CN110855632A - Message detection method, device, network equipment and computer readable storage medium - Google Patents


Info

Publication number: CN110855632A
Authority: CN (China)
Prior art keywords: message, domain name, dns, detected, hidden channel
Legal status: Granted
Application number: CN201911018931.3A
Other languages: Chinese (zh)
Other versions: CN110855632B
Inventors: 施瑞瑞, 李鲲程
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Events: application filed by New H3C Security Technologies Co Ltd; priority to CN201911018931.3A; publication of CN110855632A; application granted; publication of CN110855632B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]


Abstract

The embodiment of the invention provides a message detection method, a message detection device, network equipment and a computer readable storage medium, and relates to the field of network security. The method comprises the steps of: obtaining the request domain name corresponding to a DNS message to be detected; removing the registered domain name from the request domain name to obtain a domain name to be processed; extracting at least two message characteristics of the DNS message to be detected, where the at least two message characteristics include the domain name characteristics of the domain name to be processed; and obtaining, from the at least two message characteristics and a pre-trained message detection model, a detection result of whether the DNS message to be detected belongs to a DNS hidden channel message. By removing the registered domain name from the request domain name, the embodiment eliminates its interference with the detection result, and by using at least two message characteristics of the DNS message to be detected as detection indexes it detects whether the message belongs to a DNS hidden channel message, so the detection precision is effectively improved and the false alarm rate is reduced.

Description

Message detection method, device, network equipment and computer readable storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method and an apparatus for packet detection, a network device, and a computer-readable storage medium.
Background
A covert channel refers to a communication channel that allows a process to transmit information in a manner that violates the security policy of the system. A hidden channel uses a special encoding under cover of a public channel to transmit illegal or private information without being discovered, and hidden channels exist widely in operating systems, network systems and application systems.
A DNS (Domain Name System) hidden channel is a hidden channel built on the DNS protocol. The DNS protocol is the most critical basic protocol on the Internet and the basis on which most Internet services and applications operate, so most network security devices, such as network firewalls and IDSs (Intrusion Detection Systems), let DNS messages pass through. Malicious attackers can therefore build a hidden channel on the DNS protocol and carry out illegal operations over it, which seriously threatens the security of a network information system.
Therefore, how to detect whether a DNS hidden channel is being used to transmit DNS packets, that is, how to detect whether a DNS packet belongs to a DNS hidden channel packet, is a problem that needs to be solved by those skilled in the art.
Disclosure of Invention
In view of this, the present invention provides a message detection method, an apparatus, a network device and a computer-readable storage medium, which can implement accurate detection of whether a DNS message to be detected belongs to a DNS hidden channel message.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical solutions:
In a first aspect, an embodiment of the present invention provides a packet detection method, where the method includes:
acquiring a request domain name corresponding to a DNS message to be detected;
removing the registered domain name in the request domain name to obtain a domain name to be processed;
extracting at least two message characteristics of the DNS message to be detected; wherein the at least two message characteristics comprise domain name characteristics of the domain name to be processed;
and obtaining a detection result of whether the DNS message to be detected belongs to the DNS hidden channel message or not according to the at least two message characteristics and a pre-trained message detection model.
In a second aspect, an embodiment of the present invention provides a packet detection apparatus, where the apparatus includes:
the request domain name acquisition module is used for acquiring a request domain name corresponding to the DNS message to be detected;
the registered domain name removing module is used for removing the registered domain name in the request domain name to obtain a domain name to be processed;
the message feature extraction module is used for extracting at least two message features of the DNS message to be detected; wherein the at least two message characteristics comprise domain name characteristics of the domain name to be processed;
and the detection module is used for obtaining a detection result of whether the DNS message to be detected belongs to the DNS hidden channel message or not according to the at least two message characteristics and the pre-trained message detection model.
In a third aspect, an embodiment of the present invention provides a network device, including a memory storing a computer program and a processor, where the computer program is read by the processor and executed to implement the method according to any one of the foregoing embodiments.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is read and executed by a processor, the computer program implements the method according to any one of the foregoing embodiments.
According to the message detection method, the device, the network equipment and the computer readable storage medium provided by the embodiment of the invention, the request domain name corresponding to the DNS message to be detected is obtained, the registered domain name in the request domain name is removed, the domain name to be processed is obtained, at least two message characteristics of the DNS message to be detected are extracted, wherein the at least two message characteristics comprise the domain name characteristics of the domain name to be processed, and the detection result of whether the DNS message to be detected belongs to the DNS hidden channel message can be obtained according to the at least two message characteristics and a pre-trained message detection model. Therefore, the embodiment of the invention eliminates the interference of the registered domain name in the request domain name to the detection result by removing the registered domain name in the request domain name, and detects whether the DNS message to be detected belongs to the DNS hidden channel message by taking at least two message characteristics of the DNS message to be detected as detection indexes, so that the detection precision and accuracy can be effectively improved, and the false alarm rate is reduced.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a block diagram of a network device according to an embodiment of the present invention;
FIG. 2 shows a schematic diagram of a built DNS covert channel environment;
FIG. 3 shows a network architecture diagram of a message inspection model;
fig. 4 is a flowchart illustrating a message detection method according to an embodiment of the present invention;
fig. 5 shows a schematic diagram of a DNS message to be detected;
fig. 6 is a schematic flow chart illustrating a message detection method according to an embodiment of the present invention;
fig. 7 is a schematic flowchart illustrating a message detection method according to an embodiment of the present invention;
fig. 8 is a schematic flowchart illustrating a message detection method according to an embodiment of the present invention;
fig. 9 is a functional block diagram of a message detection apparatus according to an embodiment of the present invention;
fig. 10 is a functional block diagram of a message detection apparatus according to an embodiment of the present invention.
Icon: 100-a network device; 600-a message detection device; 110-a memory; 120-a processor; 130-a communication module; 610-request domain name obtaining module; 620-register domain name removal module; 630-message feature extraction module; 640-a detection module; 650-domain name matching module; 660-a counting module; 670-ratio calculation module.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In the process of implementing the technical scheme of the embodiment of the invention, the inventors found that, because the length of a DNS data packet is limited by the DNS protocol specification, a single packet cannot carry much data, so meeting requirements such as file transfer or remote desktop control requires the transmission of a large number of DNS messages. Accordingly, current DNS covert channel detection techniques can be broadly divided into two categories: DNS payload analysis and statistical analysis. DNS payload analysis includes the following detection modes: detecting the host name length, detecting the entropy of the domain name, detecting the digit ratio and the word frequency in the domain name, detecting atypical record types used to download data, detecting the FQDN (Fully Qualified Domain Name) in a DNS channel, detecting characteristic character strings with DPI (Deep Packet Inspection), and the like. Statistical analysis includes the following detection modes: detecting the total DNS traffic of different IP addresses, detecting the total DNS traffic of different domain names, detecting the rate and duration of DNS traffic, detecting requests that have no associated DNS request, detecting the record type of the requested domain name, and the like.
In current DNS hidden channel message detection schemes, a single feature of the DNS message to be detected is usually examined to determine whether it is a DNS hidden channel message, and thereby whether a DNS hidden channel is transmitting data. Because different DNS messages differ in their characteristics (for example, the host name length of message A may match the characteristics of a DNS hidden channel message while the record type of the request domain name of message B may match them), using only a single characteristic as the detection index easily causes false alarms, and the detection accuracy is low.
Based on the research on the defects, the embodiment of the invention provides a scheme for detecting whether the DNS message to be detected belongs to the DNS hidden channel message by removing the interference of the registered domain name and taking at least two message characteristics of the DNS message to be detected as detection indexes, so that the detection precision and accuracy of the DNS hidden channel message are improved, and the false alarm rate is reduced. The technical solutions provided by the embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Fig. 1 is a block diagram of a network device 100 according to the present embodiment. The network device 100 includes a memory 110, a processor 120, and a communication module 130. The memory 110, the processor 120, and the communication module 130 are electrically connected to each other directly or indirectly to enable data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The memory 110 is used to store programs or data. The memory 110 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 120 is used to read/write data or programs stored in the memory 110 and perform corresponding functions. For example, the computer program stored in the memory 110, when executed by the processor 120, can implement the message detection method disclosed in the embodiments of the present invention.
The communication module 130 is used for establishing a communication connection between the network device 100 and another communication terminal through a network, and for transceiving data through the network. For example, the network device 100 may obtain the DNS packet to be detected from another communication terminal through the communication module 130.
It should be understood that the configuration shown in fig. 1 is merely a schematic diagram of the configuration of network device 100, and that network device 100 may include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof. Optionally, the network device 100 in the embodiment of the present invention may be a network security device such as a gateway, a firewall, or other devices, which is determined according to the actual situation.
The embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by the processor 120, the computer program implements the message detection method disclosed in the embodiments of the present invention.
Because the embodiment of the invention needs to utilize a plurality of detection indexes to detect whether the DNS message belongs to the DNS hidden channel message, a reasonable proportion coefficient (weight) needs to be set for each detection index (message characteristic) to realize better weight distribution, thereby ensuring the detection accuracy. Based on this, the embodiment of the invention trains the weight corresponding to each detection index by using a deep learning algorithm to obtain a message detection model, and then the message detection model can be used to accurately detect whether the DNS message to be detected belongs to the DNS hidden channel message. Next, the training process of the message detection model is described in detail.
In this embodiment, to make it convenient to capture a large number of training samples (which include DNS hidden channel message samples and non-DNS hidden channel message samples), a DNS hidden channel environment as shown in fig. 2 may be set up, in which the registered domain name of the target server is string.com. The training samples are obtained from the bidirectional communication between host A or host B and the target server, and each training sample is marked with a label indicating whether it is a DNS hidden channel message sample or a non-DNS hidden channel message sample, which gives the marking result for each sample. After the collected training samples are marked, they are parsed into a text format; for each training sample the request domain name is obtained from the text information, the registered domain name is removed from the request domain name to obtain the domain name to be processed, and at least two message characteristics of the training sample are then extracted, the at least two message characteristics including the domain name characteristics of the domain name to be processed.
In this embodiment, by separating the registered domain name from the request domain name and keeping the specially encoded part produced by the DNS tunnelling tool (i.e., the domain name to be processed), the influence of the registered domain name on the subsequent training result is eliminated. For example, assume that the acquired request domain name is M56BgAABADE5NEVGOTMyRUIwRjhBODlEOTVCNzZEMDdDQkFBRDlEODI4NTg4ODk.auth.ns.string.lxw; after removing the registered domain name string.lxw, the reserved part is M56BgAABADE5NEVGOTMyRUIwRjhBODlEOTVCNzZEMDdDQkFBRDlEODI4NTg4ODk.auth.ns, and this reserved part is the domain name to be processed. It should be noted that in this embodiment the registered domain name is the first-level domain name of the request domain name; in other embodiments the registered domain name may also be a second-level or third-level domain name, so the first-level, second-level, third-level or other domain name in the request domain name may be removed according to the actual application requirements.
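The registered-domain removal just described, together with the payload features listed in the background section (host name length, domain name entropy, digit ratio, record type), as an added Python example that is not part of the patent or of H3C's implementation. It assumes the registered domain name is known to the detector (here the string.com of the test environment); the query names and record types below are constructed.

```python
import math
from collections import Counter


def strip_registered_domain(request_name: str, registered_domain: str) -> str:
    """Return the 'domain name to be processed': the request domain name with
    the registered domain removed. Case and a trailing dot are ignored; an
    empty result means the request was for the registered domain itself."""
    name = request_name.rstrip(".").lower()
    registered = registered_domain.rstrip(".").lower()
    if name == registered:
        return ""
    suffix = "." + registered
    if not name.endswith(suffix):
        raise ValueError(f"{request_name!r} is not under {registered_domain!r}")
    return name[: -len(suffix)]


def shannon_entropy(text: str) -> float:
    """Entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def digit_ratio(text: str) -> float:
    """Fraction of characters that are decimal digits."""
    return sum(ch.isdigit() for ch in text) / len(text) if text else 0.0


def extract_features(request_name: str, registered_domain: str, record_type: str) -> dict:
    """Extract several message features from one DNS request (the patent
    requires at least two): domain-name features computed on the processed
    name, i.e. with the registered domain removed, plus the record type."""
    processed = strip_registered_domain(request_name, registered_domain)
    labels = processed.split(".") if processed else []
    body = processed.replace(".", "")
    return {
        "processed": processed,
        "hostname_length": len(processed),
        "label_count": len(labels),
        "max_label_length": max((len(label) for label in labels), default=0),
        "entropy": round(shannon_entropy(body), 3),
        "digit_ratio": round(digit_ratio(body), 3),
        "record_type": record_type.upper(),
    }


# Constructed sample queries under the registered domain "string.com" used in
# the patent's test environment; the labels in front of it are made up.
SAMPLE_QUERIES = [
    ("www.string.com", "A"),
    ("mail.string.com", "MX"),
    ("abc123def456.tunnel.string.com", "TXT"),
]


if __name__ == "__main__":
    for qname, rtype in SAMPLE_QUERIES:
        print(extract_features(qname, "string.com", rtype))
```

The features are computed on the label string with the registered domain stripped, so a long registered domain with a high-entropy brand name does not inflate the length or entropy values the model later sees; a query that is not under the configured registered domain is rejected rather than silently scored.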
After at least two message features of a training sample are extracted, inputting the at least two message features into a pre-established message detection model, performing feature extraction and data training by using a deep learning algorithm to obtain a prediction result corresponding to the training sample, then updating model parameters of the message detection model according to the prediction result and a marking result corresponding to the training sample, wherein the model parameters comprise weights of all neurons in the message detection model, weights corresponding to the at least two message features and the like, and obtaining the trained message detection model after repeated iterative computation and parameter updating.
Specifically, the loss function may be calculated according to the prediction result and the labeling result corresponding to the training sample, then the model parameter is updated according to the loss function, and when the message detection model reaches the convergence state, the update of the model parameter is stopped, so that the weight distribution is effectively performed on the message features, and the trained message detection model is obtained. The loss function is used for measuring the degree of inconsistency between the prediction result and the labeling result corresponding to the training sample, the smaller the loss function is, the smaller the difference between the prediction result and the labeling result is, the better the performance of the message detection model is, and when the loss function reaches a set value or the iteration number reaches a set upper limit value, the message detection model is shown to reach a convergence state.
In this embodiment, the deep learning algorithm may include a CNN (Convolutional Neural Network) algorithm, an RNN (Recurrent Neural Network) algorithm and a random forest algorithm; the CNN algorithm is taken as the example for describing the network structure of the message detection model. As shown in fig. 3, the network structure of the message detection model includes a feature processing network and a model prediction network: the feature processing network encodes the data input to the message detection model and converts it into a corresponding message feature matrix, and the model prediction network predicts on the message feature matrix produced by the feature processing network to obtain a prediction result.
Optionally, the feature processing network includes an embedding layer, which is in essence a word embedding layer and is mainly used to encode the data input to the message detection model into a message feature matrix. The model prediction network comprises a convolutional layer, a pooling layer, a random loss (dropout) layer, a fully connected layer and a logistic regression (softmax) layer. The convolutional layer is mainly used for feature extraction and performs both shallow and deep feature extraction: shallow feature extraction learns features from the message feature matrix supplied by the embedding layer and extracts simple shallow features, while deep feature extraction learns the degree of association between the extracted shallow features and learns the special characters in the domain name to be processed, so as to extract the special character features of that domain name. The pooling layer samples the features extracted by the convolutional layer to reduce the number of parameters, and the dropout layer prevents overfitting during training. The fully connected layer reduces the features produced by the convolutional, pooling and dropout layers to a one-dimensional vector, which is input to the logistic regression layer for classification, yielding the prediction result for the training sample.
It can be understood that, when the message detection model is trained, the prediction result of the training sample is continuously obtained in an iterative computation mode, and the weights of each neuron in the convolutional layer, the pooling layer, the random loss layer, the full-link layer and the logistic regression layer and the weights corresponding to the at least two message features are updated according to the prediction result and the corresponding labeling result until the message detection model reaches a convergence state, so as to finally obtain the trained message detection model.
It should be noted that the model parameters of the message detection model change before and after training, but the network structure of the message detection model does not change before and after training. In the training stage of the message detection model, the types of at least two message characteristics of the input message detection model can be selected according to actual requirements, and the identification accuracy of the message detection model is favorably improved by increasing the types of the message characteristics of the input message detection model. It can be understood that when the types of the message features of the input message detection models are different, the weights of the trained neurons and the weights corresponding to the message features are different, so that the finally obtained message detection models are different.
When the trained message detection model is later used to predict a DNS message to be detected, at least two message features of that message are extracted (of the same types as the features extracted from the training samples) and used as the input of the message detection model. The feature processing network encodes the at least two message features into a message feature matrix; this matrix is input to the trained model prediction network, which predicts according to the trained weight of each neuron and the trained weight corresponding to each of the at least two message features, and outputs the detection result of whether the DNS message to be detected belongs to a DNS hidden channel message. Next, the detection process for a DNS packet to be detected is described in detail.
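The weight-per-feature training described above (a loss function driven to a set value or an iteration cap, then prediction with the trained weights) as an added Python example; it is not the patent's model or H3C code. A plain logistic regression stands in for the CNN, so that the block runs without a deep learning framework: it learns one weight per message feature plus a bias, and its output is the pair of probabilities that a message is a DNS hidden channel message or is not. The labelled feature rows are constructed, not measured data.

```python
import math

# Feature order used throughout: host name length, entropy of the processed
# domain name, digit ratio, and whether the requested record type is TXT.
FEATURE_NAMES = ("hostname_length", "entropy", "digit_ratio", "txt_record")

# Constructed, already-labelled feature rows standing in for the marked
# training samples: 1 = DNS hidden channel message sample, 0 = non-hidden
# channel sample. The values are illustrative only.
TRAINING_SAMPLES = [
    ((52, 4.3, 0.30, 1), 1),
    ((48, 4.1, 0.25, 1), 1),
    ((60, 4.5, 0.35, 1), 1),
    ((45, 4.0, 0.20, 0), 1),
    ((58, 4.4, 0.28, 1), 1),
    ((3, 0.0, 0.00, 0), 0),
    ((10, 2.6, 0.00, 0), 0),
    ((12, 2.9, 0.10, 0), 0),
    ((7, 2.2, 0.00, 0), 0),
    ((15, 3.0, 0.05, 1), 0),
]


class WeightedDetector:
    """One trained weight per message feature plus a bias; the output is the
    pair (probability of hidden channel message, probability of not)."""

    def __init__(self, n_features: int):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.mean = [0.0] * n_features
        self.std = [1.0] * n_features

    def _fit_scaler(self, rows):
        # Standardise each feature so the learned weights are comparable.
        n = len(rows)
        for j in range(len(self.w)):
            col = [r[j] for r in rows]
            m = sum(col) / n
            var = sum((c - m) ** 2 for c in col) / n
            self.mean[j], self.std[j] = m, (math.sqrt(var) or 1.0)

    def _scale(self, x):
        return [(xi - m) / s for xi, m, s in zip(x, self.mean, self.std)]

    def probabilities(self, x):
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, self._scale(x)))
        z = max(-500.0, min(500.0, z))  # keep exp() within range
        p_hidden = 1.0 / (1.0 + math.exp(-z))
        return p_hidden, 1.0 - p_hidden

    def train(self, samples, lr=0.5, max_iter=20000, target_loss=0.05):
        """Gradient descent on the mean cross-entropy loss. Stops when the
        loss reaches the set value or the iteration cap is hit, the two
        convergence criteria the description gives. Returns (loss, iterations)."""
        self._fit_scaler([x for x, _ in samples])
        n = len(samples)
        eps = 1e-12
        loss = float("inf")
        for it in range(1, max_iter + 1):
            grad_w = [0.0] * len(self.w)
            grad_b = 0.0
            loss = 0.0
            for x, y in samples:
                p, _ = self.probabilities(x)
                loss -= y * math.log(p + eps) + (1 - y) * math.log(1 - p + eps)
                err = p - y  # gradient of the loss with respect to z
                for j, xj in enumerate(self._scale(x)):
                    grad_w[j] += err * xj
                grad_b += err
            loss /= n
            if loss < target_loss:
                return loss, it
            self.w = [wj - lr * g / n for wj, g in zip(self.w, grad_w)]
            self.b -= lr * grad_b / n
        return loss, max_iter


def train_detector():
    det = WeightedDetector(len(FEATURE_NAMES))
    loss, iterations = det.train(TRAINING_SAMPLES)
    return det, loss, iterations


def detect(det, features):
    """Detection result for one DNS message described by its feature tuple."""
    p_hidden, p_not = det.probabilities(features)
    verdict = "DNS hidden channel message" if p_hidden >= p_not else "non-DNS hidden channel message"
    return verdict, p_hidden, p_not


if __name__ == "__main__":
    det, loss, iters = train_detector()
    print(f"loss={loss:.4f} after {iters} iterations")
    print("trained weights:", dict(zip(FEATURE_NAMES, (round(w, 3) for w in det.w))))
    for feats in [(55, 4.4, 0.30, 1), (4, 1.5, 0.0, 0)]:
        print(feats, detect(det, feats))
```

The point the patent makes about single-feature detection is visible in the constructed data: one hidden-channel row uses a non-TXT record type and one benign row uses TXT, so a rule on record type alone would misclassify both, while the weighted combination of all four features separates them.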
Fig. 4 is a schematic flow chart of a message detection method according to an embodiment of the present invention. It should be noted that, the message detection method provided in the embodiment of the present invention is not limited by fig. 4 and the following specific sequence, and it should be understood that, in other embodiments, the sequence of some steps in the message detection method provided in the embodiment of the present invention may be interchanged according to actual needs, or some steps in the message detection method may be omitted or deleted. The message detection method may be applied to the network device 100 shown in fig. 1, and the specific flow shown in fig. 4 will be described in detail below.
Step S201, a request domain name corresponding to the DNS packet to be detected is obtained.
In this embodiment, when the network device 100 acquires the DNS packet to be detected, it first parses the packet into a text format and then obtains the corresponding request domain name from the parsed text information. For example, if the network device 100 acquires the DNS packet to be detected shown in fig. 5 (which includes two parts, a request and a response), the request domain name corresponding to that packet is M54/xa6lagh0dha.
Step S202, removing the registered domain name in the request domain name to obtain the domain name to be processed.
For example, after removing the registered domain name string.lxw from the request domain name M54/xa6lag0dha. -, the domain name to be processed is obtained as m54/xa6lag0dha. -. connect.
Step S203, extracting at least two message characteristics of the DNS message to be detected; wherein the at least two message characteristics include domain name characteristics of the domain name to be processed.
In a DNS hidden channel message, the domain name feature of the request domain name with the registered domain name removed is generally more obvious than its other message features. To avoid the detection interference caused by the registered domain name, the domain name feature of the domain name to be processed of the DNS message to be detected is used as a message feature participating in detection, which effectively improves the detection accuracy.
Step S204, obtaining a detection result of whether the DNS message to be detected belongs to the DNS hidden channel message according to the at least two message characteristics and a pre-trained message detection model.
In this embodiment, after acquiring at least two message characteristics of the DNS message to be detected, the network device 100 uses the at least two message characteristics as inputs of a pre-trained message detection model, and then can know whether the DNS message to be detected belongs to a DNS hidden channel message according to a detection result output by the message detection model.
It can be seen that the message detection method provided in the embodiment of the present invention eliminates the interference of the registration domain name to the detection result by removing the registration domain name in the request domain name, uses at least two message features of the DNS message to be detected as the input of the pre-trained message detection model, and determines whether the DNS message to be detected belongs to the DNS hidden channel message according to the detection result output by the message detection model, thereby effectively improving the detection precision and accuracy and reducing the false alarm rate.
Optionally, the message detection model includes a feature processing network and a model prediction network, and the detection result may include a first probability value that the DNS message to be detected belongs to the DNS hidden channel message and a second probability value that the DNS message to be detected belongs to the non-DNS hidden channel message, as shown in fig. 6, the step S204 specifically includes the following sub-steps:
Sub-step S2041, encoding the at least two message characteristics by using the feature processing network to obtain a message feature matrix.
In this embodiment, after the at least two message features are input into the message detection model, they are encoded by the embedding layer and then combined into a message feature matrix.
Sub-step S2042, inputting the message feature matrix into the model prediction network to obtain the first probability value and the second probability value, and determining that the DNS message to be detected belongs to the DNS hidden channel message when the first probability value is greater than the second probability value.
In this embodiment, the message feature matrix obtained by the embedding layer encoding is input into the model prediction network, where it is processed sequentially by a convolutional layer, a pooling layer, a dropout layer, a fully connected layer and a logistic regression layer. The logistic regression layer finally outputs a first probability value that the DNS message to be detected belongs to a DNS hidden channel message and a second probability value that it belongs to a non-DNS hidden channel message; when the first probability value is greater than the second probability value, the DNS message to be detected is determined to belong to the DNS hidden channel message.
For example, when the detection result output by the logistic regression layer is [0.985462,0.254868], it is known that the first probability value of the DNS packet to be detected belonging to the DNS hidden channel packet is 0.985462, the second probability value of the DNS packet to be detected belonging to the non-DNS hidden channel packet is 0.254868, and the first probability value is greater than the second probability value, so that it is determined that the DNS packet to be detected belongs to the DNS hidden channel packet.
Optionally, the domain name feature of the domain name to be processed may include a domain name length of the domain name to be processed, and/or a domain name character list of the domain name to be processed, where the domain name length may be obtained by performing length counting on the domain name to be processed, and the domain name character list may be obtained by performing mapping processing on characters of the domain name to be processed.
The mapping process means representing the characters of the domain name to be processed by numbers, so the domain name character list in this embodiment is formed by converting each character of the domain name to be processed into the corresponding number according to a preset correspondence between characters and numbers. For example, the correspondence between characters and numbers may be preset as follows: '+': 1, '-': 2, '/': 3, '.': 4, '1': 5, '0': 6, '3': 7, '2': 8, '5': 9, '4': 10, '7': 11, '6': 12, '9': 13, '8': 14,': 15,' \\ \ Λ: 16, 'a': 17, 'c': 18, 'b': 19, 'e': 20, 'd': 21, 'g': 22, 'f': 23, 'i': 24, 'h': 25, 'k': 26, 'j': 27, 'm': 28, 'l': 29, 'o': 30, 'n': 31, 'q': 32, 'p': 33, 's': 34, 'r': 35, 'u': 36, 't': 37, 'w': 38, 'v': 39, 'y': 40, 'x': 41, 'z': 42.
In one example, length counting is performed on the domain name to be processed M54/xa6lag0dha. -. connect.ns, and the domain name length obtained is 27; after the domain name to be processed M54/xa6lag0dha is mapped according to the preset correspondence between characters and numbers, the domain name character list obtained is: [28, 9, 10, 3, 41, 17, 12, 29, 17, 22, 25, 6, 21, 25, 17, 4, 15, 18, 30, 31, 31, 20, 18, 37, 4, 31, 34].
In this embodiment, in addition to the domain name length and/or the domain name character list, the at least two message characteristics may include at least one of the domain name record type of the DNS message to be detected, the request and response time interval, the transmission rate of the DNS message to be detected, the total number of messages having the IP address of the DNS message to be detected, and the total number of messages having the request domain name. The DNS message to be detected includes two parts, a request and a response, which together constitute a session, so the time interval between the request and the response can be understood as the session duration; the domain name record types of the DNS message to be detected generally include A, AAAA, TXT, CNAME, NM, NULL and the like.
For example, from the DNS message to be detected shown in fig. 5, the domain name record type of the DNS message to be detected is extracted as TXT, and the time interval between the request and the response is 0.005966 - 0.003278 = 0.002688 s.
In the following, the detection process for the DNS message to be detected is explained in detail using four message features as an example: the domain name length, the domain name character list, the request and response time interval, and the domain name record type. After these four message features of the DNS message to be detected are extracted, they are input into the message detection model. The feature processing network encodes the input domain name length, domain name character list, request and response time interval and domain name record type into a message feature matrix, which is then input into the model prediction network; the model prediction network predicts according to the trained weights of all neurons and the weights corresponding to the four message features, and finally outputs the detection result of whether the DNS message to be detected belongs to the DNS hidden channel message.
It can be understood that, in the training stage and the prediction stage of the message detection model, the processing flow of the model prediction network for the input message feature matrix is basically the same. The difference is that the training stage iteratively calculates and updates the neuron weights and the message feature weights until the message detection model converges, whereas in the prediction stage the neuron weights and message feature weights in the model prediction network are already determined, so the model prediction network obtains the detection result directly from the trained weights without iterative calculation.
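As an added illustration of steps S201 to S203 (not code from the patent), the following Python extracts the four features of the worked example above from a constructed DNS query in wire format. It assumes that the registered domain name is the last two labels of the request domain name, which the patent does not specify, and leaves out the two entries of the mapping table (numbers 15 and 16) that are not legible above; the model prediction network is not implemented, the returned dictionary is what the feature processing network would encode.

```python
"""Feature extraction for the DNS message detection method (added example)."""
import struct

# Character-to-number correspondence as listed in the patent. The two entries
# for the numbers 15 and 16 are not legible in the source and are left out.
CHAR_TO_NUM = {
    '+': 1, '-': 2, '/': 3, '.': 4, '1': 5, '0': 6, '3': 7, '2': 8, '5': 9,
    '4': 10, '7': 11, '6': 12, '9': 13, '8': 14,
    'a': 17, 'c': 18, 'b': 19, 'e': 20, 'd': 21, 'g': 22, 'f': 23, 'i': 24,
    'h': 25, 'k': 26, 'j': 27, 'm': 28, 'l': 29, 'o': 30, 'n': 31, 'q': 32,
    'p': 33, 's': 34, 'r': 35, 'u': 36, 't': 37, 'w': 38, 'v': 39, 'y': 40,
    'x': 41, 'z': 42,
}
UNKNOWN_CHAR = 0  # assumption: characters missing from the table map to 0

# Standard DNS QTYPE codes for the record types named in the text.
QTYPE_NAMES = {1: 'A', 2: 'NS', 5: 'CNAME', 10: 'NULL', 16: 'TXT', 28: 'AAAA'}


def parse_question(packet: bytes):
    """Step S201: return (request domain name, qtype) from the first question."""
    if len(packet) < 12:
        raise ValueError('truncated DNS header')
    qdcount = struct.unpack('!H', packet[4:6])[0]
    if qdcount < 1:
        raise ValueError('DNS message carries no question')
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError('truncated question name')
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError('compression pointer in question name not supported')
        labels.append(packet[pos:pos + length].decode('ascii', 'replace'))
        pos += length
    if pos + 2 > len(packet):
        raise ValueError('truncated QTYPE')
    qtype = struct.unpack('!H', packet[pos:pos + 2])[0]
    return '.'.join(labels), qtype


def registered_domain(name: str) -> str:
    """Assumption: the registered domain name is the last two labels (e.g. string.com)."""
    return '.'.join(name.split('.')[-2:])


def domain_to_process(name: str) -> str:
    """Step S202: strip the registered domain name from the request domain name."""
    reg = registered_domain(name)
    if name == reg:
        return ''                      # nothing but the registered domain name
    return name[:-len(reg)].rstrip('.')


def char_list(domain: str) -> list:
    """Mapping processing: one number per character, per the preset table."""
    return [CHAR_TO_NUM.get(c, UNKNOWN_CHAR) for c in domain.lower()]


def extract_features(query: bytes, q_time: float, r_time: float) -> dict:
    """Step S203 for one request/response session; the model's input features."""
    qname, qtype = parse_question(query)
    todo = domain_to_process(qname)
    return {
        'registered_domain': registered_domain(qname),
        'domain_length': len(todo),
        'domain_chars': char_list(todo),
        'record_type': QTYPE_NAMES.get(qtype, str(qtype)),
        'interval': round(r_time - q_time, 6),   # session duration in seconds
    }


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query in wire format for the constructed sample."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    name = b''.join(bytes([len(lab)]) + lab.encode('ascii')
                    for lab in qname.split('.')) + b'\x00'
    return header + name + struct.pack('!HH', qtype, 1)   # QCLASS IN


# Constructed sample (not the patent's capture): a TXT query whose subdomain
# resembles the patent's example, with the worked example's timestamps.
SAMPLE_QUERY = build_query('m54/xa6lag0dha.connect.string.com', 16)
SAMPLE_FEATURES = extract_features(SAMPLE_QUERY, 0.003278, 0.005966)

if __name__ == '__main__':
    print(SAMPLE_FEATURES)
```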
Optionally, in order to determine whether the request domain name of the DNS message to be detected belongs to a malicious domain name, intelligence matching needs to be performed on the registered domain name of a DNS message to be detected that belongs to the DNS hidden channel message. Based on this, referring to fig. 7, on the basis of fig. 4, the message detection method further includes:
Step S401, when the detection result is that the DNS message to be detected belongs to the DNS hidden channel message, matching the registered domain name with a pre-stored domain name intelligence library.
When the DNS message to be detected belongs to the DNS hidden channel message, in order to determine whether its request domain name is a malicious domain name, the registered domain name in the request domain name can be matched against the malicious domain names in the domain name intelligence library.
Optionally, the registered domain name may also be matched with the pre-stored domain name intelligence library as soon as it is obtained after the DNS message to be detected is acquired, and step S402 is then executed.
Step S402, when a domain name matching the registered domain name exists in the domain name intelligence library, determining that the request domain name of the DNS message to be detected is a malicious domain name.
In this embodiment, when the detection result is that the DNS message to be detected belongs to the DNS hidden channel message and a domain name matching its registered domain name also exists in the domain name intelligence library, it can be determined that the request domain name of the DNS message to be detected is a malicious domain name, which facilitates predicting a deeper attack. In addition, when the registered domain name of the DNS message to be detected matches no domain name in the domain name intelligence library, whether the request domain name is a malicious domain name can be determined by tracing. After the request domain name of the DNS message to be detected is determined to be a malicious domain name by tracing, the domain name intelligence library can be updated with that request domain name, which improves the efficiency of malicious domain name detection.
Optionally, on the basis of fig. 4, please refer to fig. 8, where the message detection method further includes:
step S501, a first count value of a packet having a registered domain name is determined.
For example, the network device 100 may perform a counting operation on all DNS messages to be detected that it receives, counting the DNS messages of each registered domain name separately: when a DNS message to be detected carrying a new registered domain name is received for the first time, the first count value of that registered domain name is set to 1; after the next DNS message to be detected carrying the same registered domain name is received, the first count value is updated to 2, and so on. If, after receiving a DNS message to be detected, the network device finds that the registered domain name corresponding to it is string.com and that the first count value of messages with the registered domain name string.com is 2, it performs the first counting operation on the DNS message to be detected, so that the first count value of messages with the registered domain name string.com becomes 3; when the network device 100 again receives a DNS message to be detected with the registered domain name string.com and finds that the first count value of messages with that registered domain name is 3, it performs the first counting operation, so that the first count value becomes 4. In this way the network device 100 counts messages separately for different registered domain names.
It should be noted that the first counting operation on the DNS message to be detected may be performed after the detection result of whether the DNS message to be detected belongs to the DNS hidden channel message is obtained, or after the request domain name is obtained; this embodiment does not limit it.
Step S502, when the detection result is that the DNS message to be detected belongs to the DNS hidden channel message, determining a second count value of the message which belongs to the DNS hidden channel message and has the registered domain name.
The counting method in this step is similar to that in step S501. For example, assuming that, according to the detection results previously recorded in the network device 100, 7 of the messages with the registered domain name string.com are DNS hidden channel messages, then when the detection result indicates that the DNS message to be detected with the registered domain name string.com belongs to the DNS hidden channel message, a second counting operation is performed on it to obtain a second count value of 8 for messages that have the registered domain name and belong to the DNS hidden channel message; that is, there are now 8 DNS hidden channel messages among the messages with the registered domain name string.com.
Step S503, calculating a ratio of the first count value to the second count value to determine a probability that the packet with the registered domain name belongs to the DNS hidden channel packet.
In a specific implementation, with reference to steps S501 and S502, assuming that the first count value of messages with the registered domain name string.com is 10 and the second count value of messages with the registered domain name string.com that belong to the DNS hidden channel message is 8, the probability that a message with the registered domain name string.com belongs to the DNS hidden channel message is determined to be 8/10, which makes it easy to judge how likely messages with the same registered domain name are to be DNS hidden channel messages. If messages with the registered domain name are judged likely to be DNS hidden channel messages, and the registered domain name is also detected to be a malicious domain name through the intelligence matching of steps S401 to S402, it can be determined that the DNS hidden channel messages are very likely transmitting a malicious domain name, and thus that the DNS hidden channel itself may be a problem.
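As an added example (not the patent's code) of steps S401 to S402 and S501 to S503 together, the following Python keeps the first and second count values per registered domain name, computes the hidden channel share as in the 8/10 example above (second count divided by first count), and matches the registered domain name against a constructed in-memory intelligence library; the "high possibility" threshold passed to summary() is an assumption, since the patent gives no value.

```python
"""Bookkeeping after detection: intelligence matching (S401-S402) and
per-registered-domain counting and ratio (S501-S503) in one tracker."""
from dataclasses import dataclass, field


@dataclass
class DomainStats:
    first_count: int = 0    # S501: all messages carrying this registered domain name
    second_count: int = 0   # S502: those detected as DNS hidden channel messages


@dataclass
class HiddenChannelTracker:
    intel_library: set                  # registered domain names known to be malicious
    stats: dict = field(default_factory=dict)

    def observe(self, registered_domain: str, is_hidden_channel: bool) -> dict:
        """Update the counts for one detected message and return its verdict."""
        entry = self.stats.setdefault(registered_domain, DomainStats())
        entry.first_count += 1          # first counting operation, every message
        malicious = False
        if is_hidden_channel:
            entry.second_count += 1     # second counting operation, hidden channel only
            # S401/S402: intelligence matching is done for hidden channel messages
            malicious = registered_domain in self.intel_library
        return {
            'registered_domain': registered_domain,
            'hidden_channel': is_hidden_channel,
            'malicious_domain': malicious,
            'hidden_channel_share': self.hidden_channel_share(registered_domain),
        }

    def hidden_channel_share(self, registered_domain: str) -> float:
        """S503: second count / first count (8/10 in the patent's worked example)."""
        entry = self.stats.get(registered_domain)
        if entry is None or entry.first_count == 0:
            return 0.0                  # edge case: nothing counted yet
        return entry.second_count / entry.first_count

    def summary(self, min_share: float) -> list:
        """Registered domains whose hidden channel share reaches min_share (the
        threshold is an assumption), with the intelligence-library match,
        highest share first."""
        rows = [(d, self.hidden_channel_share(d), d in self.intel_library)
                for d in self.stats if self.hidden_channel_share(d) >= min_share]
        return sorted(rows, key=lambda r: r[1], reverse=True)


def run_sample() -> HiddenChannelTracker:
    """Replay a constructed stream of (registered domain, detection result) pairs:
    10 messages for string.com of which 8 were detected as hidden channel, and
    3 for example.net of which 1 was. The intelligence library is constructed."""
    tracker = HiddenChannelTracker(intel_library={'string.com'})
    stream = [('string.com', True)] * 8 + [('string.com', False)] * 2 \
        + [('example.net', True)] + [('example.net', False)] * 2
    for domain, detected in stream:
        tracker.observe(domain, detected)
    return tracker


if __name__ == '__main__':
    for row in run_sample().summary(0.5):
        print(row)
```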
In order to execute the corresponding steps of the above embodiments and their various possible manners, an implementation of the message detection apparatus is given below. Referring to fig. 9, fig. 9 is a functional block diagram of a message detection apparatus 600 according to an embodiment of the present invention. It should be noted that the basic principle and the resulting technical effect of the message detection apparatus 600 provided in this embodiment are the same as those of the foregoing embodiments; for brevity, parts not mentioned in this embodiment may be referred to the corresponding contents of the foregoing embodiments. The message detection apparatus 600 includes a request domain name obtaining module 610, a registered domain name removing module 620, a message feature extracting module 630, and a detection module 640.
Alternatively, the modules may be stored in the memory 110 shown in fig. 1 in the form of software or firmware, or be built into the operating system (OS) of the network device 100, and may be executed by the processor 120 in fig. 1. Meanwhile, the data, program code and the like required to execute the above modules may be stored in the memory 110.
The request domain name obtaining module 610 is configured to obtain a request domain name corresponding to the DNS packet to be detected.
It is understood that the request domain name obtaining module 610 may execute the step S201.
The registered domain name removing module 620 is configured to remove the registered domain name from the requested domain name to obtain the domain name to be processed.
It is understood that the registered domain name removing module 620 may perform the step S202.
The message feature extraction module 630 is configured to extract at least two message features of the DNS message to be detected; wherein the at least two message characteristics include domain name characteristics of the domain name to be processed.
Optionally, the domain name characteristics of the domain name to be processed include a domain name length of the domain name to be processed, and/or a domain name character list of the domain name to be processed, where the domain name character list is formed by converting each character in the domain name to be processed into a corresponding number according to a preset correspondence between the character and the number.
It is understood that the message feature extraction module 630 may execute the step S203.
The detection module 640 is configured to obtain a detection result of whether the DNS packet to be detected belongs to the DNS hidden channel packet according to at least two packet features and the pre-trained packet detection model.
Optionally, the message detection model includes a feature processing network and a model prediction network, the detection result may include a first probability value that the DNS message to be detected belongs to the DNS hidden channel message and a second probability value that the DNS message to be detected belongs to the non-DNS hidden channel message, the detection module 640 is configured to encode at least two message features by using the feature processing network to obtain a message feature matrix, input the message feature matrix into the model prediction network to obtain a first probability value and a second probability value, and determine that the DNS message to be detected belongs to the DNS hidden channel message when the first probability value is greater than the second probability value.
It is understood that the detection module 640 can perform step S204 and its sub-steps S2041 and S2042.
Optionally, as shown in fig. 10, the message detection apparatus 600 may further include a domain name matching module 650, where the domain name matching module 650 is configured to match the registered domain name with a pre-stored domain name information library when the detection result indicates that the DNS message to be detected belongs to the DNS hidden channel message, and determine that the requested domain name of the DNS message to be detected is a malicious domain name when the domain name matched with the registered domain name exists in the domain name information library.
It is understood that the domain name matching module 650 may perform the steps S401 and S402.
Optionally, the message detection apparatus 600 may further include a counting module 660 and a ratio calculation module 670.
The counting module 660 is configured to determine a first count value of a packet with a registered domain name, and determine a second count value of a packet with a registered domain name and belonging to a DNS hidden channel packet when the detection result indicates that the DNS packet to be detected belongs to the DNS hidden channel packet.
It is understood that the counting module 660 can perform the steps S501 and S502.
The ratio calculation module 670 is configured to calculate a ratio of the first count value to the second count value to determine a probability that the packet with the registered domain name belongs to the DNS hidden channel packet.
It is understood that the ratio calculation module 670 may perform the above step S503.
In summary, the message detection method, the device, the network device, and the computer-readable storage medium provided in the embodiments of the present invention obtain a domain name to be processed by obtaining a request domain name corresponding to a DNS message to be detected and removing a registration domain name in the request domain name, and obtain a detection result of whether the DNS message to be detected belongs to a DNS hidden channel message by extracting at least two message features of the DNS message to be detected, where the at least two message features include a domain name feature of the domain name to be processed, according to the at least two message features and a pre-trained message detection model. Therefore, the embodiment of the invention inputs a plurality of message characteristics, such as the domain name length, the domain name character list, the time interval of request and response, the domain name record type and the like corresponding to the DNS message to be detected, as detection indexes into the message detection model by removing the interference of the registered domain name, so as to obtain the detection result of whether the DNS message to be detected belongs to the DNS hidden channel message, thereby effectively improving the detection precision and accuracy and reducing the false alarm rate.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for detecting a packet, the method comprising:
acquiring a request domain name corresponding to a DNS message to be detected;
removing the registered domain name in the request domain name to obtain a domain name to be processed;
extracting at least two message characteristics of the DNS message to be detected; wherein the at least two message characteristics comprise domain name characteristics of the domain name to be processed;
and obtaining a detection result of whether the DNS message to be detected belongs to the DNS hidden channel message or not according to the at least two message characteristics and a pre-trained message detection model.
2. The method according to claim 1, wherein the domain name features of the domain name to be processed include a domain name length of the domain name to be processed, and/or a domain name character list of the domain name to be processed, wherein the domain name character list is formed by converting each character in the domain name to be processed into a corresponding number according to a preset correspondence between the character and the number.
3. The method according to claim 1, wherein the message detection model includes a feature processing network and a model prediction network, the detection result includes a first probability value that the DNS message to be detected belongs to the DNS hidden channel message and a second probability value that the DNS message to be detected belongs to the non-DNS hidden channel message, and the step of obtaining the detection result of whether the DNS message to be detected belongs to the DNS hidden channel message according to the at least two message features and the pre-trained message detection model includes:
encoding the at least two message characteristics by using the characteristic processing network to obtain a message characteristic matrix;
and inputting the message characteristic matrix into the model prediction network to obtain the first probability value and the second probability value, and determining that the DNS message to be detected belongs to the DNS hidden channel message when the first probability value is greater than the second probability value.
4. The method according to any of claims 1-3, wherein the at least two message characteristics further comprise at least one of a domain name record type of the DNS message to be detected, a time interval of request and response, a transmission rate of the DNS message to be detected, a total number of messages having the IP address of the DNS message to be detected, and a total number of messages having the requested domain name.
5. The method of claim 1, further comprising:
when the detection result is that the DNS message to be detected belongs to the DNS hidden channel message, matching the registered domain name with a pre-stored domain name information library;
and when the domain name matched with the registered domain name exists in the domain name information library, determining that the request domain name of the DNS message to be detected is a malicious domain name.
6. The method of claim 1, further comprising:
determining a first count value of the message with the registered domain name;
when the detection result is that the DNS message to be detected belongs to the DNS hidden channel message, determining a second count value of the message which belongs to the DNS hidden channel message and has the registered domain name;
and calculating the ratio of the first count value to the second count value to determine the probability that the message with the registered domain name belongs to the DNS hidden channel message.
7. A packet inspection device, the device comprising:
the request domain name acquisition module is used for acquiring a request domain name corresponding to the DNS message to be detected;
the registered domain name removing module is used for removing the registered domain name in the request domain name to obtain a domain name to be processed;
the message feature extraction module is used for extracting at least two message features of the DNS message to be detected; wherein the at least two message characteristics comprise domain name characteristics of the domain name to be processed;
and the detection module is used for obtaining a detection result of whether the DNS message to be detected belongs to the DNS hidden channel message or not according to the at least two message characteristics and the pre-trained message detection model.
8. The apparatus of claim 7, wherein the message detection model comprises a feature processing network and a model prediction network, and the detection result comprises a first probability value that the DNS message to be detected belongs to the DNS hidden channel message and a second probability value that the DNS message to be detected belongs to a non-DNS hidden channel message;
the detection module is configured to encode the at least two message features by using the feature processing network to obtain a message feature matrix, input the message feature matrix into the model prediction network to obtain the first probability value and the second probability value, and determine that the DNS message to be detected belongs to the DNS hidden channel message when the first probability value is greater than the second probability value.
9. A network device comprising a memory storing a computer program and a processor, the computer program being read and executed by the processor to implement the method according to any of claims 1-6.
10. A computer-readable storage medium, on which a computer program is stored which, when read and executed by a processor, implements the method of any one of claims 1-6.
Application CN201911018931.3A (priority date 2019-10-24, filing date 2019-10-24): Message detection method, device, network equipment and computer readable storage medium. Status: Active; granted as CN110855632B (en).

Publications (2)

CN110855632A (en), published 2020-02-28
CN110855632B (en), published 2022-03-11

CN110266739A (en) * 2019-08-06 2019-09-20 杭州安恒信息技术股份有限公司 In conjunction with the detection method for the Fast-Flux Botnet for threatening information
CN110321430A (en) * 2019-04-16 2019-10-11 中国银行股份有限公司 Domain name identification and domain name identification model generation method, device and storage medium

Similar Documents

Publication Publication Date Title
CN110855632B (en) Message detection method, device, network equipment and computer readable storage medium
CN112398779B (en) Network traffic data analysis method and system
CN109450842B (en) Network malicious behavior recognition method based on neural network
CN112839034B (en) Network intrusion detection method based on CNN-GRU hierarchical neural network
US20200349430A1 (en) System and method for predicting domain reputation
CN111355697B (en) Detection method, device, equipment and storage medium for botnet domain name family
CN112910929B (en) Malicious domain name detection method and device based on heterogeneous graph representation learning
CN108629183B (en) Multi-model malicious code detection method based on credibility probability interval
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
EP3336739B1 (en) A method for classifying attack sources in cyber-attack sensor systems
US20140380466A1 (en) Method and apparatus for providing hierarchical pattern recognition of communication network data
CN112165484B (en) Network encryption traffic identification method and device based on deep learning and side channel analysis
CN113935426A (en) Method and device for detecting abnormal data traffic of power internet of things
CN110162958B (en) Method, apparatus and recording medium for calculating comprehensive credit score of device
CN112039997A (en) Triple-feature-based Internet of things terminal identification method
CN111464510B (en) Network real-time intrusion detection method based on rapid gradient lifting tree classification model
CN110602020A (en) Botnet detection technology based on DGA domain name and periodic network connection session behavior
CN110162973B (en) Webshell file detection method and device
CN116846690A (en) IPv6 network space mapping method based on industry classification and probability model
CN111447169B (en) Method and system for identifying malicious webpage in real time on gateway
CN110472410B (en) Method and device for identifying data and data processing method
CN111291078A (en) Domain name matching detection method and device
Altuncu et al. Deep learning based DNS tunneling detection and blocking system
CN113746804B (en) DNS hidden channel detection method, device, equipment and storage medium
KR102526935B1 (en) Network intrusion detection system and network intrusion detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant