CN113630409A - Abnormal traffic identification method based on fusion analysis of DNS analysis traffic and IP traffic - Google Patents

Abnormal traffic identification method based on fusion analysis of DNS analysis traffic and IP traffic

Info

Publication number: CN113630409A
Authority: CN (China)
Prior art keywords: address, abnormal, traffic, domain name, communication
Legal status: Granted
Application number: CN202110895580.5A
Other languages: Chinese (zh)
Other versions: CN113630409B (en)
Inventors: 张兆心, 常利婷, 赵东, 郭辉, 陆柯羽, 程亚楠, 柴婷婷
Current Assignee: Harbin Institute of Technology Weihai
Original Assignee: Harbin Institute of Technology Weihai
Application filed by Harbin Institute of Technology Weihai
Priority to CN202110895580.5A
Publication of CN113630409A
Application granted
Publication of CN113630409B
Current legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The invention provides an abnormal traffic identification method based on fusion analysis of DNS resolution traffic and IP traffic, comprising the following steps: step 1, discovering the communication device assets of the industrial control network, acquiring the list of enterprise devices that participate in communication, and establishing an asset information base of industrial control network communication devices; step 2, DNS traffic feature extraction; step 3, IP traffic feature extraction; step 4, identifying abnormal communication behaviors; step 5, identifying and protecting against abnormal traffic; step 6, obtaining abnormal traffic profile information; and step 7, storing and submitting abnormal traffic identification logs, abnormal traffic feature sets and abnormal traffic profile information. The method combines the characteristics of the network to obtain profile information of the abnormal traffic, establishes multilayer protective barriers of domain names, IP addresses, authorized behavior lists, profile information and the like, can realize high-precision monitoring, and can provide more decision basis for security management personnel.

Description

Abnormal traffic identification method based on fusion analysis of DNS analysis traffic and IP traffic
Technical Field
The invention relates to the field of information security of industrial control networks, and in particular to an abnormal traffic identification method based on fusion analysis of DNS resolution traffic and IP traffic.
Background
China is a large manufacturing country, and manufacturing is an important part of its economy. At present, the core technology of the industrial software used by many manufacturing sectors in China still depends on foreign suppliers. Because this industrial software is involved, the industrial control network of an enterprise communicates extensively with the enterprise's internal management network and even with the internet, so the originally controllable and reliable industrial control network faces more and more threats: viruses can be implanted, key enterprise information can be leaked, and so on, bringing potential risks to the information security of the enterprise.
Normally, after purchasing a device from a device service provider, the enterprise acquires control of the device, and the device and the service provider should stop all communication that is not explicitly authorized. All devices connected to the industrial control network, the industrial software running on them and any instructions sent by that software are resources controlled by the industrial control network, so only domain names and IP addresses specified in advance should appear in its traffic. However, given the importance of industrial control networks, device service providers or other illegitimate parties may intrude into them and carry out illegal data communication through backdoor programs in the devices or the industrial software, so that privacy is violated and ultimately the security of enterprises and countries is threatened. Therefore, monitoring abnormal traffic in the industrial control network is an important means of prevention and control: the traffic data records all activities and behaviors of the network, so attacks can be discovered in time by monitoring abnormal traffic, reducing economic loss.
At present there are two main solutions for abnormal traffic monitoring of industrial control networks: one collects field traffic and identifies abnormal traffic mainly with an IP address white list; the other collects the DNS resolution traffic of the DNS server and identifies abnormal traffic from the DNS server's resolution logs. Collecting only field traffic cannot identify abnormal communication that is carried out through the DNS server by means of DNS messages, and likewise collecting only DNS resolution traffic cannot identify abnormal communication outside the DNS system.
Disclosure of Invention
The invention addresses the technical problem that, in abnormal traffic monitoring of an industrial control network, abnormal communication carried out through a DNS server by means of DNS messages cannot be identified by collecting field traffic alone, and abnormal communication outside the DNS system cannot be identified by collecting DNS resolution traffic alone; it provides an abnormal traffic identification method based on fusion analysis of DNS resolution traffic and IP traffic.
Accordingly, the technical scheme of the invention is an abnormal traffic identification method based on fusion analysis of DNS resolution traffic and IP traffic, comprising the following steps:
step 1, discovering industrial control network communication device assets, acquiring the list of enterprise devices that participate in communication, establishing an asset information base of industrial control network communication devices, establishing a trusted industrial control network, establishing a double white list of communication domain names and IP addresses together with an authorized communication behavior list, and updating them every day;
step 2, DNS traffic feature extraction, namely acquiring the resolution log of the industrial control network DNS server in real time and constructing a DNS traffic feature set;
step 3, IP traffic feature extraction, namely acquiring industrial control network field traffic in real time and constructing an IP traffic feature set;
step 4, identifying abnormal communication behaviors, which comprises: according to the DNS traffic features, identifying abnormal communication behaviors based on the domain name and IP address white lists and the industrial control network authorized communication behavior list; and according to the IP traffic features, identifying abnormal communication behaviors based on the domain name and IP address white lists and the industrial control network authorized communication behavior list;
step 5, identifying and protecting against abnormal traffic, marking the traffic related to abnormal communication behavior as abnormal traffic, filtering it, and blocking the abnormal communication behavior from continuing;
step 6, obtaining abnormal traffic profile information, namely profile information of the abnormal domain names and abnormal IP addresses related to the abnormal traffic;
step 7, storing and submitting the abnormal traffic identification logs, abnormal traffic feature sets and abnormal traffic profile information.
Preferably, the industrial control network DNS server is a dedicated local DNS server rather than a public DNS server.
Preferably, each record of the authorized communication behavior list comprises: source IP address, source domain name, source port, destination IP address, destination domain name, destination port, allowed communication time.
Preferably, the DNS traffic feature set comprises: requesting device IP address, requested domain name, requesting DNS server, resolved IP address, request time.
Preferably, the IP traffic feature set comprises: source IP address, source port, destination IP address, destination port, communication time.
Preferably, identifying abnormal communication behavior according to the DNS traffic features, based on the domain name and IP address white lists and the industrial control network authorized communication behavior list, comprises the following steps:
step s1, judging whether the requesting device IP address is in the IP address white list; if not, adding the requesting device IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s2, judging whether the requesting IP address is in the authorized communication behavior list; if not, this indicates that a non-externally-open device is communicating with an external domain name authoritative server by issuing DNS requests and obtaining responses, and the behavior is judged to be abnormal communication behavior; otherwise, entering the next step;
step s3, judging whether the requested domain name is in the domain name white list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s4, judging whether the resolved IP address is in the IP address white list; if not, adding the resolved IP address to the IP address white list; otherwise, the communication behavior is determined to be normal.
Preferably, identifying abnormal communication behavior according to the IP traffic features, based on the domain name and IP address white lists and the industrial control network authorized communication behavior list, comprises the following steps:
step s1, judging whether the source IP address is in the IP address white list; if not, adding the source IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s2, judging whether the source IP address is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s3, judging whether the source port is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s4, judging whether the destination IP address is in the IP address white list; if not, adding the destination IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s5, judging whether the destination IP address is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s6, judging whether the destination port is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s7, judging whether the communication time is within the allowed communication time range; if not, judging the behavior to be abnormal communication behavior; otherwise, the communication behavior is determined to be normal.
Preferably, obtaining abnormal traffic profile information, namely profile information of the abnormal domain names and abnormal IP addresses related to abnormal communication behavior, comprises the following steps:
step s1, obtaining abnormal domain name profile information; the content obtained and the manner of obtaining it are as follows:
(1) the category to which the domain name's web page content belongs, obtained by classifying the web page content with a Transformer-based comprehensive classification system for web page text and web page snapshots;
(2) the certificate used by the domain name, retrieved with crt.sh;
(3) the protocol used by the domain name, obtained by acquiring and verifying the protocol on the open ports to get the protocol type the domain name uses;
(4) common sub-domain names of the domain name, expanded with the sub-domain name discovery tool subframer;
(5) the IP addresses the domain name resolves to, obtained by sending A record requests for the abnormal domain name to stable open DNS servers in different regions of the world and collecting the IP addresses returned;
(6) the domain name registration information, obtained with a WHOIS command against a WHOIS information base, comprising domain name status, domain name service provider name, domain name registrant name, domain name creation time, domain name expiration time and domain name registrant contact information;
step s2, obtaining abnormal IP address profile information; the manner of obtaining it is as follows:
(1) performing a port scan to obtain which ports are open on the host to which the IP address belongs;
(2) acquiring the AS information of the IP address from BGP announcement data;
(3) obtaining the ownership information of the IP address with a WHOIS command against a WHOIS information base, comprising the CIDR address block, network name, address range, autonomous system, address, registry, organization email, organization telephone, operator, owner and postal code to which it belongs.
The beneficial effect of the method is that abnormal traffic is identified based on fusion analysis of DNS resolution traffic and IP traffic. A more comprehensive white list mechanism and an authorized communication behavior list are established, and both the DNS resolution traffic of the DNS server and the field IP traffic of the industrial control network are monitored, so the monitoring coverage is wider and the types of anomaly identified are more comprehensive. The profile information of the IP addresses and domain names related to the abnormal traffic provides security management personnel with more decision information and evidence for asserting their rights. The characteristics of the industrial control network and the domain name system are fully utilized, and multilayer protective barriers of domain names, IP addresses, authorized behavior lists, profile information and the like are established, so that high-precision monitoring can be realized.
Drawings
FIG. 1 is a schematic diagram of the abnormal traffic identification system based on fusion analysis of DNS resolution traffic and IP traffic according to the present invention;
FIG. 2 is a schematic diagram of the industrial control network communication scenario simulated by the present invention;
FIG. 3 is a schematic diagram of the process of identifying abnormal communication behavior based on DNS resolution traffic according to the present invention;
FIG. 4 is a schematic diagram of the process of identifying abnormal communication behavior based on IP traffic according to the present invention.
Detailed Description
The invention is further described below with reference to the figures and examples, so that those skilled in the art can easily implement it. An abnormal traffic identification system based on fusion analysis of DNS resolution traffic and IP traffic is shown in FIG. 1. The abnormal traffic identification method based on fusion analysis of DNS resolution traffic and IP traffic comprises the following steps:
Step 1, discovering the communication device assets of the industrial control network. A domain name white list and an IP address white list for industrial control network communication are established by combining lists provided by the enterprise with regular active mapping of the network space. Based on the domain name and IP address white lists, an industrial control network authorized communication behavior list is established according to the industrial control network communication scenario simulated in FIG. 2; each record of the list comprises: source IP address, source domain name, source port, destination IP address, destination domain name, destination port, allowed communication time. As shown in FIG. 2, the device types fall into the following four categories:
(1) Externally open device: a device inside the industrial control network that is allowed to communicate with external authorized devices.
(2) Non-externally-open device: a device inside the industrial control network that is not allowed to communicate with external devices.
(3) Management and control server: a server that monitors and manages the other devices of the industrial control network.
(4) DNS server: a DNS server dedicated to the industrial control network.
In FIG. 2, a communication line labelled as abnormal communication behavior is an illegal communication line, i.e. a communication that is not allowed to occur normally, and a communication line labelled as normal communication behavior is a legal communication line. The specific communication behaviors are summarized as follows:
(1) Communication line 1: a non-externally-open device and an external unauthorized device communicate with each other; defined as abnormal communication behavior;
(2) Communication line 2: a non-externally-open device and an external authorized device communicate with each other; defined as abnormal communication behavior;
(3) Communication lines 3 and 5: a non-externally-open device communicates with an external domain name authoritative server by means of DNS messages, issuing DNS requests and obtaining responses; defined as abnormal communication behavior;
(4) Communication lines 4 and 5: an externally open device communicates with an external authorized device; when the domain name of the external authorized device is known but its IP address is not, an A record request for the domain name is sent to the DNS server to obtain the IP address of the external authorized device; defined as normal communication behavior;
(5) Communication line 6: with the IP address of the external authorized device already known, the externally open device and the external authorized device communicate with each other; defined as normal communication behavior;
(6) Communication line 7: an externally open device and an external unauthorized device communicate with each other; defined as abnormal communication behavior;
(7) Communication line 8: an externally open device and a non-externally-open device inside the industrial control network communicate with each other; given the openness of the externally open device, this is defined as abnormal communication behavior in order to protect the non-externally-open device;
(8) Communication lines 9 and 10: communication between the industrial control network management and control server and the devices inside the industrial control network; defined as normal communication behavior.
Step 2, extracting DNS traffic features. The resolution log of the DNS server used by the industrial control network is obtained in real time and a DNS traffic feature set is constructed, comprising: requesting device IP address, requested domain name, requesting DNS server, resolved IP address, request time.
Step 3, extracting IP traffic features. The field traffic of the industrial control network is obtained in real time and an IP traffic feature set is constructed, comprising: source IP address, source port, destination IP address, destination port, communication time.
Step 4, identifying abnormal communication behaviors.
(1) According to the DNS traffic features (requesting device IP address, requested domain name, requesting DNS server, resolved IP address, request time), based on the authorized communication behavior list (source IP address, source domain name, source port, destination IP address, destination domain name, destination port, allowed communication time) and the domain name and IP address white lists, the abnormal communication behaviors represented by communication lines 3 and 5 and the normal communication behaviors represented by communication lines 4 and 5 are identified. As shown in FIG. 3, the specific identification process is a method for identifying abnormal communication behavior according to the DNS traffic features, based on the domain name and IP address white lists and the industrial control network authorized communication behavior list, comprising the following steps:
Step s1, judging whether the requesting device IP address is in the IP address white list; if not, adding the requesting device IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, going to the next step.
Step s2, judging whether the requesting IP address is in the authorized communication behavior list; if not, this indicates that a non-externally-open device is communicating with an external domain name authoritative server by issuing DNS requests and obtaining responses, and the behavior is judged to be abnormal communication behavior; otherwise, going to the next step.
Step s3, judging whether the requested domain name is in the domain name white list; if not, judging the behavior to be abnormal communication behavior; otherwise, going to the next step.
Step s4, judging whether the resolved IP address is in the IP address white list; if not, adding the resolved IP address to the IP address white list; otherwise, the communication behavior is determined to be normal.
(2) According to the IP traffic features (source IP address, source port, destination IP address, destination port, communication time), based on the authorized communication behavior list (source IP address, source domain name, source port, destination IP address, destination domain name, destination port, allowed communication time) and the IP address white list, the abnormal communication behaviors represented by communication lines 1, 2, 7 and 8 and the normal communication behaviors represented by communication lines 6, 9 and 10 are identified. As shown in FIG. 4, the specific identification process is a method for identifying abnormal communication behavior according to the IP traffic features, based on the domain name and IP address white lists and the industrial control network authorized communication behavior list, comprising the following steps:
Step s1, judging whether the source IP address is in the IP address white list; if not, adding the source IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, going to the next step.
Step s2, judging whether the source IP address is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, going to the next step.
Step s3, judging whether the source port is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, going to the next step.
Step s4, judging whether the destination IP address is in the IP address white list; if not, adding the destination IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, going to the next step.
Step s5, judging whether the destination IP address is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, going to the next step.
Step s6, judging whether the destination port is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, going to the next step.
Step s7, judging whether the communication time is within the allowed communication time range; if not, judging the behavior to be abnormal communication behavior; otherwise, the communication behavior is determined to be normal.
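The two decision procedures above, FIG. 3 (steps s1 to s4 over the DNS traffic features) and FIG. 4 (steps s1 to s7 over the IP traffic features), as an added Python example that is not part of the patent: the white lists, the authorized communication behavior records, and every device address and domain name are constructed to mirror the FIG. 2 scenario, and the Authorized/Lists record layouts are this example's own assumption.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional

ANY = None  # wildcard port in an authorized communication behavior record


@dataclass
class Authorized:
    """One record of the authorized communication behavior list (step 1)."""
    src_ip: str
    src_domain: str
    src_port: Optional[int]
    dst_ip: str
    dst_domain: str
    dst_port: Optional[int]
    allowed_from: time
    allowed_to: time


@dataclass
class Lists:
    """Domain/IP double white list, IP black list and authorized behavior list."""
    ip_whitelist: set
    domain_whitelist: set
    authorized: list
    ip_blacklist: set = field(default_factory=set)


def check_dns(lists, req_ip, req_domain, resolved_ip):
    """FIG. 3 steps s1-s4 over one DNS traffic feature record."""
    if req_ip not in lists.ip_whitelist:                 # s1: unknown asset
        lists.ip_blacklist.add(req_ip)
        return ("abnormal", "s1")
    if not any(a.src_ip == req_ip for a in lists.authorized):  # s2
        # a device with no authorized behavior is using DNS as a channel
        return ("abnormal", "s2")
    if req_domain not in lists.domain_whitelist:         # s3
        return ("abnormal", "s3")
    # s4: learn the resolved address so the following IP flow (line 6) passes
    # its white-list check; the text gives s4 no abnormal branch
    lists.ip_whitelist.add(resolved_ip)
    return ("normal", "s4")


def check_ip(lists, src_ip, src_port, dst_ip, dst_port, when):
    """FIG. 4 steps s1-s7; each step narrows the candidate records by one field."""
    if src_ip not in lists.ip_whitelist:                 # s1
        lists.ip_blacklist.add(src_ip)
        return ("abnormal", "s1")
    cand = [a for a in lists.authorized if a.src_ip == src_ip]      # s2
    if not cand:
        return ("abnormal", "s2")
    cand = [a for a in cand if a.src_port in (ANY, src_port)]      # s3
    if not cand:
        return ("abnormal", "s3")
    if dst_ip not in lists.ip_whitelist:                 # s4
        lists.ip_blacklist.add(dst_ip)
        return ("abnormal", "s4")
    cand = [a for a in cand if a.dst_ip == dst_ip]                  # s5
    if not cand:
        return ("abnormal", "s5")
    cand = [a for a in cand if a.dst_port in (ANY, dst_port)]      # s6
    if not cand:
        return ("abnormal", "s6")
    if not any(a.allowed_from <= when <= a.allowed_to for a in cand):  # s7
        return ("abnormal", "s7")
    return ("normal", "s7")


def demo_lists():
    """Constructed lists modelled on the FIG. 2 scenario (hypothetical values)."""
    hours = (time(8, 0), time(18, 0))
    always = (time(0, 0), time(23, 59, 59))
    return Lists(
        ip_whitelist={"10.0.0.1", "10.0.0.2", "10.0.0.10", "10.0.0.20", "203.0.113.5"},
        domain_whitelist={"update.vendor.example"},
        authorized=[
            # externally open device 10.0.0.10 -> external authorized device, HTTPS
            Authorized("10.0.0.10", "open.plant.example", ANY,
                       "203.0.113.5", "update.vendor.example", 443, *hours),
            # management server 10.0.0.2 -> internal device (line 9), any time
            Authorized("10.0.0.2", "mgmt.plant.example", ANY,
                       "10.0.0.10", "open.plant.example", ANY, *always),
        ],
    )


def run_scenario():
    """Feeds constructed DNS records and IP flows through both procedures."""
    L = demo_lists()
    r = {}
    # DNS features: requesting device IP, requested domain, resolved IP
    r["line4_5"] = check_dns(L, "10.0.0.10", "update.vendor.example", "203.0.113.5")
    r["line3_5"] = check_dns(L, "10.0.0.20", "update.vendor.example", "203.0.113.5")
    r["bad_domain"] = check_dns(L, "10.0.0.10", "evil.example", "198.51.100.7")
    r["unknown_host"] = check_dns(L, "192.168.99.9", "update.vendor.example", "203.0.113.5")
    # IP features: source IP/port, destination IP/port, communication time
    r["line6"] = check_ip(L, "10.0.0.10", 51000, "203.0.113.5", 443, time(10, 30))
    r["line2"] = check_ip(L, "10.0.0.20", 51001, "203.0.113.5", 443, time(10, 30))
    r["line8"] = check_ip(L, "10.0.0.10", 51002, "10.0.0.20", 502, time(10, 30))
    r["after_hours"] = check_ip(L, "10.0.0.10", 51003, "203.0.113.5", 443, time(23, 0))
    r["line7"] = check_ip(L, "10.0.0.10", 51004, "198.51.100.7", 443, time(10, 30))
    r["blacklist"] = sorted(L.ip_blacklist)
    return r
```

Each verdict carries the step at which the record left the flow chart, which is the detail a security operator needs in the step 7 identification log to tell a DNS-channel case (line 3) from a plain unauthorized peer (line 7).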
Step 5, identifying and protecting against abnormal traffic. The traffic related to abnormal communication behavior is identified as abnormal traffic, the abnormal traffic is filtered, and the abnormal communication behavior is blocked from continuing.
Step 6, obtaining abnormal traffic profile information. Profile information of the abnormal domain names and abnormal IP addresses related to the abnormal communication behavior is obtained. The specific steps are as follows:
Step s1, obtaining abnormal domain name profile information. The content obtained and the manner of obtaining it are as follows:
(1) The category to which the domain name's web page content belongs. The web page content is classified (for example as pornography, gambling and so on) by a Transformer-based comprehensive classification system for web page text and web page snapshots.
(2) The certificate used by the domain name. The certificate information used by the domain name is retrieved with crt.sh.
(3) The protocol used by the domain name. The protocol on the open ports is acquired and verified to obtain the protocol type used by the domain name, for example HTTP or HTTPS.
(4) Common sub-domain names of the domain name. Sub-domain names are expanded with the sub-domain name discovery tool subframer.
(5) The IP addresses the domain name resolves to. A record requests for the abnormal domain name are sent to stable open DNS servers in different regions of the world to obtain the IP addresses the abnormal domain name resolves to.
(6) Domain name registration information. Based on a WHOIS information base, the domain name registration information, such as domain name status, domain name service provider name, domain name registrant name, domain name creation time, domain name expiration time and domain name registrant contact information, is obtained with a WHOIS command.
Step s2, obtaining abnormal IP address profile information. The manner of obtaining it is as follows:
(1) A port scan is performed to obtain which ports are open on the host to which the IP address belongs.
(2) The AS information of the IP address is obtained from BGP announcement data.
(3) Other ownership information of the IP address is obtained with a WHOIS command based on a WHOIS information base, such as the CIDR address block, network name, address range, autonomous system, address, registry, organization email, organization telephone, operator, owner, postal code and so on to which it belongs.
Step 7, storing and submitting the abnormal traffic identification logs, abnormal traffic feature sets and abnormal traffic profile information.
The invention identifies abnormal traffic based on fusion analysis of DNS resolution traffic and IP traffic. A more comprehensive white list mechanism and an authorized communication behavior list are established, and both the DNS resolution traffic of the DNS server and the field IP traffic of the industrial control network are monitored, so the monitoring coverage is wider and the types of anomaly identified are more comprehensive. The profile information of the IP addresses and domain names related to the abnormal traffic provides security management personnel with more decision information and evidence for asserting their rights. The invention fully utilizes the characteristics of the industrial control network and the domain name system and establishes multiple layers of protective barriers, such as domain names, IP addresses, authorized behavior lists and profile information, so that high-precision monitoring can be realized.
However, the above description is only an exemplary embodiment of the present invention and does not limit its scope; the replacement of equivalent components, or equivalent changes and modifications made within the protection scope of the present invention, should be covered by the claims of the present invention.

Claims (8)

1. An abnormal traffic identification method based on the fusion analysis of DNS resolution traffic and IP traffic, characterized in that the method comprises the following steps:
step 1, discovering industrial control network communication equipment assets, acquiring the list of enterprise equipment participating in communication, establishing an industrial control network communication equipment asset information base, establishing an industrial control network trusted network, establishing a double white list of communication domain names and IP addresses together with an authorized communication behavior list, and updating them daily;
step 2, DNS traffic feature extraction, namely acquiring the resolution log of the industrial control network DNS server in real time and constructing a DNS traffic feature group;
step 3, IP traffic feature extraction, namely acquiring the industrial control network field traffic in real time and constructing an IP traffic feature group;
step 4, identifying abnormal communication behaviors, which comprises: according to the DNS traffic features, identifying abnormal communication behaviors based on the domain name white list, the IP address white list, and the industrial control network authorized communication behavior list; and according to the IP traffic features, identifying abnormal communication behaviors based on the domain name white list, the IP address white list, and the industrial control network authorized communication behavior list;
step 5, identifying and protecting against abnormal traffic, namely marking the traffic related to an abnormal communication behavior as abnormal traffic, filtering the abnormal traffic, and blocking the abnormal communication behavior from continuing;
step 6, obtaining abnormal traffic portrait information, namely obtaining the portrait information of the abnormal domain names and abnormal IP addresses related to the abnormal traffic;
step 7, storing and submitting the abnormal traffic identification logs, the abnormal traffic feature groups, and the abnormal traffic portrait information.
2. The abnormal traffic identification method based on the fusion analysis of the DNS resolution traffic and the IP traffic, according to claim 1, is characterized in that: the industrial control network DNS server uses a special local DNS server instead of a public DNS server.
3. The abnormal traffic identification method based on the fusion analysis of the DNS resolution traffic and the IP traffic, according to claim 1, is characterized in that: the list of authorized communication activities includes: source IP address, source domain name, source port, destination IP address, destination domain name, destination port, allowed communication time.
4. The abnormal traffic identification method based on the fusion analysis of the DNS resolution traffic and the IP traffic, according to claim 1, is characterized in that: the DNS traffic feature set includes: requesting a device IP address, requesting a domain name, requesting a DNS server, resolving an IP address, requesting time.
5. The abnormal traffic identification method based on the fusion analysis of the DNS resolution traffic and the IP traffic, according to claim 1, is characterized in that: the set of IP traffic characteristics includes: source IP address, source port, destination IP address, destination port, communication time.
6. The abnormal traffic identification method based on the fusion analysis of the DNS resolution traffic and the IP traffic, according to claim 1, is characterized in that: identifying abnormal communication behavior according to the DNS traffic features, based on the domain name white list, the IP address white list and the industrial control network authorized communication behavior list, comprises the following steps:
step s1, judging whether the requesting device IP address is in the IP address white list; if not, adding the requesting device IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s2, judging whether the requesting IP address is in the authorized communication behavior list; if not, this indicates that a device not opened to the outside is communicating with an external domain name authority server by means of a DNS request and response, and the behavior is judged to be abnormal communication behavior; otherwise, entering the next step;
step s3, judging whether the requested domain name is in the domain name white list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s4, judging whether the resolved IP address is in the IP address white list; if not, adding the resolved IP address to the IP address white list; otherwise, the communication behavior is determined to be normal.
7. The abnormal traffic identification method based on the fusion analysis of the DNS resolution traffic and the IP traffic, according to claim 1, is characterized in that: identifying abnormal communication behavior according to the IP traffic features, based on the domain name white list, the IP address white list and the industrial control network authorized communication behavior list, comprises the following steps:
step s1, judging whether the source IP address is in the IP address white list; if not, adding the source IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s2, judging whether the source IP address is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s3, judging whether the source port is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s4, judging whether the destination IP address is in the IP address white list; if not, adding the destination IP address to the IP address black list and judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s5, judging whether the destination IP address is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s6, judging whether the destination port is in the authorized behavior list; if not, judging the behavior to be abnormal communication behavior; otherwise, entering the next step;
step s7, judging whether the communication time is within the allowed communication time range; if not, judging the behavior to be abnormal communication behavior; otherwise, the communication behavior is determined to be normal.
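The two decision sequences of claims 6 and 7 carried out in code, as an added example that is not part of the patent: the white lists, the authorized behavior row, and every address, port and time below are constructed sample values, not data from the patent.

```python
from dataclasses import dataclass, field
from datetime import time

@dataclass
class AuthorizedBehavior:  # one row of the authorized communication behavior list (claim 3)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start: time  # allowed communication window, inclusive
    end: time

@dataclass
class Policy:  # double white list (claim 1), authorized list, and the black list the checks populate
    ip_whitelist: set
    domain_whitelist: set
    authorized: list
    ip_blacklist: set = field(default_factory=set)

    def check_dns(self, req_ip, domain, resolved_ip):
        # Claim 6, steps s1-s4, over one DNS traffic feature record (claim 4).
        if req_ip not in self.ip_whitelist:  # s1
            self.ip_blacklist.add(req_ip)
            return "abnormal: requester not whitelisted"
        if req_ip not in {a.src_ip for a in self.authorized}:  # s2
            return "abnormal: requester not authorized for external DNS"
        if domain not in self.domain_whitelist:  # s3
            return "abnormal: domain not whitelisted"
        self.ip_whitelist.add(resolved_ip)  # s4: learn the resolved address
        return "normal"

    def check_ip(self, src_ip, src_port, dst_ip, dst_port, when):
        # Claim 7, steps s1-s7, over one IP traffic feature record (claim 5).
        if src_ip not in self.ip_whitelist:  # s1
            self.ip_blacklist.add(src_ip)
            return "abnormal: source not whitelisted"
        if src_ip not in {a.src_ip for a in self.authorized}:  # s2
            return "abnormal: source not in authorized list"
        if src_port not in {a.src_port for a in self.authorized}:  # s3
            return "abnormal: source port not authorized"
        if dst_ip not in self.ip_whitelist:  # s4
            self.ip_blacklist.add(dst_ip)
            return "abnormal: destination not whitelisted"
        if dst_ip not in {a.dst_ip for a in self.authorized}:  # s5
            return "abnormal: destination not in authorized list"
        if dst_port not in {a.dst_port for a in self.authorized}:  # s6
            return "abnormal: destination port not authorized"
        if not any(a.start <= when <= a.end for a in self.authorized):  # s7
            return "abnormal: outside allowed communication time"
        return "normal"

def make_policy():
    # Constructed sample lists for a small plant network (assumption, not from the patent).
    return Policy({"10.0.1.10", "10.0.2.5", "203.0.113.7"}, {"historian.example.com"},
                  [AuthorizedBehavior("10.0.1.10", 40000, "10.0.2.5", 502, time(6, 0), time(22, 0))])
```

Note that step s4 of claim 6 grows the IP white list with every address a whitelisted domain resolves to, so a hijacked DNS answer for a whitelisted domain would whitelist the attacker's address; the IP-side checks of claim 7 (authorized list and time window) are what still catch the subsequent flow.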
8. The abnormal traffic identification method based on the fusion analysis of the DNS resolution traffic and the IP traffic, according to claim 1, is characterized in that: obtaining the abnormal traffic portrait information, namely the portrait information of the abnormal domain names and abnormal IP addresses related to the abnormal communication behavior, comprises the following steps:
step s1, obtaining the abnormal domain name portrait information; the content obtained and the way it is obtained are as follows:
(1) the category to which the domain name's web page content belongs is determined by classifying the web page content with a Transformer-based comprehensive classification system that uses both the web page text and a web page snapshot;
(2) the certificate used by the domain name is retrieved with crt.sh;
(3) the protocol used by the domain name is determined by port and protocol acquisition and verification, giving the protocol type the domain name uses;
(4) the common sub-domain names of the domain name are expanded with the sub-domain name discovery tool subframer;
(5) for the IP address obtained by resolving the domain name, an A record request for the abnormal domain name is sent to stable open DNS servers in different regions of the world, and the IP addresses the abnormal domain name resolves to are obtained;
(6) the domain name registration information is obtained with a WHOIS command against the WHOIS information base, and comprises the domain name status, the domain name service provider name, the domain name registrant name, the domain name creation time, the domain name expiration time, and the domain name registrant contact details;
step s2, obtaining the abnormal IP address portrait information, in the following way:
(1) port scanning is performed to obtain the open-port status of the host to which the IP address belongs;
(2) AS information for the IP address is obtained from BGP announcement data;
(3) the affiliation information of the IP address is obtained with a WHOIS command against the WHOIS information base, comprising the CIDR address block, the network name, the address range, the autonomous system, the address, the registry, the organization's mailbox, the organization's telephone, the operator, the affiliate, and the postal code.
CN202110895580.5A 2021-08-05 2021-08-05 Abnormal flow identification method based on DNS analysis flow and IP flow fusion analysis Active CN113630409B (en)
Publications (2)

Publication Number Publication Date
CN113630409A true CN113630409A (en) 2021-11-09
CN113630409B CN113630409B (en) 2023-04-28
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114301645A (en) * 2021-12-16 2022-04-08 北京六方云信息技术有限公司 Abnormal behavior detection method and device, terminal device and storage medium
CN115913614A (en) * 2022-09-19 2023-04-04 上海辰锐信息科技有限公司 Network access device and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013123798A1 (en) * 2012-02-23 2013-08-29 汉柏科技有限公司 Dns protocol-based method and system for identifying p2p protocol
WO2018113732A1 (en) * 2016-12-21 2018-06-28 北京奇虎科技有限公司 Method and apparatus for detecting dns full traffic hijack risk
CN108737385A (en) * 2018-04-24 2018-11-02 杭州安恒信息技术股份有限公司 A kind of malice domain name matching method mapping IP based on DNS
CN110324273A (en) * 2018-03-28 2019-10-11 蓝盾信息安全技术有限公司 A kind of Botnet detection method combined based on DNS request behavior with domain name constitutive characteristic
CN110324327A (en) * 2019-06-20 2019-10-11 国家计算机网络与信息安全管理中心 User and server ip address caliberating device and method based on specific enterprise domain name data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant