CN113660212B - Method and device for detecting DNS tunnel flow in real time - Google Patents


Info

Publication number
CN113660212B
CN113660212B (application CN202110844470.6A)
Authority
CN
China
Prior art keywords
dns
feature
discrete
training
characteristic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110844470.6A
Other languages
Chinese (zh)
Other versions
CN113660212A (en)
Inventor
杨永清
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202110844470.6A
Publication of CN113660212A
Application granted
Publication of CN113660212B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for detecting DNS tunnel traffic in real time. The method comprises the following steps: collecting DNS traffic and parsing the DNS Queries Name field content out of it; generating a feature vector from the obtained DNS Queries Name field content; discretizing the feature data in the feature vector to generate a discrete feature file; and inputting the discrete feature file into a pre-trained detection model for detection and outputting a DNS traffic detection result. The invention extracts the feature vector only from the Name field of the DNS Queries packet of a single DNS flow and feeds it to the model for inference, without waiting to collect other DNS Queries and DNS Answers packets; DNS traffic can therefore be detected in real time without storing any DNS traffic data other than the current flow, which reduces the storage cost of the device. In addition, feature discretization removes the differences between data from different tunnel tools, so that the feature value distributions of DNS traffic generated by different tunnel tools tend to coincide and the generalization capability of the model is improved.

Description

Method and device for detecting DNS tunnel flow in real time
Technical Field
The invention relates to the technical field of DNS (domain name system) traffic detection, in particular to a method and a device for detecting DNS tunnel traffic in real time.
Background
The DNS protocol translates between domain names and IP addresses; it is one of the indispensable network communication protocols and the foundation on which the whole Internet runs. For that reason, traditional traffic detection equipment rarely performs deep analysis and filtering of data carried over DNS, and malware exploits exactly this gap by building a covert DNS tunnel over the protocol for command and control, data exfiltration and the like.
DNS tunnel detection has long attracted researchers. Detection methods fall into two types. The first is payload analysis, which can be performed in real time and focuses mainly on the randomness, character frequency and similar properties of the DNS payload. The second is time-window traffic analysis, which focuses on the statistical characteristics of requests or responses over time, mainly the number of host names per domain within a time window, the frequency of record types such as A, AAAA and TXT, the mean and variance of subdomain N-grams, and the mean and variance of request and response time intervals.
Existing machine-learning DNS tunnel detection methods generally use a classification algorithm. Such a method must collect DNS traffic within a specific time window at the DNS server, compute the proportions of specific field contents (for example the TXT-type proportion or the proportion of a specific domain name), and then train a model on those features. Second, such methods must be trained on tunnel data of many categories so that the model can detect more tunnel tools.
The existing scheme has the following defects:
Because the existing scheme relies on statistical characteristics computed over the fields of many DNS flows within a time window (DNS Queries Name, DNS Queries Type, DNS Answers Name, DNS Answers Type, TTL and the like), for the flow to be predicted it must wait until all DNS flows in that period have been collected before the feature vector of that flow can be extracted, so real-time detection is not possible.
Because the existing scheme computes statistics over the relevant fields of many DNS flows in the time window, the parsed data of all DNS traffic in the current window has to be stored during that process, so the storage cost is high.
Because the generalization performance of the existing scheme is poor, a tunnel tool that did not take part in model training cannot be detected, that is, unknown tunnel tools cannot be found; with a fixed set of features, detecting more types of DNS tunnel tool requires training the model on more types of tunnel data.
Disclosure of Invention
The invention provides a method and a device for detecting DNS tunnel flow in real time, aiming at solving the technical problems of realizing the real-time detection of DNS tunnels, reducing the storage cost of DNS tunnel detection and improving the generalization capability of models.
The method for detecting the DNS tunnel flow in real time according to the embodiment of the invention comprises the following steps:
collecting DNS flow, and analyzing and obtaining DNS query Name field content in the DNS flow;
generating a feature vector based on the obtained DNS Queries Name field content;
discretizing the feature data in the feature vector to generate a discrete feature file;
and inputting the discrete feature file into a pre-trained detection model for calculation detection, and outputting a DNS flow detection result.
According to some embodiments of the invention, the generating a feature vector based on the obtained DNS Queries Name field content comprises:
and respectively calculating five characteristic values of letter proportion, sub-domain Name length, sub-domain Name 1-gram entropy, sub-domain Name 2-gram entropy and sub-domain Name character transfer probability according to the obtained DNS query Name field content of each DNS flow, and generating the characteristic vector through the five characteristic values.
In some embodiments of the present invention, the discretizing the feature data in the feature vector to generate a discrete feature file includes:
respectively setting a plurality of discrete intervals and corresponding numbers for each eigenvalue of the eigenvector;
setting the number corresponding to the discrete interval to which the characteristic value belongs as the discrete value of the characteristic value;
and generating the discrete characteristic file according to the discrete value of each characteristic value.
According to some embodiments of the invention, training the detection model comprises:
simulating DNS tunnel flow by using a tunnel tool, and analyzing and acquiring DNS query Name field content in the DNS tunnel flow;
generating a training feature vector based on the DNS Queries Name field content obtained by analysis;
discretizing the feature data in the training feature vector to generate a discrete feature training file;
and training a detection model through the discrete feature training file.
In some embodiments of the invention, the detection model employs a gradient-lifting tree model.
The device for detecting DNS tunnel traffic in real time according to the embodiment of the invention comprises:
the DNS traffic data acquisition and processing module is used for acquiring DNS traffic and analyzing and acquiring DNS query Name field content in the DNS traffic;
the characteristic extraction module is used for generating a characteristic vector based on the acquired DNS Queries Name field content;
the characteristic optimization module is used for carrying out discretization processing on the characteristic data in the characteristic vector to generate a discrete characteristic file;
and the model reasoning module is used for inputting the discrete feature file into a pre-trained detection model for calculation detection and outputting a detection result of the DNS flow.
According to some embodiments of the invention, the feature extraction module is specifically configured to:
and respectively calculating five characteristic values of letter ratio, sub domain Name length, sub domain Name 1-gram entropy, sub domain Name 2-gram entropy and sub domain Name character transfer probability according to the obtained DNS query Name field content of each DNS flow, and generating the characteristic vector through the five characteristic values.
In some embodiments of the present invention, the feature optimization module is specifically configured to:
respectively setting a plurality of discrete intervals and corresponding numbers for each eigenvalue of the eigenvector;
setting the number corresponding to the discrete interval to which the characteristic value belongs as the discrete value of the characteristic value;
and generating the discrete characteristic file according to the discrete value of each characteristic value.
According to some embodiments of the invention, the detection device further comprises: a model training module for training the detection model, the model training module training the detection model, comprising:
simulating DNS tunnel flow by using a tunnel tool, and analyzing and acquiring DNS query Name field content in the DNS tunnel flow;
generating a training feature vector based on the obtained DNS Queries Name field content;
discretizing the feature data in the training feature vector to generate a discrete feature training file;
and training a detection model through the discrete feature training file.
In some embodiments of the invention, the detection model employs a gradient-lifting tree model.
The DNS tunnel detection method and device provided by the invention have the following advantages:
The method and device for detecting DNS tunnel traffic in real time use only the letter proportion, sub-domain name length, sub-domain name 1-gram entropy, sub-domain name 2-gram entropy and sub-domain name character transfer probability extracted from the Name field of the DNS query packet of a single DNS flow as the feature vector of that flow, and feed it to the model for inference; there is no need to wait for other DNS Queries and DNS Answers packets sent by the DNS client to be collected.
Secondly, although the DNS traffic generated by every tunnel tool differs greatly from normal DNS traffic, the extracted features of traffic from different tunnel tools, such as domain name length and letter proportion, also differ greatly from one another. For each feature, the feature discretization method therefore assigns the same value to all samples whose feature values fall in the same interval. This removes the differences between data from different tunnel tools, makes the feature value distributions of DNS traffic generated by different tunnel tools tend to coincide, improves the generalization capability of the model, and allows a model trained on data from a single tunnel tool to detect other tunnel tools that did not take part in training.
Drawings
Fig. 1 is a flowchart of a method for detecting DNS tunnel traffic in real time according to an embodiment of the present invention;
fig. 2 is a data flow diagram in a method for detecting DNS tunnel traffic in real time according to an embodiment of the present invention;
fig. 3 is a flowchart of a discrete profile generation method in a method for detecting DNS tunnel traffic in real time according to an embodiment of the present invention;
fig. 4 is a flowchart of a detection model training method in the method for detecting DNS tunnel traffic in real time according to the embodiment of the present invention;
fig. 5 is a schematic diagram illustrating a detection apparatus for detecting DNS tunnel traffic in real time according to an embodiment of the present invention.
Reference numerals are as follows:
detection device 100; DNS traffic data acquisition and processing module 10; feature extraction module 20; feature optimization module 30; model inference module 40; model training module 50.
Detailed Description
To further illustrate the technical means and effects of the present invention adopted to achieve the predetermined purposes, the present invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
The description of the method flow in the present specification and the steps of the flow chart in the drawings of the present specification are not necessarily strictly performed by the step numbers, and the execution order of the method steps may be changed. Moreover, certain steps may be omitted, multiple steps combined into one step execution, and/or a step broken into multiple step executions.
As shown in fig. 1, a method for detecting DNS tunnel traffic in real time according to an embodiment of the present invention includes:
s100, collecting DNS traffic, and analyzing and obtaining DNS Queries Name field content in the DNS traffic;
s200, generating a feature vector based on the acquired DNS Queries Name field content;
s300, discretizing the feature data in the feature vector to generate a discrete feature file;
and S400, inputting the discrete feature files into a pre-trained detection model for calculation and detection, and outputting a DNS flow detection result.
According to some embodiments of the invention, step S200 comprises:
according to the obtained DNS query Name field content of each DNS flow, five characteristic values of letter proportion, sub-domain Name length, sub-domain Name 1-gram entropy, sub-domain Name 2-gram entropy and sub-domain Name character transfer probability are respectively calculated, and a characteristic vector is generated through the five characteristic values.
In some embodiments of the present invention, as shown in fig. 3, step S300 includes:
s310, respectively setting a plurality of discrete intervals and corresponding numbers for each characteristic value of the characteristic vector;
s320, setting the number corresponding to the discrete interval to which the characteristic value belongs as the discrete value of the characteristic value;
s330, generating a discrete feature file according to the discrete values of the feature values.
According to some embodiments of the present invention, as shown in fig. 4, the training of the detection model in step S400 includes:
s401, simulating DNS tunnel flow by using a tunnel tool, and analyzing and acquiring DNS query Name field content in the DNS tunnel flow;
s402, generating a training feature vector based on the DNS Queries Name field content obtained by analysis;
s403, discretizing the feature data in the training feature vector to generate a discrete feature training file;
and S404, training the detection model through the discrete feature training file.
In some embodiments of the invention, the detection model employs a gradient-lifting tree model.
As shown in fig. 5, a device 100 for detecting DNS tunnel traffic in real time according to an embodiment of the present invention includes: the system comprises a DNS flow data acquisition and processing module 10, a feature extraction module 20, a feature optimization module 30 and a model reasoning module 40.
The DNS traffic data acquisition and processing module 10 is used for acquiring DNS traffic and analyzing and acquiring DNS Queries Name field contents in the DNS traffic;
the feature extraction module 20 is configured to generate a feature vector based on the obtained DNS Queries Name field content;
the feature optimization module 30 is configured to perform discretization processing on feature data in the feature vector to generate a discrete feature file;
the model inference module 40 is configured to input the discrete feature file into a pre-trained detection model for computation detection, and output a detection result of the DNS traffic.
According to some embodiments of the invention, the feature extraction module 20 is specifically configured to:
according to the obtained DNS query Name field content of each DNS flow, five characteristic values of letter proportion, sub-domain Name length, sub-domain Name 1-gram entropy, sub-domain Name 2-gram entropy and sub-domain Name character transfer probability are respectively calculated, and a characteristic vector is generated through the five characteristic values.
In some embodiments of the present invention, as shown in fig. 3, the feature optimization module 30 is specifically configured to:
s310, respectively setting a plurality of discrete intervals and corresponding numbers for each characteristic value of the characteristic vector;
s320, setting the number corresponding to the discrete interval to which the characteristic value belongs as the discrete value of the characteristic value;
s330, generating a discrete feature file according to the discrete values of the feature values.
According to some embodiments of the invention, as shown in fig. 5, the detection apparatus 100 further comprises: the model training module 50 is configured to train the detection model, and as shown in fig. 4, the model training module 50 trains the detection model, including:
s401, simulating DNS tunnel flow by using a tunnel tool, and analyzing and acquiring DNS query Name field content in the DNS tunnel flow;
s402, generating a training feature vector based on the acquired DNS Queries Name field content;
s403, discretizing the feature data in the training feature vector to generate a discrete feature training file;
and S404, training the detection model through the discrete feature training file.
In some embodiments of the invention, the detection model employs a gradient-lifting tree model.
The following describes a method and an apparatus for detecting DNS tunnel traffic in real time according to the present invention in detail with reference to the accompanying drawings. It is to be understood that the following description is only exemplary in nature and should not be taken as a specific limitation on the invention.
The DNS tunnel detection apparatus 100 according to the present invention includes 5 modules, which are: the system comprises a DNS flow data acquisition and processing module 10, a feature extraction module 20, a feature optimization module 30, a model training module 50 and a model reasoning module 40, wherein the functions of the modules are as follows:
the DNS traffic data collecting and processing module 10:
Collects DNS traffic at the local DNS server through a traffic collection device, parses the subdomain information out of the fully qualified domain name (FQDN) in the DNS query Name field of each DNS flow, and writes each flow as one record to a file of a specific format.
DNS tunnel traffic is simulated with the DNS tunnel tool DNS2tcp; the subdomain information of the DNS query Name field of each DNS tunnel flow is parsed in the same way and saved to a file of the same format.
The feature extraction module 20:
For each record in the record file, calculates the letter ratio, the sub-domain name length, the sub-domain name 1-gram entropy, the sub-domain name 2-gram entropy and the sub-domain name character transfer probability, takes the five computed values as the feature vector of that record, and writes them to a feature file of a specific format.
The feature optimization module 30:
Discretizes every feature of every record in the feature file. For each feature, several discrete intervals and the numbers corresponding to them are set; if a feature value falls in a given interval, the feature value is replaced by the number of that interval. Every feature value is treated in the same way, and the discretized feature values are written to a discrete feature file.
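The following is an added worked example, not code from the patent or its assignee, of the feature extraction module 20 and the feature optimization module 30 in Python. It assumes that the subdomain is everything left of the last two labels of the FQDN, that "character transfer probability" means the mean smoothed probability of each consecutive character pair under a bigram table estimated from a small constructed list of benign subdomains (the patent does not say how that probability is estimated), and that the bin edges are constructed; in practice they would be chosen from the training distribution.

```python
import math
from bisect import bisect_right
from collections import Counter

# Constructed reference list of benign subdomains; used only to estimate the
# character transition table. (Assumption: the patent does not say how the
# transition probabilities are estimated.)
BENIGN_REFERENCE = ["www", "mail", "api", "cdn", "static", "login",
                    "imap", "smtp", "ns1", "ns2", "blog", "shop"]

# Constructed bin edges, one list per feature, in the order
# (letter ratio, length, 1-gram entropy, 2-gram entropy, transition probability).
# bisect_right(edges, v) gives the interval number 0..len(edges).
BIN_EDGES = [
    [0.5, 0.8, 0.95],
    [10, 20, 40],
    [2.0, 3.0, 3.5],
    [2.0, 3.0, 4.0],
    [0.01, 0.05, 0.1],
]

ALPHABET_SIZE = 38  # a-z, 0-9, '-', '.' (assumed hostname alphabet)


def subdomain_of(fqdn):
    """Labels left of the registered domain (assumed to be the last two labels)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def ngram_entropy(s, n):
    """Shannon entropy in bits of the n-gram distribution of s."""
    grams = [s[i:i + n] for i in range(len(s) - n + 1)]
    if not grams:
        return 0.0
    total = len(grams)
    return -sum(c / total * math.log2(c / total) for c in Counter(grams).values())


def build_transition_table(names):
    """Counts of character pairs and of pair-leading characters."""
    pair, lead = Counter(), Counter()
    for s in names:
        for a, b in zip(s, s[1:]):
            pair[a + b] += 1
            lead[a] += 1
    return pair, lead


def transition_probability(s, table, alpha=1.0):
    """Mean additively smoothed P(next char | current char) over pairs in s."""
    pair, lead = table
    pairs = list(zip(s, s[1:]))
    if not pairs:
        return 0.0
    return sum((pair[a + b] + alpha) / (lead[a] + alpha * ALPHABET_SIZE)
               for a, b in pairs) / len(pairs)


def extract_features(fqdn, table):
    """Five feature values for one DNS Queries Name, in a fixed order."""
    s = subdomain_of(fqdn)
    letter_ratio = sum(ch.isalpha() for ch in s) / len(s) if s else 0.0
    return [letter_ratio, len(s), ngram_entropy(s, 1), ngram_entropy(s, 2),
            transition_probability(s, table)]


def discretize(features, edges=BIN_EDGES):
    """Replace every feature value by the number of the interval it falls in."""
    return [bisect_right(e, v) for v, e in zip(features, edges)]


TABLE = build_transition_table(BENIGN_REFERENCE)

if __name__ == "__main__":
    # Constructed sample names: one ordinary host name, one tunnel-like label.
    for name in ["www.example.com", "a7f3k9q2z1x8b4c6.example.com"]:
        feats = extract_features(name, TABLE)
        print(name, [round(v, 3) for v in feats], discretize(feats))
```

The discrete vector is what the rest of the pipeline consumes: an ordinary host name lands in the high-letter-ratio, short, low-entropy bins, while an encoded tunnel label lands in the opposite bins regardless of which tool produced it, which is the point of the discretization step.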
Model training module 50:
The Gradient Boosting Decision Tree (GBDT) is a long-established machine learning model. Its main idea is to reach an optimal model by iteratively training weak classifiers, namely CART trees; its advantages include good training results and resistance to overfitting.
If h_t(x) denotes the t-th CART tree, the gradient boosting tree model is defined as follows:
[equation image GDA0003853818910000081, not reproduced as text]
Training of the gradient boosting tree model uses a forward stagewise algorithm: the model at step t is determined by the model at step t-1, each CART tree fits the negative gradient of the loss function under the current model, and the final boosting tree model is a linear sum of several CART trees. The model at step t is expressed as:
f_t(x) = f_{t-1}(x) + h_t(x)
The module first labels each record of the discrete feature file: normal DNS traffic records are labelled 0 and DNS tunnel traffic records are labelled 1. A gradient boosting tree model (GBDT) is then trained on the labelled data. Node splitting during the training of each CART tree uses a histogram acceleration algorithm: all samples are traversed once and a histogram is built for each feature, recording the gradient sum and the sample count of each bin; the bins are then traversed to find the feature and feature value with the largest gain, which become the split node of the CART tree. After the model has been trained and tuned, the best model is persisted to the device disk.
The model inference module 40:
For unknown DNS traffic data, discrete features are extracted by the DNS traffic data acquisition and processing module 10, the feature extraction module 20 and the feature optimization module 30. This module loads the model from the device disk, feeds the feature vector of the data to be predicted into the model for inference, and outputs the probability p that the sample belongs to a DNS tunnel. Given a manually set threshold k (default k = 0.5), the sample is judged to be DNS tunnel traffic if p > k; otherwise it is normal DNS traffic.
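As an added example that is not the patent's own code, the training step of the model training module 50 and the decision rule of the model inference module 40 in Python: a gradient boosting tree with logistic loss, built from depth-1 CART trees, whose split point is found with the histogram method described above (one pass over the samples fills per-feature, per-bin histograms; one pass over the bins scores each split). The discrete feature vectors and labels are constructed; the histogram also keeps per-bin hessian sums, an assumption beyond the text that is needed for the Newton leaf values. A deployment would use a library GBDT rather than this hand-written one.

```python
import math
from collections import defaultdict

# Constructed discrete feature vectors in the order (letter ratio bin, length bin,
# 1-gram entropy bin, 2-gram entropy bin, transition probability bin).
# Label 0 = normal DNS traffic, label 1 = DNS tunnel traffic.
TRAIN_X = [
    [3, 0, 0, 0, 2], [3, 0, 1, 1, 2], [3, 1, 1, 1, 2],
    [2, 0, 0, 0, 1], [3, 0, 0, 1, 3], [2, 1, 1, 1, 2],
    [1, 1, 3, 2, 1], [0, 2, 3, 3, 0], [1, 2, 3, 3, 1],
    [1, 1, 2, 2, 0], [0, 3, 3, 3, 1], [1, 2, 2, 3, 0],
]
TRAIN_Y = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def best_split(X, grad, hess):
    """Histogram split search: one pass over the samples builds, for every
    feature, a histogram of (gradient sum, hessian sum, count) per bin; a pass
    over the bins then scores each split 'x[j] <= b' with the gain formula."""
    n_feat = len(X[0])
    hist = [defaultdict(lambda: [0.0, 0.0, 0]) for _ in range(n_feat)]
    for x, g, h in zip(X, grad, hess):
        for j, b in enumerate(x):
            cell = hist[j][b]
            cell[0] += g
            cell[1] += h
            cell[2] += 1
    G, H = sum(grad), sum(hess)
    best_gain, best_feat, best_bin = 0.0, None, None
    for j in range(n_feat):
        gl = hl = 0.0
        bins = sorted(hist[j])
        for b in bins[:-1]:  # last bin can never be the left side alone
            gl += hist[j][b][0]
            hl += hist[j][b][1]
            gr, hr = G - gl, H - hl
            gain = gl * gl / hl + gr * gr / hr - G * G / H
            if gain > best_gain:
                best_gain, best_feat, best_bin = gain, j, b
    return best_gain, best_feat, best_bin


def train_gbdt(X, y, rounds=20, lr=0.3):
    """Forward stagewise boosting with logistic loss: every round adds one
    stump h_t fitted to the negative gradient, so f_t = f_{t-1} + h_t."""
    pos = sum(y) / len(y)
    f0 = math.log(pos / (1.0 - pos))  # initial model: log-odds of the prior
    f = [f0] * len(X)
    trees = []
    for _ in range(rounds):
        p = [sigmoid(v) for v in f]
        grad = [yi - pi for yi, pi in zip(y, p)]  # negative gradient
        hess = [pi * (1.0 - pi) for pi in p]      # second derivative
        _, j, b = best_split(X, grad, hess)
        if j is None:
            break
        left = [i for i, x in enumerate(X) if x[j] <= b]
        right = [i for i, x in enumerate(X) if x[j] > b]

        def leaf(idx):  # Newton step for the leaf value, shrunk by lr
            return lr * sum(grad[i] for i in idx) / sum(hess[i] for i in idx)

        wl, wr = leaf(left), leaf(right)
        trees.append((j, b, wl, wr))
        for i in left:
            f[i] += wl
        for i in right:
            f[i] += wr
    return f0, trees


def predict_proba(model, x):
    """Probability p that the discrete vector x is DNS tunnel traffic."""
    f0, trees = model
    return sigmoid(f0 + sum(wl if x[j] <= b else wr for j, b, wl, wr in trees))


def is_tunnel(model, x, k=0.5):
    """Decision rule of the inference module: tunnel if p > k (default 0.5)."""
    return predict_proba(model, x) > k


MODEL = train_gbdt(TRAIN_X, TRAIN_Y)

if __name__ == "__main__":
    for x in ([3, 0, 1, 0, 3], [1, 3, 3, 3, 1]):  # constructed unseen vectors
        print(x, round(predict_proba(MODEL, x), 3), is_tunnel(MODEL, x))
```

Because the features were discretized into a handful of bins, the histogram for each feature has only those few cells, so split search costs one pass over the samples plus one pass over the bins rather than a sort of the raw values; the threshold k is the knob a defender tunes against the false-positive rate observed on their own benign traffic.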
In summary, the method and device for detecting DNS tunnel traffic in real time provided by the present invention use only the letter proportion, sub-domain length, sub-domain 1-gram entropy, sub-domain 2-gram entropy and sub-domain character transfer probability extracted from the Name field of the DNS query packet of a single DNS flow as the feature vector of that flow, and feed it to the model for inference, without waiting for other DNS Queries and DNS Answers packets sent by the DNS client to be collected. Each DNS flow can therefore be detected in real time, and no DNS traffic data other than the current flow needs to be stored, which reduces the storage cost of the device.
Secondly, although the DNS traffic generated by every tunnel tool differs greatly from normal DNS traffic, the extracted features of traffic from different tunnel tools, such as domain name length and letter proportion, also differ greatly from one another. For each feature, the feature discretization method therefore assigns the same value to all samples whose feature values fall in the same interval. This removes the differences between data from different tunnel tools, makes the feature value distributions of DNS traffic generated by different tunnel tools tend to coincide, improves the generalization capability of the model, and allows a model trained on data from a single tunnel tool to detect other tunnel tools that did not take part in training.
While the invention has been described in connection with specific embodiments thereof, it is to be understood that it is intended by the appended drawings and description that the invention may be embodied in other specific forms without departing from the spirit or scope of the invention.

Claims (10)

1. A method for detecting DNS tunnel traffic in real time is characterized by comprising the following steps:
collecting DNS traffic, and analyzing and acquiring DNS Queries Name field content in the DNS traffic;
generating a feature vector based on the obtained DNS Queries Name field content;
discretizing the feature data in the feature vector to generate a discrete feature file;
and inputting the discrete feature file into a pre-trained detection model for calculation detection, and outputting a DNS flow detection result.
2. The method for detecting DNS tunnel traffic in real time according to claim 1, wherein the generating a feature vector based on the obtained DNS Queries Name field content includes:
and respectively calculating five characteristic values of letter proportion, sub-domain Name length, sub-domain Name 1-gram entropy, sub-domain Name 2-gram entropy and sub-domain Name character transfer probability according to the obtained DNS query Name field content of each DNS flow, and generating the characteristic vector through the five characteristic values.
3. The method according to claim 1, wherein the discretizing the feature data in the feature vector to generate a discrete feature file includes:
respectively setting a plurality of discrete intervals and corresponding numbers for each eigenvalue of the eigenvector;
setting the number corresponding to the discrete interval to which the characteristic value belongs as the discrete value of the characteristic value;
and generating the discrete feature file according to the discrete value of each feature value.
4. The method for detecting DNS tunnel traffic in real time according to claim 1, wherein training the detection model comprises:
simulating DNS tunnel flow by using a tunnel tool, and analyzing and acquiring DNS query Name field content in the DNS tunnel flow;
generating a training feature vector based on the DNS Queries Name field content obtained by analysis;
discretizing the feature data in the training feature vector to generate a discrete feature training file;
and training a detection model through the discrete feature training file.
5. The method for detecting DNS tunnel traffic in real time according to any one of claims 1-4, wherein the detection model adopts a gradient lifting tree model.
6. An apparatus for detecting DNS tunnel traffic in real time, comprising:
the DNS traffic data acquisition and processing module is used for acquiring DNS traffic and analyzing and acquiring DNS query Name field content in the DNS traffic;
the characteristic extraction module is used for generating a characteristic vector based on the acquired DNS Queries Name field content;
the characteristic optimization module is used for carrying out discretization processing on the characteristic data in the characteristic vector to generate a discretization characteristic file;
and the model reasoning module is used for inputting the discrete feature files into a pre-trained detection model for calculation detection and outputting a DNS flow detection result.
7. The device for detecting DNS tunnel traffic in real time according to claim 6, wherein the feature extraction module is specifically configured to:
and respectively calculating five characteristic values of letter ratio, sub domain Name length, sub domain Name 1-gram entropy, sub domain Name 2-gram entropy and sub domain Name character transfer probability according to the obtained DNS query Name field content of each DNS flow, and generating the characteristic vector through the five characteristic values.
8. The device for detecting DNS tunnel traffic in real time according to claim 6, wherein the feature optimization module is specifically configured to:
respectively setting a plurality of discrete intervals and corresponding numbers for each eigenvalue of the eigenvector;
setting the number corresponding to the discrete interval to which the characteristic value belongs as the discrete value of the characteristic value;
and generating the discrete feature file according to the discrete value of each feature value.
9. The apparatus for detecting DNS tunnel traffic in real time according to claim 6, further comprising a model training module for training the detection model, wherein the model training module trains the detection model by:
simulating DNS tunnel traffic with a tunnel tool, and parsing out the DNS Queries Name field content from the DNS tunnel traffic;
generating a training feature vector based on the obtained DNS Queries Name field content;
discretizing the feature data in the training feature vector to generate a discrete feature training file;
and training the detection model with the discrete feature training file.
10. The apparatus for detecting DNS tunnel traffic in real time according to any one of claims 6 to 9, wherein the detection model is a gradient boosting tree model.
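The five feature values of claim 7 and the interval discretization of claim 8, as an added Python illustration that is not the patent's own code. The exact feature definitions (in particular the character transition probability, taken here as the mean log2 transition probability under a model estimated from a small constructed list of benign labels), the assumption that the registered domain is the last two labels, and the interval thresholds are all assumptions made for this example; `discrete_feature_line` produces one row of the discrete feature file of claims 8 and 9.

```python
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
# Constructed benign labels; the character-transition model below is estimated from them.
BENIGN_LABELS = ["www", "mail", "login", "static", "api", "cdn", "images", "update", "support", "docs"]

def subdomain(qname: str) -> str:
    """Labels before the registered domain (assumed to be the last two labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])

def entropy(items) -> float:
    """Shannon entropy in bits of the empirical distribution of `items`."""
    counts, n = Counter(items), len(items)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def transition_table(labels) -> dict:
    """P(next char | char) with add-one smoothing, estimated from the benign labels."""
    pairs = Counter(l[i:i + 2] for l in labels for i in range(len(l) - 1))
    firsts = Counter(l[i] for l in labels for i in range(len(l) - 1))
    return {a + b: (pairs[a + b] + 1) / (firsts[a] + len(ALPHABET)) for a in ALPHABET for b in ALPHABET}

TRANS = transition_table(BENIGN_LABELS)

def features(qname: str) -> list:
    """[letter ratio, subdomain length, 1-gram entropy, 2-gram entropy, transition log-prob]."""
    sub = subdomain(qname)
    chars = sub.replace(".", "")
    bigrams = [chars[i:i + 2] for i in range(len(chars) - 1)]
    letter_ratio = sum(c.isalpha() for c in chars) / len(chars) if chars else 0.0
    # Assumed definition of "character transition probability": mean log2 P(next | char).
    trans = sum(math.log2(TRANS.get(b, 1e-6)) for b in bigrams) / len(bigrams) if bigrams else 0.0
    return [letter_ratio, float(len(sub)), entropy(chars), entropy(bigrams), trans]

# Assumed thresholds per feature; discrete value = number of thresholds reached (interval number, claim 8).
THRESHOLDS = [
    [0.5, 0.8, 0.95],    # letter ratio
    [8, 16, 32, 64],     # subdomain length
    [2.0, 3.0, 4.0],     # 1-gram entropy
    [2.0, 4.0, 5.0],     # 2-gram entropy
    [-8.0, -6.0, -4.0],  # transition log-probability
]

def discretise(vec: list) -> list:
    return [sum(v >= t for t in ts) for v, ts in zip(vec, THRESHOLDS)]

def discrete_feature_line(qname: str, label: int) -> str:
    # One row of the discrete feature (training) file: discrete values, then the class label.
    return ",".join(str(d) for d in discretise(features(qname))) + f",{label}"
```

A hostname such as `www.example.com` lands in the low-entropy, high-transition-probability intervals, while a hex-encoded label of the kind a tunnel client emits lands in the opposite ones; a tree model is then trained on rows of these discrete values.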
CN202110844470.6A 2021-07-26 2021-07-26 Method and device for detecting DNS tunnel flow in real time Active CN113660212B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110844470.6A CN113660212B (en) 2021-07-26 2021-07-26 Method and device for detecting DNS tunnel flow in real time

Publications (2)

Publication Number Publication Date
CN113660212A CN113660212A (en) 2021-11-16
CN113660212B true CN113660212B (en) 2022-11-29

Family

ID=78490248

Country Status (1)

Country Link
CN (1) CN113660212B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230388322A1 (en) * 2022-05-26 2023-11-30 Blackberry Limited Domain name system tunneling detection

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108200054A (en) * 2017-12-29 2018-06-22 北京奇安信科技有限公司 A kind of malice domain name detection method and device based on dns resolution
CN108737439A (en) * 2018-06-04 2018-11-02 上海交通大学 A kind of large-scale malicious domain name detecting system and method based on self feed back study
CN110071829A (en) * 2019-04-12 2019-07-30 腾讯科技(深圳)有限公司 DNS tunnel detection method, device and computer readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10075458B2 (en) * 2016-04-29 2018-09-11 International Business Machines Corporation Cognitive and contextual detection of malicious DNS

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant