
a sixth determining unit, configured to discard the target detecting domain.
With reference to the second aspect or any one of its first to fourth implementations, in a fifth implementation of the second aspect, the third recognition unit is configured to determine that a detecting domain satisfying one or more of the following conditions is used for a DNS tunnel:
- the number of distinct domain names contained in the detecting domain is greater than the second threshold;
- the average length of all domain names in the detecting domain is greater than or equal to a third threshold;
- the length of at least one domain name in the detecting domain is greater than or equal to a fourth threshold;
- the ratio of the domain names in the detecting domain that contain non-target characters to all domain names contained in the detecting domain is greater than or equal to a fifth threshold;
- the ratio of the domain names in the detecting domain that contain unprintable characters to all domain names contained in the detecting domain is greater than or equal to a sixth threshold;
- the number of distinct resource records contained in the detecting domain is greater than or equal to a seventh threshold.
Here the target characters are letters, and/or digits, and/or hyphens, and/or underscores, and a resource record records each domain name in the detecting domain together with the IP address information corresponding to that domain name.
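The six feature checks of the fifth implementation (step D of the method and the third recognition unit of the detector), worked as an added example that is not code from the patent. The threshold values, the `Record` type, the treatment of dots and of "unprintable" characters, and the sample records are all assumptions made for the illustration.

```python
"""Added example, not the patent's own code: the feature checks of the fifth
implementation applied as a rule set to one detecting domain.
All threshold values and the sample records are assumptions/constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One passive DNS resource record: domain name, record type, IP address info."""
    name: str
    rtype: str
    ip: str


# Target characters per the patent: letters, digits, hyphen, underscore.
TARGET_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")

# Assumed thresholds (the patent leaves their values to the user).
THRESHOLDS = {
    "second": 5,     # distinct domain names must exceed this
    "third": 40.0,   # average name length
    "fourth": 60,    # longest single name
    "fifth": 0.5,    # share of names containing non-target characters
    "sixth": 0.5,    # share of names containing unprintable characters
    "seventh": 20,   # distinct resource records
}


def is_unprintable(ch: str) -> bool:
    """Assumption: unprintable means outside printable ASCII 0x20..0x7E."""
    return not 0x20 <= ord(ch) <= 0x7E


def label_chars(name: str, main_domain: str) -> str:
    """Characters of the labels below the main domain, with the dots removed.
    Assumption: the patent does not say whether '.' is a non-target character,
    so only the characters inside the labels are examined."""
    suffix = "." + main_domain
    prefix = name[: -len(suffix)] if name.endswith(suffix) else name
    return prefix.replace(".", "")


def detecting_domain_features(records, main_domain):
    """Compute the six feature values the rule set uses for one detecting domain."""
    names = sorted({r.name for r in records})
    total = len(names)
    if total == 0:
        return {"distinct_names": 0, "avg_length": 0.0, "max_length": 0,
                "non_target_ratio": 0.0, "unprintable_ratio": 0.0, "distinct_rrs": 0}
    chars = [label_chars(n, main_domain) for n in names]
    non_target = sum(1 for c in chars if any(ch not in TARGET_CHARS for ch in c))
    unprintable = sum(1 for c in chars if any(is_unprintable(ch) for ch in c))
    return {
        "distinct_names": total,
        "avg_length": sum(len(n) for n in names) / total,
        "max_length": max(len(n) for n in names),
        "non_target_ratio": non_target / total,
        "unprintable_ratio": unprintable / total,
        # A resource record is "domain name, resource record type, IP address information".
        "distinct_rrs": len({(r.name, r.rtype, r.ip) for r in records}),
    }


# (feature, comparison, threshold key) in the order the patent lists the conditions.
RULES = (
    ("distinct_names", "gt", "second"),
    ("avg_length", "ge", "third"),
    ("max_length", "ge", "fourth"),
    ("non_target_ratio", "ge", "fifth"),
    ("unprintable_ratio", "ge", "sixth"),
    ("distinct_rrs", "ge", "seventh"),
)


def satisfied_conditions(features, thresholds=THRESHOLDS):
    """Names of the conditions the detecting domain satisfies, in patent order."""
    hits = []
    for feature, cmp, key in RULES:
        value, limit = features[feature], thresholds[key]
        if (cmp == "gt" and value > limit) or (cmp == "ge" and value >= limit):
            hits.append(feature)
    return hits


def is_tunnel_domain(records, main_domain, thresholds=THRESHOLDS):
    """Patent rule: a detecting domain meeting one or more conditions is a tunnel domain."""
    features = detecting_domain_features(records, main_domain)
    return len(satisfied_conditions(features, thresholds)) > 0


# Constructed sample: six tunnel-like names, each carrying 64 hex characters of
# payload in two labels, with distinct IPs so they do not look like wildcard records.
def _hexname(i):
    h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
    return f"{h[:32]}.{h[32:]}.t.tunnel.example"


TUNNEL_RECORDS = [Record(_hexname(i), "A", f"203.0.113.{10 + i}") for i in range(6)]
BENIGN_RECORDS = [Record(n, "A", f"198.51.100.{7 + i}") for i, n in
                  enumerate(("www.shop.example", "mail.shop.example", "cdn.shop.example"))]

if __name__ == "__main__":
    for label, recs, main in (("tunnel", TUNNEL_RECORDS, "tunnel.example"),
                              ("benign", BENIGN_RECORDS, "shop.example")):
        print(label, satisfied_conditions(detecting_domain_features(recs, main)))
```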
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantages: the invention uses passive DNS data as its data source, so the detection process does not involve client user information and avoids invading privacy; it can discard the large number of meaningless subdomain name records produced by wildcards, filtering out the records caused by Wildcard DNS and thereby eliminating the situation in which a large number of abnormal subdomain names appear under one domain; and if a detecting domain is determined to be used for a DNS tunnel, defences can be directed at that detecting domain, preventing a malicious client from establishing a DNS tunnel with an external DNS server and safeguarding the data transmission process.
Brief description of the drawings
Fig. 1 is a flow chart of the steps of an embodiment of the DNS tunnel detection method provided by the present invention;
Fig. 2 is a schematic structural diagram of an embodiment of the DNS tunnel detector provided by the present invention.
Embodiment
This embodiment provides a DNS tunnel detection method; its specific steps are described in detail below with reference to Fig. 1.
Step 101: obtain passive DNS data.
The passive DNS data used in this embodiment comes from passive DNS, a technique that records the resource records of authoritative DNS resolution results by analysing the communication between DNS servers.
Passive DNS data is very commonly used in malware analysis. Moreover, passive DNS data does not contain information about the DNS tunnel client, so it avoids infringing user privacy; for this reason many companies and institutions around the world build passive DNS databases and share the data.
The method of this embodiment is based on the analysis of passive DNS data and does not involve client user information, so the privacy of users is fully protected. Passive DNS data can be obtained by exchange with the data sources of many companies around the world, or collected with one's own deployed sensors; it therefore offers a global view and is not limited to the DNS tunnel behaviour observed in a few monitored networks.
Specifically, the passive DNS data of this embodiment includes, but is not limited to, the domain name (Name), the resource record type (Type), the resource record data (Data) and a timestamp.
More specifically, this embodiment may obtain the entire history of passive DNS data, or only the passive DNS records from a certain period of time.
This embodiment does not limit the period, scope or time span over which passive DNS data is obtained.
Step 102: identify the multiple main domains contained in the passive DNS data.
This embodiment uses public suffixes (Public Suffix) to identify the main-domain part of the domain names contained in the passive DNS data.
A public suffix in this embodiment is a publicly registrable domain suffix, such as com, net, com.cn or cn.
A main domain in this embodiment is the domain name registered under a public suffix, not including any subdomain names it creates at the next level below itself.
For example, the main domain of www.huawei.com is huawei.com, and the main domain of www.sina.com.cn is sina.com.cn.
More specifically, the set of public suffixes can be based on the Public Suffix List, in which a "public suffix" is a name under which Internet users can directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List enumerates all known public suffixes.
The public suffix list may be combined with some customisation, because the Public Suffix List itself does not include some commonly used services that let anyone register free subdomain names, such as 3322.org; in this embodiment the domain names of such free subdomain services can also be added to the customised public suffix list.
Step 103: discard main domains that contain no subordinate domain names, and domain names that are above the main domain.
If a main domain identified from the DNS data has no subdomain names created under it, that main domain containing no subordinate domain names is discarded.
If a domain name above the main domain, such as com, is identified from the DNS data, that domain name above the main domain is discarded from the DNS data.
Step 104: create at least one detecting domain corresponding to the main domain.
A detecting domain created in this embodiment is such that the detecting domain corresponding to a main domain contains multiple domain names, each of which is a subordinate domain name of the main domain; a subordinate domain name of the main domain may be a subdomain name of the main domain, the next-level domain name of a subdomain name, and so on. The number of domain names contained in the detecting domain is less than or equal to the first threshold.
How detecting domains are created is described in detail below.
First, the main domain is recursively divided to form multiple subdomains of the main domain.
A subdomain of the main domain contains subordinate domain names of the main domain, and the number of domain names contained in the subdomain of the main domain is less than or equal to the first threshold.
Then, a detecting domain corresponding to each subdomain of the main domain is created, so that the detecting domains include the subdomains of the main domain.
The division into detecting domains in this embodiment is carried out recursively. First, for the detecting domain of each main domain, count the number of distinct domain names contained in each next-level subdomain of the main domain. If the number of distinct domain names contained in a next-level subdomain exceeds the first threshold, divide the distinct domain names of that next-level subdomain into a separate detecting domain. After this division, count within each detecting domain the number of distinct domain names contained in each subdomain two levels below the main domain; if that number exceeds the first threshold, divide the distinct domain names of that second-level subdomain into a separate detecting domain. Continue in this way until the number of domain names contained in the main domain corresponding to each detecting domain is less than or equal to the first threshold.
For example, if the main domain identified in step 102 is "tunnel.com", the different subdomains of main domain "tunnel.com" are determined, and for each of them it is judged in turn whether the number of domain names contained in that subdomain of "tunnel.com" is greater than or equal to the first threshold.
If the number of domain names contained in the subdomain "*.a.tunnel.com" of main domain "tunnel.com" exceeds the first threshold, a new detecting domain is created and subdomain "*.a.tunnel.com" is divided into that newly created detecting domain; in other words, subdomain "*.a.tunnel.com" is split off as an independent detecting domain.
The records of the other subdomains under main domain "tunnel.com", apart from "*.a.tunnel.com", still belong to the detecting domain of main domain "tunnel.com" for analysis. The records of main domain "tunnel.com" are thus divided into two detecting domains: the one containing subdomain "*.a.tunnel.com", and "tunnel.com" without subdomain "*.a.tunnel.com".
This process is performed recursively. For example, for the detecting domain "*.a.tunnel.com" split off in the previous step, if the number of domain names in one of its subdomains, "*.x.a.tunnel.com", exceeds the first threshold, subdomain "*.x.a.tunnel.com" is likewise split off as a separate detecting domain, so that there are now three detecting domains: the detecting domain containing subdomain "*.x.a.tunnel.com", the detecting domain containing subdomain "*.a.tunnel.com", and "tunnel.com" without subdomains "*.x.a.tunnel.com" and "*.a.tunnel.com". The number of domain names contained in each detecting domain split off in this way is less than or equal to the first threshold.
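Steps 102 to 104 on constructed names, as an added example that is not code from the patent. The suffix set (a handful of public suffixes plus the 3322.org customisation mentioned above), the first threshold of 3 and the sample names are assumptions; the sample mirrors the tunnel.com example, with names under a.tunnel.com and x.a.tunnel.com. It also shows one edge case the text does not spell out: a group whose names all sit directly under its own root cannot be divided any further, so that detecting domain keeps more names than the threshold.

```python
"""Added example, not the patent's own code: steps 102 to 104 on constructed
names. Main domains are identified with a constructed, partial public suffix
set, the step 103 discards are applied, and each main domain is then divided
recursively into detecting domains of at most FIRST_THRESHOLD names where possible."""
from collections import defaultdict

# Constructed suffix set: a few public suffixes plus the 3322.org customisation
# the patent mentions. A real deployment would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "3322.org"}
FIRST_THRESHOLD = 3   # assumed value; the patent leaves it to the user


def main_domain(name, suffixes=PUBLIC_SUFFIXES):
    """Main domain = longest matching public suffix plus the one label registered
    under it. Returns None for names that are themselves a suffix or above one."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:])
    return None


def group_by_main_domain(names):
    """Steps 102/103: map main domain -> its names, dropping names above any main
    domain and main domains that have no subordinate names."""
    groups = defaultdict(set)
    for name in names:
        main = main_domain(name)
        if main is not None:
            groups[main].add(name.lower())
    return {main: members for main, members in groups.items()
            if any(n != main for n in members)}


def split_detecting_domains(names, root, threshold=FIRST_THRESHOLD):
    """Step 104: recursively split the names under `root` into detecting domains.
    Names are grouped by their next-level subdomain below `root`; a group with
    more than `threshold` distinct names becomes its own detecting domain and is
    split again, while small groups stay with `root`. A group whose names all sit
    directly under its root cannot be divided further and is returned as-is, so
    such a detecting domain may still exceed the threshold."""
    own = {root} if root in names else set()
    by_child = defaultdict(set)
    for name in names:
        if name == root or not name.endswith("." + root):
            continue
        child_label = name[: -len(root) - 1].rsplit(".", 1)[-1]
        by_child[child_label + "." + root].add(name)
    result = {root: own}
    for child, members in by_child.items():
        if len(members) > threshold:
            result.update(split_detecting_domains(members, child, threshold))
        else:
            result[root] |= members
    return result


def build_detecting_domains(names, threshold=FIRST_THRESHOLD):
    """Run steps 102 to 104 and return {detecting domain root: set of names}."""
    out = {}
    for main, members in group_by_main_domain(names).items():
        out.update(split_detecting_domains(members, main, threshold))
    return out


# Constructed names mirroring the patent's tunnel.com example.
SAMPLE_NAMES = [
    "com",                 # above any main domain: discarded in step 103
    "lonely.net",          # main domain with no subordinate names: discarded
    "foo.bar.3322.org",    # the custom suffix makes bar.3322.org the main domain
    "tunnel.com", "www.tunnel.com",
    "p1.a.tunnel.com", "p2.a.tunnel.com",
    "q1.x.a.tunnel.com", "q2.x.a.tunnel.com", "q3.x.a.tunnel.com", "q4.x.a.tunnel.com",
]

if __name__ == "__main__":
    for root, members in sorted(build_detecting_domains(SAMPLE_NAMES).items()):
        print(f"{root}: {len(members)} names")
```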
Step 105: determine, from the passive DNS data, the IP address information corresponding to the multiple domain names in the detecting domain that have the same resource record type.
Specifically, the passive DNS data includes resource record data (Data), which records, for each domain name in the detecting domain, its resource record type and the IP address information corresponding to that domain name.
More specifically, each item of resource record data has the form "domain name, resource record type, IP address information", where the domain name and the IP address information correspond to each other.
For example, from the resource record data of the passive DNS data it can be determined that the domain name "*.mydomain.com" in a detecting domain has a given resource record type and that its corresponding IP address information is 1.2.3.4.
Step 106: determine whether multiple domain names with the same resource record type in the detecting domain correspond to the same IP address information; if so, perform step 107.
Specifically, for each resource record type it is determined whether the domain names in the detecting domain with that type correspond to the same IP address information; if multiple domain names with the same resource record type in the detecting domain are found to correspond to the same IP address information, step 107 is performed.
Step 107: determining the DNS wildcard domain names in the detection domain.
In this embodiment, the DNS wildcard domain names are the domain names in the detection domain that have the same resource record type and correspond to the same IP address information.
Step 108: discarding the DNS wildcard domain names in the detection domain.
In this embodiment, if DNS wildcard domain names are detected in the detection domain, this indicates that the detection domain is configured with wildcard DNS (Wildcard DNS).
Wildcard DNS generates a large number of meaningless domain name records in passive DNS databases, especially when someone has attempted subdomain brute-forcing (subdomain explosion) against a domain that has wildcard DNS records, or has carried out a DNS denial-of-service attack using random domain name prefixes. Filtering out the records generated by DNS wildcard domain names eliminates the resulting situation in which a large number of abnormal domain names exist under a single domain.
Step 109: determining the number of different domain names included in the detection domain.
In this embodiment, the number of different domain names included in each detection domain that has been divided is determined.
Step 110: determining a target detection domain.
Here, the number of different domain names included in the target detection domain is less than or equal to a second threshold.
This embodiment does not limit the size of the second threshold; it can be set by the user according to the requirements of actual use.
Step 111: discarding the target detection domain.
If a detection domain including a number of different domain names less than or equal to the second threshold is determined to be a target detection domain, this embodiment may discard that target detection domain.
It can be seen that step 111 of this embodiment excludes detection domains with few domain names, which improves the efficiency of the subsequent DNS tunnel judgement.
Steps 109 to 111 of this embodiment are optional; this embodiment does not limit whether they are executed in a specific implementation.
Step 112: determining that a detection domain is used for a DNS tunnel.
This embodiment performs the analysis one detection domain at a time: for all passive DNS records belonging to one detection domain, a series of feature values is computed, and whether the detection domain belongs to a DNS tunnel is judged on the basis of these feature values.
Specifically, a hand-written rule set or a classification model generated by a machine learning algorithm can be used; the classification model decides whether the feature values of the detection domain belong to a DNS tunnel, and if so, the domain names of that detection domain are regarded as tunnel domain names.
This embodiment does not limit the feature values.
For example, when this embodiment determines whether a detection domain is used for a DNS tunnel, it suffices to set a preset condition in advance; if the detection domain meets the preset condition, the detection domain is used for a DNS tunnel.
Specifically, a detection domain meeting one or more of the following conditions is determined to be used for a DNS tunnel. It should be made clear that the following conditions are optional examples and are not limiting.
The number of different domain names included in the detection domain is greater than the second threshold; the length of at least one domain name in the detection domain is greater than or equal to a third threshold; the average length of all domain names in the detection domain is greater than or equal to a fourth threshold; the ratio of domain names in the detection domain that contain non-target characters to all domain names included in the detection domain is greater than or equal to a fifth threshold; the ratio of domain names in the detection domain that contain unprintable characters to all domain names included in the detection domain is greater than or equal to a sixth threshold; the number of different resource records included in the detection domain is greater than or equal to a seventh threshold.
Here, the target characters are letters, and/or digits, and/or hyphens, and/or underscores, and the resource records record each domain name in the detection domain together with the IP address information corresponding to each domain name in the detection domain.
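As an added example (not the patent's own code), the following Python models the whole procedure of this embodiment, from main-domain identification through the recursive detection-domain division, wildcard discarding and small-domain discarding to the rule-based judgement of step 112, on constructed passive DNS records. The public-suffix set, the threshold values, the sample records and the requirement that several conditions match (the patent accepts any single condition) are this example's own assumptions.

```python
# Added example, not the patent's own code: a compact runnable model of the
# detection-domain pipeline (recursive division, wildcard discarding, discarding
# of small detection domains, rule-based tunnel judgement) over constructed records.
from collections import defaultdict
from statistics import mean

# Constructed passive DNS records in the "domain name, record type, IP" form.
# tunnel.com carries a tunnel under x.a.tunnel.com, wild.com answers every name
# with one IP (wildcard DNS), and 3322.org stands in for a dynamic-DNS provider
# that the assumed public-suffix set does not list.
RECORDS = (
    [("www.shop.com", "A", "10.0.0.1"), ("mail.shop.com", "A", "10.0.0.2"),
     ("www.tunnel.com", "A", "10.1.1.1"), ("a.tunnel.com", "A", "10.1.1.2"),
     ("home.3322.org", "A", "10.4.4.1")]
    + [("ab" * 10 + f"{i:02d}=.x.a.tunnel.com", "A", f"10.2.{i}.1") for i in range(6)]
    + [(f"host{i}.wild.com", "A", "10.3.3.3") for i in range(4)]
    + [("cd" * 12 + f"{i:02d}.tunnel.3322.org", "A", f"10.5.{i}.1") for i in range(5)]
)
PUBLIC_SUFFIXES = {"com", "org"}  # assumed stand-in for the Public Suffix List
TARGET_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
THRESHOLDS = {"second": 3, "third": 30, "fourth": 25,  # assumed threshold values
              "fifth": 0.5, "sixth": 0.1, "seventh": 5}


def main_domain(name):
    """Main domain = the label directly above the public suffix (None if none)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def child_of(name, suffix):
    """Subdomain one label below `suffix` that contains `name`; None at the apex."""
    if name == suffix:
        return None
    return name[: -len(suffix) - 1].rsplit(".", 1)[-1] + "." + suffix


def partition(suffix, names, first_threshold):
    """Recursive division: a subdomain holding more than `first_threshold` names
    is split off as its own detection domain; the rest stay with `suffix`."""
    groups = defaultdict(list)
    for name in names:
        groups[child_of(name, suffix)].append(name)
    detection_domains, kept = {}, []
    for child, members in groups.items():
        if child is not None and len(members) > first_threshold:
            detection_domains.update(partition(child, members, first_threshold))
        else:
            kept.extend(members)
    detection_domains[suffix] = kept
    return detection_domains


def drop_wildcards(names, records):
    """Names in one detection domain sharing a record type and the same IP with
    another name are treated as wildcard DNS records and discarded (steps 105-108)."""
    wanted, by_answer = set(names), defaultdict(set)
    for name, rtype, ip in records:
        if name in wanted:
            by_answer[(rtype, ip)].add(name)
    wild = set().union(*(g for g in by_answer.values() if len(g) > 1))
    return [n for n in names if n not in wild]


def features(names, records):
    """Step 112 feature values; dots are label separators, not non-target characters."""
    wanted, bodies, lengths = set(names), [n.replace(".", "") for n in names], [len(n) for n in names]
    return {
        "count": len(wanted),
        "max_len": max(lengths),
        "avg_len": mean(lengths),
        "non_target_ratio": sum(any(c not in TARGET_CHARS for c in b) for b in bodies) / len(names),
        "unprintable_ratio": sum(any(not c.isprintable() for c in b) for b in bodies) / len(names),
        "records": len({r for r in records if r[0] in wanted}),
    }


def rule_hits(f, t=THRESHOLDS):
    """Names of the patent's conditions that a feature vector satisfies."""
    checks = {
        "many_names": f["count"] > t["second"],
        "long_name": f["max_len"] >= t["third"],
        "long_average": f["avg_len"] >= t["fourth"],
        "non_target_chars": f["non_target_ratio"] >= t["fifth"],
        "unprintable_chars": f["unprintable_ratio"] >= t["sixth"],
        "many_records": f["records"] >= t["seventh"],
    }
    return sorted(k for k, v in checks.items() if v)


def detect(records, first_threshold=3, thresholds=THRESHOLDS, min_hits=3):
    """Whole pipeline: {detection domain: matched conditions} for domains judged to be
    tunnels. Requiring `min_hits` conditions is this example's own hand-written rule."""
    by_main = defaultdict(set)
    for name, _, _ in records:
        if main_domain(name):
            by_main[main_domain(name)].add(name)
    verdicts = {}
    for md, names in by_main.items():
        for det, members in partition(md, sorted(names), first_threshold).items():
            members = drop_wildcards(members, records)
            if len(set(members)) <= thresholds["second"]:  # steps 109-111: discard
                continue
            hits = rule_hits(features(members, records), thresholds)
            if len(hits) >= min_hits:
                verdicts[det] = hits
    return verdicts
```

Running `detect(RECORDS)` flags x.a.tunnel.com and tunnel.3322.org only: the wildcard names under wild.com are discarded, shop.com and the apex of 3322.org are too small to be judged, and 3322.org itself is never blamed for its one tunnelling subdomain.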
In this embodiment, once a detection domain is determined to be used for a DNS tunnel, defensive measures can be taken against that detection domain. This embodiment does not limit the means of defence against a detection domain used for a DNS tunnel, as long as a malicious client can no longer establish a DNS tunnel with an external DNS server.
The beneficial effect of the DNS tunnel detection method shown in this embodiment is that the present invention uses passive DNS data as its data source. Unlike conventional traffic-based approaches, which must analyze DNS request or response packets, detection based on passive DNS data in this embodiment does not involve client user information and therefore avoids invasion of privacy; furthermore, passive DNS data is collected on a large scale worldwide and data sources can be obtained by exchange from multiple companies, so the detection results have a global view. During detection, wildcard records that contain a large number of meaningless subdomain records can be discarded; filtering out the records generated by wildcards eliminates the situation in which a large number of abnormal subdomains exist under a single domain. Conventional methods detect either in units of single DNS messages or in units of a combination of a client and a main domain, whereas the method shown in this embodiment analyzes in units of detection domains. The division of detection domains is performed in two steps: first, a preliminary main-domain division is made using the Public Suffix List, which is as far as most existing analysis methods go in processing domain names; we then add an additional detection-domain division step. Considering that many attackers use only one subdomain under a main domain for DNS tunnelling, and that the Public Suffix List does not comprehensively include all subdomain registration services, this step helps to locate the tunnel domain name itself accurately. For example, the Public Suffix List does not include 3322.org. If someone registers a free tunnel.3322.org and the division is made only by main domain, 3322.org would be treated as the tunnel domain name and other legitimate users of 3322.org would be wrongly affected, whereas after the detection-domain division we can isolate tunnel.3322.org and analyze it more accurately.
The DNS tunnel detection device provided by the embodiment of the present invention is described below with reference to its structure shown in Fig. 2. The DNS tunnel detection device shown in Fig. 2 can implement the DNS tunnel detection method shown in Fig. 1; the specific execution flow and beneficial effects of that method are described in detail with reference to Fig. 1 and are not repeated in this embodiment.
The DNS tunnel detection device shown in this embodiment includes:
a first identification unit 201, configured to identify multiple main domains included in passive DNS data;
a fourth identification unit 202, configured to discard main domains that contain no subordinate domain names and/or domain names that are superior to the main domain;
a creation unit 203, configured to create at least one detection domain corresponding to the main domain, the multiple domain names included in the detection domain being subordinate domain names of the main domain, and the number of domain names included in the detection domain being less than or equal to a first threshold;
wherein the creation unit 203 includes:
a first creation module 2031, configured to create a detection domain corresponding to the main domain, the detection domain including the main domain corresponding to it;
a second creation module 2032, configured to recursively divide the main domain to form multiple subdomains of the main domain, a subdomain of the main domain including subordinate domain names of the main domain, and the number of domain names included in the subdomain of the main domain being less than or equal to the first threshold;
a third creation module 2033, configured to create, respectively, detection domains corresponding to the subdomains of the main domain, so that the detection domains include the subdomains of the main domain;
a first determining unit 204, configured to determine, according to the passive DNS data, the IP address information corresponding to multiple domain names in the detection domain that have the same resource record type;
a second determining unit 205, configured to determine whether the multiple domain names in the detection domain that have the same resource record type correspond to the same IP address information;
a third determining unit 206, configured to determine the DNS wildcard domain names in the detection domain if multiple domain names in the detection domain with the same resource record type correspond to the same IP address information;
a second identification unit 207, configured to discard the DNS wildcard domain names in the detection domain if the detection domain includes DNS wildcard domain names, wherein the DNS wildcard domain names are domain names in the detection domain that have the same resource record type and correspond to the same IP address information;
a fourth determining unit 208, configured to determine the number of different domain names included in the detection domain;
a fifth determining unit 209, configured to determine a target detection domain, the number of different domain names included in the target detection domain being less than or equal to a second threshold;
a sixth determining unit 210, configured to discard the target detection domain;
a third identification unit 211, configured to identify the detection domain used for a DNS tunnel.
The third identification unit 211 is further configured to determine that a detection domain meeting one or more of the following conditions is used for a DNS tunnel:
the number of different domain names included in the detection domain is greater than the second threshold; the length of at least one domain name in the detection domain is greater than or equal to a third threshold; the average length of all domain names in the detection domain is greater than or equal to a fourth threshold; the ratio of domain names in the detection domain that contain non-target characters to all domain names included in the detection domain is greater than or equal to a fifth threshold; the ratio of domain names in the detection domain that contain unprintable characters to all domain names included in the detection domain is greater than or equal to a sixth threshold; the number of different resource records included in the detection domain is greater than or equal to a seventh threshold;
wherein the target characters are letters, and/or digits, and/or hyphens, and/or underscores, and the resource records record each domain name in the detection domain together with the IP address information corresponding to each domain name in the detection domain.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be understood by reference to the corresponding processes in the foregoing method embodiment, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiment described above is merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Finally, the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (12)
- 1. A DNS tunnel detection method, characterized by comprising: identifying multiple main domains included in passive DNS data; creating at least one detection domain corresponding to the main domain, the multiple domain names included in the detection domain being subordinate domain names of the main domain, and the number of domain names included in the detection domain being less than or equal to a first threshold; if the detection domain includes DNS wildcard domain names, discarding the DNS wildcard domain names in the detection domain, wherein the DNS wildcard domain names are domain names in the detection domain that have the same resource record type and correspond to the same IP address information; and identifying the detection domain used for a DNS tunnel.
- 2. The method according to claim 1, characterized in that, after identifying the multiple main domains included in the passive DNS data, the method further comprises: discarding main domains that contain no subordinate domain names and/or domain names that are superior to the main domain.
- 3. The method according to claim 1 or 2, characterized in that creating the at least one detection domain corresponding to the main domain comprises: creating a detection domain corresponding to the main domain, the detection domain including the main domain corresponding to it; recursively dividing the main domain to form multiple subdomains of the main domain, a subdomain of the main domain including subordinate domain names of the main domain, and the number of domain names included in the subdomain of the main domain being less than or equal to the first threshold; and creating, respectively, detection domains corresponding to the subdomains of the main domain, so that the detection domains include the subdomains of the main domain.
- 4. The method according to any one of claims 1 to 3, characterized in that, if the detection domain includes DNS wildcard domain names, before discarding the DNS wildcard domain names in the detection domain the method further comprises: determining, according to the passive DNS data, the IP address information corresponding to multiple domain names in the detection domain that have the same resource record type; determining whether the multiple domain names in the detection domain that have the same resource record type correspond to the same IP address information; and if the multiple domain names in the detection domain that have the same resource record type correspond to the same IP address information, determining that they are the DNS wildcard domain names in the detection domain.
- 5. The method according to any one of claims 1 to 4, characterized in that, before determining whether the detection domain is used for a DNS tunnel, the method further comprises: determining the number of different domain names included in the detection domain; determining a target detection domain, the number of different domain names included in the target detection domain being less than or equal to a second threshold; and discarding the target detection domain.
- 6. The method according to any one of claims 1 to 4, characterized in that determining whether the detection domain is used for a DNS tunnel comprises: determining that a detection domain meeting one or more of the following conditions is used for a DNS tunnel: the number of different domain names included in the detection domain is greater than a second threshold; the length of at least one domain name in the detection domain is greater than or equal to a third threshold; the average length of all domain names in the detection domain is greater than or equal to a fourth threshold; the ratio of domain names in the detection domain that contain non-target characters to all domain names included in the detection domain is greater than or equal to a fifth threshold; the ratio of domain names in the detection domain that contain unprintable characters to all domain names included in the detection domain is greater than or equal to a sixth threshold; the number of different resource records included in the detection domain is greater than or equal to a seventh threshold; wherein the target characters are letters, and/or digits, and/or hyphens, and/or underscores, and the resource records record each domain name in the detection domain together with the IP address information corresponding to each domain name in the detection domain.
- 7. A DNS tunnel detection device, characterized by comprising: a first identification unit, configured to identify multiple main domains included in passive DNS data; a creation unit, configured to create at least one detection domain corresponding to the main domain, the multiple domain names included in the detection domain being subordinate domain names of the main domain, and the number of domain names included in the detection domain being less than or equal to a first threshold; a second identification unit, configured to discard the DNS wildcard domain names in the detection domain if the detection domain includes DNS wildcard domain names, wherein the DNS wildcard domain names are domain names in the detection domain that have the same resource record type and correspond to the same IP address information; and a third identification unit, configured to identify the detection domain used for a DNS tunnel.
- 8. The DNS tunnel detection device according to claim 7, characterized in that the DNS tunnel detection device further comprises: a fourth identification unit, configured to discard main domains that contain no subordinate domain names and/or domain names that are superior to the main domain.
- 9. The DNS tunnel detection device according to claim 7 or 8, characterized in that the creation unit comprises: a first creation module, configured to create a detection domain corresponding to the main domain, the detection domain including the main domain corresponding to it; a second creation module, configured to recursively divide the main domain to form multiple subdomains of the main domain, a subdomain of the main domain including subordinate domain names of the main domain, and the number of domain names included in the subdomain of the main domain being less than or equal to the first threshold; and a third creation module, configured to create, respectively, detection domains corresponding to the subdomains of the main domain, so that the detection domains include the subdomains of the main domain.
- 10. The DNS tunnel detection device according to any one of claims 7 to 9, characterized in that the DNS tunnel detection device further comprises: a first determining unit, configured to determine, according to the passive DNS data, the IP address information corresponding to multiple domain names in the detection domain that have the same resource record type; a second determining unit, configured to determine whether the multiple domain names in the detection domain that have the same resource record type correspond to the same IP address information; and a third determining unit, configured to determine the DNS wildcard domain names in the detection domain if the multiple domain names in the detection domain that have the same resource record type correspond to the same IP address information.
- 11. The DNS tunnel detection device according to any one of claims 7 to 10, characterized in that the DNS tunnel detection device further comprises: a fourth determining unit, configured to determine the number of different domain names included in the detection domain; a fifth determining unit, configured to determine a target detection domain, the number of different domain names included in the target detection domain being less than or equal to a second threshold; and a sixth determining unit, configured to discard the target detection domain.
- 12. The DNS tunnel detection device according to any one of claims 7 to 11, characterized in that the third identification unit is configured to determine that a detection domain meeting one or more of the following conditions is used for a DNS tunnel: the number of different domain names included in the detection domain is greater than a second threshold; the length of at least one domain name in the detection domain is greater than or equal to a third threshold; the average length of all domain names in the detection domain is greater than or equal to a fourth threshold; the ratio of domain names in the detection domain that contain non-target characters to all domain names included in the detection domain is greater than or equal to a fifth threshold; the ratio of domain names in the detection domain that contain unprintable characters to all domain names included in the detection domain is greater than or equal to a sixth threshold; the number of different resource records included in the detection domain is greater than or equal to a seventh threshold; wherein the target characters are letters, and/or digits, and/or hyphens, and/or underscores, and the resource records record each domain name in the detection domain together with the IP address information corresponding to each domain name in the detection domain.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610498923.3A CN107547488B (en) | 2016-06-29 | 2016-06-29 | DNS tunnel detection method and DNS tunnel detection device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107547488A true CN107547488A (en) | 2018-01-05 |
CN107547488B CN107547488B (en) | 2020-12-15 |
Family
ID=60966132
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610498923.3A Expired - Fee Related CN107547488B (en) | 2016-06-29 | 2016-06-29 | DNS tunnel detection method and DNS tunnel detection device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107547488B (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108848201A (en) * | 2018-06-14 | 2018-11-20 | 深信服科技股份有限公司 | Detection utilizes the method, system and device of DNS tunnel transmission secret data |
CN109120733A (en) * | 2018-07-20 | 2019-01-01 | 杭州安恒信息技术股份有限公司 | A kind of detection method communicated using DNS |
CN109218461A (en) * | 2018-08-09 | 2019-01-15 | 北京奇安信科技有限公司 | A kind of method and device detecting tunnel domain name |
CN109474575A (en) * | 2018-09-11 | 2019-03-15 | 北京奇安信科技有限公司 | A kind of detection method and device in the tunnel DNS |
CN110149418A (en) * | 2018-12-12 | 2019-08-20 | 国网信息通信产业集团有限公司 | A kind of hidden tunnel detection method of DNS based on deep learning |
CN110855632A (en) * | 2019-10-24 | 2020-02-28 | 新华三信息安全技术有限公司 | Message detection method, device, network equipment and computer readable storage medium |
CN111262881A (en) * | 2020-02-26 | 2020-06-09 | 杭州云缔盟科技有限公司 | Method for hiding DNS domain name of server accessed by mobile phone APP |
CN111953673A (en) * | 2020-08-10 | 2020-11-17 | 深圳市联软科技股份有限公司 | DNS hidden tunnel detection method and system |
CN112118205A (en) * | 2019-06-19 | 2020-12-22 | 腾讯科技(深圳)有限公司 | Domain name information detection method and related device |
CN112204930A (en) * | 2018-05-29 | 2021-01-08 | 华为技术有限公司 | Malicious domain name detection device and method |
CN113691489A (en) * | 2020-05-19 | 2021-11-23 | 北京观成科技有限公司 | Malicious domain name detection feature processing method and device and electronic equipment |
CN115297083A (en) * | 2022-08-03 | 2022-11-04 | 左道明 | Domain name system tunnel detection method and system based on data volume and behavior characteristics |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102938769A (en) * | 2012-11-22 | 2013-02-20 | 国家计算机网络与信息安全管理中心 | Detection method of Domain flux botnet domain names |
US20130067115A1 (en) * | 2011-09-12 | 2013-03-14 | Isaac Omar Lapanc | Method And System For Mapping Domain Prefixes To Qualified URLs |
CN103561120A (en) * | 2013-10-08 | 2014-02-05 | 北京奇虎科技有限公司 | Method and device for detecting suspicious DNS and method and system for processing suspicious DNS |
CN103957282A (en) * | 2013-09-12 | 2014-07-30 | 赛尔网络有限公司 | Domain name resolution accelerating system of in-domain terminal users and method thereof |
CN104579773A (en) * | 2014-12-31 | 2015-04-29 | 北京奇虎科技有限公司 | Domain name system analysis method and device |
CN104967629A (en) * | 2015-07-16 | 2015-10-07 | 网宿科技股份有限公司 | Network attack detection method and apparatus |
-
2016
- 2016-06-29 CN CN201610498923.3A patent/CN107547488B/en not_active Expired - Fee Related
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130067115A1 (en) * | 2011-09-12 | 2013-03-14 | Isaac Omar Lapanc | Method And System For Mapping Domain Prefixes To Qualified URLs |
CN102938769A (en) * | 2012-11-22 | 2013-02-20 | 国家计算机网络与信息安全管理中心 | Detection method of Domain flux botnet domain names |
CN103957282A (en) * | 2013-09-12 | 2014-07-30 | 赛尔网络有限公司 | Domain name resolution accelerating system of in-domain terminal users and method thereof |
CN103561120A (en) * | 2013-10-08 | 2014-02-05 | 北京奇虎科技有限公司 | Method and device for detecting suspicious DNS and method and system for processing suspicious DNS |
CN104579773A (en) * | 2014-12-31 | 2015-04-29 | 北京奇虎科技有限公司 | Domain name system analysis method and device |
CN104967629A (en) * | 2015-07-16 | 2015-10-07 | 网宿科技股份有限公司 | Network attack detection method and apparatus |
Non-Patent Citations (1)
Title |
---|
章思宇,姜开达: "《DNS拒绝服务攻击与对策》", 《通信学报》 * |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112204930A (en) * | 2018-05-29 | 2021-01-08 | 华为技术有限公司 | Malicious domain name detection device and method |
CN112204930B (en) * | 2018-05-29 | 2022-03-01 | 华为云计算技术有限公司 | Malicious domain name detection device, system and method |
CN108848201A (en) * | 2018-06-14 | 2018-11-20 | 深信服科技股份有限公司 | Detection utilizes the method, system and device of DNS tunnel transmission secret data |
CN109120733A (en) * | 2018-07-20 | 2019-01-01 | 杭州安恒信息技术股份有限公司 | A kind of detection method communicated using DNS |
CN109120733B (en) * | 2018-07-20 | 2021-06-01 | 杭州安恒信息技术股份有限公司 | Detection method for communication by using DNS (Domain name System) |
CN109218461B (en) * | 2018-08-09 | 2022-02-22 | 奇安信科技集团股份有限公司 | Method and device for detecting tunnel domain name |
CN109218461A (en) * | 2018-08-09 | 2019-01-15 | 北京奇安信科技有限公司 | A kind of method and device detecting tunnel domain name |
CN109474575A (en) * | 2018-09-11 | 2019-03-15 | 北京奇安信科技有限公司 | A kind of detection method and device in the tunnel DNS |
CN109474575B (en) * | 2018-09-11 | 2022-04-12 | 奇安信科技集团股份有限公司 | DNS tunnel detection method and device |
CN110149418A (en) * | 2018-12-12 | 2019-08-20 | 国网信息通信产业集团有限公司 | A kind of hidden tunnel detection method of DNS based on deep learning |
CN112118205B (en) * | 2019-06-19 | 2022-08-16 | 腾讯科技(深圳)有限公司 | Domain name information detection method and related device |
CN112118205A (en) * | 2019-06-19 | 2020-12-22 | 腾讯科技(深圳)有限公司 | Domain name information detection method and related device |
CN110855632A (en) * | 2019-10-24 | 2020-02-28 | 新华三信息安全技术有限公司 | Message detection method, device, network equipment and computer readable storage medium |
CN110855632B (en) * | 2019-10-24 | 2022-03-11 | 新华三信息安全技术有限公司 | Message detection method, device, network equipment and computer readable storage medium |
CN111262881B (en) * | 2020-02-26 | 2021-07-02 | 杭州云缔盟科技有限公司 | Method for hiding DNS domain name of server accessed by mobile phone APP |
CN111262881A (en) * | 2020-02-26 | 2020-06-09 | 杭州云缔盟科技有限公司 | Method for hiding DNS domain name of server accessed by mobile phone APP |
CN113691489A (en) * | 2020-05-19 | 2021-11-23 | 北京观成科技有限公司 | Malicious domain name detection feature processing method and device and electronic equipment |
CN111953673A (en) * | 2020-08-10 | 2020-11-17 | 深圳市联软科技股份有限公司 | DNS hidden tunnel detection method and system |
CN111953673B (en) * | 2020-08-10 | 2022-07-05 | 深圳市联软科技股份有限公司 | DNS hidden tunnel detection method and system |
CN115297083A (en) * | 2022-08-03 | 2022-11-04 | 左道明 | Domain name system tunnel detection method and system based on data volume and behavior characteristics |
CN115297083B (en) * | 2022-08-03 | 2023-09-12 | 左道明 | Domain name system tunnel detection method and system based on data volume and behavior characteristics |
Also Published As
Publication number | Publication date |
---|---|
CN107547488B (en) | 2020-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107547488A (en) | A kind of DNS tunnel detection methods and DNS tunnel detectors | |
Singh et al. | Issues and challenges in DNS based botnet detection: A survey | |
Guo et al. | IP-based IoT device detection | |
Torabi et al. | Detecting Internet abuse by analyzing passive DNS traffic: A survey of implemented systems | |
US20190028508A1 (en) | Gateway apparatus, detecting method of malicious domain and hacked host thereof, and non-transitory computer readable medium | |
US20180034837A1 (en) | Identifying compromised computing devices in a network | |
US10044736B1 (en) | Methods and apparatus for identifying and characterizing computer network infrastructure involved in malicious activity | |
Mansmann et al. | Visual support for analyzing network traffic and intrusion detection events using TreeMap and graph representations | |
US11546356B2 (en) | Threat information extraction apparatus and threat information extraction system | |
Fachkha et al. | Investigating the dark cyberspace: Profiling, threat-based analysis and correlation | |
Wang et al. | Alert correlation system with automatic extraction of attack strategies by using dynamic feature weights | |
CN107979581A (en) | The detection method and device of corpse feature | |
US20240146753A1 (en) | Automated identification of false positives in dns tunneling detectors | |
TWI656778B (en) | Malicious domain detection method combining network information and network traffic | |
Ghabban et al. | Comparative analysis of network forensic tools and network forensics processes | |
Fei et al. | Modeling and analysis of Internet worm propagation | |
CN113438332A (en) | DoH service identification method and device | |
Metcalf et al. | Everything you wanted to know about blacklists but were afraid to ask | |
WO2020106326A1 (en) | Extending encrypted traffic analytics with traffic flow data | |
TWI634769B (en) | Method for detecting domain name transformation botnet through proxy server log | |
Oudah et al. | Using burstiness for network applications classification | |
Alharbi et al. | Domain name system (DNS) tunnelling detection using structured occurrence nets (SONs) | |
CN111031068B (en) | DNS analysis method based on complex network | |
Ostap et al. | A concept of clustering-based method for botnet detection | |
Mohammed et al. | Visualization of DNS tunneling attacks using parallel coordinates technique |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20201215 |