CN110535719A - Method for monitoring game cheat ("plug-in") behaviour based on DNS traffic characteristics - Google Patents
- Publication number: CN110535719A (application number CN201910765987.9A)
- Authority: CN (China)
- Prior art keywords: domain name, data, data packet, plug-in (cheat), address
- Legal status: Granted
Classifications
- H04L43/0876: Network utilisation, e.g. volume of load or congestion level (under H04L43/00, arrangements for monitoring or testing data switching networks, and H04L43/08, monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters)
- H04L61/4511: Network directories; name-to-address mapping using standardised directories and standardised directory access protocols, using the domain name system [DNS] (under H04L61/00, network arrangements, protocols or services for addressing or naming)
- H04L69/22: Parsing or analysis of headers (under H04L69/00, network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
Abstract
The invention provides a method for monitoring game cheat ("plug-in") behaviour based on DNS traffic characteristics. The method comprises the following steps. Step S1: the client, in the Windows application layer, creates a network filter driver in the driver layer. Step S2: a domain name blacklist is established. Step S3: the network filter driver captures all UDP packets at the datagram data layer and compares the domain name that each UDP packet requests to resolve against the domain name blacklist; if the domain name contains any domain name string in the blacklist, the player is judged to be using a cheat. The blacklist stores the domain name strings that a cheat will request to resolve. The invention can efficiently monitor cheat usage with known DNS traffic characteristics.
Description
Technical field
The invention relates to the fields of computer communication technology, software security and game cheat detection, and in particular to a method for monitoring game cheat behaviour based on DNS traffic characteristics.
Background technique
Existing cheat monitoring modules usually rely on detection based on process memory scanning, for example scanning a process's memory space to judge whether it contains cheat signatures. There is currently no publicly disclosed kernel-layer means of monitoring game cheat behaviour based on DNS traffic characteristics.
The existing game cheat monitoring schemes above can be bypassed by cheats using hidden processes, memory polymorphism and similar methods. The scheme described in this patent can monitor such cheat usage. In addition, when applied to monitoring cheat usage scenarios that have DNS traffic characteristics, the patent proves precise and efficient.
Explanation of technical terms:
The WFP filtering framework provided by Microsoft defines many layers in the transmission path of a network packet, for example the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (the flow-established layer), the FWPM_LAYER_STREAM_V4 layer (the stream layer) and the FWPM_LAYER_DATAGRAM_DATA_V4 layer (the datagram data layer). Because a packet is encapsulated according to different network protocols as it passes down the system stack, the data captured at each layer differs. The FWPM_LAYER_DATAGRAM_DATA_V4 layer (datagram data layer) referred to in this patent captures every UDP packet without its IP header.
WFP (Windows Filtering Platform) is a Windows filtering platform used to filter network packets.
The Base Filtering Engine (BFE) is a user-mode service built into the Windows operating system that coordinates the WFP components. Its main tasks are to add and remove filters in the system, store filter configuration and enforce WFP configuration security. Applications communicate with the BFE through WFP management functions such as FwpmEngineOpen.
Summary of the invention
To overcome the problems above, the object of the invention is to provide a method for monitoring game cheat behaviour based on DNS traffic characteristics: a stealthy means of cheat behaviour monitoring that can efficiently monitor cheat usage with known DNS traffic characteristics.
The invention is realised by the following scheme. A method for monitoring game cheat behaviour based on DNS traffic characteristics comprises the following steps:
Step S1: the client, in the Windows application layer, creates a network filter driver in the driver layer;
Step S2: a domain name blacklist is established;
Step S3: the network filter driver captures all UDP packets at the datagram data layer and compares the domain name that each UDP packet requests to resolve against the domain name blacklist; if the domain name contains any domain name string in the blacklist, the player is judged to be using a cheat. The blacklist stores the domain name strings that a cheat will request to resolve.
Further, step S2 is specifically: while the network filter driver is being created, the domain names that the cheat requests to resolve are written into the network filter driver's file; the Windows application loads and opens the network filter driver; after the driver has opened successfully it initialises the domain name blacklist, and during initialisation it inserts every domain name written in the file into the blacklist.
Further, between step S2 and step S3 the method further comprises:
Step S21: the network filter driver obtains a Base Filtering Engine (BFE) handle with the FwpmEngineOpen function, used as a parameter of the subsequent operations;
Step S22: the network filter driver registers, with the FwpsCalloutRegister function, a callback function that monitors data at the datagram data layer;
Step S23: the network filter driver requests the BFE, with the FwpmCalloutAdd function, to add the callback function registered previously;
Step S24: the network filter driver creates a sublayer at the datagram data layer with the FwpmSubLayerAdd function, for capturing data;
Step S25: the network filter driver creates a filter at the datagram data layer through the BFE with the FwpmFilterAdd function and associates the callback function with the sublayer. Once the association is complete, whenever the sublayer captures a network packet the system calls the callback function corresponding to the sublayer with that packet; the callback function of the datagram data layer is used to process UDP packets.
Further, step S3 is specifically:
Step S31: when the callback function of the datagram data layer is called, it judges whether the direction attribute of the network packet indicates a packet sent by the local machine to a remote end; if so, step S32 is entered, otherwise execution of the callback function ends;
Step S32: the callback function judges whether the remote port of the packet is 53; if so, the packet is a DNS packet and step S33 is entered, otherwise execution of the callback function ends;
Step S33: the callback function parses the packet content according to the DNS message format and extracts from the packet the domain name that the DNS message requests to resolve, then traverses the domain name blacklist, comparing each blacklist item with the parsed domain name using a string matching algorithm; if the parsed domain name contains the domain name string stored in any blacklist item, the player is judged to be using a cheat.
Further, the callback function parsing the packet content according to the DNS message format and extracting from the packet the domain name to be resolved specifically comprises the following steps:
Step 1: verify whether the DNS message conforms to the format specification; if it does, the packet is not abnormal and step 2 is entered; if it does not, parsing ends.
Step 2: starting from the address at an offset of 12 bytes from the start of the packet, parse the question section. Because the domain name requested in a DNS packet is stored as a string with a terminator '\0' at its end, the region from the start address of the question section to the end address of the packet is searched, by byte comparison, for the character '\0'. If no '\0' is found in this memory region, the DNS packet content is judged abnormal and the procedure exits; otherwise the memory address of the first '\0' is recorded as the end address pEnd of the requested domain name.
Step 3: the character data stored in the memory between the start address of the question section and the end address pEnd of the requested domain name is the unextracted string of the domain name requested by this DNS packet.
Step 4: allocate a memory region Buffer of the same size as the unextracted string, for storing the extracted string. A first pointer p points at the start address of the unextracted string and a second pointer q points at the start address of Buffer; the extraction loop starts from the first byte of the unextracted string.
Further, verifying whether the DNS message conforms to the format specification is specifically: first take the 2-byte flags field from the address at an offset of 2 bytes from the packet start, then take the 2-byte question count from the address at an offset of 4 bytes from the packet start; if the flags field equals the hexadecimal value 0x1000 and the question count equals the decimal value 1 at the same time, the packet is judged to conform to the DNS packet specification.
Further, the extraction loop that starts from the first byte of the unextracted string in step 4 is specifically:
Step 4.1: read the 1-byte value stored at the memory address that the first pointer points to, as a UINT8, and take this 1-byte data length stored there as length;
Step 4.2: judge whether the memory address p + length exceeds the range of the unextracted string; if it does, the data is judged abnormal and parsing ends; otherwise step 4.3 is entered;
Step 4.3: copy, byte by byte, the data stored in the memory segment starting at the first pointer p with length length into the memory segment starting at the second pointer q and ending at q + length - 1;
Step 4.4: p_{i+1} = p_i + length, i.e. the first pointer is advanced by length; q_{i+1} = q_i + length, i.e. the second pointer is advanced by length;
Step 4.5: judge whether the data stored at the memory address that the first pointer p points to is the terminator '\0'. If so, write the one-byte value '\0' at the memory address that the second pointer q points to; the data stored from the start address of Buffer to the address holding the '\0' byte is the domain name to be resolved in the DNS message, the extraction succeeds and the whole extraction procedure exits. If it is not the terminator '\0', write the one-byte value '.' at the memory address that the second pointer points to, then q_{i+1} = q_i + 1, i.e. the second pointer is advanced by 1; this completes one round of the loop, and the procedure returns to step 4.1.
Further, the DNS message format is: identifier + flags + question count + answer count + authority count + additional count + question section data + answer section data + authority section data + additional section data.
The beneficial effects of the invention are:
1. Using a blacklist mechanism, cheat usage with known DNS traffic characteristics can be monitored efficiently.
2. Using kernel-layer network filtering technology, cheats that bypass detection by traditional application-layer API hooking can still be detected, which greatly increases the difficulty of anti-detection and counter-monitoring for the cheat.
3. Most cheats are paid software and therefore include a login module, so the scheme applies very widely and can be used to detect a large number of cheats.
4. The game cheat monitoring method of this patent is a stealthy means of cheat behaviour monitoring, which improves monitoring capability.
5. The invention provides a scheme for extracting, in the kernel layer, the domain name to be resolved from a DNS message, which improves monitoring accuracy.
Detailed description of the invention
Fig. 1 is a schematic flow diagram of the method of the invention.
Fig. 2 is a flow diagram of how the invention extracts the domain name to be resolved from a DNS message.
Specific embodiment
The invention is further described below with reference to the accompanying drawings.
Referring to Fig. 1 and Fig. 2, the invention is a method for monitoring game cheat behaviour based on DNS traffic characteristics. It is based on Microsoft's WFP network filter driver framework: a network filter is installed at the bottom of the system to capture the cheat's network request behaviour. The method comprises the following steps:
Step S1: the client, in the Windows application layer, creates a network filter driver in the driver layer;
Step S2: a domain name blacklist is established. Step S2 is specifically: while the network filter driver is being created, the domain names that the cheat requests to resolve are written into the network filter driver's file; the Windows application loads and opens the network filter driver; after the driver has opened successfully it initialises the domain name blacklist, and during initialisation it inserts every domain name written in the file into the blacklist. In addition, each blacklist entry stored in the blacklist must be a feature unique to the cheat, i.e. no program other than the cheat performs this network access, or does so only with an extremely low probability; otherwise there is a risk of false positives.
Step S3: the network filter driver captures all UDP packets at the datagram data layer (i.e. the FWPM_LAYER_DATAGRAM_DATA_V4 layer) and compares the domain name that each UDP packet requests to resolve against the domain name blacklist; if the domain name contains any domain name string in the blacklist, the player is judged to be using a cheat. The blacklist stores the domain name strings that a cheat will request to resolve.
In the invention, between step S2 and step S3 the method further comprises:
Step S21: the network filter driver obtains a Base Filtering Engine (BFE) handle with the FwpmEngineOpen function, used as a parameter of the subsequent operations;
Step S22: the network filter driver registers, with the FwpsCalloutRegister function, a callback function that monitors data at the datagram data layer;
Step S23: the network filter driver requests the BFE, with the FwpmCalloutAdd function, to add the callback function registered previously;
Step S24: the network filter driver creates a sublayer at the datagram data layer with the FwpmSubLayerAdd function, for capturing data;
Step S25: the network filter driver creates a filter at the datagram data layer through the BFE with the FwpmFilterAdd function and associates the callback function with the sublayer. Once the association is complete, whenever the sublayer filter captures a network packet the system calls the callback function corresponding to the sublayer with that packet; the callback function of the datagram data layer is used to process UDP packets.
In the invention, step S3 is specifically:
Step S31: when the callback function of the datagram data layer is called, it judges whether the direction attribute of the network packet indicates a packet sent by the local machine to a remote end; if so, step S32 is entered, otherwise execution of the callback function ends;
Step S32: the callback function judges whether the remote port of the packet is 53; if so, the packet is a DNS packet and step S33 is entered, otherwise execution of the callback function ends;
Step S33: the callback function parses the packet content according to the DNS message format and extracts from the packet the domain name that the DNS message requests to resolve, then traverses the domain name blacklist, comparing each blacklist item with the parsed domain name using a string matching algorithm; if the parsed domain name contains the domain name string stored in any blacklist item, the player is judged to be using a cheat. The string matching algorithm may be the KMP algorithm; other algorithms may also be used in practice.
The DNS message format is: identifier + flags + question count + answer count + authority count + additional count + question section data + answer section data + authority section data + additional section data. The callback function parsing the packet content according to this format and extracting from the packet the domain name to be resolved specifically comprises the following steps:
Step 1: verify whether the DNS message conforms to the format specification. First take the 2-byte flags field uFlags from the address at an offset of 2 bytes from the packet start, then take the 2-byte question count uQuestions from the address at an offset of 4 bytes from the packet start. If uFlags equals the hexadecimal value 0x1000 and uQuestions equals the decimal value 1 at the same time, the packet is judged to conform to the DNS packet specification and not to be abnormal, and step 2 is entered; otherwise parsing ends.
Step 2: starting from the address pRequestBuffer, at an offset of 12 bytes from the start of the packet, parse the question section. Because the domain name requested in a DNS packet is stored as a string with a terminator '\0' at its end, the region from the start address pRequestBuffer to the end address of the packet is searched, by byte comparison, for the character '\0'. If no '\0' is found in this memory region, the DNS packet content is judged abnormal and the procedure exits; otherwise the memory address of the first '\0' is recorded as the end address pEnd of the requested domain name.
Step 3: the character data stored in the memory between the start address pRequestBuffer of the question section and the end address pEnd of the requested domain name is the unextracted string of the domain name requested by this DNS packet.
Step 4: allocate a memory region Buffer of the same size as the unextracted string, for storing the extracted string. A first pointer p points at the start address of the unextracted string and a second pointer q points at the start address of Buffer; the extraction loop starts from the first byte of the unextracted string.
In the invention, the extraction loop that starts from the first byte of the unextracted string in step 4 is specifically:
Step 4.1: read the 1-byte value stored at the memory address that the first pointer points to, as a UINT8, and take this 1-byte data length stored there as length;
Step 4.2: judge whether the memory address p + length exceeds the range of the unextracted string; if it does, the data is judged abnormal and parsing ends; otherwise step 4.3 is entered;
Step 4.3: copy, byte by byte, the data stored in the memory segment starting at the first pointer p with length length into the memory segment starting at the second pointer q and ending at q + length - 1;
Step 4.4: p_{i+1} = p_i + length, i.e. the first pointer is advanced by length; q_{i+1} = q_i + length, i.e. the second pointer is advanced by length;
Step 4.5: judge whether the data stored at the memory address that the first pointer p points to is the terminator '\0'. If so, write the one-byte value '\0' at the memory address that the second pointer q points to; the data stored from the start address of Buffer to the address holding the '\0' byte is the domain name to be resolved in the DNS message, the extraction succeeds and the whole extraction procedure exits. If it is not the terminator '\0', write the one-byte value '.' at the memory address that the second pointer points to, then q_{i+1} = q_i + 1, i.e. the second pointer is advanced by 1; this completes one round of the loop, and the procedure returns to step 4.1.
The string before conversion is shown in Table 1:
Table 1
| a | label of length a, no terminator | b | label of length b, no terminator | ...... | n | label of length n, no terminator | '\0' |
The string after conversion is shown in Table 2:
Table 2
| label of length a, no terminator | '.' | label of length b, no terminator | ...... | '.' | label of length n, no terminator | '\0' |
The specific implementation of the patent scheme is further described below with reference to a specific embodiment:
1. Assume that game cheat A is cheat software that attacks network game client C, a product of game company B. After its process starts, cheat A accesses "tools.cheat.com", and apart from cheat A no other process makes the same network request.
2. Game company B uses network filter driver D, developed according to this scheme, to detect whether a player is running cheat A, and thereby protects game client C.
3. After the player runs game client C, client C automatically loads network filter driver D. After loading successfully, driver D initialises the domain name blacklist and inserts into it the blacklist entry "cheat.com", dedicated to detecting cheat A.
4. Driver D completes the sequence of operations of registering the callback function, creating the sublayer and opening the filter at the FWPM_LAYER_DATAGRAM_DATA_V4 layer (datagram data layer), after which the network packet filtering function is active.
5. Assume that while client C is running, the player starts cheat A. After starting successfully, cheat A attempts to access "tools.cheat.com"; before the access the domain name must be resolved to obtain its IP address. The Windows system process svchost.exe sends a DNS packet to the DNS server requesting resolution of the IP address of "tools.cheat.com".
6. After the filter in the FWPM_LAYER_DATAGRAM_DATA_V4 sublayer captures this packet, it determines that the direction attribute of this network request is FWP_DIRECTION_INBOUND and that the remote port is 53, and therefore judges the packet to be a DNS packet.
7. The callback function parses the packet content according to the DNS message format and extracts from it the domain name string "tools.cheat.com" that the DNS packet requests to resolve. It then traverses the domain name blacklist, comparing "tools.cheat.com" with each blacklist entry. When the entry "cheat.com" is reached, "tools.cheat.com" contains the string stored in that entry, so the DNS packet is judged to match the blacklist rule, and the player is judged to be using cheat A.
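The domain name extraction of steps 1 to 4 (in the description and claims 5 to 7) together with the blacklist comparison of step S33, as an added C example that is not part of the patent: it parses a constructed query for the embodiment's "tools.cheat.com", rejects a packet with no terminator or with an over-long label, and matches the result against the embodiment's blacklist entry "cheat.com". Two points are assumptions: the expected flags value 0x0100 (an RFC 1035 standard query with RD set), where the page states 0x1000 for the same check, and the rejection of compression pointers, which the page does not describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* question section starts at offset 12 (step 2) */
#define MAX_NAME    256
/* Assumption: a standard recursive query carries flags 0x0100 in network byte
 * order (RFC 1035, RD set); the page states 0x1000 for this check. */
#define EXPECTED_FLAGS 0x0100

/* Blacklist from the page's worked embodiment: one entry unique to cheat A. */
static const char *const BLACKLIST[] = { "cheat.com" };
#define BLACKLIST_LEN (sizeof BLACKLIST / sizeof BLACKLIST[0])

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Step 1: flags at offset 2 and question count at offset 4 must match. */
int dns_header_ok(const uint8_t *pkt, size_t len) {
    return len >= DNS_HDR_LEN && rd16(pkt + 2) == EXPECTED_FLAGS && rd16(pkt + 4) == 1;
}

/* Steps 2-4: find the '\0' that ends the label-encoded QNAME, then copy each
 * length-prefixed label into out, writing '.' between labels (Table 1 -> Table 2).
 * Returns the dotted name's length, or -1 for a malformed packet. */
int dns_extract_qname(const uint8_t *pkt, size_t len, char *out, size_t outsz) {
    if (!dns_header_ok(pkt, len)) return -1;
    const uint8_t *p = pkt + DNS_HDR_LEN;                   /* first pointer p */
    const uint8_t *pEnd = memchr(p, 0, len - DNS_HDR_LEN);  /* step 2 */
    if (pEnd == NULL) return -1;              /* no terminator: abnormal packet */
    size_t q = 0;                              /* second pointer q into Buffer */
    while (*p != 0) {
        size_t length = *p++;                  /* step 4.1: one UINT8 length byte */
        if (length & 0xC0) return -1;          /* added check: compression pointer, not a plain label */
        if (p + length > pEnd) return -1;      /* step 4.2: label runs past the name */
        if (q + length + 1 >= outsz) return -1;
        memcpy(out + q, p, length);            /* step 4.3 */
        p += length; q += length;              /* step 4.4 */
        if (*p != 0) out[q++] = '.';           /* step 4.5: separator between labels */
    }
    out[q] = '\0';
    return (int)q;
}

/* Step S33: substring comparison against each blacklist item.
 * Returns the index of the first matching item, or -1. */
int blacklist_match(const char *name, const char *const *bl, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strstr(name, bl[i]) != NULL) return (int)i;
    return -1;
}

/* Callback logic for one UDP payload to port 53 (steps S32/S33):
 * -2 malformed, -1 no blacklist hit, >= 0 index of the matching item. */
int inspect_dns_payload(const uint8_t *pkt, size_t len, char *name, size_t namesz) {
    if (dns_extract_qname(pkt, len, name, namesz) < 0) return -2;
    return blacklist_match(name, BLACKLIST, BLACKLIST_LEN);
}

/* Constructed test input (not captured traffic): an A query for qname with
 * transaction id 0x1234 and flags 0x0100. Returns bytes written, 0 on error. */
size_t build_query(const char *qname, uint8_t *buf, size_t bufsz) {
    size_t pos = DNS_HDR_LEN;
    if (bufsz < DNS_HDR_LEN + strlen(qname) + 6) return 0;
    memset(buf, 0, DNS_HDR_LEN);
    buf[0] = 0x12; buf[1] = 0x34;           /* id */
    buf[2] = 0x01; buf[3] = 0x00;           /* flags: standard query, RD */
    buf[5] = 0x01;                           /* QDCOUNT = 1 */
    for (const char *label = qname; *label != '\0'; ) {
        const char *dot = strchr(label, '.');
        size_t l = dot ? (size_t)(dot - label) : strlen(label);
        if (l == 0 || l > 63) return 0;
        buf[pos++] = (uint8_t)l;
        memcpy(buf + pos, label, l);
        pos += l; label += l;
        if (*label == '.') label++;
    }
    buf[pos++] = 0;                          /* end of QNAME */
    buf[pos++] = 0; buf[pos++] = 1;          /* QTYPE A */
    buf[pos++] = 0; buf[pos++] = 1;          /* QCLASS IN */
    return pos;
}

/* Builds a query for qname, optionally truncates it to cut bytes (0 = keep) or
 * overwrites the first label length with bad_len (0 = keep), then inspects it. */
int run_case(const char *qname, size_t cut, uint8_t bad_len, char *name, size_t namesz) {
    uint8_t buf[512];
    size_t n = build_query(qname, buf, sizeof buf);
    if (n == 0) return -2;
    if (cut != 0 && cut < n) n = cut;
    if (bad_len != 0) buf[DNS_HDR_LEN] = bad_len;
    return inspect_dns_payload(buf, n, name, namesz);
}

int main(void) {
    char name[MAX_NAME];
    int r = run_case("tools.cheat.com", 0, 0, name, sizeof name);
    printf("%s -> %s\n", name, r >= 0 ? "blacklist hit" : "clean");
    return 0;
}
```

Because the comparison is a substring match, "cheat.com" also matches any name that merely contains it, which is why the description requires each blacklist entry to be unique to the cheat.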
The foregoing are merely preferred embodiments of the invention; all equivalent changes and modifications made within the scope of the patent are covered by the invention.
Claims (8)
1. A method for monitoring game cheat behaviour based on DNS traffic characteristics, characterised in that the method comprises the following steps:
Step S1: the client, in the Windows application layer, creates a network filter driver in the driver layer;
Step S2: a domain name blacklist is established;
Step S3: the network filter driver captures all UDP packets at the datagram data layer and compares the domain name that each UDP packet requests to resolve against the domain name blacklist; if the domain name contains any domain name string in the blacklist, the player is judged to be using a cheat. The blacklist stores the domain name strings that a cheat will request to resolve.
2. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 1, characterised in that step S2 is specifically: while the network filter driver is being created, the domain names that the cheat requests to resolve are written into the network filter driver's file; the Windows application loads and opens the network filter driver; after the driver has opened successfully it initialises the domain name blacklist, and during initialisation it inserts every domain name written in the file into the blacklist.
3. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 1, characterised in that between step S2 and step S3 the method further comprises:
Step S21: the network filter driver obtains a Base Filtering Engine (BFE) handle with the FwpmEngineOpen function, used as a parameter of the subsequent operations;
Step S22: the network filter driver registers, with the FwpsCalloutRegister function, a callback function that monitors data at the datagram data layer;
Step S23: the network filter driver requests the BFE, with the FwpmCalloutAdd function, to add the callback function registered previously;
Step S24: the network filter driver creates a sublayer at the datagram data layer with the FwpmSubLayerAdd function, for capturing data;
Step S25: the network filter driver creates a filter at the datagram data layer through the BFE with the FwpmFilterAdd function and associates the callback function with the sublayer. Once the association is complete, whenever the sublayer captures a network packet the system calls the callback function corresponding to the sublayer with that packet; the callback function of the datagram data layer is used to process UDP packets.
4. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 3, characterised in that step S3 is specifically:
Step S31: when the callback function of the datagram data layer is called, it judges whether the direction attribute of the network packet indicates a packet sent by the local machine to a remote end; if so, step S32 is entered, otherwise execution of the callback function ends;
Step S32: the callback function judges whether the remote port of the packet is 53; if so, step S33 is entered, otherwise execution of the callback function ends;
Step S33: the callback function parses the packet content according to the DNS message format and extracts from the packet the domain name that the DNS message requests to resolve, then traverses the domain name blacklist, comparing each blacklist item with the parsed domain name using a string matching algorithm; if the parsed domain name contains the domain name string stored in any blacklist item, the player is judged to be using a cheat.
5. The method for monitoring game cheat behaviour based on DNS traffic characteristics according to claim 4, characterised in that the callback function parsing the packet content according to the DNS message format and extracting from the packet the domain name to be resolved specifically comprises the following steps:
Step 1: verify whether the DNS message conforms to the format specification; if it does, the packet is not abnormal and step 2 is entered; if it does not, parsing ends.
Step 2: starting from the address at an offset of 12 bytes from the start of the packet, parse the question section. Because the domain name requested in a DNS packet is stored as a string with a terminator '\0' at its end, the region from the start address of the question section to the end address of the packet is searched, by byte comparison, for the character '\0'. If no '\0' is found in this memory region, the DNS packet content is judged abnormal and the procedure exits; otherwise the memory address of the first '\0' is recorded as the end address pEnd of the requested domain name.
Step 3: the character data stored in the memory between the start address of the question section and the end address pEnd of the requested domain name is the unextracted string of the domain name requested by this DNS packet.
Step 4: allocate a memory region Buffer of the same size as the unextracted string, for storing the extracted string. A first pointer p points at the start address of the unextracted string and a second pointer q points at the start address of Buffer; the extraction loop starts from the first byte of the unextracted string.
6. The game plug-in behavior monitoring method based on DNS traffic characteristics according to claim 5, characterized in that verifying whether the DNS message conforms to the format specification specifically means: first read the 2-byte flag information at the address offset 2 bytes from the start address of the data packet, then read the 2-byte query domain name count at the address offset 4 bytes from the start address of the data packet; if the flag information equals the hexadecimal number 0x1000 and at the same time the query domain name count equals the decimal number 1, the packet is determined to conform to the DNS packet specification.
7. The game plug-in behavior monitoring method based on DNS traffic characteristics according to claim 5, characterized in that starting the string extraction loop from the first byte of the unextracted string in step 4 specifically comprises:
Step 4.1: read, in UINT8 format, the 1-byte value stored at the memory address the first pointer points to, and set the data length length to that 1-byte value;
Step 4.2: judge whether the memory address p + length exceeds the range of the unextracted string; if it does, the data is determined to be abnormal and parsing ends; otherwise proceed to step 4.3;
Step 4.3: copy, byte by byte, the data stored in the memory segment starting at the first pointer p with length length into the memory area starting at the second pointer q and ending at the address q + length - 1;
Step 4.4: p_{i+1} = p_i + length, that is, the first pointer becomes p_i + length; q_{i+1} = q_i + length, that is, the second pointer becomes q_i + length;
Step 4.5: judge whether the data stored at the memory address the first pointer p points to is the end mark '0'. If so, write a one-byte datum '0' at the memory address the second pointer q points to; the data from the start address of the memory area Buffer to the address storing the '0' byte is the domain name to be resolved in the DNS message, extraction succeeds, and the whole extraction procedure exits. If it is not the end mark '0', write the one-byte separator '.' at the memory address the second pointer points to, then q_{i+1} = q_i + 1, that is, the second pointer becomes the second pointer + 1; one round of the loop is complete and the procedure jumps back to step 4.1.
8. The game plug-in behavior monitoring method based on DNS traffic characteristics according to claim 5, characterized in that the DNS message format is: identifier + flag bits + number of query domain names + number of response results + number of authority records + number of additional records + request data section + response data section + domain name authority data + additional information data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910765987.9A CN110535719B (en) | 2019-08-19 | 2019-08-19 | Game plug-in behavior monitoring method based on DNS flow characteristics |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910765987.9A CN110535719B (en) | 2019-08-19 | 2019-08-19 | Game plug-in behavior monitoring method based on DNS flow characteristics |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110535719A (en) | 2019-12-03 |
CN110535719B (en) | 2021-07-27 |
Family
ID=68663666
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910765987.9A Active CN110535719B (en) | 2019-08-19 | 2019-08-19 | Game plug-in behavior monitoring method based on DNS flow characteristics |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110535719B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101110871A (en) * | 2007-08-20 | 2008-01-23 | 中兴通讯股份有限公司 | E.164 domain name analyzing method and DNS server |
CN102780588A (en) * | 2012-05-22 | 2012-11-14 | 华为技术有限公司 | Deep message detection method, device, network equipment and system |
US20140304328A1 (en) * | 2009-08-11 | 2014-10-09 | Sony Computer Entertainment America Llc | Management of ancillary content delivery and presentation |
CN104219200A (en) * | 2013-05-30 | 2014-12-17 | 杭州迪普科技有限公司 | Device and method for protection from DNS cache attack |
CN105117644A (en) * | 2015-08-26 | 2015-12-02 | 福建天晴数码有限公司 | Method and system for acquiring Android plug-in program |
CN107019916A (en) * | 2017-04-18 | 2017-08-08 | 蒙生福 | The method and system of the anti-cheating of strange land monitoring game |
CN107395564A (en) * | 2017-06-15 | 2017-11-24 | 公安部交通管理科学研究所 | Internet preselects the anti-snatch method and system of automotive number plate |
CN108176053A (en) * | 2018-01-04 | 2018-06-19 | 网易(杭州)网络有限公司 | It plays plug-in detection method, device, server, client and storage medium |
CN109260711A (en) * | 2018-08-15 | 2019-01-25 | 宏诚盛世(天津)网络科技有限公司 | A kind of network game external store detection system and method |
CN109347817A (en) * | 2018-10-12 | 2019-02-15 | 厦门安胜网络科技有限公司 | A kind of method and device that network security redirects |
CN109889511A (en) * | 2019-01-31 | 2019-06-14 | 中国人民解放军61660部队 | Process DNS activity monitoring method, equipment and medium |
2019
- 2019-08-19 CN CN201910765987.9A patent/CN110535719B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN110535719B (en) | 2021-07-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109951500A (en) | | Network attack detecting method and device |
US7831703B2 (en) | | Apparatus and method for monitoring and auditing activity of a legacy environment |
CN109347827B (en) | | Method, device, equipment and storage medium for predicting network attack behavior |
CN107465651A (en) | | Network attack detecting method and device |
EP2244418A1 (en) | | Database security monitoring method, device and system |
CN110768875A (en) | | Application identification method and system based on DNS learning |
CN105991628A (en) | | Network attack identification method and network attack identification device |
CN106911637A (en) | | Cyberthreat treating method and apparatus |
CN109818970A (en) | | A kind of data processing method and device |
CN101997700A (en) | | Internet protocol version 6 (IPv6) monitoring equipment based on deep packet inspection and deep flow inspection |
US8505098B2 (en) | | Method for recording, recovering, and replaying real traffic |
CN109525587A (en) | | A kind of recognition methods of data packet and device |
CN108076017A (en) | | The protocol analysis method and device of a kind of data packet |
CN109889511A (en) | | Process DNS activity monitoring method, equipment and medium |
CN108234345A (en) | | A kind of traffic characteristic recognition methods of terminal network application, device and system |
CN109727027A (en) | | Account recognition methods, device, equipment and storage medium |
CN100493065C (en) | | Method for using immediate information software by data detection network address switching equipment |
IL176551A (en) | | Apparatus and method for monitoring and auditing activity of a legacy environment |
CN110404267A (en) | | A kind of plug-in detection method of game based on HTTP flow HOST field feature |
CN112422515B (en) | | Protocol vulnerability testing method and device and storage medium |
CN110368695A (en) | | A kind of plug-in detection method of game based on HTTP flow URI feature |
CN110535719A (en) | | A kind of plug-in behavior monitoring method of game based on DNS traffic characteristic |
JP2008192122A (en) | | Malicious mail detector, detecting method and program |
CN105610639A (en) | | Total log grabbing method and device |
CN110465094A (en) | | A kind of plug-in detection method of game based on IP port diagnostic |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||