CN108848201A - Detection utilizes the method, system and device of DNS tunnel transmission secret data - Google Patents

Info

Publication number
CN108848201A
Application number
CN201810615014.2A
Authority
CN (China)
Prior art keywords
request packet, dns, dns request, domain, detection
Legal status (assumed by Google Patents, not a legal conclusion)
Pending
Other languages
Chinese (zh)
Inventor
张斌
Current Assignee (listing by Google Patents, may be inaccurate)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Events
Application filed by Sangfor Technologies Co Ltd
Priority to CN201810615014.2A
Publication of CN108848201A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/50 Testing arrangements
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

This application discloses a method for detecting the transmission of concealed data through a DNS tunnel. The method not only uses the conventional feature-analysis approach to detect whether improper domain-name information is present, but also incorporates the temporal feature that accompanies real transmission of concealed data through a DNS tunnel: it detects whether the number of preliminary abnormal DNS request packets appearing in a preset period far exceeds the normal standard quantity. Discriminating simultaneously from these different angles gives higher precision, stronger targeting, stronger resistance to evasion and a better actual detection effect. This application also discloses a system, a device and a computer-readable storage medium for detecting the transmission of concealed data through a DNS tunnel, which have the same beneficial effects.

Description

Method, system and device for detecting the transmission of concealed data through a DNS tunnel
Technical field
This application relates to the technical field of DNS applications, and in particular to a method, system, device and computer-readable storage medium for detecting the transmission of concealed data through a DNS tunnel.
Background art
A DNS server (Domain Name Server, in Chinese 域名服务器, domain name server) is a server that converts between domain names and their corresponding IP addresses. A domain name is the name of a computer or group of computers on the Internet, and the DNS server determines the corresponding IP address by keeping a table of every recorded domain name and its IP address.
Normally, a DNS server uses the domain-name information carried in a DNS request packet to resolve the real address (IP address) of the target website or server with which data is to be exchanged, and a data transmission channel is established after resolution completes for the subsequent data interaction. A new practice has now appeared in which improper domain-name information is added to the domain-name part of a DNS request packet so that concealed data is transmitted by way of the DNS server. The existing detection means for this practice usually detect from the features of the transmitted DNS request packets: a feature library is built from real cases and detection is performed by comparing feature information against that library. Such a detection mode is rather one-dimensional; once the detection mode becomes generally known it can easily be modified in a targeted way to bypass detection, so that the actual detection effect is poor.
Therefore, how to overcome the technical deficiencies of the existing methods that detect the transmission of concealed data through a DNS tunnel on the basis of DNS feature information, and provide a method for detecting such transmission that uses more detection angles, better incorporates the features of actual situations and has higher detection accuracy, is a problem that those skilled in the art urgently need to solve.
Summary of the invention
The purpose of this application is to provide a method for detecting the transmission of concealed data through a DNS tunnel. The method not only uses the conventional feature-analysis approach to detect whether improper domain-name information is present, but also incorporates the temporal feature that accompanies real transmission of concealed data through a DNS tunnel, namely detecting whether the number of preliminary abnormal DNS request packets appearing in a preset period far exceeds the normal standard quantity. Discriminating simultaneously from these different angles gives higher precision, stronger targeting, stronger resistance to evasion and a better actual detection effect.
Another object of this application is to provide a system, a device and a computer-readable storage medium for detecting the transmission of concealed data through a DNS tunnel.
To achieve the above object, this application provides a method for detecting the transmission of concealed data through a DNS tunnel, the method including:
obtaining all DNS request packets passing through the DNS server;
detecting whether each DNS request packet contains improper domain-name information;
if so, marking the DNS request packets containing the improper domain-name information as preliminary abnormal DNS request packets;
judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same historical period is greater than a first preset ratio;
if the ratio is greater than the first preset ratio, determining that transmission of concealed data through a DNS tunnel is present in the DNS server.
Optionally, detecting whether each DNS request packet contains improper domain-name information includes:
judging, with a preset information-entropy algorithm, whether the domain-name part of each DNS request packet conceals encrypted data to be transmitted.
Optionally, detecting whether each DNS request packet contains improper domain-name information includes:
detecting whether the domain-name part of each DNS request packet has been maliciously re-encoded.
Optionally, detecting whether each DNS request packet contains improper domain-name information includes:
detecting whether the DNS request type initiated by each DNS request packet is TXT, MX or CNAME.
Optionally, after detecting whether each DNS request packet contains improper domain-name information, the method further includes:
judging whether the destination IP address to which each DNS request packet points is in a blacklist.
Optionally, judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same historical period is greater than the first preset ratio includes:
judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same historical period is greater than 3.
Optionally, the method further includes:
when the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing is less than the first preset ratio but greater than a second preset ratio, determining that C&C communication is being carried out through a DNS tunnel by way of the DNS server.
Optionally, before detecting whether each DNS request packet contains improper domain-name information, the method further includes:
parsing the sender's domain name corresponding to each DNS request packet;
judging whether the sender's domain name is in a whitelist, and if so, performing the subsequent detection only on DNS request packets whose sender's domain name is not in the whitelist.
To achieve the above object, this application also provides a system for detecting the transmission of concealed data through a DNS tunnel, the system including:
a DNS request packet acquiring unit, for obtaining all DNS request packets passing through the DNS server;
an improper domain-name information detection unit, for detecting whether each DNS request packet contains improper domain-name information;
a preliminary abnormal DNS request packet marking unit, for marking the DNS request packets containing the improper domain-name information as preliminary abnormal DNS request packets;
a same-period quantity comparing unit, for judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same historical period is greater than a first preset ratio;
a concealed-data-transmission judging unit, for determining that transmission of concealed data through a DNS tunnel is present in the DNS server when the ratio is greater than the first preset ratio.
Optionally, the improper domain-name information detection unit includes:
an information-entropy detection sub-unit, for judging with a preset information-entropy algorithm whether the domain-name part of each DNS request packet conceals encrypted data to be transmitted.
Optionally, the improper domain-name information detection unit includes:
a domain-name malicious re-encoding detection sub-unit, for detecting whether the domain-name part of each DNS request packet has been maliciously re-encoded.
Optionally, the improper domain-name information detection unit includes:
a specific DNS request type detection sub-unit, for detecting whether the DNS request type initiated by each DNS request packet is TXT, MX or CNAME.
Optionally, the system further includes:
a destination IP address blacklist judging unit, for judging whether the destination IP address to which the DNS request packet points is in a blacklist.
Optionally, the same-period quantity comparing unit includes:
a triple-quantity judging sub-unit, for judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same historical period is greater than 3.
Optionally, the system further includes:
a C&C communication judging unit, for determining that C&C communication is being carried out through a DNS tunnel by way of the DNS server when the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing is less than the first preset ratio but greater than a second preset ratio.
Optionally, the system further includes:
a sender domain-name parsing unit, for parsing the sender's domain name corresponding to each DNS request packet;
a whitelist judging and processing unit, for judging whether the sender's domain name is in a whitelist and, if so, performing the subsequent detection only on DNS request packets whose sender's domain name is not in the whitelist.
To achieve the above object, this application also provides a device for detecting the transmission of concealed data through a DNS tunnel, the device including:
a memory, for storing a computer program;
a processor, which when executing the computer program implements the steps of the method for detecting the transmission of concealed data through a DNS tunnel described above.
To achieve the above object, this application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the method for detecting the transmission of concealed data through a DNS tunnel described above are implemented.
Obviously, the method for detecting the transmission of concealed data through a DNS tunnel provided by this application first detects whether each DNS request packet contains improper domain-name information besides the normal domain-name information and, to prevent misjudgement, marks such packets after detection as preliminary abnormal DNS request packets. It then judges comprehensively, in combination with the temporal feature, whether the number of packets marked as preliminary abnormal in the current period is much greater than the number normally appearing in the same historical period, because transmitting concealed data through a DNS tunnel inevitably produces a large number of DNS request packets containing improper domain-name information, and once this occurs the presence of such transmission can be assumed. The detection method not only uses the conventional feature-analysis approach to detect whether improper domain-name information is present, but also incorporates the temporal feature that accompanies real transmission of concealed data through a DNS tunnel, namely detecting whether the number of preliminary abnormal DNS request packets appearing in a preset period far exceeds the normal standard quantity. Discriminating simultaneously from these different angles gives higher precision, stronger targeting, stronger resistance to evasion and a better actual detection effect. This application also provides a system, a device and a computer-readable storage medium for detecting the transmission of concealed data through a DNS tunnel, which have the same beneficial effects and are not described again here.
Brief description of the drawings
To describe the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of this application; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flow chart of a method for detecting the transmission of concealed data through a DNS tunnel provided by an embodiment of this application;
Fig. 2 is a flow chart of a method, within the detection method provided by an embodiment of this application, for parsing DNS request packets and detecting whether they contain improper domain-name information;
Fig. 3 is a flow chart of a method, within the detection method provided by an embodiment of this application, for determining with the temporal feature whether transmission of concealed data through a DNS tunnel is currently present;
Fig. 4 is a structural block diagram of a system for detecting the transmission of concealed data through a DNS tunnel provided by an embodiment of this application.
Detailed description of embodiments
The core of this application is to provide a method, system, device and computer-readable storage medium for detecting the transmission of concealed data through a DNS tunnel. The method not only uses the conventional feature-analysis approach to detect whether improper domain-name information is present, but also incorporates the temporal feature that accompanies real transmission of concealed data through a DNS tunnel, namely detecting whether the number of preliminary abnormal DNS request packets appearing in a preset period far exceeds the normal standard quantity. Discriminating simultaneously from these different angles gives higher precision, stronger targeting, stronger resistance to evasion and a better actual detection effect.
To make the purposes, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of this application. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in this application without creative work fall within the scope of protection of this application.
How concealed data is transmitted through a DNS tunnel is briefly explained here:
By record type, the DNS requests carried in DNS request packets generally include the following:
(1) A records: an A (Address) record specifies the IP address corresponding to a host name (or domain name), i.e. it points to the IP of the web server, and a user can point the website server under the domain name to their own web server. In plain terms, an A record is the IP of the server, and binding an A record to a domain name tells the DNS server: when this domain name is entered, direct the user to the server corresponding to the A record configured in DNS;
(2) AAAA records: this record resolves a domain name to a specified IPv6 address, whereas an A record refers to an IPv4 address;
(3) CNAME records: commonly called alias resolution; several registered domain names can all be directed to one domain-name record, which then resolves them in a unified way. Unlike an A record, the value of a CNAME canonical name may be a domain name and need not be an IP address;
(4) MX records: an MX (Mail Exchanger) record is a mail exchange record that points to a mail server; the e-mail system uses it to locate the mail server from the address suffix of the recipient when sending mail. For example, when a user on the Internet sends a message to user@mydomain.com, the user's mail system looks up the MX record of the domain mydomain.com through DNS, and if the MX record exists, the user's computer sends the mail to the mail server specified by that MX record;
(5) TXT records: generally an explanatory note for a host name or domain name, for example: admin IN TXT "administrator, phone: XXXXXXXXXXX", mail IN TXT "mail host, located in xxx, administrator: AAA", Jim IN TXT "contact: abc@mailserver.com"; that is, contact information can be made known to others by setting TXT content.
Besides the common DNS request record types above, there is one more record type: the NS (Name Server) record, which specifies which DNS server resolves the domain name. When a domain name is registered there is always a default DNS server, and each registered domain name is resolved by a DNS name server; the NS record addresses of a DNS server generally take forms such as ns1.domain.com, ns2.domain.com. Briefly, an NS record specifies which DNS server is to resolve a given domain name.
On the basis of the above, the key point in constructing a concealed DNS tunnel between a sending end and a receiving end is that the constructing party modifies (or adds) an NS record, so that the DNS request packets generated by the sending end according to the NS record information are resolved by a DNS server belonging to the constructing party. Because most network firewalls do not block outgoing DNS request packets, the constructing party can encrypt and hide the concealed data to be transmitted when constructing the DNS request packets, and recover the original concealed data with the corresponding decryption method when the packets are received, thereby achieving the purpose of transmitting concealed data.
Refer to Fig. 1, which is a flow chart of a method for detecting the transmission of concealed data through a DNS tunnel provided by an embodiment of this application.
It specifically includes the following steps:
S101: obtaining all DNS request packets passing through the DNS server;
S102: detecting whether each DNS request packet contains improper domain-name information;
The purpose of S101 and S102 is to detect whether any of the DNS request packets passing through the DNS server carry or conceal improper domain-name information.
A DNS server is mainly used to resolve domain names to IP addresses. A new practice has appeared in which the DNS server is used to build a DNS tunnel for transmitting concealed data. This differs from ordinary information transmission: it does not pass through conventional network channels and ports, but exploits the DNS server's handling of DNS request packets during resolution to establish a DNS tunnel between the sending end and the receiving end. The transmitted concealed data usually exists in ciphertext form within the original domain-name part, so the purpose of this step is to detect whether each DNS request packet contains improper domain-name information.
As to how the domain-name information in a DNS request packet is defined as normal or improper, the distinction is quite obvious. Simply put, all domain-name information that does not conform to the usual domain-name structure belongs to improper domain-name information. For example, the most common and familiar domain names look like www.xxxxx.com or http://www.xxxxx.com; under current domain-naming rules some rather strange-looking domain names also exist, and the suffix in the two examples above varies by region, but when a domain name such as a9210307290000000007bab9c88d277.asdfa51as2512a4f224.bc.6ca.ns.fastercc.cc appears, it is evident that this is not a normal domain name. Even though it complies with current domain-naming rules, in most cases only a malicious party would apply for such a domain name, in order to build a DNS tunnel for transmitting concealed data.
Besides the kind of improper domain name in the example above, there is the parallel case of using a particular special encoding scheme to convert a domain name carrying concealed data into an improper domain name of a particular type, which the recipient decodes to recover the concealed data; other similar ways also exist. Regardless of which way is used to hide the concealed data to be transmitted, those skilled in the art can provide various specific embodiments that achieve this purpose. No limitation is placed here on how to detect whether a DNS request packet contains improper domain-name data; the most suitable way can be chosen according to the actual situation, and this part is explained further in subsequent embodiments.
In some systems, to reduce the computing resources required for detection, some trusted domain names can be placed in a whitelist: when the domain name carried in a DNS request packet is found to be in the whitelist, no subsequent detection is performed, which raises detection efficiency and lowers the hardware cost required.
S103: marking the DNS request packets containing improper domain-name information as preliminary abnormal DNS request packets;
On the basis of S102, this step marks the DNS request packets detected as containing improper domain-name information as preliminary abnormal DNS request packets.
They are marked only as preliminary abnormal DNS request packets because, in the actual usage scenarios of a DNS server, a small number of DNS request packets containing improper domain-name information may be generated by various faults and abnormal factors, so the discovery of a few such packets is not sufficient for an accurate determination. At the same time, because each DNS request packet is small and limited in size, real transmission of concealed data through a DNS tunnel usually produces a large number of DNS request packets that will be marked as preliminary abnormal. It is therefore necessary to discriminate in combination with other features, so as to reduce the false-positive rate as far as possible.
S104: judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same historical period is greater than a first preset ratio;
On the basis of S103, this step compares the number of preliminary abnormal DNS request packets newly appearing in the current period with the number normally appearing in the same historical period. A ratio, as one way of measuring the relation between the two quantities, is well suited to this step, because the first preset ratio should normally be much greater than 1: the packets produced by various faults and abnormal factors are after all a minority, and only when the preset ratio is 2, 5 or an even larger number can the presence of transmission of concealed data through a DNS tunnel be indicated.
In combination with one actual application scenario, this application sets the preset ratio to 3, i.e. the branch in which the subsequent judging result is "yes" is entered only when the number of preliminary abnormal DNS request packets newly appearing in a period is at least three times the number normally appearing in the same historical period. The specific size of the preset ratio can of course be adjusted flexibly according to the practical application scenario, to meet the configured security level and other special requirements. For example, this Monday and last Monday belong to the same period, as does the Monday of the week before, so one can compare whether the number of preliminary abnormal DNS request packets newly appearing this Monday is at least three times the number that normally appeared on the same day last Monday.
S105: determining that no transmission of concealed data through a DNS tunnel is present in the DNS server;
This step is based on the judging result of S104 being that the ratio is not greater than the first preset ratio, i.e. the number of preliminary abnormal DNS request packets appearing has not far exceeded that of the same historical period and remains within the normal range, so it can be determined that no transmission of concealed data through a DNS tunnel is present in the DNS server at this time.
S106: determining that transmission of concealed data through a DNS tunnel is present in the DNS server.
This step is based on the judging result of S104 being that the ratio is greater than the first preset ratio, i.e. a large number of preliminary abnormal DNS request packets far exceeding the same historical period have appeared, so it can be determined that transmission of concealed data through a DNS tunnel is present in the DNS server at this time.
On the basis of the above technical solution, the method for detecting the transmission of concealed data through a DNS tunnel provided by the embodiment of this application first detects whether each DNS request packet contains improper domain-name information besides the normal domain-name information and, to prevent misjudgement, marks such packets after detection as preliminary abnormal DNS request packets. It then judges comprehensively, in combination with the temporal feature, whether the number of packets marked as preliminary abnormal in the current period is much greater than the number normally appearing in the same historical period, because transmitting concealed data through a DNS tunnel inevitably produces a large number of DNS request packets containing improper domain-name information, and once this occurs the presence of such transmission can be assumed. The detection method not only uses the conventional feature-analysis approach to detect whether improper domain-name information is present, but also incorporates the temporal feature that accompanies real transmission of concealed data through a DNS tunnel, namely detecting whether the number of preliminary abnormal DNS request packets appearing in a preset period far exceeds the normal standard quantity. Discriminating simultaneously from these different angles gives higher precision, stronger targeting, stronger resistance to evasion and a better actual detection effect.
Referring now to Fig. 2: Fig. 2 is a flowchart of a method, within the detection method provided by the embodiment of this application, for parsing DNS request packets and detecting whether they contain abnormal domain-name information. This embodiment mainly provides a more specific way of operating for how to detect whether each DNS request packet contains abnormal domain-name information:
S201: Obtain all DNS request packets passing through the DNS server;
S202: Parse the sender's domain name corresponding to each DNS request packet;
S203: Judge whether the sender's domain name is in a white list;
S204: Perform subsequent detection only on DNS request packets whose sender's domain name is not in the white list;
The white list first filters out the portion of DNS request packets that carry trusted domain names.
S205: Use a preset information-entropy algorithm to judge whether the domain-name part of each DNS request packet hides encrypted data to be transmitted;
This step uses an information-entropy-based approach to detect whether the domain-name part of a DNS request packet hides encrypted data to be transmitted. The information-entropy algorithm quantifies the information entropy of the domain name according to a specific formula; the concept of entropy originates in physics, where it measures uncertainty and disorder.
When covert data is transmitted through a DNS tunnel, the information to be transmitted is generally encrypted and hidden in the domain-name part, as in the following domain name:
a921030729000000007bab9c88d277b1fee2c6757ad7dd7aa31d8a58c02f.3d4647713ca18f55acfef375b9b2d088949c4a3674e72d297ac83451c1bc.d62c80b122bcfa664d6bd4e6ca.ns.fastercc.cc
The information entropy of this domain name is significantly higher than that of the normal contents of a normal domain name, so this approach can be used to judge whether the domain-name part hides encrypted data to be transmitted; in other words, the string that looks like garbage characters is what is obtained after the original data has been encrypted.
S206: Detect whether the domain-name part of each DNS request packet has been maliciously re-encoded;
This is similar to S205, except that this step describes another way of encrypting and hiding the information to be transmitted: re-encoding.
For example, the following domain name has been re-encoded:
5-8-5-3-6-0-6-6-4-1-2-2-7-0-4-6-7-2-8-7-6-8-7-3-1-8-7-6-3-0-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-10-0-0-0-0-0-0-0-0-0-0-0-0-0.info
In this domain name every two adjacent characters are separated by "-", an encoding somewhat like Morse code; the purpose is the same as in S205, namely hiding the data to be transmitted.
S207: Detect whether the DNS request type initiated by each DNS request packet is TXT, MX or CNAME;
This step looks at the problem from another angle: when a domain name is normally resolved to an IP address, an A-record or AAAA-record DNS request is usually used, so if a large number of TXT, MX or CNAME requests are initiated, this indirectly indicates that they may contain covert data available for transmission.
Further, it is also possible to judge whether the IP address contained in each DNS request packet is in a blacklist, because the country in which some IP addresses are located may be defined as high-risk; therefore, when the security level is high, DNS request packets containing this type of information may also need to be intercepted.
S208: Mark the DNS request packets containing abnormal domain-name information as preliminary abnormal DNS request packets.
This step follows S205, S206 and S207: the DNS request packets for which the result of these three detection steps is "yes" are marked as preliminary abnormal DNS request packets.
It should be noted that S205, S206 and S207 in this embodiment can each be used alone; see how they connect to S208 in the flowchart of Fig. 2. The three are in parallel, but as long as one of them holds, the corresponding DNS request packet can be determined to be a preliminary abnormal DNS request packet. To achieve a better detection effect, these methods can of course also be combined in any order of detection, and when the required precision is not high, only one of them may be used to judge whether abnormal domain-name information is contained. This embodiment merely gives a preferred procedure with better detection effect for determining preliminary abnormal DNS request packets; those skilled in the art should be able to derive other similar embodiments under the basic idea provided by this embodiment, all of which should belong to the protection scope of this application.
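The following is an added illustration of the first stage (S201 to S208) and is not code from the patent or its assignee. It runs the three parallel checks (entropy of the domain-name part, dash-separated re-encoding, and TXT/MX/CNAME request type) plus the optional white list and IP blacklist on a constructed set of requests that includes the two domain names quoted above. The entropy threshold, the minimum payload length, the "sender's domain name" being the last two labels, the regular expression for re-encoded labels and all list contents are assumptions; the patent fixes none of them.

```python
"""Stage one (S201-S208): per-request checks that mark a DNS request as preliminary
abnormal. Added illustration, not the patent's own code."""
import math
import re
from dataclasses import dataclass, field

# Constructed policy values (assumptions; the patent names none of them).
WHITELIST = {"example.com", "example.net"}      # trusted sender domains, skipped (S203/S204)
IP_BLACKLIST = {"203.0.113.5"}                  # TEST-NET address standing in for a high-risk IP
SUSPICIOUS_QTYPES = {"TXT", "MX", "CNAME"}      # request types named in S207
ENTROPY_THRESHOLD = 3.5                         # bits per character; assumed cut-off for S205
MIN_PAYLOAD_LEN = 16                            # short names give noisy entropy, so skip them

# S206 heuristic: a label built from 1-2 character groups joined by "-" (five or more
# groups), the Morse-like re-encoding shown in the patent's second example.
REENCODE_RE = re.compile(r"^(?:[0-9a-z]{1,2}-){4,}[0-9a-z]{0,2}$")


@dataclass
class DnsRequest:
    qname: str                                  # queried name
    qtype: str                                  # record type requested
    dst_ip: str = ""                            # IP carried in the packet, if any (blacklist check)
    flags: set = field(default_factory=set)     # which checks fired


def labels_of(qname: str) -> list:
    return qname.rstrip(".").lower().split(".")


def sender_domain(qname: str) -> str:
    """S202: the zone the request is sent to, taken as the last two labels (assumption)."""
    return ".".join(labels_of(qname)[-2:])


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_payload(qname: str) -> bool:
    """S205: is the part in front of the sender domain entropy-heavy (encrypted data)?"""
    payload = "".join(labels_of(qname)[:-2])
    return len(payload) >= MIN_PAYLOAD_LEN and shannon_entropy(payload) > ENTROPY_THRESHOLD


def reencoded_payload(qname: str) -> bool:
    """S206: does any leading label look like dash-separated re-encoded data?"""
    return any(REENCODE_RE.match(lbl) for lbl in labels_of(qname)[:-2])


def suspicious_qtype(qtype: str) -> bool:
    """S207: TXT, MX and CNAME are unusual for plain address resolution."""
    return qtype.upper() in SUSPICIOUS_QTYPES


def check_request(req: DnsRequest) -> DnsRequest:
    """Run S203-S208 on one request; req.flags is non-empty iff it is preliminary abnormal."""
    req.flags = set()
    if sender_domain(req.qname) in WHITELIST:   # S203/S204: trusted zone, no further checks
        return req
    if high_entropy_payload(req.qname):
        req.flags.add("entropy")
    if reencoded_payload(req.qname):
        req.flags.add("reencoded")
    if suspicious_qtype(req.qtype):
        req.flags.add("qtype")
    if req.dst_ip in IP_BLACKLIST:              # optional blacklist step described after S207
        req.flags.add("ip_blacklist")
    return req


def preliminary_abnormal(requests) -> list:
    """S208: return the requests marked preliminary abnormal."""
    return [r for r in requests if check_request(r).flags]


# Constructed sample: the two names quoted in the patent plus ordinary lookups.
SAMPLE = [
    DnsRequest("a921030729000000007bab9c88d277b1fee2c6757ad7dd7aa31d8a58c02f."
               "3d4647713ca18f55acfef375b9b2d088949c4a3674e72d297ac83451c1bc."
               "d62c80b122bcfa664d6bd4e6ca.ns.fastercc.cc", "TXT"),
    DnsRequest("5-8-5-3-6-0-6-6-4-1-2-2-7-0-4-6-7-2-8-7-6-8-7-3-1-8-7-6-3-0-1-."
               "0-0-0-0-0-0-0-0-0-0-0-0-0-10-0-0-0-0-0-0-0-0-0-0-0-0-0.info", "A"),
    DnsRequest("www.example.com", "A"),                    # white-listed zone, never inspected
    DnsRequest("mail.example.org", "MX", "203.0.113.5"),   # MX request carrying a blacklisted IP
    DnsRequest("www.wikipedia.org", "A"),                  # ordinary lookup
]

if __name__ == "__main__":
    for r in preliminary_abnormal(SAMPLE):
        print(r.qname[:40], r.qtype, sorted(r.flags))
```

The dash-encoded name is caught only by the re-encoding check, because its entropy (half of its characters are "-") is well below the threshold, while the hex-encoded name is caught by both the entropy and the request-type check; this is why the patent keeps the three checks in parallel. A long legitimate CDN or anti-spam hostname can also trip the entropy check, which is the misjudgement the second stage of the method is designed to absorb.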
Referring now to Fig. 3: Fig. 3 is a flowchart of a method, within the detection method provided by the embodiment of this application, for using temporal characteristics to determine whether the phenomenon of transmitting covert data through a DNS tunnel is currently present. This embodiment gives implementation steps that combine practical application scenarios, mainly for the quantity comparison and the final determination:
S301: Mark the DNS request packets containing abnormal domain-name information as preliminary abnormal DNS request packets;
S302: Judge whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than a first preset ratio;
S303: Determine that the phenomenon of transmitting covert data through a DNS tunnel exists on the DNS server;
This step is based on the judgement result of S302 being that the ratio is greater than the first preset ratio, i.e. the number of preliminary abnormal DNS request packets that have appeared far exceeds the number allowed to appear in the same period, so it can be determined that covert data is being transmitted through a DNS tunnel on the DNS server.
S304: Judge whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than a second preset ratio;
This step is based on the judgement result of S302 being that the ratio is less than the first preset ratio, and aims to judge whether the ratio is greater than a second preset ratio that is smaller than the first. This is done because the DNS tunnel may be being used for C&C communication, in which case the number of newly appearing preliminary abnormal DNS request packets does not increase significantly, since C&C communication, unlike the transmission of covert data, does not generate a large number of DNS request packets. Therefore, when the ratio is less than the first preset ratio but greater than the second preset ratio, although it can be determined that covert data is not being transmitted through a DNS tunnel, it can be determined that C&C communication is probably being carried out.
That is, the size relation between the second preset ratio, the first preset ratio and 1 should be: 1 < second preset ratio < first preset ratio.
S305: Determine that the DNS server is working normally;
This step is based on the judgement result of S304 being that the ratio is not greater than the second preset ratio; it can be determined that the DNS server is in a normal working state, and the number of DNS request packets found marked as preliminary abnormal is still within the range of quantities normally allowed to appear.
S306: Determine that the DNS server is carrying out C&C communication through a DNS tunnel.
This step is based on the judgement result of S304 being that the ratio is greater than the second preset ratio, i.e. it can be determined that the DNS server is carrying out C&C communication through a DNS tunnel.
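The following is an added illustration of the second stage (S301 to S306) and is not code from the patent or its assignee. It takes the timestamps of requests already marked preliminary abnormal, counts them per period, looks up the normal upper limit for the same period in history and applies the two ratio thresholds in the order of Fig. 3. The first preset ratio is the value 3 given in the patent; the second preset ratio, the period length (one hour, matched by weekday), and the rule that the historical upper limit is the largest count seen in that period on known-normal days are assumptions, as are the constructed history and timestamps.

```python
"""Stage two (S301-S306): compare the number of preliminary abnormal DNS requests in the
current period with the normal upper limit for the same period in history.
Added illustration, not the patent's own code."""
from datetime import datetime, timedelta

FIRST_RATIO = 3.0    # first preset ratio: the value 3 given in the patent
SECOND_RATIO = 1.5   # second preset ratio: assumed; the patent only requires 1 < second < first
assert 1 < SECOND_RATIO < FIRST_RATIO


def slot_of(ts: datetime) -> tuple:
    """Period key: the same weekday and hour on earlier weeks counts as the "same period
    in history" (assumption; the patent does not fix the period length)."""
    return (ts.weekday(), ts.hour)


def count_by_slot(timestamps) -> dict:
    """Number of preliminary abnormal requests newly appearing in each period."""
    counts = {}
    for ts in timestamps:
        counts[slot_of(ts)] = counts.get(slot_of(ts), 0) + 1
    return counts


def normal_upper_limit(history: dict, slot: tuple) -> int:
    """Upper limit of the number normally appearing in this period: the largest count
    recorded for the slot on known-normal days (assumed derivation of the limit)."""
    return max(history.get(slot, [0]))


def judge(current: int, upper_limit: int) -> str:
    """S302-S306 decision for one period."""
    if upper_limit <= 0:
        ratio = float("inf") if current > 0 else 0.0   # no normal baseline: any count is excessive
    else:
        ratio = current / upper_limit
    if ratio > FIRST_RATIO:          # S302 yes -> S303
        return "covert-data-transmission"
    if ratio > SECOND_RATIO:         # S304 yes -> S306
        return "c2-over-dns-tunnel"
    return "normal"                  # S305


def evaluate(current_abnormal, history: dict) -> dict:
    """Verdict per period: slot -> (count, upper_limit, verdict)."""
    verdicts = {}
    for slot, n in count_by_slot(current_abnormal).items():
        limit = normal_upper_limit(history, slot)
        verdicts[slot] = (n, limit, judge(n, limit))
    return verdicts


# Constructed history: per (weekday, hour) slot, the counts of preliminary abnormal
# requests seen on three earlier, known-normal Mondays.
HISTORY = {
    (0, 9): [4, 5, 6],
    (0, 10): [3, 4, 4],
    (0, 11): [3, 3, 4],
}

# Constructed current-period timestamps of preliminary abnormal requests (stage-one
# output) on Monday 2018-06-18: 20 in the 09:00 hour, 8 in the 10:00 hour, 3 in the 11:00 hour.
_base = datetime(2018, 6, 18, 9, 0)
CURRENT_ABNORMAL = (
    [_base + timedelta(minutes=3 * i) for i in range(20)]
    + [_base + timedelta(hours=1, minutes=7 * i) for i in range(8)]
    + [_base + timedelta(hours=2, minutes=15 * i) for i in range(3)]
)

if __name__ == "__main__":
    for slot, (n, limit, verdict) in sorted(evaluate(CURRENT_ABNORMAL, HISTORY).items()):
        print(f"weekday={slot[0]} hour={slot[1]:02d}: {n} vs limit {limit} -> {verdict}")
```

With these inputs the 09:00 hour (20 against a limit of 6, ratio above 3) is judged covert data transmission, the 10:00 hour (8 against 4, ratio 2) falls between the two preset ratios and is judged C&C communication over the tunnel, and the 11:00 hour (3 against 4) is judged normal even though some requests were marked preliminary abnormal, which is the misjudgement-absorbing effect the two-stage design is after.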
Based on the above embodiments, this embodiment, while retaining the advantages of the previous embodiment, provides multiple ways of detecting whether a DNS request packet contains abnormal domain-name information, introduces black and white list mechanisms to reduce the detection workload and hardware cost, and makes a further judgement using the second preset ratio, thereby also achieving the purpose of detecting whether C&C communication is taking place; the actual detection effect is better.
Because the situations are complex, they cannot be enumerated and illustrated one by one; those skilled in the art should recognise that many examples may exist when the basic method principles provided by this application are combined with actual conditions, and all of them, obtained without sufficient creative work, should fall within the protection scope of this application.
Referring now to Fig. 4: Fig. 4 is a structural block diagram of a system for detecting the transmission of covert data through a DNS tunnel, provided by the embodiment of this application.
The system may include:
a DNS request packet acquiring unit 100, for obtaining all DNS request packets passing through the DNS server;
an abnormal domain-name information detection unit 200, for detecting whether each DNS request packet contains abnormal domain-name information;
a preliminary abnormal DNS request packet marking unit 300, for marking DNS request packets containing abnormal domain-name information as preliminary abnormal DNS request packets;
a same-period quantity comparing unit 400, for judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than a first preset ratio;
a covert data transmission phenomenon judging unit 500, for determining, when the ratio is greater than the first preset ratio, that the phenomenon of transmitting covert data through a DNS tunnel exists on the DNS server.
The abnormal domain-name information detection unit 200 may include:
an information-entropy calculation and detection sub-unit, for using a preset information-entropy algorithm to judge whether the domain-name part of each DNS request packet hides encrypted data to be transmitted;
a domain-name malicious re-encoding detection sub-unit, for detecting whether the domain-name part of each DNS request packet has been maliciously re-encoded;
a specific DNS request type detection sub-unit, for detecting whether the DNS request type initiated by each DNS request packet is TXT, MX or CNAME.
The same-period quantity comparing unit 400 may include:
a 3-times quantity judging sub-unit, for judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than 3.
Further, the system may also include:
a destination IP address blacklist judging unit, for judging whether the destination IP address to which a DNS request packet points is in a blacklist;
a sender's domain name parsing unit, for parsing the sender's domain name corresponding to each DNS request packet;
a white list judging and processing unit, for judging whether the sender's domain name is in a white list and, if so, not performing subsequent detection on DNS request packets whose sender's domain name is in the white list;
a C&C communication phenomenon judging unit, for determining that the DNS server is carrying out C&C communication through a DNS tunnel when the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing is less than the first preset ratio but greater than a second preset ratio.
Based on the above embodiments, this application also provides a device for detecting the transmission of covert data through a DNS tunnel. The device may include a memory and a processor, the memory holding a computer program; when the processor calls the computer program in the memory, the steps provided by the above embodiments can be implemented. Of course, the device may also include various necessary network interfaces, a power supply and other components.
This application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by an execution terminal or processor, the steps provided by the above embodiments can be implemented. The storage medium may include a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk, or any other medium that can store program code.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and for the relevant parts reference is made to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be considered as going beyond the scope of this application.
Specific examples have been used herein to illustrate the principles and implementation of this application; the description of the above embodiments is only intended to help understand the method of this application and its core idea. For those skilled in the art, improvements and modifications can also be made to this application without departing from its principles, and these improvements and modifications also fall within the protection scope of the claims of this application.
It should also be noted that in this specification relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.

Claims (18)

1. A method for detecting the transmission of covert data through a DNS tunnel, characterised by comprising:
obtaining all DNS request packets passing through a DNS server;
detecting whether each DNS request packet contains abnormal domain-name information;
if the abnormal domain-name information is contained, marking the DNS request packet containing the abnormal domain-name information as a preliminary abnormal DNS request packet;
judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than a first preset ratio;
if the ratio is greater than the first preset ratio, determining that the phenomenon of transmitting covert data through a DNS tunnel exists on the DNS server.
2. The method according to claim 1, characterised in that detecting whether each DNS request packet contains abnormal domain-name information comprises:
using a preset information-entropy algorithm to judge whether the domain-name part of each DNS request packet hides encrypted data to be transmitted.
3. The method according to claim 1, characterised in that detecting whether each DNS request packet contains abnormal domain-name information comprises:
detecting whether the domain-name part of each DNS request packet has been maliciously re-encoded.
4. The method according to claim 1, characterised in that detecting whether each DNS request packet contains abnormal domain-name information comprises:
detecting whether the DNS request type initiated by each DNS request packet is TXT, MX or CNAME.
5. The method according to any one of claims 1 to 4, characterised in that, after detecting whether each DNS request packet contains abnormal domain-name information, it further comprises:
judging whether the destination IP address to which each DNS request packet points is in a blacklist.
6. The method according to claim 5, characterised in that judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than a first preset ratio comprises:
judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than 3.
7. The method according to claim 5, characterised by further comprising:
when the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing is less than the first preset ratio but greater than a second preset ratio, determining that the DNS server is carrying out C&C communication through a DNS tunnel.
8. The method according to claim 7, characterised in that, before detecting whether each DNS request packet contains abnormal domain-name information, it further comprises:
parsing the sender's domain name corresponding to each DNS request packet;
judging whether the sender's domain name is in a white list and, if so, not performing subsequent detection on DNS request packets whose sender's domain name is in the white list.
9. A system for detecting the transmission of covert data through a DNS tunnel, characterised by comprising:
a DNS request packet acquiring unit, for obtaining all DNS request packets passing through a DNS server;
an abnormal domain-name information detection unit, for detecting whether each DNS request packet contains abnormal domain-name information;
a preliminary abnormal DNS request packet marking unit, for marking DNS request packets containing the abnormal domain-name information as preliminary abnormal DNS request packets;
a same-period quantity comparing unit, for judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than a first preset ratio;
a covert data transmission phenomenon judging unit, for determining, when the ratio is greater than the first preset ratio, that the phenomenon of transmitting covert data through a DNS tunnel exists on the DNS server.
10. The detection system according to claim 9, characterised in that the abnormal domain-name information detection unit comprises:
an information-entropy calculation and detection sub-unit, for using a preset information-entropy algorithm to judge whether the domain-name part of each DNS request packet hides encrypted data to be transmitted.
11. The system according to claim 9, characterised in that the abnormal domain-name information detection unit comprises:
a domain-name malicious re-encoding detection sub-unit, for detecting whether the domain-name part of each DNS request packet has been maliciously re-encoded.
12. The system according to claim 9, characterised in that the abnormal domain-name information detection unit comprises:
a specific DNS request type detection sub-unit, for detecting whether the DNS request type initiated by each DNS request packet is TXT, MX or CNAME.
13. The system according to any one of claims 9 to 12, characterised by further comprising:
a destination IP address blacklist judging unit, for judging whether the destination IP address to which the DNS request packet points is in a blacklist.
14. The system according to claim 13, characterised in that the same-period quantity comparing unit comprises:
a 3-times quantity judging sub-unit, for judging whether the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing in the same period in history is greater than 3.
15. The system according to claim 13, characterised by further comprising:
a C&C communication phenomenon judging unit, for determining that the DNS server is carrying out C&C communication through a DNS tunnel when the ratio between the number of preliminary abnormal DNS request packets newly appearing in the current period and the upper limit of the number normally appearing is less than the first preset ratio but greater than a second preset ratio.
16. The system according to claim 15, characterised by further comprising:
a sender's domain name parsing unit, for parsing the sender's domain name corresponding to each DNS request packet;
a white list judging and processing unit, for judging whether the sender's domain name is in a white list and, if so, not performing subsequent detection on DNS request packets whose sender's domain name is in the white list.
17. A device for detecting the transmission of covert data through a DNS tunnel, characterised by comprising:
a memory, for storing a computer program;
a processor, for implementing, when executing the computer program, the steps of the method for detecting the transmission of covert data through a DNS tunnel according to any one of claims 1 to 8.
18. A computer-readable storage medium, characterised in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, implements the steps of the method for detecting the transmission of covert data through a DNS tunnel according to any one of claims 1 to 8.
CN201810615014.2A 2018-06-14 2018-06-14 Detection utilizes the method, system and device of DNS tunnel transmission secret data Pending CN108848201A (en)

Publications (1)

Publication Number Publication Date
CN108848201A true CN108848201A (en) 2018-11-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181120