CN111818030A - Rapid positioning processing method and system for malicious domain name request terminal - Google Patents

Rapid positioning processing method and system for malicious domain name request terminal

Info

Publication number
CN111818030A
Authority
CN
China
Prior art keywords
domain name
terminal
malicious
infected
dns server
Prior art date
Legal status
Pending
Application number
CN202010606200.7A
Other languages
Chinese (zh)
Inventor
张坤三
Current Assignee
State Grid Fujian Electric Power Co Ltd
Zhangzhou Power Supply Co of State Grid Fujian Electric Power Co Ltd
Original Assignee
State Grid Fujian Electric Power Co Ltd
Zhangzhou Power Supply Co of State Grid Fujian Electric Power Co Ltd
Priority date
2020-06-29
Filing date
2020-06-29
Publication date
2020-10-23
2020-06-29 Application filed by State Grid Fujian Electric Power Co Ltd and Zhangzhou Power Supply Co of State Grid Fujian Electric Power Co Ltd
2020-06-29 Priority to CN202010606200.7A
2020-10-23 Publication of CN111818030A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The invention relates to a method and system for rapidly locating and handling the terminal that requests a malicious domain name, comprising the following steps: step S1: establishing databases on the DNS server; step S2: acquiring the DNS server log and extracting the queried domain name from it; step S3: if the current domain name is in the whitelist database, go to step S6, otherwise go to step S4; step S4: if the current domain name is in the blacklist database, locate the IP of the infected terminal corresponding to the domain name and raise an alarm, otherwise go to step S5; step S5: if the current domain name is judged benign, add it to the whitelist database and go to step S6; if it is judged malicious, add it to the blacklist database, locate the IP of the infected terminal corresponding to the domain name together with its host user information, and raise an alarm; step S6: delete the processed DNS server log. The invention can quickly and accurately locate the host IP address and host user information of a host that accesses a malicious domain name.

Description

Rapid positioning processing method and system for malicious domain name request terminal
Technical Field
The invention relates to the technical field of desktop terminal security, and in particular to a method and system for rapidly locating and handling a terminal that requests a malicious domain name.
Background
With the continuing growth of the global internet's user base and the abundance of network applications, the techniques that threaten network security keep developing; the threats to the property and privacy of internet users posed by malicious domain names and websites are increasing rapidly, and with them the cost to enterprises of building network security protection. This matters particularly for large enterprises with very large numbers of desktop terminals: once one host is infected, the others on the same local area network are reachable from it, and malicious code can spread quickly from host to host as data is exchanged between them.
In the prior art, however, it is difficult to find malicious domain names quickly in a DNS server log, and the specific IP of the infected host cannot be determined accurately from the log alone, because the log records the address of whichever resolver forwarded the query rather than the end host.
Disclosure of Invention
In view of the above, the present invention provides a method and system for rapidly locating and handling a terminal that requests a malicious domain name. It quickly and accurately locates the host IP address and host user information of the host that accessed the malicious domain name, so that operation and maintenance staff can find the infected host quickly, warn early and handle it in time, safeguarding the security and availability of the information system.
The invention is realized by the following scheme. A method for rapidly locating and handling a terminal that requests a malicious domain name specifically comprises the following steps:
step S1: establishing databases on the DNS server, comprising a domain name whitelist database, a domain name blacklist database and a system IP address allocation table (the mapping from IP address ranges to departments and users);
step S2: acquiring the current DNS server log, parsing the logged DNS messages and extracting the queried domain name from each;
step S3: matching the extracted domain name against the whitelist database; if the current domain name is in the whitelist database, go to step S6, otherwise go to step S4;
step S4: matching the extracted domain name against the blacklist database; if the current domain name is in the blacklist database, marking the domain name, locating the IP of the infected terminal corresponding to the domain name together with its host user information, and raising an alarm; otherwise go to step S5;
step S5: detecting and classifying the extracted domain name; if the current domain name is judged benign, adding it to the whitelist database and going to step S6; if it is judged malicious, adding it to the blacklist database, locating the IP of the infected terminal corresponding to the domain name together with its host user information, and raising an alarm;
step S6: deleting the processed DNS server log so that the log does not grow without bound and later searches have less to scan.
Further, locating the infected terminal IP corresponding to the domain name in steps S4 and S5 specifically comprises: adding a resolution record for the malicious domain name on the DNS server that directs the request to a designated terminal IP (a sinkhole host); that terminal receives the connections that resolving the malicious domain name produces, and a preset script running on it locates the IP of the infected terminal automatically. The preset script listens on TCP port 80 and parses each received request to obtain the requester's IP, which is the IP of the infected terminal. Because a client infected with the malicious program obtains the designated terminal's IP from DNS resolution and then connects to it directly, the source IP of each request received by the designated terminal is the IP of the infected terminal, and it is obtained accurately regardless of how many layers of recursive DNS resolution sit between the client and the DNS server, whereas the DNS server log alone shows only the address of the nearest resolver that forwarded the query.
Further, according to the located IP of the infected terminal, the corresponding location information (department and user) is looked up in the system IP address allocation table.
Further, the alarm comprises generating alarm information including the requested malicious domain name, the time of the last request, the number of requests, the IP of the infected terminal, the department of the unit to which the infected terminal belongs, and the user information.
Further, the alarm comprises: restricting the infected terminal's outbound network access, remotely initiating an anti-virus and Trojan scan and removal on the infected terminal, and restoring the terminal's outbound access once the scan and removal succeeds; if the removal fails or the terminal cannot be controlled remotely, the user of the infected terminal named in the alarm information is contacted to check the host or to arrange an on-site inspection.
Further, detecting and classifying the extracted domain name specifically comprises: analyzing whether one or more of the behavioral, structural, lexical (character) and resolution features of the current domain name match the corresponding features of known malicious domain names; if so, the current domain name is judged malicious, otherwise it is judged benign.
The invention also provides a system for rapidly locating and handling a terminal that requests a malicious domain name, comprising a storage module, a processing module, a communication module, and computer program instructions stored on the storage module and executable by the processing module; the processing module communicates with the DNS server through the communication module, and the method steps described above are carried out when the processing module executes the computer program instructions.
Compared with the prior art, the invention has the following beneficial effects. By classifying each domain name as malicious or benign, the whitelist and blacklist databases grow continuously and later detection time falls. At the same time, the infected terminal IP and host user information are located, so that operation and maintenance staff can find the infected host quickly, warn early and handle it in time, which greatly increases their efficiency and safeguards the security and availability of the information system.
Drawings
FIG. 1 is a schematic flow chart of a method according to an embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and the embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
As shown in FIG. 1, this embodiment provides a method for rapidly locating and handling a terminal that requests a malicious domain name, which specifically comprises the following steps:
step S1: establishing databases on the DNS server, comprising a domain name whitelist database, a domain name blacklist database and a system IP address allocation table (the mapping from IP address ranges to departments and users);
step S2: acquiring the current DNS server log, parsing the logged DNS messages and extracting the queried domain name from each;
step S3: matching the extracted domain name against the whitelist database; if the current domain name is in the whitelist database, go to step S6, otherwise go to step S4;
step S4: matching the extracted domain name against the blacklist database; if the current domain name is in the blacklist database, marking the domain name, locating the IP of the infected terminal corresponding to the domain name together with its host user information, and raising an alarm; otherwise go to step S5;
step S5: detecting and classifying the extracted domain name; if the current domain name is judged benign, adding it to the whitelist database and going to step S6; if it is judged malicious, adding it to the blacklist database, locating the IP of the infected terminal corresponding to the domain name together with its host user information, and raising an alarm;
step S6: deleting the processed DNS server log so that the log does not grow without bound and later searches have less to scan.
In this embodiment, locating the infected terminal IP corresponding to the domain name in steps S4 and S5 specifically comprises: adding a resolution record for the malicious domain name on the DNS server that directs the request to a designated terminal IP (a sinkhole host); that terminal receives the connections that resolving the malicious domain name produces, and a preset script running on it locates the IP of the infected terminal automatically. The preset script listens on TCP port 80 and parses each received request to obtain the requester's IP, which is the IP of the infected terminal. Because a client infected with the malicious program obtains the designated terminal's IP from DNS resolution and then connects to it directly, the source IP of each request received by the designated terminal is the IP of the infected terminal, and it is obtained accurately regardless of how many layers of recursive DNS resolution sit between the client and the DNS server, whereas the DNS server log alone shows only the address of the nearest resolver that forwarded the query.
In this embodiment, according to the located IP of the infected terminal, the corresponding location information (department and user) is looked up in the system IP address allocation table.
In this embodiment, the alarm comprises generating alarm information including the requested malicious domain name, the time of the last request, the number of requests, the IP of the infected terminal, the department of the unit to which the infected terminal belongs, and the user information.
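The following is an added example, not the patent's code or any State Grid implementation, of the locating and alarm steps described for S4 and S5 in this embodiment, in the summary above and in claims 2 to 4: a small HTTP sinkhole that records the TCP peer address of every request together with the Host header (which tells apart several blacklisted domains that all point at the same sinkhole), aggregates the hits into alarm records carrying request count and last request time, and looks up department and user in an IP address allocation table. The table contents, the domain known-bad.test, the loopback port and the simulated infected client are constructed for the demonstration; in deployment the DNS server's record for the blacklisted name points at this host and the listener binds to port 80.

```python
"""Sinkhole listener and alarm builder for the infected-terminal location step.

Added example, not the patent's code. It assumes the DNS server already
answers the blacklisted name with this host's address; the IP allocation
table, the port and the simulated client below are constructed data.
"""
import http.client
import threading
from dataclasses import dataclass
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from ipaddress import ip_address, ip_network

# Constructed stand-in for the "system IP address allocation table":
# network -> (department, user / contact). A real table comes from the CMDB.
IP_ALLOCATION = {
    ip_network("10.20.30.0/24"): ("Finance department", "finance-desk@example.invalid"),
    ip_network("10.20.31.0/24"): ("Dispatch centre", "dispatch-ops@example.invalid"),
    ip_network("127.0.0.0/8"): ("Loopback (test only)", "local"),
}


def lookup_owner(ip: str) -> tuple[str, str]:
    """Longest-prefix lookup of (department, user) for a located IP."""
    addr = ip_address(ip)
    best = None
    for net, owner in IP_ALLOCATION.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else ("unknown", "unknown")


@dataclass
class Hit:
    client_ip: str   # TCP peer address: the infected terminal unless a NAT sits in between
    domain: str      # Host header: which sinkholed domain the client asked for
    path: str
    time: datetime


class SinkholeHandler(BaseHTTPRequestHandler):
    """Records who connected and for which domain; never serves real content."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        self.server.hits.append(
            Hit(self.client_address[0], host, self.path, datetime.now(timezone.utc)))
        self.send_response(204)
        self.end_headers()

    do_POST = do_GET

    def log_message(self, fmt, *args):  # keep the per-request stderr log quiet
        pass


class Sinkhole(ThreadingHTTPServer):
    def __init__(self, address):
        super().__init__(address, SinkholeHandler)
        self.hits: list[Hit] = []


def start_sinkhole(host: str = "0.0.0.0", port: int = 80) -> Sinkhole:
    """Serve in a background thread. Binding port 80 needs root or CAP_NET_BIND_SERVICE."""
    srv = Sinkhole((host, port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def build_alarms(hits: list[Hit]) -> list[dict]:
    """One alarm per (domain, infected IP): request count, last request time, owner info."""
    alarms: dict[tuple[str, str], dict] = {}
    for h in hits:
        rec = alarms.setdefault((h.domain, h.client_ip), {
            "domain": h.domain, "infected_ip": h.client_ip,
            "count": 0, "last_request": h.time})
        rec["count"] += 1
        rec["last_request"] = max(rec["last_request"], h.time)
    for rec in alarms.values():
        rec["department"], rec["user"] = lookup_owner(rec["infected_ip"])
    return list(alarms.values())


def simulate_infected_client(port: int, domain: str, path: str = "/gate.php") -> int:
    """Stand-in for malware that resolved `domain` to the sinkhole and beacons over HTTP."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": domain})
    status = conn.getresponse().status
    conn.close()
    return status


def demo() -> list[dict]:
    """Loopback run: two beacons from one 'infected' host to a sinkholed domain."""
    srv = start_sinkhole("127.0.0.1", 0)   # ephemeral port for the demonstration
    port = srv.server_address[1]
    for _ in range(2):
        simulate_infected_client(port, "known-bad.test")
    srv.shutdown()
    srv.server_close()
    return build_alarms(srv.hits)


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

Two caveats the patent text does not spell out: the recorded address is the TCP peer, so a NAT gateway or proxy between the terminal and the sinkhole reports its own address rather than the terminal's; and a listener on TCP 80 only sees plaintext HTTP, so malware that beacons on another port or over TLS on 443 is located only if the sinkhole also accepts those connections (the peer address is known once the TCP handshake completes, before any TLS negotiation).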
In this embodiment, the alarm further comprises: restricting the infected terminal's outbound network access, remotely initiating an anti-virus and Trojan scan and removal on the infected terminal, and restoring the terminal's outbound access once the scan and removal succeeds; if the removal fails or the terminal cannot be controlled remotely, the user of the infected terminal named in the alarm information is contacted to check the host or to arrange an on-site inspection.
In this embodiment, detecting and classifying the extracted domain name specifically comprises: analyzing whether one or more of the behavioral, structural, lexical (character) and resolution features of the current domain name match the corresponding features of known malicious domain names; if so, the current domain name is judged malicious, otherwise it is judged benign.
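The following is an added example, not the patent's code, of steps S1 to S6 as described in this embodiment, in the summary above and in claim 1, together with the feature-based classification of step S5 (claim 6). The log line format (a BIND-style query log), the four sample lines, the initial list contents and the feature thresholds are constructed for the demonstration, and only lexical and structural features are implemented, since behavioral and resolution features need data that a single log line does not carry.

```python
"""Whitelist/blacklist triage of a DNS query log (steps S1 to S6) with a
feature-based classification of unknown names (step S5).

Added example, not the patent's code. The BIND-style log format, the sample
lines, the list contents and the feature thresholds are constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# BIND "queries" log line. The client field is whoever sent the query to
# this server, i.e. the nearest resolver, which is why the patent locates
# the end host with a sinkhole instead of reading it from the log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?:@\S+ )?(?P<client>[\d.]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log batch (the input of step S2).
SAMPLE_LOG = """\
29-Jun-2020 10:01:02.111 queries: info: client @0x7f1 10.20.30.41#53211 (www.example.com): query: www.example.com IN A +E(0)K (10.20.0.53)
29-Jun-2020 10:01:03.222 queries: info: client @0x7f2 10.20.30.42#53212 (known-bad.test): query: known-bad.test IN A +E(0)K (10.20.0.53)
29-Jun-2020 10:01:04.333 queries: info: client @0x7f3 10.20.30.43#53213 (x7kq9zp2wq1v8.biz): query: x7kq9zp2wq1v8.biz IN A +E(0)K (10.20.0.53)
29-Jun-2020 10:01:05.444 queries: info: client @0x7f4 10.20.30.44#53214 (mail.example.org): query: mail.example.org IN MX +E(0)K (10.20.0.53)
"""


@dataclass
class Lists:
    """Step S1: whitelist and blacklist databases (sets here, tables in practice)."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)


@dataclass
class Alarm:
    domain: str
    resolver_ip: str   # from the log; the infected terminal itself comes from the sinkhole
    time: str
    reason: str


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_features(domain: str) -> list[str]:
    """Lexical and structural features typical of malicious names (assumed thresholds)."""
    labels = domain.split(".")
    core = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label
    hits = []
    if core and entropy(core) > 3.3:
        hits.append("high-entropy label")
    if core and sum(ch.isdigit() for ch in core) / len(core) > 0.25:
        hits.append("digit-heavy label")
    if max(len(label) for label in labels) > 20:
        hits.append("overlong label")
    if len(labels) > 5:
        hits.append("deeply nested name")
    return hits


def triage(log_text: str, lists: Lists) -> tuple[list[Alarm], str]:
    """Steps S2 to S6 over one log batch; returns the alarms and the log text kept.

    Only lines that were parsed and processed are deleted (step S6); lines the
    parser does not understand are kept so nothing is discarded unexamined.
    """
    alarms, kept = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            kept.append(line)
            continue
        ts, client = m.group("ts"), m.group("client")
        qname = m.group("qname").rstrip(".").lower()
        if qname in lists.whitelist:                       # S3: known good
            continue
        if qname in lists.blacklist:                       # S4: known bad
            alarms.append(Alarm(qname, client, ts, "blacklisted"))
            continue
        features = suspicious_features(qname)              # S5: classify unknown name
        if features:
            lists.blacklist.add(qname)
            alarms.append(Alarm(qname, client, ts, "; ".join(features)))
        else:
            lists.whitelist.add(qname)
    return alarms, "\n".join(kept)


def run_example() -> tuple[list[Alarm], Lists, str]:
    lists = Lists(whitelist={"www.example.com"}, blacklist={"known-bad.test"})
    alarms, kept = triage(SAMPLE_LOG, lists)
    return alarms, lists, kept


if __name__ == "__main__":
    alarms, lists, kept = run_example()
    for a in alarms:
        print(f"ALARM {a.domain} via resolver {a.resolver_ip} at {a.time}: {a.reason}")
    print("whitelist:", sorted(lists.whitelist))
    print("blacklist:", sorted(lists.blacklist))
```

The patent's rule that a single matching feature suffices is kept here, so with lexical features alone the thresholds have to be conservative or legitimate names with numeric labels will be blacklisted and alarmed; in practice the judgement would also weigh the behavioral and resolution features the patent names (query frequency, NXDOMAIN ratio, TTL and answer churn). The whitelist matches the exact queried name, so every new subdomain passes through step S5 once before it is remembered.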
This embodiment also provides a system for rapidly locating and handling a terminal that requests a malicious domain name, comprising a storage module, a processing module, a communication module, and computer program instructions stored on the storage module and executable by the processing module; the processing module communicates with the DNS server through the communication module, and the method steps described above are carried out when the processing module executes the computer program instructions.
Preferably, in this implementation, the terminal is a host or a computer.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is directed to preferred embodiments of the present invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow. However, any simple modification, equivalent change and modification of the above embodiments according to the technical essence of the present invention are within the protection scope of the technical solution of the present invention.

Claims (7)

1. A method for rapidly locating and handling a terminal that requests a malicious domain name, characterized in that it comprises the following steps:
step S1: establishing databases on the DNS server, comprising a domain name whitelist database, a domain name blacklist database and a system IP address allocation table;
step S2: acquiring the current DNS server log, parsing the logged DNS messages and extracting the queried domain name from each;
step S3: matching the extracted domain name against the whitelist database; if the current domain name is in the whitelist database, go to step S6, otherwise go to step S4;
step S4: matching the extracted domain name against the blacklist database; if the current domain name is in the blacklist database, marking the domain name, locating the IP of the infected terminal corresponding to the domain name together with its host user information, and raising an alarm; otherwise go to step S5;
step S5: detecting and classifying the extracted domain name; if the current domain name is judged benign, adding it to the whitelist database and going to step S6; if it is judged malicious, adding it to the blacklist database, marking the domain name, locating the IP of the infected terminal corresponding to the domain name together with its host user information, and raising an alarm;
step S6: deleting the processed DNS server log so that the log does not grow without bound and later searches have less to scan.
2. The method according to claim 1, characterized in that locating the infected terminal IP corresponding to the domain name in steps S4 and S5 specifically comprises: adding a resolution record for the malicious domain name on the DNS server that directs the request to a designated terminal IP; that terminal receives the connections that resolving the malicious domain name produces, and a preset script running on it locates the IP of the infected terminal automatically; the preset script listens on TCP port 80 and parses each received request to obtain the requester's IP, which is the IP of the infected terminal.
3. The method according to claim 2, characterized in that the corresponding location information is looked up in the system IP address allocation table according to the located IP of the infected terminal.
4. The method according to claim 1, characterized in that the alarm comprises generating alarm information including the requested malicious domain name, the time of the last request, the number of requests, the IP of the infected terminal, the department of the unit to which the infected terminal belongs, and the user information.
5. The method according to claim 4, characterized in that the alarm further comprises: restricting the infected terminal's outbound network access, remotely initiating an anti-virus and Trojan scan and removal on the infected terminal, and restoring the terminal's outbound access once the scan and removal succeeds; if the removal fails or the terminal cannot be controlled remotely, the user of the infected terminal named in the alarm information is contacted to check the host or to arrange an on-site inspection.
6. The method according to claim 1, characterized in that detecting and classifying the extracted domain name specifically comprises: analyzing whether one or more of the behavioral, structural, lexical (character) and resolution features of the current domain name match the corresponding features of malicious domain names; if so, the current domain name is judged malicious, otherwise it is judged benign.
7. A system for rapidly locating and handling a terminal that requests a malicious domain name, characterized in that it comprises a storage module, a processing module, a communication module and computer program instructions stored on the storage module and executable by the processing module; the processing module communicates with the DNS server through the communication module; and the method steps of any one of claims 1 to 6 are carried out when the processing module executes the computer program instructions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010606200.7A CN111818030A (en) 2020-06-29 2020-06-29 Rapid positioning processing method and system for malicious domain name request terminal


Publications (1)

Publication Number Publication Date
CN111818030A true CN111818030A (en) 2020-10-23

Family

ID=72855581


Country Status (1)

Country Link
CN (1) CN111818030A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106101104A * 2016-06-15 2016-11-09 国家计算机网络与信息安全管理中心 Malicious domain name detection method and system based on domain name resolution
CN106657001A * 2016-11-10 2017-05-10 广州赛讯信息技术有限公司 Botnet detection method based on NetFlow and DNS logs
CN107566420A * 2017-10-27 2018-01-09 深信服科技股份有限公司 Method and device for locating a host infected by malicious code
US20180278633A1 * 2017-03-22 2018-09-27 Microsoft Technology Licensing, Llc Detecting domain name system (DNS) tunneling based on DNS logs and network data
CN110401632A * 2019-06-20 2019-11-01 国网辽宁省电力有限公司信息通信分公司 Method for tracing the source host infected via a malicious domain name


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112910879A (en) * 2021-01-28 2021-06-04 河北研云科技有限公司 Malicious domain name analysis method and system
CN112953911A (en) * 2021-01-28 2021-06-11 河北研云科技有限公司 Network security analysis processing method and system
CN112910879B (en) * 2021-01-28 2023-10-13 河北研云科技有限公司 Malicious domain name analysis method and system
CN112953911B (en) * 2021-01-28 2023-10-13 河北研云科技有限公司 Network security analysis and disposal method and system

Similar Documents

Publication Publication Date Title
CN108763031B (en) Log-based threat information detection method and device
CN109743315B (en) Behavior identification method, behavior identification device, behavior identification equipment and readable storage medium for website
CN107196895B (en) Network attack tracing implementation method and device
CN110719291A (en) Network threat identification method and identification system based on threat information
CN107612924B (en) Attacker positioning method and device based on wireless network intrusion
CN111447215A (en) Data detection method, device and storage medium
CN111737696A (en) Method, system and equipment for detecting malicious file and readable storage medium
CN107347057B (en) Intrusion detection method, detection rule generation method, device and system
CN111460445B (en) Sample program malicious degree automatic identification method and device
CN105491053A (en) Web malicious code detection method and system
CN111221625B (en) File detection method, device and equipment
CN110401632B (en) Malicious domain name infected host tracing method
CN110717183B (en) Virus checking and killing method, device, equipment and storage medium
CN107302586B (en) Webshell detection method and device, computer device and readable storage medium
CN111786966A (en) Method and device for browsing webpage
CN107465702B (en) Early warning method and device based on wireless network intrusion
CN101901232A (en) Method and device for processing webpage data
CN111104579A (en) Identification method and device for public network assets and storage medium
US20160110544A1 (en) Disabling and initiating nodes based on security issue
CN112131577A (en) Vulnerability detection method, device and equipment and computer readable storage medium
CN111818030A (en) Rapid positioning processing method and system for malicious domain name request terminal
CN105959294B Malicious domain name identification method and device
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
CN113965419B (en) Method and device for judging attack success through reverse connection
CN110224975B (en) APT information determination method and device, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-10-23