CN110177123A - Botnet detection method based on DNS mapping association figure - Google Patents


Info

Publication number: CN110177123A
Authority: CN (China)
Prior art keywords: node, component, name, indicate, universe
Legal status: Granted
Application number: CN201910534665.3A
Other languages: Chinese (zh)
Other versions: CN110177123B (en)
Inventors: 张小松, 牛伟纳, 熊智鹏, 谢鑫, 将天宇, 葛洪麟
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China
Priority date: 2019-06-20
Filing date: 2019-06-20
Publication date: 2019-08-27
Application filed by University of Electronic Science and Technology of China
Priority to CN201910534665.3A
Publication of CN110177123A
Application granted
Publication of CN110177123B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets

Abstract

The present invention relates to a botnet detection method based on a DNS mapping association graph, comprising: A. filtering DNS traffic and, within it, the response packet traffic containing A records, and preprocessing the filtered response packet traffic; B. from the preprocessed response packet traffic, constructing bipartite-graph component sets with fully qualified domain names (FQDNs) and IPs respectively as the center nodes, using FQDN and IP respectively as keys to extract the mapping relationships, and merging the graph components within each bipartite-graph component set; C. analysing the elements of the bipartite-graph sets and extracting graph feature vectors; D. taking published Fast-flux and Domain-flux botnet datasets as data input, executing steps A to C and, according to the extracted graph feature vectors, dividing the data into a training set and a test set and obtaining a classification model with the LightGBM algorithm; E. applying the classification model to detect botnets in the traffic under test. The present invention can detect both Fast-flux and Domain-flux botnets at the same time, with high detection accuracy.

Description

Botnet detection method based on DNS mapping association graph
Technical field
The present invention relates to network security detection methods, in particular to a botnet detection method based on a DNS mapping association graph.
Background technique
A botnet is a platform for comprehensive attacks developed on the basis of traditional malicious code such as computer viruses, Trojan horses, network worms and spyware. In recent years, novel botnet programs have also applied techniques such as 0-day vulnerabilities, phishing and P2P to their propagation, so that traditional hosts, mobile devices, even cloud devices and routers become infected hosts under botnet control, commonly called "broilers" (zombies). Botnets remain one of the great threats to today's Internet, and they keep changing and developing. Detecting botnets has always been a great challenge for security personnel.
DNS (Domain Name System) is an important service in the present Internet system and a distributed database of the mapping between domain names and IP addresses; like a telephone directory, it records the correspondence between domain names and IP addresses.
Fast-flux technology refers to a technique in which the association between a domain name and its IP addresses changes continually. A network deployed with Fast-flux technology is called an FFSN (Fast-flux Service Network). By continuously changing DNS records, an FFSN can assign multiple (even thousands of) IP addresses to a single legitimate domain name, ensuring relatively high availability of the domain name.
Domain-flux refers to the botnet controller dynamically changing domain names to escape detection. The key here is the domain generation algorithm (DGA), which uses a seed to generate a large number of domain names at random; the zombie hosts then issue DNS requests for them one by one, attempting to establish a communication connection, and only a fraction of these requests are answered. The communication nodes between the attacker and the compromised hosts change dynamically, which evades detection well.
Summary of the invention
The present invention provides a botnet detection method based on a DNS mapping association graph for detecting both Fast-flux and Domain-flux botnets, with high detection accuracy.
The botnet detection method of the present invention based on a DNS mapping association graph comprises:
A. DNS traffic filtering and preprocessing: from mirrored traffic at the exit equipment of the network under test, filter DNS traffic according to predetermined rules, then further filter the response packet traffic containing A records (an A (Address) record is used to specify the IP address corresponding to a host name or domain name), and then preprocess the filtered response packet traffic;
B. Graph mapping association processing: for the preprocessed response packet traffic, according to the DNS query responses, take the fully qualified domain name (FQDN) and the IP respectively as keys, extract the mapping relationships they contain, construct bipartite-graph component sets with FQDNs and IPs respectively as center nodes, and merge the graph components within each bipartite-graph component set;
C. Graph component feature analysis and extraction: analyse the elements of the bipartite-graph sets and, combined with the information obtained in preprocessing, extract graph feature vectors;
D. Graph component classification: take published Fast-flux and Domain-flux botnet datasets as data input, execute steps A to C, complete the standardisation of the data according to the extracted graph feature vectors, divide the standardised data into a training set and a test set, and obtain a classification model using the LightGBM algorithm. LightGBM is a fast, high-performance, distributed gradient boosting framework open-sourced by Microsoft in 2017, usable for machine-learning tasks such as ranking, classification and regression. It is based on decision tree algorithms and splits leaf nodes with a leaf-wise strategy; without reducing accuracy, it is about 10 times faster than mainstream classification algorithms, while its memory usage drops by a factor of about 3.
E. Input the information of the traffic under test into the classification model; the classification model computes whether the traffic under test is malicious, and if it is computed to be malicious, the classification model computes the class of the malicious traffic (Fast-flux or Domain-flux botnet).
Tests show that the method of the invention can cover detection of both Fast-flux and Domain-flux botnets at the same time, with high detection accuracy.
Further, the preprocessing in step A includes performing secondary filtering of the A-record response packet traffic according to whitelists of FQDNs and IPs, and, with the timestamp of the traffic as ID, extracting multiple fields of every record in the A records, including timestamp, source MAC address, destination MAC address, source IP, destination IP, TTL value, source port and destination port.
Further, when the graph components in the bipartite-graph component sets are merged in step B, the component set centred on FQDNs and the component set centred on IPs are merged using their respective corresponding modes.
Specifically, when merging graph components whose center node is an FQDN, first calculate the difference degree DD between similar domain names according to the hierarchical nature of the FQDN, then merge two similar graph components using the k-means clustering algorithm, where the difference degree DD between similar domain names is calculated as:
where ω_λ is an intermediate value of the domain-name difference calculation, λ is the level of the domain name, X and Y each denote an FQDN, X_λ denotes level λ of FQDN X and Y_λ denotes level λ of FQDN Y (for example, for the FQDN www.baidu.com the first level is com), |X_λ| denotes the length of X_λ, |Y_λ| denotes the length of Y_λ, |X| denotes the number of levels of X, |Y| denotes the number of levels of Y, and α is a preset parameter initialised to 2. The role of α is to balance the weights; its initial value is empirical and can be optimised later. dd_λ and Ω are intermediate values of the calculation.
Specifically, when merging graph components whose center node is an IP, the condition is that the IP addresses adjacent to the center node provide similar services; within a specific time span, compute the similarity IS of the two IPs, and merge the similar graph components when it reaches a threshold. The time span refers to the time interval of data processing in the actual implementation, and its initial value is usually 12 hours. The similarity IS of two IPs is calculated as:
In the formula above, X denotes the IP address of the graph-component center node, Y denotes the adjacent IP address, X_m denotes the numeric value of X, Y_m denotes the numeric value of Y, X_t denotes the timestamp of X, Y_t denotes the timestamp of Y, α and β denote preset parameters with initial values 1.8 and 0.2 respectively, and λ denotes the class difference between the two IP addresses; for example, the class difference between a class A and a class B IP address is 1, and between a class A and a class C IP address it is 2.
On this basis, the graph component feature analysis in step C includes:
C1. Analyse the structural features of the graph component: count the nodes in the graph component, including FQDN nodes and IP nodes, and compute the maximum degree and average degree of all center nodes;
C2. Analyse FQDN node features: using the traffic information preprocessed in step A and the public data of the Whois database, compute the Whois information of the FQDN; Whois information is the public information of a domain name or IP and shows its basic related information.
C3. Analyse IP node features: using the traffic information preprocessed in step A and the public data of the Whois database, compute the Whois information of the IP node;
C4. Analyse connection edge features: nodes in a graph component are linked by connection edges, one connection edge being one DNS query response; choose the TTL information on the connection edge (Time To Live, a field specifying the maximum number of network segments a packet may pass through before routers discard it), including its mean and variance, as the connection edge features;
C5. Compute blacklist features: the blacklists include an FQDN blacklist and an IP blacklist. When analysing the blacklist features of a graph component, combined with published blacklist libraries, compute the number of flagged FQDNs in the graph component, the number of flagged second-level-domain + top-level-domain (2-LD+TLD) values, the maximum degree of flagged FQDN nodes, the number of flagged IP nodes, the maximum degree of flagged IP nodes, and the ratio of flagged nodes to all nodes.
Further, the Whois information of the FQDN in step C2 includes the creation time, number of updates and integrity of the FQDN, the maximum number of levels and the average number of levels of the FQDN, the number of top-level-domain (TLD) types, the number of second-level-domain (2-LD) types, and the maximum length, average length, number of words and character repetition degree of the second-level-domain (2-LD) characters.
Further, the Whois information of the IP node in step C3 includes the status and update time of the IP node, its country, the number of autonomous system numbers (ASNs) of the node IP, and the ratio of ASN count to IP count.
The beneficial effects of the botnet detection method of the present invention based on a DNS mapping association graph include:
1. Detection of both Fast-flux and Domain-flux botnets can be covered at the same time.
2. Filtering DNS traffic down to the A-record response packet traffic greatly reduces the data volume of subsequent processing.
3. Constructing bipartite-graph sets with FQDNs and IPs as center nodes provides a new way of processing DNS traffic.
4. Merging with different algorithms for FQDNs and for IPs greatly reduces the graph component data set and at the same time better fits the technical characteristics of Fast-flux and Domain-flux.
5. Feature analysis of the DNS mapping association graph greatly improves the accuracy of botnet detection and is also suitable for processing the mass data of high-speed networks.
The above content of the present invention is further described in detail below with reference to embodiments. This should not be understood as limiting the scope of the above subject matter of the present invention to the following examples. Without departing from the above technical ideas of the present invention, various replacements or changes made according to ordinary technical knowledge and customary means in the field shall all be included in the scope of the present invention.
Detailed description of the invention
Fig. 1 is a flow chart of the botnet detection method of the present invention based on a DNS mapping association graph.
Specific embodiment
The present embodiment uses CentOS, a Linux-based release operating system, version 7.6.1810.
The botnet detection method of the present invention based on a DNS mapping association graph, as shown in Fig. 1, comprises:
A. DNS traffic filtering and preprocessing: on the equipment at the exit of the network under test, including switches, routers and the like, configure port mirroring so that the traffic is directed to a specific server network interface, and install the PF_RING package on that server; if the data volume is large, traffic collection at the 10 Gbps level can also be achieved using PF_RING + Zero Copy. Filter DNS traffic according to BPF (Berkeley Packet Filter) rules, then further filter the response packet traffic containing A records (an A (Address) record is used to specify the IP address corresponding to a host name or domain name).
Then preprocess the filtered response packet traffic: perform secondary filtering of the A-record response packet traffic according to whitelists of FQDNs and IPs, and, with the timestamp of the traffic as ID, extract multiple fields of every record in the A records, including timestamp, source MAC address, destination MAC address, source IP, destination IP, TTL value, source port and destination port.
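Step A in working form, as an added example that is not code from the patent or its inventors: the following Python parses one DNS response, keeps only the A records from its answer section, applies the FQDN/IP whitelist (the secondary filter) and emits the per-record fields listed above. The response bytes, the whitelist entries, the placeholder names (c2.example-test.net and the like) and the frame metadata passed to preprocess() are all constructed for this example; BPF_FILTER is one rule of the kind the page refers to, not the patent's rule set.

```python
"""Step A (added example, not the patent's code): parse a DNS response, keep only
A records, apply FQDN/IP whitelists and emit the per-record fields the patent lists.
All sample data below is constructed for the demo."""
import ipaddress
import struct
from typing import List, Tuple

# A BPF rule of the kind the page refers to: DNS responses leave the resolver on port 53.
BPF_FILTER = "udp and src port 53"

# Whitelists (constructed): www.baidu.com is the page's own example FQDN.
WHITELIST_FQDN = {"www.baidu.com"}
WHITELIST_IP = {"198.51.100.7"}


def _encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_sample_response() -> bytes:
    """Constructed DNS response: 1 question, 1 CNAME + 2 A answers (placeholder names)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR=1 (response)
    question = _encode_name("c2.example-test.net") + struct.pack("!HH", 1, 1)

    def rr(rtype: int, ttl: int, rdata: bytes) -> bytes:
        # 0xC00C is a compression pointer to the question name at offset 12
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

    answers = (rr(5, 300, _encode_name("alias.example-test.net"))  # CNAME, not kept
               + rr(1, 60, bytes([203, 0, 113, 10]))                  # A, TTL 60
               + rr(1, 120, bytes([198, 51, 100, 7])))                # A, TTL 120
    return header + question + answers


def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if ln == 0:                                    # root label ends the name
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_a_records(payload: bytes) -> List[Tuple[str, str, int]]:
    """Return (fqdn, ipv4, ttl) for each A record in the answer section of a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000:
        return []                                      # a query, not a response
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = _read_name(payload, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = _read_name(payload, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            records.append((owner, str(ipaddress.IPv4Address(rdata)), ttl))
    return records


def preprocess(ts, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Whitelist (secondary) filtering plus the per-record field extraction of step A."""
    out = []
    for fqdn, ip, ttl in parse_a_records(payload):
        if fqdn in WHITELIST_FQDN or ip in WHITELIST_IP:
            continue
        out.append({"id": ts, "timestamp": ts, "src_mac": src_mac, "dst_mac": dst_mac,
                    "src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
                    "dst_port": dst_port, "fqdn": fqdn, "ip": ip, "ttl": ttl})
    return out


if __name__ == "__main__":
    pkt = build_sample_response()
    print(parse_a_records(pkt))
    print(preprocess(1561000000.0, "00:11:22:33:44:55", "66:77:88:99:aa:bb",
                     "192.0.2.53", "192.0.2.10", 53, 40000, pkt))
```

The parser follows compression pointers so that answer owner names referring back to the question are resolved; the CNAME answer is parsed but dropped, and the second A record is removed by the IP whitelist, so only one record survives preprocessing.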
B. Graph mapping association processing: for the preprocessed response packet traffic, according to the DNS query responses, take the fully qualified domain name (FQDN) and the IP respectively as keys, extract the mapping relationships they contain, construct bipartite-graph component sets with FQDNs and IPs respectively as center nodes, and merge the graph components in the FQDN-centred component set and in the IP-centred component set using their respective corresponding modes.
When merging graph components whose center node is an FQDN, first calculate the difference degree DD between similar domain names according to the hierarchical nature of the FQDN, then merge two similar graph components using the k-means clustering algorithm, where the difference degree DD between similar domain names is calculated as:
where ω_λ is an intermediate value of the domain-name difference calculation, λ is the level of the domain name, X and Y each denote an FQDN, X_λ denotes level λ of FQDN X, Y_λ denotes level λ of FQDN Y, |X_λ| denotes the length of X_λ, |Y_λ| denotes the length of Y_λ, |X| denotes the number of levels of X, |Y| denotes the number of levels of Y, and α is a preset parameter initialised to 2. The role of α is to balance the weights; its initial value is empirical and can be optimised later. dd_λ and Ω are intermediate values of the calculation.
When merging graph components whose center node is an IP, the condition is that the IP addresses adjacent to the center node provide similar services; within a specific time span, compute the similarity IS of the two IPs, and merge the similar graph components when it reaches a threshold. The time span refers to the time interval of data processing in the actual implementation, and its initial value is usually 12 hours. The similarity IS of two IPs is calculated as:
In the formula above, X denotes the IP address of the graph-component center node, Y denotes the adjacent IP address, X_m denotes the numeric value of X, Y_m denotes the numeric value of Y, X_t denotes the timestamp of X, Y_t denotes the timestamp of Y, α and β denote preset parameters with initial values 1.8 and 0.2 respectively, and λ denotes the class difference between the two IP addresses; for example, class A and class B differ by 1.
C. Graph component feature analysis and extraction: analyse the elements of the bipartite-graph sets and, combined with the information obtained in preprocessing, extract graph feature vectors. The graph component feature analysis includes:
C1. Analyse the structural features of the graph component: count the nodes in the graph component, including FQDN nodes and IP nodes, and compute the maximum degree and average degree of all center nodes;
C2. Analyse FQDN node features: using the traffic information preprocessed in step A and the public data of the Whois database, compute the Whois information of the FQDN, including the creation time, number of updates and integrity of the FQDN, the maximum number of levels and the average number of levels of the FQDN, the number of TLD (top-level domain) types, the number of 2-LD (second-level domain) types, and the maximum length, average length, number of words and character repetition degree of the 2-LD (second-level domain) characters;
C3. Analyse IP node features: using the traffic information preprocessed in step A and the public data of the Whois database, compute the Whois information of the IP node, including the status and update time of the IP node, its country, owning individual and region, the number of ASNs (autonomous system numbers) of the node IP, and the ratio of ASN (autonomous system number) count to IP count;
C4. Analyse connection edge features: nodes in a graph component are linked by connection edges, one connection edge being one DNS query response; choose the TTL information on the connection edge (Time To Live, a field specifying the maximum number of network segments a packet may pass through before routers discard it), including its mean and variance, as the connection edge features;
C5. Compute blacklist features: the blacklists include an FQDN blacklist and an IP blacklist. When analysing the blacklist features of a graph component, combined with published blacklist libraries, compute the number of flagged FQDNs in the graph component, the number of flagged 2-LD+TLD (second-level domain + top-level domain) values, the maximum degree of flagged FQDN nodes, the number of flagged IP nodes, the maximum degree of flagged IP nodes, and the ratio of flagged nodes to all nodes.
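Steps B, C1, C4 and C5 above in working form, as an added example that is not the patent's code: the bipartite graph is built from (FQDN, IP, TTL) triples such as step A emits, each connected component of that graph is taken as one graph component with its FQDN nodes as the center nodes, and the structural, TTL-edge and blacklist features are computed per component. The records and blacklists are constructed; the 2-LD+TLD value is approximated by the last two labels (no public-suffix list), and the DD/IS component merging is not implemented because the page does not reproduce those formulas.

```python
"""Steps B, C1, C4, C5 (added example, not the patent's code): build the FQDN<->IP
bipartite graph, split it into graph components and compute structural, TTL-edge
and blacklist features per component. All data below is constructed."""
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed (fqdn, ip, ttl) triples as step A would emit them. a1 and a2 share
# 203.0.113.11, so they fall into one component; the third name stands alone.
SAMPLE_RECORDS = [
    ("a1.flux-test.example", "203.0.113.10", 60),
    ("a1.flux-test.example", "203.0.113.11", 60),
    ("a1.flux-test.example", "198.51.100.7", 120),
    ("a2.flux-test.example", "203.0.113.11", 60),
    ("www.benign-test.example", "192.0.2.5", 3600),
    ("www.benign-test.example", "192.0.2.6", 3600),
]
# Constructed blacklists standing in for the published blacklist libraries.
BLACKLIST_FQDN = {"a1.flux-test.example"}
BLACKLIST_IP = {"203.0.113.11"}

Node = Tuple[str, str]   # ("fqdn", name) or ("ip", address)


def build_bipartite(records):
    """Adjacency of the bipartite graph plus the TTLs observed on each (fqdn, ip) edge."""
    adj: Dict[Node, Set[Node]] = defaultdict(set)
    edge_ttls: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for fqdn, ip, ttl in records:
        adj[("fqdn", fqdn)].add(("ip", ip))
        adj[("ip", ip)].add(("fqdn", fqdn))
        edge_ttls[(fqdn, ip)].append(ttl)       # one DNS response = one edge observation
    return adj, edge_ttls


def connected_components(adj) -> List[Set[Node]]:
    """Each connected component is one 'graph component' in the patent's sense."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def _sld_tld(fqdn: str) -> str:
    """Approximate 2-LD+TLD by the last two labels (assumption: no public-suffix list)."""
    return ".".join(fqdn.split(".")[-2:])


def component_features(records, blacklist_fqdn, blacklist_ip):
    """Feature dict per component; FQDN nodes are treated as the center nodes."""
    adj, edge_ttls = build_bipartite(records)
    feats = []
    for comp in connected_components(adj):
        fqdns = sorted(n[1] for n in comp if n[0] == "fqdn")
        ips = sorted(n[1] for n in comp if n[0] == "ip")
        center_deg = [len(adj[("fqdn", f)]) for f in fqdns]
        ttls = [t for f in fqdns for (_, ip) in adj[("fqdn", f)] for t in edge_ttls[(f, ip)]]
        bad_f = [f for f in fqdns if f in blacklist_fqdn]
        bad_i = [i for i in ips if i in blacklist_ip]
        feats.append({
            "center": fqdns[0],
            # C1: structural features
            "node_count": len(comp), "fqdn_count": len(fqdns), "ip_count": len(ips),
            "max_center_degree": max(center_deg),
            "avg_center_degree": statistics.fmean(center_deg),
            # C4: connection-edge TTL statistics
            "ttl_mean": statistics.fmean(ttls), "ttl_var": statistics.pvariance(ttls),
            # C5: blacklist features
            "flagged_fqdn": len(bad_f),
            "flagged_2ld_tld": len({_sld_tld(f) for f in bad_f}),
            "flagged_fqdn_max_degree": max((len(adj[("fqdn", f)]) for f in bad_f), default=0),
            "flagged_ip": len(bad_i),
            "flagged_ip_max_degree": max((len(adj[("ip", i)]) for i in bad_i), default=0),
            "flagged_ratio": (len(bad_f) + len(bad_i)) / len(comp),
        })
    return sorted(feats, key=lambda d: d["center"])


if __name__ == "__main__":
    for feat in component_features(SAMPLE_RECORDS, BLACKLIST_FQDN, BLACKLIST_IP):
        print(feat)
```

On the constructed data the flux-like component has 5 nodes, a center node of degree 3, low-TTL edges with mean 75 and a flagged-node ratio of 0.4, while the benign component has a single center of degree 2, constant TTL 3600 and no flagged nodes; these per-component dictionaries are the rows that step D would standardise and feed to the classifier.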
D. Graph component classification: take published Fast-flux and Domain-flux botnet datasets as data input, replay the traffic in a laboratory environment with TCPReplay, and build a mixed dataset that includes real traffic. The Fast-flux public dataset consists of the pure Fast-flux malicious traffic in CTU-13 and the sample traffic of the Storm, Waledac and Zeus botnets in ISOT. The Domain-flux public dataset is the ISOT HTTP botnet dataset built by Alenazi A et al. Execute steps A to C, complete the standardisation of the data according to the extracted graph feature vectors, divide the standardised data into a training set and a test set, and obtain a classification model using the LightGBM algorithm.
E. Input the information of the traffic under test into the classification model; the classification model computes whether the traffic under test is malicious, and if it is computed to be malicious, the classification model computes whether the malicious traffic belongs to a Fast-flux or a Domain-flux botnet.

Claims (8)

1. A botnet detection method based on a DNS mapping association graph, characterised by comprising:
A. DNS traffic filtering and preprocessing: from mirrored traffic at the exit equipment of the network under test, filter DNS traffic according to predetermined rules, further filter the response packet traffic containing A records, and then preprocess the filtered response packet traffic;
B. Graph mapping association processing: for the preprocessed response packet traffic, according to the DNS query responses, take the FQDN and the IP respectively as keys, extract the mapping relationships they contain, construct bipartite-graph component sets with FQDNs and IPs respectively as center nodes, and merge the graph components within each bipartite-graph component set;
C. Graph component feature analysis and extraction: analyse the elements of the bipartite-graph sets and, combined with the information obtained in preprocessing, extract graph feature vectors;
D. Graph component classification: take published Fast-flux and Domain-flux botnet datasets as data input, execute steps A to C, complete the standardisation of the data according to the extracted graph feature vectors, divide a training set and a test set, and obtain a classification model using the LightGBM algorithm;
E. Input the information of the traffic under test into the classification model; the classification model computes whether the traffic under test is malicious, and if it is computed to be malicious, the classification model computes the class of the malicious traffic.
2. The botnet detection method based on a DNS mapping association graph according to claim 1, characterised in that the preprocessing in step A includes performing secondary filtering of the A-record response packet traffic according to whitelists of FQDNs and IPs, and, with the timestamp of the traffic as ID, extracting multiple fields of every record in the A records.
3. The botnet detection method based on a DNS mapping association graph according to claim 1, characterised in that, when the graph components in the bipartite-graph component sets are merged in step B, the component set centred on FQDNs and the component set centred on IPs are merged using their respective corresponding modes.
4. The botnet detection method based on a DNS mapping association graph according to claim 3, characterised in that, when merging graph components whose center node is an FQDN, first calculate the difference degree DD between similar domain names according to the hierarchical nature of the FQDN, then merge two similar graph components using the k-means clustering algorithm, where the difference degree DD between similar domain names is calculated as:
where ω_λ is an intermediate value of the domain-name difference calculation, λ is the level of the domain name, X and Y each denote an FQDN, X_λ denotes level λ of FQDN X, Y_λ denotes level λ of FQDN Y, |X_λ| denotes the length of X_λ, |Y_λ| denotes the length of Y_λ, |X| denotes the number of levels of X, |Y| denotes the number of levels of Y, α is a preset parameter initialised to 2, and dd_λ and Ω are intermediate values of the calculation.
5. The botnet detection method based on a DNS mapping association graph according to claim 3, characterised in that, when merging graph components whose center node is an IP, the condition is that the IP addresses adjacent to the center node provide similar services; within a specific time span, compute the similarity IS of the two IPs and merge the similar graph components when it reaches a threshold, where the similarity IS of two IPs is calculated as:
In the formula above, X denotes the IP address of the graph-component center node, Y denotes the adjacent IP address, X_m denotes the numeric value of X, Y_m denotes the numeric value of Y, X_t denotes the timestamp of X, Y_t denotes the timestamp of Y, α and β denote preset parameters, and λ denotes the class difference between the two IP addresses.
6. The botnet detection method based on a DNS mapping association graph according to one of claims 1 to 5, characterised in that the graph component feature analysis in step C includes:
C1. Analyse the structural features of the graph component: count the nodes in the graph component, including FQDN nodes and IP nodes, and compute the maximum degree and average degree of all center nodes;
C2. Analyse FQDN node features: using the traffic information preprocessed in step A and the public data of the Whois database, compute the Whois information of the FQDN;
C3. Analyse IP node features: using the traffic information preprocessed in step A and the public data of the Whois database, compute the Whois information of the IP node;
C4. Analyse connection edge features: nodes in a graph component are linked by connection edges, one connection edge being one DNS query response; choose the TTL information on the connection edge, including its mean and variance, as the features;
C5. Compute blacklist features: the blacklists include an FQDN blacklist and an IP blacklist. When analysing the blacklist features of a graph component, combined with published blacklist libraries, compute the number of flagged FQDNs in the graph component, the number of flagged second-level-domain + top-level-domain values, the maximum degree of flagged FQDN nodes, the number of flagged IP nodes, the maximum degree of flagged IP nodes, and the ratio of flagged nodes to all nodes.
7. The botnet detection method based on a DNS mapping association graph according to claim 6, characterised in that the Whois information of the FQDN in step C2 includes the creation time, number of updates and integrity of the FQDN, the maximum number of levels and the average number of levels of the FQDN, the number of top-level-domain types, the number of second-level-domain types, and the maximum length, average length, number of words and character repetition degree of the second-level-domain characters.
8. The botnet detection method based on a DNS mapping association graph according to claim 6, characterised in that the Whois information of the IP node in step C3 includes the status and update time of the IP node, its country, the number of autonomous system numbers of the node IP, and the ratio of autonomous system number count to IP count.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910534665.3A CN110177123B (en) 2019-06-20 2019-06-20 Botnet detection method based on DNS mapping association graph

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910534665.3A CN110177123B (en) 2019-06-20 2019-06-20 Botnet detection method based on DNS mapping association graph

Publications (2)

Publication Number Publication Date
CN110177123A true CN110177123A (en) 2019-08-27
CN110177123B CN110177123B (en) 2020-09-18

Family

ID=67698615

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910534665.3A Active CN110177123B (en) 2019-06-20 2019-06-20 Botnet detection method based on DNS mapping association graph

Country Status (1)

Country Link
CN (1) CN110177123B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045215A (en) * 2009-10-21 2011-05-04 成都市华为赛门铁克科技有限公司 Botnet detection method and device
CN102291268A (en) * 2011-09-23 2011-12-21 杜跃进 Safety domain name server and hostile domain name monitoring system and method based on same
CN102938769A (en) * 2012-11-22 2013-02-20 国家计算机网络与信息安全管理中心 Detection method of Domain flux botnet domain names
US20160261625A1 (en) * 2014-07-30 2016-09-08 Zscaler, Inc. Zero day threat detection based on fast flux detection and aggregation
CN106230867A (en) * 2016-09-29 2016-12-14 北京知道创宇信息技术有限公司 Prediction domain name whether method, system and the model training method thereof of malice, system
EP3306900A1 (en) * 2016-10-07 2018-04-11 Secucloud GmbH Dns routing for improved network security
CN108494790A (en) * 2018-04-08 2018-09-04 南京大学 A method of detecting sustained network attack in distributed network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ZHONGLIU ZHUO: "Website Fingerprinting Attack on Anonymity Networks Based on Profile Hidden Markov Model", IEEE Transactions on Information Forensics and Security *
Liu Zimao et al.: "Fast-Flux botnet detection method based on proxy control capability", Journal of Guangxi University (Natural Science Edition) *
Wang Zhongqing: "Research on Fast-Flux botnet detection methods based on network traffic", China Master's Theses Full-text Database, Information Science and Technology *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110598774A (en) * 2019-09-03 2019-12-20 中电长城网际安全技术研究院(北京)有限公司 Encrypted flow detection method and device, computer readable storage medium and electronic equipment
CN113381962A (en) * 2020-02-25 2021-09-10 深信服科技股份有限公司 Data processing method, device and storage medium
CN113381962B (en) * 2020-02-25 2023-02-03 深信服科技股份有限公司 Data processing method, device and storage medium
CN112468484A (en) * 2020-11-24 2021-03-09 山西三友和智慧信息技术股份有限公司 Internet of things equipment infection detection method based on abnormity and reputation
CN113449782A (en) * 2021-06-18 2021-09-28 中电积至(海南)信息技术有限公司 CDN (content delivery network) hosting node detection method based on graph semi-supervised classification
CN113449782B (en) * 2021-06-18 2022-05-24 中电积至(海南)信息技术有限公司 CDN (content delivery network) hosting node detection method based on graph semi-supervised classification
CN114244580A (en) * 2021-11-29 2022-03-25 北京华清信安科技有限公司 Graphic analysis and recognition method for internet botnet

Also Published As

Publication number Publication date
CN110177123B (en) 2020-09-18

Legal Events

Date Code Title Description
PB01 Publication
CB03 Change of inventor or designer information

Inventor after: Zhang Xiaosong

Inventor after: Niu Weina

Inventor after: Xiong Zhipeng

Inventor after: Xie Xin

Inventor after: Jiang Tianyu

Inventor after: Ge Honglin

Inventor before: Zhang Xiaosong

Inventor before: Niu Weina

Inventor before: Xiong Zhipeng

Inventor before: Xie Xin

Inventor before: Jiang Tianyu

Inventor before: Ge Honglin

SE01 Entry into force of request for substantive examination
GR01 Patent grant