CN113572719A - Domain name detection method, device, equipment and readable storage medium - Google Patents


Info

Publication number: CN113572719A
Authority: CN (China)
Prior art keywords: domain name, malicious, directed, domain, directed edge
Legal status: Granted
Application number: CN202010355503.6A
Other languages: Chinese (zh)
Other versions: CN113572719B (en)
Inventors: 陈扬, 雷昕, 闫凡
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010355503.6A
Publication of CN113572719A
Application granted
Publication of CN113572719B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The invention discloses a domain name detection method, a domain name detection device, domain name detection equipment and a readable storage medium. In the method, a directed graph is constructed from domain name access sequences, and the behaviour of the sequences, the relations between sequences and the relations between hosts are mined to detect malicious domain name activity. Specifically, a directed domain name connection graph is constructed from the domain name access sequences of a plurality of hosts; at least one connected branch is then derived from the directed domain name connection graph, and malicious domain name detection is carried out on each connected branch. This overcomes the problem that domain name sequences cannot be linked together when attackers use randomly generated domain names as an evasion technique, reduces false positives and false negatives, and improves detection accuracy.

Description

Domain name detection method, device, equipment and readable storage medium
Technical Field
The present invention relates to the field of information technologies, and in particular, to a domain name detection method, apparatus, device, and readable storage medium.
Background
Malicious domain names are a popular network attack method: they commonly imitate legitimate websites, help viruses and trojans spread faster, steal sensitive user information, fetch attacker instructions, and so on, seriously affecting users' normal use of the network.
Among the various methods for detecting malicious domain names, domain name co-occurrence is a relatively common and effective detection feature. Most co-occurrence detection methods mine malicious domain name sequences from the relation between known malicious domain names and the domain names accessed immediately before and after them, and define every domain name in such a malicious sequence as malicious. However, in practical application the malicious domain name detection methods of the related art have been found to have a low accuracy rate.
In summary, how to effectively improve the accuracy rate of malicious domain name detection is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The invention aims to provide a domain name detection method, a domain name detection device, domain name detection equipment and a readable storage medium that improve the accuracy of malicious domain name detection, that is, reduce its false positives and false negatives.
In order to solve the technical problems, the invention provides the following technical scheme:
a method of domain name detection, the method comprising:
obtaining a plurality of domain name access sequences of at least one host, wherein the plurality of domain name access sequences comprise at least two domain names;
constructing a directed domain name connection graph according to the domain name access sequences, wherein the directed domain name connection graph comprises at least two nodes and at least two directed edges, one node in the at least two nodes corresponds to one domain name in the at least two domain names, each directed edge connects two nodes in the at least two nodes, and the direction of each directed edge represents the order in which a host in the at least one host accessed the two nodes;
determining at least one connected branch according to the directed domain name connection graph, wherein each connected branch is a subgraph of the directed domain name connection graph;
detecting a malicious domain name in the at least one connected branch.
In the method, a directed graph is constructed from domain name access sequences, and the behaviour of the sequences, the relations between sequences and the relations between hosts are mined to detect malicious domain name activity. Specifically, a directed domain name connection graph is constructed from the domain name access sequences of a plurality of hosts; at least one connected branch is then derived from the directed domain name connection graph, and malicious domain name detection is carried out on each connected branch. This overcomes the problem that domain name sequences cannot be linked together when attackers use randomly generated domain names as an evasion technique, reduces false positives and false negatives, and improves detection accuracy.
Preferably, determining at least one connected branch according to the directed domain name connection graph includes:
determining attribute values of the at least two directed edges;
screening a target directed edge according to the attribute values of the at least two directed edges;
and disconnecting the target directed edge in the directed domain name connection graph to obtain the at least one connected branch.
In this preferred mode, the directed domain name connection graph is screened by attribute values; different attribute values and corresponding screening conditions can be set, so that target directed edges meeting the expectation are screened out and connected branches meeting the expectation are obtained.
Preferably, the attribute value of each directed edge includes one or more of the following three values: the number of hosts, the host similarity and the total number of accesses; the number of hosts of each directed edge is the number of hosts, among the at least one host, whose domain name access sequences contain the directed edge; the host similarity of each directed edge is the ratio of the number of hosts accessing both domain names connected by the directed edge to the number of hosts accessing one or both of those domain names, among the at least one host; the total number of accesses of each directed edge is the number of times the directed edge appears in the domain name access sequences;
screening the target directed edge according to the attribute values of the at least two directed edges, comprising:
and determining the directed edge of which the attribute value is smaller than the threshold value in the at least two directed edges as the target directed edge.
In this preferred mode, malicious attacks impose a certain regularity on the access sequences: for example, a large number of hosts access the domain name access sequence containing the malicious domain name at the same time, or similar hosts all access it, and the total number of accesses of such a sequence is higher. On this basis, specific attribute values (the number of hosts, the host similarity and the total number of accesses) are selected and set, so that connected branches corresponding to malicious attacks can be obtained.
Preferably, detecting a malicious domain name in the at least one connected branch comprises:
detecting whether the domain name in the at least one connected branch is a known domain name in a black domain name library;
obtaining a branch detection result for each of the at least one connected branch according to the results of the domain name detection in the at least one connected branch;
and determining a malicious subgraph from the at least one connected branch by using the at least one branch detection result, and determining a domain name in the malicious subgraph as the malicious domain name.
In this preferred mode, the generated connected branches are screened to obtain the malicious subgraph, and the domain names in the malicious subgraph are determined as malicious domain names, so that malicious domain names can be mined effectively. In addition, once the malicious subgraph is detected, all domain names in it are regarded as malicious, so a large number of malicious domain names can be detected at once and the domain name detection time is shortened; the malicious subgraph also provides clues for further identifying associated domain names.
Preferably, determining a malicious subgraph from the at least one connected branch by using the at least one branch detection result includes: determining a connected branch whose branch detection result matches a malicious condition as a malicious subgraph; the malicious condition comprises at least one of: the ratio of suspected malicious domain names is greater than a ratio threshold, the number of suspected malicious domain names is greater than a malicious threshold, and the number of suspected non-malicious domain names is less than a safety threshold, wherein the suspected malicious domain names are known domain names in the black domain name library and the suspected non-malicious domain names are domain names not known in the black domain name library.
In this preferred mode, a specific way of determining the malicious subgraph is provided, so that a malicious subgraph containing malicious domain names can be detected effectively.
Preferably, the black domain name library is an advanced persistent threat (APT) attack domain name library, and the malicious subgraph corresponds to an APT attack activity.
In this preferred mode, domain name detection is performed against the APT attack domain name library, so that APT attack activity can be detected.
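As an added example, not the patent's own code, the four claimed steps above (obtain per-host access sequences, build the directed domain name connection graph, cut target edges to get connected branches, match each branch against the black library) implemented in Python. The sample sequences, the blacklist contents and every threshold value are constructed assumptions, chosen so that one cluster member absent from the blacklist is surfaced by its branch.

```python
from collections import defaultdict

# Constructed sample input (not from the patent): one time-ordered domain
# access sequence per host. h1-h4 repeatedly walk a cluster of made-up names
# standing in for DGA-style domains; h5-h6 browse ordinary made-up sites.
SEQUENCES = {
    "h1": ["login.example", "cdn.example", "x7f3a.test", "q9z2k.test", "p1m4.test"],
    "h2": ["x7f3a.test", "q9z2k.test", "p1m4.test", "x7f3a.test"],
    "h3": ["news.example", "x7f3a.test", "q9z2k.test", "p1m4.test"],
    "h4": ["q9z2k.test", "p1m4.test", "x7f3a.test", "q9z2k.test"],
    "h5": ["login.example", "cdn.example", "news.example", "login.example"],
    "h6": ["news.example", "login.example", "cdn.example"],
}
# Constructed "black domain name library": two cluster members are already
# known; the third (q9z2k.test) is what the connected branch should surface.
BLACKLIST = {"x7f3a.test", "p1m4.test"}
# Constructed thresholds. Per the claims, an edge whose attribute value is
# smaller than the threshold is a "target directed edge" and gets cut.
EDGE_THRESHOLDS = {"host_count": 2, "host_similarity": 0.3, "total_accesses": 2}


def build_graph(sequences):
    """Step 2: each adjacent pair a -> b in a host's sequence is a directed edge.
    Returns (edges, hosts_of): edges maps (a, b) -> {"hosts": set, "count": n},
    hosts_of maps a domain -> the set of hosts that accessed it at all."""
    edges = defaultdict(lambda: {"hosts": set(), "count": 0})
    hosts_of = defaultdict(set)
    for host, seq in sequences.items():
        for domain in seq:
            hosts_of[domain].add(host)
        for a, b in zip(seq, seq[1:]):
            if a == b:  # repeating the same name is not a transition
                continue
            edges[(a, b)]["hosts"].add(host)
            edges[(a, b)]["count"] += 1
    return edges, hosts_of


def edge_attributes(edge, data, hosts_of):
    """The three per-edge attribute values named in the claims."""
    a, b = edge
    both = hosts_of[a] & hosts_of[b]    # hosts that accessed both domains
    either = hosts_of[a] | hosts_of[b]  # hosts that accessed one or both
    return {
        "host_count": len(data["hosts"]),            # hosts whose sequence contains a -> b
        "host_similarity": len(both) / len(either),  # overlap of the two host sets
        "total_accesses": data["count"],             # occurrences of a -> b over all hosts
    }


def connected_branches(edges, hosts_of, thresholds):
    """Step 3: cut target edges, then return the weakly connected components of
    what remains (each a frozenset of domains). A domain whose every edge was
    cut becomes a singleton branch instead of vanishing from the result."""
    kept = [
        e for e, data in edges.items()
        if all(v >= thresholds[k] for k, v in edge_attributes(e, data, hosts_of).items())
    ]
    parent = {d: d for d in hosts_of}  # union-find over all domains

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in kept:  # edge direction is irrelevant to connectivity
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in hosts_of:
        groups[find(d)].add(d)
    return [frozenset(g) for g in groups.values()]


def malicious_subgraphs(branches, blacklist, ratio_threshold=0.5,
                        malicious_threshold=3, safety_threshold=1):
    """Step 4: a branch is a malicious subgraph if it meets at least one of the
    claimed conditions; every domain in such a branch is reported as malicious."""
    found = []
    for branch in branches:
        suspected = branch & blacklist  # known domains in the black library
        clean = branch - blacklist      # domains not known in the black library
        if (len(suspected) / len(branch) > ratio_threshold
                or len(suspected) > malicious_threshold
                or len(clean) < safety_threshold):
            found.append(branch)
    return found


def detect(sequences=SEQUENCES, blacklist=BLACKLIST, thresholds=EDGE_THRESHOLDS):
    """Whole pipeline; returns the set of domains judged malicious."""
    edges, hosts_of = build_graph(sequences)
    branches = connected_branches(edges, hosts_of, thresholds)
    return set().union(*malicious_subgraphs(branches, blacklist))


if __name__ == "__main__":
    print("malicious domains:", sorted(detect()))
```

On the constructed data the single-host edges cdn.example -> x7f3a.test and news.example -> x7f3a.test are cut, which separates the ordinary browsing branch from the cluster and lets q9z2k.test be reported alongside its two blacklisted neighbours.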
A domain name detecting apparatus comprising:
the domain name access sequence acquisition module is used for acquiring a plurality of domain name access sequences of at least one host, wherein the domain name access sequences comprise at least two domain names;
a domain name connection graph constructing module, configured to construct a directed domain name connection graph according to the domain name access sequences, where the directed domain name connection graph includes at least two nodes and at least two directed edges, one node in the at least two nodes corresponds to one domain name in the at least two domain names, each directed edge connects two nodes in the at least two nodes, and the direction of each directed edge indicates the order in which a host in the at least one host accessed the two nodes;
a connected branch determining module, configured to determine at least one connected branch according to the directed domain name connection graph, where each connected branch is a subgraph of the directed domain name connection graph;
and the malicious domain name detection module is used for detecting a malicious domain name in the at least one connected branch.
In the device, a directed graph is constructed from domain name access sequences, and the behaviour of the sequences, the relations between sequences and the relations between hosts are mined to detect malicious domain name activity. Specifically, a directed domain name connection graph is constructed from the domain name access sequences of a plurality of hosts; at least one connected branch is then derived from the directed domain name connection graph, and malicious domain name detection is carried out on each connected branch. This overcomes the problem that domain name sequences cannot be linked together when attackers use randomly generated domain names as an evasion technique, reduces false positives and false negatives, and improves detection accuracy.
Preferably, the connected branch determining module specifically includes:
an attribute value determination unit, configured to determine attribute values of the at least two directed edges;
the target directed edge screening unit is used for screening the target directed edges according to the attribute values of the at least two directed edges;
and the cutting unit is used for disconnecting the target directed edge in the directed domain name connection graph to obtain the at least one connected branch.
In this preferred mode, the directed domain name connection graph is screened by attribute values; different attribute values and corresponding screening conditions can be set, so that target directed edges meeting the expectation are screened out and connected branches meeting the expectation are obtained.
Preferably, the attribute value of each directed edge includes one or more of the following three values: the number of hosts, the host similarity and the total number of accesses; the number of hosts of each directed edge is the number of hosts, among the at least one host, whose domain name access sequences contain the directed edge; the host similarity of each directed edge is the ratio of the number of hosts accessing both domain names connected by the directed edge to the number of hosts accessing one or both of those domain names, among the at least one host; the total number of accesses of each directed edge is the number of times the directed edge appears in the domain name access sequences;
the target directed edge screening unit is specifically configured to determine, as the target directed edge, a directed edge of the at least two directed edges whose attribute values are smaller than a threshold.
In this preferred mode, malicious attacks impose a certain regularity on the access sequences: for example, a large number of hosts access the domain name access sequence containing the malicious domain name at the same time, or similar hosts all access it, and the total number of accesses of such a sequence is higher. On this basis, specific attribute values (the number of hosts, the host similarity and the total number of accesses) are selected and set, so that connected branches corresponding to malicious attacks can be obtained.
Preferably, the malicious domain name detection module specifically includes:
the black domain name comparison unit is used for detecting whether the domain name in the at least one connected branch is a known domain name in a black domain name library or not;
the branch detection result acquisition unit is used for obtaining a branch detection result for each of the at least one connected branch according to the results of the domain name detection in the at least one connected branch;
a malicious subgraph determining unit, configured to determine a malicious subgraph from the at least one connected branch by using the at least one branch detection result;
and the malicious domain name determining unit is used for determining the domain name in the malicious subgraph as the malicious domain name.
In this preferred mode, the generated connected branches are screened to obtain the malicious subgraph, and the domain names in the malicious subgraph are determined as malicious domain names, so that malicious domain names can be mined effectively. In addition, once the malicious subgraph is detected, all domain names in it are regarded as malicious, so a large number of malicious domain names can be detected at once and the domain name detection time is shortened; the malicious subgraph also provides clues for further identifying associated domain names.
Preferably, the malicious subgraph determining unit is specifically configured to determine a connected branch whose branch detection result matches a malicious condition as a malicious subgraph; the malicious condition comprises at least one of: the ratio of suspected malicious domain names is greater than a ratio threshold, the number of suspected malicious domain names is greater than a malicious threshold, and the number of suspected non-malicious domain names is less than a safety threshold, wherein the suspected malicious domain names are known domain names in the black domain name library and the suspected non-malicious domain names are domain names not known in the black domain name library.
In this preferred mode, a specific way of determining the malicious subgraph is provided, so that a malicious subgraph containing malicious domain names can be detected effectively.
Preferably, the black domain name library is an advanced persistent threat (APT) attack domain name library, and the malicious subgraph corresponds to an APT attack activity.
In this preferred mode, domain name detection is performed against the APT attack domain name library, so that APT attack activity can be detected.
A domain name detecting apparatus comprising:
a memory for storing a computer program;
a processor for implementing the steps of the above domain name detection method when executing the computer program.
Since the domain name detection device can implement the steps of the domain name detection method, the domain name detection device has the technical effect corresponding to the domain name detection method, and the description is omitted here.
A readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the domain name detection method as described above.
Since the steps of the domain name detection method can be implemented when the computer program in the readable storage medium is executed, the readable storage medium has the technical effect corresponding to the domain name detection method, and is not described in detail herein.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart illustrating an implementation of a domain name detection method according to an embodiment of the present invention;
FIG. 2 is a simplified directed domain name connection diagram according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a connected branch according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a domain name detection apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a domain name detection apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a domain name detection device in an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
One embodiment is as follows:
Referring to FIG. 1, FIG. 1 is a flowchart illustrating a domain name detection method according to an embodiment of the present invention, the method including the following steps:
S101, obtaining a plurality of domain name access sequences of at least one host, wherein the plurality of domain name access sequences comprise at least two domain names.
The domain name access sequence is a domain name sequence obtained by arranging domain names accessed by one host according to time sequence, and the domain name access sequence at least comprises two domain names.
S102, constructing a directed domain name connection graph according to the domain name access sequences.
The directed domain name connection graph comprises at least two nodes and at least two directed edges, one node in the at least two nodes corresponds to one domain name in the at least two domain names, each directed edge is connected with two nodes in the at least two nodes, and the direction of each directed edge represents the sequence of accessing the two corresponding nodes by a host in at least one host.
After obtaining a plurality of domain name access sequences of at least one host, the directed domain name connection graph can be constructed by directly utilizing each domain name access sequence.
The graph is constructed as follows: each domain name in a domain name access sequence corresponds to a node; every two nodes corresponding to consecutive domain names in the sequence are joined by a connection line, called an edge; the order of the two domain names gives the edge its direction, which can be drawn as an arrow. For example, if a domain name access sequence contains the domain names A, B, C in that order, the three domain names correspond to three nodes a, b and c; node a is connected to node b by an edge and node b to node c by an edge; the edge between a and b points from a to b, and the edge between b and c points from b to c.
Mapping the domain names in the access sequences to nodes, connecting each pair of consecutive domain names with an edge, and marking the direction of each edge according to access time solves the problem that domain names cannot be linked together when domain name sequences are generated randomly by a DGA (domain generation algorithm) and each host accesses a random number of domain names, an adversarial situation that otherwise causes malicious sequences to be missed.
Referring to FIG. 2, a directed domain name connection graph constructed in the above manner is described in detail.
Each of the nodes numbered 1-17 corresponds to a domain name in the directed domain name connection graph; for example, node 1 may correspond to domain name F and node 2 to domain name G. The numbers are labels for convenience of description only and need not be present in practice.
For any two nodes in the directed domain name connection graph there may be no edge (the two corresponding domain names are never adjacent in any of the obtained domain name access sequences), one edge (the two domain names are adjacent in only one access direction in the obtained sequences), or two edges (the two domain names are adjacent in both access directions in the obtained sequences). For example, there is no edge between node 15 and node 16 (the domain names corresponding to nodes 15 and 16 are never adjacent in the obtained domain name access sequences); there is one edge between node 15 and node 17, pointing from node 15 to node 17 (in the obtained sequences the domain name of node 15 is only ever accessed immediately before the domain name of node 17); and there are two edges between node 1 and node 2, one pointing from node 1 to node 2 and the other from node 2 to node 1 (in the obtained sequences both orders occur: the domain name of node 1 accessed immediately before that of node 2, and the domain name of node 2 accessed immediately before that of node 1).
It should be noted that, for ease of understanding, FIG. 2 shows only 17 nodes, the edges between them and the directions of those edges. In practical applications a directed domain name connection graph can be drawn for a very large number of domain name access sequences, so the number of nodes is far larger and the edge structure far more complex.
S103, determining at least one connected branch according to the directed domain name connection graph, wherein each connected branch is a subgraph of the directed domain name connection graph.
As can be seen from FIG. 2, the topology of the constructed directed domain name connection graph alone already shows sparsely connected nodes (nodes not closely associated with other nodes, for example connected to only one or two other nodes) and relatively clustered nodes (nodes closely associated with one another but not with other nodes). In this embodiment, the part of the directed domain name connection graph spanned by relatively clustered nodes is called a connected branch.
Generally speaking, domain names that are closely associated tend to share the same security attribute: a domain name closely associated with a malicious domain name is itself likely to be malicious, and a domain name closely associated with a safe domain name is most likely safe.
Therefore, in this embodiment, once the directed domain name connection graph has been constructed it can be segmented so that the domain names of one pattern (for example, normal domain name access is one pattern and malicious domain name access is another) are grouped in one connected branch. A connected branch is regarded as one domain name activity, or one domain name access sequence.
That is, at least one connected branch can be determined from the directed domain name connection graph. Specifically, the graph can be segmented or screened to obtain at least one connected branch: segmentation means cutting edges, and screening means applying a set screening threshold to the number of edges of each node and the number of edges of its adjacent nodes; whatever remains of the directed domain name connection graph is taken as a connected branch.
For example, from the directed domain name connection graph shown in FIG. 2, the connected branches shown in FIG. 3 can be determined.
Preferably, in order to ensure that the domain names corresponding to the nodes inside a determined connected branch are closely associated, that is, belong to the same pattern, edges in the directed domain name connection graph are disconnected based on their attributes to obtain at least one connected branch. Step S103 may specifically include:
step one, determining attribute values of at least two directed edges;
step two, screening target directed edges according to the attribute values of at least two directed edges;
and step three, breaking the target directed edge in the directed domain name connection graph to obtain at least one connected branch.
For convenience of description, the above three steps will be described in combination.
In order to divide the directed domain name connection graph according to the pattern, in this embodiment, the target directed edge in the directed domain name connection graph may be filtered and disconnected to obtain at least one connected branch, and each connected branch may be regarded as a directed domain name connection subgraph.
The target directed edge can specifically be an edge whose two connected domain names have a loose association, which can be regarded as a weak connection relationship edge: the correlation between the two domain names is low, and the connection relationship of such an edge is of little use for searching for and inferring unknown malicious domain names. The closeness of the association can be characterised by access conditions, such as the number of times the two domain names are accessed in succession in the direction of the edge, and the degree of overlap between the hosts that access them. For example, the two domain names corresponding to the two nodes connected by a target directed edge may be accessed in succession, in the direction of the edge, by only one host, even if many times, for example 10 times, while no other host accesses them in that order; or the two domain names may be accessed in succession in the direction of the edge by a number of different hosts but only rarely, for example 12 hosts each accessing them only once.
Here, the attribute value is a numerical value representing the degree of closeness between the two nodes connected by the edge. In this embodiment, each directed edge has a corresponding attribute, which may be a single attribute (one specific attribute category) or multiple attributes (several specific attribute categories). The attribute of a directed edge may specifically be a statistical relationship between the two connected domain names, such as the number of hosts that access the two domain names in succession, the similarity between the sets of hosts accessing the two connected domain names, and the like.
Because the attribute value of a directed edge represents the degree of closeness between the two nodes it connects, target directed edges can be screened out from the at least two directed edges by their attribute values. There may be one or more target directed edges. Specifically, after the attribute values of the at least two directed edges are sorted, a number of edges with the smallest attribute values can be determined directly as target directed edges; or a corresponding threshold can be set, and the directed edges whose attribute values are smaller than the corresponding threshold are determined as target directed edges.
Specifically, the attribute value of each directed edge includes one or more of the following three values: the number of hosts, the host similarity, and the total number of accesses. The number of hosts of a directed edge is the number of hosts, among the at least one host, in whose domain name access sequence the directed edge appears; the host similarity of a directed edge is the ratio of the number of hosts, among the at least one host, that access both domain names connected by the directed edge to the number of hosts that access one or both of those domain names; the total number of accesses of a directed edge is the number of times the directed edge appears in the plurality of domain name access sequences;
screening the target directed edge according to the attribute values of at least two directed edges, comprising:
and determining the directed edges of the at least two directed edges whose attribute values are smaller than the threshold as target directed edges.
That is, the attribute value may be the number of hosts, the host similarity, or the total number of accesses alone; the number of hosts together with the host similarity; the number of hosts together with the total number of accesses; the host similarity together with the total number of accesses; or all three of the number of hosts, the host similarity and the total number of accesses.
Taking the attribute value corresponding to the number of hosts, the host similarity and the total number of accesses as an example, the attribute value is explained in detail:
The attribute of a directed edge may specifically be a triple attribute (machine_count, machine_jaccard, sequence_frequency). Here machine_count is the number of hosts in whose domain name access sequence the edge appears, that is, how many hosts the sequence has occurred on; machine_jaccard is the host similarity of the directed edge, the ratio of the number of hosts, among the at least one host, that access both domain names connected by the directed edge to the number of hosts that access one or both of them, which represents the similarity between the hosts accessing the two corresponding domain names: the higher the similarity, the stronger the dependency between the domain names, and the more likely the corresponding domain name access sequence is a single domain name activity; sequence_frequency, the total number of accesses, represents the total number of times the two domain names are accessed in the direction indicated by the directed edge.
The specific value of the attribute value can be obtained by performing statistical analysis on a plurality of domain name access sequences.
There are many optional ways to obtain the connected branch based on the attribute corresponding to the attribute value, so in practical applications, reference may be made to the following specific embodiments including but not limited to:
mode 1: the attribute of the directed edge comprises the number of hosts and the similarity of the hosts; determining at least two directed edges with the attribute values smaller than a threshold value as target directed edges, including:
step one, finding out a type of directed edges of which the number of hosts and the similarity of the hosts are lower than corresponding thresholds, and determining the type of directed edges as target directed edges;
and step two, disconnecting the target directed edge to obtain at least one connected branch.
For convenience of description, the above two steps will be described in combination.
The directed domain name connection graph is cut using machine_count and machine_jaccard: directed edges below the specified thresholds are disconnected, generating the connected branches that meet the conditions. This mode is mainly aimed at strongly patterned domain name activity such as viruses. The thresholds are chosen as follows: traverse the various threshold combinations and select the combination under which the connected branches contain more known malicious domain names, similar to a grid search, for example machine_count > 5 and machine_jaccard > 0.8.
Mode 2: the attributes of the directed edge include: total number of visits; accordingly, a process for generating connected branches, comprising:
step one, finding out a type of directed edge with the total number of accesses smaller than a total number threshold, and determining the type of directed edge as a target directed edge;
and step two, disconnecting the target directed edge to obtain at least one connected branch.
For convenience of description, the above two steps will be described in combination.
In this embodiment, sequence_frequency may be used to cut the directed domain name connection graph: directed edges below the total-accesses threshold are disconnected, generating the connected branches that meet the condition. This mode is mainly aimed at polling-type domain name activity such as cryptomining. The threshold is chosen as follows: the possible thresholds can likewise be traversed, selecting the one under which the connected branches have a relatively high proportion of known malicious domain names, similar to a grid search.
Mode 3: the attributes of the directed edge include: the number of hosts; a process for generating a connected branch, comprising:
step one, searching a type of directed edges with the number of hosts lower than a threshold value of the number of hosts, and determining the type of directed edges as target directed edges;
and step two, disconnecting the target directed edge to obtain at least two connected branches.
For convenience of description, the above two steps will be described in combination.
In this mode, the directed domain name connection graph is cut using machine_jaccard: directed edges below the host number threshold are cut off, generating the connected branches that meet the conditions. This mode mainly mines the domain name sequence of a specific virus, such as the attack sequence of an APT (Advanced Persistent Threat, a targeted attack on an enterprise by a hacker organisation, with a high degree of threat). The host number threshold can be set as a machine_jaccard Jaccard similarity of 0.7 (that is, the Jaccard similarity between the hosts corresponding to the two domain names before and after in the sequence is greater than 0.7).
For example, the host Jaccard similarity between two domain names in a sequence is calculated as follows: given the domain name access sequence A -> B, where A is accessed by three hosts a, b and c, and B is accessed by three hosts b, c and d, the Jaccard similarity is the number of elements in the intersection of A's and B's host sets divided by the number of elements in their union, that is, 2/4 = 0.5.
And S104, detecting the malicious domain name in at least one connected branch.
Because the domain names within a connected branch are closely associated, the domain names in each connected branch can be detected by traversal or by spot check. When traversing or sampling, if all detected domain names are black domain names, the unknown domain names in the connected branch are directly judged to be black domain names; otherwise, the unknown domain names in the connected branch are judged to be white domain names.
In the domain name detection method provided by this embodiment, a directed graph is constructed from domain name sequences, and the behaviour of the domain name sequences, the relationships between sequences and the relationships between hosts are mined to detect malicious domain name activity. Specifically, a directed domain name connection graph is constructed from the domain name access sequences of a plurality of hosts; at least one connected branch is then derived from the directed domain name connection graph; and malicious domain name detection is carried out on each connected branch. In this way, the problem that domain name sequences cannot be linked because of random-domain-name evasion techniques can be overcome, missed detections are reduced, and detection accuracy can be improved.
It should be noted that, based on the above embodiments, the embodiments of the present invention also provide corresponding improvements. In the preferred/improved embodiment, the same steps as those in the above embodiment or corresponding steps may be referred to each other, and corresponding advantageous effects may also be referred to each other, which are not described in detail in the preferred/improved embodiment herein.
Preferably, after obtaining the plurality of connected branches, a process of detecting a malicious domain name in at least one connected branch may specifically include:
step one, detecting whether the domain name in at least one connected branch is a known domain name in a black domain name library;
step two, obtaining at least one branch detection result of at least one connected branch domain name according to the result of domain name detection in at least one connected branch;
and step three, determining a malicious subgraph from at least one connected branch by using at least one branch detection result, and determining the domain name in the malicious subgraph as a malicious domain name.
That is, after getting several connected branches, it can be detected whether the domain name in the connected branch is a known domain name in the black domain name library. And taking one connected branch as a statistical range, and performing statistics on the detection result matched with the black domain name library to obtain the detection result of each branch. And determining a malicious subgraph from the plurality of connected branches based on the branch detection result. And then, determining the domain name in the malicious subgraph as the malicious domain name.
The black domain name library may be a UTM (Unified Threat Management) black library.
Preferably, the black domain name library may also specifically be an APT domain name library, that is, the domain names in the connected branches are detected against an advanced persistent threat attack domain name library. If the black domain name library is an advanced persistent threat attack domain name library, a malicious subgraph corresponds to an advanced persistent threat attack activity. Each domain name in the connected branches is detected with the black domain name library, that is, it is determined whether each domain name is a known domain name in the black domain name library; if so, the corresponding domain name is a malicious domain name.
And if the detection result of the connected branch meets the preset judgment condition of the malicious subgraph, the connected branch can be determined to be the malicious subgraph.
The domain name detection results in each connected branch are counted in order to determine the likelihood that the domain names in the connected branch all belong to a malicious domain name activity. Determining the malicious subgraph then means comparing the detection result with the judgement condition for a malicious subgraph and finding the connected branches that meet it. The manner of judging whether a connected branch is a malicious subgraph may specifically be: determining the connected branch whose branch detection result matches the malicious condition as a malicious subgraph, where the malicious condition comprises at least one of: the ratio of suspected malicious domain names is greater than a ratio threshold; the number of suspected malicious domain names is greater than a malicious threshold; and the number of suspected non-malicious domain names is less than a safety threshold, where a suspected malicious domain name is a known domain name in the black domain name library and a suspected non-malicious domain name is not a known domain name in the black domain name library.
The suspected malicious domain name ratio corresponds to the proportion of detected black domain names among all domain names in the connected branch; the number of suspected malicious domain names is the number of black domain names detected in the connected branch; the number of suspected non-malicious domain names is the number of known white domain names in the connected branch. In practical application, any one, two or all three of the suspected malicious domain name ratio, the number of suspected malicious domain names and the number of suspected non-malicious domain names can be used to determine the malicious subgraph.
Wherein, each threshold value can be set or adjusted according to the actual detection requirement.
For example: if the black domain name library is a UTM black library, and the ratio of suspected malicious domain names in a certain connected branch is greater than or equal to the ratio threshold, the number of known black domain names in the connected branch is greater than a designated malicious threshold (to reduce the influence of false alarms in the UTM black library), and there is no known white domain name in the connected branch, the connected branch can be determined to be a malicious subgraph representing a malicious domain name activity (sequence). The virus family of the detected domain names can further be judged from the family information of the black domain names in the connected branch. Specifically, the virus family is determined from the family information of the black domain names: if the black domain names present in the malicious subgraph all belong to one family, the other domain names in the subgraph most likely belong to that family as well.
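As an added example (not the patent's own code), the following Python implements the edge attribute triple and the three cutting modes described above together with the malicious-subgraph judgement of this section; the host sequences, black library, family labels, white list and thresholds are all constructed sample values.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str]
Attrs = Tuple[int, float, int]  # (machine_count, machine_jaccard, sequence_frequency)

# Constructed sample input (not from the patent): one domain access sequence per host.
SEQUENCES: Dict[str, List[str]] = {
    "host-a": ["portal.example", "cdn.example", "c2-1.test", "c2-2.test", "c2-3.test"],
    "host-b": ["portal.example", "cdn.example", "c2-1.test", "c2-2.test", "c2-3.test"],
    "host-c": ["portal.example", "mail.example", "c2-1.test", "c2-2.test", "c2-3.test"],
    "host-d": ["news.example", "cdn.example", "mail.example"],
    "host-e": ["news.example", "cdn.example", "mail.example"],
}
# Constructed black library (domain -> virus family) and known-white list.
BLACK_FAMILY: Dict[str, str] = {"c2-1.test": "famA", "c2-3.test": "famA"}
WHITE: Set[str] = {"portal.example", "news.example"}


def host_jaccard(hosts_a: Set[str], hosts_b: Set[str]) -> float:
    """Host similarity of an edge: |hosts(A) & hosts(B)| / |hosts(A) | hosts(B)|."""
    union = hosts_a | hosts_b
    return len(hosts_a & hosts_b) / len(union) if union else 0.0


def edge_attributes(sequences: Dict[str, List[str]]) -> Dict[Edge, Attrs]:
    """Build the directed edges (consecutive domain pairs) with their triple attribute."""
    hosts_per_edge: Dict[Edge, Set[str]] = defaultdict(set)
    hosts_per_domain: Dict[str, Set[str]] = defaultdict(set)
    frequency: Dict[Edge, int] = defaultdict(int)
    for host, seq in sequences.items():
        for domain in seq:
            hosts_per_domain[domain].add(host)
        for edge in zip(seq, seq[1:]):
            hosts_per_edge[edge].add(host)  # machine_count: hosts whose sequence has the edge
            frequency[edge] += 1            # sequence_frequency: total occurrences of the edge
    return {
        (src, dst): (len(hosts), host_jaccard(hosts_per_domain[src], hosts_per_domain[dst]),
                     frequency[(src, dst)])
        for (src, dst), hosts in hosts_per_edge.items()
    }


def connected_branches(attrs: Dict[Edge, Attrs], min_count: Optional[int] = None,
                       min_jaccard: Optional[float] = None,
                       min_frequency: Optional[int] = None) -> List[Set[str]]:
    """Disconnect target directed edges, then return the weakly connected components."""
    # A target edge misses every threshold that is given (mode 1: min_count and
    # min_jaccard; mode 2: min_frequency; mode 3: min_count alone).
    thresholds = (min_count, min_jaccard, min_frequency)
    adjacency: Dict[str, Set[str]] = defaultdict(set)
    nodes: Set[str] = set()
    for (src, dst), values in attrs.items():
        nodes.update((src, dst))
        checks = [(v, t) for v, t in zip(values, thresholds) if t is not None]
        if checks and all(v < t for v, t in checks):
            continue  # weak association: leave this edge out of the cut graph
        adjacency[src].add(dst)
        adjacency[dst].add(src)
    branches: List[Set[str]] = []
    seen: Set[str] = set()
    for start in sorted(nodes):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in component:
                component.add(node)
                stack.extend(adjacency[node] - component)
        seen |= component
        branches.append(component)
    return branches


def branch_verdict(branch: Set[str], black_family: Dict[str, str], white: Set[str],
                   ratio_threshold: float = 0.5, malicious_threshold: int = 1,
                   safety_threshold: int = 1) -> Tuple[bool, Optional[str]]:
    """Match one branch detection result against the malicious-subgraph condition."""
    hits = [d for d in branch if d in black_family]
    known_white = [d for d in branch if d in white]
    ratio = len(hits) / len(branch)
    is_malicious = (ratio > ratio_threshold and len(hits) > malicious_threshold
                    and len(known_white) < safety_threshold)
    # Unknown domains inherit a family only when every black hit in the subgraph shares it.
    families = {black_family[d] for d in hits}
    family = families.pop() if is_malicious and len(families) == 1 else None
    return is_malicious, family


def detect_malicious_domains(sequences: Dict[str, List[str]], black_family: Dict[str, str],
                             white: Set[str], **thresholds) -> Dict[str, Optional[str]]:
    """Full pipeline: edge attributes -> cut -> branches -> malicious subgraphs -> domains."""
    found: Dict[str, Optional[str]] = {}
    for branch in connected_branches(edge_attributes(sequences), **thresholds):
        is_malicious, family = branch_verdict(branch, black_family, white)
        if is_malicious:
            found.update({d: family for d in branch})
    return found
```

With the sample data, mode 1 (min_count=3, min_jaccard=0.8) and mode 2 (min_frequency=3) both isolate the three c2 domains as one branch, and the unlabelled c2-2.test inherits family famA from the two black hits; without any threshold the whole graph stays one branch and nothing is flagged.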
In another embodiment:
corresponding to the above method embodiments, the embodiments of the present invention further provide a domain name detection apparatus, and the domain name detection apparatus described below and the domain name detection method described above may be referred to in correspondence.
Referring to fig. 4, the apparatus includes the following modules:
a domain name access sequence obtaining module 101, configured to obtain a plurality of domain name access sequences of at least one host, where the plurality of domain name access sequences include at least two domain names;
the domain name connection graph constructing module 102 is configured to construct a directed domain name connection graph according to a plurality of domain name access sequences, where the directed domain name connection graph includes at least two nodes and at least two directed edges, one node in the at least two nodes corresponds to one domain name in the at least two domain names, each directed edge connects two nodes in the at least two nodes, and the direction of each directed edge indicates the sequence in which a host in at least one host accesses the corresponding two nodes;
the connected branch determining module 103 is configured to determine at least one connected branch according to the directed domain name connected graph, where each connected branch is a subgraph of the directed domain name connected graph;
a malicious domain name detection module 104 configured to detect a malicious domain name in at least one connected branch.
In the device, a directed graph is constructed from domain name sequences, and the behaviour of the domain name sequences, the relationships between sequences and the relationships between hosts are mined to detect malicious domain name activity. Specifically, a directed domain name connection graph is constructed from the domain name access sequences of a plurality of hosts; at least one connected branch is then derived from the directed domain name connection graph; and malicious domain name detection is carried out on each connected branch. In this way, the problem that domain name sequences cannot be linked because of random-domain-name evasion techniques can be overcome, missed detections are reduced, and detection accuracy can be improved.
Preferably, the connected branch determining module specifically includes:
an attribute value determination unit, configured to determine attribute values of at least two directed edges;
the target directed edge screening unit is used for screening the target directed edges according to the attribute values of the at least two directed edges;
and the cutting unit is used for cutting the target directed edge in the directed domain name connection graph to obtain at least one connected branch.
In this preferred mode, the directed domain name connection graph is screened by attribute values; different attribute values and corresponding screening conditions can be set to screen out the target directed edges that meet expectations and so obtain the connected branches that meet expectations.
Preferably, the attribute value of each directed edge includes one or more of the following three values: the number of hosts, the similarity of the hosts and the total number of accesses; the number of hosts of each directed edge is the number of hosts of which the directed edge appears in the access domain name sequence in at least one host; the host similarity of each directed edge is the ratio of the number of hosts accessing two domain names connected by the directed edge in at least one host to the number of hosts accessing one or two domain names connected by the directed edge; the total access times of each directed edge are the times of the directed edge appearing in a plurality of domain name access sequences;
and the target directed edge screening unit is specifically used for determining directed edges of at least two directed edges, of which the attribute values are smaller than the threshold, as target directed edges.
In this preferred mode, use is made of the fact that malicious attacks exhibit a certain regularity in access sequences: for example, a large number of hosts access the same domain name access sequence containing the malicious domain name, or similar hosts all access the domain name access sequence containing the malicious domain name, or the total number of accesses of the domain name access sequence containing the malicious domain name is high. On this basis, specific attribute values, namely the number of hosts, the host similarity and the total number of accesses, are selected and set, and the connected branches that correspond to malicious attacks can be obtained.
Preferably, the malicious domain name detection module specifically includes:
the black domain name comparison unit is used for detecting whether the domain name in at least one connected branch is a known domain name in a black domain name library or not;
the branch detection result acquisition unit is used for acquiring at least one branch detection result of at least one connected branch domain name according to the result of domain name detection in at least one connected branch;
the malicious subgraph determining unit is used for determining a malicious subgraph from at least one connected branch by using at least one branch detection result;
and the malicious domain name determining unit is used for determining the domain name in the malicious subgraph as the malicious domain name.
In the preferred mode, the generated connected branches are screened to obtain the malicious subgraph. And determining the domain name in the malicious subgraph as a malicious domain name, so that the malicious domain name can be effectively mined. In addition, after the malicious subgraph is detected, all the domain names in the malicious subgraph are regarded as malicious domain names, so that a large number of malicious domain names can be detected, the domain name detection time can be shortened, and meanwhile, the malicious subgraph also provides clues for further identification and associated domain names.
Preferably, the malicious subgraph determining unit is specifically configured to determine a connected branch corresponding to a branch detection result matched with a malicious situation as a malicious subgraph; the malicious condition comprises at least one condition that the ratio of the suspected malicious domain names is greater than the ratio threshold, the number of the suspected malicious domain names is greater than the malicious threshold, and the number of the suspected non-malicious domain names is less than the safety threshold, wherein the suspected malicious domain names are known domain names in a black domain name library, and the suspected non-malicious domain names are not known domain names in the black domain name library.
In the preferred mode, how to determine the malicious subgraph is specifically provided, and the malicious subgraph containing the malicious domain name can be effectively detected.
Preferably, the black domain name library is an advanced persistent threat attack domain name library, and the malicious subgraph corresponds to an advanced persistent threat attack activity.
In this preferred mode, domain name detection is performed against the advanced persistent threat attack domain name library, so that advanced persistent threat attack activity can be detected.
In another embodiment:
corresponding to the above method embodiment, an embodiment of the present invention further provides a domain name detection device, and a domain name detection device described below and a domain name detection method described above may be referred to in a corresponding manner.
Referring to fig. 5, the domain name detecting apparatus includes:
a memory 332 for storing a computer program;
a processor 322, configured to implement the steps of the domain name detection method of the above-described method embodiments when executing the computer program.
Specifically, referring to fig. 6, which shows a specific structural diagram of the domain name detecting device provided in this embodiment, the domain name detecting device may vary considerably with configuration or performance, and may include one or more processors (CPUs) 322 (e.g., one or more processors) and a memory 332 (e.g., one or more mass storage devices), where the memory 332 stores a computer program 342 (at least one computer program being executed to implement the steps of the domain name detecting method of the method embodiment) or data 344. The memory 332 may be transient or persistent storage. The computer program stored in the memory may include one or more modules (not shown), each of which may include a sequence of instructions operating on the data processing apparatus. Further, the central processor 322 may be configured to communicate with the memory 332 to execute the series of instruction operations in the memory 332 on the domain name detecting device 301.
The domain name detection device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The steps in the domain name detection method described above may be implemented by the structure of the domain name detection device.
In another embodiment:
corresponding to the above method embodiment, an embodiment of the present invention further provides a readable storage medium, and a readable storage medium described below and a domain name detection method described above may be referred to in correspondence with each other.
A readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the domain name detection method of the above-mentioned method embodiments.
The readable storage medium may be a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or any other readable storage medium capable of storing program code.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

Claims (14)

1. A method of domain name detection, the method comprising:
obtaining a plurality of domain name access sequences of at least one host, wherein the plurality of domain name access sequences comprise at least two domain names;
constructing a directed domain name connection graph according to the domain name access sequences, wherein the directed domain name connection graph comprises at least two nodes and at least two directed edges, one node in the at least two nodes corresponds to one domain name in the at least two domain names, each directed edge is connected with two nodes in the at least two nodes, and the direction of each directed edge represents the sequence of accessing the two nodes by a host in the at least one host;
determining at least one connected branch according to the directed domain name connection graph, wherein each connected branch is a subgraph of the directed domain name connection graph;
detecting a malicious domain name in the at least one connected branch.
2. The method of domain name detection according to claim 1, wherein determining at least one connected branch from the directed domain name connection graph comprises:
determining attribute values of the at least two directed edges;
screening a target directed edge according to the attribute values of the at least two directed edges;
and disconnecting the target directed edge in the directed domain name connection graph to obtain the at least one connected branch.
3. The method of domain name detection according to claim 2, wherein the attribute value of each directed edge comprises one or more of the following three values: the number of hosts, the similarity of the hosts and the total number of accesses; the number of hosts of each directed edge is the number of hosts of which the directed edge appears in the access domain name sequence in the at least one host; the host similarity of each directed edge is the ratio of the number of hosts accessing two domain names connected by the directed edge to the number of hosts accessing one or two of the domain names connected by the directed edge in the at least one host; the total access times of each directed edge are the times of the directed edge appearing in the domain name access sequences;
screening the target directed edge according to the attribute values of the at least two directed edges, comprising:
and determining the directed edge of which the attribute value is smaller than the threshold value in the at least two directed edges as the target directed edge.
4. The domain name detection method according to claim 1, wherein detecting a malicious domain name in the at least one connected branch comprises:
detecting whether the domain name in the at least one connected branch is a known domain name in a black domain name library;
obtaining at least one branch detection result of the domain name of the at least one connected branch according to the result of the domain name detection in the at least one connected branch;
and determining a malicious subgraph from the at least one connected branch by using the at least one branch detection result, and determining a domain name in the malicious subgraph as the malicious domain name.
5. The domain name detection method according to claim 4, wherein the determining a malicious subgraph from the at least one connected branch by using the at least one branch detection result comprises:
determining a connected branch corresponding to a branch detection result matched with the malicious situation as a malicious subgraph; the malicious condition comprises at least one condition that the ratio of suspected malicious domain names is greater than a ratio threshold, the number of suspected malicious domain names is greater than a malicious threshold, and the number of suspected non-malicious domain names is less than a safety threshold, wherein the suspected malicious domain names are known domain names in the black domain name library, and the suspected non-malicious domain names are not known domain names in the black domain name library.
6. The domain name detection method according to claim 4, wherein the black domain name library is an advanced persistent threat (APT) attack domain name library, and the malicious subgraph corresponds to an APT attack activity.
7. A domain name detecting apparatus, comprising:
the domain name access sequence acquisition module is used for acquiring a plurality of domain name access sequences of at least one host, wherein the domain name access sequences comprise at least two domain names;
a domain name connection graph constructing module, configured to construct a directed domain name connection graph according to the domain name access sequences, where the directed domain name connection graph includes at least two nodes and at least two directed edges, each node of the at least two nodes corresponds to one domain name of the at least two domain names, each directed edge connects two nodes of the at least two nodes, and the direction of each directed edge indicates the order in which a host of the at least one host accesses the domain names of the two nodes;
a connected branch determining module, configured to determine at least one connected branch according to the directed domain name connection graph, where each connected branch is a subgraph of the directed domain name connection graph;
and the malicious domain name detection module is used for detecting a malicious domain name in the at least one connected branch.
8. The domain name detection device according to claim 7, wherein the connected branch determining module specifically includes:
an attribute value determination unit, configured to determine attribute values of the at least two directed edges;
the target directed edge screening unit is used for screening the target directed edges according to the attribute values of the at least two directed edges;
and the cutting unit is used for disconnecting the target directed edge in the directed domain name connection graph to obtain the at least one connected branch.
9. The domain name detection device according to claim 8, wherein the attribute value of each directed edge includes one or more of the following three values: a host count, a host similarity and a total access count; the host count of each directed edge is the number of hosts, among the at least one host, in whose domain name access sequences the directed edge appears; the host similarity of each directed edge is the ratio of the number of hosts, among the at least one host, that access both domain names connected by the directed edge to the number of hosts that access either or both of those domain names; and the total access count of each directed edge is the number of times the directed edge appears in the domain name access sequences;
the target directed edge screening unit is specifically configured to determine, as the target directed edge, a directed edge of the at least two directed edges whose attribute values are smaller than a threshold.
10. The domain name detection device according to claim 7, wherein the malicious domain name detection module specifically includes:
the black domain name comparison unit is used for detecting whether the domain name in the at least one connected branch is a known domain name in a black domain name library or not;
the branch detection result acquisition unit is used for acquiring at least one branch detection result for the at least one connected branch according to the result of detecting the domain names in the at least one connected branch;
a malicious subgraph determining unit, configured to determine a malicious subgraph from the at least one connected branch by using the at least one branch detection result;
and the malicious domain name determining unit is used for determining the domain name in the malicious subgraph as the malicious domain name.
11. The domain name detection device according to claim 8, wherein the malicious subgraph determining unit is specifically configured to determine a connected branch whose branch detection result matches a malicious condition as a malicious subgraph; the malicious condition comprises at least one of the following: the ratio of suspected malicious domain names is greater than a ratio threshold, the number of suspected malicious domain names is greater than a malicious threshold, and the number of suspected non-malicious domain names is less than a safety threshold, wherein a suspected malicious domain name is a domain name known in the black domain name library, and a suspected non-malicious domain name is a domain name not known in the black domain name library.
12. The domain name detection device according to claim 10, wherein the black domain name library is an advanced persistent threat (APT) attack domain name library, and the malicious subgraph corresponds to an APT attack activity.
13. A domain name detecting apparatus, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the domain name detection method according to any one of claims 1 to 6 when executing the computer program.
14. A readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the domain name detection method according to any one of claims 1 to 6.
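The detection pipeline of claims 1 to 6 (mirrored as apparatus units in claims 7 to 12), worked through as an added Python example; this is not code from the patent or from Sangfor. It builds the directed domain name connection graph from per-host access sequences, computes the three edge attributes of claim 3 (host count, host similarity as the ratio of hosts visiting both endpoint domains to hosts visiting either, total access count), cuts every edge with an attribute below its threshold, takes the connected components of what remains as the connected branches, and applies the claim 5 conditions against a black domain name library. The host sequences, blacklist and thresholds are constructed for illustration; reading "connected branch" as weak connectivity (edge direction ignored when grouping) and treating the claim 5 conditions as a configurable "any of" rule are assumptions, since the claims do not fix either.

```python
"""Graph-based malicious domain detection in the style of claims 1-6 (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample input (not from the patent): host id -> ordered domain access sequence.
# host-1 and host-2 visit the same three C2-style domains right after a CDN domain.
SAMPLE_SEQUENCES = {
    "host-1": ["www.example", "cdn.example", "c2-a.example", "c2-b.example", "stage.example"],
    "host-2": ["www.example", "cdn.example", "c2-a.example", "c2-b.example", "stage.example"],
    "host-3": ["www.example", "cdn.example", "mail.example"],
    "host-4": ["news.example", "www.example", "cdn.example"],
    "host-5": ["mail.example", "news.example"],
}
# Constructed black domain name library: only one of the three C2 domains is already known.
SAMPLE_BLACKLIST = {"c2-a.example"}


@dataclass(frozen=True)
class EdgeAttrs:
    host_count: int         # hosts whose sequence contains this directed edge
    host_similarity: float  # |hosts visiting both endpoints| / |hosts visiting either endpoint|
    total_accesses: int     # occurrences of the edge across all sequences


def build_graph(sequences):
    """Return (nodes, {(src, dst): EdgeAttrs}) for the directed domain name connection graph."""
    hosts_of_domain = defaultdict(set)
    hosts_of_edge = defaultdict(set)
    accesses_of_edge = defaultdict(int)
    for host, seq in sequences.items():
        for domain in seq:
            hosts_of_domain[domain].add(host)
        for src, dst in zip(seq, seq[1:]):       # consecutive accesses form a directed edge
            if src == dst:
                continue                         # a repeated access adds no edge
            hosts_of_edge[(src, dst)].add(host)
            accesses_of_edge[(src, dst)] += 1
    edges = {}
    for (src, dst), hosts in hosts_of_edge.items():
        both = hosts_of_domain[src] & hosts_of_domain[dst]
        either = hosts_of_domain[src] | hosts_of_domain[dst]
        edges[(src, dst)] = EdgeAttrs(len(hosts), len(both) / len(either), accesses_of_edge[(src, dst)])
    return set(hosts_of_domain), edges


def prune_edges(edges, min_hosts, min_similarity, min_accesses):
    """Disconnect target edges: any edge with an attribute below its threshold (claim 3)."""
    return {e: a for e, a in edges.items()
            if a.host_count >= min_hosts
            and a.host_similarity >= min_similarity
            and a.total_accesses >= min_accesses}


def connected_branches(nodes, edges):
    """Weakly connected components of the pruned graph, each returned as a sorted list."""
    adj = defaultdict(set)
    for src, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    seen, branches = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        branches.append(sorted(comp))
    return branches


def is_malicious_branch(branch, blacklist, ratio_threshold, malicious_threshold, safety_threshold=None):
    """Claim 5: a branch is a malicious subgraph when any enabled condition matches."""
    suspected = sum(1 for d in branch if d in blacklist)
    benign = len(branch) - suspected
    if suspected / len(branch) > ratio_threshold:
        return True
    if suspected > malicious_threshold:
        return True
    # Disabled unless set: alone it would flag every small branch with no blacklist hit.
    return safety_threshold is not None and benign < safety_threshold


def detect(sequences, blacklist, *, min_hosts=2, min_similarity=0.6, min_accesses=2,
           ratio_threshold=0.3, malicious_threshold=2):
    """Return every domain in a malicious subgraph, known or newly inferred."""
    nodes, edges = build_graph(sequences)
    kept = prune_edges(edges, min_hosts, min_similarity, min_accesses)
    flagged = set()
    for branch in connected_branches(nodes, kept):
        if is_malicious_branch(branch, blacklist, ratio_threshold, malicious_threshold):
            flagged.update(branch)
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_SEQUENCES, SAMPLE_BLACKLIST)
    print("malicious subgraph:", sorted(found))
    print("newly inferred    :", sorted(found - SAMPLE_BLACKLIST))
```

The thresholds need tuning per environment: with the host similarity threshold at 0.6 the single cdn.example → c2-a.example edge (similarity 0.5, since two of the four CDN visitors went on to the C2 domain) is cut, which isolates the three C2-style domains in their own branch; one of them is in the library, the branch ratio of 1/3 exceeds the ratio threshold, and the other two are reported as newly inferred. Lowering the similarity threshold to 0.5 would merge that branch with the benign www/cdn pair and drop the ratio below the threshold, which is the usual false-positive/false-negative trade-off when cutting edges.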

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010355503.6A CN113572719B (en) 2020-04-29 2020-04-29 Domain name detection method, device, equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010355503.6A CN113572719B (en) 2020-04-29 2020-04-29 Domain name detection method, device, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN113572719A true CN113572719A (en) 2021-10-29
CN113572719B CN113572719B (en) 2023-03-24

Family

ID=78158494

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010355503.6A Active CN113572719B (en) 2020-04-29 2020-04-29 Domain name detection method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN113572719B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106101104A (en) * 2016-06-15 2016-11-09 国家计算机网络与信息安全管理中心 Malicious domain name detection method and system based on domain name resolution
US9942252B1 (en) * 2015-09-08 2018-04-10 EMC IP Holding Co. LLC Graph-based techniques for detecting coordinated network attacks
US20180343272A1 (en) * 2017-05-26 2018-11-29 Qatar Foundation Method to identify malicious web domain names thanks to their dynamics
CN109698820A (en) * 2018-09-03 2019-04-30 长安通信科技有限责任公司 Domain name similarity calculation and classification method and system
CN110324273A (en) * 2018-03-28 2019-10-11 蓝盾信息安全技术有限公司 Botnet detection method combining DNS request behaviour with domain name composition features
CN110557382A (en) * 2019-08-08 2019-12-10 中国科学院信息工程研究所 Malicious domain name detection method and system using domain name co-occurrence relations

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张奕 et al.: "Malicious domain name detection method based on knowledge graph", 通信技术 (Communications Technology) *
李梦玉 et al.: "URL-based malicious access detection method", 通信学报 (Journal on Communications) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760113A (en) * 2022-03-30 2022-07-15 深信服科技股份有限公司 Abnormal alarm detection method and device, electronic equipment and storage medium
CN114760113B (en) * 2022-03-30 2024-02-23 深信服科技股份有限公司 Abnormality alarm detection method and device, electronic equipment and storage medium
CN114726623A (en) * 2022-04-08 2022-07-08 北京天融信网络安全技术有限公司 Advanced threat attack evaluation method and device, electronic equipment and storage medium
CN114726623B (en) * 2022-04-08 2023-11-28 北京天融信网络安全技术有限公司 Advanced threat attack assessment method and device, electronic equipment and storage medium
CN114650187A (en) * 2022-04-29 2022-06-21 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium
CN114650187B (en) * 2022-04-29 2024-02-23 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN113572719B (en) 2023-03-24

Similar Documents

Publication Publication Date Title
CN113572719B (en) Domain name detection method, device, equipment and readable storage medium
CN110958220B (en) Network space security threat detection method and system based on heterogeneous graph embedding
Xie et al. Evaluating host-based anomaly detection systems: A preliminary analysis of adfa-ld
US11194906B2 (en) Automated threat alert triage via data provenance
CN111355697B (en) Detection method, device, equipment and storage medium for botnet domain name family
WO2016147944A1 (en) Device for detecting terminal infected by malware, system for detecting terminal infected by malware, method for detecting terminal infected by malware, and program for detecting terminal infected by malware
CN112269316B (en) High-robustness threat hunting system and method based on graph neural network
CN112541022A (en) Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment
US11431792B2 (en) Determining contextual information for alerts
US20180219911A1 (en) Responding to alerts
Xiao et al. From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild
US11244043B2 (en) Aggregating anomaly scores from anomaly detectors
WO2017152877A1 (en) Network threat event evaluation method and apparatus
JP7069399B2 (en) Systems and methods for reporting computer security incidents
EP4080842A1 (en) Method and apparatus for obtaining malicious event information, and electronic device
CN114637892A (en) Overview map generation method of system log dependency map for attack investigation and recovery
CN113132311A (en) Abnormal access detection method, device and equipment
CN104871171A (en) Distributed pattern discovery
CN114915475A (en) Method, device, equipment and storage medium for determining attack path
EP4044057A1 (en) Method and system for identifying security vulnerabilities
Zhai et al. Integrating IDS alert correlation and OS-level dependency tracking
CN113098852A (en) Log processing method and device
Ianni et al. Scout: Security by computing outliers on activity logs
Jaafar et al. A systematic approach for privilege escalation prevention
Li et al. LogKernel: A threat hunting approach based on behaviour provenance graph and graph kernel clustering

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant