CN110535719B - Game plug-in behavior monitoring method based on DNS flow characteristics - Google Patents


Info

Publication number
CN110535719B
Authority
CN
China
Prior art keywords
domain name
data
address
data packet
character string
Prior art date
Legal status
Active
Application number
CN201910765987.9A
Other languages
Chinese (zh)
Other versions
CN110535719A (en)
Inventor
刘德建
任佳伟
陈宏展
Current Assignee
Fujian Tianqing Online Interactive Technology Co Ltd
Original Assignee
Fujian Tianqing Online Interactive Technology Co Ltd
Events
Application filed by Fujian Tianqing Online Interactive Technology Co Ltd
Priority to CN201910765987.9A
Publication of CN110535719A
Application granted
Publication of CN110535719B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Abstract

The invention provides a method for monitoring game-cheat behaviour based on DNS traffic characteristics, comprising the following steps: step S1, the client at the Windows application layer creates a network filter driver at the driver layer; step S2, a domain name blacklist is established; step S3, the network filter driver captures all UDP packets at the datagram data layer and compares the domain name whose resolution each UDP packet requests against the domain name blacklist; if the requested domain name contains any domain name string in the blacklist, the player is judged to be using a cheat. The domain name blacklist stores the domain name strings that cheats request to resolve. The invention can efficiently monitor the use of cheats whose DNS traffic characteristics are known.

Description

Game plug-in behavior monitoring method based on DNS flow characteristics
Technical Field
The invention relates to the technical fields of computer system communication, software security and game-cheat detection, and in particular to a method for monitoring game-cheat (外挂, rendered "plug-in" in the literal translation of the title) behaviour based on DNS traffic characteristics.
Background
Existing cheat-monitoring modules usually rely on detection based on process memory scanning, for example scanning a process's memory space for known cheat signatures.
Such schemes can be bypassed by cheats that use process hiding, memory polymorphism and similar techniques. The scheme described in this patent monitors the use of a cheat through its network behaviour instead; for cheat-use scenarios that exhibit DNS traffic characteristics, the monitoring is accurate and efficient.
Interpretation of professional terms:
The WFP filtering framework provided by Microsoft defines many layers along the path of a network packet, for example FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 (the flow-established layer), FWPM_LAYER_STREAM_V4 (the stream layer) and FWPM_LAYER_DATAGRAM_DATA_V4 (the datagram data layer). Because packets are encapsulated by the lower layers of the system according to their protocol, the data captured at different layers differs. This patent uses FWPM_LAYER_DATAGRAM_DATA_V4, at which all UDP packets can be captured with the IP header already stripped.
WFP (Windows Filtering Platform) is the Windows platform for filtering network packets.
The Base Filtering Engine (BFE) is a user-mode service of the Windows operating system that coordinates the WFP components; its main tasks are adding filters to and removing filters from the system, storing filter configuration and enforcing the security of the WFP configuration. An application communicates with the BFE through WFP management functions such as FwpmEngineOpen.
Disclosure of Invention
To overcome these problems, the invention aims to provide a method for monitoring game-cheat behaviour based on DNS traffic characteristics: a covert means of monitoring cheat behaviour that can efficiently monitor the use of cheats whose DNS traffic characteristics are known.
The invention is realised by the following scheme. A method for monitoring game-cheat behaviour based on DNS traffic characteristics comprises the following steps: step S1, the client at the Windows application layer creates a network filter driver at the driver layer;
step S2, a domain name blacklist is established;
step S3, the network filter driver captures all UDP packets at the datagram data layer, compares the domain name whose resolution each UDP packet requests against the domain name blacklist, and judges that the player is using a cheat if the requested domain name contains any domain name string in the blacklist; the domain name blacklist stores the domain name strings that cheats request to resolve.
Further, step S2 is specifically: while the network filter driver is being built, the domain names that the cheat requests to resolve are written into a file of the network filter driver, and the Windows application loads and starts the driver; after the driver starts successfully it initialises the domain name blacklist, inserting every domain name written in the file into the blacklist during initialisation.
Further, between step S2 and step S3 the method further includes: step S21, the network filter driver calls FwpmEngineOpen to obtain a handle to the Base Filtering Engine (BFE), used as a parameter of the subsequent operations;
step S22, the network filter driver calls FwpsCalloutRegister to register a callout function that monitors data at the datagram data layer;
step S23, the network filter driver calls FwpmCalloutAdd to ask the BFE to add the callout registered in the previous step;
step S24, the network filter driver calls FwpmSubLayerAdd to create a sub-layer at the datagram data layer for capturing data;
step S25, the network filter driver calls FwpmFilterAdd to create, through the BFE, a filter at the datagram data layer that associates the callout with the sub-layer; once associated, whenever the sub-layer captures a network packet the system invokes the callout function corresponding to the sub-layer to process it, and the datagram data layer's callout is what processes the UDP packets.
Further, step S3 is specifically: step S31, when the datagram-data-layer callout is invoked, it checks whether the packet's direction attribute indicates a packet sent by the local machine to a remote host; if so, proceed to step S32, otherwise the callout returns;
step S32, the callout checks whether the packet's remote port is 53; if so the packet is a DNS packet and step S33 follows, otherwise the callout returns;
step S33, the callout parses the packet content according to the DNS message format, extracts the domain name to be resolved from the DNS message, then traverses the domain name blacklist, comparing each blacklist entry with the extracted domain name using a string-matching algorithm; if the extracted domain name contains the domain name string stored in any blacklist entry, the player is judged to be using a cheat.
Further, the callout parsing the packet content according to the DNS message format and extracting the domain name to be resolved from the packet specifically includes the following steps:
step 1, check whether the DNS message conforms to the format specification; if so, the message is not an abnormal packet and step 2 follows; if not, parsing ends;
step 2, the request data body (the question section) starts at offset 12 bytes from the start of the packet; the domain name requested in the DNS packet is stored there as a string terminated by a '\0' byte, so the region from the start of the request body to the end of the packet is scanned byte by byte for '\0'; if no '\0' exists in that region the DNS packet content is judged abnormal and parsing exits, otherwise the address of the first '\0' is recorded as the end address pEnd of the requested domain name;
step 3, the bytes stored from the start of the request body to the end address pEnd are the unextracted (wire-format) string of the domain name requested by the DNS packet;
step 4, allocate a memory area Buffer of the same size as the unextracted string to hold the extracted string; point a first pointer p at the start of the unextracted string and a second pointer q at the start of Buffer, and extract the string in a loop starting from the first byte of the unextracted string.
Further, checking whether the DNS message meets the format specification is specifically: first read the 2-byte flags field at offset 2 bytes from the start of the packet, then read the 2-byte question count at offset 4 bytes from the start of the packet; if the flags field equals the hexadecimal number 0x1000 and the question count equals the decimal number 1, the packet is judged to conform to the DNS packet specification.
Further, the loop in step 4 that extracts the string from the first byte of the unextracted string further includes: step 4.1, read the 1-byte value at the address pointed to by the first pointer p as a UINT8 and take it as the label length, length;
step 4.2, check whether the address p + length exceeds the extent of the unextracted string; if so, the data is abnormal and parsing ends, otherwise proceed to step 4.3;
step 4.3, copy, byte by byte, the length bytes at the first pointer p into the memory segment starting at the second pointer q and ending at q + length - 1;
step 4.4, set p_{i+1} = p_i + length, i.e. advance the first pointer by length; set q_{i+1} = q_i + length, i.e. advance the second pointer by length;
step 4.5, check whether the byte at the address pointed to by the first pointer p is the terminator '\0'; if so, write one '\0' byte at the address pointed to by the second pointer q; the data from the start of Buffer up to that '\0' byte is then the domain name to be resolved in the DNS message, extraction has succeeded and the whole extraction process exits. If not, write one separator byte '.' at the address pointed to by the second pointer, then set q_{i+1} = q_i + 1, i.e. advance the second pointer by one, completing one loop iteration, and jump back to step 4.1.
Further, the DNS message format is: identifier + flags + number of questions + number of answers + number of authority records + number of additional records + question section (request data body) + answer section + authority section + additional section.
The beneficial effects of the invention are: 1. using a behaviour blacklist mechanism, the use of cheats whose DNS traffic characteristics are known can be monitored efficiently.
2. Because the network filtering is done at the kernel layer, cheats cannot evade the detection with conventional application-layer API hooking, which greatly increases the difficulty of anti-detection and anti-monitoring for cheats.
3. Most cheats are paid products and contain a login module, so the scheme applies broadly and can be used to detect a large number of cheats.
4. The method is a covert means of monitoring cheating behaviour and improves monitoring capability.
5. The invention provides a scheme for extracting the domain name to be resolved from a DNS message at the kernel layer, improving monitoring accuracy.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
Fig. 2 is a schematic flow chart of extracting a domain name to be resolved in a DNS message according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Referring to fig. 1 and fig. 2, in the method for monitoring game-cheat behaviour based on DNS traffic characteristics according to the present invention, a network filter is installed at the bottom layer of the system, based on Microsoft's WFP network filter driver framework, to capture the cheat's network request behaviour. The method comprises the following steps: step S1, the client at the Windows application layer creates a network filter driver at the driver layer;
step S2, a domain name blacklist is established. Step S2 further includes: while the network filter driver is being built, the domain names that the cheat requests to resolve are written into a file of the network filter driver, and the Windows application loads and starts the driver; after the driver starts successfully it initialises the domain name blacklist, inserting every domain name written in the file into the blacklist during initialisation. In addition, the entries stored in the blacklist must be characteristic of the cheat, i.e. programs other than the cheat have no network access to them, or only with extremely low probability; otherwise there is a risk of false positives.
Step S3, the network filter driver captures all UDP packets at the datagram data layer (i.e. FWPM_LAYER_DATAGRAM_DATA_V4) and compares the domain name whose resolution each UDP packet requests against the domain name blacklist; if the requested domain name contains any domain name string in the blacklist, it is determined that the player is cheating. The domain name blacklist stores the domain name strings that the cheat requests to resolve.
In the present invention, between step S2 and step S3 the method further includes: step S21, the network filter driver calls FwpmEngineOpen to obtain a handle to the Base Filtering Engine (BFE), used as a parameter of the subsequent operations;
step S22, the network filter driver calls FwpsCalloutRegister to register a callout function that monitors data at the datagram data layer;
step S23, the network filter driver calls FwpmCalloutAdd to ask the BFE to add the callout registered in the previous step;
step S24, the network filter driver calls FwpmSubLayerAdd to create a sub-layer at the datagram data layer for capturing data;
step S25, the network filter driver calls FwpmFilterAdd to create, through the BFE, a filter at the datagram data layer that associates the callout with the sub-layer; once associated, whenever the sub-layer's filter captures a network packet the system invokes the callout function corresponding to the sub-layer to process it, and the datagram data layer's callout is what processes the UDP packets.
In the present invention, step S3 further includes: step S31, when the datagram-data-layer callout is invoked, it checks whether the packet's direction attribute indicates a packet sent by the local machine to a remote host; if so, proceed to step S32, otherwise the callout returns;
step S32, the callout checks whether the packet's remote port is 53; if so the packet is a DNS packet and step S33 follows, otherwise the callout returns;
step S33, the callout parses the packet content according to the DNS message format, extracts the domain name to be resolved from the DNS message, then traverses the domain name blacklist, comparing each blacklist entry with the extracted domain name using a string-matching algorithm; if the extracted domain name contains the domain name string stored in any blacklist entry, the player is judged to be using a cheat. The string-matching algorithm may be KMP, or another algorithm in practical applications.
The DNS message format is: identifier + flags + number of questions + number of answers + number of authority records + number of additional records + question section (request data body) + answer section + authority section + additional section. The callout parses the packet content according to this format, and extracting the domain name to be resolved from the packet specifically comprises the following steps:
step 1, check whether the DNS message conforms to the format specification: first read the 2-byte flags field uFlags at offset 2 bytes from the start of the packet, then read the 2-byte question count uQuestions at offset 4 bytes from the start of the packet; if uFlags equals the hexadecimal number 0x1000 and uQuestions equals the decimal number 1, the packet is judged to conform to the DNS packet specification and not to be an abnormal packet, and step 2 follows; otherwise parsing ends.
Step 2, the request data body pRequestBuffer (the question section) starts at offset 12 bytes from the start of the packet; the domain name requested in the DNS packet is stored there as a string terminated by a '\0' byte, so the region from the start of pRequestBuffer to the end of the packet is scanned byte by byte for '\0'; if no '\0' exists in that region the DNS packet content is judged abnormal and the process exits. Otherwise the address of the first '\0' is recorded as the end address pEnd of the requested domain name.
Step 3, the bytes stored from the start of the request body pRequestBuffer to the end address pEnd are the unextracted (wire-format) string of the domain name requested by the DNS packet.
Step 4, allocate a memory area Buffer of the same size as the unextracted string to hold the extracted string; point a first pointer p at the start of the unextracted string and a second pointer q at the start of Buffer, and extract the string in a loop starting from the first byte of the unextracted string.
In the present invention, the loop in step 4 that extracts the string from the first byte of the unextracted string further specifically includes: step 4.1, read the 1-byte value at the address pointed to by the first pointer p as a UINT8 and take it as the label length, length;
step 4.2, check whether the address p + length exceeds the extent of the unextracted string; if so, the data is abnormal and parsing ends, otherwise proceed to step 4.3;
step 4.3, copy, byte by byte, the length bytes at the first pointer p into the memory segment starting at the second pointer q and ending at q + length - 1;
step 4.4, set p_{i+1} = p_i + length, i.e. advance the first pointer by length; set q_{i+1} = q_i + length, i.e. advance the second pointer by length;
step 4.5, check whether the byte at the address pointed to by the first pointer p is the terminator '\0'; if so, write one '\0' byte at the address pointed to by the second pointer q; the data from the start of Buffer up to that '\0' byte is then the domain name to be resolved in the DNS message, extraction has succeeded and the whole extraction process exits. If not, write one separator byte '.' at the address pointed to by the second pointer, then set q_{i+1} = q_i + 1, i.e. advance the second pointer by one, completing one loop iteration, and jump back to step 4.1.
The string before conversion is laid out as in Table 1 below (each label is preceded by its length byte):
TABLE 1
| a | label of length a, no terminator | b | label of length b, no terminator | ...... | n | label of length n, no terminator | '\0' |
The converted string is laid out as in Table 2 below (length bytes replaced by '.' separators):
TABLE 2
| label of length a, no terminator | '.' | label of length b, no terminator | ...... | '.' | label of length n, no terminator | '\0' |
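The following is an added example, not code from the patent or from the assignee's driver: a user-mode C model of what the datagram-data-layer callout does with one UDP payload, covering the S31/S32 gate, the header check and label walk of steps 1 to 4 and Tables 1 and 2, and the blacklist comparison of step S33. It assumes the payload has already been copied out of the NET_BUFFER_LIST, so the direction and remote port arrive as plain parameters (the DIR_* constants stand in for the WFP direction values); the blacklist, the query bytes for tools.chet.com and the truncated variant are all constructed inline. Three points depart from the text above and are marked in comments: the flags test accepts any query with QR = 0 and OPCODE = 0 rather than one literal value (in network byte order a stub resolver's standard query carries 0x0100, not 0x1000, so an exact comparison depends on which byte order the kernel code reads the field in); the pointer advance skips the length byte itself, which the wording of step 4.4 leaves implicit; and the match requires the blacklist entry to be the whole name or a suffix on a label boundary, since a bare substring test as in step S33 would also fire on notchet.com.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not the patent's code. Models the callout's work on one UDP
 * payload as seen at FWPM_LAYER_DATAGRAM_DATA_V4 (IP/UDP headers stripped).
 * Layout per RFC 1035: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2)
 * ARCOUNT(2), then the question section at offset 12. */

#define DNS_HEADER_LEN 12
#define DNS_PORT       53
#define MAX_NAME_LEN   255   /* RFC 1035 limit on a full domain name */
#define MAX_LABEL_LEN  63    /* RFC 1035 limit on one label */

/* Stand-ins for the WFP direction values the callout receives (assumption). */
enum { DIR_INBOUND = 0, DIR_OUTBOUND = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Steps 1-4: validate the header and copy the wire-format QNAME into name[] as
 * a dotted, NUL-terminated string. Returns 1 on success, 0 for anything that
 * is not a well-formed single-question standard query. */
int dns_extract_qname(const uint8_t *pkt, size_t len, char *name, size_t name_cap)
{
    if (len < DNS_HEADER_LEN || name_cap < MAX_NAME_LEN + 1) return 0;
    uint16_t flags   = rd16(pkt + 2);   /* offset 2: flags, network byte order */
    uint16_t qdcount = rd16(pkt + 4);   /* offset 4: question count */
    /* Step 1 (relaxed): QR=0 and OPCODE=0, exactly one question. */
    if ((flags & 0xF800) != 0 || qdcount != 1) return 0;

    size_t p = DNS_HEADER_LEN;   /* first pointer: walks the wire-format name */
    size_t q = 0;                /* second pointer: writes into name[] */
    for (;;) {
        if (p >= len) return 0;                    /* ran off the packet */
        uint8_t label_len = pkt[p];
        if (label_len == 0) {                      /* terminating zero-length label */
            if (q == 0) return 0;                  /* query for the root: not a host name */
            name[q - 1] = '\0';                    /* overwrite the trailing '.' */
            return 1;
        }
        if ((label_len & 0xC0) != 0) return 0;     /* compression pointer: invalid here */
        if (label_len > MAX_LABEL_LEN) return 0;
        if (p + 1 + label_len > len) return 0;     /* step 4.2: label must fit the packet */
        if (q + label_len + 1 > MAX_NAME_LEN) return 0;
        memcpy(name + q, pkt + p + 1, label_len);  /* step 4.3: copy the label bytes */
        q += label_len;
        name[q++] = '.';                           /* step 4.5: separator between labels */
        p += 1 + label_len;                        /* step 4.4, plus the length byte itself */
    }
}

/* Case-insensitive compare of n bytes (DNS names are case-insensitive). */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Step S33, tightened: entry must be the whole name or a suffix on a label
 * boundary, so chet.com matches tools.chet.com but not notchet.com. */
int domain_matches(const char *name, const char *entry)
{
    size_t n = strlen(name), e = strlen(entry);
    if (e == 0 || e > n || !ieq(name + (n - e), entry, e)) return 0;
    return n == e || name[n - e - 1] == '.';
}

/* Whole callout path for one datagram. Returns the index of the blacklist
 * entry that matched, or -1 if the packet is skipped or matches nothing. */
int check_udp_datagram(int direction, uint16_t remote_port,
                       const uint8_t *payload, size_t len,
                       const char *const *blacklist, size_t n_entries)
{
    char name[MAX_NAME_LEN + 1];
    if (direction != DIR_OUTBOUND) return -1;      /* S31: only local -> remote */
    if (remote_port != DNS_PORT) return -1;        /* S32: only DNS */
    if (!dns_extract_qname(payload, len, name, sizeof name)) return -1;
    for (size_t i = 0; i < n_entries; i++)
        if (domain_matches(name, blacklist[i])) return (int)i;
    return -1;
}

/* Constructed sample data (not captured traffic): the page's 'chet.com' entry
 * plus a hypothetical second one, an A query for tools.chet.com, and the same
 * query cut off inside its first label. */
static const char *const BLACKLIST[] = { "chet.com", "cheat-login.example" };
#define BLACKLIST_LEN (sizeof BLACKLIST / sizeof BLACKLIST[0])

static const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34,  0x01, 0x00,  0x00, 0x01,  0x00, 0x00,  0x00, 0x00,  0x00, 0x00,
    5, 't', 'o', 'o', 'l', 's',  4, 'c', 'h', 'e', 't',  3, 'c', 'o', 'm',  0,
    0x00, 0x01,  0x00, 0x01 };                     /* QTYPE A, QCLASS IN */

static const uint8_t TRUNCATED_QUERY[] = {
    0x12, 0x34,  0x01, 0x00,  0x00, 0x01,  0x00, 0x00,  0x00, 0x00,  0x00, 0x00,
    5, 't', 'o', 'o' };                            /* label says 5 bytes, 3 present */

int main(void)
{
    char name[MAX_NAME_LEN + 1];
    if (dns_extract_qname(SAMPLE_QUERY, sizeof SAMPLE_QUERY, name, sizeof name))
        printf("query for %s\n", name);
    printf("sample hit: %d\n", check_udp_datagram(DIR_OUTBOUND, DNS_PORT,
           SAMPLE_QUERY, sizeof SAMPLE_QUERY, BLACKLIST, BLACKLIST_LEN));
    printf("truncated hit: %d\n", check_udp_datagram(DIR_OUTBOUND, DNS_PORT,
           TRUNCATED_QUERY, sizeof TRUNCATED_QUERY, BLACKLIST, BLACKLIST_LEN));
    return 0;
}
```

Two limits of the approach are worth keeping in mind when reading the embodiment that follows. The datagram layer only shows plaintext queries to UDP port 53, and on Windows those are sent by the DNS Client service inside svchost.exe rather than by the cheat process, so the callout cannot attribute a query to the process that triggered it; and a cheat that resolves its server over DNS over HTTPS or TLS, uses a hard-coded IP address, or relies on a hosts-file entry produces no such packet at all.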
The following describes a specific implementation of the patent scheme with a specific embodiment:
1. Suppose game cheat A is cheat software that tampers with the online game client C produced by game company B. When it runs, cheat A accesses the domain "tools.chet.com".
2. Game company B uses a network filter driver D developed on this scheme to detect whether cheat A is running while the player is in the game; game client C is protected by this scheme.
3. After the player runs game client C, the client automatically loads network filter driver D; after loading succeeds, driver D initialises the domain name blacklist and inserts the blacklist entry "chet.com".
4. Network filter driver D begins filtering network packets after completing, at FWPM_LAYER_DATAGRAM_DATA_V4 (the datagram data layer), the sequence of operations of registering the callout, creating the sub-layer, adding the filter and so on.
5. Suppose that while game client C is running, the player starts game cheat A. After cheat A starts successfully it attempts to access "tools.chet.com". The Windows system process svchost.exe sends a DNS packet to the DNS server requesting resolution of the IP address of "tools.chet.com".
6. After the filter in the FWPM_LAYER_DATAGRAM_DATA_V4 sub-layer captures the packet, it determines that the packet's direction attribute is FWP_DIRECTION_OUTBOUND and that the remote port is 53, and therefore that the packet is a DNS packet.
7. The callout parses the packet content according to the DNS message format and extracts the requested domain name string "tools.chet.com"; it then traverses the domain name blacklist, comparing "tools.chet.com" with each entry. When the entry "chet.com" is compared, "tools.chet.com" contains the string stored in that entry, so the DNS packet is judged to match the domain name blacklist rule and the player is judged to be using game cheat A.
The above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention should be covered by the present invention.

Claims (6)

1. A method for monitoring game-cheat behaviour based on DNS traffic characteristics, characterised in that it comprises the following steps: step S1, the client at the Windows application layer creates a network filter driver at the driver layer;
step S2, a domain name blacklist is established; step S2 further includes: while the network filter driver is being built, the domain names that the cheat requests to resolve are written into a file of the network filter driver, and the Windows application loads and starts the driver; after the driver starts successfully it initialises the domain name blacklist, inserting every domain name written in the file into the blacklist during initialisation;
step S21, the network filter driver calls FwpmEngineOpen to obtain a handle to the Base Filtering Engine (BFE), used as a parameter of the subsequent operations;
step S22, the network filter driver calls FwpsCalloutRegister to register a callout function that monitors data at the datagram data layer;
step S23, the network filter driver calls FwpmCalloutAdd to ask the BFE to add the callout registered in the previous step;
step S24, the network filter driver calls FwpmSubLayerAdd to create a sub-layer at the datagram data layer for capturing data;
step S25, the network filter driver calls FwpmFilterAdd to create, through the BFE, a filter at the datagram data layer that associates the callout with the sub-layer; once associated, whenever the sub-layer captures a network packet the system invokes the callout function corresponding to the sub-layer to process it; the datagram data layer's callout is what processes the UDP packets;
step S3, the network filter driver captures all UDP packets at the datagram data layer, compares the domain name whose resolution each UDP packet requests against the domain name blacklist, and judges that the player is using a cheat if the requested domain name contains any domain name string in the blacklist; the domain name blacklist stores the domain name strings that cheats request to resolve.
2. The method for monitoring game-cheat behaviour based on DNS traffic characteristics according to claim 1, characterised in that step S3 further includes: step S31, when the datagram-data-layer callout is invoked, it checks whether the packet's direction attribute indicates a packet sent by the local machine to a remote host; if so, proceed to step S32, otherwise the callout returns;
step S32, the callout checks whether the packet's remote port is 53; if so, step S33 follows, otherwise the callout returns;
step S33, the callout parses the packet content according to the DNS message format, extracts the domain name to be resolved from the DNS message, then traverses the domain name blacklist, comparing each blacklist entry with the extracted domain name using a string-matching algorithm; if the extracted domain name contains the domain name string stored in any blacklist entry, the player is judged to be using a cheat.
3. The method for monitoring game-cheat behaviour based on DNS traffic characteristics according to claim 2, characterised in that the callout parsing the packet content according to the DNS message format and extracting the domain name to be resolved from the packet specifically comprises the following steps:
step 1, check whether the DNS message conforms to the format specification; if so, the message is not an abnormal packet and step 2 follows; if not, parsing ends;
step 2, the request data body (the question section) starts at offset 12 bytes from the start of the packet; the domain name requested in the DNS packet is stored there as a string terminated by a '\0' byte, so the region from the start of the request body to the end of the packet is scanned byte by byte for '\0'; if no '\0' exists in that region the DNS packet content is judged abnormal and the process exits, otherwise the address of the first '\0' is recorded as the end address pEnd of the requested domain name;
step 3, the bytes stored from the start of the request body to the end address pEnd are the unextracted (wire-format) string of the domain name requested by the DNS packet;
step 4, allocate a memory area Buffer of the same size as the unextracted string to hold the extracted string; point a first pointer p at the start of the unextracted string and a second pointer q at the start of Buffer, and extract the string in a loop starting from the first byte of the unextracted string.
4. The game cheating behavior monitoring method based on DNS traffic characteristics according to claim 3, characterized in that the method for checking whether the DNS message conforms to the format specification specifically includes: first taking 2 bytes of flag bit information from the address offset 2 bytes from the start address of the data packet, then taking the 2-byte count of query domain names from the address offset 4 bytes from the start address of the data packet; if the flag bit information equals the hexadecimal number 0x1000 and the count of query domain names equals the decimal number 1, the data packet is judged to conform to the DNS data packet specification.
5. The game cheating behavior monitoring method based on DNS traffic characteristics according to claim 3, characterized in that in step 4, the operation of cyclically extracting the character string starting from the first byte of the unextracted character string further includes: step 4.1, reading the 1 byte of data stored at the memory address pointed to by the first pointer as a UINT8 and taking its value as length;
step 4.2, judging whether the memory address p + length exceeds the size range of the unextracted character string; if so, judging it to be abnormal data and ending the parsing; otherwise entering step 4.3;
step 4.3, copying byte by byte the data stored in the memory segment that starts at the first pointer p and has size length into the memory segment that starts at the second pointer q and ends at q + length - 1;
step 4.4, p_{i+1} = p_i + length, i.e. the value of the first pointer is changed to p_i + length; q_{i+1} = q_i + length, i.e. the value of the second pointer is changed to q_i + length;
step 4.5, judging whether the data stored at the memory address pointed to by the first pointer p is the terminating character '\0'; if so, writing one byte of data '\0' at the memory address pointed to by the second pointer q, whereupon the data stored from the start address of the memory area Buffer up to the address holding that '\0' byte is the domain name to be resolved in the DNS message, the extraction succeeds and the whole extraction process exits; if not, one byte of data '\0' is written at the memory address pointed to by the second pointer, followed by q_{i+1} = q_i + 1, i.e. the value of the second pointer is increased by 1, which completes one round of the loop, and then jumping to step 4.1.
6. The game cheating behavior monitoring method based on DNS traffic characteristics according to claim 3, characterized in that the DNS message format is as follows: identifier + flag bits + number of query domain names + number of response results + number of authority records + number of additional records + request data body + response data body + domain name authority data + additional information data.
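The parsing and matching procedure of claims 3 to 5 and step S33, as an added C example that is not the patent's own code: it performs the header check of claim 4, decodes the length-prefixed labels of steps 4.1 to 4.5 with the bounds check of step 4.2, and runs the substring match of step S33 over a constructed query packet and blacklist. Assumptions of this example: the flag field is compared against 0x0100 (a standard query with RD set) rather than the 0x1000 written in claim 4, labels are joined with '.', and the packet bytes, blacklist entries and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DNS_HDR_LEN 12
/* Assumed flag value: standard query with RD set (claim 4 writes it as 0x1000). */
#define EXPECTED_FLAGS 0x0100

/* Claims 3 to 5: check the header, then decode the labels at offset 12 into a
 * dotted name. Returns 1 on success, 0 if the packet is malformed. */
int dns_extract_qname(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    if (len < DNS_HDR_LEN) return 0;
    /* Claim 4: flags at offset 2, question count at offset 4 (big-endian). */
    if (((pkt[2] << 8) | pkt[3]) != EXPECTED_FLAGS) return 0;
    if (((pkt[4] << 8) | pkt[5]) != 1) return 0;
    size_t p = DNS_HDR_LEN, q = 0;               /* first and second pointer */
    for (;;) {
        if (p >= len) return 0;                  /* no terminator in packet */
        uint8_t n = pkt[p];                      /* step 4.1: label length */
        if (n == 0) break;                       /* step 4.5: end of name */
        if (n > 63 || p + 1 + n > len) return 0; /* step 4.2: bounds check */
        if (q + n + 2 > outlen) return 0;        /* room for label, '.', NUL */
        if (q) out[q++] = '.';                   /* label separator */
        memcpy(out + q, pkt + p + 1, n);         /* step 4.3 */
        q += n; p += 1 + n;                      /* step 4.4 */
    }
    out[q] = '\0';
    return 1;
}

/* Step S33: the name matches if any blacklist entry is a substring of it. */
int dns_name_blacklisted(const char *name, const char *const *bl, size_t cnt)
{
    for (size_t i = 0; i < cnt; i++)
        if (strstr(name, bl[i]) != NULL) return 1;
    return 0;
}

/* Constructed sample (not captured traffic): a query for www.example.com. */
static const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01 };
static const char *const BLACKLIST[] = { "cheat.invalid", "example.com" };
/* Pipeline on the sample cut to len bytes: 1 blacklisted, 0 clean, -1 malformed. */
int classify_sample(size_t len)
{
    char name[256];
    if (!dns_extract_qname(SAMPLE_QUERY, len, name, sizeof name)) return -1;
    return dns_name_blacklisted(name, BLACKLIST, 2);
}
```

A packet truncated before the terminating zero byte is rejected rather than read past its end, which is the failure mode step 4.2 guards against.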
CN201910765987.9A 2019-08-19 2019-08-19 Game plug-in behavior monitoring method based on DNS flow characteristics Active CN110535719B (en)


Publications (2)

Publication Number Publication Date
CN110535719A (en) 2019-12-03
CN110535719B (en) 2021-07-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant