CN110401614A - Source tracing method and device for malicious domain names - Google Patents
- Publication number: CN110401614A (application CN201810371587.5A)
- Authority: CN (China)
- Prior art keywords: domain name, address, terminal, log, malicious domain
- Prior art date
- Legal status: Granted
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks; H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
- H04L61/00—Network arrangements, protocols or services for addressing or naming; H04L61/45—Network directories; Name-to-address mapping; H04L61/4505—using standardised directories or standardised directory access protocols; H04L61/4511—using the domain name system [DNS]
- H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—for detecting or protecting against malicious traffic; H04L63/1408—by monitoring network traffic; H04L63/1416—Event detection, e.g. attack signature detection; H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic; H04L63/1483—service impersonation, e.g. phishing, pharming or web spoofing
Abstract
Embodiments of this application disclose a source tracing method and device for malicious domain names. After determining that the domain name of the URL a terminal requests is a malicious domain name, the method obtains the DNS log, NAT log and Remote Authentication Dial-In User Service (RADIUS) log of that malicious domain name. From the determined malicious domain name and these three logs it obtains the network cascade information of the malicious domain name, which includes the correspondence between the malicious domain name and a public IP address, the correspondence between that public IP address and an internal IP address, and the correspondence between that internal IP address and a terminal identifier, the terminal identifier being the identifier of the terminal that requested the malicious domain name. It then sends alarm indication information to the terminal according to the cascade information. The scheme can trace the identifier of the terminal that accessed the malicious domain name, trigger the terminal to filter the malicious domain name itself, and improve the user experience.
Description
Technical field
This application relates to the field of network information security, and in particular to a source tracing method and device for malicious domain names.
Background technique
Malicious domain names are currently a popular method of network attack: they are used to imitate legitimate websites, help viruses and trojans spread quickly, steal sensitive user information, fetch attack instructions from hackers, and so on, seriously affecting users' normal use of the network.
Existing malicious domain name detection systems rely on data mining and cloud analysis: they collect a large number of domain name requests, analyse and mine features such as the registration site of the domain name, its length and the frequency with which it is requested in order to mark malicious domain names, and then have the network equipment and security equipment on the network side filter the malicious domain names (for example by blocking them in advance) so that users cannot access them.
However, after the detection system filters a malicious domain name, the user side does not know why the domain name cannot be accessed; that is, the user does not know that the requested domain name is malicious, which results in a poor user experience.
Summary of the invention
Embodiments of this application provide a source tracing method and device for malicious domain names. The scheme can trace the terminal that accessed a malicious domain name, trigger the terminal to filter the malicious domain name itself, and improve the user experience.
In a first aspect, a source tracing method for malicious domain names is provided. The method may include:
determining that the domain name of the Uniform Resource Locator (URL) a terminal requests is a malicious domain name;
obtaining the system logs of the malicious domain name, where the system logs include a Domain Name System (DNS) log, a Network Address Translation (NAT) log and a Remote Authentication Dial-In User Service (RADIUS) log; the DNS log records the preset correspondence between domain names and public Internet Protocol (IP) addresses, the NAT log records first access information, namely terminals accessing public IP addresses through internal IP addresses, and the RADIUS log records second access information, namely terminals accessing internal IP addresses;
obtaining the network cascade information of the malicious domain name from the malicious domain name, the DNS log, the NAT log and the RADIUS log, where the cascade information includes the correspondence between the malicious domain name and a public IP address, the correspondence between the public IP address and an internal IP address in the first access information, and the correspondence between the internal IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested the malicious domain name; and
querying the cascade information to obtain the terminal identifier of the terminal.
It can be seen that, through the cascade relationship between the malicious domain name and the DNS, NAT and RADIUS logs collected in real time, the session path of the terminal is obtained step by step, the terminal in the home network that accessed the malicious domain name is traced, and the terminal is triggered to filter the malicious domain name itself, which improves the user experience.
In an optional implementation, obtaining the network cascade information of the malicious domain name from the malicious domain name, the DNS log, the NAT log and the RADIUS log includes:
obtaining the public IP address corresponding to the malicious domain name from the DNS log and the malicious domain name;
obtaining the internal IP address corresponding to the public IP address from the NAT log and the public IP address; and
obtaining the terminal identifier of the terminal corresponding to the internal IP address from the RADIUS log and the internal IP address.
This is the specific process by which the server obtains the cascade information through log analysis in order to trace the source.
In an optional implementation, the method further includes sending alarm indication information to the terminal according to the terminal identifier, to indicate that the domain name of the URL the terminal requested is a malicious domain name and to prompt the terminal whether to continue accessing the URL.
It can be seen that the scheme can alert the terminal before it accesses the malicious domain name, so that the malicious domain name is filtered at the source.
In an optional implementation, determining that the domain name of the URL the terminal requests is a malicious domain name includes:
obtaining the domain name to be detected from the URL the terminal requests;
matching the domain name to be detected against the preset malicious domain names; and
if the match succeeds, determining that the domain name to be detected is a malicious domain name.
This is one way for the server to determine malicious domain names.
In an optional implementation, the method further includes storing the malicious domain name for use when the domain name is subsequently accessed.
In a second aspect, a source tracing device is provided. The device may include a determination unit, an acquiring unit and a query unit:
the determination unit is configured to determine that the domain name of the URL a terminal requests is a malicious domain name;
the acquiring unit is configured to obtain the system logs of the malicious domain name, where the system logs include a DNS log, a NAT log and a RADIUS log; the DNS log records the preset correspondence between domain names and public IP addresses, the NAT log records first access information, namely terminals accessing public IP addresses through internal IP addresses, and the RADIUS log records second access information, namely terminals accessing internal IP addresses; the acquiring unit is further configured to obtain the network cascade information of the malicious domain name from the malicious domain name, the DNS log, the NAT log and the RADIUS log, where the cascade information includes the correspondence between the malicious domain name and a public IP address, the correspondence between the public IP address and an internal IP address in the first access information, and the correspondence between the internal IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested the malicious domain name;
the query unit is configured to query the cascade information to obtain the terminal identifier of the terminal.
In an optional implementation, the acquiring unit is specifically configured to:
obtain the public IP address corresponding to the malicious domain name from the DNS log and the malicious domain name;
obtain the internal IP address corresponding to the public IP address from the NAT log and the public IP address; and
obtain the terminal identifier of the terminal corresponding to the internal IP address from the RADIUS log and the internal IP address.
In an optional implementation, the device further includes a transmission unit configured to send alarm indication information to the terminal according to the terminal identifier, to indicate that the domain name of the URL the terminal requested is a malicious domain name and to prompt the terminal whether to continue accessing the URL.
In an optional implementation, the determination unit is specifically configured to:
obtain the domain name to be detected from the URL the terminal requests;
match the domain name to be detected against the preset malicious domain names; and
if the match succeeds, determine that the domain name to be detected is a malicious domain name.
In an optional implementation, the device further includes a storage unit configured to store the malicious domain name.
In a third aspect, an electronic device is provided, including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus; the memory is configured to store a computer program; and the processor, when executing the program stored in the memory, implements any of the method steps of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements any of the method steps of the first aspect.
The technical solution of the embodiments of the present invention, after determining that the domain name of the URL the terminal requests is a malicious domain name, obtains the Domain Name System (DNS) log, Network Address Translation (NAT) log and Remote Authentication Dial-In User Service (RADIUS) log of the malicious domain name, where the DNS log records the preset mapping between domain names and public Internet Protocol (IP) addresses, the NAT log records first access information (terminals accessing public IP addresses through internal IP addresses) and the RADIUS log records second access information (terminals accessing internal IP addresses). From the determined malicious domain name and these three logs it obtains the network cascade information of the malicious domain name, which includes the correspondence between the malicious domain name and a public IP address, the correspondence between the public IP address and an internal IP address in the first access information, and the correspondence between the internal IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested the URL. It then queries the obtained cascade information to obtain the terminal identifier and sends alarm indication information to the terminal according to the cascade information. The scheme can trace the identifier of the terminal that accessed the malicious domain name, trigger the terminal to filter the malicious domain name itself, and improve the user experience.
Detailed description of the invention
Fig. 1 is a schematic diagram of a system architecture to which the source tracing method for malicious domain names provided in an embodiment of the present invention applies;
Fig. 2 is a schematic flow diagram of a source tracing method for malicious domain names provided in an embodiment of the present invention;
Fig. 3 is a schematic flow diagram of another source tracing method for malicious domain names provided in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a source tracing device provided in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings of the embodiments. Clearly, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the protection scope of this application.
The source tracing method for malicious domain names provided by this application applies to the system architecture shown in Fig. 1, which may include a network server running in the public network (or external network), hereinafter referred to as the server, and a terminal running in a home network. The source tracing method may be applied on the server. The terminal may also run in other network environments, such as an enterprise network; this application is described with the terminal running in a home network.
To improve the accuracy of source tracing, the server may be a network server with strong computing capability.
The terminal may also be called user equipment (UE), a mobile station (MS), a mobile terminal, etc. It has the ability to communicate with one or more core networks through a radio access network (RAN); for example, the terminal may be a mobile phone (or "cellular" phone), a notebook computer, a digital broadcast receiver, a personal digital assistant (PDA), a tablet computer (PAD), a portable media player (PMP), a navigation device, etc.
Compared with the prior art, existing malicious domain name detection methods lack unified log analysis and precise source tracing, so that after the network side filters a malicious domain name, users of the home network are not aware of it and may later keep trying to access the domain name, which reduces the user experience. This application instead determines the malicious domain name, performs big data analysis on the Domain Name System (DNS) log, Network Address Translation (NAT) log and Remote Authentication Dial-In User Service (RADIUS) log collected in real time to obtain the network cascade information of the malicious domain name, and queries the session path of the user step by step on the basis of that cascade information. Once the terminal identifier in the home network has been traced precisely, alarm indication information is pushed through the home network to the target terminal corresponding to that identifier, indicating that the domain name the target terminal is about to visit is malicious; the malicious domain name is thus filtered on the terminal side, that is, at the source. The terminal identifier may be the broadband account of the home network.
The DNS log records the mapping between the domain names terminals access and public Internet Protocol (IP) addresses. Domain names let users access the Internet more conveniently, without having to remember the numeric IP address strings that machines read directly. For example, the IP address of Microsoft's web server is 207.46.230.229 and the corresponding domain name is www.microsoft.com; whether the user types 207.46.230.229 or www.microsoft.com into the browser, Microsoft's website is reached.
The NAT log records first access information, namely terminals accessing public IP addresses through internal IP addresses; the first access information includes the mapping between public IP addresses and internal IP addresses. More precisely, the NAT log records the mapping between a public IP address and its port and an internal IP address and its port, so that the NAT log allows conversion between internal IP addresses and public IP addresses in both directions. For example, four internal IP addresses IP1 to IP4 are mapped to one external IP address IP5 with the following mapping: (IP1, Port1) maps to (IP5, Port1); (IP2, Port1) maps to (IP5, Port2); (IP3, Port2) maps to (IP5, Port3); (IP4, Port2) maps to (IP5, Port4), where Port1 to Port4 denote ports 1 to 4.
The RADIUS log records second access information, namely terminals accessing internal IP addresses; the second access information includes the mapping between internal IP addresses and the terminal identifiers of the accessing terminals. More precisely, the RADIUS log records the mapping between an internal IP address, its port and the terminal identifier of the accessing terminal. When the terminal identifier is the broadband account of the home network, terminal identifiers and internal IP addresses map one to one.
Through identification of the malicious domain name, step-by-step tracing of the terminal's session, and delivery of alarm indication information to the terminal, this application forms a complete closed loop that lets the terminal filter the malicious domain name itself, so that access to the malicious domain name is better avoided from the user side.
Preferred embodiments of this application are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here are only intended to illustrate and explain the present invention and not to limit it, and that, in the absence of conflict, the embodiments of this application and the features in the embodiments may be combined with one another.
Fig. 2 is a schematic flow diagram of a source tracing method for malicious domain names provided in an embodiment of the present invention. As shown in Fig. 2, the method may be executed by a server and may include:
Step 210: determine that the domain name of the Uniform Resource Locator (URL) the terminal requests is a malicious domain name.
A URL is a concise representation of the location of a resource available on the Internet and of the method for accessing it; it is the address of a standard resource on the Internet. Every file on the Internet has a unique URL.
The server may obtain the domain name to be detected from the URL the terminal requests;
match the domain name to be detected against the preset malicious domain names;
if the match succeeds, determine that the domain name to be detected is a malicious domain name;
if the match fails, determine that the domain name to be detected is legitimate and let the terminal access it normally.
Optionally, the server may obtain the domain name to be detected from the URL the terminal requests;
obtain the malicious IP addresses marked by an intrusion prevention system (IPS), and obtain the public IP address of the domain name to be detected from the mapping between public IP addresses and domain names recorded in the DNS log, where a malicious IP address is an IP address with attack characteristics, and the IPS can grade the severity of the corresponding malicious domain name according to the number of attacks from the IP address, the attack frequency and the severity of the attack behaviour;
the server matches the malicious IP addresses marked by the IPS against the IP address of the domain name to be detected;
if the match succeeds, determine that the domain name to be detected is a malicious domain name;
if the match fails, determine that the domain name to be detected is legitimate and let the terminal access it normally.
Optionally, the server stores the malicious domain names it has determined.
The preset malicious domain names may be stored in a preset malicious domain name library or malicious domain name table. To avoid gaps in the defence against malicious domain names, the contents of the library or table should in principle only grow, never shrink. When server storage is tight, records older than a set time may be cleaned up, or an IP address registered as corresponding to a malicious domain name may be deleted from the table if no attack characteristics are observed from it again within the set time.
Besides the server identifying malicious domain names as described above, the table may be extended by crawling for domain names that host trojans, by extracting domain names from public spam databases, or by downloading existing malicious domain names from the Internet, such as the malicious domain name lists that specialised security organisations update regularly.
Note that the preset malicious domain name library or table may also store malicious IP addresses.
Step 220: obtain the system logs of the malicious domain name; the system logs include the DNS log, the NAT log and the RADIUS log.
Note that the server collects the system logs of all domain names in real time, selects the system logs of the malicious domain name and parses them to obtain the DNS, NAT and RADIUS logs of that domain name. The DNS log records the mapping between the domain names terminals access and public IP addresses, the NAT log records the first access information (terminals accessing public IP addresses through internal IP addresses), and the RADIUS log records the second access information (terminals accessing internal IP addresses).
Step 230: obtain the network cascade information of the malicious domain name from the malicious domain name, the DNS log, the NAT log and the RADIUS log.
The cascade information includes the correspondence between the malicious domain name and a public IP address, the correspondence between the public IP address and an internal IP address in the first access information, and the correspondence between the internal IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested the malicious domain name.
The server obtains the public IP address corresponding to the malicious domain name from the DNS log and the malicious domain name;
obtains the internal IP address corresponding to that public IP address from the NAT log and the obtained public IP address;
obtains the terminal identifier of the terminal corresponding to that internal IP address from the RADIUS log and the obtained internal IP address.
For example, the terminal requests URL1 and the server identifies the malicious domain name of URL1 as 192.163.xxx.xx. Querying the DNS log gives IP1 as the public IP address corresponding to the malicious domain name; querying the NAT log with IP1 gives IP2 as the internal IP address corresponding to IP1; querying the RADIUS log with IP2 gives UE1 as the terminal identifier corresponding to IP2.
Step 240: send alarm indication information to the terminal according to the cascade information.
The server queries step by step the public IP address corresponding to the malicious domain name, the internal IP address corresponding to that public IP address, and the terminal identifier of the terminal corresponding to that internal IP address, and so obtains the terminal identifier of the terminal.
Further, according to the terminal identifier, the server sends alarm indication information to the terminal, to indicate that the domain name of the URL the terminal requested is a malicious domain name and to prompt the terminal whether to continue accessing the URL. The server may push the alarm indication information through the home network platform to the home network app in order to filter the malicious domain name.
The alarm indication information may be delivered to the terminal as a prompt box containing the indication that the URL the terminal requested is a malicious domain name and "Yes" and "No" buttons asking whether the terminal wants to continue accessing the URL.
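The following is an added example, not code from the patent, that carries Steps 210 to 240 through on constructed sample logs, including the port-based NAT mapping described earlier (IP1 to IP4 sharing IP5) and both detection variants (preset table and IPS-marked addresses). The page does not spell out the record fields, so the NAT record is assumed to carry the destination public address as part of the "first access information"; all names, addresses and log records are made up for the example.

```python
"""Added example (not from the patent): chain DNS -> NAT -> RADIUS logs to find
which terminal requested a malicious domain name, then build the alarm
indication for it.  All records below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class DnsRecord:          # domain name -> public IP it resolved to
    domain: str
    public_ip: str


@dataclass(frozen=True)
class NatRecord:          # the page's "first access information"
    private_ip: str       # internal (Intranet) address of the terminal
    private_port: int
    nat_ip: str           # shared public address assigned by the NAT
    nat_port: int
    dst_ip: str           # public IP the terminal connected to (assumed field)


@dataclass(frozen=True)
class RadiusRecord:       # the page's "second access information"
    private_ip: str
    terminal_id: str      # e.g. the home-network broadband account


# Constructed sample logs.  Four internal hosts share one public address
# 192.0.2.5 on distinct NAT ports, like IP1..IP4 -> IP5 in the page's example.
DNS_LOG = [DnsRecord("evil.example", "203.0.113.10"),
           DnsRecord("news.example", "198.51.100.7")]
NAT_LOG = [NatRecord("10.0.0.1", 40001, "192.0.2.5", 1, "203.0.113.10"),
           NatRecord("10.0.0.2", 40001, "192.0.2.5", 2, "198.51.100.7"),
           NatRecord("10.0.0.3", 40002, "192.0.2.5", 3, "203.0.113.10"),
           NatRecord("10.0.0.4", 40002, "192.0.2.5", 4, "198.51.100.7")]
RADIUS_LOG = [RadiusRecord("10.0.0.1", "UE1"), RadiusRecord("10.0.0.2", "UE2"),
              RadiusRecord("10.0.0.3", "UE3"), RadiusRecord("10.0.0.4", "UE4")]
BLOCKLIST: Set[str] = {"evil.example"}      # preset malicious domain name table
IPS_BAD_IPS: Set[str] = {"203.0.113.10"}    # addresses marked by the IPS


def resolve(domain: str, dns_log: List[DnsRecord]) -> Optional[str]:
    """DNS log lookup: the public IP address a domain name maps to."""
    for rec in dns_log:
        if rec.domain == domain:
            return rec.public_ip
    return None


def is_malicious(domain: str, dns_log=DNS_LOG, blocklist=BLOCKLIST,
                 ips_bad_ips=IPS_BAD_IPS) -> bool:
    """Step 210, both variants: preset-table match, or the domain's public
    IP taken from the DNS log is one the IPS marked as malicious."""
    if domain in blocklist:
        return True
    ip = resolve(domain, dns_log)
    return ip is not None and ip in ips_bad_ips


def trace(domain: str, dns_log=DNS_LOG, nat_log=NAT_LOG,
          radius_log=RADIUS_LOG) -> List[Dict[str, str]]:
    """Steps 220-230: walk the cascade and return one record per terminal
    that reached the malicious domain's public IP address."""
    public_ip = resolve(domain, dns_log)
    if public_ip is None:
        return []
    # NAT log: the NAT public address is shared by many hosts, so keying on
    # nat_ip alone would return all four; the destination (or the NAT port)
    # has to be part of the key to single out the hosts that talked to it.
    hits = [r for r in nat_log if r.dst_ip == public_ip]
    # RADIUS log: internal IP -> terminal identifier (one-to-one for
    # broadband accounts, as the page states).
    account_of = {r.private_ip: r.terminal_id for r in radius_log}
    chain = []
    for nat in hits:
        tid = account_of.get(nat.private_ip)
        if tid is None:
            continue   # no RADIUS session for this address: do not guess
        chain.append({"domain": domain, "public_ip": public_ip,
                      "nat": f"{nat.nat_ip}:{nat.nat_port}",
                      "private_ip": nat.private_ip, "terminal_id": tid})
    return chain


def build_alarm(url: str, hop: Dict[str, str]) -> Dict[str, object]:
    """Step 240: alarm indication pushed to the terminal, with the Yes/No prompt."""
    return {"terminal_id": hop["terminal_id"], "url": url,
            "domain": hop["domain"],
            "message": "The domain name of the requested URL is malicious. "
                       "Continue to access it?",
            "options": ["Yes", "No"]}


def handle_reply(reply: str) -> str:
    """Steps 306 / 307 of Fig. 3: the terminal's answer decides allow or refuse."""
    return "allow" if reply == "Yes" else "refuse"
```

Run `trace("evil.example")` to see that two terminals (UE1 and UE3) behind the same NAT address reached the malicious domain, which is why the page's single IP1 to IP2 hop only works when the NAT record is keyed on more than the public address.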
In one example, Fig. 3 shows another source tracing method for malicious domain names provided in an embodiment of the present invention. The method is executed by a server and may include:
Step 301: obtain the domain name A to be detected from URL1 requested by the terminal.
Step 302: match domain name A against the malicious domain names in the preset malicious domain name library; if the match succeeds, go to step 303; if it fails, go to step 306.
Step 303: determine that domain name A is a malicious domain name.
Step 304: analyse the DNS log, NAT log and RADIUS log of domain name A to obtain the network cascade information corresponding to domain name A.
Step 305: send alarm indication information to the terminal according to the terminal identifier in the cascade information.
If the terminal confirms that it wants to continue accessing the URL, go to step 306; if the terminal confirms that it does not, go to step 307.
Step 306: allow the terminal to access the URL normally.
Step 307: refuse the terminal access to the URL.
It can be seen that the source tracing method of the embodiment of the present invention, after determining that the domain name of the Uniform Resource Locator (URL) the terminal requests is a malicious domain name, obtains the Domain Name System (DNS) log, Network Address Translation (NAT) log and Remote Authentication Dial-In User Service (RADIUS) log of the malicious domain name; obtains the network cascade information of the malicious domain name from the determined malicious domain name and these three logs, the cascade information including the correspondence between the malicious domain name and a public IP address, the correspondence between the public IP address and an internal IP address, and the correspondence between the internal IP address and a terminal identifier, the terminal identifier being the identifier of the terminal that requested the URL; and then sends alarm indication information to the terminal according to the cascade information. The scheme can trace the identifier of the terminal that accessed the malicious domain name, trigger the terminal to filter the malicious domain name itself, and improve the user experience.
Corresponding to the above method, the embodiment of the present invention also provides a source tracing device. As shown in Figure 4, the source tracing device may include: a determination unit 410, an acquiring unit 420 and a query unit 430;
the determination unit 410 is configured to determine that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name;
the acquiring unit 420 is configured to obtain the system logs of the malicious domain name, where the system logs include a domain name system (DNS) log, a network address translation (NAT) log and a remote authentication dial-in user service (Radius) log; the DNS log records the mapping relationship by which a terminal accesses a domain name through a public network Internet Protocol (IP) address, the NAT log records first access information of a terminal accessing a public network IP address through an intranet IP address, and the Radius log records second access information of a terminal accessing an intranet IP address;
and, based on the malicious domain name, the DNS log, the NAT log and the Radius log, to obtain the cascade information of the malicious domain name, where the cascade information includes the correspondence between the malicious domain name and the public network IP address, the correspondence between the public network IP address and the intranet IP address in the first access information, and the correspondence between the intranet IP address and the terminal identification in the second access information, the terminal identification being the identification of the terminal that requests access to the malicious domain name;
the transmission unit 430 is configured to send alarm indication information to the terminal according to the cascade information, so as to indicate to the terminal that the domain name of the URL it requested to access is a malicious domain name, and to prompt the terminal whether to continue accessing the URL.
Optionally, the acquiring unit 420 is specifically configured to:
obtain, based on the DNS log and the malicious domain name, the public network IP address corresponding to the malicious domain name;
obtain, based on the NAT log and the public network IP address, the intranet IP address corresponding to the public network IP address;
obtain, based on the Radius log and the intranet IP address, the terminal identification of the terminal corresponding to the intranet IP address.
Optionally, the transmission unit 430 is specifically configured to send the alarm indication information to the terminal according to the terminal identification in the cascade information.
Optionally, the determination unit 410 is specifically configured to:
obtain the domain name to be detected of the URL that the terminal requests to access;
match the domain name to be detected against the preset malicious domain names;
if the match succeeds, determine that the domain name to be detected is a malicious domain name.
Optionally, the device further includes a storage unit 440;
the storage unit 440 is configured to store the malicious domain name.
The source tracing device of the embodiment of the present invention, after determining that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name, obtains the domain name system (DNS) log, the network address translation (NAT) log and the remote authentication dial-in user service (Radius) log associated with the malicious domain name; based on the determined malicious domain name and the above three kinds of logs, it obtains the cascade information of the malicious domain name, where the cascade information includes the correspondence between the malicious domain name and the public network IP address, the correspondence between the public network IP address and the intranet IP address, and the correspondence between the intranet IP address and the terminal identification, the terminal identification being the identification of the terminal that requested access to the URL; then, according to the cascade information, it sends alarm indication information to the terminal. This scheme can trace the identification of the terminal that accessed the malicious domain name and trigger the terminal to actively filter the malicious domain name, which improves user experience.
The embodiment of the present invention also provides an electronic device. As shown in Figure 5, it includes a processor 510, a communication interface 520, a memory 530 and a communication bus 540, where the processor 510, the communication interface 520 and the memory 530 communicate with one another through the communication bus 540.
The memory 530 is configured to store a computer program;
the processor 510, when executing the program stored in the memory 530, implements the following steps:
determining that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name;
obtaining the system logs associated with the malicious domain name, where the system logs include a domain name system (DNS) log, a network address translation (NAT) log and a remote authentication dial-in user service (Radius) log; the DNS log records the mapping relationship by which a terminal accesses a domain name through a public network Internet Protocol (IP) address, the NAT log records first access information of a terminal accessing a public network IP address through an intranet IP address, and the Radius log records second access information of a terminal accessing an intranet IP address;
based on the malicious domain name, the DNS log, the NAT log and the Radius log, obtaining the cascade information of the malicious domain name, where the cascade information includes the correspondence between the malicious domain name and the public network IP address, the correspondence between the public network IP address and the intranet IP address in the first access information, and the correspondence between the intranet IP address and the terminal identification in the second access information, the terminal identification being the identification of the terminal that requests access to the malicious domain name;
according to the cascade information, sending alarm indication information to the terminal, so as to indicate to the terminal that the domain name of the URL it requested to access is a malicious domain name, and to prompt the terminal whether to continue accessing the URL.
Optionally, obtaining the network cascade information of the malicious domain name based on the malicious domain name, the DNS log, the NAT log and the Radius log includes:
obtaining, based on the DNS log and the malicious domain name, the public network IP address corresponding to the malicious domain name;
obtaining, based on the NAT log and the public network IP address, the intranet IP address corresponding to the public network IP address;
obtaining, based on the Radius log and the intranet IP address, the terminal identification of the terminal corresponding to the intranet IP address.
Optionally, the processor 510 is further configured to send the alarm indication information to the terminal according to the terminal identification in the cascade information.
Optionally, determining that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name includes:
obtaining the domain name to be detected of the URL that the terminal requests to access;
matching the domain name to be detected against the preset malicious domain names;
if the match succeeds, determining that the domain name to be detected is a malicious domain name.
Optionally, the processor 510 is further configured to store the malicious domain name.
The communication bus mentioned above may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one thick line is used in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (RAM), and may also include non-volatile memory (NVM), for example at least one magnetic disk storage. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
Since the implementation and beneficial effects of each component of the electronic device in the above embodiment can refer to the steps in the embodiment shown in Figure 2, the specific working process and beneficial effects provided by the embodiment of the present invention are not repeated here.
In another embodiment provided by the present invention, a computer-readable storage medium is also provided. Instructions are stored in the computer-readable storage medium, and when they run on a computer, they cause the computer to execute the source tracing method described in any of the above embodiments.
In another embodiment provided by the present invention, a computer program product containing instructions is also provided, which, when run on a computer, causes the computer to execute the source tracing method described in any of the above embodiments.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the embodiments of the present application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The embodiments of the present application are described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although the preferred embodiments of the present application have been described, those skilled in the art, once they know the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if these modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include these modifications and variations.
Claims (12)
1. A source tracing method for a malicious domain name, characterized in that the method includes:
determining that the domain name of the uniform resource locator (URL) that a terminal requests to access is a malicious domain name;
obtaining system logs associated with the malicious domain name, where the system logs include a domain name system (DNS) log, a network address translation (NAT) log and a remote authentication dial-in user service log; the DNS log records the mapping relationship by which a terminal accesses a domain name through a public network Internet Protocol (IP) address, the NAT log records first access information of a terminal accessing a public network IP address through an intranet IP address, and the Radius log records second access information of a terminal accessing an intranet IP address;
based on the malicious domain name, the DNS log, the NAT log and the remote authentication dial-in user service log, obtaining cascade information of the malicious domain name, where the cascade information includes the mapping relationship between the malicious domain name and the public network IP address, the correspondence between the public network IP address and the intranet IP address in the first access information, and the correspondence between the intranet IP address and the terminal identification in the second access information, the terminal identification being the identification of the terminal that requests access to the malicious domain name;
according to the cascade information, sending alarm indication information to the terminal, so as to indicate to the terminal that the domain name of the URL it requested to access is a malicious domain name, and to prompt the terminal whether to continue accessing the URL.
2. The method according to claim 1, characterized in that obtaining the cascade information corresponding to the malicious domain name based on the malicious domain name, the DNS log, the NAT log and the remote authentication dial-in user service log includes:
obtaining, based on the DNS log and the malicious domain name, the public network IP address corresponding to the malicious domain name;
obtaining, based on the NAT log and the public network IP address, the intranet IP address corresponding to the public network IP address;
obtaining, based on the remote authentication dial-in user service log and the intranet IP address, the terminal identification of the terminal corresponding to the intranet IP address.
3. The method according to claim 2, characterized in that sending the alarm indication information to the terminal according to the cascade information includes:
sending the alarm indication information to the terminal according to the terminal identification in the cascade information.
4. The method according to claim 1, characterized in that determining that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name includes:
obtaining the domain name to be detected of the URL that the terminal requests to access;
matching the domain name to be detected against the preset malicious domain names;
if the match succeeds, determining that the domain name to be detected is a malicious domain name.
5. The method according to claim 3, characterized in that the method further includes:
storing the malicious domain name.
6. A source tracing device, characterized in that the device includes:
a determination unit, configured to determine that the domain name of the uniform resource locator (URL) that a terminal requests to access is a malicious domain name;
an acquiring unit, configured to obtain the system logs of the malicious domain name, where the system logs include a DNS log, a NAT log and a remote authentication dial-in user service log; the DNS log records a preset correspondence between a domain name and a public network Internet Protocol (IP) address, the NAT log records first access information of a terminal accessing a public network IP address through an intranet IP address, and the remote authentication dial-in user service log records second access information of a terminal accessing an intranet IP address;
and, based on the malicious domain name, the DNS log, the NAT log and the remote authentication dial-in user service log, to obtain the cascade information of the malicious domain name, where the cascade information includes the correspondence between the malicious domain name and the public network IP address, the correspondence between the public network IP address and the intranet IP address in the first access information, and the correspondence between the intranet IP address and the terminal identification in the second access information, the terminal identification being the identification of the terminal that requests access to the malicious domain name;
a query unit, configured to query the cascade information to obtain the terminal identification of the terminal.
7. The device according to claim 6, characterized in that the acquiring unit is specifically configured to:
obtain, based on the DNS log and the malicious domain name, the public network IP address corresponding to the malicious domain name;
obtain, based on the NAT log and the public network IP address, the intranet IP address corresponding to the public network IP address;
obtain, based on the remote authentication dial-in user service log and the intranet IP address, the terminal identification of the terminal corresponding to the intranet IP address.
8. The device according to claim 6, characterized in that the device further includes a transmission unit;
the transmission unit is configured to send alarm indication information to the terminal according to the terminal identification, so as to indicate to the terminal that the domain name of the URL it requested to access is a malicious domain name, and to prompt the terminal whether to continue accessing the URL.
9. The device according to claim 6, characterized in that the determination unit is specifically configured to:
obtain the domain name to be detected of the URL that the terminal requests to access;
match the domain name to be detected against the preset malicious domain names;
if the match succeeds, determine that the domain name to be detected is a malicious domain name.
10. The device according to claim 8, characterized in that the device further includes a storage unit;
the storage unit is configured to store the malicious domain name.
11. An electronic device, characterized in that the electronic device includes a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
the processor, when executing the program stored in the memory, implements the method steps of any one of claims 1-5.
12. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the method steps of any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810371587.5A CN110401614B (en) | 2018-04-24 | 2018-04-24 | Malicious domain name tracing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110401614A true CN110401614A (en) | 2019-11-01 |
CN110401614B CN110401614B (en) | 2021-08-13 |
Family
ID=68320370
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||