CN109688165A - A method and apparatus for mining malicious domain names - Google Patents

Info

Publication number
CN109688165A
Application number
CN201910142386.2A
Authority
CN (China)
Other languages
Chinese (zh)
Inventor
崔寅
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Legal status
Pending

Classifications

    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories and standardised directory access protocols, using the domain name system [DNS]
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • H04L2463/146 Tracing the source of attacks


Abstract

The present application provides a method and an apparatus for mining malicious domain names. The method comprises: obtaining a first malicious domain name; obtaining first element information according to the first malicious domain name; obtaining at least one first domain name from a preset historical information set according to the first element information and a preset mining condition; judging whether the first domain name satisfies a preset audit rule; and, if so, determining that the first domain name is a second malicious domain name. The method detects unknown malicious domain names through the relationship between the domain name service provider, domain name registration time and update time associated with a domain name and those of a known malicious domain name, thereby improving network security.

Description

A method and apparatus for mining malicious domain names
Technical field
The present application relates to the field of network security, and in particular to a method for mining malicious domain names and a device for mining malicious domain names.
Background art
A domain name (Domain Name, also called a domain) is the name of a computer or group of computers on the Internet, written as a sequence of labels separated by dots, and is used to identify the electronic location of the computer when data is transmitted (sometimes also its geographical location; a geographical domain refers to a local region with administrative autonomy). It is an easily remembered address for a group of associated servers (website, e-mail, FTP, etc.). Domain names are named and addressed for various network environments and applications. For example, "www.baidu.com" is a domain name.
The domain name query system (Whois) is used to query information associated with a domain name on the Internet. Before May 25, 2018, a Whois query of a domain name could return the domain's service provider, registration time, expiration time and information about the registrant. After a domain name holder successfully registers with a service provider, the registration information such as the name used, contact address, phone and e-mail is stored in the domain name Whois information database, and anyone can query it publicly (unless the registrant uses a privacy protection service).
A malicious domain name is a domain name used to attack network devices on the Internet and cause damage. By attack method, malicious domain names are usually divided into phishing websites and malware websites.
A phishing website is a website that disguises itself as a legitimate entity such as a bank or an online store and attempts to trick users into entering their user name, password or other personal information on the website; such websites pose a certain threat to personal privacy and property security.
A malware website contains malicious code; by installing malware on the user's computer, a hacker uses that software to obtain and transmit the user's private or sensitive information. An example is a C&C server.
Command and control (Command and Control, abbreviated C&C or C2) in some cases refers to the C&C server, i.e. the controlling end. On the one hand, a C&C server can receive information actively transmitted by the Trojan on the controlled computer, learning secrets such as the system environment and available capabilities, and even the private information, of the compromised host; on the other hand, it can send control instructions to the compromised host, directing the Trojan there to execute predefined malicious actions that satisfy the controller's various needs. Each C&C server must correspond to a specific IP before it can be reached by the Trojan. Most Trojans use a domain name that points to the C&C server (after resolution, the domain name is converted to the server's specific IP address).
In the prior art, the C&C domain names that a Trojan calls back to are mostly applied for and maintained by the attacker, so the registration information of these domain names can be used to trace the attacker's proprietary information in reverse and associate further malicious domain names registered by the same attacker.
A common method of malicious domain name tracking uses reverse Whois lookups to find the registrant and registration e-mail address of a malicious domain name, and thereby discovers the controlling force behind the domain name. Although the registrant, registering organization and registration address in the domain name registration information may be false, the registration e-mail address must be genuine, because the attacker needs that mailbox to maintain the domain name; therefore the registration e-mail address has become the most important means of tracking malicious domain names.
On May 17, 2018, ICANN (the Internet Corporation for Assigned Names and Numbers) published the "Temporary Specification for gTLD Registration Data", requiring registries and service providers to make the necessary adjustments to the information publicly displayed by the Whois query service. This adjustment was ICANN's response to the European Union's General Data Protection Regulation (GDPR), which came into force on May 25, 2018.
As a result, from May 25, 2018 most domain name service providers no longer provide the name, e-mail, phone and street address of the registrant, administrative contact and technical contact, so the method of tracking malicious domain names through the registration e-mail address has largely failed as well.
Summary of the invention
The present application provides a method for mining malicious domain names and a device for mining malicious domain names, to solve the problem of tracking malicious domain names.
In order to solve the above technical problem, the embodiments of the present application provide the following technical solutions:
The present application provides a method for mining malicious domain names, comprising:
obtaining a first malicious domain name;
obtaining first element information according to the first malicious domain name;
obtaining at least one first domain name from a preset historical information set according to the first element information and a preset mining condition;
judging whether the first domain name satisfies a preset audit rule;
if so, determining that the first domain name is a second malicious domain name.
Preferably, the obtaining first element information according to the first malicious domain name comprises at least one of the following two acquisition modes:
querying the first malicious domain name through a domain name query system to obtain the first element information;
querying a preset historical information set according to the first malicious domain name to obtain the first element information.
Preferably, the obtaining at least one first domain name from the preset historical information set according to the first element information and the preset mining condition comprises:
obtaining a first mining condition according to the first element information and the preset mining condition;
obtaining, from the preset historical information set, at least one first domain name that satisfies the first mining condition.
Further, the first element information comprises: first malicious domain name service provider information, a first malicious domain name registration time, and an update time associated with the first malicious domain name;
the preset mining condition comprises: a preset domain name service provider condition, and a preset domain name registration time condition and/or a preset update time condition.
Further, the first mining condition comprises: the domain name service provider information is identical to the first malicious domain name service provider information, and the domain name registration time falls within a first registration time range and/or the update time falls within a first update time range; wherein the first registration time range is generated from the first malicious domain name registration time and the preset domain name registration time condition, and the first update time range is generated from the update time associated with the first malicious domain name and the preset update time condition.
Preferably, the preset audit rule comprises: a preset organization domain name rule, a preset audit IP address rule and/or a preset domain name access rule.
Further, the judging whether the first domain name satisfies the preset organization domain name rule comprises:
parsing the first domain name to obtain first parsed information;
matching the first parsed information with preset domain name audit data to obtain a similarity matching result;
judging whether the similarity matching result satisfies a preset domain name pass condition.
Preferably, the judging whether the IP address of the first domain name satisfies the preset audit IP address rule comprises:
parsing the first domain name to obtain first IP address parsed information;
matching the first IP address parsed information with the data in a preset IP address set to obtain a similarity matching result;
judging whether the similarity matching result satisfies a preset IP address pass condition.
Preferably, the judging whether the first domain name satisfies the preset domain name access rule comprises:
matching the access information of the first domain name with the access information of the first malicious domain name to obtain a similarity matching result;
judging whether the similarity matching result satisfies a preset domain name access pass condition.
The present application provides a device for mining malicious domain names, comprising:
a first malicious domain name obtaining unit, for obtaining a first malicious domain name;
a first element obtaining unit, for obtaining first element information according to the first malicious domain name;
a first domain name obtaining unit, for obtaining at least one first domain name from a preset historical information set according to the first element information and a preset mining condition;
a judging unit, for judging whether the first domain name satisfies a preset audit rule;
a second malicious domain name determining unit, for determining that the first domain name is a second malicious domain name if the output of the judging unit is "yes".
Based on the disclosure of the above embodiments, the embodiments of the present application have the following beneficial effects:
The present application provides a method and an apparatus for mining malicious domain names. The method comprises: obtaining a first malicious domain name; obtaining first element information according to the first malicious domain name; obtaining at least one first domain name from a preset historical information set according to the first element information and a preset mining condition; judging whether the first domain name satisfies a preset audit rule; and, if so, determining that the first domain name is a second malicious domain name. The method detects unknown malicious domain names through the relationship between the domain name service provider, domain name registration time and update time associated with a domain name and those of a known malicious domain name, thereby improving network security.
Detailed description of the invention
Fig. 1 is a flow chart of the method for mining malicious domain names provided by the embodiments of the present application;
Fig. 2 is a unit block diagram of the device for mining malicious domain names provided by the embodiments of the present application.
Specific embodiment
The present application is described in detail below in conjunction with the accompanying drawings and specific embodiments, which do not limit the present application.
It should be understood that various modifications may be made to the disclosed embodiments. Therefore, the above description should not be regarded as limiting, but only as an example of the embodiments. Those skilled in the art will conceive of other modifications within the scope and spirit of the present application.
The accompanying drawings, which are included in and form part of the specification, show embodiments of the present application and, together with the general description given above and the detailed description of the embodiments given below, serve to explain the principles of the present application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples with reference to the accompanying drawings.
It is also to be understood that, although the present application is described with reference to some specific examples, those skilled in the art can certainly realize many other equivalents of the present application which have the features set forth in the claims and therefore all fall within the scope of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more readily apparent from the following detailed description when read in conjunction with the accompanying drawings.
Specific embodiments of the present application are described below with reference to the accompanying drawings; it will be appreciated, however, that the disclosed embodiments are only examples of the present application, which may be implemented in various ways. Known and/or repeated functions and structures are not described in detail, so that unnecessary or redundant detail does not obscure the present application. Therefore, the specific structural and functional details disclosed herein are not intended to be limiting, but merely serve as a basis for the claims and as a representative basis for teaching those skilled in the art to employ the present application in substantially any appropriate detailed structure.
This specification may use the phrases "in one embodiment", "in another embodiment", "in yet another embodiment" or "in other embodiments", each of which may refer to one or more of the same or different embodiments according to the present application.
The present application provides a method for mining malicious domain names; the present application also provides a device for mining malicious domain names. These are described in detail one by one in the following embodiments.
The first embodiment provided by the present application is an embodiment of a method for mining malicious domain names.
The present embodiment is described in detail below with reference to Fig. 1, which is a flow chart of the method for mining malicious domain names provided by the embodiments of the present application.
Step S101: obtain a first malicious domain name.
A malicious domain name is a domain name used to attack network devices on the Internet and cause damage.
Obtaining the first malicious domain name means obtaining it from publicly disclosed information (for example, information published by media such as newspapers, periodicals, radio, television or the Internet).
Step S102: obtain first element information according to the first malicious domain name.
The first element information is the element information associated with the first malicious domain name.
Element information is information that can be obtained from the information of the first malicious domain name and is closely relevant to mining malicious domain names.
The obtaining first element information according to the first malicious domain name comprises at least one of the following two acquisition modes:
Mode one: query the first malicious domain name through a domain name query system to obtain the first element information;
Mode two: query a preset historical information set according to the first malicious domain name to obtain the first element information.
The domain name query system (Whois) is used to query information associated with a domain name on the Internet. However, on May 17, 2018 ICANN (the Internet Corporation for Assigned Names and Numbers) published the "Temporary Specification for gTLD Registration Data", requiring registries and service providers to make the necessary adjustments to the information publicly displayed by the Whois query service. Therefore, from May 25, 2018 most domain name service providers only provide limited information associated with a domain name, for example the domain name information, domain name service provider information, domain name registration time and the update time associated with the domain name.
Therefore, the first element information comprises: first malicious domain name service provider information, a first malicious domain name registration time, and an update time associated with the first malicious domain name.
The preset historical information set is a data set for storing historical Whois information associated with domain names worldwide, for example a database. The data in the data set can be updated regularly to guarantee its validity. Usually, the collection of global domain name Whois historical information is scheduled during periods of low network utilization; since these periods differ across the world, collection can be done in time slices. Querying the preset historical information set while it is offline greatly improves query efficiency and reduces network load.
The preset historical information set includes at least the following information: domain name information, domain name service provider information, domain name registration time and the update time associated with the domain name.
Step S103: obtain at least one first domain name from the preset historical information set according to the first element information and a preset mining condition.
The preset mining condition comprises: a preset domain name service provider condition, and a preset domain name registration time condition and/or a preset update time condition.
The obtaining at least one first domain name from the preset historical information set according to the first element information and the preset mining condition comprises:
Step S103-1: obtain a first mining condition according to the first element information and the preset mining condition.
Step S103-2: obtain, from the preset historical information set, at least one first domain name that satisfies the first mining condition.
The first mining condition is the condition, generated from the first element information and the preset mining condition, used to query the preset historical information set and obtain the first domain name. The first mining condition comprises: the domain name service provider information is identical to the first malicious domain name service provider information, and the domain name registration time falls within a first registration time range and/or the update time falls within a first update time range; wherein the first registration time range is generated from the first malicious domain name registration time and the preset domain name registration time condition, and the first update time range is generated from the update time associated with the first malicious domain name and the preset update time condition.
For example, suppose the given domain name is "www.sohu.cn", its service provider is "Name.com, Inc.", its registration time is February 18, 2010 at 14:00 and its change time is June 18, 2010 at 12:00. The preset mining condition comprises a preset domain name service provider condition, and a preset domain name registration time condition and/or a preset update time condition. The preset domain name service provider condition is that the domain name service provider information is identical to the service provider information of the given domain name. The preset domain name registration time condition limits the relationship between the queried registration time range and the registration time of the given domain name, for example: greater than or equal to the registration time of the given domain name minus 3 hours (i.e. February 18, 2010 at 11:00) and less than or equal to the registration time of the given domain name plus 3 hours (i.e. February 18, 2010 at 17:00). The preset update time condition limits the relationship between the queried update time range and the update time of the given domain name, for example: greater than or equal to the update time of the given domain name minus 3 hours (i.e. June 18, 2010 at 09:00) and less than or equal to the update time of the given domain name plus 3 hours (i.e. June 18, 2010 at 15:00). Therefore, when the given domain name is the first malicious domain name, the generated first mining condition is: the queried domain name service provider information is identical to the first malicious domain name service provider information, and the registration time is greater than or equal to the first malicious domain name registration time minus 3 hours and less than or equal to the first malicious domain name registration time plus 3 hours, and/or the update time is greater than or equal to the first malicious update time minus 3 hours and less than or equal to the first malicious update time plus 3 hours.
Step S104: judge whether the first domain name satisfies a preset audit rule.
The preset audit rule is a rule for further screening and identifying the obtained first domain name, so as to improve the validity of the first domain name. The preset audit rule comprises: a preset organization domain name rule, a preset audit IP address rule and/or a preset domain name access rule.
The preset organization domain name rule is a rule for auditing the name of the domain.
The judging whether the first domain name satisfies the preset organization domain name rule comprises:
Step S104-1: parse the first domain name to obtain first parsed information.
For example, if the first domain name is "www.sohu.com.cn", the first parsed information after parsing is "sohu.com.cn".
Step S104-2: match the first parsed information with preset domain name audit data to obtain a similarity matching result.
The preset domain name audit data can be stored in a data set, for example in a database.
For example, continuing the above example, the preset domain name audit data stored in the data set includes "sohu.com"; matching the first parsed information with the preset domain name audit data gives a similarity matching result with a likelihood of 72.73%.
Step S104-3: judge whether the similarity matching result satisfies a preset domain name pass condition.
For example, continuing the above example, the preset domain name pass condition is a likelihood of 60%.
The preset audit IP address rule is a rule for auditing the IP address of the domain name. For example, the audit rule may be that the IP address of the first domain name and the IP address of the first malicious domain name are in the same network segment.
The judging whether the IP address of the first domain name satisfies the preset audit IP address rule comprises:
Step S104-4: parse the first domain name to obtain first IP address parsed information.
For example, if the first IP address is "172.168.0.2", the first IP address parsed information is "172.168.0".
Step S104-5: match the first IP address parsed information with preset IP address audit data to obtain a similarity matching result.
The IP address audit data can be stored in a data set, for example in a database.
For example, continuing the above example, the IP address audit data stored in the data set includes "172.168.0"; matching the first IP address parsed information with the IP address audit data gives a similarity matching result with a likelihood of 100%.
Step S104-6: judge whether the similarity matching result satisfies a preset IP address pass condition.
For example, continuing the above example, the preset IP address pass condition is a likelihood of 100%.
Of course, on the basis of the above embodiments, those skilled in the art can set a variety of audit standards through simple logical substitution of the relationship between the first IP address parsed information of the first domain name and the IP address parsed information of the first malicious domain name; the present application is not limited in this respect.
The preset domain name access rule is a rule for auditing the IP addresses that access the first domain name. The judging whether the first domain name satisfies the preset domain name access rule comprises:
Step S104-7: match the access information of the first domain name with the access information of the first malicious domain name to obtain a similarity matching result.
The access information includes the IP address information of the accessing parties.
Step S104-8: judge whether the similarity matching result satisfies a preset domain name access pass condition.
For example, continuing the above example, the preset domain name access pass condition is a likelihood of 60%.
Step S105: if so, determine that the first domain name is a second malicious domain name.
If the first domain name satisfies the audit condition after the above audit, it can be determined that the first domain name is a second malicious domain name.
The method described in this embodiment detects unknown malicious domain names through the relationship between the domain name service provider, domain name registration time and update time associated with a domain name and those of a known malicious domain name, thereby improving network security.
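As an added worked example (not code from the patent or from the assignee), the following Python reproduces steps S103 to S105 on a constructed Whois history set: the registrar match and the 3-hour registration/update time windows of the first mining condition, followed by the organization domain name rule and the audit IP address rule with the 60% and 100% pass conditions. The similarity measure (longest common substring divided by the longer string's length) is an assumption chosen because it reproduces the 72.73% likelihood of "sohu.com.cn" against "sohu.com"; the domain name access rule is left out because the page gives no access data for it, and every record in HISTORY is constructed.

```python
"""Added example (not the patent's own code): steps S103 to S105 of
CN109688165A on a constructed Whois history set."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str        # domain name service provider information
    registered: datetime  # domain name registration time
    updated: datetime     # update time associated with the domain name
    ip: str               # resolved IP address, used by the audit stage only


# Constructed stand-in for the preset historical information set.
HISTORY = [
    WhoisRecord("www.sohu.cn", "Name.com, Inc.", datetime(2010, 2, 18, 14, 0),
                datetime(2010, 6, 18, 12, 0), "172.168.0.1"),
    WhoisRecord("www.sohu.com.cn", "Name.com, Inc.", datetime(2010, 2, 18, 15, 30),
                datetime(2010, 6, 18, 13, 0), "172.168.0.2"),
    WhoisRecord("www.example-shop.cn", "Name.com, Inc.", datetime(2010, 2, 18, 16, 0),
                datetime(2010, 6, 18, 14, 0), "10.9.8.7"),
    WhoisRecord("www.other.cn", "Other Registrar LLC", datetime(2010, 2, 18, 14, 5),
                datetime(2010, 6, 18, 12, 5), "172.168.0.3"),
    WhoisRecord("www.late.cn", "Name.com, Inc.", datetime(2010, 2, 19, 9, 0),
                datetime(2010, 6, 20, 12, 0), "172.168.0.4"),
]


def mine_candidates(seed, history, window=timedelta(hours=3), require_both=False):
    """Step S103: build the first mining condition from the seed's element
    information and the preset +/- window, and return the matching first
    domain names. require_both selects the 'and' variant of the claim's
    'and/or' between the registration time and update time conditions."""
    reg_lo, reg_hi = seed.registered - window, seed.registered + window
    upd_lo, upd_hi = seed.updated - window, seed.updated + window
    hits = []
    for rec in history:
        if rec.domain == seed.domain or rec.registrar != seed.registrar:
            continue  # preset domain name service provider condition
        in_reg = reg_lo <= rec.registered <= reg_hi
        in_upd = upd_lo <= rec.updated <= upd_hi
        if (in_reg and in_upd) if require_both else (in_reg or in_upd):
            hits.append(rec)
    return hits


def parse_domain(domain):
    """Step S104-1: 'www.sohu.com.cn' -> 'sohu.com.cn'."""
    return domain[4:] if domain.startswith("www.") else domain


def parse_ip(ip):
    """Step S104-4: '172.168.0.2' -> '172.168.0' (its network segment)."""
    return ".".join(ip.split(".")[:3])


def similarity(a, b):
    """Assumed likelihood measure: longest common substring divided by the
    longer string's length; 'sohu.com.cn' vs 'sohu.com' = 8/11 = 72.73%."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best / max(len(a), len(b)) if a and b else 0.0


def audit(rec, name_audit_data, ip_audit_data, name_pass=0.60, ip_pass=1.00):
    """Step S104: organization domain name rule (60% pass condition) and
    audit IP address rule (100% pass condition), each scored against the
    best matching entry of its audit data set."""
    name_score = max(similarity(parse_domain(rec.domain), n) for n in name_audit_data)
    ip_score = max(similarity(parse_ip(rec.ip), p) for p in ip_audit_data)
    return name_score >= name_pass and ip_score >= ip_pass


def find_second_malicious(seed, history, name_audit_data, ip_audit_data):
    """Steps S103 to S105 end to end: domains mined from the history set
    that then pass the audit are determined to be second malicious domains."""
    return [rec.domain for rec in mine_candidates(seed, history)
            if audit(rec, name_audit_data, ip_audit_data)]


if __name__ == "__main__":
    seed = HISTORY[0]  # treat www.sohu.cn as the first malicious domain name
    print(find_second_malicious(seed, HISTORY, ["sohu.com"], ["172.168.0"]))
```

Running the block mines "www.sohu.com.cn" and "www.example-shop.cn" as first domain names (same registrar, both inside the windows), and only "www.sohu.com.cn" survives the audit; "www.other.cn" is dropped by the registrar condition and "www.late.cn" by both time windows.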
Corresponding with first embodiment provided by the present application, present invention also provides second embodiment, i.e., a kind of excavation is disliked The device for domain name of anticipating.Since second embodiment is substantially similar to first embodiment, so describe fairly simple, relevant part Refer to the corresponding explanation of first embodiment.Installation practice described below is only schematical.
Fig. 2 shows a kind of embodiments for the device for excavating malice domain name provided by the present application.Fig. 2 is the embodiment of the present application The unit block diagram of the device of the excavation malice domain name of offer.
Shown in Figure 2, the present embodiment provides a kind of devices for excavating malice domain name, comprising: obtains the first malice domain Name unit 201, obtains first element unit 202, obtains the first domain name unit 203, and judging unit 204 generates the second malice domain Name unit 205;
The first malice domain name unit 201 is obtained, for obtaining the first malice domain name;
First element unit 202 is obtained, for according to the first malice domain Name acquisition first element information;
Obtain the first domain name unit 203, for according to the first element information and default excavation condition from default history Information, which is concentrated, obtains at least one first domain name;
Judging unit 204, for judging whether first domain name meets default auditing rule;
It determines the second malice domain name unit 205, if the output result for the judging unit is "Yes", then determines institute Stating the first domain name is the second malice domain name.
The first element information obtaining unit 202 includes at least one of the following two obtaining subunits:
a first subunit for obtaining first element information, used to query the first malicious domain name through a domain name query system to obtain the first element information;
a second subunit for obtaining first element information, used to query the preset historical information set for the first malicious domain name to obtain the first element information.
The first domain name obtaining unit 203 comprises:
a first mining condition obtaining subunit, used to obtain a first mining condition according to the first element information and the preset mining condition;
a first domain name obtaining subunit, used to obtain from the preset historical information set at least one first domain name that meets the first mining condition.
Preferably, the first element information comprises: registrar information of the first malicious domain name, the registration time of the first malicious domain name and an update time associated with the first malicious domain name;
the preset mining condition comprises: a preset registrar condition, and a preset domain name registration time condition and/or a preset update time condition.
Preferably, the first mining condition comprises: the registrar information is the same as the registrar information of the first malicious domain name, and the domain name registration time falls within a first registration time range and/or the update time falls within a first update time range; wherein the first registration time range is generated from the registration time of the first malicious domain name and the preset domain name registration time condition, and the first update time range is generated from the update time associated with the first malicious domain name and the preset update time condition.
Preferably, the preset audit rule comprises: a preset organization domain name rule, a preset audit IP address rule and/or a preset domain name access rule.
The judging unit 204 comprises:
a first resolution information obtaining subunit, used to resolve the first domain name to obtain first resolution information;
a first similarity matching result obtaining subunit, used to match the first resolution information against preset domain name audit data to obtain a similarity matching result;
a first judging subunit, used to judge whether the similarity matching result meets a preset domain name pass condition.
The judging unit 204 comprises:
an IP address resolution information obtaining subunit, used to resolve the first domain name to obtain first IP address resolution information;
a second similarity matching result obtaining subunit, used to match the first IP address resolution information against the data in a preset IP address set to obtain a similarity matching result;
a second judging subunit, used to judge whether the similarity matching result meets a preset IP address pass condition.
The judging unit 204 comprises:
a third similarity matching result obtaining subunit, used to match the access information of the first domain name against the access information of the first malicious domain name to obtain a similarity matching result;
a third judging subunit, used to judge whether the similarity matching result meets a preset domain name access pass condition.
The method described in this embodiment detects unknown malicious domain names through the relationship between a known malicious domain name and the domain name registrar, the domain name registration time and the update time associated with the domain name, thereby improving network security.
The above embodiments are only exemplary embodiments of this application and are not intended to limit this application; the scope of protection of this application is defined by the claims. Those skilled in the art can make various modifications or equivalent replacements to this application within the spirit and scope of protection of this application, and such modifications or equivalent replacements should also be regarded as falling within the scope of protection of this application.
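The mining-then-audit pipeline described above (same registrar, registration and update time windows generated from the known malicious domain, then the three similarity-based audit rules) as an added example; this is not code from the patent or its assignee. The historical information set, the organization audit data, the preset IP address set and the similarity thresholds are all constructed here, and treating each rule as "pass when the score is on the right side of a threshold" is this example's own reading of the "pass condition".

```python
from datetime import date

# Constructed "preset historical information set": one WHOIS/DNS-style record per domain.
# Field names are this example's own; "ns", "ips" and "clients" stand in for the patent's
# resolution information, IP address resolution information and access information.
HISTORY = {
    "seed-bad.example": {"registrar": "R1", "registered": date(2019, 1, 10), "updated": date(2019, 2, 1),
                         "ns": {"ns1.dyn.example"}, "ips": {"203.0.113.5"}, "clients": {"c1", "c2", "c3"}},
    "twin.example": {"registrar": "R1", "registered": date(2019, 1, 12), "updated": date(2019, 2, 2),
                     "ns": {"ns1.dyn.example"}, "ips": {"203.0.113.5", "203.0.113.9"}, "clients": {"c1", "c2", "c9"}},
    "legit-corp.example": {"registrar": "R1", "registered": date(2019, 1, 11), "updated": date(2019, 2, 1),
                           "ns": {"ns1.legit-corp.example"}, "ips": {"198.51.100.7"}, "clients": {"c7"}},
    "other.example": {"registrar": "R2", "registered": date(2019, 1, 12), "updated": date(2019, 2, 2),
                      "ns": {"ns1.dyn.example"}, "ips": {"203.0.113.5"}, "clients": {"c1", "c2"}},
}
# Constructed audit data: name servers of known legitimate organizations (organization domain
# name rule) and a preset IP address set (audit IP address rule).
ORG_AUDIT_DATA = {"ns1.legit-corp.example", "ns2.legit-corp.example"}
PRESET_IPS = {"203.0.113.5"}


def element_info(domain):
    """First element information (registrar, registration time, update time) looked up in
    the historical set, i.e. the second obtaining mode of claim 2."""
    r = HISTORY[domain]
    return r["registrar"], r["registered"], r["updated"]


def mine_candidates(seed, reg_days=None, upd_days=None):
    """First domain names: same registrar as the seed, and registration and/or update time
    inside a window generated from the seed's own times (claim 5). None = sub-condition off."""
    registrar, reg, upd = element_info(seed)
    def in_window(t, centre, days):
        return days is None or abs((t - centre).days) <= days
    return sorted(d for d, r in HISTORY.items() if d != seed and r["registrar"] == registrar
                  and in_window(r["registered"], reg, reg_days) and in_window(r["updated"], upd, upd_days))


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def audit(domain, seed, org_max=0.5, ip_min=0.5, access_min=0.5):
    """Preset audit rule (claims 7-9) as three similarity checks; the thresholds are this
    example's assumptions. Returns (passed, per-rule similarity scores)."""
    r, s = HISTORY[domain], HISTORY[seed]
    org_sim = len(r["ns"] & ORG_AUDIT_DATA) / len(r["ns"])   # looks like a known organization?
    ip_sim = len(r["ips"] & PRESET_IPS) / len(r["ips"])       # shares the preset audit IPs?
    access_sim = jaccard(r["clients"], s["clients"])          # same visitors as the seed?
    passed = org_sim <= org_max and ip_sim >= ip_min and access_sim >= access_min
    return passed, {"org": org_sim, "ip": ip_sim, "access": access_sim}


def mine_malicious(seed, reg_days=7, upd_days=7):
    """Second malicious domain names: mined candidates that pass the audit."""
    return [d for d in mine_candidates(seed, reg_days, upd_days) if audit(d, seed)[0]]


if __name__ == "__main__":
    print(mine_malicious("seed-bad.example"))   # ['twin.example']
```

The audit is what keeps legit-corp.example out: it shares registrar and time window with the seed, but its name servers match the organization audit data.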

Claims (10)

1. A method for mining malicious domain names, characterized by comprising:
obtaining a first malicious domain name;
obtaining first element information according to the first malicious domain name;
obtaining at least one first domain name from a preset historical information set according to the first element information and a preset mining condition;
judging whether the first domain name meets a preset audit rule;
if so, determining that the first domain name is a second malicious domain name.
2. The method according to claim 1, characterized in that obtaining the first element information according to the first malicious domain name comprises at least one of the following two obtaining modes:
querying the first malicious domain name through a domain name query system to obtain the first element information;
querying the preset historical information set for the first malicious domain name to obtain the first element information.
3. The method according to claim 1, characterized in that obtaining at least one first domain name from the preset historical information set according to the first element information and the preset mining condition comprises:
obtaining a first mining condition according to the first element information and the preset mining condition;
obtaining from the preset historical information set at least one first domain name that meets the first mining condition.
4. The method according to claim 3, characterized in that the first element information comprises: registrar information of the first malicious domain name, the registration time of the first malicious domain name and an update time associated with the first malicious domain name;
the preset mining condition comprises: a preset registrar condition, and a preset domain name registration time condition and/or a preset update time condition.
5. The method according to claim 4, characterized in that the first mining condition comprises: the registrar information is the same as the registrar information of the first malicious domain name, and the domain name registration time falls within a first registration time range and/or the update time falls within a first update time range; wherein the first registration time range is generated from the registration time of the first malicious domain name and the preset domain name registration time condition, and the first update time range is generated from the update time associated with the first malicious domain name and the preset update time condition.
6. The method according to claim 1, characterized in that the preset audit rule comprises: a preset organization domain name rule, a preset audit IP address rule and/or a preset domain name access rule.
7. The method according to claim 6, characterized in that judging whether the first domain name meets the preset organization domain name rule comprises:
resolving the first domain name to obtain first resolution information;
matching the first resolution information against preset domain name audit data to obtain a similarity matching result;
judging whether the similarity matching result meets a preset domain name pass condition.
8. The method according to claim 6, characterized in that judging whether the IP address of the first domain name meets the preset audit IP address rule comprises:
resolving the first domain name to obtain first IP address resolution information;
matching the first IP address resolution information against the data in a preset IP address set to obtain a similarity matching result;
judging whether the similarity matching result meets a preset IP address pass condition.
9. The method according to claim 6, characterized in that judging whether the first domain name meets the preset domain name access rule comprises:
matching the access information of the first domain name against the access information of the first malicious domain name to obtain a similarity matching result;
judging whether the similarity matching result meets a preset domain name access pass condition.
10. A device for mining malicious domain names, characterized by comprising:
a first malicious domain name obtaining unit, used to obtain a first malicious domain name;
a first element information obtaining unit, used to obtain first element information according to the first malicious domain name;
a first domain name obtaining unit, used to obtain at least one first domain name from a preset historical information set according to the first element information and a preset mining condition;
a judging unit, used to judge whether the first domain name meets a preset audit rule;
a second malicious domain name determining unit, used to determine that the first domain name is a second malicious domain name if the output result of the judging unit is "yes".
CN201910142386.2A 2019-02-26 2019-02-26 A kind of method and apparatus for excavating malice domain name Pending CN109688165A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910142386.2A CN109688165A (en) 2019-02-26 2019-02-26 A kind of method and apparatus for excavating malice domain name

Publications (1)

Publication Number Publication Date
CN109688165A true CN109688165A (en) 2019-04-26

Family

ID=66197173

Country Status (1)

Country Link
CN (1) CN109688165A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111881186A (en) * 2020-07-30 2020-11-03 北京微步在线科技有限公司 Domain name association relation judgment method and device
CN113691540A (en) * 2021-08-25 2021-11-23 杭州安恒信息技术股份有限公司 Abnormal domain name detection method, system and related components
CN113779389A (en) * 2021-08-26 2021-12-10 杭州安恒信息技术股份有限公司 Illegal website identification method and device, electronic device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8239668B1 (en) * 2009-04-15 2012-08-07 Trend Micro Incorporated Computer security threat data collection and aggregation with user privacy protection
US20130268675A1 (en) * 2012-04-05 2013-10-10 Institute For Information Industry Method and System for Tracing Domain Names and Computer Readable Storage Medium Storing the Method
CN104994117A (en) * 2015-08-07 2015-10-21 国家计算机网络与信息安全管理中心江苏分中心 Malicious domain name detection method and system based on DNS (Domain Name Server) resolution data
CN105072120A (en) * 2015-08-14 2015-11-18 中国传媒大学 Method and device for malicious domain name detection based on domain name service state analysis
CN108111526A (en) * 2017-12-29 2018-06-01 哈尔滨工业大学(威海) A kind of illegal website method for digging based on abnormal WHOIS information
CN108306901A (en) * 2018-05-11 2018-07-20 国家计算机网络与信息安全管理中心 The method for obtaining domain name WHOWAS log-on messages
CN108600249A (en) * 2018-05-04 2018-09-28 哈尔滨工业大学(威海) The method that illegal domain name registration clique excavates is carried out based on multidimensional related information

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Cheng Yanan: "Design and Implementation of a Malicious Domain Name Mining and Analysis System", China Master's Theses Full-text Database *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190426