CN108270778B - DNS domain name abnormal access detection method and device - Google Patents

Publication number: CN108270778B
Authority: CN (China)
Application number: CN201711473667.3A
Other languages: Chinese (zh)
Other versions: CN108270778A (en)
Inventors: 张恒, 姜涛, 张鹏, 孙才, 杨鞠华
Current Assignee: China Internet Network Information Center
Original Assignee: China Internet Network Information Center
Legal status: Active
Prior art keywords: domain name, dns, divergence, abnormal access, access

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The invention provides a DNS domain name abnormal access detection method, which comprises the following steps: acquiring mirror DNS messages of a DNS server and a DNS client; performing KL divergence calculation on DNS data of the DNS message; if the KL divergence is larger than a divergence threshold, calculating KL divergence contribution of each domain name in the current period; judging the domain name with KL divergence contribution degree exceeding a contribution degree threshold value as an abnormal domain name, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database; if the KL divergence is not larger than the divergence threshold, judging whether a TopN newly-added domain name exists in the current period compared with the normal period, and if the TopN newly-added domain name exists, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database; if no TopN newly-added domain name exists, judging whether the variation rate of the TopN domain name access times exceeds a variation threshold value, and if so, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database. The invention also provides a DNS domain name abnormal access detection device.

Description

DNS domain name abnormal access detection method and device
Technical Field
The invention belongs to the field of computer network communication, and particularly relates to a DNS domain name abnormal access detection method and device.
Background
In computer network communication, hosts can communicate with each other through an IP network only by knowing the IP address of the opposite communication terminal. However, a 32-bit IPv4 address (128-bit IPv6 address) is not easy to remember for the communicating party. Therefore, more intuitive domain names (e.g., www.google.com.hk) are widely used to solve the problem of IP addresses that are difficult to remember. However, network communication operates based on the IP protocol, and a host to be accessed cannot be directly found by a domain name. The host needs to convert the domain name entered by the user into an IP address, a process known as domain name resolution.
Domain name resolution is carried out by the Domain Name System (DNS), a distributed database for TCP/IP applications that provides translation between domain names and IP addresses. Through the domain name system, a user can use a meaningful, easy-to-remember domain name directly in an application; a DNS server in the network resolves the domain name into the correct IP address and returns it to the user's host. A domain name server is a server that stores the domain names and corresponding IP addresses of all hosts in the network and converts domain names into IP addresses. In the resolution process, when an application process needs a host name resolved into an IP address, it becomes a client of the DNS: it places the domain name to be resolved in a DNS request message and sends it to a domain name server, which looks up the domain name, places the corresponding IP address in an answer message and returns it to the client application process. The DNS recursive server is an important device in the DNS resolution system; it responds to DNS queries initiated by end users according to the domain name address information in its cache.
At present, the following methods are mainly used for attacking the DNS system:
The first attack mode is a traffic-type denial-of-service attack, such as a User Datagram Protocol (UDP) flood, a Transmission Control Protocol (TCP) flood, a DNS request flood, or a ping flood. Attacks of this kind typically consume the resources of the DNS server, such as server CPU and network resources, so that it cannot respond to normal DNS resolution requests in a timely manner.
The second attack mode is an abnormal request access attack, such as an over-long domain name request or an abnormal domain name request. Attacks of this kind exploit a vulnerability discovered in the DNS server: a specially forged request message causes the DNS server software to malfunction, exit or crash, so that the DNS server cannot be started and its normal operation is disrupted.
The third attack mode is a DNS hijacking attack, such as DNS cache poisoning, tampering with authoritative domain content, or ARP spoofing to hijack authoritative domains. Attacks of this kind influence the resolution result by directly tampering with the resolution record, by tampering with its content in transit, or by responding ahead of the legitimate server.
The fourth attack mode uses the DNS itself as the attack vehicle. For example, an attacker controls a botnet that sends domain name resolution requests using the IP address of the victim host as the spoofed source; after the DNS servers resolve these requests by recursive query, they send the responses to the victim host, and the large number of response packets returned from different DNS servers forms a Distributed Denial of Service (DDoS) attack.
As the description of the four attacks shows, when a DNS server is under DNS attack, the attack mostly appears on the DNS server side as abnormal access to DNS domain names. By detecting abnormal access to DNS domain names, DNS attack behavior can be discovered in time, so that effective measures can be taken and the loss reduced to a minimum.
Disclosure of Invention
The invention aims to provide a method and a device for detecting abnormal DNS domain name access, which are used for detecting the abnormal DNS domain name access and giving an alarm in time based on KL divergence (also called relative entropy).
In order to achieve the purpose, the technical scheme of the invention is as follows:
a DNS domain name abnormal access detection method comprises the following steps:
acquiring mirror DNS messages of a DNS server and a DNS client;
performing KL divergence calculation on DNS data of the DNS message;
if the KL divergence is larger than a divergence threshold, calculating KL divergence contribution of each domain name in the current period;
judging the domain name with KL divergence contribution degree exceeding a contribution degree threshold value as an abnormal domain name, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database;
if the KL divergence is not larger than the divergence threshold, judging whether the current period has a newly added TopN domain name compared with the normal period (in the invention, TopN is a ranking by access count, and N is set as required), and if so, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database;
if there is no newly added TopN domain name, judging whether the variation rate of the TopN domain name access times exceeds a variation threshold, and if so, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database. The variation rate for rank K is the difference between the access count of the domain name ranked K in the current period and the access count of the domain name ranked K in the normal period, divided by the access count of the domain name ranked K in the normal period.
Further, the DNS data includes the number of times of domain name access in the current period and the normal period.
Further, the KL divergence calculation formula is $D(p \| q) = E[\log(p) - \log(q)]$, where p is the probability distribution of the number of times of domain name access in the current period, and q is the probability distribution of the number of times of domain name access in the normal period.
Further, the KL divergence contribution degree calculation formula is $C(k) = p(k)[\log p(k) - \log q(k)]$, where p(k) is the query probability, in the current statistical period, of the domain name ranked k by query times in the current period, and q(k) is the query probability of the domain name ranked k by query times in the normal period.
Further, the DNS domain name abnormal access warning information includes warning time, an abnormal domain name, and the number of times of domain name abnormal access.
Further, the variation threshold may be 50% of the number of times of TopN domain name access in the normal period, where the 50% is an empirical value and may be adjusted according to different DNS application environments.
Further, if the KL divergence contribution exceeds the contribution threshold, ending the current cycle abnormal access detection after sending the DNS domain name abnormal access warning information and writing the DNS domain name abnormal access warning information into the database, otherwise directly ending the current cycle abnormal access detection.
Further, if the TopN newly added domain name exists, the abnormal access detection of the current period is finished after the DNS domain name abnormal access warning information is sent and written into the database.
Further, if the variation rate of the TopN domain name access times exceeds the variation threshold, the abnormal access detection in the current period is finished after the DNS domain name abnormal access warning information is sent and written into the database.
A DNS domain name abnormal access detection apparatus, comprising a DNS domain name analyzer connected to a router, the analyzer comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the program comprising instructions for the steps of the above method.
It should be noted that the divergence threshold, the contribution threshold and the variation threshold of the present invention have different values according to different DNS application environments, and need to be set according to the domain name distribution condition during abnormal access, and the setting principle is to find the abnormal access of the domain name and reduce the false alarm condition.
The invention has the following technical effects: 1) When a domain-name-based DNS attack occurs, calculating the KL divergence reduces the computation time needed to locate the abnormal domain name, so the abnormal domain name can be located quickly. Comparing the newly added TopN domain names and the change rate of the domain name access times supplements this by detecting domain name anomalies that the KL divergence cannot find. 2) DNS operation and maintenance personnel can rate-limit DNS query packets according to the extracted DNS domain name characteristic information, thereby eliminating the influence of DNS domain name attacks on the DNS client and the DNS server.
Drawings
Fig. 1 is a schematic diagram of a deployment of a DNS domain name analyzer.
Fig. 2 is a flowchart of a DNS domain name abnormal access detection method according to the present invention.
Detailed Description
In order to make the aforementioned and other features and advantages of the invention more comprehensible, embodiments accompanied with figures are described in detail below.
The present embodiment provides a DNS domain name abnormal access detection apparatus, which mainly comprises a DNS domain name analyzer deployed beside a router and connected to the router, as shown in fig. 1.
In combination with the DNS domain name analyzer, this embodiment further provides a DNS domain name abnormal access detection method. The flow is shown in fig. 2, and the steps are as follows:
1) The DNS domain name analyzer receives the mirrored DNS messages.
2) The DNS data of the DNS messages comprises the domain name access times in the current period and in the normal period. The probability distribution p of the domain name access times in the current period and the probability distribution q of the domain name access times in the normal period are calculated, and the KL divergence is then calculated using the formula $D(p \| q) = E[\log(p) - \log(q)]$.
3) When the KL divergence exceeds the divergence threshold, the statistical period is marked as a DNS abnormal access period, and the KL divergence contribution of each domain name in the statistical period is calculated using the formula $C(k) = p(k)[\log p(k) - \log q(k)]$, where p(k) is the query probability, in the current statistical period, of the domain name ranked k by query times in the current period, and q(k) is the query probability of the domain name ranked k by query times in the normal period.
4) If a KL divergence contribution exceeds the contribution threshold, the abnormal domain name is extracted, DNS domain name abnormal access alarm information is sent and written into the database, and the access detection for the current period ends; if no KL divergence contribution exceeds the contribution threshold, the access detection for the current period ends directly.
5) If the KL divergence is normal, the change in the TopN domain names and the change in the domain name access times are analyzed.
6) If a newly added TopN domain name exists, DNS domain name abnormal access alarm information is sent and written into the database, and the access detection for the current period ends.
7) If the change rate of the domain name access times exceeds the change threshold (namely 50% of the mean value of the TopN domain name access times in the normal period, where the 50% is an empirical value and can be changed according to different DNS application environments), DNS domain name abnormal access alarm information is sent and written into the database, and the access detection for the current period ends.
Two example cases based on the above method are given below:
Example one: The KL divergence is abnormal
Acquiring mirror DNS messages of a DNS server and a DNS client, wherein DNS data of the DNS messages comprises: the number of times of access to the Top20 of the three-level domain name in the normal period is [6929,4125,2882,2558,2247,1909,1606,1524,1521,1493,1492,1438,1396,1393,1366,1327,1310,1111,1096,1090], and the number of times of access to the Top20 of the three-level domain name in the current period is [5162,5125,4291,3877,3699,2909,2396,2255,2099,2077,1799,1698,1586,1031,913,871,832,637,583,579 ].
KL divergence calculation:
Using the formula $D(p \| q) = E[\log(p) - \log(q)]$, the calculation result is 0.0592836940216, which is greater than the divergence threshold of 0.05, so the calculation of the KL divergence contribution is triggered.
Calculation of KL divergence contribution:
Using the formula $C(k) = p(k)[\log p(k) - \log q(k)]$, the calculation results are [ -0.0469338,0.01241366,0.02787585,0.02674004,0.03239344,0.0204169,0.01567415,0.01433331,0.01004723,0.01031805,0.00314446,0.00216838,0.00064735, -0.00952581, -0.01053159, -0.01040258, -0.01055334, -0.0095469, -0.00972182, -0.0096733 ].
With the contribution threshold set to 0.01 as required, a domain name whose calculation result is greater than 0.01 is judged to be abnormally accessed; here the abnormal access to the domain names ranked 2-10 in the current period is detected.
Example two: the KL divergence is not abnormal
Acquiring mirror DNS messages of a DNS server and a DNS client, wherein DNS data of the DNS messages comprises: the number of times of access of the Top20 of the three-level domain name in the normal period is [6929,4125,2882,2558,2247,1909,1606,1524,1521,1493,1492,1438,1396,1393,1366,1327,1310,1111,1096,1090], and the number of times of access of the Top20 of the three-level domain name in the current period is as follows: [6758,5125,5082,5058,5047,4909,3606,1634,1591,1583,1512,1498,1486,1453,1396,1382,1350,1259,1188,1002].
KL divergence calculation:
Using the formula $D(p \| q) = E[\log(p) - \log(q)]$, the calculation result is 0.0253884375402, which is less than the divergence threshold of 0.05, so the calculation of the KL divergence contribution is not triggered. Instead, the current period is checked against the normal period for a newly added Top20 domain name; no newly added domain name is found in this example, so the change rate of the domain name access times needs to be calculated further.
Calculation of the change rate of the access times:
Using the formula (N-M)/M, where N is the number of accesses to the domain name ranked K in the current period Top20 and M is the number of accesses to the domain name ranked K in the normal period Top20, the calculation results are [0.72420263,0.02278788, -0.04059681, -0.01016419,0.06408545, -0.00838135,0.05915318,0.06167979,0.00723208,0.01205626,0.00268097,0.01599444,0.00787966,0.00430725,0.0124451, -0.00602864, -0.00839695,0.07470747,0.0100365,0.00825688].
With the change threshold set to 50% as required, a domain name whose calculation result is greater than 50% is judged to be abnormally accessed; here abnormal access to the domain name ranked 1 is found.
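The detection flow of steps 1) to 7), as an added example that is not code from the patent. It recomputes example one's KL divergence and flagged ranks from the counts printed above, and exercises the two fallback branches with constructed counts. Function names, the `*.example` domain names and the natural logarithm (the base that matches example one's figures) are assumptions.

```python
import math

# Top20 access counts from the page's example one (normal period, current period).
EX1_NORMAL = [6929, 4125, 2882, 2558, 2247, 1909, 1606, 1524, 1521, 1493,
              1492, 1438, 1396, 1393, 1366, 1327, 1310, 1111, 1096, 1090]
EX1_CURRENT = [5162, 5125, 4291, 3877, 3699, 2909, 2396, 2255, 2099, 2077,
               1799, 1698, 1586, 1031, 913, 871, 832, 637, 583, 579]

# Constructed counts for the fallback branches (not from the page).
BASE = {"a.example": 100, "b.example": 80, "c.example": 60,
        "d.example": 40, "e.example": 20}
SWAPPED = {"a.example": 100, "b.example": 80, "c.example": 60,
           "d.example": 40, "x.example": 20}      # same shape, one new name
SURGE = {**BASE, "a.example": 160}                # rank 1 grows by 60%


def by_rank(counts):
    """Attach constructed placeholder names (r01.example, ...) to a ranked count list."""
    return {f"r{k:02d}.example": c for k, c in enumerate(counts, 1)}


def top_n(counts, n):
    """The n most-queried domains as [(domain, count)], rank 1 first; zero counts dropped."""
    ranked = sorted(((d, c) for d, c in counts.items() if c > 0),
                    key=lambda dc: (-dc[1], dc[0]))
    return ranked[:n]


def contributions(cur, norm):
    """C(k) = p(k) * (ln p(k) - ln q(k)) per rank k; p and q are normalised over the Top N."""
    sp, sq = sum(cur), sum(norm)
    return [(c / sp) * (math.log(c / sp) - math.log(m / sq))
            for c, m in zip(cur, norm)]


def detect(normal, current, n=20, div_thr=0.05, contrib_thr=0.01, change_thr=0.5):
    """Run one detection period over {domain: access count} maps.

    Returns the KL divergence, the branch taken and the alerts; each alert is
    (rank, domain, count) as seen in the current period.
    """
    norm_top, cur_top = top_n(normal, n), top_n(current, n)
    size = min(len(norm_top), len(cur_top))   # ranks present in both periods
    if size == 0:
        return {"kl": 0.0, "branch": "none", "alerts": []}
    norm_cnt = [c for _, c in norm_top[:size]]
    cur_cnt = [c for _, c in cur_top[:size]]
    contrib = contributions(cur_cnt, norm_cnt)
    kl = sum(contrib)                         # D(p||q) is the sum of the C(k)

    def alerts_for(ranks):
        return [(k + 1, cur_top[k][0], cur_top[k][1]) for k in ranks]

    # Branch 1: distribution shifted; name the ranks that drive the divergence.
    if kl > div_thr:
        hot = [k for k, c in enumerate(contrib) if c > contrib_thr]
        return {"kl": kl, "branch": "kl_contribution", "alerts": alerts_for(hot)}

    # Branch 2: a name in the current Top N that was absent from the normal Top N.
    known = {d for d, _ in norm_top}
    new = [k for k, (d, _) in enumerate(cur_top) if d not in known]
    if new:
        return {"kl": kl, "branch": "new_topn_domain", "alerts": alerts_for(new)}

    # Branch 3: per-rank change rate (N - M) / M against the normal period.
    surged = [k for k in range(size)
              if (cur_cnt[k] - norm_cnt[k]) / norm_cnt[k] > change_thr]
    return {"kl": kl, "branch": "change_rate" if surged else "none",
            "alerts": alerts_for(surged)}


if __name__ == "__main__":
    for label, normal, current, n in [
            ("example one", by_rank(EX1_NORMAL), by_rank(EX1_CURRENT), 20),
            ("new name", BASE, SWAPPED, 5),
            ("surge", BASE, SURGE, 5)]:
        r = detect(normal, current, n=n)
        print(label, round(r["kl"], 6), r["branch"], r["alerts"])
```

Because p and q are indexed by rank rather than by name, replacing one domain with another of equal volume leaves the KL divergence at zero, which is why the newly added TopN check runs as a separate branch.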
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (8)

1. A DNS domain name abnormal access detection method comprises the following steps:
acquiring mirror DNS messages of a DNS server and a DNS client;
performing KL divergence calculation on DNS data of the DNS message according to the probability distribution of the domain name access times in the current period and the probability distribution of the domain name access times in the normal period;
if the KL divergence is larger than a divergence threshold value, performing KL divergence contribution calculation on each domain name in the current period, wherein the KL divergence contribution calculation formula is $C(k) = p(k)[\log p(k) - \log q(k)]$, wherein p(k) is the query probability, in the current statistical period, of the domain name ranked k according to the query times in the current period, and q(k) is the query probability of the domain name ranked k according to the query times in the normal period;
judging the domain name with KL divergence contribution degree exceeding a contribution degree threshold value as an abnormal domain name, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database;
if the KL divergence is not larger than the divergence threshold, judging whether a TopN newly added domain name exists in the current period compared with the normal period, wherein the TopN is the rank counted according to the access times, and N is set according to the requirement; if the TopN newly-added domain name exists, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database;
if no TopN newly-added domain name exists, judging whether the variation rate of the TopN domain name access times exceeds a variation threshold value, and if so, sending DNS domain name abnormal access alarm information and writing the DNS domain name abnormal access alarm information into a database.
2. The method of claim 1, wherein the DNS data includes a number of domain name visits in a current cycle and a normal cycle.
3. The method according to claim 1, wherein the KL divergence calculation formula is $D(p \| q) = E[\log(p) - \log(q)]$, where p is a probability distribution of the number of times of domain name accesses in a current period and q is a probability distribution of the number of times of domain name accesses in a normal period.
4. The method according to claim 1, wherein the DNS domain name abnormal access warning information includes warning time, abnormal domain name, and number of times of domain name abnormal access.
5. The method according to claim 1, wherein if the KL divergence contribution exceeds a contribution threshold, the current cycle abnormal access detection is ended after DNS domain name abnormal access warning information is sent and written into the database, otherwise the current cycle abnormal access detection is ended directly.
6. The method of claim 1, wherein if there is a TopN newly added domain name, the abnormal access detection in the current period is finished after sending the DNS domain name abnormal access warning message and writing it into the database.
7. The method according to claim 1, wherein if the variation rate of the number of times of TopN domain name access exceeds the variation threshold, the detection of the abnormal access in the current period is ended after the DNS domain name abnormal access warning message is sent and written into the database.
8. A DNS domain name abnormal access detection apparatus comprising a DNS domain name analyzer connected to a router, the analyzer comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the program comprising instructions for the steps of the method of any of the preceding claims 1-7.
CN201711473667.3A 2017-12-29 2017-12-29 DNS domain name abnormal access detection method and device Active CN108270778B (en)


Publications (2)

Publication Number  Publication Date
CN108270778A (en)  2018-07-10
CN108270778B (en)  2020-11-20
