CN107689965A - Protection method, apparatus and system for network equipment - Google Patents

Publication number
CN107689965A
Authority
CN
China
Prior art keywords
domain name
network equipment
domain
information
default
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710923180.4A
Other languages
Chinese (zh)
Inventor
刘健皓
宋戈
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201710923180.4A
Publication of CN107689965A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a protection method, apparatus and system for network equipment. The method includes: obtaining a domain name resolution request from a network device and determining the domain name resolution result corresponding to that request; querying a preset threat intelligence library to determine whether the domain name information contained in the resolution result is malicious information; and, when the query result is yes, performing preset protective processing on the domain name resolution request. This scheme provides security protection for the network device, keeps the device operating normally, and prevents a malicious attack on the network device from compromising the security of the Internet of Things system to which the device is connected.

Description

Protection method, apparatus and system for network equipment
Technical field
The present invention relates to the field of electronic information technology, and in particular to a protection method, apparatus and system for network equipment.
Background
With the continuous development of information technology, the Internet of Things (IoT) has gradually permeated people's work and life. The IoT uses communication technologies such as local networks or the Internet to link sensors, controllers, machines, people and objects together, connecting people with things and things with things to form a network that supports informatization, remote management and control, and intelligence. The IoT contains many network devices, such as cameras connected to a router.
However, in the course of realizing the present invention, the inventors found that the prior art has at least the following problem: malicious attacks on network devices in the IoT are emerging constantly. An attacker steals a user's account and password and logs in to the network device illegally, or hijacks the device's network requests while the user is using it so that the device accesses a malicious address. This affects the security of the network device and may even affect the normal operation of the whole IoT system that contains it.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a protection method, apparatus and system for network equipment that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a protection method for network equipment is provided, including:
obtaining a domain name resolution request from a network device, and determining the domain name resolution result corresponding to the domain name resolution request;
querying a preset threat intelligence library to determine whether the domain name information contained in the domain name resolution result is malicious information;
when the query result is yes, performing preset protective processing on the domain name resolution request.
According to another aspect of the present invention, a protection apparatus for network equipment is provided, including:
an acquisition module, adapted to obtain a domain name resolution request from a network device and determine the domain name resolution result corresponding to the domain name resolution request;
a query module, adapted to query a preset threat intelligence library to determine whether the domain name information contained in the domain name resolution result is malicious information;
a protection module, adapted to perform preset protective processing on the domain name resolution request when the query result of the query module is yes.
According to a further aspect of the present invention, a protection system for network equipment is provided, including the protection apparatus for network equipment described above.
According to a further aspect of the present invention, an electronic device is provided, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another over the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the protection method for network equipment described above.
According to a further aspect of the present invention, a computer storage medium is provided. At least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the protection method for network equipment described above.
According to the protection method, apparatus and system for network equipment provided by the present invention, a domain name resolution request from a network device is obtained and the domain name resolution result corresponding to the request is determined; a preset threat intelligence library is then queried to determine whether the domain name information contained in the resolution result is malicious information; and, when the query result is yes, preset protective processing is performed on the domain name resolution request. This scheme provides security protection for the network device, keeps the device operating normally, and prevents a malicious attack on the network device from compromising the security of the IoT system to which the device is connected.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flowchart of the protection method for network equipment according to one embodiment of the invention;
Fig. 2 shows a flowchart of the protection method for network equipment according to another embodiment of the invention;
Fig. 3 shows a structural block diagram of the protection apparatus for network equipment according to one embodiment of the invention;
Fig. 4 shows a structural block diagram of the protection system for network equipment according to one embodiment of the invention;
Fig. 5 shows a structural schematic diagram of an electronic device according to one embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.
Fig. 1 shows a flowchart of the protection method for network equipment according to one embodiment of the invention. As shown in Fig. 1, the method includes:
Step S110: obtain a domain name resolution request from a network device, and determine the domain name resolution result corresponding to the request.
When accessing the network, a network device first needs to perform domain name resolution: a domain name resolution server resolves the domain name to the corresponding access address, and the device then accesses the resource at that address.
In this step, the domain name resolution request is obtained after the network device sends it, and the corresponding resolution result is then determined. The resolution result contains domain name information; for example, the domain name information may be the access address corresponding to the domain name in the request.
Step S120: query a preset threat intelligence library to determine whether the domain name information contained in the resolution result is malicious information; if so, perform step S130.
The preset threat intelligence library stores security-level information related to domain name information; for example, it stores a whitelist, blacklist and/or greylist of domain names or of the access addresses corresponding to domain names. This security-level information makes it possible to determine whether the domain name information in the resolution result is malicious. For example, when the domain name information in the resolution result contains the IP address corresponding to the domain name, the preset threat intelligence library stores an IP address blacklist, and the IP address matches an address in that blacklist, the domain name information is determined to be malicious information and step S130 is performed.
Step S130: perform preset protective processing on the domain name resolution request.
If the domain name information queried in step S120 is malicious, protective processing is performed on the corresponding resolution request, for example by intercepting the request directly so that the network device is prevented from accessing the access address in the corresponding resolution result.
As can be seen, in the protection method provided by the present invention, before the network device accesses a network resource, the domain name resolution request from the device is obtained and the corresponding resolution result is determined; the preset threat intelligence library is then queried to determine whether the domain name information contained in the resolution result is malicious; and, when the query result is yes, preset protective processing is performed on the request. This prevents the network device from directly accessing network resources that carry a security risk, provides security protection for the device, keeps it operating normally, and prevents a malicious attack on the device from compromising the security of the IoT system to which it is connected.
Fig. 2 shows a flowchart of the protection method for network equipment according to another embodiment of the invention. As shown in Fig. 2, the method includes:
Step S210: obtain a domain name resolution request from a network device.
The network device includes a routing device, and the routing device is connected to at least one IoT device. The routing device and the IoT device connected to it may be integrated into one unit or set up separately. For example, an IP camera includes a camera unit and a routing device connected to it, integrated into one unit, whereas an air purifier in the IoT is usually separate from the routing device it is connected to.
Specifically, when an IoT device makes a network request, its domain name resolution request must first be forwarded by the routing device it is connected to. In this step, the domain name resolution request is obtained after the routing device forwards it. The request contains the domain name information that the IoT device wants to access.
Step S220: send the domain name resolution request to a preset domain name resolution server, and receive the resolution result corresponding to the request that the server returns.
The preset domain name resolution server may be a DNS server. After the request is sent to it, the server obtains the corresponding resolution result from its stored mapping between domain names and access addresses (such as IP addresses), for example the IP address corresponding to the domain name contained in the request. The resolution result returned by the server is then received.
Optionally, the domain name resolution request and/or the domain name resolution result may be transmitted in messages based on the User Datagram Protocol (UDP).
Step S230: send the domain name information contained in the resolution result to a preset threat intelligence server, and receive the query result that the threat intelligence server returns after querying the preset threat intelligence library to determine whether that domain name information is malicious information.
The domain name information contained in the resolution result includes a domain name and/or an IP address. After the domain name information is sent to the preset threat intelligence server, that server queries the threat intelligence library and judges whether the domain name information is malicious. For example, the library may contain an IP address blacklist and/or whitelist. When the IP address in the domain name information is on the IP address blacklist, the domain name information corresponding to that IP address is determined to be malicious; if the IP address is on the IP address whitelist, the domain name information is determined to be non-malicious. Alternatively, the library contains a domain name blacklist and/or whitelist, and matching follows a preset matching rule: the domain name information is determined to be malicious when the domain name in it matches a domain name on the blacklist, for example when the two are exactly the same, or when certain domain name fields of the domain name are identical to certain fields of a blacklisted domain name (for instance, if the domain name is a subdomain of a blacklisted domain name, the two share some identical domain name fields). If the domain name matches a domain name on the whitelist, the domain name information is determined to be non-malicious.
After the threat intelligence server has queried the preset threat intelligence library to determine whether the domain name information contained in the resolution result is malicious, the query result it returns is received. The query result contains information on whether the domain name information is malicious. Those skilled in the art may choose the concrete form of the query result; for example, a preset character may indicate whether the domain name information is malicious (e.g., if the query result is "N", the domain name information is malicious).
Optionally, the information in the threat intelligence library may be determined from information about the network devices in the IoT. For example, multiple preset information-crawling nodes may obtain the status information of each network device in the IoT in parallel, partition that status information at fine granularity, and store it in a suitable database system, such as an HBase distributed database. The status information of each device can then be searched with a suitable search engine to obtain information that can be stored in the threat intelligence library. For example, the log records of multiple network devices may be searched and analysed to see whether those devices behaved abnormally after accessing a particular IP address or domain name, such as a surge in traffic consumption and/or operating faults; if so, that IP address or domain name is stored in the blacklist of the threat intelligence library. Further optionally, the information in the library may be updated on a preset cycle: when the preset update cycle is reached, the newly added status information of each network device is obtained and used to derive information that can be stored in the library, and the library is updated accordingly.
Step S240: if the domain name information is malicious information, perform preset protective processing on the domain name resolution request.
In one embodiment, if the query result received in step S230 determines that the domain name information is malicious, the domain name resolution request is intercepted, so that the IoT device that issued the request cannot access the access address in the resolution result through the routing device it is connected to. For example, a loopback address or an invalid IP address may be returned to the IoT device, so that the IoT device cannot reach the access address in the resolution result through its routing device.
In another embodiment, if the query result received in step S230 determines that the domain name information is malicious, the resolution result corresponding to the request is returned to the corresponding network device together with a query result indicating that the domain name information contained in the resolution result is malicious, so that the network device itself intercepts the request. Specifically, the query result indicating that the domain name information is malicious is returned to the routing device within the network device, so that the routing device intercepts the domain name resolution request. Those skilled in the art may choose how this indication is delivered; for example, the prompt may be given by message, voice, text pop-up and/or an audible alarm. For example, if the resolution result received in step S220 is an IP address and that IP address is on the IP blacklist in the threat intelligence server, the query result returned by the threat intelligence server states that the IP address is malicious information. The IP address can then be returned to the corresponding routing device while a message or similar prompt indicates that it is a malicious address. On receiving the prompt, the routing device can intercept the domain name resolution request automatically according to its local security protection logic; alternatively, it raises an alarm to the user associated with the routing device and, after receiving the user's instruction to block, intercepts the request, preventing the IoT device connected to the routing device from accessing the IP address.
Step S250: send alarm information to a preset recipient corresponding to the network device.
Specifically, the routing device identification information of the routing device and/or the IoT device identification information of the IoT device connected to it, as contained in the domain name resolution request, can be determined, and an alarm message is generated from the routing device identification information, the IoT device identification information and the domain name information contained in the resolution result. The routing device identification information includes the device name and/or MAC address of the routing device, and the IoT device identification information includes the device name and/or MAC address of the IoT device connected to that routing device. For example, the domain name resolution request sent by a routing device usually contains the MAC address of the routing device and the MAC address of the IoT device connected to it. If the resolution result corresponding to the request is an IP address and that IP address is determined to be malicious information, the corresponding alarm information can be generated from the MAC address of the routing device, the MAC address of the IoT device and the IP address. Those skilled in the art may choose the concrete form of the alarm information.
Further, the alarm message is stored in a preset distributed message queue, and alarm information is sent to the preset recipient corresponding to the network device according to the alarm messages stored in that queue. The preset distributed message queue may be a message queue based on the Kafka distributed system. Once the alarm message is stored in the queue, the message consumers that subscribe to it consume the alarm information. The consumer is either the preset recipient corresponding to the network device or a preset push server; in the latter case, the push server sends the alarm information to the corresponding preset recipient after consuming the alarm message. Optionally, the preset recipient corresponding to the network device may be the network device vendor.
For example, each network device has a corresponding vendor, and a mapping can be established between the vendor and the device identifier of the routing device and/or the identifier of the IoT device connected to it; this mapping may be stored in the preset push server. After the alarm message is generated from the routing device identification information, the IoT device identification information and the domain name information contained in the resolution result, it is stored in the preset distributed message queue, to which the push server subscribes. Whenever an alarm message is stored in the queue, the push server obtains it, looks up the corresponding vendor using the routing device identifier and/or the IoT device identifier it contains, and pushes the alarm information to that vendor. The vendor can then fix the security vulnerabilities of the network device according to the alarm information, improving the security of the device.
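Steps S230 to S250 sketched in Python, as an added example that is not code from the patent: it matches the queried name (exact or label-aligned subdomain) and the resolved addresses against the lists, returns a loopback answer on interception, and queues an alert carrying the router and device identifiers. All names, list contents and MAC addresses are constructed; the in-process queue stands in for the distributed message queue, and the rule that a blacklist hit outranks a whitelist hit is an assumption the patent does not state.

```python
import ipaddress
import json
import queue
from dataclasses import dataclass

# Constructed threat-intelligence library (reserved names, documentation IP ranges).
DOMAIN_BLACKLIST = {"bad.example"}
DOMAIN_WHITELIST = {"updates.vendor.example"}
IP_BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
IP_WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]

SINKHOLE_IP = "127.0.0.1"    # loopback answer handed back when a request is intercepted
ALERT_QUEUE = queue.Queue()  # in-process stand-in for the distributed message queue


@dataclass
class ResolutionRequest:
    router_mac: str  # identifier of the routing device that forwarded the request
    device_mac: str  # identifier of the IoT device behind that router
    qname: str       # domain name the device wants resolved


def normalize(name):
    """Lower-case the name and drop the trailing root dot so lookups are canonical."""
    return name.strip().rstrip(".").lower()


def domain_in(name, entries):
    """True if name equals an entry or is a subdomain of one, compared label by label.

    Label alignment matters: 'notbad.example' must not match 'bad.example'.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


def ip_in(addr, networks):
    """True if addr lies inside any listed network (IPv4 never matches IPv6 nets)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def query_threat_intel(qname, answer_ips):
    """Return (verdict, indicator) for a name and its resolved addresses.

    Assumption: a blacklist hit on the name or on any resolved address outranks a
    whitelist hit, so a hijacked answer for a trusted name is still flagged.
    """
    if domain_in(qname, DOMAIN_BLACKLIST):
        return "malicious", normalize(qname)
    for addr in answer_ips:
        if ip_in(addr, IP_BLACKLIST):
            return "malicious", addr
    whitelisted_ips = bool(answer_ips) and all(ip_in(a, IP_WHITELIST) for a in answer_ips)
    if domain_in(qname, DOMAIN_WHITELIST) or whitelisted_ips:
        return "benign", None
    return "unknown", None


def protect(request, answer_ips):
    """Query the library, intercept on a malicious verdict, and queue an alert."""
    verdict, indicator = query_threat_intel(request.qname, answer_ips)
    if verdict != "malicious":
        return {"action": "forward", "answer": list(answer_ips)}
    ALERT_QUEUE.put(json.dumps({
        "router_mac": request.router_mac,
        "device_mac": request.device_mac,
        "qname": normalize(request.qname),
        "resolved": list(answer_ips),
        "indicator": indicator,
    }, sort_keys=True))
    return {"action": "intercept", "answer": [SINKHOLE_IP]}


if __name__ == "__main__":
    # Constructed requests: a blacklisted subdomain, a look-alike, a hijacked answer.
    samples = [
        ("CDN.Bad.Example.", ["192.0.2.7"]),
        ("notbad.example", ["192.0.2.7"]),
        ("updates.vendor.example", ["203.0.113.9"]),
    ]
    for qname, ips in samples:
        req = ResolutionRequest("02:00:00:00:00:01", "02:00:00:00:00:aa", qname)
        print(qname, protect(req, ips))
    while not ALERT_QUEUE.empty():
        print("alert:", ALERT_QUEUE.get())
```

The third sample shows why the check runs on the resolution result rather than on the queried name alone: a whitelisted name that resolves to a blacklisted address is still intercepted.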
In addition, the threat intelligence library in this embodiment can be determined from the monitoring results of a massive number of IoT devices, so that threat intelligence is determined on the basis of big data and IoT devices can be protected more effectively.
As can be seen, in the protection method provided by the present invention, before the network device accesses a network resource, the domain name resolution request from the device is obtained and sent to a preset domain name resolution server, and the resolution result corresponding to the request returned by that server is received. The domain name information contained in the resolution result is sent to a preset threat intelligence server, which determines whether that domain name information is malicious. If so, the domain name resolution request can be intercepted directly, or alarm information can be sent to the network device so that the device intercepts the request. This prevents the network device from accessing the malicious information, provides security protection for the device, keeps it operating normally, and prevents a malicious attack on the device from compromising the security of the IoT system to which it is connected. Alarm information can also be sent to the preset recipient corresponding to the network device, so that the recipient, such as the network device vendor, can fix security vulnerabilities in the device according to the alarm information, further strengthening the protection of the device and improving its security.
Fig. 3 shows a structural block diagram of a protection apparatus for a network device according to one embodiment of the invention. As shown in Fig. 3, the apparatus includes: an acquisition module 31, a query module 32 and a protection module 33.
Acquisition module 31, adapted to obtain a domain name resolution request from the network device and determine the domain name resolution result corresponding to the domain name resolution request.
Optionally, the network device includes: a routing device, and the routing device is connected to at least one IoT device.
Optionally, acquisition module 31 is further adapted to: obtain the domain name resolution request of a connected IoT device forwarded by the routing device.
Optionally, acquisition module 31 is further adapted to: send the domain name resolution request to a preset domain name resolution server, and receive the domain name resolution result corresponding to the domain name resolution request returned by the domain name resolution server.
Query module 32, adapted to query, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information.
Optionally, query module 32 is further adapted to: send the domain name information contained in the domain name resolution result to a preset threat intelligence server, and receive the query result that the threat intelligence server returns after querying, according to the preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information.
Optionally, the domain name resolution request and/or the domain name resolution result are transmitted in UDP-based messages; and the domain name information includes: a domain name and/or an IP address.
Protection module 33, adapted to perform preset protection processing on the domain name resolution request when the query result of the query module is yes.
Optionally, protection module 33 is further adapted to: intercept the domain name resolution request; or return the domain name resolution result corresponding to the domain name resolution request to the network device, and also return to the network device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the network device intercepts the domain name resolution request.
Optionally, protection module 33 is further adapted to: return to the routing device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the routing device intercepts the domain name resolution request.
Optionally, the apparatus also includes: an alarm sending module, adapted to send alarm information to a preset recipient corresponding to the network device.
Optionally, the alarm sending module is further adapted to: determine the routing device identification information of the routing device contained in the domain name resolution request and/or the IoT device identification information of the IoT device connected to the routing device, and generate an alarm message according to the routing device identification information, the IoT device identification information and the domain name information contained in the domain name resolution result; store the alarm message in a preset distributed message queue, and send alarm information to the preset recipient corresponding to the network device according to the alarm message stored in the distributed message queue.
For the specific principles and implementation of each functional module of the protection apparatus for a network device provided by this embodiment, refer to the description of the corresponding steps in the embodiments of the protection method for a network device shown in Fig. 1 and/or Fig. 2; they are not repeated here.
As can be seen, with the protection apparatus for a network device provided by the invention, before the network device accesses a network resource, the domain name resolution request from the network device is obtained, and the domain name resolution result corresponding to the domain name resolution request is determined; the preset threat intelligence database is then queried to determine whether the domain name information contained in the domain name resolution result is malicious information; and when the query result is yes, preset protection processing is performed on the domain name resolution request. This prevents the network device from directly accessing network resources that carry security risks, provides security protection for the network device, ensures its normal operation, and avoids a malicious attack on the network device compromising the security of the IoT system connected to it.
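The acquisition, query, protection and alarm steps described above can be traced on a single UDP DNS response in the following added example, which is not code from the patent. The in-memory threat set, the parent-domain match, `queue.Queue` standing in for the distributed message queue, and passing the router and IoT device identifiers as arguments are assumptions; the sample packets are constructed.

```python
import ipaddress
import json
import queue
import struct

# Constructed threat-intelligence entries (reserved documentation names/ranges).
THREAT_INTEL = {"domains": {"bad.example"}, "ips": {"203.0.113.7"}}


def read_name(msg, off):
    """Decode the DNS name at off, following compression pointers."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            if off + 1 >= len(msg) or hops >= 16:
                raise ValueError("bad compression pointer")
            if resume is None:
                resume = off + 2               # parsing resumes after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            continue
        off += 1
        if length == 0:
            break
        if length > 63 or off + length > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off:off + length].decode("ascii", "replace").lower())
        off += length
    return ".".join(labels), (off if resume is None else resume)


def parse_response(msg):
    """Return (queried domain name, IPv4 addresses from A records)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, qname, ips = 12, "", []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                               # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return qname, ips


def is_malicious(name, ips, intel=THREAT_INTEL):
    """Query step: match the domain (or a parent domain, an assumption) or any IP."""
    parts = name.split(".")
    suffixes = {".".join(parts[i:]) for i in range(len(parts))}
    return bool(suffixes & intel["domains"]) or any(ip in intel["ips"] for ip in ips)


def protect(response, router_id, device_id, alarms, intercept=True):
    """Protection step: intercept, or forward the result with a malicious flag."""
    name, ips = parse_response(response)
    if not is_malicious(name, ips):
        return {"action": "forward", "response": response}
    # Alarm message built from router id, IoT device id and domain name information.
    alarms.put(json.dumps({"router_id": router_id, "device_id": device_id,
                           "domain": name, "ips": ips}))
    if intercept:
        return {"action": "intercept", "response": None}
    return {"action": "forward_flagged", "response": response, "malicious": True}


def build_response(name, ip):
    """Construct a minimal DNS A response (sample input for this example)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer


if __name__ == "__main__":
    q = queue.Queue()                          # stand-in for the distributed message queue
    print(protect(build_response("cam.bad.example", "198.51.100.5"), "router-01", "camera-07", q))
    print(q.get_nowait())
```

The flagged-forward branch corresponds to the second protection option, where the routing device receives the result together with the malicious verdict and performs the interception itself.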
Fig. 4 shows a structural block diagram of a protection system for a network device according to one embodiment of the invention. As shown in Fig. 4, the system includes: the protection apparatus 41 for a network device as shown in Fig. 3.
Optionally, the system also includes: a domain name resolution server 42 and a threat intelligence server 43.
Domain name resolution server 42, adapted to receive the domain name resolution request sent by the protection apparatus for the network device, and to resolve the domain name resolution request to obtain a domain name resolution result;
Threat intelligence server 43, adapted to query, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information, and to send the query result to the protection apparatus for the network device.
According to one embodiment of the invention, a non-volatile computer storage medium is provided. The computer storage medium stores at least one executable instruction, and the computer-executable instruction can perform the protection method for a network device in any of the above method embodiments.
Fig. 5 shows a schematic structural diagram of an electronic device according to one embodiment of the invention; the specific embodiments of the invention do not limit the specific implementation of the electronic device.
As shown in Fig. 5, the electronic device can include: a processor 502, a communications interface 504, a memory 506 and a communication bus 508.
Wherein: processor 502, communication interface 504 and memory 506 communicate with one another via communication bus 508.
Communication interface 504, for communicating with network elements of other devices, such as clients or other servers.
Processor 502, for executing program 510, and specifically for performing the relevant steps of the above embodiments of the protection method for a network device.
Specifically, program 510 can include program code, and the program code includes computer operation instructions.
Processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the invention. The one or more processors included in the electronic device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
Memory 506, for storing program 510. Memory 506 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
Program 510 can specifically be used to cause processor 502 to perform the following operations:
Obtaining a domain name resolution request from the network device, and determining the domain name resolution result corresponding to the domain name resolution request;
Querying, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information;
When the query result is yes, performing preset protection processing on the domain name resolution request.
In an optional embodiment, program 510 can specifically be used to cause processor 502 to perform the following operations:
Intercepting the domain name resolution request; or
Returning the domain name resolution result corresponding to the domain name resolution request to the network device, and also returning to the network device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the network device intercepts the domain name resolution request.
In an optional embodiment, program 510 can specifically be used to cause processor 502 to perform the following operations:
Sending the domain name resolution request to a preset domain name resolution server, and receiving the domain name resolution result corresponding to the domain name resolution request returned by the domain name resolution server.
In an optional embodiment, program 510 can specifically be used to cause processor 502 to perform the following operations:
Sending the domain name information contained in the domain name resolution result to a preset threat intelligence server, and receiving the query result that the threat intelligence server returns after querying, according to the preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information.
In an optional embodiment, the network device includes: a routing device, and the routing device is connected to at least one IoT device. Program 510 can then specifically be used to cause processor 502 to perform the following operations:
Obtaining the domain name resolution request of a connected IoT device forwarded by the routing device;
Returning to the routing device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the routing device intercepts the domain name resolution request.
In an optional embodiment, program 510 can specifically be used to cause processor 502 to perform the following operations:
Sending alarm information to a preset recipient corresponding to the network device.
In an optional embodiment, program 510 can specifically be used to cause processor 502 to perform the following operations:
Determining the routing device identification information of the routing device contained in the domain name resolution request and/or the IoT device identification information of the IoT device connected to the routing device, and generating an alarm message according to the routing device identification information, the IoT device identification information and the domain name information contained in the domain name resolution result;
Storing the alarm message in a preset distributed message queue, and sending alarm information to the preset recipient corresponding to the network device according to the alarm message stored in the distributed message queue.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
In the specification provided here, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the protection apparatus for a network device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The invention discloses: A1. A protection method for a network device, including:
Obtaining a domain name resolution request from the network device, and determining the domain name resolution result corresponding to the domain name resolution request;
Querying, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information;
When the query result is yes, performing preset protection processing on the domain name resolution request.
A2. The method according to A1, wherein the step of performing preset protection processing on the domain name resolution request specifically includes:
Intercepting the domain name resolution request; or
Returning the domain name resolution result corresponding to the domain name resolution request to the network device, and also returning to the network device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the network device intercepts the domain name resolution request.
A3. The method according to A1 or A2, wherein the step of determining the domain name resolution result corresponding to the domain name resolution request specifically includes:
Sending the domain name resolution request to a preset domain name resolution server, and receiving the domain name resolution result corresponding to the domain name resolution request returned by the domain name resolution server.
A4. The method according to any one of A1-A3, wherein the step of querying, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information specifically includes:
Sending the domain name information contained in the domain name resolution result to a preset threat intelligence server, and receiving the query result that the threat intelligence server returns after querying, according to the preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information.
A5. The method according to any one of A2-A4, wherein the network device includes: a routing device, and the routing device is connected to at least one IoT device; the step of obtaining the domain name resolution request from the network device then specifically includes: obtaining the domain name resolution request of a connected IoT device forwarded by the routing device;
The step of returning to the network device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the network device intercepts the domain name resolution request, specifically includes: returning to the routing device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the routing device intercepts the domain name resolution request.
A6. The method according to A5, wherein, after the step of performing preset protection processing on the domain name resolution request, the method further includes: sending alarm information to a preset recipient corresponding to the network device.
A7. The method according to A6, wherein the step of sending alarm information to the preset recipient corresponding to the network device specifically includes:
Determining the routing device identification information of the routing device contained in the domain name resolution request and/or the IoT device identification information of the IoT device connected to the routing device, and generating an alarm message according to the routing device identification information, the IoT device identification information and the domain name information contained in the domain name resolution result;
Storing the alarm message in a preset distributed message queue, and sending alarm information to the preset recipient corresponding to the network device according to the alarm message stored in the distributed message queue.
A8. The method according to any one of A1-A7, wherein the domain name resolution request and/or the domain name resolution result are transmitted in UDP-based messages; and the domain name information includes: a domain name and/or an IP address.
The invention also discloses: B9. A protection apparatus for a network device, including:
An acquisition module, adapted to obtain a domain name resolution request from the network device and determine the domain name resolution result corresponding to the domain name resolution request;
A query module, adapted to query, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information;
A protection module, adapted to perform preset protection processing on the domain name resolution request when the query result of the query module is yes.
B10. The apparatus according to B9, wherein the protection module is further adapted to:
Intercept the domain name resolution request; or
Return the domain name resolution result corresponding to the domain name resolution request to the network device, and also return to the network device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the network device intercepts the domain name resolution request.
B11. The apparatus according to B9 or B10, wherein the acquisition module is further adapted to:
Send the domain name resolution request to a preset domain name resolution server, and receive the domain name resolution result corresponding to the domain name resolution request returned by the domain name resolution server.
B12. The apparatus according to any one of B9-B11, wherein the query module is further adapted to:
Send the domain name information contained in the domain name resolution result to a preset threat intelligence server, and receive the query result that the threat intelligence server returns after querying, according to the preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information.
B13. The apparatus according to any one of B10-B12, wherein the network device includes: a routing device, and the routing device is connected to at least one IoT device;
The acquisition module is then further adapted to: obtain the domain name resolution request of a connected IoT device forwarded by the routing device;
The protection module is further adapted to: return to the routing device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the routing device intercepts the domain name resolution request.
B14. The apparatus according to B13, wherein the apparatus also includes:
An alarm sending module, adapted to send alarm information to a preset recipient corresponding to the network device.
B15. The apparatus according to B14, wherein the alarm sending module is further adapted to:
Determine the routing device identification information of the routing device contained in the domain name resolution request and/or the IoT device identification information of the IoT device connected to the routing device, and generate an alarm message according to the routing device identification information, the IoT device identification information and the domain name information contained in the domain name resolution result;
Store the alarm message in a preset distributed message queue, and send alarm information to the preset recipient corresponding to the network device according to the alarm message stored in the distributed message queue.
B16. The apparatus according to any one of B9-B15, wherein the domain name resolution request and/or the domain name resolution result are transmitted in UDP-based messages; and the domain name information includes: a domain name and/or an IP address.
The invention also discloses: C17. A protection system for a network device, including: the protection apparatus for a network device according to any one of B9-B16.
C18. The system according to C17, wherein the system also includes:
A domain name resolution server, adapted to receive the domain name resolution request sent by the protection apparatus for the network device, and to resolve the domain name resolution request to obtain a domain name resolution result;
A threat intelligence server, adapted to query, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information, and to send the query result to the protection apparatus for the network device.
The invention also discloses: D19. An electronic device, including: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
The memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform operations corresponding to the protection method for a network device according to any one of A1-A8.
The invention also discloses: E20. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform operations corresponding to the protection method for a network device according to any one of A1-A8.

Claims (10)

1. A protection method for a network device, including:
Obtaining a domain name resolution request from the network device, and determining the domain name resolution result corresponding to the domain name resolution request;
Querying, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information;
When the query result is yes, performing preset protection processing on the domain name resolution request.
2. The method according to claim 1, wherein the step of performing preset protection processing on the domain name resolution request specifically includes:
Intercepting the domain name resolution request; or
Returning the domain name resolution result corresponding to the domain name resolution request to the network device, and also returning to the network device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the network device intercepts the domain name resolution request.
3. The method according to claim 1 or 2, wherein the step of determining the domain name resolution result corresponding to the domain name resolution request specifically includes:
Sending the domain name resolution request to a preset domain name resolution server, and receiving the domain name resolution result corresponding to the domain name resolution request returned by the domain name resolution server.
4. The method according to any one of claims 1-3, wherein the step of querying, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information specifically includes:
Sending the domain name information contained in the domain name resolution result to a preset threat intelligence server, and receiving the query result that the threat intelligence server returns after querying, according to the preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information.
5. The method according to any one of claims 2-4, wherein the network device includes: a routing device, and the routing device is connected to at least one IoT device; the step of obtaining the domain name resolution request from the network device then specifically includes: obtaining the domain name resolution request of a connected IoT device forwarded by the routing device;
The step of returning to the network device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the network device intercepts the domain name resolution request, specifically includes: returning to the routing device a query result indicating that the domain name information contained in the domain name resolution result is malicious information, so that the routing device intercepts the domain name resolution request.
6. The method according to claim 5, wherein, after the step of performing preset protection processing on the domain name resolution request, the method further includes: sending alarm information to a preset recipient corresponding to the network device.
7. A protection apparatus for a network device, including:
An acquisition module, adapted to obtain a domain name resolution request from the network device and determine the domain name resolution result corresponding to the domain name resolution request;
A query module, adapted to query, according to a preset threat intelligence database, whether the domain name information contained in the domain name resolution result is malicious information;
A protection module, adapted to perform preset protection processing on the domain name resolution request when the query result of the query module is yes.
8. A protection system for a network device, including: the protection apparatus for a network device according to any one of claims 9-16.
9. An electronic device, including: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
The memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform operations corresponding to the protection method for a network device according to any one of claims 1-6.
10. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform operations corresponding to the protection method for a network device according to any one of claims 1-6.
CN201710923180.4A 2017-09-30 2017-09-30 Means of defence, the apparatus and system of the network equipment Pending CN107689965A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710923180.4A CN107689965A (en) 2017-09-30 2017-09-30 Means of defence, the apparatus and system of the network equipment


Publications (1)

Publication Number Publication Date
CN107689965A true CN107689965A (en) 2018-02-13

Family

ID=61154168

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710923180.4A Pending CN107689965A (en) 2017-09-30 2017-09-30 Means of defence, the apparatus and system of the network equipment

Country Status (1)

Country Link
CN (1) CN107689965A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607385A (en) * 2013-11-14 2014-02-26 北京奇虎科技有限公司 Method and apparatus for security detection based on browser
US20140143414A1 (en) * 2011-06-21 2014-05-22 Zte Corporation Method for sending information and gateway
CN103957201A (en) * 2014-04-18 2014-07-30 上海聚流软件科技有限公司 Method, device and system for processing domain name information based on DNS
US20140304378A1 (en) * 2010-12-30 2014-10-09 Verisign, Inc. Method and system for partitioning recursive name servers
CN104125209A (en) * 2014-01-03 2014-10-29 腾讯科技(深圳)有限公司 Malicious website prompt method and router
CN105763660A (en) * 2014-12-17 2016-07-13 中兴通讯股份有限公司 Domain name analysis method and device

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110401614A (en) * 2018-04-24 2019-11-01 中移(杭州)信息技术有限公司 The source tracing method and device of malice domain name
CN110401614B (en) * 2018-04-24 2021-08-13 中移(杭州)信息技术有限公司 Malicious domain name tracing method and device
CN109413091A (en) * 2018-11-20 2019-03-01 中国联合网络通信集团有限公司 A kind of network security monitoring method and apparatus based on internet-of-things terminal
CN110336805A (en) * 2019-06-27 2019-10-15 维沃移动通信有限公司 Network access management method and mobile terminal
CN110336805B (en) * 2019-06-27 2022-02-08 维沃移动通信有限公司 Network access management method and mobile terminal
CN111245784A (en) * 2019-12-30 2020-06-05 杭州安恒信息技术股份有限公司 Method for multi-dimensional detection of malicious domain name
CN111277585A (en) * 2020-01-16 2020-06-12 深信服科技股份有限公司 Threat processing method, device, equipment and readable storage medium
CN114024947A (en) * 2022-01-05 2022-02-08 北京微步在线科技有限公司 Web access method and device based on browser
CN114024947B (en) * 2022-01-05 2022-04-01 北京微步在线科技有限公司 Web access method and device based on browser
CN116112230A (en) * 2022-12-30 2023-05-12 安天科技集团股份有限公司 Method, device, equipment and storage medium for determining ip white list

Similar Documents

Publication Publication Date Title
CN107689965A (en) Means of defence, the apparatus and system of the network equipment
CN103957195B (en) DNS systems and the defence method and defence installation of DNS attacks
CN102687480B (en) Based on firewall system and the service of cloud
US9258289B2 (en) Authentication of IP source addresses
US9648033B2 (en) System for detecting the presence of rogue domain name service providers through passive monitoring
US8904524B1 (en) Detection of fast flux networks
CN105359157B (en) The network safety system and method for alarm are generated for detecting security breaches
CN105099821A (en) Flow monitoring method and apparatus based on cloud virtual environment
US20130219500A1 (en) Network intrusion detection in a network that includes a distributed virtual switch fabric
AU2018301781A1 (en) Cyberanalysis workflow acceleration
KR20060013491A (en) Network attack signature generation
US20180131708A1 (en) Identifying Fraudulent and Malicious Websites, Domain and Sub-domain Names
CN104468554A (en) Attack detection method and device based on IP and HOST
CN103546590A (en) Method and device for choosing DNS (domain name server)
US11363068B2 (en) Method and system for providing a complete traceability of changes incurred in a security policy
CN109088909B (en) Service gray level publishing method and device based on merchant type
US10659335B1 (en) Contextual analyses of network traffic
CN109074454A (en) Malware is grouped automatically based on artefact
CN103023905A (en) Device, method and system for detecting spamming links
CN103701816A (en) Scanning method and scanning device of server executing DOS (Denial Of service)
US20230108362A1 (en) Key-value storage for url categorization
CN103036896A (en) Method and system for testing malicious links
US11528291B2 (en) Methods and apparatus for defending against exploitation of vulnerable software
CN107623693A (en) Domain name mapping means of defence and device, system, computing device, storage medium
Desmet et al. Premadoma: An operational solution to prevent malicious domain name registrations in the. eu tld

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180213