CN113014582A - Distributed DNS traffic monitoring method, system, electronic device and medium - Google Patents

Info

Publication number: CN113014582A
Authority: CN (China)
Prior art keywords: domain name, domain, detected, names, coefficient
Legal status: Granted
Application number: CN202110214237.XA
Other languages: Chinese (zh)
Other versions: CN113014582B (en)
Inventors: 董超, 姜峰, 马威, 徐玉芬
Current assignee: Zhejiang Qianguan Information Security Institute Co ltd
Original assignee: Zhejiang Qianguan Information Security Institute Co ltd

Events: application filed by Zhejiang Qianguan Information Security Institute Co ltd; priority to CN202110214237.XA; publication of CN113014582A; application granted; publication of CN113014582B; legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 ... for detecting or protecting against malicious traffic
    • H04L63/1408 ... for detecting or protecting against malicious traffic by monitoring network traffic

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 ... using standardised directories; using standardised directory access protocols
    • H04L61/4511 ... using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a distributed DNS traffic monitoring method, system, electronic device and medium in the technical field of network security. They address the large detection workload and low detection efficiency caused in the related art by detecting every domain name one by one. The method mainly comprises the following steps: acquiring a measured domain name set comprising one or more measured domain names; grouping the measured domain name set by N-level domain name to obtain a plurality of first domain name groups, and recording the N-level domain name corresponding to each first domain name group as a domain name to be detected, where N is 2 or greater; and inputting the domain names to be detected into a multi-classifier detection model to obtain a measured risk coefficient used to judge whether each domain name to be detected is a malicious domain name. The invention has the advantages of a small detection workload and high detection efficiency.

Description

Distributed DNS traffic monitoring method, system, electronic device and medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a distributed DNS traffic monitoring method, system, electronic device, and medium.
Background
The Domain Name System (DNS) is one of the basic systems of the entire internet service. It is responsible for converting the internet domain names that people access into IP addresses; this conversion process is called "domain name resolution", so the DNS is also called the "domain name resolution system". Because the DNS carries important business yet has low security, more and more attacks in recent years have targeted the DNS, and accordingly, identifying malicious domain names has become an important task for network services.
In the related art, when processing DNS data, all domain names are detected one by one to determine whether they are malicious domain names. This approach does not restrict the level of the domain names, which results in a large detection workload and low detection efficiency.
At present, no effective solution has been proposed for the large detection workload and low detection efficiency caused by detecting all domain names one by one in the related art.
Disclosure of Invention
To overcome the defects of the related art, the invention aims to provide a distributed DNS traffic monitoring method, system, electronic device and medium that have the advantages of a small detection workload and high detection efficiency.
The first object of the invention is achieved by the following technical scheme:
a distributed DNS traffic monitoring method comprising the following steps:
acquiring a measured domain name set, the measured domain name set comprising one or more measured domain names;
grouping the measured domain name set by N-level domain name to obtain a plurality of first domain name groups, and recording the N-level domain name corresponding to each first domain name group as a domain name to be detected, where N is 2 or greater;
inputting the domain names to be detected into a multi-classifier detection model to obtain a measured risk coefficient for judging whether each domain name to be detected is a malicious domain name.
In some embodiments, when N > 2, after grouping the measured domain name set by N-level domain name, the method further comprises:
grouping the measured domain names that remain ungrouped in the set by second-level domain name to obtain a plurality of second domain name groups, and recording the second-level domain name corresponding to each second domain name group as a domain name to be detected.
In some embodiments, when N > 2, after grouping the measured domain name set by N-level domain name, the method further comprises:
taking each measured domain name that remains ungrouped in the set as its own third domain name group, and recording the maximum-level domain name corresponding to each third domain name group as a domain name to be detected.
In some embodiments, before inputting the domain name to be detected into the multi-classifier detection model, the method further comprises:
judging whether the domain name to be detected contains a feature word belonging to a preset word bank, and if not, deleting the domain name to be detected and its corresponding domain name group.
In some embodiments, before acquiring the measured domain name set, the method further comprises:
acquiring a sample domain name, the sample domain name carrying a sample risk coefficient for judging whether the sample domain name is a malicious domain name;
training the multi-classifier detection model, taking the sample domain name as the input of the model and the sample risk coefficient as its output.
In some embodiments, the risk coefficient comprises a first coefficient and a second coefficient, where the first coefficient is obtained from the dependency of the domain name and the second coefficient from the relationship between the usage location of the domain name and that of malicious domain names.
In some embodiments, after obtaining the measured risk coefficient for judging whether the domain name to be detected is a malicious domain name, the method further comprises:
fusing the first coefficient and the second coefficient to obtain a total danger value;
judging whether the total danger value lies within a safety range, and if not, marking the corresponding domain name to be detected as a dangerous domain name and storing it in a danger database.
The second object of the invention is achieved by the following technical scheme:
a distributed DNS traffic monitoring system comprising a root node and one or more sub-nodes, where the root node and each sub-node are arranged in a distributed manner;
each sub-node comprises a QGS DNS collector, which collects DNS data and uploads it over a corresponding connection line; the root node receives the DNS data over the connection lines and aggregates it to obtain a measured domain name set, and the root node further comprises a QGS DNS analyzer configured to perform the method according to any one of claims 1 to 7.
A third object of the invention is to provide an electronic device that achieves the first object of the invention, comprising a memory in which a computer program is stored and a processor arranged to carry out the method described above when executing the computer program.
A fourth object of the present invention is to provide a computer-readable storage medium that achieves the first object of the invention, having stored thereon a computer program which, when executed by a processor, implements the method described above.
Compared with the related art, the invention has the following beneficial effects: after the measured domain name set is acquired, it is grouped to obtain the domain names to be detected, which are then detected with the multi-classifier detection model to provide a basis for judging whether each is a malicious domain name; the grouping operation reduces the overall number of domain names to be detected, and accordingly the detection efficiency can be improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a distributed DNS traffic monitoring method according to an embodiment of the present application;
fig. 2 is a block diagram of a distributed DNS traffic monitoring system according to the fourth embodiment of the present application;
fig. 3 is a flowchart of a distributed DNS traffic monitoring method according to a third embodiment of the present application;
fig. 4 is a block diagram of an electronic device according to a fifth embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It will be appreciated that such a development effort might be complex and tedious, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure, and is not intended to limit the scope of this disclosure.
Example one
This embodiment provides a distributed DNS traffic monitoring method, and aims to solve the problems of a large detection workload and low detection efficiency caused in the related art by detecting all domain names one by one.
Fig. 1 is a flowchart of a distributed DNS traffic monitoring method according to an embodiment of the present application. Referring to fig. 1, the method may specifically comprise steps S101 to S103. It should be noted that the steps of the method are performed by an execution device, which may specifically be a server, a cloud server, a client, a processor or the like, but is not limited to these types.
Step S101: acquire a measured domain name set comprising one or more measured domain names. It will be appreciated that each measured domain name in the set should be unique. The measured domain names are the domain names to be examined; their source and maximum domain name level are not limited in this process.
Step S102: group the measured domain name set by N-level domain name to obtain a plurality of first domain name groups, and record the N-level domain name corresponding to each first domain name group as a domain name to be detected, where N is 2 or greater. The grouping operation may be implemented with a clustering algorithm, such as K-Means.
It can be understood that when N is 2, every measured domain name in the set can be grouped, whereas when N is greater than 2, some measured domain names in the set remain ungrouped.
Here, an example is given: there are two measured domain names: ftp.
Step S103: input the domain names to be detected into a multi-classifier detection model to obtain a measured risk coefficient for judging whether each domain name to be detected is a malicious domain name. It will be appreciated that the multi-classifier detection model has already been trained and is accordingly a supervised machine learning model. It should be noted that the risk coefficient may comprise more than one value, or may directly be the detection result of whether the domain name is malicious; this is not limited here.
In summary, after the measured domain name set is acquired, it is grouped to obtain the domain names to be detected, which are then detected with the multi-classifier detection model to provide a basis for judging whether each is a malicious domain name; the grouping operation reduces the overall number of domain names to be detected, and accordingly the detection efficiency can be improved.
It will be appreciated that the steps illustrated in the flowcharts described above or in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from that shown here.
Example two
The second embodiment provides a distributed DNS traffic monitoring method and builds on the first embodiment.
Fig. 3 is a flowchart of a distributed DNS traffic monitoring method according to a third embodiment of the present application; for steps S301, S302 and S305 in fig. 3, refer to the relevant descriptions of fig. 1, which are not repeated here.
Referring to fig. 3, the method may further comprise steps S303 and S304.
Step S303: judge whether the domain name to be detected contains a feature word belonging to a preset word bank; if so, execute step S305, otherwise go to step S304. It should be noted that the preset word bank can be created with reference to an English dictionary.
Step S304: delete the domain name to be detected and its corresponding domain name group. It can be understood that when a domain name to be detected contains letters but the letter combination cannot serve as a feature word, the combination is meaningless, so detecting it is of little value and is not required.
In summary, the domain name to be detected is used as the measure, and redundant measures and measures without obvious features are eliminated, so that the number of groups can be reduced as far as possible while grouping correctness is ensured, thereby reducing computational complexity and system overhead.
As an alternative embodiment, referring to fig. 3, when N > 2 the measured domain name set still contains ungrouped measured domain names after step S302, and accordingly a supplementary step may be inserted between steps S302 and S303.
The supplementary step may comprise: grouping the measured domain names that remain ungrouped in the set by second-level domain name to obtain a plurality of second domain name groups, and recording the second-level domain name corresponding to each second domain name group as a domain name to be detected.
For this step, refer to the description of step S302 (i.e. step S102); it can be understood that the domain names to be detected corresponding to the second domain name groups all proceed to step S303 and subsequent steps.
With this scheme, every measured domain name in the set is grouped, so none of the measured domain names escapes detection, and using second-level domain names in the supplementary step improves the uniformity in form of the domain names to be detected.
As a further alternative embodiment, refer to the description of the supplementary step above, with the difference that it takes the following form: each measured domain name that remains ungrouped in the set is taken as its own third domain name group, and the maximum-level domain name corresponding to each third domain name group is recorded as a domain name to be detected.
With this scheme, every measured domain name in the set is grouped, so none of the measured domain names escapes detection, and the maximum-level domain name is used so as to reduce the difference in form between the domain names to be detected corresponding to the first domain name groups and those corresponding to the third domain name groups.
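The grouping of steps S101 to S103, both supplementary steps for N > 2, and the feature-word filter of steps S303/S304, worked through as an added example; this is not code from the patent or from the assignee. It assumes that the "N-level domain name" of a name is its last N labels (level 1 = top-level domain, level 2 = registrable name, and so on), that the feature-word check is substring matching against the labels below the top-level label, and that the sample domain names and the word bank are constructed for illustration.

```python
"""Grouping step of the distributed DNS monitoring method described above.

Added example, not the patent's or the assignee's code. Level semantics
are an assumption: the N-level domain of a name is its last N labels.
"""
from collections import defaultdict

# Constructed measured domain name set (step S101). A set enforces uniqueness.
MEASURED_DOMAINS = {
    "ftp.example.com",
    "www.example.com",
    "mail.example.com",
    "example.com",           # only 2 labels: left ungrouped when N >= 3
    "cdn.assets.shop.net",
    "img.assets.shop.net",
    "xk7q2.zzqv.org",        # no dictionary words: removed by the filter
}

# Constructed "preset word bank" standing in for the English dictionary of S303.
WORD_BANK = {"example", "mail", "shop", "assets", "bank", "login"}


def n_level_domain(name, n):
    """Return the N-level domain of `name` (its last n labels), or None when
    the name has fewer than n labels and therefore cannot be grouped."""
    labels = name.lower().strip(".").split(".")
    if len(labels) < n:
        return None
    return ".".join(labels[-n:])


def group_by_level(domains, n):
    """Step S102: group the measured set by N-level domain (N >= 2).
    Returns (first_groups, residue); each group key is a domain to be detected."""
    if n < 2:
        raise ValueError("N must be 2 or greater")
    groups = defaultdict(set)
    residue = set()
    for name in domains:
        key = n_level_domain(name, n)
        if key is None:
            residue.add(name)
        else:
            groups[key].add(name)
    return dict(groups), residue


def group_residue(residue, strategy):
    """Supplementary step for N > 2, in either of the two forms described:
    'second_level': group the residue by second-level domain (second groups);
    'max_level':    each residual name forms its own group, keyed by its
                    maximum-level domain, i.e. the full name (third groups)."""
    groups = defaultdict(set)
    for name in residue:
        full = name.lower().strip(".")
        if strategy == "second_level":
            key = n_level_domain(full, 2) or full   # 1-label names keep themselves
        elif strategy == "max_level":
            key = full
        else:
            raise ValueError(f"unknown residue strategy: {strategy}")
        groups[key].add(name)
    return dict(groups)


def has_feature_word(candidate, word_bank=WORD_BANK):
    """Step S303: does the domain name to be detected contain a word from the
    word bank? Assumed to be substring matching on all labels but the TLD."""
    labels = candidate.lower().split(".")[:-1]
    return any(word in label for label in labels for word in word_bank)


def select_domains_to_detect(domains, n, residue_strategy="second_level"):
    """S102 + supplementary step + S303/S304. Returns the surviving
    {domain_to_detect: group_members} mapping that step S305 would feed
    to the multi-classifier detection model."""
    groups, residue = group_by_level(domains, n)
    if n > 2 and residue:
        for key, members in group_residue(residue, residue_strategy).items():
            groups.setdefault(key, set()).update(members)
    # S304: delete candidates without a feature word together with their group.
    return {k: v for k, v in groups.items() if has_feature_word(k)}


if __name__ == "__main__":
    for n in (2, 3, 4):
        for strategy in ("second_level", "max_level"):
            result = select_domains_to_detect(MEASURED_DOMAINS, n, strategy)
            print(f"N={n} {strategy:13s} -> {len(result)} domains to detect:",
                  sorted(result))
```

With N = 2 the seven measured names collapse to two domains to be detected, which is the reduction the method relies on; with N = 4 the two residue strategies yield different candidate counts (3 versus 6).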
Example three
The third embodiment provides a distributed DNS traffic monitoring method that builds on the first embodiment and/or the second embodiment.
Referring to fig. 1, before step S101 the method may further comprise a multi-classifier detection model establishing step, which may comprise the following.
Acquire a sample domain name carrying a sample risk coefficient for judging whether the sample domain name is a malicious domain name. The sample risk coefficient may be set manually, and the sample domain name is obtained from a sample domain name set. It is to be understood that the sample domain names in the sample set are not limited in domain name level, but second-level domain names preferably make up the largest share of the sample set.
Train the multi-classifier detection model, taking the sample domain name as its input and the sample risk coefficient as its output.
It should be noted that when a domain name to be detected is determined to be a malicious domain name, it may be used as a sample domain name for the multi-classifier detection model to learn from and adjust.
As an alternative embodiment, the risk coefficient may comprise a first coefficient and a second coefficient, it being understood that both the measured risk coefficient and the sample risk coefficient are set as described here.
The first coefficient is obtained from the dependency of the domain name: for any domain name to be detected, the range of domain names it depends on can be determined with a DNS recursive resolver, and the smaller that dependency range, the higher the dependency and the larger the first coefficient can be. The second coefficient is obtained from the relationship between the usage location of the domain name and that of malicious domain names: the usage location of the domain name can be obtained by tracing, and the closer it is to the usage location of a malicious domain name, the larger the second coefficient can be.
With this scheme, the malicious domain name is determined from both dependency and usage location, which improves the accuracy of the judgment.
Further, after obtaining the measured risk coefficient for judging whether the domain name to be detected is a malicious domain name, the method may further comprise the following steps.
Fuse the first coefficient and the second coefficient to obtain a total danger value. For example, a weighting algorithm can be applied to the first and second coefficients, with the respective weights adjusted to the specific situation; accordingly, the higher the total danger value, the more likely the corresponding domain name to be detected is a malicious domain name.
Judge whether the total danger value lies within a safety range; if not, mark the corresponding domain name to be detected as a dangerous domain name and store it in a danger database. The safety range may also be adjusted case by case; for example, with the weighting algorithm described above, the safety range is assumed to be set in terms of a threshold.
It is worth noting that after the domain name to be detected is stored in the danger database, the danger database can be treated directly as a malicious database; or it can be treated as independent of the malicious database, with the dangerous domain names then extracted from it by an operator and judged manually. With this scheme, dangerous domain names can be determined and their accuracy improved.
Example four
The fourth embodiment provides a distributed DNS traffic monitoring system. Fig. 2 is a block diagram of the structure of a distributed DNS traffic monitoring system according to the fourth embodiment of the present application; as shown in fig. 2, the platforms of the system are in a distributed configuration.
Specifically, the system comprises a root node and one or more sub-nodes arranged in a distributed manner. Each sub-node comprises a QGS DNS collector, which collects DNS data and uploads it over a corresponding connection line; the root node receives the DNS data over the connection lines and aggregates it to obtain a measured domain name set, and further comprises a QGS DNS analyzer configured to execute the method of any embodiment or combination of embodiments described above.
It can be understood that the distributed DNS traffic monitoring system is not limited to the form shown in fig. 2; it is sufficient that the monitoring center is the root node.
In the distributed DNS traffic monitoring method, whether a domain name to be detected is a malicious domain name can be judged by the monitoring center or manually according to the measured risk coefficient; if so, the monitoring center stores the domain name in a malicious domain name library and feeds it back to each sub-node for early warning.
It is worth noting that in the distributed DNS traffic monitoring system, DNS data is circulated to perform traffic monitoring, so that illegal traffic related to a malicious domain name can be quickly identified and timely measures taken. Compared with full-message network data, DNS data has a relatively small volume and is not encrypted, so the performance pressure of security monitoring can be kept low.
The above modules may be functional modules or program modules and may be implemented in software or hardware. Modules implemented in hardware may be located in the same processor, or distributed across different processors in any combination.
Example five
The fifth embodiment provides an electronic device. Fig. 4 is a block diagram of the structure of the electronic device of the fifth embodiment of the present application; as shown in fig. 4, the electronic device comprises a memory and a processor, where the memory stores a computer program and the processor is configured to run it to execute any of the distributed DNS traffic monitoring methods in the foregoing embodiments.
Optionally, the electronic device may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
In addition, in combination with the distributed DNS traffic monitoring method of the foregoing embodiments, the fifth embodiment of the present application may provide a storage medium for its implementation. The storage medium has a computer program stored thereon; when executed by a processor, the computer program implements the distributed DNS traffic monitoring method of any of the above embodiments, the method comprising:
acquiring a measured domain name set, the measured domain name set comprising one or more measured domain names;
grouping the measured domain name set by N-level domain name to obtain a plurality of first domain name groups, and recording the N-level domain name corresponding to each first domain name group as a domain name to be detected, where N is 2 or greater;
inputting the domain names to be detected into a multi-classifier detection model to obtain a measured risk coefficient for judging whether each domain name to be detected is a malicious domain name.
As shown in fig. 4, taking one processor as an example, the processor, memory, input device and output device of the electronic device may be connected by a bus or by other means; fig. 4 takes connection by a bus as an example.
The memory, which is a computer-readable storage medium, may include high-speed random access memory, non-volatile memory and the like, and may be used to store an operating system, a software program, a computer-executable program and a database, such as the program instructions/modules corresponding to the distributed DNS traffic monitoring method of the embodiments of the present invention; it may also provide an operating environment for the operating system and the computer program. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the electronic device through a network.
The processor, which provides computing and control capabilities, may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing embodiments of the present application. The processor executes the various functional applications and data processing of the electronic device by running the computer-executable program, software program, instructions and modules stored in the memory, that is, it implements the distributed DNS traffic monitoring method of the first embodiment.
The output device of the electronic equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the electronic equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on a shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
The electronic device may further include a network interface/communication interface, the network interface of the electronic device being for communicating with an external terminal through a network connection. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Those skilled in the art will appreciate that the structure shown in fig. 4 is a block diagram of only a portion of the structure relevant to the present application, and does not constitute a limitation on the electronic device to which the present application is applied, and a particular electronic device may include more or less components than those shown in the drawings, or combine certain components, or have a different arrangement of components.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
It is to be noted that, in the embodiment of the distributed DNS traffic monitoring method, each included unit and module are only divided according to functional logic, but are not limited to the above division, as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The terms "comprises," "comprising," "including," "has," "having," and any variations thereof, as referred to herein, are intended to cover a non-exclusive inclusion. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describe the association relationship of the associated objects, meaning that three relationships may exist. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A distributed DNS traffic monitoring method, the method comprising:
acquiring a measured domain name set, the measured domain name set comprising one or more measured domain names;
grouping the measured domain name set by N-level domain name to obtain a plurality of first domain name groups, and recording the N-level domain name corresponding to each first domain name group as a domain name to be detected, where N is greater than or equal to 2;
inputting the domain name to be detected into a multi-classifier detection model to obtain a measured risk coefficient for judging whether the domain name to be detected is a malicious domain name.
2. The method of claim 1, wherein when N > 2, after grouping the measured domain name set by N-level domain name, the method further comprises:
grouping the measured domain names that remain in the measured domain name set after the grouping by second-level domain name to obtain a plurality of second domain name groups, and recording the second-level domain name corresponding to each second domain name group as a domain name to be detected.
3. The method of claim 1, wherein when N > 2, after grouping the measured domain name set by N-level domain name, the method further comprises:
taking each measured domain name that remains in the measured domain name set after the grouping as a third domain name group, and recording the highest-level domain name corresponding to the third domain name group as a domain name to be detected.
4. The method according to any one of claims 1 to 3, wherein before inputting the domain name to be detected into the multi-classifier detection model, the method further comprises:
judging whether the domain name to be detected contains a feature word from a preset lexicon, and if not, deleting the domain name to be detected and its corresponding domain name group.
5. The method of claim 1, wherein before acquiring the measured domain name set, the method further comprises:
acquiring sample domain names, each sample domain name carrying a sample risk coefficient for judging whether the sample domain name is a malicious domain name;
training the multi-classifier detection model, with the sample domain names as the input of the multi-classifier detection model and the sample risk coefficients as its output.
6. The method according to any one of claims 1 to 3, wherein the risk coefficient comprises a first coefficient and a second coefficient, the first coefficient being obtained from the dependencies of the domain name, and the second coefficient being obtained from the relationship between the usage locations of the domain name and of known malicious domain names.
7. The method according to claim 6, wherein after obtaining the measured risk coefficient for judging whether the domain name to be detected is a malicious domain name, the method further comprises:
fusing the first coefficient and the second coefficient to obtain a total risk value;
judging whether the total risk value falls within a safety range, and if not, marking the corresponding domain name to be detected as a dangerous domain name and storing it in a danger database.
8. A distributed DNS traffic monitoring system, characterised by comprising a root node and one or more child nodes, the root node and each child node being deployed in a distributed manner;
each child node comprises a QGS DNS collector, the QGS DNS collector being used to collect DNS data and upload it over the corresponding link; the root node receives the DNS data over the links and aggregates it to obtain the measured domain name set, and the root node further comprises a QGS DNS analyzer configured to perform the method according to any one of claims 1 to 7.
9. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to carry out the method of any one of claims 1 to 7 when the computer program is executed.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 7.
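The claims above fix a pipeline but no code: the root node aggregates the collectors' uploads into a measured domain name set (claim 8), names are grouped by their N-level domain (claim 1), the leftovers are regrouped by second-level domain or kept as their own group (claims 2 and 3), groups whose domain to be detected carries no lexicon word are dropped (claim 4), and the model's two coefficients are fused and checked against a safety range (claims 6 and 7). The following is an added worked example of those steps, written for this page; it is not code from the patent or the applicant. The multi-classifier model itself is not specified by the claims, so its two coefficients come from a constructed table, and the collector records, the lexicon, the weighted-mean fusion and the safety bound are all assumptions made for the example.

```python
"""Worked example of the grouping, lexicon pre-filter and risk fusion steps of
claims 1-4 and 6-7 (with the root-node aggregation of claim 8).  Added
illustration, not code from the patent or its applicant.  The multi-classifier
model is not specified by the claims, so its coefficients are taken from a
constructed table; the fusion weights, safety bound, lexicon and DNS records
below are assumptions."""
from collections import defaultdict

# Constructed collector uploads: (collector_id, queried name), as the child
# nodes of claim 8 would forward them to the root node.
COLLECTOR_UPLOADS = [
    ("node-1", "login.mybank-secure.com."),
    ("node-1", "cdn.mybank-secure.com"),
    ("node-2", "api.pay.example.net"),
    ("node-2", "PAY.EXAMPLE.NET"),
    ("node-2", "pay.example.net"),
    ("node-3", "example.org"),
    ("node-3", "localhost"),
    ("node-1", "x7k9q2.top"),
]

# Assumed preset lexicon for claim 4: names without one of these words are
# dropped together with their group before reaching the model.
FEATURE_WORDS = ("bank", "pay", "login", "secure")

# Constructed stand-in for the model output of claim 6:
# domain to be detected -> (first coefficient, second coefficient), both in [0, 1].
MODEL_OUTPUTS = {
    "login.mybank-secure.com": (0.9, 0.8),
    "cdn.mybank-secure.com": (0.7, 0.6),
    "pay.example.net": (0.2, 0.1),
}
SAFE_MAX = 0.6  # assumed upper bound of the safety range of claim 7


def normalise(name):
    """Lower-case a queried name and strip surrounding whitespace and the root dot."""
    return name.strip().lower().rstrip(".")


def aggregate(uploads):
    """Root-node aggregation of claim 8: merge all uploads into one measured domain name set."""
    return {normalise(q) for _, q in uploads if normalise(q)}


def level_domain(name, n):
    """The N-level domain of `name` (its last N labels), or None if it has fewer than N labels."""
    labels = name.split(".")
    return ".".join(labels[-n:]) if len(labels) >= n else None


def group_by_level(names, n):
    """Claim 1: group every name that has an N-level domain under that domain.
    Returns ({n_level_domain: [names]}, remainder), the remainder in sorted order."""
    if n < 2:
        raise ValueError("N must be >= 2")
    groups, remainder = defaultdict(list), []
    for name in sorted(names):
        key = level_domain(name, n)
        (remainder if key is None else groups[key]).append(name)
    return dict(groups), remainder


def group_remainder(remainder, mode):
    """Claims 2 and 3 for the names left over when N > 2: mode "second_level" groups
    them by their 2-level domain; mode "own" makes each name its own group, keyed by
    its highest-level domain, which is the name itself."""
    groups = defaultdict(list)
    for name in remainder:
        if mode == "second_level":
            key = level_domain(name, 2) or name  # a single label has no 2-level domain
        elif mode == "own":
            key = name
        else:
            raise ValueError("mode must be 'second_level' or 'own'")
        groups[key].append(name)
    return dict(groups)


def lexicon_filter(groups, words=FEATURE_WORDS):
    """Claim 4: keep only groups whose domain to be detected contains a feature word."""
    return {key: members for key, members in groups.items() if any(w in key for w in words)}


def fuse(first, second, w_first=0.5, w_second=0.5):
    """Claim 7 fusion; the claim fixes no formula, a weighted mean is the assumption here."""
    return w_first * first + w_second * second


def run_pipeline(uploads, n=3, remainder_mode="second_level", model=MODEL_OUTPUTS):
    """Claims 1-4 and 7 end to end; returns the danger database {domain: total risk}."""
    groups, remainder = group_by_level(aggregate(uploads), n)
    groups.update(group_remainder(remainder, remainder_mode))
    danger_db = {}
    for key in lexicon_filter(groups):
        first, second = model[key]
        total = fuse(first, second)
        if total > SAFE_MAX:  # outside the safety range: mark and store
            danger_db[key] = round(total, 3)
    return danger_db


if __name__ == "__main__":
    for domain, risk in run_pipeline(COLLECTOR_UPLOADS).items():
        print(f"{domain}: total risk {risk}")
```

With N = 3 the two names under pay.example.net fall into one first group, while example.org, localhost and x7k9q2.top have fewer than three labels and go through the claim 2 or claim 3 path; the lexicon step then removes all three of those before the model is consulted, which is the intended effect of claim 4 but also means the random-looking x7k9q2.top is never scored, so a deployment that cares about algorithmically generated names needs a lexicon (or an additional path) that lets them through.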
CN202110214237.XA 2021-02-25 2021-02-25 Distributed DNS traffic monitoring method, system, electronic device and medium Active CN113014582B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110214237.XA CN113014582B (en) 2021-02-25 2021-02-25 Distributed DNS traffic monitoring method, system, electronic device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110214237.XA CN113014582B (en) 2021-02-25 2021-02-25 Distributed DNS traffic monitoring method, system, electronic device and medium

Publications (2)

Publication Number Publication Date
CN113014582A true CN113014582A (en) 2021-06-22
CN113014582B CN113014582B (en) 2023-04-07

Family

ID=76386048

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110214237.XA Active CN113014582B (en) 2021-02-25 2021-02-25 Distributed DNS traffic monitoring method, system, electronic device and medium

Country Status (1)

Country Link
CN (1) CN113014582B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108683686A (en) * 2018-06-21 2018-10-19 Institute of Information Engineering, Chinese Academy of Sciences Random subdomain name DDoS attack detection method
CN110336789A (en) * 2019-05-28 2019-10-15 Beijing University of Posts and Telecommunications Domain-flux botnet detection method based on hybrid learning
CN110474872A (en) * 2019-07-05 2019-11-19 Institute of Information Engineering, Chinese Academy of Sciences Domain name service risk assessment method and system based on DNS resolution dependency
US20200236120A1 (en) * 2019-01-17 2020-07-23 International Business Machines Corporation Detecting and mitigating risk in a transport network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Sandeep Yadav et al.: "Detecting algorithmically generated malicious domain names", IMC '10 *
Zhang Weiwei et al.: "A lightweight domain name detection algorithm based on morpheme features", Journal of Software *
Sheng Jiantao et al.: "Malicious domain name detection technology based on combined classifiers", Telecommunications Science *

Also Published As

Publication number Publication date
CN113014582B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
CN109768992B (en) Webpage malicious scanning processing method and device, terminal device and readable storage medium
CN112866023B (en) Network detection method, model training method, device, equipment and storage medium
CN110347561B (en) Monitoring alarm method and terminal equipment
CN110888911A (en) Sample data processing method and device, computer equipment and storage medium
CN112989348A (en) Attack detection method, model training method, device, server and storage medium
Li et al. Street-Level Landmarks Acquisition Based on SVM Classifiers.
CN113014582B (en) Distributed DNS traffic monitoring method, system, electronic device and medium
CN113176968A (en) Safety test method, device and storage medium based on interface parameter classification
CN116628554B (en) Industrial Internet data anomaly detection method, system and equipment
CN115865486B (en) Network intrusion detection method and system based on multi-layer perception convolutional neural network
WO2023093017A1 (en) Method and apparatus for identifying web service device
CN114205146B (en) Processing method and device for multi-source heterogeneous security log
CN113489773B (en) Data access method, device, equipment and medium
CN112085589B (en) Method and device for determining safety of rule model and server
CN114970694A (en) Network security situation assessment method and model training method thereof
CN114866338A (en) Network security detection method and device and electronic equipment
CN112711574A (en) Database security detection method and device, electronic equipment and medium
CN114564349A (en) Server monitoring method and device, electronic equipment and storage medium
CN112866271B (en) Attack tracing-based sensitive file protection method, device and system
CN110719260B (en) Intelligent network security analysis method and device and computer readable storage medium
CN114022317B (en) Legal public opinion prediction method, device, computer equipment and storage medium
CN113535444B (en) Abnormal motion detection method, device, computing equipment and computer storage medium
CN114095081B (en) Method and device for determining health degree of optical module and computer readable storage medium
CN114339843B (en) Anchor point problem identification method and device based on network coverage
He et al. Research on Network Configuration Verification Based on Association Analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant