CN110912910A - DNS network data filtering method and device - Google Patents
- Publication number: CN110912910A
- Application number: CN201911197902.8A
- Authority
- CN
- China
- Prior art keywords
- data
- dns
- classifier
- classification
- network data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/25—Fusion techniques
- G06F18/254—Fusion techniques of classification results, e.g. of results related to same input data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/25—Fusion techniques
- G06F18/259—Fusion by voting
Abstract
The invention discloses a method and device for filtering DNS network data, comprising the following steps: (1) collecting network data from a DNS server through a measurement collector; (2) extracting feature values of the DNS data; (3) processing the data: each collected record is labeled according to the selected feature values to obtain its feature vector, and the vectors form the corresponding feature matrix; (4) classifying the data with multiple classifiers simultaneously; (5) deciding the final classification by a vote weighted according to the classifier weight ratios; (6) filtering malicious network activity according to the classification result.
Description
Technical Field
The present invention relates to the technical field of network communication, and in particular to a method and device for filtering DNS network data.
Background
The DNS network is a network system that translates between domain names and their corresponding IP addresses. DNS stores a table of domain names and their corresponding IP addresses in order to resolve the domain names in messages. After registering a domain name and purchasing a hosting service, you need to resolve the domain name to the purchased host before the website content can be seen. At present, domain name resolution in the DNS network has security problems.
Summary of the Invention
To address the security problems of the domain name resolution system, the present invention proposes a DNS network data filtering device and method that classify DNS network data and filter out malicious network data, further improving the security of the domain name resolution system.
A method for filtering DNS network data, comprising the following steps:
collecting network data from a DNS server through a measurement collector;
extracting feature values of the DNS data, calculating feature influence weights, and configuring parameters;
processing the data according to the feature values;
classifying the data with multiple classifiers simultaneously;
deciding the final classification by a vote weighted according to the classifier weight ratios;
filtering malicious network activity according to the classification result.
Preferably, the network data includes: timestamp, DNS client IP, client port number, DNS server IP, DNS message header ID, resource record type, request URL, request type, response IP, TTL, and hop count.
Preferably, constructing the multiple classifiers includes:
sampling without replacement is used when training the multiple classifiers: p samples are drawn from the training set with replacement, k features are drawn from the feature set without replacement, and multiple different classifiers are generated according to the calculated influence weights of the feature values.
Preferably, processing the data according to the feature values includes:
processing each collected record according to the selected feature values to obtain its feature vector, the vectors forming the corresponding feature matrix.
Preferably, the data is classified simultaneously, and the classifier weight ratios are calculated as follows: an algorithm calculates the posterior probability of each classifier's classification result to obtain that classifier's weight ratio, and weights are assigned to each classifier on the principle of prioritizing accuracy while taking fairness into account.
Preferably, based on the result of the vote, malicious results in the data are intercepted and added to the blacklist.
A DNS network data filtering device, comprising a data acquisition module, a data processing module, a parameter configuration module, a classification module and a decision module, wherein:
the data processing module performs comparison against a preset blacklist and processes the data according to the selected feature values; the parameter configuration module extracts the feature values, calculates the influence weights of the feature values, and configures the parameters; the classification module consists of multiple parallel classifiers that classify the data simultaneously; the decision module calculates the classifier weight ratios and decides the final result by a classifier vote according to those weight ratios.
Preferably, the preset blacklist consists of some malicious network activity data collected in advance by the system and of data judged malicious by the running filtering system. Malicious network activity data identified by the filtering system is added to the blacklist.
Preferably, in the decision module the classifier weight ratios are calculated as follows: an algorithm calculates the posterior probability of each classifier's classification result to obtain that classifier's weight ratio, and weights are assigned to each classifier on the principle of prioritizing accuracy while taking fairness into account.
Preferably, selecting the feature values includes extracting static features and dynamic features of the data. Static features include the length of the second-level domain name, the Chinese-character composition of the domain name, the number of digits in the domain name, the number of letters in the domain name, and so on; dynamic features include the query time of each querier.
The present invention thus proposes a DNS network data filtering system that classifies DNS network data and filters out malicious network data, further improving the security of the domain name resolution system.
Description of the Drawings
FIG. 1 shows a flowchart of a DNS data filtering method according to an embodiment of the present invention;
FIG. 2 shows a structural diagram of a DNS data filtering device according to an embodiment of the present invention;
FIG. 3 shows an organizational flowchart of a DNS data filtering method according to an embodiment of the present invention.
Detailed Description
The following is a detailed description of embodiments of the present invention. The embodiments are illustrated in the accompanying drawings, in which the same or similar reference numerals denote the same or similar components or components having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural forms. It should be further understood that the word "comprising" used in the description of the present invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. Furthermore, "connected" or "coupled" as used herein may include wireless connection or coupling. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have meanings consistent with their meanings in the context of the prior art and, unless defined as herein, are not to be interpreted in an idealized or overly formal sense.
As shown in FIG. 1, a DNS data filtering method according to an embodiment of the present invention includes the following steps:
101. Collect network data from the DNS server through a measurement collector.
102. Extract feature values of the DNS data, calculate feature influence weights, and configure parameters.
103. Process the data according to the feature values.
104. Classify the data with multiple classifiers simultaneously.
105. Decide the final classification by a vote weighted according to the classifier weight ratios.
106. Filter malicious network activity according to the classification result.
In step 101, the network data collected in the DNS network is as follows:
the network data mainly comes from the DNS request data cached in the DNS server;
the network data includes but is not limited to timestamp, DNS client IP, client port number, DNS server IP, DNS message header ID, resource record type, request URL, request type, response IP, TTL, hop count, etc.
In step 102, the selection of the feature values is as follows:
selecting the feature values includes but is not limited to extracting static features and dynamic features of the data. Static features include but are not limited to the length of the second-level domain name, the Chinese-character composition of the domain name, the number of digits in the domain name, the number of letters in the domain name, and so on; dynamic features include but are not limited to the query time of each querier.
In step 103, processing the data according to the feature values includes:
processing each collected record according to the selected feature values to obtain its feature vector, the vectors forming the corresponding feature matrix.
In step 104, the multiple classifiers are obtained as follows:
multiple different classifiers are generated according to the calculated influence weights of the feature values.
In step 105, the decision module operates as follows:
the classifier weight ratios are calculated by an algorithm that computes the posterior probability of each classifier's classification result, giving that classifier's weight ratio; weights are assigned to each classifier on the principle of prioritizing accuracy while taking fairness into account.
FIG. 2 is a structural diagram of a DNS data filtering device according to an embodiment of the present invention. The method applies to the network data resolution scenario of a domain name resolution system. First, the measurement collector collects data on the server of the domain name resolution system; this is the "collect DNS server data" module in the figure. The parameter configuration module extracts the feature values of the data, calculates the influence weights of the feature values, and configures the related parameters. The data is then passed to the data processing module. After receiving the DNS network data, the data processing module first compares it against the blacklist preset in the system and filters out the entries that match the blacklist; it then processes the data according to the feature values and passes the resulting feature vectors to the classification module. In the classification module, multiple different classifiers are generated according to the calculated influence weights of the feature values. The classifiers classify the data simultaneously and pass their results to the decision module. The decision module first uses an algorithm to calculate the posterior probability of each classifier's classification result, obtaining each classifier's weight ratio, with weights assigned on the principle of prioritizing accuracy while taking fairness into account. It then holds a weighted vote over the classifier results to produce the final result. Malicious network data in the classification result is filtered out and added to the preset blacklist.
FIG. 3 is an organizational flowchart of a DNS data filtering method according to an embodiment of the present invention.
First, the measurement collector collects data on the server of the domain name resolution system. Feature values are extracted from the collected data and their influence weights are calculated; the data is processed according to the extracted feature values to obtain the feature vectors, which form the corresponding feature matrix. The parameters are then configured according to the influence weights of the feature values. Multiple different classifiers are generated according to the calculated influence weights of the feature values, the data is fed into the classifiers, and the classifiers classify it simultaneously. An algorithm then calculates the posterior probability of each classifier's classification result to obtain each classifier's weight ratio, with weights assigned on the principle of prioritizing accuracy while taking fairness into account. A weighted vote over the classifier results produces the final result, and malicious network data in the classification result is filtered out and added to the preset blacklist.
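The flow described for FIG. 1 to FIG. 3 (blacklist comparison, static feature extraction, parallel classifiers, weighted vote, blacklist update) can be sketched as follows. This is an added example, not code from the patent: the patent names no algorithm, so the one-threshold classifiers, the use of accuracy as the weight, the 0.5 vote threshold, all function names and all sample data are assumptions, and the sampled construction of the classifiers (p samples, k features) is replaced by one classifier per feature to keep the result deterministic.

```python
# Added example (not from the patent): blacklist check, static features,
# parallel one-feature classifiers and an accuracy-weighted vote.
FEATURES = ("sld_len", "digits", "letters", "cjk")


def static_features(qname):
    """Static features listed in the patent, computed from the queried name."""
    labels = qname.rstrip(".").lower().split(".")
    # Assumption: the second-level label is the one left of the TLD; real
    # traffic needs the Public Suffix List to handle suffixes such as "co.uk".
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    chars = "".join(labels)
    return (
        len(sld),
        sum(c.isascii() and c.isdigit() for c in chars),
        sum(c.isascii() and c.isalpha() for c in chars),
        sum("\u4e00" <= c <= "\u9fff" for c in chars),  # CJK ideographs
    )


def train_stump(rows, labels, idx):
    """Best threshold on feature idx; the stump votes malicious if value > t."""
    values = sorted({r[idx] for r in rows})
    candidates = [(a + b) / 2 for a, b in zip(values, values[1:])] or [values[0]]
    best = None
    for t in candidates:
        acc = sum((r[idx] > t) == y for r, y in zip(rows, labels)) / len(rows)
        if best is None or acc > best[2]:
            best = (idx, t, acc)
    return best


def build_ensemble(training):
    """One classifier per feature, weighted by its share of total accuracy."""
    rows = [static_features(name) for name, _ in training]
    labels = [malicious for _, malicious in training]
    stumps = [train_stump(rows, labels, i) for i in range(len(FEATURES))]
    # Assumption: accuracy stands in for the patent's "posterior probability".
    # It is measured on the training set here; use held-out data in practice.
    total = sum(acc for _, _, acc in stumps)
    return [(idx, t, acc / total) for idx, t, acc in stumps]


def weighted_vote(ensemble, qname):
    """Sum of the weights of the classifiers that vote malicious (0.0 to 1.0)."""
    feats = static_features(qname)
    return sum(w for idx, t, w in ensemble if feats[idx] > t)


def filter_query(record, ensemble, blacklist, threshold=0.5):
    name = record["qname"].rstrip(".").lower()
    if name in blacklist:  # preset-blacklist comparison comes first
        return "blocked:blacklist"
    if weighted_vote(ensemble, name) > threshold:
        # Feedback loop: a false positive stays blocked until the blacklist
        # is reviewed, so entries should be logged and given an expiry.
        blacklist.add(name)
        return "blocked:classified"
    return "allowed"


TRAINING = [  # constructed, labelled names (True = malicious)
    ("example.com", False), ("mail.example.org", False),
    ("docs.python.org", False), ("news.例子.cn", False),
    ("x9k2q7w4z8r1t5.com", True), ("a1b2c3d4e5f6g7h8.net", True),
    ("q8w7e6r5t4y3u2i1.info", True), ("3847261950ab.biz", True),
]
QUERIES = [  # constructed records with a few of the fields the patent lists
    {"timestamp": 1575000000, "client_ip": "192.0.2.10", "qname": "www.example.net"},
    {"timestamp": 1575000001, "client_ip": "192.0.2.11", "qname": "k3j9x2m5p8v1n4.top"},
    {"timestamp": 1575000002, "client_ip": "192.0.2.11", "qname": "K3J9X2M5P8V1N4.top."},
]


def run_demo():
    ensemble = build_ensemble(TRAINING)
    blacklist = set()
    return [filter_query(q, ensemble, blacklist) for q in QUERIES], blacklist


if __name__ == "__main__":
    print(run_demo())
```

The third query is stopped by the blacklist entry that the second query created, which is the self-updating behaviour the description attributes to the decision module.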
With the technical solution proposed by the present invention, the system can classify DNS network data and filter out malicious network data, further improving the security of the domain name resolution system.
Those skilled in the art will understand that the present invention may involve apparatus for performing one or more of the operations described in this application. The apparatus may be specially designed and manufactured for the required purposes, or may comprise known devices in a general-purpose computer that is selectively activated or reconfigured by a program stored in it.
Those skilled in the art will understand that each block of these structural diagrams and/or block diagrams and/or flow diagrams, and combinations of blocks in them, can be implemented with computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer or another programmable data processing apparatus to produce a machine, so that the instructions executed by that processor implement the methods specified in the block or blocks of the structural diagrams and/or block diagrams and/or flow diagrams.
Those skilled in the art will understand that the steps, measures and solutions in the various operations, methods and processes discussed in the present invention may be alternated, modified, combined or deleted. Further, other steps, measures and solutions in the various operations, methods and processes discussed in the present invention may also be alternated, modified, rearranged, decomposed, combined or deleted. Further, steps, measures and solutions in the prior art that correspond to the various operations, methods and processes disclosed in the present invention may also be alternated, modified, rearranged, decomposed, combined or deleted.
The above are only some embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911197902.8A CN110912910A (en) | 2019-11-29 | 2019-11-29 | DNS network data filtering method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911197902.8A CN110912910A (en) | 2019-11-29 | 2019-11-29 | DNS network data filtering method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110912910A (en) | 2020-03-24 |
Family
ID=69820401
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911197902.8A Pending CN110912910A (en) | 2019-11-29 | 2019-11-29 | DNS network data filtering method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110912910A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20200324 |