CN113347139B - Method, device, system and medium for identifying safety information - Google Patents


Info

Publication number: CN113347139B
Authority: CN (China)
Prior art keywords: data, domain name, type, records, target
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010136555.4A
Other languages: Chinese (zh)
Other versions: CN113347139A (en)
Inventor: 孟翔
Current Assignee: Sangfor Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Sangfor Technologies Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010136555.4A
Publication of CN113347139A
Application granted
Publication of CN113347139B
Legal status: Active


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L 69/22 Parsing or analysis of headers
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/09 Mapping addresses > H04L 61/10 Mapping addresses of different types > H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/45 Network directories; Name-to-address mapping > H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols > H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

An embodiment of the invention discloses a method, a device, a system and a medium for identifying security information. Resolution data in a pDNS (passive DNS) database are read for a preset time period; the resolution data comprise several types of data records, and a first-class data group and a second-class data group are screened out of the resolution data according to preset data types. Each data record in the first-class data group is subjected to security verification according to a pre-established security database and a verification rule; the security database contains common security information, the verification rule describes how to detect data records that satisfy the security requirement, and first-class data records that pass the security verification are marked as security information. The resolution counts of all data records in the second-class data group are counted, and second-class data records whose resolution counts satisfy a preset resolution requirement are marked as security information. In this way, batch security verification can be performed on the data records generated in the pDNS database, and the efficiency of data security identification is improved.

Description

Method, device, system and medium for identifying security information
Technical Field
The present invention relates to the field of network security technologies, and in particular to a method, an apparatus, a system and a computer-readable storage medium for identifying security information.
Background
In the field of threat intelligence, domain names and IPs are two important kinds of tactical base intelligence. The domain names and IPs of Content Delivery Networks (CDNs) and the IPs of Internet Data Centers (IDCs) play a large role in building threat intelligence; in this document, "security information" means exactly such domain names and IPs of legitimate shared infrastructure, which must not be confused with attacker infrastructure. On the one hand this intelligence enriches the available information; on the other hand it reduces misjudgments of security problems caused by missing information. For example, if an IP is found attacking an open Web service but belongs to an IDC, that IP cannot simply be blocked, because a large number of legitimate domain names share it as their egress and would lose connectivity.
CDNs and IDCs are services open to the outside; organizations use them to centralize their data at lower cost or to respond faster. For security research, however, if these services are not recognized as such, the judgment of security problems is interfered with to a certain extent.
In the prior art, Windows commands are used to identify whether a domain name and an IP are security information, for instance the ping command and the nslookup command: if the returned information has certain characteristics, for example ping returns an additional (canonical) domain name, or nslookup returns addresses with two or more IPs, this indicates a CDN service, and the domain name and IP belong to security information. The method is simple and effective, but it cannot be run in batch: the user can only enter commands one by one to verify each domain name and IP, which takes a long time, so the efficiency of security identification is low.
Therefore, how to improve the efficiency of data security identification is a problem to be solved by those skilled in the art.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a system and a computer-readable storage medium for identifying security information, which can improve the efficiency of data security identification.
To solve the foregoing technical problem, an embodiment of the present invention provides a method for identifying security information, including:
reading resolution data in a pDNS database within a preset time period;
screening a first-class data group and a second-class data group out of the resolution data according to preset data types;
performing security verification on each data record in the first-class data group according to a pre-established security database and a verification rule, and marking the first-class data records that pass the security verification as security information;
counting the resolution counts of all data records in the second-class data group, and marking the second-class data records whose resolution counts satisfy a preset resolution requirement as security information.
Optionally, performing security verification on each data record in the first-class data group according to a pre-established security database and a verification rule, and marking the first-class data records that pass the security verification as security information, includes:
judging whether each data record in the first-class data group matches address information in the pre-established security database;
when a data record matches address information in the security database, marking the domain name and the IP in the matched data record as security information;
when data records do not match address information in the security database, marking the domain names and IPs in the unmatched data records that satisfy a resolution requirement as security information, and marking the domain names and IPs in the unmatched data records that do not satisfy the resolution requirement as non-security information.
Optionally, before judging whether each data record in the first-class data group matches address information in the pre-established security database, the method further includes:
filtering each data record in the first-class data group according to a preset filtering rule.
Optionally, marking the domain names and IPs in the unmatched data records that satisfy the resolution requirement as security information, and marking those that do not satisfy it as non-security information, includes:
judging whether the resolution records of a first domain name in the resolution data are all first-class data, where a target data record is any one of the unmatched data records and comprises the first domain name, a second domain name and an IP;
if not, determining that the second domain name and the IP corresponding to the first domain name are non-security information;
if so, judging whether the number of resolved domain names corresponding to a target IP of the first domain name is greater than or equal to a first threshold, the target IP being any one of the IPs corresponding to the first domain name in the unmatched data records;
when the number of resolved domain names is greater than or equal to the first threshold, judging that the resolved domain names and the target IP are security information;
when the number of resolved domain names is smaller than the first threshold, judging that the resolved domain names and the target IP are non-security information.
Optionally, counting the resolution counts of all data records in the second-class data group, and marking the second-class data records whose resolution counts satisfy the preset resolution requirement as security information, includes:
counting the resolution count of the second-class domain name and the resolution count of the corresponding second-class IP in every data record of the second-class data group;
when the resolution count of the second-class domain name satisfies a preset domain name resolution requirement and the resolution count of the second-class IP satisfies a preset IP resolution requirement, marking the second-class IP as security information.
Optionally, the first-class data group is a group of CNAME data records and the second-class data group is a group of A data records.
An embodiment of the present invention further provides an apparatus for identifying security information, comprising a reading unit, a screening unit, a verification unit and a statistics unit;
the reading unit is configured to read resolution data in a pDNS database within a preset time period;
the screening unit is configured to screen a first-class data group and a second-class data group out of the resolution data according to preset data types;
the verification unit is configured to perform security verification on each data record in the first-class data group according to a pre-established security database and a verification rule, and to mark the first-class data records that pass the security verification as security information;
the statistics unit is configured to count the resolution counts of all data records in the second-class data group, and to mark the second-class data records whose resolution counts satisfy a preset resolution requirement as security information.
Optionally, the verification unit comprises a judging subunit, a first marking subunit and a second marking subunit;
the judging subunit is configured to judge whether each data record in the first-class data group matches address information in the pre-established security database;
the first marking subunit is configured to mark the domain name and the IP in a matched data record as security information when a data record matches address information in the security database;
the second marking subunit is configured, when data records do not match address information in the security database, to mark the domain names and IPs in the unmatched data records that satisfy the resolution requirement as security information, and to mark those that do not satisfy it as non-security information.
Optionally, a filtering unit is further included;
the filtering unit is configured to filter each data record in the first-class data group according to a preset filtering rule before it is judged whether each data record in the first-class data group matches address information in the pre-established security database.
Optionally, the second marking subunit is specifically configured to judge whether the resolution records of a first domain name in the resolution data are all first-class data, a target data record being any one of the unmatched data records and comprising the first domain name, a second domain name and an IP;
if not, to determine that the second domain name and the IP corresponding to the first domain name are non-security information;
if so, to judge whether the number of resolved domain names corresponding to a target IP of the first domain name is greater than or equal to a first threshold, the target IP being any one of the IPs corresponding to the first domain name in the unmatched data records;
when the number of resolved domain names is greater than or equal to the first threshold, to judge that the resolved domain names and the target IP are security information;
when the number of resolved domain names is smaller than the first threshold, to judge that the resolved domain names and the target IP are both non-security information.
Optionally, the statistics unit is specifically configured to count the resolution count of the second-class domain name and the resolution count of the corresponding second-class IP in every data record of the second-class data group, and, when the resolution count of the second-class domain name satisfies a preset domain name resolution requirement and the resolution count of the second-class IP satisfies a preset IP resolution requirement, to mark the second-class IP as security information.
Optionally, the first-class data group is a group of CNAME data records and the second-class data group is a group of A data records.
An embodiment of the present invention further provides a system for identifying security information, comprising:
a memory for storing a computer program; and
a processor for executing the computer program to carry out the steps of the method for identifying security information according to any one of the above.
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the method for identifying security information according to any one of the above.
It can be seen from the above technical solution that resolution data in the pDNS database within a preset time period are read; the resolution data comprise several types of data records, and the security identification method differs by record type. A first-class data group and a second-class data group are screened out of the resolution data according to preset data types. Each data record in the first-class data group is subjected to security verification according to a pre-established security database and a verification rule; the security database contains common security information, the verification rule describes how to detect data records that satisfy the security requirement, and first-class data records that pass the verification can be marked as security information. The resolution counts of all data records in the second-class data group are counted, and second-class data records whose resolution counts satisfy the preset resolution requirement are marked as security information. In this way, batch security verification can be performed on the data records generated in the pDNS database, and the efficiency of data security identification is improved.
Drawings
In order to illustrate the embodiments of the present invention more clearly, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a method for identifying security information according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for identifying a domain name and an IP according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an apparatus for identifying security information according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a system for identifying security information according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without any creative work belong to the protection scope of the present invention.
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Next, a method for identifying security information according to an embodiment of the present invention will be described in detail. Fig. 1 is a flowchart of the method, which includes:
S101: reading resolution data in the pDNS database within a preset time period.
pDNS (Passive DNS) refers to a collection of observed resolution relationships between domain names and IPs.
Data records in the pDNS database are generated from observed network behavior. Several websites currently offer access to their Passive DNS systems, and the resolution data in a pDNS database can be obtained by querying such a system.
The value of the preset time period can be set according to actual needs and is not limited here; for example, it may be set to 30 days.
S102: screening a first-class data group and a second-class data group out of the resolution data according to preset data types.
In the embodiment of the present invention, security analysis is mainly performed on two types of data records; in a specific implementation the data records belonging to these two types may be referred to as the first-class data group and the second-class data group respectively.
The method for identifying security information is suited to security identification of domain names and IPs in CDN networks and IDC networks. CNAME data records are generated by the network behavior of a CDN (a customer's name is aliased to a name operated by the CDN), and A data records are generated by the network behavior of an IDC (a hosted name maps directly to an IP). Correspondingly, the first-class data group may be a group of CNAME data records and the second-class data group a group of A data records. For convenience, the embodiments below use CNAME data records and A data records as the example.
S103: performing security verification on each data record in the first-class data group according to a pre-established security database and a verification rule, and marking the first-class data records that pass the security verification as security information.
The security database contains common security information. In practice, the domain names of known vendors that provide CDN services may be written into the security database, and keywords characteristic of CDN domain names may also be written into it.
The verification rule describes how to detect data records that satisfy the security requirement.
In the embodiment of the present invention, security verification of the data records in the first-class data group may rely on the security database: specifically, it may be judged whether each data record in the first-class data group matches address information in the pre-established security database.
When a data record matches address information in the security database, the domain name and the IP in the matched data record may be marked as security information.
When data records do not match address information in the security database, the domain names and IPs in the unmatched data records that satisfy the resolution requirement may be marked as security information, and those that do not satisfy it as non-security information.
The resolution requirement consists of the rules by which a domain name and an IP are judged to be security information. One possible implementation of the resolution requirement is shown in Fig. 2 and is not repeated here.
S104: counting the resolution counts of all data records in the second-class data group, and marking the second-class data records whose resolution counts satisfy the preset resolution requirement as security information.
Second-class data records contain the correspondence between a domain name and an IP, and in the embodiment of the present invention the security of a second-class data record can be evaluated from the number of domain name resolutions and the number of IP resolutions.
Specifically, the resolution count of the second-class domain name and the resolution count of the corresponding second-class IP in every data record of the second-class data group may be counted; when the resolution count of the second-class domain name satisfies the preset domain name resolution requirement and the resolution count of the second-class IP satisfies the preset IP resolution requirement, the second-class IP is marked as security information.
The second-class data group comprises a plurality of second-class data records, each of which contains a second-class domain name and the second-class IP corresponding to it.
The security verification of each second-class IP is similar. Taking one second-class IP as an example, it may be counted whether the number of domain names resolved to that IP each day is greater than or equal to a first threshold, and whether the total number of domain names resolved to it within the preset time period is greater than or equal to a second threshold.
The total number of resolved domain names is counted after removing duplicate domain names. For example, if the IP is 1.1.1.1 and the domain name resolved to it on the first day is domain name B, and on the next day the domain name resolved to it is still domain name B, the total number of resolved domain names is counted as 1, not 2.
When the number of domain names resolved to the second-class IP each day is greater than or equal to the first threshold, and the total number of domain names resolved to it within the preset time period is greater than or equal to the second threshold, this shows that many domain names are hosted under the second-class IP and are repeatedly resolved to the same IP, which is characteristic of shared hosting in an IDC.
After the resolved domain name counts of the second-class IPs are determined, each second-class domain name corresponding to such an IP may be examined further: specifically, whether the total number of IPs the second-class domain name resolved to within the preset time period is less than a third threshold, and whether the number of IPs it resolved to each day is less than a fourth threshold. If both hold, the second-class domain name is shown to be relatively stable, resolving to only a small number of IPs.
When the number of domain names resolved to the second-class IP each day is greater than or equal to the first threshold and the total number of domain names resolved to it within the preset time period is greater than or equal to the second threshold, and at the same time the total number of IPs the second-class domain name resolved to within the preset time period is less than the third threshold and the number of IPs it resolved to each day is less than the fourth threshold, the second-class domain name belongs to security information.
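As an added, runnable illustration of the S104 statistics above (this is example code written for this page, not code from the patent or from Sangfor), the following Python carries the four-threshold check over a small constructed set of A records. The record layout (day, domain, IP), the threshold values, and the reading that "each day" means every day on which the IP or domain name appears in the window are assumptions; the patent names four thresholds but fixes no values for them.

```python
from collections import defaultdict

# Constructed sample pDNS A records for a three-day window: (day, domain, ip).
# Addresses are from the documentation ranges; none of this data is from the patent.
A_RECORDS = [
    # 203.0.113.10 behaves like a shared IDC host: several domains sit on it every day.
    ("2020-01-01", "a.example", "203.0.113.10"),
    ("2020-01-01", "b.example", "203.0.113.10"),
    ("2020-01-01", "c.example", "203.0.113.10"),
    ("2020-01-01", "d.example", "203.0.113.10"),
    ("2020-01-01", "g.example", "203.0.113.10"),
    ("2020-01-02", "a.example", "203.0.113.10"),
    ("2020-01-02", "b.example", "203.0.113.10"),
    ("2020-01-02", "c.example", "203.0.113.10"),
    ("2020-01-02", "e.example", "203.0.113.10"),
    ("2020-01-03", "b.example", "203.0.113.10"),
    ("2020-01-03", "c.example", "203.0.113.10"),
    ("2020-01-03", "d.example", "203.0.113.10"),
    ("2020-01-03", "f.example", "203.0.113.10"),
    # 198.51.100.7 serves a single domain: too few domains per day to look shared.
    ("2020-01-01", "x.example", "198.51.100.7"),
    ("2020-01-02", "x.example", "198.51.100.7"),
    ("2020-01-03", "x.example", "198.51.100.7"),
    # g.example also hops across other IPs, so it is not "stable" even though it
    # appears on the shared host; flux.example never rests on one IP at all.
    ("2020-01-02", "g.example", "192.0.2.6"),
    ("2020-01-02", "g.example", "192.0.2.7"),
    ("2020-01-03", "g.example", "192.0.2.8"),
    ("2020-01-01", "flux.example", "192.0.2.1"),
    ("2020-01-01", "flux.example", "192.0.2.2"),
    ("2020-01-02", "flux.example", "192.0.2.3"),
]

# Hypothetical threshold values; the patent names four thresholds but gives none.
FIRST_THRESHOLD = 3    # distinct domains per IP per day (must be >=)
SECOND_THRESHOLD = 5   # distinct domains per IP over the window (must be >=)
THIRD_THRESHOLD = 3    # distinct IPs per domain over the window (must be <)
FOURTH_THRESHOLD = 2   # distinct IPs per domain per day (must be <)


def group(records, key_idx, val_idx):
    """Return (daily, total): key -> day -> set(values) and key -> set(values).
    Sets deduplicate, so a domain seen on the same IP every day counts once in total."""
    daily = defaultdict(lambda: defaultdict(set))
    total = defaultdict(set)
    for rec in records:
        day, key, val = rec[0], rec[key_idx], rec[val_idx]
        daily[key][day].add(val)
        total[key].add(val)
    return daily, total


def ip_is_shared_host(ip, ip_daily, ip_total):
    """Second-class IP rule: many domains on every observed day, many distinct domains overall."""
    return (all(len(doms) >= FIRST_THRESHOLD for doms in ip_daily[ip].values())
            and len(ip_total[ip]) >= SECOND_THRESHOLD)


def domain_is_stable(domain, dom_daily, dom_total):
    """Second-class domain rule: few distinct IPs overall and few IPs on any single day."""
    return (len(dom_total[domain]) < THIRD_THRESHOLD
            and all(len(ips) < FOURTH_THRESHOLD for ips in dom_daily[domain].values()))


def classify_a_records(records):
    """Return (security_ips, security_domains). A domain is marked only when it is
    stable *and* sits on an IP that passed the shared-host rule, as in the combined
    condition of the text; marking the IP as well follows the text's S104 statement."""
    ip_daily, ip_total = group(records, key_idx=2, val_idx=1)
    dom_daily, dom_total = group(records, key_idx=1, val_idx=2)
    security_ips = {ip for ip in ip_total if ip_is_shared_host(ip, ip_daily, ip_total)}
    security_domains = {dom for ip in security_ips for dom in ip_total[ip]
                        if domain_is_stable(dom, dom_daily, dom_total)}
    return security_ips, security_domains


if __name__ == "__main__":
    ips, domains = classify_a_records(A_RECORDS)
    print("security IPs:", sorted(ips))
    print("security domains:", sorted(domains))
```

Note that g.example is rejected although it sits on the shared host: the per-domain stability rule is what keeps a name that hops between many IPs (the pattern one would expect from fast-flux rather than from an IDC tenant) from being whitelisted on the strength of the IP alone.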
By analyzing the data relationships among the data records in the pDNS database, the embodiment of the present invention can accurately identify the security of domain names and IPs, with better identification accuracy and more comprehensive data coverage.
It can be seen from the above technical solution that resolution data in the pDNS database within a preset time period are read; the resolution data comprise several types of data records, and the security identification method differs by record type. A first-class data group and a second-class data group are screened out of the resolution data according to preset data types. Each data record in the first-class data group is subjected to security verification according to a pre-established security database and a verification rule; the security database contains common security information, the verification rule describes how to detect data records that satisfy the security requirement, and first-class data records that pass the verification can be marked as security information. The resolution counts of all data records in the second-class data group are counted, and second-class data records whose resolution counts satisfy the preset resolution requirement are marked as security information. In this way, batch security verification can be performed on the data records generated in the pDNS database, and the efficiency of data security identification is improved.
Fig. 2 is a flowchart of a method for identifying a domain name and an IP according to an embodiment of the present invention, where the method includes:
s201: and judging whether the resolution records of the first domain name in the resolution data are the first type data.
As can be seen from the description of S103, when there is a data record that does not match the address information in the secure database, further security analysis may be performed on the data record that does not match the address information according to the parsing requirement.
There are often a plurality of unmatched data records, and in the embodiment of the present invention, any one of all unmatched data records, that is, the target data record, may be taken as an example for description. The target data record includes a first domain name, a second domain name, and an IP according to a format of the data record. The specific form of the first domain name is different in different data records; similarly, the specific form of the second domain name is different in different data records; the specific form of IP varies from data record to record.
Taking the first domain name in the target data record as an example, the resolution record of the first domain name may be obtained from all resolution data within a preset time period.
When there is a data record of the first domain name to which the second domain name is not mapped, it indicates that the resolution records of the first domain name are not all the first type of data, and then S202 may be executed.
The data record corresponding to the first domain name has multiple data records, and when each data record of the first domain name has a second domain name mapped by the data record, it indicates that the resolution records of the first domain name are the first class data, and the first domain name meets the security requirement, and at this time, the security of the IP corresponding to the first domain name and the security of the second domain name can be judged, that is, S203 is executed.
S202: and judging that the second domain name corresponding to the first domain name and the IP are non-safety information.
S203: and judging whether the number of the resolution domain names corresponding to the target IP in the first domain name is larger than or equal to a first threshold value.
In practical applications, there are often multiple data records containing the first domain name. The IP contained in each data record may be different.
In the embodiment of the present invention, an example of any one of all IPs corresponding to the first domain name, that is, a target IP, is described.
For data records belonging to the first type of data, each data record includes a first domain name, a second domain name, and an IP. The resolved domain name corresponding to the target IP refers to each second domain name included in all data records including the target IP.
When the number of resolved domain names corresponding to the target IP is greater than or equal to the first threshold, it indicates that the target IP is accessed by multiple different domain names, and the access rule conforms to the network behavior of the CDN, and at this time, S204 may be executed.
When the number of resolved domain names corresponding to the target IP is smaller than the first threshold, it indicates that the target IP is at risk of being visited by the same domain name for multiple times, and at this time, S205 may be executed.
S204: determine that the resolved domain names and the target IP are security information.
S205: determine that the resolved domain names and the target IP are non-security information.
By analyzing the network behavior reflected by the data records, based on the resolution records of the domain name and the number of resolved domain names corresponding to the IP, whether the data records conform to the network behavior of a CDN can be identified accurately, and therefore whether the domain name and the IP in a data record belong to security information can be identified effectively.
Since the data records included in the first type data group may include, besides the data records associated with the CDN, data records that have no association with the CDN, in order to improve the accuracy of the security analysis, in the embodiment of the present invention each data record in the first type data group may be filtered according to a preset filtering rule.
Sibling domain names do not belong to the data records generated by CDN network behavior. In a particular implementation, the sibling domain names in the first type data group may be filtered out.
Sibling domain names are domain names that share the same second-level domain; accordingly, the filtering rule may be to filter out the data records whose domain names share the same second-level domain. For example, domain name A is www.baidu.com and domain name B is mail. Since the second-level domains of domain name A and domain name B are both baidu, domain name A and domain name B are sibling domain names, and the data records corresponding to domain name A and domain name B can be filtered out.
Filtering the data records in the first type data group reduces the amount of data to analyze and avoids the interference of irrelevant information, so that the efficiency of the data security analysis is improved along with its accuracy.
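The CNAME-group check of S201 to S205 together with the sibling filter described above, as an added Python example that is not part of the patent. Each record is (first domain name, second domain name or None for a plain A answer, final IP); the sample records, the security database and the threshold of 3 are constructed, and a sibling record is taken to mean one whose first and second domain names share the same second-level label.

```python
from collections import defaultdict

# Constructed pDNS window. Each record is (first domain name, second domain
# name it was CNAME-mapped to, or None for a plain A answer, final IP).
RESOLUTION_DATA = [
    ("www.shop-a.test",  "a1.cdn-edge.test",    "203.0.113.10"),
    ("www.shop-b.test",  "b7.cdn-edge.test",    "203.0.113.10"),
    ("static.news.test", "n2.cdn-edge.test",    "203.0.113.10"),
    ("www.lonely.test",  "x9.other-edge.test",  "203.0.113.77"),
    ("www.mixed.test",   "m1.cdn-edge.test",    "203.0.113.10"),
    ("www.mixed.test",   None,                  "198.51.100.5"),  # plain A record
    ("www.corp.test",    "web.corp.test",       "198.51.100.9"),  # sibling alias
    ("www.known.test",   "k1.trusted-cdn.test", "192.0.2.1"),
]
# Constructed pre-established security database (known-good address information).
SECURITY_DB = {"www.known.test", "k1.trusted-cdn.test", "192.0.2.1"}
FIRST_THRESHOLD = 3  # constructed; the patent does not fix the value


def second_level(name):
    """Second-level label: 'baidu' for www.baidu.com (no public-suffix handling)."""
    labels = name.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def split_groups(records):
    """First-type group = CNAME records, second-type group = A records."""
    cname_group = [r for r in records if r[1] is not None]
    a_group = [r for r in records if r[1] is None]
    return cname_group, a_group


def filter_siblings(cname_group):
    """Preset filtering rule: drop records whose two names share a second-level domain."""
    return [r for r in cname_group if second_level(r[0]) != second_level(r[1])]


def classify_cname_group(records, security_db=SECURITY_DB, threshold=FIRST_THRESHOLD):
    """Return {(second domain name, IP): (verdict, step)} for the CNAME group."""
    cname_group = filter_siblings(split_groups(records)[0])

    # All resolution records of each first domain name, CNAME and A alike (S201).
    by_first = defaultdict(list)
    for rec in records:
        by_first[rec[0]].append(rec)

    # Distinct resolved (second) domain names seen per IP within the CNAME group (S203).
    names_by_ip = defaultdict(set)
    for _, second, ip in cname_group:
        names_by_ip[ip].add(second)

    verdicts = {}
    for first, second, ip in cname_group:
        key = (second, ip)
        if {first, second, ip} & security_db:
            verdicts[key] = ("secure", "matched")      # hit in the security database
        elif any(rec[1] is None for rec in by_first[first]):
            verdicts[key] = ("non-secure", "S202")     # not all records are CNAMEs
        elif len(names_by_ip[ip]) >= threshold:
            verdicts[key] = ("secure", "S204")         # many names on one IP: CDN-like
        else:
            verdicts[key] = ("non-secure", "S205")     # too few names on the IP
    return verdicts


if __name__ == "__main__":
    for (second, ip), (verdict, step) in sorted(classify_cname_group(RESOLUTION_DATA).items()):
        print(f"{second:22s} {ip:14s} {verdict:11s} ({step})")
```

The www.mixed.test record is rejected at S202 even though its IP is shared by three other CDN names, which is the point of checking all resolution records of the first domain name before counting fan-in.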
Fig. 3 is a schematic structural diagram of an apparatus for identifying security information according to an embodiment of the present invention, including a reading unit 21, a screening unit 22, a verification unit 23 and a statistics unit 24;
the reading unit 21 is configured to read resolution data in a pDNS library within a preset time period;
the screening unit 22 is configured to screen out a first type data group and a second type data group from the resolution data according to a preset data type;
the verification unit 23 is configured to perform security verification on each data record in the first type data group according to a pre-established security database and a verification rule, and to mark the first type data records passing the security verification as security information;
the statistics unit 24 is configured to count the resolution times of all data records in the second type data group, and to mark the second type data records whose resolution times meet a preset resolution requirement as security information.
Optionally, the verification unit includes a judging subunit, a first marking subunit and a second marking subunit;
the judging subunit is configured to judge whether each data record in the first type data group matches address information in the pre-established security database;
the first marking subunit is configured to mark the domain name and the IP in a matched data record as security information when a data record matching the address information in the security database exists;
the second marking subunit is configured, when data records not matching the address information in the security database exist, to mark the domain names and IPs in the unmatched data records that meet the resolution requirement as security information, and to mark the domain names and IPs in the unmatched data records that do not meet the resolution requirement as non-security information.
Optionally, a filtering unit is further included;
the filtering unit is configured to filter each data record in the first type data group according to a preset filtering rule before it is judged whether each data record in the first type data group matches the address information in the pre-established security database.
Optionally, the second marking subunit is specifically configured to judge whether the resolution records of the first domain name in the resolution data are all first-type data; the target data record is any one of all unmatched data records and comprises a first domain name, a second domain name and an IP;
if not, to determine that the second domain name and the IP corresponding to the first domain name are non-security information;
if so, to judge whether the number of resolved domain names corresponding to the target IP of the first domain name is greater than or equal to a first threshold; the target IP is any one of all IPs corresponding to the first domain name in all unmatched data records;
when the number of resolved domain names is greater than or equal to the first threshold, to determine that the resolved domain names and the target IP are security information;
and when the number of resolved domain names is smaller than the first threshold, to determine that the resolved domain names and the target IP are non-security information.
Optionally, the statistics unit is specifically configured to count, for all data records in the second type data group, the resolution times of the second-class domain name and the resolution times of the corresponding second-class IP, and to mark the second-class IP as security information when the resolution times of the second-class domain name meet a preset domain name resolution requirement and the resolution times of the second-class IP meet a preset IP resolution requirement.
Optionally, the first type data group is a group of CNAME data records and the second type data group is a group of A data records.
For the features of the embodiment corresponding to Fig. 3, reference may be made to the description of the embodiments corresponding to Fig. 1 and Fig. 2, which is not repeated here.
According to the technical solution, the resolution data in the pDNS library within the preset time period is read; the resolution data comprises data records of several types, and data records of different types are identified for security in different ways. A first type data group and a second type data group are screened from the resolution data according to a preset data type. Security verification is performed on each data record in the first type data group according to a pre-established security database and a verification rule; the security database contains common security information, the verification rule contains a detection mode for data records that meet the security requirement, and the first type data records passing the security verification are marked as security information. The resolution times of all data records in the second type data group are counted, and the second type data records whose resolution times meet the preset resolution requirement are marked as security information. In this way, security verification can be carried out in batches on the data records generated in the pDNS library, and the efficiency of data security identification is improved.
Fig. 4 is a schematic structural diagram of a system 40 for identifying security information according to an embodiment of the present invention, including:
a memory 41 for storing a computer program;
a processor 42 for executing the computer program to carry out the steps of any of the methods of identifying security information described above.
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the method for identifying security information according to any of the above embodiments are implemented.
The method, apparatus, system and computer-readable storage medium for identifying security information according to the embodiments of the present invention are described in detail above. The embodiments in this specification are described progressively; each embodiment emphasizes its differences from the others, and the same or similar parts among the embodiments may be referred to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points may be found in the description of the method. It should be noted that those skilled in the art may make various improvements and modifications to the present invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present invention.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Claims (6)

1. A method of identifying security information, comprising:
reading resolution data in a pDNS library within a preset time period;
screening a first type data group and a second type data group from the resolution data according to a preset data type, the first type data group being a group of CNAME data records and the second type data group being a group of A data records;
judging whether each data record in the first type data group matches address information in a pre-established security database;
when a data record matching the address information in the security database exists, marking the domain name and the IP in the matched data record as security information;
when data records not matching the address information in the security database exist, judging whether the resolution records of the first domain name in a target data record all have a second domain name mapped from the first domain name, the target data record being any one of all unmatched data records and comprising a first domain name, a second domain name and an IP;
when a resolution record of the first domain name without a mapped second domain name exists, determining that the second domain name and the IP corresponding to the first domain name are non-security information;
when the resolution records of the first domain name all have a second domain name mapped from the first domain name, judging whether the number of resolved domain names corresponding to a target IP of the first domain name is greater than or equal to a first threshold, the target IP being any one of all IPs corresponding to the first domain name in all unmatched data records, and the resolved domain names corresponding to the target IP being the second domain names contained in all data records containing the target IP;
when the number of resolved domain names is greater than or equal to the first threshold, determining that the resolved domain names and the target IP are security information;
when the number of resolved domain names is smaller than the first threshold, determining that the resolved domain names and the target IP are non-security information;
counting the resolution times of all data records in the second type data group, and marking the second type data records whose resolution times meet a preset resolution requirement as security information.
2. The method of claim 1, further comprising, before judging whether each data record in the first type data group matches the address information in the pre-established security database:
filtering each data record in the first type data group according to a preset filtering rule.
3. The method of claim 1, wherein counting the resolution times of all data records in the second type data group and marking the second type data records whose resolution times meet the preset resolution requirement as security information comprises:
counting, for all data records in the second type data group, the resolution times of the second-class domain name and the resolution times of the corresponding second-class IP;
and when the resolution times of the second-class domain name meet a preset domain name resolution requirement and the resolution times of the second-class IP meet a preset IP resolution requirement, marking the second-class IP as security information.
4. An apparatus for identifying security information, comprising a reading unit, a screening unit, a verification unit and a statistics unit;
the reading unit is configured to read resolution data in a pDNS library within a preset time period;
the screening unit is configured to screen a first type data group and a second type data group from the resolution data according to a preset data type, the first type data group being a group of CNAME data records and the second type data group being a group of A data records;
the verification unit is configured to perform security verification on each data record in the first type data group according to a pre-established security database and a verification rule, and to mark the first type data records passing the security verification as security information;
the statistics unit is configured to count the resolution times of all data records in the second type data group, and to mark the second type data records whose resolution times meet a preset resolution requirement as security information;
the verification unit comprises a judging subunit, a first marking subunit and a second marking subunit;
the judging subunit is configured to judge whether each data record in the first type data group matches address information in the pre-established security database;
the first marking subunit is configured to mark the domain name and the IP in a matched data record as security information when a data record matching the address information in the security database exists;
the second marking subunit is configured, when data records not matching the address information in the security database exist, to mark the domain names and IPs in the unmatched data records that meet the resolution requirement as security information, and to mark the domain names and IPs in the unmatched data records that do not meet the resolution requirement as non-security information;
the second marking subunit is specifically configured to judge whether the resolution records of the first domain name in a target data record all have a second domain name mapped from the first domain name, the target data record being any one of all unmatched data records and comprising a first domain name, a second domain name and an IP;
when a resolution record of the first domain name without a mapped second domain name exists, to determine that the second domain name and the IP corresponding to the first domain name are non-security information;
when the resolution records of the first domain name all have a second domain name mapped from the first domain name, to judge whether the number of resolved domain names corresponding to a target IP of the first domain name is greater than or equal to a first threshold, the target IP being any one of all IPs corresponding to the first domain name in all unmatched data records, and the resolved domain names corresponding to the target IP being the second domain names contained in all data records containing the target IP;
when the number of resolved domain names is greater than or equal to the first threshold, to determine that the resolved domain names and the target IP are security information;
and when the number of resolved domain names is smaller than the first threshold, to determine that the resolved domain names and the target IP are both non-security information.
5. A system for identifying security information, comprising:
a memory for storing a computer program;
a processor for executing the computer program for carrying out the steps of the method of identifying security information according to any one of claims 1 to 3.
6. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the method of identifying security information according to any one of claims 1 to 3.
CN202010136555.4A 2020-03-02 2020-03-02 Method, device, system and medium for identifying safety information Active CN113347139B (en)
Publications (2)

Publication Number Publication Date
CN113347139A CN113347139A (en) 2021-09-03
CN113347139B true CN113347139B (en) 2022-11-22