CN110401614A - Source tracing method and device for malicious domain names - Google Patents

Source tracing method and device for malicious domain names

Publication number: CN110401614A
Authority: CN (China)
Prior art keywords: domain name, address, terminal, log, malicious domain
Legal status: Granted
Application number: CN201810371587.5A
Other languages: Chinese (zh)
Other versions: CN110401614B (en)
Inventor: 吴君轶
Current assignee: Zhongchang (hangzhou) Information Technology Co Ltd; China Mobile Communications Group Co Ltd
Original assignee: Zhongchang (hangzhou) Information Technology Co Ltd; China Mobile Communications Group Co Ltd
Events:
Application filed by Zhongchang (hangzhou) Information Technology Co Ltd and China Mobile Communications Group Co Ltd
Priority to CN201810371587.5A
Publication of CN110401614A
Application granted
Publication of CN110401614B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; name-to-address mapping
    • H04L 61/4505 Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols using the domain name system [DNS]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

Embodiments of the present application disclose a source tracing method and device for malicious domain names. After determining that the domain name of the URL a terminal requests to access is a malicious domain name, the source tracing method obtains the DNS log, NAT log and Remote Authentication Dial-In User Service (RADIUS) log for that malicious domain name. Based on the determined malicious domain name and the three logs, it obtains the network cascade information of the malicious domain name, which comprises the correspondence between the malicious domain name and a public IP address, the correspondence between that public IP address and an intranet IP address, and the correspondence between that intranet IP address and a terminal identifier, the terminal identifier being the identifier of the terminal that requested access to the malicious domain name. Alarm indication information is then sent to the terminal according to the cascade information. The scheme can trace the terminal identifier that accessed the malicious domain name back to its source and trigger the terminal to filter the malicious domain name itself, improving user experience.

Description

Source tracing method and device for malicious domain names
Technical field
This application relates to the field of network information security, and in particular to a source tracing method and device for malicious domain names.
Background
Malicious domain names are currently a popular means of network attack. They are commonly used to impersonate legitimate websites, to help viruses and Trojans spread quickly, to steal sensitive user information and to fetch attacker command instructions, seriously affecting users' normal use of the network.
Existing malicious-domain detection systems rely on data mining and cloud analysis: they collect large numbers of domain name requests, mine features such as the domain's registration information, its length and the frequency with which it is requested in order to label malicious domain names, and then filter those domain names (for example by blocking them in advance) at network-side network and security equipment so that users cannot reach them.
However, once the detection system has filtered a malicious domain name, the user side does not know why the domain name cannot be accessed, i.e. the user does not know that the requested domain name is malicious, which makes for a poor user experience.
Summary of the invention
Embodiments of the present application provide a source tracing method and device for malicious domain names that can trace the terminal accessing a malicious domain name back to its source and trigger that terminal to filter the malicious domain name itself, improving user experience.
In a first aspect, a source tracing method for malicious domain names is provided, which may include:
determining that the domain name of the uniform resource locator (URL) a terminal requests to access is a malicious domain name;
obtaining the system logs for the malicious domain name, the system logs comprising a Domain Name System (DNS) log, a Network Address Translation (NAT) log and a Remote Authentication Dial-In User Service (RADIUS) log, where the DNS log records the preset correspondence between domain names and public Internet Protocol (IP) addresses, the NAT log records first access information about terminals accessing public IP addresses through intranet IP addresses, and the RADIUS log records second access information about terminals accessing intranet IP addresses;
obtaining the network cascade information of the malicious domain name based on the malicious domain name, the DNS log, the NAT log and the RADIUS log, the cascade information comprising the correspondence between the malicious domain name and a public IP address, the correspondence between that public IP address and an intranet IP address in the first access information, and the correspondence between that intranet IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested access to the malicious domain name;
querying the cascade information to obtain the terminal identifier of the terminal.
It can be seen that, through the cascade relationship between the malicious domain name and the DNS, NAT and RADIUS logs collected in real time, the session path of the terminal is obtained step by step, the terminal in the home network that accessed the malicious domain name is traced, and the terminal is triggered to filter the malicious domain name itself, improving user experience.
In an optional implementation, obtaining the network cascade information of the malicious domain name based on the malicious domain name, the DNS log, the NAT log and the RADIUS log comprises:
obtaining the public IP address corresponding to the malicious domain name based on the DNS log and the malicious domain name;
obtaining the intranet IP address corresponding to that public IP address based on the NAT log and the public IP address;
obtaining the terminal identifier of the terminal corresponding to that intranet IP address based on the RADIUS log and the intranet IP address. This is the specific process by which the server obtains the cascade information through log analysis in order to perform source tracing.
In an optional implementation, the method further comprises: sending alarm indication information to the terminal according to the terminal identifier, indicating that the domain name of the URL the terminal requested is a malicious domain name and asking whether the terminal wishes to continue accessing the URL.
It can be seen that the scheme can alert the terminal before it accesses the malicious domain name, so that the malicious domain name is filtered at the source.
In an optional implementation, determining that the domain name of the URL the terminal requests to access is a malicious domain name comprises:
obtaining the domain name to be detected from the URL the terminal requests to access;
matching the domain name to be detected against preset malicious domain names;
if the match succeeds, determining that the domain name to be detected is a malicious domain name.
This is one way for the server to determine malicious domain names.
In an optional implementation, the method further comprises storing the malicious domain name for use when the domain name is subsequently accessed.
In a second aspect, a source tracing device is provided, comprising a determination unit, an acquisition unit and a query unit;
the determination unit is configured to determine that the domain name of the uniform resource locator (URL) a terminal requests to access is a malicious domain name;
the acquisition unit is configured to obtain the system logs for the malicious domain name, the system logs comprising a Domain Name System (DNS) log, a Network Address Translation (NAT) log and a Remote Authentication Dial-In User Service (RADIUS) log, where the DNS log records the preset correspondence between domain names and public Internet Protocol (IP) addresses, the NAT log records first access information about terminals accessing public IP addresses through intranet IP addresses, and the RADIUS log records second access information about terminals accessing intranet IP addresses;
and to obtain the network cascade information of the malicious domain name based on the malicious domain name, the DNS log, the NAT log and the RADIUS log, the cascade information comprising the correspondence between the malicious domain name and a public IP address, the correspondence between that public IP address and an intranet IP address in the first access information, and the correspondence between that intranet IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested access to the malicious domain name;
the query unit is configured to query the cascade information to obtain the terminal identifier of the terminal.
In an optional implementation, the acquisition unit is specifically configured to:
obtain the public IP address corresponding to the malicious domain name based on the DNS log and the malicious domain name;
obtain the intranet IP address corresponding to that public IP address based on the NAT log and the public IP address;
obtain the terminal identifier of the terminal corresponding to that intranet IP address based on the RADIUS log and the intranet IP address.
In an optional implementation, the device further comprises a sending unit;
the sending unit is configured to send alarm indication information to the terminal according to the terminal identifier, indicating that the domain name of the URL the terminal requested is a malicious domain name and asking whether the terminal wishes to continue accessing the URL.
In an optional implementation, the determination unit is specifically configured to:
obtain the domain name to be detected from the URL the terminal requests to access;
match the domain name to be detected against preset malicious domain names;
if the match succeeds, determine that the domain name to be detected is a malicious domain name.
In an optional implementation, the device further comprises a storage unit;
the storage unit is configured to store the malicious domain name.
In a third aspect, an electronic device is provided, comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is configured to store a computer program;
the processor, when executing the program stored in the memory, implements any of the method steps of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided that stores a computer program which, when executed by a processor, implements any of the method steps of the first aspect.
In the technical solution of embodiments of the present invention, after determining that the domain name of the uniform resource locator (URL) a terminal requests to access is a malicious domain name, the Domain Name System (DNS) log, Network Address Translation (NAT) log and Remote Authentication Dial-In User Service (RADIUS) log of that malicious domain name are obtained, where the DNS log records the preset mapping between domain names and public Internet Protocol (IP) addresses, the NAT log records first access information about terminals accessing public IP addresses through intranet IP addresses, and the RADIUS log records second access information about terminals accessing intranet IP addresses. Based on the determined malicious domain name and the three logs, the network cascade information of the malicious domain name is obtained, comprising the correspondence between the malicious domain name and a public IP address, the correspondence between that public IP address and an intranet IP address in the first access information, and the correspondence between that intranet IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested access to the URL. The obtained cascade information is then queried to obtain the terminal identifier, and alarm indication information is sent to the terminal accordingly. The scheme can trace the terminal identifier that accessed the malicious domain name back to its source and trigger the terminal to filter the malicious domain name itself, improving user experience.
Brief description of the drawings
Fig. 1 is a schematic diagram of a system architecture to which a source tracing method for malicious domain names provided in an embodiment of the present invention applies;
Fig. 2 is a flow diagram of a source tracing method for malicious domain names provided in an embodiment of the present invention;
Fig. 3 is a flow diagram of another source tracing method for malicious domain names provided in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a source tracing device provided in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention.
Detailed description of embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of this application.
The source tracing method for malicious domain names provided by the present application is applicable to the system architecture shown in Fig. 1, which may include a network server of the public network (or external network), hereinafter referred to as the server, and a terminal operating in a home network. The source tracing method may be applied on that server. The terminal may also operate in other network environments, such as a corporate network; the present application is described for a terminal operating in a home network.
To improve the accuracy of source tracing, the server may be a network server with relatively strong computing capability.
The terminal may also be referred to as User Equipment (UE), a Mobile Station (MS), a Mobile Terminal, etc. The terminal is able to communicate with one or more core networks through a Radio Access Network (RAN); for example, it may be a mobile phone (or "cellular" phone), a notebook computer, a digital broadcast receiver, a personal digital assistant (PDA), a tablet computer (PAD), a portable media player (PMP), a navigation device, etc.
Compared with the prior art, existing malicious-domain detection methods lack unified log analysis and precise source-tracing means, so that after the network side filters a malicious domain name, users of the home network are unaware of it and may continue trying to access the domain name later, degrading user experience. The present application instead takes the determined malicious domain name and performs big-data analysis over the Domain Name System (DNS) log, Network Address Translation (NAT) log and Remote Authentication Dial-In User Service (RADIUS) log collected in real time to obtain the cascade information of the malicious domain name, queries the user's session path step by step from that cascade information and, once the terminal identifier in the home network has been precisely traced, pushes alarm indication information through the home network to the target terminal corresponding to that identifier, indicating that the domain name the target terminal is about to access is malicious. The malicious domain name is thus filtered on the terminal side, i.e. at the source. The terminal identifier may be the broadband account of the home network.
The DNS log records the mapping by which a terminal accesses a domain name via a public Internet Protocol (IP) address. It allows users to reach the Internet conveniently without having to remember the numeric IP address strings that machines read directly. For example, the IP address of Microsoft's web server is given as 207.46.230.229 and the corresponding domain name is www.microsoft.com; whether the user types 207.46.230.229 or www.microsoft.com into the browser, Microsoft's web site is reached.
The NAT log records the first access information about a terminal accessing a public IP address through an intranet IP address. The first access information includes the mapping between public IP addresses and intranet IP addresses; more precisely, the NAT log records the mapping between (public IP address, public port) and (intranet IP address, intranet port), so that intranet IP addresses and public IP addresses can be converted into one another. For example, suppose four intranet IP addresses IP1 to IP4 are all mapped to one external IP address IP5, with the following mappings:
(IP1, Port1) is mapped to (IP5, Port1);
(IP2, Port1) is mapped to (IP5, Port2);
(IP3, Port2) is mapped to (IP5, Port3);
(IP4, Port2) is mapped to (IP5, Port4);
where Port1 to Port4 denote ports 1 to 4.
The RADIUS log records the second access information about a terminal accessing an intranet IP address. The second access information includes the mapping between intranet IP addresses and the terminal identifiers of the accessing terminals; more precisely, the RADIUS log records the mapping between (intranet IP address, intranet port) and the terminal identifier of the accessing terminal. When the terminal identifier is the broadband account of the home network, terminal identifiers and intranet IP addresses are in one-to-one correspondence.
Through identifying the malicious domain name, tracing the terminal's session step by step, and sending alarm indication information to the terminal, the present application closes the loop: the terminal actively filters the malicious domain name, so that access to it is avoided from the user side.
Preferred embodiments of the present application are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the present invention and are not intended to limit it, and that, where there is no conflict, the embodiments of the present application and the features of those embodiments may be combined with one another.
Fig. 2 is a flow diagram of a source tracing method for malicious domain names provided in an embodiment of the present invention. As shown in Fig. 2, the method may be executed by the server and may include:
Step 210: determine that the domain name of the uniform resource locator (URL) the terminal requests to access is a malicious domain name.
A uniform resource locator (URL) is a concise representation of the location of a resource obtainable from the Internet and of the method of accessing it, and is the address of a standard resource on the Internet. Every file on the Internet has a unique URL.
The server may obtain the domain name to be detected from the URL the terminal requests to access;
match the domain name to be detected against preset malicious domain names;
if the match succeeds, determine that the domain name to be detected is a malicious domain name.
If the match fails, the domain name to be detected is determined to be legitimate and the terminal is allowed to access it normally.
Optionally, the server may obtain the domain name to be detected from the URL the terminal requests to access;
obtain the malicious IP addresses marked by an intrusion prevention system (IPS), and obtain the public IP address of the domain name to be detected from the mapping between public IP addresses and domain names recorded in the DNS log. A malicious IP address is an IP address exhibiting attack characteristics; the IPS can grade the severity of the corresponding malicious domain name according to the number of attacks from the IP address, the attack frequency and the severity of the attack behaviour;
the server then matches the IPS-marked malicious IP addresses against the IP address of the domain name to be detected;
if the match succeeds, the domain name to be detected is determined to be a malicious domain name.
If the match fails, the domain name to be detected is determined to be legitimate and the terminal is allowed to access it normally.
Optionally, the server stores the determined malicious domain name.
Preset malicious domain names may be stored in a preset malicious-domain library or malicious-domain table. To avoid gaps in the defence against malicious domain names, the library or table in principle only grows and is not reduced.
If server storage is tight, records older than a set time may be purged, or an IP address registered as belonging to a malicious domain name may be deleted from the malicious-domain table if no attack characteristics are found for it again within a set time.
Besides the server identifying malicious domain names itself, further malicious domain names may be obtained by crawling for domains that host Trojans, by extracting domain names from public spam databases, or by downloading existing malicious domain names from the Internet, such as the regularly updated lists published by specialist security organisations.
Note that the preset malicious-domain library or table may also store malicious IP addresses.
Step 220: obtain the system logs for the malicious domain name, the system logs comprising the DNS log, the NAT log and the RADIUS log.
Note that the server collects the system logs of all domain names in real time, selects the system logs of the malicious domain name and parses them to obtain the DNS log, NAT log and RADIUS log of the malicious domain name. The DNS log records the mapping by which a terminal accesses a domain name via a public IP address, the NAT log records the first access information about a terminal accessing a public IP address through an intranet IP address, and the RADIUS log records the second access information about a terminal accessing an intranet IP address.
Step 230: obtain the network cascade information of the malicious domain name based on the malicious domain name, the DNS log, the NAT log and the RADIUS log.
The cascade information comprises the correspondence between the malicious domain name and a public IP address, the correspondence between that public IP address and an intranet IP address in the first access information, and the correspondence between that intranet IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested access to the malicious domain name.
The server obtains the public IP address corresponding to the malicious domain name based on the DNS log and the malicious domain name;
obtains the intranet IP address corresponding to that public IP address based on the NAT log and the obtained public IP address;
obtains the terminal identifier of the terminal corresponding to that intranet IP address based on the RADIUS log and the obtained intranet IP address.
For example, the terminal requests access to URL1 and the server identifies the malicious domain name of URL1 as 192.163.xxx.xx. Querying the DNS log yields the public IP address IP1 corresponding to the malicious domain name; querying the NAT log with IP1 yields the intranet IP address IP2 corresponding to IP1; querying the RADIUS log with IP2 yields the terminal identifier UE1 corresponding to IP2.
Step 240: send alarm indication information to the terminal according to the cascade information.
The server queries step by step: the public IP address corresponding to the malicious domain name, the intranet IP address corresponding to that public IP address, and the terminal identifier of the terminal corresponding to that intranet IP address, thereby obtaining the terminal identifier of the terminal.
Further, the server sends alarm indication information to the terminal according to the terminal identifier, indicating that the domain name of the URL the terminal requested is a malicious domain name and asking whether the terminal wishes to continue accessing the URL. The server may push the alarm indication information to the home network app through the home network platform in order to filter the malicious domain name.
The alarm indication information may be presented to the terminal as a prompt box containing an indication that the URL the terminal requested is a malicious domain name together with "Yes" and "No" buttons asking whether the terminal wishes to continue accessing the URL.
In one example, Fig. 3 shows another source tracing method for malicious domain names provided in an embodiment of the present invention. The method is executed by the server and may include:
Step 301: obtain the domain name A to be detected from the URL1 the terminal requests to access.
Step 302: match domain name A against the malicious domain names in the preset malicious-domain library; if the match succeeds, go to step 303; if it fails, go to step 306.
Step 303: determine that domain name A is a malicious domain name.
Step 304: analyse the DNS log, NAT log and RADIUS log of domain name A to obtain the network cascade information corresponding to domain name A.
Step 305: send alarm indication information to the terminal according to the terminal identifier in the cascade information.
If an indication is received that the terminal has chosen to continue accessing the URL, go to step 306.
If an indication is received that the terminal has chosen not to access the URL, go to step 307.
Step 306: allow the terminal to access the URL normally.
Step 307: refuse the terminal access to the URL.
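The cascade of steps 230 and 240 (and steps 301 to 307 above), worked through end to end as an added Python example. This is not the patent's own code; its log line formats, sample records and names are all constructed here and labelled as such. Two things it makes concrete that the text leaves loose: the NAT join is performed on the destination address of the session plus a time window after the DNS resolution, because the translated public source address is shared by every subscriber behind the NAT and cannot by itself single out one of them; and the RADIUS join checks that the accounting session actually held the intranet address at the time of the session, since the address may since have been reassigned to another broadband account. The parent-domain match and the IPS-address alternative from step 210 are included as well.

```python
"""Three-log source tracing (DNS -> NAT -> RADIUS), an added runnable
illustration of the cascade in the patent text, not the patent's own code.
Every log format, sample record and name below is constructed for this
example; the addresses come from the documentation ranges."""
from datetime import datetime, timedelta

# Constructed DNS resolver log: "<time> <qname> <answer_ip>" (domain -> public IP).
DNS_LOG = """\
2018-04-23T10:00:01 www.example.com 93.184.216.34
2018-04-23T10:00:02 evil.example.test 203.0.113.45
2018-04-23T10:05:09 cdn.evil.example.test 203.0.113.46
"""
# Constructed NAT session log (assumed format):
# "<time> <priv_ip>:<priv_port> <pub_ip>:<pub_port> <dst_ip>:<dst_port>".
# The patent only says the NAT log maps public IP to intranet IP; the destination
# is kept because it is the key that makes the join unambiguous when many
# subscribers share one translated public address.
NAT_LOG = """\
2018-04-23T10:00:02 10.0.0.11:51000 198.51.100.5:40001 203.0.113.45:443
2018-04-23T10:00:03 10.0.0.12:51000 198.51.100.5:40002 93.184.216.34:443
2018-04-23T10:05:10 10.0.0.13:52000 198.51.100.5:40003 203.0.113.46:80
"""
# Constructed RADIUS accounting log: "<start> <stop> <priv_ip> <account>".
# 10.0.0.13 changes hands at 10:03:01, so the time check below matters.
RADIUS_LOG = """\
2018-04-23T09:00:00 2018-04-23T12:00:00 10.0.0.11 bb-account-UE1
2018-04-23T09:30:00 2018-04-23T11:00:00 10.0.0.12 bb-account-UE2
2018-04-23T08:00:00 2018-04-23T10:03:00 10.0.0.13 bb-account-UE3
2018-04-23T10:03:01 2018-04-23T13:00:00 10.0.0.13 bb-account-UE4
"""
MALICIOUS_DOMAINS = {"evil.example.test"}  # preset malicious-domain library
IPS_MALICIOUS_IPS = {"203.0.113.46"}       # addresses flagged by an IPS


def _t(s):
    return datetime.fromisoformat(s)

def _addr(a):
    host, port = a.rsplit(":", 1)
    return host, int(port)

def parse_dns(log):
    return [(_t(ts), q.lower().rstrip("."), ip)
            for ts, q, ip in (ln.split() for ln in log.splitlines())]

def parse_nat(log):
    return [{"ts": _t(ts), "priv": _addr(p), "pub": _addr(u), "dst": _addr(d)}
            for ts, p, u, d in (ln.split() for ln in log.splitlines())]

def parse_radius(log):
    return [(_t(a), _t(b), ip, acct)
            for a, b, ip, acct in (ln.split() for ln in log.splitlines())]

DNS, NAT, RADIUS = parse_dns(DNS_LOG), parse_nat(NAT_LOG), parse_radius(RADIUS_LOG)


def is_malicious_domain(domain, library):
    """Step 210: the domain, or any parent domain, is in the preset library."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in library for i in range(len(labels)))

def resolved_ips(domain, dns):
    """Step 230a: domain -> (resolution time, public IP) from the DNS log."""
    d = domain.lower().rstrip(".")
    return [(ts, ip) for ts, q, ip in dns if q == d]

def is_malicious_by_ips(domain, dns, bad_ips):
    """Alternative step 210: the domain resolves to an IPS-flagged address."""
    return any(ip in bad_ips for _, ip in resolved_ips(domain, dns))

def nat_sessions_to(dst_ip, dns_ts, nat, window=timedelta(minutes=5)):
    """Step 230b: public IP -> intranet IP, joined on the destination address
    and a window after the resolution, not on the shared translated source."""
    return [s for s in nat
            if s["dst"][0] == dst_ip and dns_ts <= s["ts"] <= dns_ts + window]

def radius_account(priv_ip, ts, radius):
    """Step 230c: intranet IP -> terminal identifier (broadband account) from
    the accounting session that held that address at that instant."""
    for start, stop, ip, acct in radius:
        if ip == priv_ip and start <= ts <= stop:
            return acct
    return None

def trace(domain, dns, nat, radius):
    """Step 230: cascade records (domain, public IP, intranet IP, terminal)."""
    cascade = []
    for dns_ts, pub_ip in resolved_ips(domain, dns):
        for s in nat_sessions_to(pub_ip, dns_ts, nat):
            cascade.append({"domain": domain, "public_ip": pub_ip,
                            "nat_public": "%s:%d" % s["pub"],
                            "intranet_ip": s["priv"][0],
                            "terminal": radius_account(s["priv"][0], s["ts"], radius)})
    return cascade

def alarm_targets(domain, dns, nat, radius):
    """Step 240: terminal identifiers that should receive the alarm indication."""
    return sorted({c["terminal"] for c in trace(domain, dns, nat, radius)
                   if c["terminal"]})


if __name__ == "__main__":
    for d in ("evil.example.test", "cdn.evil.example.test"):
        print(d, "-> alarm to", alarm_targets(d, DNS, NAT, RADIUS))
```

With the constructed records, evil.example.test is caught by the library match and traces to bb-account-UE1, while cdn.evil.example.test is caught only through the IPS-flagged address 203.0.113.46 and, because its session falls after 10.0.0.13 was reassigned, traces to bb-account-UE4 rather than bb-account-UE3. Dropping either the destination key or the session-window check would make both results ambiguous on a real carrier-grade NAT.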
It can be seen that the source tracing method of the embodiment of the present invention, after determining that the domain name of the uniform resource locator (URL) the terminal requests to access is a malicious domain name, obtains the Domain Name System (DNS) log, Network Address Translation (NAT) log and Remote Authentication Dial-In User Service (RADIUS) log of that malicious domain name; based on the determined malicious domain name and the three logs, obtains the network cascade information of the malicious domain name, comprising the correspondence between the malicious domain name and a public IP address, the correspondence between that public IP address and an intranet IP address, and the correspondence between that intranet IP address and a terminal identifier, the terminal identifier being the identifier of the terminal that requested access to the URL; and then sends alarm indication information to the terminal according to the cascade information. The scheme can trace the terminal identifier that accessed the malicious domain name back to its source and trigger the terminal to filter the malicious domain name itself, improving user experience.
Corresponding to the above method, an embodiment of the invention also provides a tracing device. As shown in Figure 4, the tracing device may include a determination unit 410, an acquiring unit 420 and a query unit 430;
the determination unit 410 is configured to determine that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name;
the acquiring unit 420 is configured to obtain the system logs of the malicious domain name, the system logs including the domain name system (DNS) log, the network address translation (NAT) log and the remote authentication dial-in user service (Radius) log, where the DNS log records the mapping between the domain name and the public-network Internet Protocol (IP) address through which the terminal accesses it, the NAT log records first access information of the terminal accessing the public-network IP address through an intranet IP address, and the Radius log records second access information of the terminal's access to the intranet IP address;
and to obtain, based on the malicious domain name, the DNS log, the NAT log and the Radius log, the cascade information of the malicious domain name, which comprises the correspondence between the malicious domain name and the public-network IP address, the correspondence between the public-network IP address and the intranet IP address in the first access information, and the correspondence between the intranet IP address and the terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested access to the malicious domain name;
the sending unit 430 is configured to send alarm indication information to the terminal according to the cascade information, to indicate to the terminal that the domain name of the URL it requested is a malicious domain name and to prompt the terminal whether to continue accessing the URL.
Optionally, the acquiring unit 420 is specifically configured to:
obtain, based on the DNS log and the malicious domain name, the public-network IP address corresponding to the malicious domain name;
obtain, based on the NAT log and the public-network IP address, the intranet IP address corresponding to the public-network IP address;
obtain, based on the Radius log and the intranet IP address, the terminal identifier of the terminal corresponding to the intranet IP address.
Optionally, the sending unit 430 is specifically configured to send the alarm indication information to the terminal according to the terminal identifier in the cascade information.
Optionally, the determination unit 410 is specifically configured to:
obtain the domain name to be detected of the URL that the terminal requests to access;
match the domain name to be detected against the preset malicious domain names;
if the match succeeds, determine that the domain name to be detected is a malicious domain name.
Optionally, the device further includes a storage unit 440;
the storage unit 440 is configured to store the malicious domain name.
After determining that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name, the tracing device of this embodiment obtains the domain name system (DNS) log, the network address translation (NAT) log and the remote authentication dial-in user service (Radius) log associated with the malicious domain name; based on the malicious domain name and these three logs, it obtains the cascade information of the malicious domain name, which comprises the correspondence between the malicious domain name and a public-network IP address, the correspondence between the public-network IP address and an intranet IP address, and the correspondence between the intranet IP address and a terminal identifier, the terminal identifier being the identifier of the terminal that requested access to the URL; it then sends alarm indication information to the terminal according to the cascade information. This scheme can trace the identifier of the terminal that accessed the malicious domain name and trigger the terminal to actively filter the malicious domain name, improving the user experience.
An embodiment of the invention also provides an electronic device. As shown in Figure 5, it includes a processor 510, a communication interface 520, a memory 530 and a communication bus 540, where the processor 510, the communication interface 520 and the memory 530 communicate with one another over the communication bus 540.
The memory 530 is configured to store a computer program;
the processor 510 is configured, when executing the program stored in the memory 530, to implement the following steps:
determining that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name;
obtaining the system logs associated with the malicious domain name, the system logs including a domain name system (DNS) log, a network address translation (NAT) log and a remote authentication dial-in user service (Radius) log, where the DNS log records the mapping between the domain name and the public-network Internet Protocol (IP) address through which the terminal accesses it, the NAT log records first access information of the terminal accessing the public-network IP address through an intranet IP address, and the Radius log records second access information of the terminal's access to the intranet IP address;
obtaining, based on the malicious domain name, the DNS log, the NAT log and the Radius log, the cascade information of the malicious domain name, the cascade information comprising the correspondence between the malicious domain name and the public-network IP address, the correspondence between the public-network IP address and the intranet IP address in the first access information, and the correspondence between the intranet IP address and the terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested access to the malicious domain name;
sending alarm indication information to the terminal according to the cascade information, to indicate to the terminal that the domain name of the URL it requested is a malicious domain name and to prompt the terminal whether to continue accessing the URL.
Optionally, obtaining the network cascade information of the malicious domain name based on the malicious domain name, the DNS log, the NAT log and the Radius log comprises:
obtaining, based on the DNS log and the malicious domain name, the public-network IP address corresponding to the malicious domain name;
obtaining, based on the NAT log and the public-network IP address, the intranet IP address corresponding to the public-network IP address;
obtaining, based on the Radius log and the intranet IP address, the terminal identifier of the terminal corresponding to the intranet IP address.
Optionally, the processor 510 is further configured to send the alarm indication information to the terminal according to the terminal identifier in the cascade information.
Optionally, determining that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name comprises:
obtaining the domain name to be detected of the URL that the terminal requests to access;
matching the domain name to be detected against the preset malicious domain names;
if the match succeeds, determining that the domain name to be detected is a malicious domain name.
Optionally, the processor 510 is further configured to store the malicious domain name.
The communication bus mentioned above may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in the figure, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, discrete gate or transistor logic, or discrete hardware components.
Since the implementation of each component of the electronic device in the above embodiment, and the beneficial effects of the problems it solves, can be realised with reference to the steps of the embodiment shown in Figure 2, the specific working process and beneficial effects of this embodiment are not repeated here.
In another embodiment provided by the invention, a computer-readable storage medium is also provided, in which instructions are stored; when run on a computer, they cause the computer to execute the tracing method of any of the above embodiments.
In another embodiment provided by the invention, a computer program product containing instructions is also provided; when run on a computer, it causes the computer to execute the tracing method of any of the above embodiments.
Those skilled in the art should understand that the embodiments of this application may be provided as a method, a system or a computer program product. Therefore, the embodiments of this application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory and the like) containing computer-usable program code.
The embodiments of this application are described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of this application have been described, those skilled in the art may make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of this application.
Obviously, those skilled in the art may make various modifications and variations to the embodiments of this application without departing from the spirit and scope of these embodiments. If such modifications and variations fall within the scope of the claims of this application and their technical equivalents, this application is also intended to include them.

Claims (12)

1. A tracing method for a malicious domain name, characterised in that the method comprises:
determining that the domain name of the uniform resource locator (URL) that a terminal requests to access is a malicious domain name;
obtaining the system logs collected for the malicious domain name, the system logs including a domain name system (DNS) log, a network address translation (NAT) log and a remote authentication dial-in user service (Radius) log, where the DNS log records the mapping between the domain name and the public-network Internet Protocol (IP) address through which the terminal accesses it, the NAT log records first access information of the terminal accessing the public-network IP address through an intranet IP address, and the Radius log records second access information of the terminal's access to the intranet IP address;
obtaining, based on the malicious domain name, the DNS log, the NAT log and the Radius log, the cascade information of the malicious domain name, the cascade information comprising the mapping between the malicious domain name and the public-network IP address, the correspondence between the public-network IP address and the intranet IP address in the first access information, and the correspondence between the intranet IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested access to the malicious domain name;
sending alarm indication information to the terminal according to the cascade information, to indicate to the terminal that the domain name of the URL it requested is a malicious domain name and to prompt the terminal whether to continue accessing the URL.
2. The method according to claim 1, characterised in that obtaining the cascade information corresponding to the malicious domain name based on the malicious domain name, the DNS log, the NAT log and the Radius log comprises:
obtaining, based on the DNS log and the malicious domain name, the public-network IP address corresponding to the malicious domain name;
obtaining, based on the NAT log and the public-network IP address, the intranet IP address corresponding to the public-network IP address;
obtaining, based on the Radius log and the intranet IP address, the terminal identifier of the terminal corresponding to the intranet IP address.
3. The method according to claim 2, characterised in that sending alarm indication information to the terminal according to the cascade information comprises:
sending the alarm indication information to the terminal according to the terminal identifier in the cascade information.
4. The method according to claim 1, characterised in that determining that the domain name of the uniform resource locator (URL) that the terminal requests to access is a malicious domain name comprises:
obtaining the domain name to be detected of the URL that the terminal requests to access;
matching the domain name to be detected against preset malicious domain names;
if the match succeeds, determining that the domain name to be detected is a malicious domain name.
5. The method according to claim 3, characterised in that the method further comprises:
storing the malicious domain name.
6. A tracing device, characterised in that the device comprises:
a determination unit, configured to determine that the domain name of the uniform resource locator (URL) that a terminal requests to access is a malicious domain name;
an acquiring unit, configured to obtain the system logs of the malicious domain name, the system logs including a DNS log, a NAT log and a remote authentication dial-in user service log, where the DNS log records a preset correspondence between a domain name and a public-network Internet Protocol (IP) address, the NAT log records first access information of the terminal accessing the public-network IP address through an intranet IP address, and the remote authentication dial-in user service log records second access information of the terminal's access to the intranet IP address;
and to obtain, based on the malicious domain name, the DNS log, the NAT log and the remote authentication dial-in user service log, the cascade information of the malicious domain name, the cascade information comprising the correspondence between the malicious domain name and the public-network IP address, the correspondence between the public-network IP address and the intranet IP address in the first access information, and the correspondence between the intranet IP address and a terminal identifier in the second access information, the terminal identifier being the identifier of the terminal that requested access to the malicious domain name;
a query unit, configured to query the cascade information to obtain the terminal identifier of the terminal.
7. The device according to claim 6, characterised in that the acquiring unit is specifically configured to:
obtain, based on the DNS log and the malicious domain name, the public-network IP address corresponding to the malicious domain name;
obtain, based on the NAT log and the public-network IP address, the intranet IP address corresponding to the public-network IP address;
obtain, based on the remote authentication dial-in user service log and the intranet IP address, the terminal identifier of the terminal corresponding to the intranet IP address.
8. The device according to claim 6, characterised in that the device further comprises a sending unit;
the sending unit is configured to send alarm indication information to the terminal according to the terminal identifier, to indicate to the terminal that the domain name of the URL it requested is a malicious domain name and to prompt the terminal whether to continue accessing the URL.
9. The device according to claim 6, characterised in that the determination unit is specifically configured to:
obtain the domain name to be detected of the URL that the terminal requests to access;
match the domain name to be detected against preset malicious domain names;
if the match succeeds, determine that the domain name to be detected is a malicious domain name.
10. The device according to claim 8, characterised in that the device further comprises a storage unit;
the storage unit is configured to store the malicious domain name.
11. An electronic device, characterised in that the electronic device comprises a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is configured to store a computer program;
the processor is configured, when executing the program stored in the memory, to implement the method steps of any one of claims 1 to 5.
12. A computer-readable storage medium, characterised in that a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the method steps of any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810371587.5A CN110401614B (en) 2018-04-24 2018-04-24 Malicious domain name tracing method and device

Publications (2)

Publication Number Publication Date
CN110401614A true CN110401614A (en) 2019-11-01
CN110401614B CN110401614B (en) 2021-08-13

Family

ID=68320370

Country Status (1)

Country Link
CN (1) CN110401614B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933201A (en) * 2019-12-31 2020-03-27 北京金山云网络技术有限公司 IP address tracing method and device, electronic equipment and storage medium
CN111294336A (en) * 2020-01-15 2020-06-16 深圳开源互联网安全技术有限公司 Login behavior detection method and device, computer equipment and storage medium
CN111405080A (en) * 2020-03-09 2020-07-10 北京冠程科技有限公司 Terminal IP management system and user behavior auditing method based on same
CN111818075A (en) * 2020-07-20 2020-10-23 北京华赛在线科技有限公司 Illegal external connection detection method, device, equipment and storage medium
CN112118249A (en) * 2020-09-11 2020-12-22 江苏云柜网络技术有限公司 Security protection method and device based on log and firewall
CN112667875A (en) * 2020-12-24 2021-04-16 恒安嘉新(北京)科技股份公司 Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium
CN112866005A (en) * 2020-12-31 2021-05-28 恒安嘉新(北京)科技股份公司 Method, device and equipment for processing user access log and storage medium
CN112887310A (en) * 2021-01-27 2021-06-01 华南理工大学 Method, device and medium for improving network attack risk assessment efficiency
CN113489738A (en) * 2021-07-15 2021-10-08 恒安嘉新(北京)科技股份公司 Violation handling method, device, equipment and medium for broadband account
CN113821743A (en) * 2021-09-23 2021-12-21 猪八戒股份有限公司 Dubbo service tracing method and device
CN114173346A (en) * 2021-12-01 2022-03-11 恒安嘉新(北京)科技股份公司 Coverage detection method, device, equipment and medium for malicious program monitoring system
CN114500122A (en) * 2022-04-18 2022-05-13 国家计算机网络与信息安全管理中心江苏分中心 Specific network behavior analysis method and system based on multi-source data fusion

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103220302A (en) * 2013-05-07 2013-07-24 腾讯科技(深圳)有限公司 Malicious website access defending method and related device
US20160344750A1 (en) * 2013-01-30 2016-11-24 Blue Coat Systems, Inc. Apparatus and Method for Characterizing the Risk of a User Contracting Malicious Software
US9807053B1 (en) * 2014-08-29 2017-10-31 Uniregistry, Corp. System and method related to domain name tracking and transfer
CN107689965A (en) * 2017-09-30 2018-02-13 北京奇虎科技有限公司 Means of defence, the apparatus and system of the network equipment

Also Published As

Publication number Publication date
CN110401614B (en) 2021-08-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant