CN109862129A - DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium - Google Patents

DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium

Info

Publication number
CN109862129A
Authority
CN
China
Prior art keywords
data
residual error
current
dns
error data
Prior art date
Legal status
Pending
Application number
CN201811600351.0A
Other languages
Chinese (zh)
Inventor
张恒
张鹏
孙才
Current Assignee
China Internet Network Information Center
Original Assignee
China Internet Network Information Center
Priority date
Filing date
Publication date
Application filed by China Internet Network Information Center
Priority to CN201811600351.0A
Publication of CN109862129A
Legal status: Pending

Abstract

The present invention provides a DNS traffic anomaly detection method, apparatus, electronic equipment and storage medium. The method comprises: obtaining historical data and current data of DNS traffic; obtaining residual data from the historical data and current data of the DNS traffic, the residual data comprising the residual data of the historical data and the residual data of the current data; and detecting, from the residual data of the historical data and the residual data of the current data, whether the current DNS traffic is anomalous. The DNS traffic anomaly detection method provided by the invention can discover anomalies in the DNS service in time, so that DNS service operations staff can adjust the external service of the DNS server promptly and eliminate the influence of anomalous DNS traffic.

Description

DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium
Technical field
The present invention relates to the field of computer technology, and in particular to a DNS traffic anomaly detection method, apparatus, electronic equipment and storage medium.
Background technique
In computer network communication, a host must know the IP address of its correspondent node before it can communicate with it over the IP network. A 32-bit IPv4 address (128 bits for IPv6), however, is not easy for the participants in a communication to remember. More intuitive domain names (such as www.google.com.hk) have therefore been widely adopted to solve the problem that IP addresses are hard to remember. Network communication nevertheless operates on the IP protocol, and the host to be accessed cannot be located directly by its domain name. The host therefore needs to convert the domain name entered by the user into an IP address; this process is called domain name resolution.
Domain name resolution requires the cooperation of the Domain Name System (DNS), a distributed database for TCP/IP applications that provides the conversion between domain names and IP addresses. With the domain name system, the user of an application can directly use a memorable and meaningful domain name, and a DNS server in the network resolves the domain name to the correct IP address, which is then returned to the user. A name server is a server that stores the domain names of all hosts in its network together with their corresponding IP addresses and that has the function of converting domain names into IP addresses. Domain name resolution refers to the process in which an application process that needs a host name resolved to an IP address becomes a client of the domain name system, places the domain name to be resolved in a DNS request message and sends it to a name server; the name server looks up the domain name, places the corresponding IP address in a reply message and returns it to the client application process. The DNS recursive server is an important device in the DNS resolution system: it answers the DNS queries initiated by end users according to the domain name and address information in its cache.
At present, the attack patterns against DNS systems are mainly the following:
The first attack pattern is the volumetric denial-of-service attack, for example a User Datagram Protocol (UDP) flood, a Transmission Control Protocol (TCP) flood, a DNS request flood or a ping flood. Attacks of this kind are characterised by consuming the resources of the DNS server so that it cannot respond to normal DNS resolution requests in time; the resources consumed include the server's CPU, network resources and the like.
The second attack pattern is the abnormal-request attack, for example over-long domain name requests or malformed domain name requests. Attacks of this kind exploit vulnerabilities in the DNS server by crafting specific request messages so that the DNS server software behaves abnormally and exits, or crashes and cannot be restarted, with the aim of disrupting the normal operation of the DNS server.
The third attack pattern is DNS hijacking, for example DNS cache "poisoning", tampering with the content of an authoritative zone, or hijacking an authoritative zone by ARP spoofing. Attacks of this kind directly tamper with resolution records, or tamper with or pre-empt responses while resolution records are in transit, with the aim of influencing the resolution result.
The fourth attack pattern is an attacker using DNS as an attack tool. For example, an attacker controls a botnet to send domain name resolution requests whose source IP address is forged as that of the victim host; after the DNS servers resolve the large number of requests by recursive query, the responses are sent to the victim rather than to the attacker, and the large number of response packets returned from different DNS servers constitutes a distributed denial-of-service (DDoS) attack.
When any of the above four kinds of attack occurs, it usually manifests as a DNS traffic anomaly. Detecting DNS traffic anomalies therefore makes it possible to discover a DNS attack in time, take effective measures and minimise the loss.
Summary of the invention
In view of the problems in the prior art, the present invention provides a DNS traffic anomaly detection method, apparatus, electronic equipment and storage medium.
Specifically, the present invention provides the following technical solutions:
In a first aspect, the present invention provides a DNS traffic anomaly detection method, comprising:
obtaining historical data and current data of DNS traffic;
obtaining residual data from the historical data and current data of the DNS traffic, the residual data comprising the residual data of the historical data and the residual data of the current data; and
detecting, from the residual data of the historical data and the residual data of the current data, whether the current DNS traffic is anomalous.
Further, detecting from the residual data of the historical data and the residual data of the current data whether the current DNS traffic is anomalous comprises:
determining, from the residual data of the historical data, a distribution model matching the residual data of the historical data, and detecting whether the current DNS traffic is anomalous according to the residual data of the current data and the outlier criterion of the distribution model.
Further, the distribution model is a Gaussian distribution;
correspondingly, detecting whether the current DNS traffic is anomalous according to the residual data of the current data and the outlier criterion of the distribution model comprises:
judging whether the residual data of the current data meets the outlier criterion of the Gaussian distribution and, if so, determining that the current DNS traffic is anomalous.
Further, the outlier criterion of the Gaussian distribution is μ + 4σ, where μ denotes the mean of the Gaussian distribution and σ denotes the standard deviation of the Gaussian distribution;
correspondingly, judging whether the residual data of the current data meets the outlier criterion of the Gaussian distribution comprises:
judging whether the residual data of the current data is greater than μ + 4σ and, if so, determining that the current DNS traffic is anomalous.
Further, obtaining residual data from the historical data and current data of the DNS traffic comprises:
performing time series decomposition on the historical data and current data of the DNS traffic with a preset decomposition algorithm to obtain trend data, seasonal data and residual data; the trend data, seasonal data and residual data comprise the trend data, seasonal data and residual data of the historical data and the trend data, seasonal data and residual data of the current data.
In a second aspect, the present invention also provides a DNS traffic anomaly detection apparatus, comprising:
a first obtaining module for obtaining historical data and current data of DNS traffic;
a second obtaining module for obtaining residual data from the historical data and current data of the DNS traffic, the residual data comprising the residual data of the historical data and the residual data of the current data; and
an anomaly detection module for detecting, from the residual data of the historical data and the residual data of the current data, whether the current DNS traffic is anomalous.
Further, the anomaly detection module is specifically used for:
determining, from the residual data of the historical data, a distribution model matching the residual data of the historical data, and detecting whether the current DNS traffic is anomalous according to the residual data of the current data and the outlier criterion of the distribution model.
Further, the distribution model is a Gaussian distribution;
correspondingly, when detecting whether the current DNS traffic is anomalous according to the residual data of the current data and the outlier criterion of the distribution model, the anomaly detection module is specifically used for:
judging whether the residual data of the current data meets the outlier criterion of the Gaussian distribution and, if so, determining that the current DNS traffic is anomalous.
In a third aspect, the present invention also provides electronic equipment comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the DNS traffic anomaly detection method of the first aspect when executing the program.
In a fourth aspect, the present invention also provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the DNS traffic anomaly detection method of the first aspect when executed by a processor.
As can be seen from the above technical solution, the DNS traffic anomaly detection method provided by the invention first obtains the historical data and current data of DNS traffic; then obtains residual data from the historical data and current data of the DNS traffic, the residual data comprising the residual data of the historical data and the residual data of the current data; and finally detects, from the residual data of the historical data and the residual data of the current data, whether the current DNS traffic is anomalous. The method thus detects whether the current DNS traffic is anomalous from the residual data of the historical data and of the current data, so that anomalies in the DNS service can be discovered in time and DNS service operations staff can adjust the external service of the DNS server promptly to eliminate the influence of anomalous DNS traffic. It should be noted that, because the invention detects whether the current DNS traffic is anomalous from the residual data of the historical data and the residual data of the current data, the detection process is not influenced by anomalous historical data and its stability is good. More importantly, because the invention uses the residual data of the historical data and of the current data to detect whether the current DNS traffic is anomalous, the detection actually belongs to the unsupervised-learning class of anomaly detection: it needs no manual intervention or pre-training, can therefore adapt online to traffic changes caused by changes in the DNS business, and is fast, so that anomalies in the DNS service can be discovered in time.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of the DNS traffic anomaly detection method provided by one embodiment of the invention;
Fig. 2 is a schematic diagram of the trend factor data, seasonal factor data and residual factor data obtained after time series decomposition of DNS traffic data, provided by one embodiment of the invention;
Fig. 3 is a diagram of the physical carrier implementing the DNS traffic anomaly detection method provided by one embodiment of the invention;
Fig. 4 is a structural schematic diagram of the DNS traffic anomaly detection apparatus provided by another embodiment of the invention;
Fig. 5 is a structural schematic diagram of the electronic equipment provided by a further embodiment of the invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In order to discover anomalies in the DNS service in time, so that DNS service operations staff can adjust the external service of the DNS server promptly and eliminate the influence of anomalous DNS traffic, the present invention provides a DNS traffic anomaly detection method, apparatus, electronic equipment and storage medium. The content provided by the invention is explained in detail below by way of specific embodiments.
Fig. 1 shows the flow chart of the DNS traffic anomaly detection method provided by one embodiment of the invention. As shown in Fig. 1, the DNS traffic anomaly detection method provided by this embodiment of the invention comprises the following steps:
Step 101: obtaining historical data and current data of DNS traffic.
In this step, DNS traffic can be counted per minute to obtain the historical traffic data and current traffic data of DNS access. The historical data of DNS traffic can be the data collected at a frequency of once per minute over the most recent one or two months, and the current data of DNS traffic is the data collected at the current time at the same per-minute frequency. The collection period of the historical data can be adjusted as needed, provided that the historical data obtained is able to reflect the complete pattern of DNS traffic over a recent period; for example, historical data covering at least 2-3 cycles should be collected. The collection period of the current data can be 1 minute, 2 minutes or another length of time. For example, if the collection period of the current data is 2 minutes, the current DNS traffic is judged once every 2 minutes.
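The following is an added example of Step 101 (not code from the patent): it counts DNS queries per minute from a few constructed resolver-style log lines and splits the resulting series into the historical window and the current window. The log format, the sample lines and the function names are assumptions of this example. The point a practitioner should take from it is that a minute in which no query was logged must be emitted as 0 rather than skipped, otherwise the series loses its fixed one-minute sampling interval and a total outage looks like "no data" instead of an anomaly.

```python
"""Step 101 of the page as an added example: per-minute DNS query counts
from constructed log lines, split into history and current windows."""
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed resolver-style query log (not captured from any real server):
# "<ISO timestamp> <client> <qname> <qtype>", one query per line.
LOG_LINES = [
    "2019-01-01T08:00:03 192.0.2.10 example.com A",
    "2019-01-01T08:00:41 192.0.2.11 example.net AAAA",
    "2019-01-01T08:00:59 192.0.2.10 example.org A",
    "2019-01-01T08:01:10 192.0.2.12 example.com MX",
    # no queries at all during 08:02 (simulated gap)
    "2019-01-01T08:03:05 192.0.2.13 example.com A",
    "2019-01-01T08:03:06 192.0.2.13 example.com A",
    "2019-01-01T08:03:50 192.0.2.14 example.net A",
    "2019-01-01T08:03:58 192.0.2.10 example.org TXT",
]


def per_minute_counts(lines: List[str]) -> List[Tuple[datetime, int]]:
    """Count queries per minute between the first and last logged minute.

    Minutes without any query are emitted with a count of 0 rather than
    skipped, so the series keeps its fixed sampling interval."""
    stamps = []
    for line in lines:
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        stamps.append(ts.replace(second=0, microsecond=0))
    if not stamps:
        return []
    counts = {}
    for ts in stamps:
        counts[ts] = counts.get(ts, 0) + 1
    series = []
    minute, last = min(stamps), max(stamps)
    while minute <= last:
        series.append((minute, counts.get(minute, 0)))
        minute += timedelta(minutes=1)
    return series


def split_windows(series: List[Tuple[datetime, int]],
                  current_minutes: int = 2) -> Tuple[List[int], List[int]]:
    """History = all samples before the current window; current window = the
    last `current_minutes` samples (the page uses 1 or 2 minutes)."""
    if current_minutes < 1 or current_minutes >= len(series):
        raise ValueError("current window must leave at least one historical sample")
    values = [count for _, count in series]
    return values[:-current_minutes], values[-current_minutes:]


if __name__ == "__main__":
    for minute, count in per_minute_counts(LOG_LINES):
        print(minute.isoformat(), count)
    print(split_windows(per_minute_counts(LOG_LINES)))
```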
Step 102: obtaining residual data from the historical data and current data of the DNS traffic, the residual data comprising the residual data of the historical data and the residual data of the current data.
In this step, the residual data of the historical data refers to the residual data obtained from the historical data and current data of DNS traffic, and the residual data of the current data refers to the residual data obtained from the current data of DNS traffic. In this step, residual data refers to the data reflecting the influence of random factors on DNS traffic.
When obtaining the residual data in this step, common data processing algorithms can be used; for example, the historical data and current data of DNS traffic can be processed with an additive time series decomposition model to obtain the residual data. Other data processing algorithms can of course be used as needed; the present invention does not limit this.
Step 103: detecting, from the residual data of the historical data and the residual data of the current data, whether the current DNS traffic is anomalous.
In this step, because whether the current DNS traffic is anomalous is detected from the residual data of the historical data and the residual data of the current data, the detection process is not influenced by anomalous historical data and its stability is good. More importantly, because this step uses the residual data of the historical data and of the current data to detect whether the current DNS traffic is anomalous, the detection actually belongs to the unsupervised-learning class of anomaly detection: it needs no manual intervention or pre-training, can therefore adapt online to traffic changes caused by changes in the DNS business, and is fast, so that anomalies in the DNS service can be discovered in time and DNS service operations staff can adjust the external service of the DNS server promptly to eliminate the influence of anomalous DNS traffic.
As can be seen from the above technical solution, the DNS traffic anomaly detection method provided by this embodiment first obtains the historical data and current data of DNS traffic; then obtains residual data from the historical data and current data of the DNS traffic, the residual data comprising the residual data of the historical data and the residual data of the current data; and finally detects, from the residual data of the historical data and the residual data of the current data, whether the current DNS traffic is anomalous. The method thus detects whether the current DNS traffic is anomalous from the residual data of the historical data and of the current data, so that anomalies in the DNS service can be discovered in time and DNS service operations staff can adjust the external service of the DNS server promptly to eliminate the influence of anomalous DNS traffic. It should be noted that, because this embodiment detects whether the current DNS traffic is anomalous from the residual data of the historical data and the residual data of the current data, the detection process is not influenced by anomalous historical data and its stability is good. More importantly, because this embodiment uses the residual data of the historical data and of the current data to detect whether the current DNS traffic is anomalous, the detection actually belongs to the unsupervised-learning class of anomaly detection: it needs no manual intervention or pre-training, can therefore adapt online to traffic changes caused by changes in the DNS business, and is fast, so that anomalies in the DNS service can be discovered in time.
Based on the content of the above embodiment, in an optional embodiment, step 103 above can be implemented as follows:
determining, from the residual data of the historical data, a distribution model matching the residual data of the historical data, and detecting whether the current DNS traffic is anomalous according to the residual data of the current data and the outlier criterion of the distribution model.
In the present embodiment, the distribution model is determined from the residual data of the historical data, and whether the current DNS traffic is anomalous is then judged from the residual data of the current data and the outlier criterion of the distribution model. For example, if analysis of the residual data of the historical data shows that its distribution follows a Gaussian distribution model, then when judging whether the current DNS traffic is anomalous, the residual data of the current data can be compared with the outlier criterion of the Gaussian distribution model to judge whether the current data is anomalous.
Based on the content of the above embodiment, in an optional embodiment, the distribution model is a Gaussian distribution;
correspondingly, detecting whether the current DNS traffic is anomalous according to the residual data of the current data and the outlier criterion of the distribution model comprises:
judging whether the residual data of the current data meets the outlier criterion of the Gaussian distribution and, if so, determining that the current DNS traffic is anomalous.
Based on the content of the above embodiment, in an optional embodiment, the outlier criterion of the Gaussian distribution is μ + 4σ, where μ denotes the mean of the Gaussian distribution and σ denotes the standard deviation of the Gaussian distribution;
correspondingly, judging whether the residual data of the current data meets the outlier criterion of the Gaussian distribution comprises:
judging whether the residual data of the current data is greater than μ + 4σ and, if so, determining that the current DNS traffic is anomalous.
Based on the content of the above embodiment, in an optional embodiment, step 102 above can be implemented as follows:
performing time series decomposition on the historical data and current data of the DNS traffic with a preset decomposition algorithm to obtain trend data, seasonal data and residual data; the trend data, seasonal data and residual data comprise the trend data, seasonal data and residual data of the historical data and the trend data, seasonal data and residual data of the current data.
In the present embodiment, a preset decomposition algorithm such as the additive time series decomposition model can be used to perform time series decomposition on the historical data and current data of DNS traffic. As shown in Fig. 2, the DNS traffic data is decomposed into 3 parts: trend factor data, seasonal factor data and residual factor data. When the additive time series decomposition model is used, the decomposition formula is Qt = TCt + St + It, where Qt is the original DNS traffic statistic, TCt is the trend factor data, St is the seasonal factor data and It is the residual factor data.
A further detailed description of the DNS traffic anomaly detection method of this embodiment is given below with reference to Fig. 3 and a specific example. Fig. 3 shows a complete DNS traffic anomaly detection system; the DNS traffic analyzer in it is the physical implementation carrier of the DNS traffic anomaly detection method of this embodiment. As shown in Fig. 3, the DNS traffic analyzer is deployed beside the router and connected to it. The DNS traffic analyzer analyses DNS traffic by counting the DNS traffic per minute; it then extracts the per-minute statistics of the historical DNS traffic data and of the current time, performs time series decomposition, obtains the residual factor data set of the time series, calculates the mean and standard deviation of the residual factor data set, and judges the relationship between the residual factor data of the current time data and the mean and standard deviation obtained above. If the residual factor data of the current time data is greater than the mean obtained above plus 4 times the standard deviation, the current DNS traffic is considered anomalous.
For example, the historical DNS traffic data and current traffic data collected in one test are as follows: [721064, 673281, 627559, 574970, 640955, 696712, 713148, 637213, 613145, 649408, 790291, 844250, 928218, 1009852, 1156153, 1154271, 1172230, 1409376, 1468183, 768111, …, 302573, 315633, 317465, 343284, 333349, 349530, 418243, 412894, 406421, 354891, 393011, 325776, 311318, 348228, 336205, 358029, 367939, 359351, 394292, 1357068].
Fig. 2 shows the result of performing time series decomposition on the above DNS traffic data, where "Observed" is the original traffic data, "Trend" is the trend factor data, "Seasonal" is the seasonal factor data and "Residual" is the residual factor data. By calculation, the mean of the residual data of the historical data is -12728 and the standard deviation is 170822; the residual data of the current data is 717609, which is judged to be greater than the above mean plus 4 times the standard deviation, so the current DNS traffic is judged to be anomalous.
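The following is an added example (not the patent's own code) that carries Steps 102 and 103 and the Fig. 2/Fig. 3 procedure through in working code: an additive decomposition Qt = TCt + St + It of a per-minute series, followed by the μ + 4σ test on the residual of the current observation. The page leaves the decomposition algorithm open ("a preset decomposition algorithm"), so two choices here are assumptions of this example: the trend is a trailing moving average of one period (so that the newest observation also receives a trend value and therefore a residual), and the seasonal phase means are fitted on the historical window only, so that an anomalous current value cannot distort its own baseline. The series is constructed (linear trend, a six-sample seasonal pattern and bounded deterministic noise); the period, the function names and the Verdict fields are likewise assumptions.

```python
"""Additive decomposition Q_t = TC_t + S_t + I_t with a mu + 4*sigma residual
test. Added example for the page's Steps 102-103; not the patent's code."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Sequence


@dataclass
class Verdict:
    mu: float                     # mean of the historical residuals
    sigma: float                  # standard deviation of the historical residuals
    threshold: float              # mu + k*sigma (k = 4 on the page)
    current_residuals: List[float]
    anomalous: bool               # any current residual above the threshold


def trailing_trend(series: Sequence[float], period: int) -> List[Optional[float]]:
    """Trend TC_t as a trailing moving average over one full period (assumption
    of this example: a trailing window gives the newest sample a trend value)."""
    trend: List[Optional[float]] = [None] * len(series)
    for t in range(period - 1, len(series)):
        trend[t] = sum(series[t - period + 1:t + 1]) / period
    return trend


def fit_seasonal(series: Sequence[float], trend: Sequence[Optional[float]],
                 period: int) -> List[float]:
    """Seasonal factor S for each phase t mod period: the mean detrended value
    of that phase. Called on the history only, so the current sample never
    contributes to its own baseline."""
    buckets: List[List[float]] = [[] for _ in range(period)]
    for t, (q, tc) in enumerate(zip(series, trend)):
        if tc is not None:
            buckets[t % period].append(q - tc)
    return [mean(b) if b else 0.0 for b in buckets]


def residuals(series: Sequence[float], trend: Sequence[Optional[float]],
              phase_means: Sequence[float], period: int) -> List[Optional[float]]:
    """Residual factor I_t = Q_t - TC_t - S_t (None where no trend exists)."""
    return [None if tc is None else q - tc - phase_means[t % period]
            for t, (q, tc) in enumerate(zip(series, trend))]


def detect(history: Sequence[float], current: Sequence[float],
           period: int, k: float = 4.0) -> Verdict:
    """Decompose history + current, model the historical residuals as Gaussian
    and flag the current traffic if a current residual exceeds mu + k*sigma."""
    full = list(history) + list(current)
    n_hist = len(history)
    trend = trailing_trend(full, period)
    phase_means = fit_seasonal(full[:n_hist], trend[:n_hist], period)
    resid = residuals(full, trend, phase_means, period)
    hist_res = [r for r in resid[:n_hist] if r is not None]
    cur_res = [r for r in resid[n_hist:] if r is not None]
    mu, sigma = mean(hist_res), pstdev(hist_res)
    threshold = mu + k * sigma
    return Verdict(mu, sigma, threshold, cur_res, any(r > threshold for r in cur_res))


# Constructed input (not measured data): period-6 seasonal pattern, a linear
# trend of +5 per sample and a bounded deterministic noise term of period 5.
PERIOD = 6
SEASON = [0, 150, 300, 150, 0, -100]


def constructed_series(n: int) -> List[float]:
    return [1000 + 5 * t + SEASON[t % PERIOD] + 10 * ((t % 5) - 2) for t in range(n)]


def run_example(spike: float = 0.0) -> Verdict:
    """35 historical samples; the 36th is the current sample, optionally
    inflated by `spike` to simulate a sudden burst of queries."""
    series = constructed_series(36)
    return detect(series[:35], [series[35] + spike], PERIOD)


if __name__ == "__main__":
    for label, spike in (("normal", 0.0), ("spike", 3000.0)):
        v = run_example(spike)
        print(f"{label}: mu={v.mu:.2f} sigma={v.sigma:.2f} "
              f"threshold={v.threshold:.2f} current={v.current_residuals[0]:.2f} "
              f"anomalous={v.anomalous}")
```

With the page's own figures the same test reads μ + 4σ = -12728 + 4 × 170822 = 670560, and the current residual 717609 exceeds it. Note that the test is one-sided, as on the page: a sudden collapse of query volume produces a large negative residual and is not flagged by "greater than μ + 4σ"; an operator who also wants to catch outages would compare against μ - 4σ as well.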
It should be noted that the DNS traffic referred to in this embodiment can be DNS query traffic or DNS response traffic.
As can be seen from the above description, the advantages of this embodiment are: fast computation, small computational load, good stability and no influence from anomalous historical data. More essentially, the anomaly detection method provided by this embodiment belongs to the unsupervised-learning class of detection methods: it needs no manual intervention or pre-training and can adapt online to traffic changes caused by changes in the DNS business.
Based on the same inventive concept, another embodiment of the present invention provides a DNS traffic anomaly detection apparatus. Referring to Fig. 4, the apparatus comprises a first obtaining module 21, a second obtaining module 22 and an anomaly detection module 23, wherein:
the first obtaining module 21 is for obtaining historical data and current data of DNS traffic;
the second obtaining module 22 is for obtaining residual data from the historical data and current data of the DNS traffic, the residual data comprising the residual data of the historical data and the residual data of the current data; and
the anomaly detection module 23 is for detecting, from the residual data of the historical data and the residual data of the current data, whether the current DNS traffic is anomalous.
Based on the content of the above embodiment, in an optional embodiment, the anomaly detection module 23 is specifically used for:
determining, from the residual data of the historical data, a distribution model matching the residual data of the historical data, and detecting whether the current DNS traffic is anomalous according to the residual data of the current data and the outlier criterion of the distribution model.
Based on the content of the above embodiment, in an optional embodiment, the distribution model is a Gaussian distribution;
correspondingly, when detecting whether the current DNS traffic is anomalous according to the residual data of the current data and the outlier criterion of the distribution model, the anomaly detection module is specifically used for:
judging whether the residual data of the current data meets the outlier criterion of the Gaussian distribution and, if so, determining that the current DNS traffic is anomalous.
Since the DNS traffic anomaly detection apparatus provided by this embodiment can be used to execute the DNS traffic anomaly detection method described in the above embodiment, and its working principle and beneficial effects are similar, they are not described in detail here; the specific content can be found in the description of the above embodiment.
Based on identical inventive concept, further embodiment of this invention provides a kind of electronic equipment, referring to Fig. 5, the electricity Sub- equipment specifically includes following content: processor 501, memory 502, communication interface 503 and bus 504;
Wherein, the processor 501, memory 502, communication interface 503 complete mutual lead to by the bus 504 Letter;The communication interface 503 is for realizing the information between the relevant devices such as each modeling software and intelligent manufacturing equipment module library Transmission;
The processor 501 is used to call the computer program in the memory 502, and the processor executes the meter The Overall Steps of above-mentioned DNS Traffic anomaly detection method are realized when calculation machine program, for example, the processor executes the computer Following step is realized when program:
Step 101: obtaining the historical data and current data of DNS flow.
Step 102: according to the historical data and current data of DNS flow, obtaining residual error data, the residual error data includes The residual error data of historical data and the residual error data of current data.
Step 103: according to the residual error data of the residual error data of historical data and current data, detecting current DNS flow is It is no to there is exception.
Based on identical inventive concept, further embodiment of this invention provides a kind of computer readable storage medium, the meter It is stored with computer program on calculation machine readable storage medium storing program for executing, which realizes above-mentioned DNS flow when being executed by processor The Overall Steps of method for detecting abnormality, for example, the processor realizes following step when executing the computer program:
Step 101: obtaining the historical data and current data of DNS flow.
Step 102: according to the historical data and current data of DNS flow, obtaining residual error data, the residual error data includes The residual error data of historical data and the residual error data of current data.
Step 103: according to the residual error data of the residual error data of historical data and current data, detecting current DNS flow is It is no to there is exception.
In the description of the present invention, it should be noted that orientation or positional relationships indicated by terms such as "upper" and "lower" are based on the orientation or positional relationships shown in the drawings; they are used merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, so they should not be understood as limiting the present invention. Unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly; for example, a connection may be a fixed connection, a detachable connection or an integral connection; it may be a mechanical connection or an electrical connection; it may be a direct connection, an indirect connection through an intermediary, or an internal connection between two elements. For those of ordinary skill in the art, the specific meanings of the above terms in the present invention can be understood according to the specific circumstances.
It should also be noted that, herein, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements that are inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The above embodiments are only used to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A DNS traffic anomaly detection method, characterized by comprising:
obtaining historical data and current data of DNS traffic;
obtaining residual data according to the historical data and current data of the DNS traffic, the residual data comprising residual data of the historical data and residual data of the current data;
detecting whether the current DNS traffic is abnormal according to the residual data of the historical data and the residual data of the current data.
2. The method according to claim 1, characterized in that the detecting whether the current DNS traffic is abnormal according to the residual data of the historical data and the residual data of the current data comprises:
determining, according to the residual data of the historical data, a distribution model matching the residual data of the historical data, and detecting whether the current DNS traffic is abnormal according to the residual data of the current data and an outlier criterion of the distribution model.
3. The method according to claim 2, characterized in that the distribution model is a Gaussian distribution;
correspondingly, the detecting whether the current DNS traffic is abnormal according to the residual data of the current data and the outlier criterion of the distribution model comprises:
determining whether the residual data of the current data satisfies the outlier criterion of the Gaussian distribution, and if so, determining that the current DNS traffic is abnormal.
4. The method according to claim 3, characterized in that the outlier criterion of the Gaussian distribution is μ + 4σ, where μ denotes the mean of the Gaussian distribution and σ denotes the standard deviation of the Gaussian distribution;
correspondingly, the determining whether the residual data of the current data satisfies the outlier criterion of the Gaussian distribution comprises:
determining whether the residual data of the current data is greater than μ + 4σ, and if so, determining that the current DNS traffic is abnormal.
5. The method according to any one of claims 1 to 4, characterized in that the obtaining residual data according to the historical data and current data of the DNS traffic comprises:
performing time series decomposition on the historical data and current data of the DNS traffic using a preset decomposition algorithm to obtain trend data, periodic data and residual data; the trend data, periodic data and residual data comprising trend data, periodic data and residual data of the historical data and trend data, periodic data and residual data of the current data.
6. A DNS traffic anomaly detection device, characterized by comprising:
a first obtaining module, for obtaining historical data and current data of DNS traffic;
a second obtaining module, for obtaining residual data according to the historical data and current data of the DNS traffic, the residual data comprising residual data of the historical data and residual data of the current data;
an anomaly detection module, for detecting whether the current DNS traffic is abnormal according to the residual data of the historical data and the residual data of the current data.
7. The device according to claim 6, characterized in that the anomaly detection module is specifically configured to:
determine, according to the residual data of the historical data, a distribution model matching the residual data of the historical data, and detect whether the current DNS traffic is abnormal according to the residual data of the current data and an outlier criterion of the distribution model.
8. The device according to claim 7, characterized in that the distribution model is a Gaussian distribution;
correspondingly, when detecting whether the current DNS traffic is abnormal according to the residual data of the current data and the outlier criterion of the distribution model, the anomaly detection module is specifically configured to:
determine whether the residual data of the current data satisfies the outlier criterion of the Gaussian distribution, and if so, determine that the current DNS traffic is abnormal.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that, when the processor executes the program, it implements the steps of the DNS traffic anomaly detection method according to any one of claims 1 to 5.
10. A computer readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the steps of the DNS traffic anomaly detection method according to any one of claims 1 to 5.
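The method of claims 1 to 5 (and of steps 101 to 103 in the description above) carried through on constructed sample counts, as an added worked example written for this page; it is not the patent's own code nor an implementation by the applicant. It assumes a fixed seasonal period of 4 buckets per cycle, a classical centred moving-average trend with the periodic component estimated as per-phase means (the "preset decomposition algorithm" of claim 5 is not specified on the page, so this choice is an assumption), a flat extrapolation of the trend over the current window, and the one-sided μ + 4σ criterion of claim 4. One deliberate departure from claim 5, named here so that it is not mistaken for the patent's procedure: the components are fitted on the historical data only and the current samples are scored against them, so that the anomaly under test cannot inflate the baseline's μ and σ.

```python
"""
Decomposition-based DNS traffic anomaly check (added example for this page;
not the patent's own implementation).

Pipeline, following the claims:
  1. historical and current DNS traffic counts (here: constructed samples)
  2. time-series decomposition -> trend, periodic, residual
  3. fit a Gaussian (mu, sigma) to the historical residuals and flag any
     current residual greater than mu + 4*sigma
"""
from statistics import mean, pstdev


def moving_average_trend(series, period):
    """Centred moving-average trend (classical decomposition).

    For an even period the standard 2xm moving average is used (half weight
    on the two outermost points of an (m+1)-wide window); for an odd period
    a plain m-point centred average. Positions near the edges, where a full
    window does not fit, copy the nearest interior value (a simplification
    chosen for this example).
    """
    n = len(series)
    if period % 2 == 0:
        weights = [0.5] + [1.0] * (period - 1) + [0.5]
    else:
        weights = [1.0] * period
    half = len(weights) // 2
    if n < len(weights):
        raise ValueError("series shorter than one smoothing window")
    trend = [0.0] * n
    for i in range(half, n - half):
        window = series[i - half:i + half + 1]
        trend[i] = sum(w * x for w, x in zip(weights, window)) / period
    for i in range(half):
        trend[i] = trend[half]
    for i in range(n - half, n):
        trend[i] = trend[n - half - 1]
    return trend


def decompose(series, period):
    """Additive decomposition: series = trend + seasonal + residual.

    Returns (trend, seasonal_means, residual); seasonal_means[k] is the mean
    detrended value of every sample whose position is congruent to k mod period.
    """
    trend = moving_average_trend(series, period)
    detrended = [x - t for x, t in zip(series, trend)]
    seasonal_means = [mean(detrended[k::period]) for k in range(period)]
    residual = [d - seasonal_means[i % period] for i, d in enumerate(detrended)]
    return trend, seasonal_means, residual


def detect_anomalies(history, current, period, k=4.0):
    """Score each current sample against a Gaussian fitted on historical residuals.

    Returns a dict with the fitted mu and sigma, the threshold mu + k*sigma,
    and one (value, residual, is_anomalous) tuple per current sample.
    """
    trend, seasonal_means, hist_resid = decompose(history, period)
    mu, sigma = mean(hist_resid), pstdev(hist_resid)
    threshold = mu + k * sigma
    level = trend[-1]  # flat extrapolation of the trend over the current window (assumption)
    results = []
    for j, x in enumerate(current):
        phase = (len(history) + j) % period
        resid = x - level - seasonal_means[phase]
        results.append((x, resid, resid > threshold))
    return {"mu": mu, "sigma": sigma, "threshold": threshold, "results": results}


# Constructed sample data: queries per 6-hour bucket, so period = 4 buckets per day.
BASE_CYCLE = [100, 140, 180, 120]
NOISE = [4, -5, 2, -3, -4, 5, -2, 3, 1, -6, 3, 0,
         -1, 6, -3, 2, 5, -2, -4, 1, -5, 2, 4, -3]          # six days of history
HISTORY = [BASE_CYCLE[i % 4] + NOISE[i] for i in range(len(NOISE))]
CURRENT = [100, 140, 1180, 120]                             # today, with a burst in bucket 2


if __name__ == "__main__":
    out = detect_anomalies(HISTORY, CURRENT, period=4)
    print(f"mu={out['mu']:.2f} sigma={out['sigma']:.2f} threshold={out['threshold']:.2f}")
    for j, (value, resid, bad) in enumerate(out["results"]):
        print(f"bucket {j}: value={value} residual={resid:+.2f} anomalous={bad}")
```

Two points an operator should keep in mind when using the μ + 4σ rule as claimed: it is one-sided, so a collapse in query volume (an outage or a route withdrawal) produces a large negative residual that this criterion never flags, and a lower bound of μ − 4σ is the natural complement; and the σ estimate is only as good as the history, so a few cycles with a burst already inside them widen the threshold and hide later bursts, which is why the example fits the baseline on history alone rather than on history and current data together.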
CN201811600351.0A 2018-12-26 2018-12-26 DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium Pending CN109862129A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811600351.0A CN109862129A (en) 2018-12-26 2018-12-26 DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811600351.0A CN109862129A (en) 2018-12-26 2018-12-26 DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN109862129A true CN109862129A (en) 2019-06-07

Family

ID=66892438

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811600351.0A Pending CN109862129A (en) 2018-12-26 2018-12-26 DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109862129A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519290A (en) * 2019-09-03 2019-11-29 南京中孚信息技术有限公司 Anomalous traffic detection method, device and electronic equipment
CN112099983A (en) * 2020-09-22 2020-12-18 北京知道创宇信息技术股份有限公司 Service exception handling method and device, electronic equipment and computer readable storage medium
WO2021027697A1 (en) * 2019-08-15 2021-02-18 华为技术有限公司 Traffic abnormality detection method, and model training method and apparatus
WO2021056724A1 (en) * 2019-09-23 2021-04-01 平安科技(深圳)有限公司 Anomaly detection method and apparatus, electronic device and storage medium
CN112668661A (en) * 2020-12-31 2021-04-16 新奥数能科技有限公司 Identification method and device for photovoltaic power abnormal data

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102694696A (en) * 2012-05-14 2012-09-26 中国科学院计算机网络信息中心 Method and device for anomaly detection of DNS (domain name system) server
US20140163916A1 (en) * 2012-12-10 2014-06-12 International Business Machines Corporation Techniques for Iterative Reduction of Uncertainty in Water Distribution Networks
CN103973663A (en) * 2013-02-01 2014-08-06 中国移动通信集团河北有限公司 Method and device for dynamic threshold anomaly traffic detection of DDOS (distributed denial of service) attack
CN106713677A (en) * 2016-05-24 2017-05-24 国家电网公司客户服务中心 Prediction method for incoming call traffic of power client service center
CN106941490A (en) * 2017-03-20 2017-07-11 湖南友道信息技术有限公司 Online network flow abnormal detecting method based on bidirectional two-dimensional principal component analysis
CN108924118A (en) * 2018-06-27 2018-11-30 亚信科技(成都)有限公司 One kind hitting library behavioral value method and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
侯重远 et al.: "Probabilistic principal component analysis method for industrial network traffic anomaly detection", Journal of Xi'an Jiaotong University *
左青云 et al.: "An SDN-based online traffic anomaly detection method", Journal of Xidian University (Natural Science Edition) *
邹柏贤: "A real-time network anomaly detection method", Chinese Journal of Computers *

Similar Documents

Publication Publication Date Title
CN109862129A (en) DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium
Kwon et al. PsyBoG: A scalable botnet detection method for large-scale DNS traffic
Jiang et al. Identifying suspicious activities through dns failure graph analysis
EP3092569B1 (en) Cyber security adaptive analytics threat monitoring system and method
Zhang et al. A survey on latest botnet attack and defense
US8260914B1 (en) Detecting DNS fast-flux anomalies
US9692772B2 (en) Detection of malware using time spans and periods of activity for network requests
CN108270778A (en) A kind of DNS domain name abnormal access detection method and device
Stevanovic et al. On the ground truth problem of malicious DNS traffic analysis
US11095671B2 (en) DNS misuse detection through attribute cardinality tracking
CA3069437A1 (en) Cyberanalysis workflow acceleration
CN111885086B (en) Malicious software heartbeat detection method, device and equipment and readable storage medium
KR101761781B1 (en) Big data processing method for applying integrated management framework for the open source database
CN108111548A (en) A kind of domain name system attack detection method, apparatus and system
CN103905456B (en) DNS inverse solution attack detecting method based on entropy model
CN112839054A (en) Network attack detection method, device, equipment and medium
Zang et al. Identifying fast-flux botnet with AGD names at the upper DNS hierarchy
CN114978614A (en) IP asset rapid scanning processing system
TWI677209B (en) Domain name filtering method
CN117424743A (en) Data processing method and device, electronic equipment and storage medium
US10728273B1 (en) Systems, devices, and methods for detecting and mitigating domain name registrations used for malicious behavior
CN113726775B (en) Attack detection method, device, equipment and storage medium
Yan et al. Detect and identify DDoS attacks from flash crowd based on self-similarity and Renyi entropy
CN112800415B (en) Weak password detection method and system based on greedy algorithm model
CN112929369A (en) Distributed real-time DDoS attack detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190607