CN113660256A - DNS water torture attack detection model construction method and traffic cleaning method - Google Patents

DNS water torture attack detection model construction method and traffic cleaning method

Info

Publication number
CN113660256A
Authority
CN
China
Prior art keywords
dns
water torture
dns request
traffic
detection model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110930732.0A
Other languages
Chinese (zh)
Other versions
CN113660256B (en)
Inventor
钱珂翔
张道娟
武宏斌
房磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Global Energy Interconnection Research Institute
Original Assignee
Global Energy Interconnection Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Global Energy Interconnection Research Institute
Priority to CN202110930732.0A
Publication of CN113660256A
Application granted
Publication of CN113660256B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a DNS water torture attack detection model construction method and a traffic cleaning method. The model construction method comprises the following steps: monitoring DNS request traffic to obtain a DNS request traffic set for a target second-level domain; judging, from the distribution of DNS requests in that set, whether the target second-level domain is under DNS water torture attack; if so, labelling the DNS request traffic in the set as abnormal traffic; and training an initial DNS water torture attack detection model with the abnormal traffic to obtain a target DNS water torture attack detection model. The target model obtained in this way can detect attacks on disposable domains, and lays a foundation for comprehensively guaranteeing the security of the DNS server.

Description

DNS water torture attack detection model construction method and traffic cleaning method
Technical Field
The application relates to the technical field of network security, in particular to a DNS water torture attack detection model construction method and a traffic cleaning method. (The machine translation of the source renders the attack name as "DNS water criminal attack"; the attack is also known as a random subdomain or NXDOMAIN attack.)
Background
The Domain Name System (DNS) is a distributed database that maps domain names and IP addresses to each other. A DNS water torture attack is a distributed denial-of-service (DDoS) attack directed at DNS servers; it aims to exhaust the resources of the authoritative server for the target domain name, causing service interruption and similar effects.
In the prior art, DNS water torture attacks are usually defended against with a whitelist mechanism that filters out prefixes not in the list of valid subdomains, or with a blacklist mechanism that prevents attack requests from entering the recursive resolution stage.
However, these approaches are only suitable for detecting attacks against conventional domains, and have difficulty detecting attacks against disposable domains, which consist of a large number of random-looking subdomains, so the security of the DNS server cannot be fully guaranteed.
Disclosure of Invention
The application provides a DNS water torture attack detection model construction method and a traffic cleaning method, and aims to overcome the defect of the prior art that attacks on disposable domains consisting of a large number of random subdomains are difficult to detect, so that the security of the DNS server cannot be comprehensively guaranteed.
The first aspect of the application provides a method for constructing a DNS water torture attack detection model, comprising the following steps:
monitoring DNS request traffic to obtain a DNS request traffic set for a target second-level domain;
judging, from the distribution of DNS requests in the DNS request traffic set of the target second-level domain, whether the target second-level domain is under DNS water torture attack;
if so, labelling the DNS request traffic in the DNS request traffic set of the target second-level domain as abnormal traffic;
and training the initial DNS water torture attack detection model with the abnormal traffic to obtain a target DNS water torture attack detection model.
Optionally, judging from the distribution of DNS requests in the DNS request traffic set whether the target second-level domain is under DNS water torture attack includes:
detecting the queried subdomain of each DNS request in the DNS request traffic set to obtain a subdomain query diversity index for the set;
and when the subdomain query diversity index of the DNS request traffic set reaches a preset subdomain query diversity index threshold, determining that the target second-level domain is under DNS water torture attack.
Optionally, judging from the distribution of DNS requests in the DNS request traffic set whether the target second-level domain is under DNS water torture attack includes:
detecting the source IP address of each DNS request in the DNS request traffic set to obtain a source IP address diversity index for the set;
and when the source IP address diversity index of the DNS request traffic set reaches a preset source IP address diversity index threshold, determining that the target second-level domain is under DNS water torture attack.
Optionally, training the initial DNS water torture attack detection model with the abnormal traffic to obtain the target DNS water torture attack detection model includes:
acquiring an amount of normal traffic equal to the abnormal traffic;
encoding the subdomain names of the queried subdomains of the abnormal traffic and of the normal traffic according to a preset encoding rule, to obtain abnormal vector features corresponding to the abnormal traffic and normal vector features corresponding to the normal traffic;
and inputting the abnormal vector features and the normal vector features into the initial DNS water torture attack detection model to train it.
Optionally, the method further includes:
when it is determined from the distribution of DNS requests in the DNS request traffic set that the target second-level domain is not under DNS water torture attack, storing the DNS request traffic in that set as normal traffic in a preset historical database.
In a second aspect, the present application provides a traffic cleaning method, including:
acquiring DNS request traffic;
inputting the DNS request traffic into a target DNS water torture attack detection model constructed by the model construction method of the first aspect and its various possible designs;
judging, with the target DNS water torture attack detection model, whether the DNS request traffic is abnormal traffic;
and if so, cleaning the DNS request traffic.
The third aspect of the present application provides a DNS water torture attack detection model construction device, including:
a monitoring module, used to monitor DNS request traffic to obtain a DNS request traffic set for a target second-level domain;
a first judgment module, used to judge, from the distribution of DNS requests in the DNS request traffic set of the target second-level domain, whether the target second-level domain is under DNS water torture attack;
a determining module, configured to label, if so, the DNS request traffic in the DNS request traffic set of the target second-level domain as abnormal traffic;
and a training module, used to train the initial DNS water torture attack detection model with the abnormal traffic to obtain a target DNS water torture attack detection model.
A fourth aspect of the present application provides a traffic cleaning device, comprising:
an acquisition module, used to acquire DNS request traffic;
a detection module, configured to input the DNS request traffic into a target DNS water torture attack detection model constructed by the model construction device of the third aspect and its various possible designs;
a second judgment module, used to judge, with the target DNS water torture attack detection model, whether the DNS request traffic is abnormal traffic;
and a cleaning module, used to clean the DNS request traffic if it is judged to be abnormal traffic.
A fifth aspect of the present application provides an electronic device, comprising: at least one processor and a memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored in the memory, so that the at least one processor performs the DNS water torture attack detection model construction method of the first aspect and its various possible designs, or the traffic cleaning method of the second aspect and its various possible designs.
A sixth aspect of the present application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the DNS water torture attack detection model construction method of the first aspect and its various possible designs, or the traffic cleaning method of the second aspect and its various possible designs.
The technical scheme of this application has the following advantages:
The application provides a DNS water torture attack detection model construction method and a traffic cleaning method. The model construction method comprises: monitoring DNS request traffic to obtain a DNS request traffic set for a target second-level domain; judging, from the distribution of DNS requests in that set, whether the target second-level domain is under DNS water torture attack; if so, labelling the DNS request traffic in the set as abnormal traffic; and training the initial DNS water torture attack detection model with the abnormal traffic to obtain a target DNS water torture attack detection model. In this method, whether the DNS request traffic set reflects an attack on a disposable domain is analysed from the distribution of DNS requests within the set, and the set is then used as positive samples for model training, so the resulting target model can perform security detection on DNS request traffic according to the semantic information of the DNS requests; that is, the target model obtained by this scheme can detect attacks on disposable domains, laying a foundation for comprehensively guaranteeing the security of the DNS server.
Drawings
In order to illustrate the embodiments of the present application or the prior-art technical solutions more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present application, and those skilled in the art can derive other drawings from them.
Fig. 1 is a schematic structural diagram of a DNS water torture attack detection model construction system according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a traffic cleaning system according to an embodiment of the present disclosure;
Fig. 3 is a schematic flow chart of a method for constructing a DNS water torture attack detection model according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an exemplary DNS server system provided in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an exemplary DNS water torture attack detection model construction system provided in an embodiment of the present application;
Fig. 6 is a schematic diagram of an exemplary Huffman encoding process provided by an embodiment of the present application;
Fig. 7 is a schematic diagram of an exemplary model training process provided by an embodiment of the present application;
Fig. 8 is a schematic flow chart of a traffic cleaning method according to an embodiment of the present disclosure;
Fig. 9 is a schematic structural diagram of a DNS water torture attack detection model construction device according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a traffic cleaning device according to an embodiment of the present disclosure;
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. These drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the disclosure to those skilled in the art by reference to specific embodiments.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, but not all, embodiments of the present application. All other embodiments that a person skilled in the art can derive from these embodiments without creative effort fall within the protection scope of the present application.
The terms used in this application are explained first:
Disposable domain: the subdomains of a disposable domain are typically used to carry signals for particular services, such as addressing information or file transfers, and are generated in large quantities on demand. Disposable domains are widely used in infrastructure such as CDNs, cloud services and anti-virus services; if a disposable domain is attacked, the damage is severe and widespread.
Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. In the description of the following examples, "plurality" means two or more unless specifically limited otherwise.
The following specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention are described below with reference to the accompanying drawings.
First, the structure of a DNS water torture attack detection model construction system based on the present application is explained:
The DNS water torture attack detection model construction method provided by the embodiment of the application is suitable for constructing a model capable of detecting DNS water torture attacks. As shown in fig. 1, the model construction system of the embodiment mainly includes a data acquisition device and a DNS water torture attack detection model construction device, where the data acquisition device may be a traffic monitoring and collection tool. Specifically, the data acquisition device collects DNS request traffic and sends it to the model construction device, and the model construction device uses the received DNS request traffic for model training.
Next, the structure of a traffic cleaning system based on the present application is described:
The traffic cleaning method provided by the embodiment of the application is suitable for detecting DNS water torture attacks and carrying out the corresponding traffic cleaning. Fig. 2 is a schematic structural diagram of a traffic cleaning system according to an embodiment of the present disclosure; it mainly includes a data acquisition device and a traffic cleaning device. Specifically, the data acquisition device collects DNS request traffic, the traffic cleaning device performs security detection on that traffic, and abnormal traffic is cleaned.
The embodiment of the application provides a DNS water torture attack detection model construction method for constructing a model capable of detecting DNS water torture attacks. The execution subject of the embodiment is an electronic device, such as a server, desktop computer, notebook computer, tablet computer or other electronic device that can be used to build a machine learning model.
As shown in fig. 3, a schematic flow chart of a method for constructing a DNS water criminal attack detection model provided in an embodiment of the present application is shown, where the method includes:
step 301, monitoring DNS request traffic to obtain a DNS request traffic set of the target secondary domain name.
Specifically, the capacity of the DNS request traffic set may be preset, for example, m (for example, m is 10k) DNS request traffic, that is, the DNS request traffic of m target secondary domain names may be detected at a time, so as to implement fast detection.
Step 302, according to the DNS request distribution condition of the DNS request traffic set of the target secondary domain name, determining whether the target secondary domain name has a DNS watermark attack.
It should be noted that the DNS request distribution situation can be mainly embodied by a destination sub-domain of the DNS request and a source IP address of the DNS request.
Fig. 4 is a schematic structural diagram of an exemplary DNS server system provided in an embodiment of the present application. The attack principle of DNS water criminal attack is that invalid random prefixes are attached to a target domain to bypass DNS cache, and are dynamically forwarded to a related authoritative server by a DNS resolver, and finally the purpose of exhausting authoritative server resources is achieved.
Com, the general attack flow is as follows: com, the attacker controls a large number of zombie machines to generate a large number of random subdomains for abc.com and send them to a parser (resolver). The resolver may be any device with DNS forwarding features, such as a recursive DNS server or a gateway router. Since the random subdomain does not exist, the resolver first requests the root server for the IP address of the com server, then the com server responds to the IP address of the authoritative server containing abc. For each query, the authoritative server returns a nxdmoin (where the domain name does not exist) record to the resolver, which then forwards the record to the client IP address (which is typically forged by the attacker). After the authoritative server is overwhelmed, the resolver will wait for the full failure response time for each of the remaining attacks. In this case, the resources of the parser will also be exhausted quickly.
Step 303, if yes, determining the DNS request traffic in the DNS request traffic set of the target secondary domain name as the abnormal traffic.
In contrast, in an embodiment, when it is determined that the target secondary domain name does not have the DNS flood attack according to the DNS request distribution condition of the DNS request traffic set of the target secondary domain name, the DNS request traffic in the DNS request traffic set of the target secondary domain name is stored as normal traffic in a preset history database.
It should be noted that the history database may specifically refer to a passive DNS database, which is a history database storing a large amount of DNS resolution data.
And step 304, training the initial DNS water criminal attack detection model by using the abnormal flow to obtain a target DNS water criminal attack detection model.
It should be noted that the subdomain values of the one-time domain for a class of services are typically in a fixed format (e.g., all MD5 values), and the combination of subdomains reflects some semantics of the corresponding service, and thus may be modeled using natural language processing techniques.
Specifically, the DNS water criminal attack detection model provided in the embodiment of the present application may be constructed based on an LSTM network or other neural networks, and a specific training process thereof may refer to the prior art, which is not limited in the embodiment of the present application.
On the basis of the above embodiment, in order to improve the reliability of the model training samples and ensure the accuracy of the target DNS water torture attack detection model, in one embodiment, judging from the distribution of DNS requests in the DNS request traffic set whether the target second-level domain is under DNS water torture attack includes:
Step 3021, detecting the queried subdomain of each DNS request in the DNS request traffic set to obtain a subdomain query diversity index for the set;
Step 3022, when the subdomain query diversity index of the DNS request traffic set reaches a preset subdomain query diversity index threshold, determining that the target second-level domain is under DNS water torture attack.
Specifically, since the effectiveness of a DNS water torture attack is determined by the ratio of distinct subdomain queries (the subdomain query diversity index), whether the target second-level domain is currently under DNS water torture attack can be judged by detecting the diversity of subdomain queries.
Experiments show that when the ratio of distinct subdomain queries exceeds 70%, the query requests can effectively bypass the DNS cache and the attack achieves its purpose, so the subdomain query diversity index threshold in this embodiment may be set to 70%.
Specifically, the subdomain query diversity index may be calculated as
$$P_{dis\text{-}domain} = \frac{n_{distinct\text{-}domain}}{n_{total}}$$
where $n_{distinct\text{-}domain}$ is the number of distinct subdomains queried and $n_{total}$ is the total number of queries for the target second-level domain. If $P_{dis\text{-}domain} > T_{dis\text{-}domain}$, a DNS water torture attack is judged to have occurred, where $T_{dis\text{-}domain}$ is the subdomain query diversity index threshold.
Similarly, in an embodiment, the source IP address of each DNS request in the DNS request traffic set may also be detected to obtain a source IP address diversity index for the set; when the source IP address diversity index of the set reaches a preset source IP address diversity index threshold, the target second-level domain is determined to be under DNS water torture attack.
It should be noted that when an attacker launches a DNS water torture attack, a large number of source IP addresses are usually spoofed, and the ratio of distinct source IP addresses (the source IP address diversity index) is much higher than for normal requests, so DNS water torture attack detection can also be performed on the diversity of the source IP addresses of DNS requests.
Experiments show that the ratio of distinct source IP addresses is about 10% in normal access and generally reaches 95% under attack, so the source IP address diversity index threshold in this embodiment may be set to 90%.
Specifically, the source IP address diversity index may be calculated as
$$P_{dis\text{-}sourceIP} = \frac{n_{distinct\text{-}IP}}{n_{total}}$$
where $n_{distinct\text{-}IP}$ is the number of distinct source IP addresses and $n_{total}$ is the total number of queries for the target second-level domain. If $P_{dis\text{-}sourceIP} > T_{dis\text{-}sourceIP}$, an attack is judged to have occurred, where $T_{dis\text{-}sourceIP}$ is the source IP address diversity index threshold.
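The two indices above, run over a window of DNS queries, as an added example (not the patent's own code). The thresholds are the 70% and 90% values given in the description; the window size m, the decision to flag a window when either index exceeds its threshold (the description presents the two indices as alternative embodiments), the two-label rule for the second-level domain and the sample traffic are all assumptions of this example. One caveat a practitioner should keep in mind: the source IP index only behaves as the description says if the monitor sees client addresses; at an authoritative server the sources are recursive resolvers, which are few even for legitimate traffic.

```python
# Added example (not from the patent): window-based DNS water torture detection
# using the subdomain query diversity index and the source IP diversity index.
# Thresholds follow the description (70% and 90%); the window size m, the
# OR-combination of the two indices and the sample traffic are assumptions.
from collections import defaultdict

T_DIS_DOMAIN = 0.70      # subdomain query diversity threshold
T_DIS_SOURCE_IP = 0.90   # source IP diversity threshold


def second_level_domain(qname):
    """Second-level domain of a query name, e.g. 'x.abc.com' -> 'abc.com'.
    (Assumes a two-label suffix; a public-suffix list would be used in practice.)"""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_of(qname, sld):
    """Subdomain prefix of qname relative to sld ('' for the apex itself)."""
    name = qname.rstrip(".").lower()
    return "" if name == sld else name[: -(len(sld) + 1)]


def diversity_indices(window):
    """window: list of (src_ip, qname) for one second-level domain.
    Returns (P_dis_domain, P_dis_sourceIP) = (n_distinct_domain, n_distinct_IP) / n_total."""
    n_total = len(window)
    if n_total == 0:
        return 0.0, 0.0
    sld = second_level_domain(window[0][1])
    n_distinct_domain = len({subdomain_of(q, sld) for _, q in window})
    n_distinct_ip = len({ip for ip, _ in window})
    return n_distinct_domain / n_total, n_distinct_ip / n_total


def is_water_torture(window, t_domain=T_DIS_DOMAIN, t_ip=T_DIS_SOURCE_IP):
    """Either index above its threshold flags the window (OR is this example's
    choice; the description presents the two indices as alternative embodiments)."""
    p_domain, p_ip = diversity_indices(window)
    return p_domain > t_domain or p_ip > t_ip


def analyse(records, m):
    """Group (src_ip, qname) records by second-level domain, cut each group into
    windows of m queries and label every full window.  Abnormal windows become
    positive training samples; normal windows go to the passive DNS history."""
    by_sld = defaultdict(list)
    for ip, qname in records:
        by_sld[second_level_domain(qname)].append((ip, qname))
    result = {"abnormal": [], "history": []}
    for sld, recs in by_sld.items():
        for start in range(0, len(recs) - m + 1, m):   # incomplete windows wait
            window = recs[start:start + m]
            if is_water_torture(window):
                result["abnormal"].append((sld, window))
            else:
                result["history"].extend(window)
    return result


def build_sample_records(m=20):
    """Constructed sample traffic (not real data): m benign queries from three
    clients for three ordinary names, then m attack queries with random-looking
    hex prefixes, each from a different (spoofed) source address."""
    names = ["www", "mail", "api"]
    normal = [("10.0.0.%d" % (i % 3 + 1), "%s.abc.com" % names[i % 3]) for i in range(m)]
    attack = [("198.51.100.%d" % (i + 1),
               "%08x.abc.com" % ((0x9E3779B1 * (i + 1)) & 0xFFFFFFFF)) for i in range(m)]
    return normal, attack


if __name__ == "__main__":
    normal, attack = build_sample_records()
    for label, window in (("normal", normal), ("attack", attack)):
        p_dom, p_ip = diversity_indices(window)
        print("%s: P_dis-domain=%.2f P_dis-sourceIP=%.2f flagged=%s"
              % (label, p_dom, p_ip, is_water_torture(window)))
    summary = analyse(normal + attack, 20)
    print("abnormal windows:", len(summary["abnormal"]),
          "history entries:", len(summary["history"]))
```

On the constructed sample the benign window scores 0.15 on both indices and is stored as history, while the attack window scores 1.0 on both and is kept as positive training material.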
Specifically, in an embodiment, training the initial DNS water torture attack detection model with the abnormal traffic to obtain the target DNS water torture attack detection model includes:
Step 3041, acquiring an amount of normal traffic equal to the abnormal traffic;
Step 3042, encoding the subdomain names of the queried subdomains of the abnormal traffic and of the normal traffic according to a preset encoding rule, to obtain abnormal vector features corresponding to the abnormal traffic and normal vector features corresponding to the normal traffic;
Step 3043, inputting the abnormal vector features and the normal vector features into the initial DNS water torture attack detection model to train it.
Exemplarily, fig. 5 is a schematic structural diagram of an exemplary DNS water torture attack detection model construction system provided in an embodiment of the present application. Once an attack on the abc.com domain is detected, the attack traffic no longer enters the passive DNS library; instead, the forwarder forwards the first m attack samples to a cache space. The encoder performs feature representation on the subdomain of each domain name in the cached traffic and outputs the encoding result, i.e. the abnormal vector features (a group of vectors); the same number of subdomains of the target second-level domain abc.com are randomly selected from the passive DNS library for feature representation, and the encoding result, i.e. the normal vector features (a group of vectors), is output.
For example, the encoding process is described here using Huffman encoding. If the domain name samples are fjfk.abc.com, euijk.abc.com and sfjie.abc.com, the subdomains to be encoded are fjfk, euijk and sfjie. Fig. 6 is an exemplary Huffman encoding flow diagram provided for the embodiment; it includes the following steps:
In the first step, the encoder counts the occurrences of each distinct character over all subdomains, i.e. the counts are (f, j, k, e, i, s, u) = (3, 3, 2, 2, 2, 1, 1).
In the second step, a Huffman tree is constructed from the character frequencies.
In the third step, the characters are converted to binary codes from the Huffman tree, i.e. (f, j, k, e, i, s, u) = (01, 00, 100, 101, 110, 1111, 1110).
In the fourth step, in order to standardise the vector dimension of each character, every code is left-padded with the digit 2 so that shorter codes are extended to the length of the longest code, i.e. (01, 00, 100, 101, 110, 1111, 1110) becomes (2201, 2200, 2100, 2101, 2110, 1111, 1110).
In the fifth step, the normalised codes are concatenated in character order to form the vector of the subdomain; the three strings are finally encoded as fjfk = 2201220022012100, euijk = 21011110211022002100 and sfjie = 11112201220021102101.
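The five encoding steps above as runnable code, added here as an example and not taken from the patent. It reproduces the character counts, the code lengths and the vector lengths of the fjfk/euijk/sfjie walk-through; the exact bit pattern assigned to characters of equal frequency depends on how ties are broken when building the tree, so this implementation's codes can differ from the figure's while being an equally valid Huffman code. The inverse mapping (`decode_subdomain`) and the fixed-width helper (`to_fixed_width`, which pads with the "no bit" digit 2) are assumptions added for checking losslessness and for feeding vectors of different length to one model.

```python
# Added example (not the patent's own code): Huffman-based subdomain
# vectorisation with the '2'-padding normalisation from the Fig. 6 walk-through.
import heapq
from collections import Counter


def char_frequencies(subdomains):
    """Step 1: character counts over all subdomains of the batch."""
    return Counter("".join(subdomains))


def huffman_codes(freq):
    """Steps 2-3: build the Huffman tree and return {char: bit string}.
    Ties between equal frequencies are broken by alphabetical order and then
    creation order; the patent's figure uses another tie-break, so the bit
    patterns may differ from it while the code lengths are the same."""
    if len(freq) == 1:
        return {next(iter(freq)): "0"}
    heap = [(n, i, ch) for i, (ch, n) in enumerate(sorted(freq.items()))]
    heapq.heapify(heap)
    seq = len(heap)
    while len(heap) > 1:
        n1, _, left = heapq.heappop(heap)
        n2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (n1 + n2, seq, (left, right)))  # internal node = tuple
        seq += 1
    codes = {}

    def walk(node, prefix):
        if isinstance(node, tuple):
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:
            codes[node] = prefix

    walk(heap[0][2], "")
    return codes


def normalise(codes):
    """Step 4: left-pad each code with the digit '2' to the longest code length,
    so every character occupies the same number of positions."""
    width = max(len(c) for c in codes.values())
    return {ch: c.rjust(width, "2") for ch, c in codes.items()}


def encode_subdomain(sub, padded):
    """Step 5: concatenate the normalised codes in character order."""
    return "".join(padded[ch] for ch in sub)


def decode_subdomain(vec, padded):
    """Inverse of encode_subdomain; the fixed slot width makes it unambiguous."""
    width = len(next(iter(padded.values())))
    rev = {code: ch for ch, code in padded.items()}
    return "".join(rev[vec[i:i + width]] for i in range(0, len(vec), width))


def vectorise(subdomains):
    """Whole pipeline: returns (padded code table, {subdomain: vector string})."""
    padded = normalise(huffman_codes(char_frequencies(subdomains)))
    return padded, {s: encode_subdomain(s, padded) for s in subdomains}


def to_fixed_width(vec, width):
    """Assumed model input: list of ints in {0, 1, 2}, truncated or right-padded
    with 2 (the 'no bit' digit) to a fixed width."""
    digits = [int(ch) for ch in vec[:width]]
    return digits + [2] * (width - len(digits))


if __name__ == "__main__":
    padded, vectors = vectorise(["fjfk", "euijk", "sfjie"])
    print("codes:", padded)
    for sub, vec in vectors.items():
        print("%-6s -> %s (decodes to %s)" % (sub, vec, decode_subdomain(vec, padded)))
```

Because the code table is rebuilt per batch, the same subdomain can map to different vectors in different training runs; if the model is to be reused across runs, the table from training has to be stored alongside the model and applied unchanged at detection time.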
Specifically, the training of the DNS water torture attack detection model may be completed in a trainer; fig. 7 is an exemplary model training flow diagram provided in the embodiment. For an encoded vector $v \in \mathbb{R}^d$ output by the encoder, the trainer first constructs an autoencoder (AE) layer that maps $v$ to a lower-dimensional space, $v \to v'$ with $v' \in \mathbb{R}^{d'}$ and $d' < d$. Given an input matrix $W_i \in \mathbb{R}^{d' \times d}$ and an output matrix $W_o \in \mathbb{R}^{d \times d'}$, the feed-forward pass of the embedding learning can be written as
$$v' = W_i v + b_i, \qquad v'' = W_o\,(W_i v + b_i) + b_o,$$
where $b_i \in \mathbb{R}^{d'}$ and $b_o \in \mathbb{R}^{d}$ are the input and output bias vectors. $L_2 = \|v'' - v\|^2$ is the loss function used to train the AE model; the optimisation goal is to minimise $L_2$ by gradient descent, and $v_r = v' = W_i v + b_i$ is the vector after dimensionality reduction.
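The gradient-descent step that the paragraph above refers to, worked through as an added derivation (not part of the patent text) in the same symbols. It takes the AE layer as $v_r = W_i v + b_i$, $v'' = W_o v_r + b_o$, $L_2 = \|v'' - v\|^2$ with $W_i \in \mathbb{R}^{d' \times d}$ and $W_o \in \mathbb{R}^{d \times d'}$, which are the dimensions the text's $v \to v'$, $d' < d$ requires; the learning rate $\eta$ is this derivation's own symbol.

Let $\delta = \partial L_2 / \partial v'' = 2\,(v'' - v) \in \mathbb{R}^{d}$. Back-propagating through the output layer and then the input layer gives
$$\frac{\partial L_2}{\partial W_o} = \delta\, v_r^{\top}, \qquad \frac{\partial L_2}{\partial b_o} = \delta, \qquad \frac{\partial L_2}{\partial v_r} = W_o^{\top}\delta,$$
$$\frac{\partial L_2}{\partial W_i} = \left(W_o^{\top}\delta\right) v^{\top}, \qquad \frac{\partial L_2}{\partial b_i} = W_o^{\top}\delta,$$
and one gradient-descent step updates every parameter $\theta \in \{W_i, b_i, W_o, b_o\}$ as
$$\theta \leftarrow \theta - \eta\, \frac{\partial L_2}{\partial \theta},$$
with the gradients averaged over the $m$ abnormal and $m$ normal vectors of a training batch. Because both layers are linear, the minimiser of $L_2$ spans the same $d'$-dimensional subspace as the leading principal components of the training vectors; a nonlinearity applied to $W_i v + b_i$ turns the layer into a general (non-linear) autoencoder.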
Then the reduced vector $v_r$ is fed to a neural network (for example an LSTM network) for further representation, and a logistic regression classifier outputs the probability that the subdomain was generated by a DNS water torture attack.
The DNS water criminal attack detection model construction method provided by the embodiment of the application comprises the following steps: monitoring DNS request traffic to obtain the DNS request traffic set of a target secondary domain name; judging, from the DNS request distribution of that set, whether the target secondary domain name is under DNS water criminal attack; if so, marking the DNS request traffic in the set as abnormal traffic; and training the initial DNS water criminal attack detection model with the abnormal traffic to obtain the target DNS water criminal attack detection model. In this scheme, whether a DNS request traffic set is under a disposable (one-time) subdomain attack is decided from the DNS request distribution within the set, and the set is then fed into model training as positive samples, so the resulting target detection model can perform security detection on DNS request traffic according to the semantic information of the DNS requests; that is, the model obtained by this scheme can detect disposable-domain attacks, which lays a foundation for comprehensively guaranteeing the security of the DNS server. Moreover, it effectively solves the problem that no attack domain name samples are available in advance for training a classification model: once an attack is detected, the model is trained on the basis of a neural network, quickly learns the coding structure of the one-time domains, and can thereafter classify DNS water criminal attack traffic against normal traffic when an attack occurs, so that traffic cleaning is achieved.
The embodiment of the application provides a flow cleaning method, which is a way of using the target DNS water criminal attack detection model constructed by the construction method of the above embodiment to detect DNS water criminal attacks and carry out the corresponding traffic cleaning. The execution subject of this embodiment is an electronic device, such as a server, a desktop computer, a notebook computer, a tablet computer, or another electronic device that can be used to perform traffic cleaning.
As shown in fig. 8, a schematic flow chart of a flow cleaning method provided in an embodiment of the present application is shown, where the method includes:
step 801, acquiring DNS request flow;
step 802, inputting the DNS request traffic into the target DNS water criminal attack detection model constructed by the DNS water criminal attack detection model construction method provided in the above embodiment;
step 803, judging whether the DNS request flow is abnormal flow by using a target DNS water criminal attack detection model;
and step 804, if yes, cleaning the DNS request flow.
Specifically, the subdomain vector to be detected is derived from the acquired DNS request traffic, and the target DNS water criminal attack detection model judges whether it corresponds to a DNS water criminal attack (abnormal traffic). Normal traffic is then forwarded, while abnormal traffic is intercepted and discarded, which realizes traffic cleaning.
The flow cleaning method provided by the embodiment of the application is a use mode of the target DNS water criminal attack detection model constructed by the DNS water criminal attack detection model construction method provided by the embodiment, and the implementation mode and the principle are the same, and are not repeated.
The embodiment of the application provides a DNS water criminal attack detection model construction device, which is used for executing the DNS water criminal attack detection model construction method provided by the embodiment.
As shown in fig. 9, a schematic structural diagram of a DNS water criminal attack detection model construction device provided in an embodiment of the present application is shown. This DNS water criminal attack detection model construction device 90 includes: a monitoring module 901, a first judging module 902, a determining module 903 and a training module 904.
The monitoring module is used for monitoring DNS request traffic to obtain a DNS request traffic set of a target secondary domain name; the first judgment module is used for judging whether the target secondary domain name is under DNS water criminal attack according to the DNS request distribution of the DNS request traffic set of the target secondary domain name; the determining module is used for determining the DNS request traffic in the DNS request traffic set of the target secondary domain name as abnormal traffic if such an attack is found; and the training module is used for training the initial DNS water criminal attack detection model with the abnormal traffic to obtain a target DNS water criminal attack detection model.
With regard to the DNS water criminal attack detection model construction apparatus in the present embodiment, the specific manner in which each module performs its operations has been described in detail in the embodiment related to the method and will not be described in detail here.
The device for constructing the DNS water criminal attack detection model provided by the embodiment of the application is used for executing the method for constructing the DNS water criminal attack detection model provided by the embodiment, the implementation mode and the principle are the same, and the description is omitted.
The embodiment of the application provides a flow cleaning device, which is used for executing the flow cleaning method provided by the embodiment.
Fig. 10 is a schematic structural diagram of a flow cleaning apparatus according to an embodiment of the present application. This flow cleaning apparatus 100 includes: an acquisition module 1001, a detection module 1002, a second judgment module 1003, and a cleaning module 1004.
With regard to the flow cleaning apparatus in the present embodiment, the specific manner in which each module performs its operations has been described in detail in the embodiment related to the method and will not be elaborated upon here.
The flow cleaning device provided by the embodiment of the application is used for executing the flow cleaning method provided by the embodiment, and the implementation manner and the principle of the flow cleaning device are the same, and are not repeated.
The embodiment of the application provides electronic equipment, which is used for executing the DNS water criminal attack detection model construction method or the flow cleaning method provided by the embodiment.
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device 110 includes: at least one processor 1101 and memory 1102;
the memory stores computer-executable instructions; the at least one processor executes the computer-executable instructions stored by the memory, causing the at least one processor to perform the DNS water criminal attack detection model construction method or the traffic cleansing method as provided by the above embodiments.
The electronic device provided by the embodiment of the application is used for executing the DNS water criminal attack detection model construction method or the flow cleaning method provided by the embodiment, the implementation mode and the principle are the same, and the description is omitted.
The embodiment of the present application provides a computer-readable storage medium, where a computer executing instruction is stored in the computer-readable storage medium, and when a processor executes the computer executing instruction, the DNS water criminal attack detection model construction method or the flow cleaning method provided in any of the above embodiments is implemented.
The storage medium containing the computer-executable instructions according to the embodiment of the present application may be used to store the computer-executable instructions of the DNS water criminal attack detection model construction method or the flow cleaning method provided in the foregoing embodiment; its implementation manner and principle are the same and are not described again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute some steps of the methods according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A DNS water criminal attack detection model construction method is characterized by comprising the following steps:
monitoring DNS request flow to obtain a DNS request flow set of a target secondary domain name;
judging whether the target second-level domain name has DNS water criminal attack according to the DNS request distribution condition of the DNS request traffic set of the target second-level domain name;
if yes, determining the DNS request traffic in the DNS request traffic set of the target secondary domain name as abnormal traffic;
and training the initial DNS water criminal attack detection model by using the abnormal flow to obtain a target DNS water criminal attack detection model.
2. The method according to claim 1, wherein said determining whether there is a DNS flood attack on the target secondary domain name according to the DNS request distribution of the DNS request traffic set of the target secondary domain name comprises:
detecting a query subdomain corresponding to each DNS request flow in the DNS request flow set so as to obtain a subdomain query diversity index of the DNS request flow set;
and when the subdomain query diversity index of the DNS request traffic set reaches a preset subdomain query diversity index threshold value, determining that the target secondary domain name has DNS water criminal attack.
3. The method according to claim 1, wherein said determining whether there is a DNS flood attack on the target secondary domain name according to the DNS request distribution of the DNS request traffic set of the target secondary domain name comprises:
detecting a source IP address of each DNS request flow in the DNS request flow set to obtain a source IP address diversity index of the DNS request flow set;
and when the source IP address diversity index of the DNS request traffic set reaches a preset source IP address diversity index threshold value, determining that the target secondary domain name has DNS water criminal attack.
4. The method according to claim 1, wherein said training an initial DNS water criminal attack detection model with said abnormal traffic to obtain a target DNS water criminal attack detection model comprises:
acquiring normal traffic equal in amount to the abnormal traffic;
respectively coding the sub domain names of the query subdomains corresponding to the abnormal traffic and the normal traffic according to a preset coding rule to obtain an abnormal vector characteristic corresponding to the abnormal traffic and a normal vector characteristic corresponding to the normal traffic;
and inputting the abnormal vector characteristics and the normal vector characteristics into the initial DNS water criminal attack detection model so as to train the initial DNS water criminal attack detection model.
5. The method of claim 1, further comprising:
and when the target secondary domain name is determined to have no DNS water criminal attack according to the DNS request distribution condition of the DNS request traffic set of the target secondary domain name, storing the DNS request traffic in the DNS request traffic set of the target secondary domain name as normal traffic in a preset historical database.
6. A flow cleaning method, comprising:
acquiring DNS request flow;
inputting the DNS request traffic to a target DNS water criminal attack detection model constructed by the DNS water criminal attack detection model construction method according to any one of claims 1 to 5;
judging whether the DNS request flow is abnormal flow by using the target DNS water criminal attack detection model;
and if so, cleaning the DNS request flow.
7. A DNS water criminal attack detection model construction device is characterized by comprising:
the monitoring module is used for monitoring DNS request flow to obtain a DNS request flow set of a target secondary domain name;
the first judgment module is used for judging whether the target second-level domain name has DNS water criminal attack according to the DNS request distribution condition of the DNS request traffic set of the target second-level domain name;
a determining module, configured to determine, if yes, DNS request traffic in the DNS request traffic set of the target secondary domain name as abnormal traffic;
and the training module is used for training the initial DNS water criminal attack detection model by using the abnormal flow so as to obtain a target DNS water criminal attack detection model.
8. A flow cleaning apparatus, comprising:
the acquisition module is used for acquiring DNS request flow;
a detection module for inputting the DNS request traffic to the target DNS water criminal attack detection model constructed by the DNS water criminal attack detection model construction apparatus according to claim 7;
the second judgment module is used for judging whether the DNS request flow is abnormal flow by using the target DNS water criminal attack detection model;
and the cleaning module is used for cleaning the DNS request flow if the DNS request flow is abnormal flow.
9. An electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the DNS water criminal attack detection model building method according to any one of claims 1-5 or the traffic cleansing method according to claim 6.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored therein computer-executable instructions that, when executed by a processor, implement the DNS water criminal attack detection model building method according to any one of claims 1 to 5 or the traffic cleansing method according to claim 6.
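The request-distribution test of claims 1 to 3 and the labelling of claim 5, run over a few constructed DNS query log lines, as an added example (not the patent's own code). The claims name a subdomain query diversity index and a source IP address diversity index with preset thresholds but give no formula, so this example assumes each index is the number of distinct values divided by the number of requests in the set (a value in [0, 1]); the thresholds of 0.8 and the minimum set size of 4 are assumptions too, and the secondary domain is taken to be the last two labels of the query name (a deployment would consult the public suffix list). The constructed log gives one secondary domain ordinary traffic and the other a distinct random-looking label per source, which is the distribution the method treats as abnormal and uses as positive training samples.

```python
"""Request-distribution triage for secondary domains (added example)."""
from collections import defaultdict

# Constructed DNS query log, one "<source_ip> <query_name>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example-a.test
10.0.0.6 mail.example-a.test
10.0.0.5 www.example-a.test
10.0.0.7 www.example-a.test
203.0.113.10 x7g2k.example-b.test
203.0.113.11 q9z1m.example-b.test
203.0.113.12 ab3cd.example-b.test
203.0.113.13 zz81q.example-b.test
203.0.113.14 r4t5y.example-b.test
203.0.113.15 lk0p9.example-b.test
"""


def parse_log(text):
    """Yield (source_ip, query_name) pairs, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            src, qname = line.split()
            yield src, qname.lower().rstrip(".")


def split_qname(qname):
    """Return (subdomain, secondary_domain).

    Assumption: the secondary domain is the last two labels; a real
    deployment would use the public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def group_by_secondary_domain(records):
    """Build each secondary domain's DNS request set: list of (src, sub)."""
    groups = defaultdict(list)
    for src, qname in records:
        sub, sld = split_qname(qname)
        groups[sld].append((src, sub))
    return groups


def diversity_indices(flows):
    """(subdomain query diversity, source IP diversity) for one request set.

    Assumption: index = distinct values / number of requests, in [0, 1];
    the claims name the indices and thresholds but not the formula."""
    n = len(flows)
    return (len({sub for _, sub in flows}) / n,
            len({src for src, _ in flows}) / n)


def triage(groups, sub_threshold=0.8, ip_threshold=0.8, min_requests=4):
    """Label each request set: 'abnormal' becomes a positive training sample
    (claim 1); 'normal' goes to the historical database (claim 5).
    Sets smaller than min_requests are skipped, because a single request
    always has diversity 1.0 and would trigger on its own."""
    labels = {}
    for sld, flows in groups.items():
        if len(flows) < min_requests:
            labels[sld] = ("insufficient", None, None)
            continue
        sub_idx, ip_idx = diversity_indices(flows)
        attacked = sub_idx >= sub_threshold or ip_idx >= ip_threshold
        labels[sld] = ("abnormal" if attacked else "normal", sub_idx, ip_idx)
    return labels


def run(text=SAMPLE_LOG):
    """Parse, group and triage a log; returns {secondary_domain: label tuple}."""
    return triage(group_by_secondary_domain(parse_log(text)))


if __name__ == "__main__":
    for sld, (label, sub_idx, ip_idx) in run().items():
        print(f"{sld:18s} {label:12s} sub={sub_idx} ip={ip_idx}")
```

The two indices are deliberately combined with OR, mirroring claims 2 and 3 as alternatives; an operator who wants fewer false positives on legitimate high-diversity zones (content delivery or device-naming schemes) would raise the thresholds or require both indices, and the minimum set size keeps tiny bursts from being labelled at all.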
CN202110930732.0A 2021-08-13 2021-08-13 DNS water criminal attack detection model construction method and flow cleaning method Active CN113660256B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110930732.0A CN113660256B (en) 2021-08-13 2021-08-13 DNS water criminal attack detection model construction method and flow cleaning method

Publications (2)

Publication Number Publication Date
CN113660256A true CN113660256A (en) 2021-11-16
CN113660256B CN113660256B (en) 2023-04-18

Family

ID=78479793

Country Status (1)

Country Link
CN (1) CN113660256B (en)

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404318A (en) * 2011-10-31 2012-04-04 杭州迪普科技有限公司 Method and device for prevention of DNS (Domain Name Server) cathe attack
CN103152357A (en) * 2013-03-22 2013-06-12 北京网御星云信息技术有限公司 Defense method, device and system for DNS (Domain Name System) services
CN104184585A (en) * 2013-05-28 2014-12-03 杭州迪普科技有限公司 Device and method preventing DNS flood attack
US9294490B1 (en) * 2014-10-07 2016-03-22 Cloudmark, Inc. Apparatus and method for identifying a domain name system resource exhaustion attack
US20160099954A1 (en) * 2014-10-07 2016-04-07 Cloudmark, Inc. Apparatus and method for identifying a domain name system resource exhaustion attack
CN107124434A (en) * 2017-07-06 2017-09-01 中国互联网络信息中心 A kind of discovery method and system of DNS malicious attacks flow
US20190306188A1 (en) * 2018-03-29 2019-10-03 Radware, Ltd. Techniques for defense against domain name system (dns) cyber-attacks
CN110324295A (en) * 2018-03-30 2019-10-11 阿里巴巴集团控股有限公司 A kind of defence method and device of domain name system extensive aggression
US20200137095A1 (en) * 2018-10-31 2020-04-30 Fujitsu Limited Cyber attack evaluation method and cyber attack evaluation device
US20210112091A1 (en) * 2019-10-10 2021-04-15 Charter Communications Operating, Llc Denial-of-service detection and mitigation solution
CN111464359A (en) * 2020-04-03 2020-07-28 杭州迪普科技股份有限公司 Abnormal flow alarm decision system and method
CN113098878A (en) * 2021-04-06 2021-07-09 哈尔滨工业大学(威海) Industrial internet intrusion detection method based on support vector machine and implementation system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant