CN110535719A - A kind of plug-in behavior monitoring method of game based on DNS traffic characteristic - Google Patents


Publication number
CN110535719A
Authority
CN
China
Prior art keywords
domain name
data
data packet
plug
address
Legal status
Granted
Application number
CN201910765987.9A
Other languages
Chinese (zh)
Other versions
CN110535719B (en)
Inventor
刘德建
任佳伟
陈宏展
Current Assignee
Fujian Tianqing Online Interactive Technology Co Ltd
Original Assignee
Fujian Tianqing Online Interactive Technology Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method for monitoring game cheat (plug-in) behaviour based on DNS traffic characteristics. The method comprises the following steps: step S1, the Windows application-layer client creates a network filter driver in the driver layer; step S2, a domain-name blacklist is established; step S3, the network filter driver captures all UDP packets at the datagram data layer and compares the domain name that each UDP packet requests to resolve against the domain-name blacklist; if the domain name contains any domain-name string in the blacklist, the player is judged to be using a cheat. The domain-name blacklist stores the domain-name strings that a cheat will request to resolve. The invention can efficiently monitor the use of cheats whose DNS traffic characteristics are known.

Description

A method for monitoring game cheat (plug-in) behaviour based on DNS traffic characteristics
Technical field
The present invention relates to the fields of computer communication technology, software security and game cheat detection, and in particular to a method for monitoring game cheat behaviour based on DNS traffic characteristics.
Background technique
Existing cheat-monitoring modules usually rely on detection based on process-memory scanning, for example scanning a process's memory space to decide whether it contains a cheat signature. There is as yet no published kernel-layer means of monitoring game cheat behaviour based on DNS traffic characteristics.
The existing monitoring schemes above can be evaded by cheats that use hidden processes, memory polymorphism and similar methods. The scheme described in this patent can monitor such cheat usage, and it proves precise and efficient when applied to monitoring cheats whose usage has a DNS traffic characteristic.
Explanation of technical terms:
The WFP filtering framework provided by Microsoft defines many layers along the path of a network packet, for example the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (the flow-established layer), the FWPM_LAYER_STREAM_V4 layer (the stream layer) and the FWPM_LAYER_DATAGRAM_DATA_V4 layer (the datagram data layer). Because the lower layers of the system encapsulate a packet according to the network protocol in use, the data captured at different layers differs. The FWPM_LAYER_DATAGRAM_DATA_V4 layer (datagram data layer) referred to in this patent captures all UDP packets, without the IP header.
WFP (Windows Filtering Platform) is a Windows filtering framework used to filter network packets.
The Base Filtering Engine (BFE) is a user-mode service built into the Windows operating system that coordinates the WFP components. Its main tasks are adding filters to and removing them from the system, storing filter configuration and enforcing the security of the WFP configuration. Applications communicate with the BFE through WFP management functions such as FwpmEngineOpen.
Summary of the invention
To overcome the problems above, the object of the present invention is to provide a method for monitoring game cheat behaviour based on DNS traffic characteristics. It is a covert means of monitoring cheat behaviour that can efficiently monitor the use of cheats whose DNS traffic characteristics are known.
The present invention is realised by the following scheme: a method for monitoring game cheat behaviour based on DNS traffic characteristics, comprising the following steps: step S1, the Windows application-layer client creates a network filter driver in the driver layer;
Step S2, a domain-name blacklist is established;
Step S3, the network filter driver captures all UDP packets at the datagram data layer and compares the domain name that each UDP packet requests to resolve against the domain-name blacklist; if the domain name contains any domain-name string in the blacklist, the player is judged to be using a cheat. The domain-name blacklist stores the domain-name strings that a cheat will request to resolve.
Further, step S2 is specifically: while the network filter driver is being created, the domain names that a cheat will request to resolve are written into the network filter driver's file; the Windows application loads and opens the network filter driver; after the network filter driver has been opened successfully, the domain-name blacklist is initialised, and during initialisation the network filter driver inserts all domain names from the written file into the domain-name blacklist.
Further, between step S2 and step S3 the method also includes: step S21, the network filter driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter in subsequent operations;
Step S22, the network filter driver registers, with the FwpsCalloutRegister function, a callback function that monitors data at the datagram data layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the BFE add the callback registered in the previous step;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the datagram data layer for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create, through the BFE, a filter at the datagram data layer and associates the callback function with the sublayer. Once the association is complete, whenever the sublayer captures a network packet the system calls the callback function corresponding to the sublayer to process that packet; the callback function at the datagram data layer handles UDP packets.
Further, step S3 is specifically: step S31, when the datagram-data-layer callback function is called, it checks the direction attribute of the network packet to determine whether it is a packet sent by this machine to a remote end; if so, step S32 follows, otherwise the callback function returns;
Step S32, the callback function checks whether the remote port of the packet is 53; if so, the packet is a DNS packet and step S33 follows; otherwise the callback function returns;
Step S33, the callback function parses the packet content according to the DNS message format, extracts from the DNS message the domain name to be resolved, then traverses the domain-name blacklist, comparing each blacklist entry with the parsed domain name using a string-matching algorithm; if the parsed domain name contains the domain-name string stored in any blacklist entry, the player is judged to be using a cheat.
Further, the callback function's parsing of the packet content according to the DNS message format and extraction of the domain name to be resolved from the DNS message specifically comprises the following steps:
Step 1, verify that the DNS message conforms to the format specification; if it does, the packet is not abnormal and step 2 follows; if it does not, parsing ends;
Step 2, the question section (request data) starts at an offset of 12 bytes from the packet's start address. Because the domain name to be resolved is stored in the DNS packet as a string whose end carries a terminator '\0', the region from the start address of the question section to the end address of the packet is searched byte by byte for the character '\0'; if no '\0' is found in that memory region, the DNS packet content is judged abnormal and the process exits; otherwise the memory address of the first '\0' is recorded as the end address pEnd of the requested domain name;
Step 3, the character data stored in memory between the start address of the question section and the end address pEnd of the requested domain name is the unextracted string of the domain name requested by this DNS packet;
Step 4, a memory area Buffer of the same size as the unextracted string is allocated to hold the extracted string; a first pointer p is pointed at the start address of the unextracted string and a second pointer q at the start address of Buffer; the extraction loop then begins from the first byte of the unextracted string.
Further, verifying that the DNS message conforms to the format specification is specifically: first take the 2-byte flags field at an offset of 2 bytes from the packet's start address, then take the 2-byte question-count field at an offset of 4 bytes from the packet's start address; if the flags field equals the hexadecimal value 0x1000 and the question count equals the decimal value 1, the packet is judged to conform to the DNS packet specification.
Further, the extraction loop that begins from the first byte of the unextracted string in step 4 is specifically: step 4.1, read the 1-byte value stored at the memory address pointed to by the first pointer as a UINT8, and set length to that 1-byte value;
Step 4.2, check whether the memory address p + length lies beyond the extent of the unextracted string; if it does, the data is judged abnormal and parsing ends; otherwise proceed to step 4.3;
Step 4.3, copy the length bytes of data stored in the memory segment starting at the first pointer p, byte by byte, into the memory region starting at the second pointer q and ending at q + length - 1;
Step 4.4, p(i+1) = p(i) + length, i.e. the first pointer advances by length; q(i+1) = q(i) + length, i.e. the second pointer advances by length;
Step 4.5, check whether the data stored at the memory address pointed to by the first pointer p is the terminator '\0'; if so, write a one-byte '\0' at the memory address pointed to by the second pointer q; the data from the start address of Buffer to the address holding that '\0' byte is the domain name to be resolved in the DNS message, extraction has succeeded and the whole extraction process exits; if it is not the terminator '\0', write a one-byte separator character '.' at the memory address pointed to by the second pointer, then q(i+1) = q(i) + 1, i.e. the second pointer advances by 1, one round of the loop is complete, and the process branches back to step 4.1.
Further, the DNS message format is: identifier + flags + question count + answer count + authority count + additional count + question section + answer section + authority section + additional section.
The beneficial effects of the present invention are: 1. The blacklist mechanism efficiently monitors the use of cheats whose DNS traffic characteristics are known.
2. By using kernel-layer network filtering, cheats that bypass traditional application-layer API-hook detection are caught, which greatly increases the difficulty of anti-detection and counter-monitoring by cheats.
3. Most cheats are paid software and therefore include a login module, so the scheme is very widely applicable and can be used to detect a large number of cheats.
4. The game cheat monitoring method of this patent is a covert means of monitoring cheat behaviour, which improves monitoring capability.
5. The present invention provides a scheme for extracting, in the kernel layer, the domain name to be resolved from a DNS message, which improves monitoring accuracy.
Description of the drawings
Fig. 1 is a schematic flow chart of the method of the invention.
Fig. 2 is a flow chart of how the invention extracts the domain name to be resolved from a DNS message.
Specific embodiment
The present invention is further described below with reference to the accompanying drawings.
Referring to Fig. 1 and Fig. 2, the method of the invention for monitoring game cheat behaviour based on DNS traffic characteristics is built on Microsoft's WFP network filter driver framework: a network filter is installed at the bottom of the system to capture the network request behaviour of cheats. The method comprises the following steps: step S1, the Windows application-layer client creates a network filter driver in the driver layer;
Step S2, a domain-name blacklist is established. Step S2 is specifically: while the network filter driver is being created, the domain names that a cheat will request to resolve are written into the network filter driver's file; the Windows application loads and opens the network filter driver; after the network filter driver has been opened successfully, the domain-name blacklist is initialised, and during initialisation the network filter driver inserts all domain names from the written file into the domain-name blacklist. In addition, each entry stored in the blacklist must be a feature specific to the cheat, i.e. apart from that cheat no other program exhibits this network access behaviour, or does so only with extremely low probability; otherwise there is a risk of false positives.
Step S3, the network filter driver captures all UDP packets at the datagram data layer (i.e. the FWPM_LAYER_DATAGRAM_DATA_V4 layer) and compares the domain name that each UDP packet requests to resolve against the domain-name blacklist; if the domain name contains any domain-name string in the blacklist, the player is judged to be using a cheat. The domain-name blacklist stores the domain-name strings that a cheat will request to resolve.
In the present invention, between step S2 and step S3 the method also includes: step S21, the network filter driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter in subsequent operations;
Step S22, the network filter driver registers, with the FwpsCalloutRegister function, a callback function that monitors data at the datagram data layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the BFE add the callback registered in the previous step;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the datagram data layer for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create, through the BFE, a filter at the datagram data layer and associates the callback function with the sublayer. Once the association is complete, whenever the sublayer's filter captures a network packet the system calls the callback function corresponding to the sublayer to process that packet; the callback function at the datagram data layer handles UDP packets.
In the present invention, step S3 is specifically: step S31, when the datagram-data-layer callback function is called, it checks the direction attribute of the network packet to determine whether it is a packet sent by this machine to a remote end; if so, step S32 follows, otherwise the callback function returns;
Step S32, the callback function checks whether the remote port of the packet is 53; if so, the packet is a DNS packet and step S33 follows; otherwise the callback function returns;
Step S33, the callback function parses the packet content according to the DNS message format, extracts from the DNS message the domain name to be resolved, then traverses the domain-name blacklist, comparing each blacklist entry with the parsed domain name using a string-matching algorithm; if the parsed domain name contains the domain-name string stored in any blacklist entry, the player is judged to be using a cheat. The string-matching algorithm may be the KMP algorithm; other algorithms may also be used in practice.
The DNS message format is: identifier + flags + question count + answer count + authority count + additional count + question section + answer section + authority section + additional section. The callback function's parsing of the packet content according to the DNS message format and extraction of the domain name to be resolved from the DNS message specifically comprises the following steps:
Step 1, verify that the DNS message conforms to the format specification: first take the 2-byte flags field uFlags at an offset of 2 bytes from the packet's start address, then take the 2-byte question-count field uQuestions at an offset of 4 bytes from the packet's start address; if uFlags equals the hexadecimal value 0x1000 and uQuestions equals the decimal value 1, the packet is judged to conform to the DNS packet specification and not to be abnormal, and step 2 follows; otherwise parsing ends.
Step 2, the question section (request data) pRequestBuffer starts at an offset of 12 bytes from the packet's start address. Because the domain name to be resolved is stored in the DNS packet as a string whose end carries a terminator '\0', the region from the start address pRequestBuffer to the end address of the packet is searched byte by byte for the character '\0'; if no '\0' is found in that memory region, the DNS packet content is judged abnormal and the process exits. Otherwise the memory address of the first '\0' is recorded as the end address pEnd of the requested domain name.
Step 3, the character data stored in memory between the start address pRequestBuffer of the question section and the end address pEnd of the requested domain name is the unextracted string of the domain name requested by this DNS packet.
Step 4, a memory area Buffer of the same size as the unextracted string is allocated to hold the extracted string; a first pointer p is pointed at the start address of the unextracted string and a second pointer q at the start address of Buffer; the extraction loop then begins from the first byte of the unextracted string.
In the present invention, the extraction loop that begins from the first byte of the unextracted string in step 4 is specifically: step 4.1, read the 1-byte value stored at the memory address pointed to by the first pointer as a UINT8, and set length to that 1-byte value;
Step 4.2, check whether the memory address p + length lies beyond the extent of the unextracted string; if it does, the data is judged abnormal and parsing ends; otherwise proceed to step 4.3;
Step 4.3, copy the length bytes of data stored in the memory segment starting at the first pointer p, byte by byte, into the memory region starting at the second pointer q and ending at q + length - 1;
Step 4.4, p(i+1) = p(i) + length, i.e. the first pointer advances by length; q(i+1) = q(i) + length, i.e. the second pointer advances by length;
Step 4.5, check whether the data stored at the memory address pointed to by the first pointer p is the terminator '\0'; if so, write a one-byte '\0' at the memory address pointed to by the second pointer q; the data from the start address of Buffer to the address holding that '\0' byte is the domain name to be resolved in the DNS message, extraction has succeeded and the whole extraction process exits; if it is not the terminator '\0', write a one-byte separator character '.' at the memory address pointed to by the second pointer, then q(i+1) = q(i) + 1, i.e. the second pointer advances by 1, one round of the loop is complete, and the process branches back to step 4.1.
The string before conversion is shown in Table 1:
Table 1
a | string of length a, no terminator | b | string of length b, no terminator | ...... | n | string of length n, no terminator | '\0'
The string after conversion is shown in Table 2:
Table 2
string of length a, no terminator | '.' | string of length b, no terminator | ...... | '.' | string of length n, no terminator | '\0'
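The following is an added example, not code from the patent or its assignee. It implements in plain user-mode C the header check of step 1, the question-name extraction of steps 2 to 4.5 (the Table 1 to Table 2 conversion above) and the blacklist comparison of step S33, so the logic can be exercised on a captured UDP payload without a kernel driver. The offsets it uses (flags at byte 2, question count at byte 4, question section at byte 12) are those of RFC 1035. Two deliberate departures from the page's literal steps are marked in comments: the patent compares the flags field with 0x1000, whereas a standard recursion-desired query carries 0x0100, so the example only requires the QR bit to be clear and the question count to be 1; and the length byte of each label is skipped before copying, since copying from p itself (step 4.3 as written) would carry the length byte into the output. The sample packets, the blacklist entry "cheat.com" and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12

/* Step 1: header check. The patent tests flags == 0x1000; a standard query
 * carries 0x0100, so this version only requires QR == 0 and QDCOUNT == 1. */
static int dns_header_is_query(const uint8_t *pkt, size_t len)
{
    if (len < DNS_HEADER_LEN)
        return 0;
    uint16_t flags   = (uint16_t)((pkt[2] << 8) | pkt[3]);
    uint16_t qdcount = (uint16_t)((pkt[4] << 8) | pkt[5]);
    return (flags & 0x8000) == 0 && qdcount == 1;
}

/* Steps 2-4.5: turn the length-prefixed labels at offset 12 into a dotted
 * name in out[]. Returns the name length, or -1 if the packet is malformed
 * (no terminator, label past the packet end, compression pointer, or the
 * output buffer is too small). Every label is bounds-checked (step 4.2). */
static int dns_extract_qname(const uint8_t *pkt, size_t len,
                             char *out, size_t out_cap)
{
    if (!dns_header_is_query(pkt, len))
        return -1;
    const uint8_t *p   = pkt + DNS_HEADER_LEN;  /* first pointer p */
    const uint8_t *end = pkt + len;
    size_t q = 0;                               /* second pointer q (index into out) */

    for (;;) {
        if (p >= end)
            return -1;                          /* packet ended before '\0' (step 2) */
        uint8_t label_len = *p;                 /* step 4.1 */
        if (label_len == 0)
            break;                              /* step 4.5: terminator reached */
        if ((label_len & 0xC0) != 0)
            return -1;                          /* compression pointer: invalid in a query name */
        if (p + 1 + label_len >= end)
            return -1;                          /* step 4.2: label would run past the packet */
        if (q + 1 + label_len + 1 > out_cap)
            return -1;                          /* no room for '.', label and '\0' */
        if (q > 0)
            out[q++] = '.';                     /* step 4.5: separator between labels */
        memcpy(out + q, p + 1, label_len);      /* step 4.3, skipping the length byte */
        q += label_len;                         /* step 4.4 */
        p += 1 + label_len;
    }
    if (q == 0)
        return -1;                              /* the empty (root) name is not a host name */
    out[q] = '\0';
    return (int)q;
}

/* Step S33 as the patent states it: substring containment (strstr here; KMP
 * would give the same answer). */
static int name_matches_blacklist(const char *name,
                                  const char *const *blacklist, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strstr(name, blacklist[i]) != NULL)
            return 1;
    return 0;
}

/* Stricter variant: match only whole trailing labels, so "cheat.com" still
 * hits "tools.cheat.com" but no longer hits "cheat.company" or "notcheat.com". */
static int name_has_blacklisted_suffix(const char *name,
                                       const char *const *blacklist, size_t n)
{
    size_t nl = strlen(name);
    for (size_t i = 0; i < n; i++) {
        size_t bl = strlen(blacklist[i]);
        if (bl == 0 || bl > nl)
            continue;
        const char *tail = name + (nl - bl);
        if (strcmp(tail, blacklist[i]) == 0 && (nl == bl || tail[-1] == '.'))
            return 1;
    }
    return 0;
}

/* Whole check for one UDP payload sent to port 53: 1 = blacklisted name
 * requested, 0 = clean, -1 = not a well-formed query (ignored, as in step 1). */
static int dns_query_verdict(const uint8_t *pkt, size_t len,
                             const char *const *blacklist, size_t n)
{
    char name[256];                             /* a DNS name is at most 255 octets */
    if (dns_extract_qname(pkt, len, name, sizeof name) < 0)
        return -1;
    return name_matches_blacklist(name, blacklist, n);
}

/* Constructed sample: query for tools.cheat.com (ID 0x1234, flags 0x0100,
 * QDCOUNT 1, QTYPE A, QCLASS IN), matching the embodiment on the page. */
static const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    5, 't', 'o', 'o', 'l', 's', 5, 'c', 'h', 'e', 'a', 't', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Constructed sample: same header, but the first label claims 5 bytes and the
 * packet ends after 3, the case step 4.2 must reject. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    5, 't', 'o', 'o'
};

int main(void)
{
    static const char *const blacklist[] = { "cheat.com" };
    char name[256];
    int n = dns_extract_qname(SAMPLE_QUERY, sizeof SAMPLE_QUERY, name, sizeof name);
    printf("extracted: %s (%d bytes)\n", n < 0 ? "<malformed>" : name, n);
    printf("verdict:   %d\n", dns_query_verdict(SAMPLE_QUERY, sizeof SAMPLE_QUERY, blacklist, 1));
    printf("truncated: %d\n", dns_query_verdict(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, blacklist, 1));
    return 0;
}
```

In a driver the same functions would be called from the datagram-data-layer callback on the UDP payload, after the direction and remote-port checks of steps S31 and S32. The `name_has_blacklisted_suffix` variant is worth considering for the blacklist comparison: the page's own caveat that an entry must be unique to the cheat is easier to satisfy when "cheat.com" cannot match an unrelated name such as "cheat.company".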
A specific embodiment is given below to further describe the implementation of this patent's scheme:
1. Suppose that game cheat A is cheat software that attacks the online game client C, a product of game company B. After its process starts, cheat A accesses "tools.cheat.com", and apart from game cheat A no other process makes the same network request.
2. Game company B uses the network filter driver D, developed on the basis of this scheme, to detect whether the player is running cheat A, and thereby protects game client C.
3. After the player runs game client C, game client C automatically loads network filter driver D; once loaded successfully, driver D initialises the domain-name blacklist and inserts into it the blacklist entry "cheat.com", dedicated to detecting game cheat A.
4. After completing the sequence of operations of registering the callback function, creating the sublayer and opening the filter at the FWPM_LAYER_DATAGRAM_DATA_V4 layer (datagram data layer), network filter driver D begins filtering network packets.
5. Suppose that while game client C is running, the player starts game cheat A. After starting successfully, cheat A attempts to access "tools.cheat.com"; before the access it must first resolve the domain name to obtain its IP address. The Windows system process svchost.exe sends a DNS packet to the domain-name resolution server requesting the IP address of "tools.cheat.com".
6. After the filter at the FWPM_LAYER_DATAGRAM_DATA_V4 sublayer captures this packet, it determines that the direction attribute of this network request is FWP_DIRECTION_INBOUND and that the remote port is 53, and so determines that the packet is a DNS packet.
7. The callback function parses the packet content according to the DNS message format and extracts from it the domain-name string "tools.cheat.com" that the DNS packet requests to resolve. It then traverses the domain-name blacklist, comparing the string "tools.cheat.com" with each blacklist entry; when the entry "cheat.com" is reached, "tools.cheat.com" contains the string stored in that entry, so the DNS packet is judged to match the blacklist rule, and the player is thereby judged to be using game cheat A.
The above are merely preferred embodiments of the present invention; all equivalent changes and modifications made within the scope of the patent of the present invention are covered by the present invention.

Claims (8)

1. A method for monitoring game cheat (plug-in) behaviour based on DNS traffic characteristics, characterised in that the method comprises the following steps: step S1, the Windows application-layer client creates a network filter driver in the driver layer;
Step S2, a domain-name blacklist is established;
Step S3, the network filter driver captures all UDP packets at the datagram data layer and compares the domain name that each UDP packet requests to resolve against the domain-name blacklist; if the domain name contains any domain-name string in the blacklist, the player is judged to be using a cheat. The domain-name blacklist stores the domain-name strings that a cheat will request to resolve.
2. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 1, characterised in that step S2 is specifically: while the network filter driver is being created, the domain names that a cheat will request to resolve are written into the network filter driver's file; the Windows application loads and opens the network filter driver; after the network filter driver has been opened successfully, the domain-name blacklist is initialised, and during initialisation the network filter driver inserts all domain names from the written file into the domain-name blacklist.
3. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 1, characterised in that between step S2 and step S3 the method also includes: step S21, the network filter driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter in subsequent operations;
Step S22, the network filter driver registers, with the FwpsCalloutRegister function, a callback function that monitors data at the datagram data layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the BFE add the callback registered in the previous step;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the datagram data layer for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create, through the BFE, a filter at the datagram data layer and associates the callback function with the sublayer. Once the association is complete, whenever the sublayer captures a network packet the system calls the callback function corresponding to the sublayer to process that packet; the callback function at the datagram data layer handles UDP packets.
4. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 3, characterised in that step S3 is specifically: step S31, when the datagram-data-layer callback function is called, it checks the direction attribute of the network packet to determine whether it is a packet sent by this machine to a remote end; if so, step S32 follows, otherwise the callback function returns;
Step S32, the callback function checks whether the remote port of the packet is 53; if so, step S33 follows; otherwise the callback function returns;
Step S33, the callback function parses the packet content according to the DNS message format, extracts from the DNS message the domain name to be resolved, then traverses the domain-name blacklist, comparing each blacklist entry with the parsed domain name using a string-matching algorithm; if the parsed domain name contains the domain-name string stored in any blacklist entry, the player is judged to be using a cheat.
5. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 4, characterised in that the callback function's parsing of the packet content according to the DNS message format and extraction of the domain name to be resolved from the DNS message specifically comprises the following steps:
Step 1, verify that the DNS message conforms to the format specification; if it does, the packet is not abnormal and step 2 follows; if it does not, parsing ends;
Step 2, the question section (request data) starts at an offset of 12 bytes from the packet's start address. Because the domain name to be resolved is stored in the DNS packet as a string whose end carries a terminator '\0', the region from the start address of the question section to the end address of the packet is searched byte by byte for the character '\0'; if no '\0' is found in that memory region, the DNS packet content is judged abnormal and the process exits; otherwise the memory address of the first '\0' is recorded as the end address pEnd of the requested domain name;
Step 3, the character data stored in memory between the start address of the question section and the end address pEnd of the requested domain name is the unextracted string of the domain name requested by this DNS packet;
Step 4, a memory area Buffer of the same size as the unextracted string is allocated to hold the extracted string; a first pointer p is pointed at the start address of the unextracted string and a second pointer q at the start address of Buffer; the extraction loop then begins from the first byte of the unextracted string.
6. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 5, characterised in that verifying that the DNS message conforms to the format specification is specifically: first take the 2-byte flags field at an offset of 2 bytes from the packet's start address, then take the 2-byte question-count field at an offset of 4 bytes from the packet's start address; if the flags field equals the hexadecimal value 0x1000 and the question count equals the decimal value 1, the packet is judged to conform to the DNS packet specification.
6. a kind of plug-in behavior monitoring method of game based on DNS traffic characteristic according to claim 5, feature exist In: whether the verification DNS message meets format specification, specially deviates 2 bytes from relative to data packet initial address first Address take out size be 2 bytes zone bit information, then from relative to data packet initial address deviate 4 bytes address take Size is the quantity information of the nslookup of 2 bytes out, if meeting the number that zone bit information is equal to 16 systems simultaneously The quantity information of 0x1000 and nslookup is equal to metric digital 1, then determines that this data packet meets the rule of DNS data packet Model.
7. a kind of plug-in behavior monitoring method of game based on DNS traffic characteristic according to claim 5, feature exist In: first of character string is never extracted in the step 4 start the cycle over and extract string operation, further specifically: Step 4.1, the data that the size that the memory address storage that the first pointer is directed toward is read according to the format of UINT8 is 1 byte, setting The size of memory address storage is that the data length of 1 byte is length;
Step 4.2 judges whether this memory address of p+length exceeds the magnitude range for not extracting character string, sentences if exceeding It is set to abnormal data, terminates parsing;Otherwise enter process step 4.3;
Step 4.3, be by initial address the memory segment storage that the first pointer p, length are length data, byte-by-byte copy To initial address be the second pointer q, termination address is in the application heap of q+length-1;
Step 4.4, pi+1=pi+length;That is the size of the first pointer changes into piThe value of+length;qi+1=qi+ length, That is the size of the second pointer changes into qiThe value of+length;
Step 4.5, judge the memory address storage that the first pointer p is directed toward data whether be end mark ' 0 ', if so, the Two pointer q be directed toward memory address on be written a byte data ' 0 ', from the initial address of memory field Buffer to storage The data of the address storage of 0 ' byte of ‘ are the domain name for needing to parse in DNS message, are extracted successfully, exit entire extract and flow Journey;If not end mark ' 0 ', then the data ' ' of a byte are written on the memory address that the second pointer is directed toward, then qi+1 =qi+ 1, i.e. the size of the second pointer changes into the value of the second pointer+1, completes a wheel circulation, then branches to step 4.1.
8. a kind of plug-in behavior monitoring method of game based on DNS traffic characteristic according to claim 5, feature exist In: the DNS message format are as follows: identifier+flag bit+nslookup quantity+response results quantity+certification authority number Amount+additional information quantity+request data text+corresponding data text+domain name authority's data+additional information number According to.
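The following is an added example, not code from the patent or its assignee, written in C because the patent describes a Windows filter driver. It implements the parsing and matching steps of claims 4 to 7 in user space over constructed packets: the header check of claim 6, the label-by-label extraction of claims 5 and 7, and the blacklist substring match of step S33. Assumptions beyond the page: the flags check is generalized from the literal value in claim 6 to a mask that accepts any standard query (QR = 0, opcode = 0); label bytes are copied from one byte past the length byte and the first pointer advances by length + 1, which is what a length-prefixed wire name requires; compression pointers (top two bits set) and labels longer than 63 bytes are rejected as abnormal; the packet bytes, the blacklist entries and the names `dns_query_header_ok`, `dns_extract_qname`, `dns_blacklist_hit` and `demo_check` are all constructed for this example. The WFP direction and remote-port-53 checks of steps S31 and S32 are not reproduced, since they need the kernel callout context.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12   /* id, flags, qdcount, ancount, nscount, arcount (claim 8) */
#define DNS_MAX_LABEL  63
#define DNS_MAX_NAME   253

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* Claim 6, generalized: accept any standard query (QR = 0, opcode = 0) with one question. */
int dns_query_header_ok(const uint8_t *pkt, size_t len)
{
    if (len < DNS_HEADER_LEN)
        return 0;
    uint16_t flags   = be16(pkt + 2);   /* flags field at offset 2 */
    uint16_t qdcount = be16(pkt + 4);   /* question count at offset 4 */
    if (flags & 0x8000)                 /* QR set: this is a response, not a query */
        return 0;
    if (flags & 0x7800)                 /* opcode != 0: not a standard query */
        return 0;
    return qdcount == 1;
}

/* Claims 5 and 7: walk the length-prefixed labels that start at offset 12 and write
 * the dotted name into out. Returns the name length, or -1 for malformed input. */
int dns_extract_qname(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    size_t p = DNS_HEADER_LEN;          /* first pointer: wire-format name */
    size_t q = 0;                       /* second pointer: output buffer (Buffer) */
    if (!dns_query_header_ok(pkt, len) || outsz == 0)
        return -1;
    for (;;) {
        if (p >= len)                   /* no end marker before packet end: abnormal */
            return -1;
        uint8_t length = pkt[p];        /* step 4.1: one-byte label length */
        if (length == 0)                /* step 4.5: end marker */
            break;
        if (length > DNS_MAX_LABEL)     /* covers 0xC0.. compression pointers too */
            return -1;
        if (p + 1 + length > len)       /* step 4.2: bounds check against the packet */
            return -1;
        if (q + (q ? 1 : 0) + length + 1 > outsz)
            return -1;                  /* room for separator, label and terminator */
        if (q)
            out[q++] = '.';             /* step 4.5: separator between labels */
        memcpy(out + q, pkt + p + 1, length);   /* step 4.3: label bytes follow the length byte */
        q += length;
        p += 1 + length;                /* step 4.4, plus the length byte itself */
    }
    if (q == 0)
        return -1;                      /* empty (root) name: nothing to match */
    out[q] = '\0';
    return (int)q;
}

/* Step S33: substring match of each blacklist entry against the parsed name. */
const char *dns_blacklist_hit(const char *name, const char *const *blacklist, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strstr(name, blacklist[i]) != NULL)
            return blacklist[i];
    return NULL;
}

/* Constructed blacklist and packets (not real cheat infrastructure). */
const char *const DEMO_BLACKLIST[] = { "example-cheat.net", "hacktool-updates.example" };
#define DEMO_BLACKLIST_LEN (sizeof DEMO_BLACKLIST / sizeof DEMO_BLACKLIST[0])

/* Standard query, RD=1, one question: update.example-cheat.net A IN */
const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    6, 'u','p','d','a','t','e',
    13, 'e','x','a','m','p','l','e','-','c','h','e','a','t',
    3, 'n','e','t', 0,
    0x00, 0x01, 0x00, 0x01 };
/* Same question but QR=1 (a response): must be ignored by the query parser. */
const uint8_t SAMPLE_RESPONSE[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    6, 'u','p','d','a','t','e', 13, 'e','x','a','m','p','l','e','-','c','h','e','a','t',
    3, 'n','e','t', 0, 0x00, 0x01, 0x00, 0x01 };
/* Label claims 20 bytes but only 3 follow: the step 4.2 check must reject it. */
const uint8_t TRUNCATED_QUERY[] = {
    0x12, 0x35, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    20, 'c','u','t' };

/* 1 = blacklisted, 0 = clean, -1 = not a well-formed query (dropped, not flagged). */
int demo_check(const uint8_t *pkt, size_t len)
{
    char name[DNS_MAX_NAME + 1];
    if (dns_extract_qname(pkt, len, name, sizeof name) < 0)
        return -1;
    return dns_blacklist_hit(name, DEMO_BLACKLIST, DEMO_BLACKLIST_LEN) != NULL;
}

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_extract_qname(SAMPLE_QUERY, sizeof SAMPLE_QUERY, name, sizeof name);
    printf("qname=%s (%d bytes) blacklisted=%d\n", n < 0 ? "?" : name, n,
           demo_check(SAMPLE_QUERY, sizeof SAMPLE_QUERY));
    printf("truncated=%d response=%d\n", demo_check(TRUNCATED_QUERY, sizeof TRUNCATED_QUERY),
           demo_check(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE));
    return 0;
}
```

Two caveats a practitioner would attach to the claimed method. The substring comparison of step S33 means an entry such as "cheat.net" also matches "notcheat.net" or "cheat.network"; matching on label boundaries (exact name or suffix after a '.') is stricter. And because the filter keys on outbound UDP port 53, resolution over DNS-over-HTTPS, DNS-over-TLS or a non-standard resolver port never reaches the callback at all.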

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910765987.9A CN110535719B (en) 2019-08-19 2019-08-19 Game plug-in behavior monitoring method based on DNS flow characteristics

Publications (2)

Publication Number Publication Date
CN110535719A true CN110535719A (en) 2019-12-03
CN110535719B CN110535719B (en) 2021-07-27

Family

ID=68663666

Country Status (1)

Country Link
CN (1) CN110535719B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101110871A (en) * 2007-08-20 2008-01-23 中兴通讯股份有限公司 E.164 domain name analyzing method and DNS server
CN102780588A (en) * 2012-05-22 2012-11-14 华为技术有限公司 Deep message detection method, device, network equipment and system
US20140304328A1 (en) * 2009-08-11 2014-10-09 Sony Computer Entertainment America Llc Management of ancillary content delivery and presentation
CN104219200A (en) * 2013-05-30 2014-12-17 杭州迪普科技有限公司 Device and method for protection from DNS cache attack
CN105117644A (en) * 2015-08-26 2015-12-02 福建天晴数码有限公司 Method and system for acquiring Android plug-in program
CN107019916A (en) * 2017-04-18 2017-08-08 蒙生福 The method and system of the anti-cheating of strange land monitoring game
CN107395564A (en) * 2017-06-15 2017-11-24 公安部交通管理科学研究所 Internet preselects the anti-snatch method and system of automotive number plate
CN108176053A (en) * 2018-01-04 2018-06-19 网易(杭州)网络有限公司 It plays plug-in detection method, device, server, client and storage medium
CN109260711A (en) * 2018-08-15 2019-01-25 宏诚盛世(天津)网络科技有限公司 A kind of network game external store detection system and method
CN109347817A (en) * 2018-10-12 2019-02-15 厦门安胜网络科技有限公司 A kind of method and device that network security redirects
CN109889511A (en) * 2019-01-31 2019-06-14 中国人民解放军61660部队 Process DNS activity monitoring method, equipment and medium

Also Published As

Publication number Publication date
CN110535719B (en) 2021-07-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant