CN114172862B - Domain name screening method, system, device and computer readable storage medium - Google Patents

Publication number: CN114172862B
Authority: CN (China)
Application number: CN202111452686.4A
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114172862A
Inventors: 陈建勇, 范渊, 吴卓群, 王欣
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd
Prior art keywords: domain name, domain names, screening, dns
Landscapes: Data Exchanges In Wide-Area Networks (AREA); Debugging And Monitoring (AREA)

Abstract

The application discloses a domain name screening method, system, device and computer readable storage medium. The method comprises: receiving a 1-level domain name; acquiring a DNS resolution log within a preset time range from a designated DNS server; obtaining all domain names under all the 1-level domain names by using the DNS resolution log; and removing the abnormal domain names that meet preset abnormal conditions from all the domain names to obtain effective domain names. The method optimizes the data source: the DNS resolution log is obtained from a designated DNS server that is highly authoritative, highly reliable and, being widely used, representative, which improves the reliability of the data source while preserving its richness. Only data within a preset time range is obtained, which reduces the data volume and ensures that the domain names obtained are in frequent use, improving the validity of the data. Optimizing the data source in this way reduces the amount of data to be analyzed and raises the proportion of valid data, thereby improving the efficiency of subsequent analysis and screening.

Description

Domain name screening method, system, device and computer readable storage medium
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a domain name screening method, system, device, and computer readable storage medium.
Background
Currently, many websites have wildcard resolution enabled, for reasons that range from business requirements to black and gray market traffic fraud. Of the many wildcard-resolved domain names, the final business system they actually correspond to is only one. Screening and sorting them effectively helps to discover an enterprise's domain name assets and also helps to assess quickly the reputation, security risk and other conditions of a domain name.
Wildcard resolution technology: whatever sub-domain prefix is added in front of a wildcard-resolved root domain name, the same WEB address is reached. For example, for the root domain name abc.com, names formed with any string that is valid in a domain name (e.g. dbapse2332dwf.abc.com) all resolve to the same IP address.
Purpose of wildcard resolution: one purpose is that when a user types a wrong domain name prefix, the user is still taken to the site's home page, as with the JD.com domain name: accessing any non-existent domain name under it jumps to 'https://www.jd.com/error2.aspx', which also raises JD's access traffic and guides the user to the correct system. Another purpose is to give every registered user of the NetEase blog a sub-domain name to use, so that internet users can conveniently remember the blog address. For example, sfswfefsf.blog.163.com and wsdfwwswsblo.blog.163.com both resolve to the same IP address.
Hazards of wildcard-resolved domain names: wildcard resolution was conceived to make service development easier, but as network security has developed it has also brought challenges. On the one hand, wildcard resolution makes security management work harder, and security managers find it difficult to keep hold of their effective internet domain name assets. If the search is directly performed on the full range of domain names. On the other hand, wildcard resolution can be exploited by black and gray market operators to cheat search-engine indexing.
Therefore, whether the goal is internal security management or monitoring for abuse, the situation needs to be sorted out clearly and a list of the effective domain name assets under wildcard resolution produced.
There are currently two main techniques for identifying wildcard-resolved domain names. One judges by web page similarity: the page returned for the current domain name is compared with the page returned for a non-existent domain name, and the similarity of the two pages decides. The other collects a large amount of data, trains a machine learning algorithm on multiple dimensions, and uses the resulting model to predict new data.
Both techniques involve extensive computation, whether network IO requests or large-scale DNS feature extraction and model training and prediction, so neither is efficient or performs well.
For this reason, a more efficient and simpler domain name screening method is needed.
Disclosure of Invention
In view of the above, the present invention is directed to a domain name screening method, system, device and computer readable storage medium, which are more efficient and simpler. The specific scheme is as follows:
A domain name screening method, comprising:
receiving a 1-level domain name;
acquiring a DNS resolution log within a preset time range from a designated DNS server;
obtaining all domain names under all the 1-level domain names by using the DNS resolution log;
and removing the abnormal domain names that meet preset abnormal conditions from all the domain names to obtain effective domain names.
Optionally, the process of obtaining all domain names under all the 1-level domain names by using the DNS resolution log includes:
counting, by using the DNS resolution log, the number of distinct domain names appearing in each time window according to a preset time window;
and obtaining a trend table comprising all domain names under all the 1-level domain names according to the time window and the domain name level.
Optionally, the process of removing the abnormal domain names that meet the preset conditions from all domain names to obtain the effective domain names includes:
determining whether wildcard resolution is enabled for the domain names of each domain name level;
removing, by using the trend table, all domain names in any time window that meets a preset screening condition within a domain name level for which wildcard resolution is enabled;
the screening condition being that the number of domain names in a unit time window exceeds a preset number threshold.
Optionally, the method further comprises:
counting the CNAME resolution information of all the effective domain names and, if the number of domain names pointing to the same CNAME exceeds a preset pointing threshold, retaining only one of the domain names that point to that CNAME.
The invention also discloses a domain name screening system, comprising:
a domain name receiving module, used for receiving a 1-level domain name;
a DNS log acquisition module, used for acquiring a DNS resolution log within a preset time range from a designated DNS server;
a DNS resolution module, used for obtaining all domain names under all the 1-level domain names by using the DNS resolution log;
a domain name screening module, used for removing the abnormal domain names that meet preset abnormal conditions from all domain names to obtain effective domain names.
Optionally, the DNS resolution module includes:
a quantity counting unit, used for counting, by using the DNS resolution log, the number of distinct domain names in each time window according to a preset time window;
and a table making unit, used for obtaining a trend table comprising all domain names under all the 1-level domain names according to the time window and the domain name level.
Optionally, the domain name screening module includes:
a wildcard resolution judging unit, used for determining whether wildcard resolution is enabled for the domain names of each domain name level;
a domain name screening unit, used for removing, by using the trend table, all domain names in any time window that meets a preset screening condition within a domain name level for which wildcard resolution is enabled;
the screening condition being that the number of domain names in a unit time window exceeds a preset number threshold.
Optionally, the system further comprises:
a CNAME screening module, used for counting the CNAME resolution information of all effective domain names and, if the number of domain names pointing to the same CNAME exceeds a preset pointing threshold, retaining only one of the domain names that point to that CNAME.
The invention also discloses a domain name screening device, which comprises:
a memory for storing a computer program;
And a processor for executing the computer program to implement the domain name screening method as described above.
The invention also discloses a computer readable storage medium, wherein the computer readable storage medium is stored with a computer program, and the computer program realizes the domain name screening method when being executed by a processor.
The domain name screening method of the invention comprises: receiving a 1-level domain name; acquiring a DNS resolution log within a preset time range from a designated DNS server; obtaining all domain names under all the 1-level domain names by using the DNS resolution log; and removing the abnormal domain names that meet preset abnormal conditions from all the domain names to obtain effective domain names.
The method optimizes the data source: the DNS resolution log is obtained from a designated DNS server that is highly authoritative, highly reliable and, being widely used, representative, which improves the reliability of the data source while preserving its richness. Only data within a preset time range is obtained, which reduces the data volume and ensures that the domain names obtained are in frequent use, improving the validity of the data. Optimizing the data source in this way reduces the amount of data to be analyzed and raises the proportion of valid data, thereby improving the efficiency of subsequent analysis and screening.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a domain name screening method according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of another domain name screening method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a domain name screening system according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The embodiment of the invention discloses a domain name screening method, which is shown in fig. 1 and comprises the following steps:
S11: Receive a 1-level domain name.
Specifically, the 1-level domain name that the user inputs for screening is received, so that each domain name below it can be judged on the basis of that 1-level domain name.
S12: Acquire a DNS resolution log within a preset time range from a designated DNS server.
Specifically, to shorten domain name statistics and reduce the volume of data acquired, domain names are not screened from massive data; instead, DNS resolution logs are taken from pre-designated DNS servers. Preference can be given to DNS servers that are highly authoritative, highly reliable and, being widely used, representative: such servers have a high proportion of valid data, few useless domain names and little chance of polluted domain names, so the domain name information obtained is very likely to consist of effective domain names, while the richness of the domain names is still ensured and the data source is optimized.
Further, once the reliable DNS server has been designated, the data volume can be reduced further by obtaining only the DNS resolution logs within a certain time range, for example only the DNS resolution logs within 7 days. Because effective domain names are usually used repeatedly, setting the time range selects the domain names that are used with a certain frequency: domain names used too rarely are not extracted within the preset time range, and only domain names with a certain rate of use are obtained. This reduces the data volume and also acts as a first screening of the data, so that the data obtained again has a higher proportion of valid entries and the data source is optimized.
S13: Obtain all domain names under all 1-level domain names by using the DNS resolution log.
Specifically, all domain names under the 1-level domain name are obtained from the acquired DNS resolution log so that they can be screened afterwards.
S14: Remove the abnormal domain names that meet preset abnormal conditions from all the domain names to obtain effective domain names.
Specifically, screening conditions are set in advance; for example, a preset algorithm screens according to criteria such as frequency of use, feature information of the domain name, confidence level and abnormal extreme values. The abnormal domain names that meet the preset abnormal conditions are removed and the effective domain names obtained, which completes the screening and sorting of the domain names at every level under the 1-level domain name and finally yields all the effective domain names.
Therefore, the embodiment of the invention optimizes the data source: the DNS resolution log is obtained from a designated DNS server that is highly authoritative, highly reliable and, being widely used, representative, which improves the reliability of the data source while preserving its richness. Only data within the preset time range is obtained, which reduces the data volume and ensures that the domain names obtained are in frequent use, improving the validity of the data. Optimizing the data source in this way reduces the amount of data to be analyzed and raises the proportion of valid data, thereby improving the efficiency of subsequent analysis and screening.
The embodiment of the invention further discloses a specific domain name screening method; compared with the previous embodiment, this embodiment describes and optimizes the technical scheme further. See Fig. 2 for details:
S21: Receive a 1-level domain name.
S22: Acquire a DNS resolution log within a preset time range from a designated DNS server.
S23: Using the DNS resolution log, count the number of distinct domain names appearing in each time window according to a preset time window.
Specifically, after the DNS resolution log is obtained, a time window is set so that the occurrence of domain names is laid out in time order; the counted data thereby gains a time dimension, which provides an additional dimension of reference. For example, with a time window of one day and a time range of 7 days, the number of distinct domain names appearing on each of the 7 days can be obtained, for example as shown in Table 1.
TABLE 1
It will be appreciated that a domain name may be accessed many times within one time window; repeated accesses are not counted, and only the distinct domain names within a time window are shown. The same domain name may, however, appear in several different time windows.
S24: Obtain a trend table comprising all domain names under all 1-level domain names according to the time window and the domain name level.
Specifically, after the number of domain names in each time window has been counted, the results are sorted by time window, in chronological order, and by domain name level, finally giving a trend table that includes all domain names under all 1-level domain names, for example as shown in Table 2.
TABLE 2
S25: Remove the abnormal domain names that meet preset abnormal conditions from all the domain names to obtain effective domain names.
For example, screening Table 2 with the preset abnormal conditions gives the screened Table 3.
TABLE 3
It can be seen that after screening, and after removal of the duplicate domain names that occur across different time windows, far fewer domain names remain in Table 3 than in Table 2.
Further, the abnormal conditions may take various forms and be applied by various methods, and one or more methods may be combined for compound screening. In particular, when wildcard resolution is enabled for a domain name at some level, the next level down may contain a large number of new, invalid wildcard-resolved domain names produced by brute-force enumeration within a short time; these all point to the same upper-level domain name and are therefore invalid. This special case is screened separately, in steps S251 to S252:
S251: Determine whether wildcard resolution is enabled for the domain names of each domain name level.
Specifically, it is first determined whether wildcard resolution is enabled under each domain name level. This can be done by randomly constructing two next-level domain names under the domain name being tested and checking whether the two constructed names finally resolve to the same address: if they do, wildcard resolution is enabled; if the addresses differ, it is not enabled. For example, the input domain name is www.test.com, a 2-level domain name whose corresponding 1-level domain name is test.com; 2 random domain names are constructed and their A records resolved to IP addresses, as shown in Table 4.
TABLE 4
Level 2 random domain name                   A record resolution result
db6444ca5355c4df0fbba07fa2c9455b.test.com    8.8.8.8
22e312e73a28aab32d569ae9cb43bc31.test.com    1.1.1.1
Since the two results differ, it is determined that wildcard resolution of the root domain is not enabled for 2-level domain names. The wildcard resolution state of deeper levels is determined in the same way: take the domain name one level up (for level 4 take the level-3 name, for level 3 the level-2 name), construct random domain names under it, and check whether they resolve to the same result.
The 3-level case is shown in Table 5.
TABLE 5
Level 3 random domain name                        3-Level domain name
db6444ca5355c4df0fbba07fa2c9455b.blog.test.com    blog.test.com
22e312e73a28aab32d569ae9cb43bc31.blog.test.com    blog.test.com
S252: Using the trend table, remove all domain names in any time window that meets a preset screening condition within a domain name level for which wildcard resolution is enabled; the screening condition is that the number of domain names in a unit time window exceeds a preset number threshold.
Specifically, because the DNS resolution log is taken from the designated DNS server in the first place, the resolved domain names can be taken to be new; when a large number of domain name requests is generated within a short time, those domain names can be judged invalid. Therefore, once the number of domain names in some time window at a wildcard-enabled domain name level exceeds the threshold set by the preset screening condition, the domain names in that window are very probably all invalid names produced by wildcard resolution, so the time window can be removed and the domain names in it are not recorded.
For example, per Table 3, the 3-level domain names are wildcard-resolved names under the 2-level domain name, and time windows 20210624 and 20210626 produced a large number of domain names relative to the other time windows. The top 30% of time windows by count at the wildcard-enabled level 3, that is, the 2 largest windows, can be removed, so the domain names recorded in time windows 20210624 and 20210626 are removed to obtain Table 6. The data can also be screened by other mathematical treatments such as normal-distribution confidence intervals; this embodiment gives only one example of an individual screening method and does not limit the specific screening method.
TABLE 6
S26: Count the CNAME resolution information of all the effective domain names and, if the number of domain names pointing to the same CNAME exceeds a preset pointing threshold, retain only one of the domain names that point to that CNAME.
Specifically, after the effective domain names are obtained, CNAME analysis can be carried out to optimize the list further. The CNAME resolution information of all the effective domain names is counted to obtain the CNAME resolution value of each one, and the CNAME resolution values show whether several domain names actually point to the same target. If the number of domain names pointing to the same CNAME exceeds the preset pointing threshold, only one of them is retained and the other, redundant domain names are discarded, which reduces the number of domain names.
For example, as shown in Table 7, domain names such as admin.test.com use no CNAME, so no screening decision is made for them. The 6 domain names such as chengdu.quyu.test.com and nanjing.quyu.test.com, however, have the same CNAME resolution value: all 6 point to ngx-fan-v6.op.test.com, which exceeds the preset pointing threshold of 5, so only one of them is retained. It may be chosen at random or by a default rule such as taking the first domain name in the table; for example, only chengdu.quyu.test.com is retained.
TABLE 7
Domain name                CNAME resolution value
admin.test.com             N/A
login.test.com             N/A
admin4.test.com            N/A
login3.test.com            N/A
admin1.test.com            N/A
login2.test.com            N/A
chengdu.quyu.test.com      ngx-fan-v6.op.test.com
nanjing.quyu.test.com      ngx-fan-v6.op.test.com
changsha.quyu.test.com     ngx-fan-v6.op.test.com
hangzhou.quyu.test.com     ngx-fan-v6.op.test.com
beijing.quyu.test.com      ngx-fan-v6.op.test.com
shanghai.quyu.test.com     ngx-fan-v6.op.test.com
Specifically, once all the screening has been carried out, the list of effective addresses is obtained; for example, from the effective domain names in Table 7 above, the following domain names are finally obtained as the final effective domain names.
admin.test.com
login.test.com
admin4.test.com
login3.test.com
admin1.test.com
login2.test.com
chengdu.quyu.test.com
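Steps S23 to S26 above, implemented in Python as an added example (not code from the patent). The log record layout `(window, qname, cname)`, the function names, the injected `resolve` callable, the stub resolver and the sample log are assumptions constructed for illustration; the trend table is keyed by parent domain as well as level so that the wildcard test applies to the zone actually probed, and S252 uses the fixed count threshold of the screening condition rather than the top-30% rule of the worked example.

```python
import secrets
from collections import defaultdict


def parent_of(name):
    """Domain one level up: 'a.blog.test.com' -> 'blog.test.com'."""
    return name.split(".", 1)[1]


def level_of(name, root):
    """Level as the page counts it: test.com is level 1, www.test.com level 2."""
    return name.count(".") - root.count(".") + 1


def trend_table(log, root):
    """S23/S24: distinct names per (parent domain, time window).

    `log` yields (window, qname, cname_or_None) tuples. That record layout
    is an assumption; the page does not specify a log format.
    """
    table = defaultdict(dict)  # (parent, window) -> {name: cname}
    for window, qname, cname in log:
        name = qname.lower().rstrip(".")
        if name.endswith("." + root):
            table[(parent_of(name), window)].setdefault(name, cname)
    return table


def trend_rows(table, root):
    """Rows of (window, level, parent, distinct-name count), sorted by time."""
    return sorted((w, level_of(p, root) + 1, p, len(names))
                  for (p, w), names in table.items())


def wildcard_enabled(parent, resolve):
    """S251: resolve two random names under `parent` and compare the answers."""
    first = resolve(f"{secrets.token_hex(16)}.{parent}")
    second = resolve(f"{secrets.token_hex(16)}.{parent}")
    # No answer (None) for either probe, or two different answers as in the
    # page's Table 4, both mean wildcard resolution is not enabled.
    return first is not None and first == second


def screen(log, root, resolve, count_threshold, cname_threshold):
    """S23-S26: return the effective domain names found in `log`."""
    table = trend_table(log, root)
    wildcard = {p: wildcard_enabled(p, resolve) for p in {p for p, _ in table}}

    # S252: under a wildcard-enabled parent, drop every time window whose
    # distinct-name count exceeds the threshold; merge the rest across windows.
    kept = {}  # name -> cname
    for parent, window in sorted(table):
        names = table[(parent, window)]
        if wildcard[parent] and len(names) > count_threshold:
            continue
        for name, cname in names.items():
            kept.setdefault(name, cname)

    # S26: when more than `cname_threshold` names share a CNAME, keep the first.
    by_cname = defaultdict(list)
    for name, cname in kept.items():
        if cname:
            by_cname[cname].append(name)
    redundant = {n for group in by_cname.values()
                 if len(group) > cname_threshold for n in group[1:]}
    return [n for n in kept if n not in redundant]


def stub_resolve(name):
    """Constructed offline resolver: only *.blog.test.com has a wildcard record."""
    return "192.0.2.10" if name.endswith(".blog.test.com") else None


CITIES = ("chengdu", "nanjing", "changsha", "hangzhou", "beijing", "shanghai")
# Constructed sample log; the two burst days reuse the page's window labels.
SAMPLE_LOG = (
    [(d, n, None) for d in ("20210623", "20210624")
     for n in ("admin.test.com", "login.test.com")]
    + [("20210623", f"{c}.quyu.test.com", "ngx-fan-v6.op.test.com") for c in CITIES]
    + [("20210623", "alice.blog.test.com", None),
       ("20210625", "bob.blog.test.com", None)]
    + [(d, f"r{d[-2:]}{i:03d}.blog.test.com", None)
       for d in ("20210624", "20210626") for i in range(50)]
)

if __name__ == "__main__":
    for row in trend_rows(trend_table(SAMPLE_LOG, "test.com"), "test.com"):
        print(row)
    print(screen(SAMPLE_LOG, "test.com", stub_resolve,
                 count_threshold=5, cname_threshold=5))
```

With a live resolver, have `resolve` return the whole answer set (for instance a frozenset of addresses) so that round-robin records are not mistaken for differing results.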
Correspondingly, the embodiment of the invention also discloses a domain name screening system, shown in Fig. 3, comprising:
a domain name receiving module 11, configured to receive a 1-level domain name;
a DNS log obtaining module 12, configured to obtain a DNS resolution log within a preset time range from a designated DNS server;
a DNS resolution module 13, configured to obtain all domain names under all 1-level domain names by using the DNS resolution log;
a domain name screening module 14, configured to remove the abnormal domain names that meet preset abnormal conditions from all domain names to obtain effective domain names.
Therefore, the embodiment of the invention optimizes the data source: the DNS resolution log is obtained from a designated DNS server that is highly authoritative, highly reliable and, being widely used, representative, which improves the reliability of the data source while preserving its richness. Only data within the preset time range is obtained, which reduces the data volume and ensures that the domain names obtained are in frequent use, improving the validity of the data. Optimizing the data source in this way reduces the amount of data to be analyzed and raises the proportion of valid data, thereby improving the efficiency of subsequent analysis and screening.
Specifically, the DNS resolution module 13 may include a quantity counting unit and a table making unit, wherein:
the quantity counting unit is used for counting, by using the DNS resolution log, the number of distinct domain names in each time window according to a preset time window;
and the table making unit is used for obtaining a trend table comprising all domain names under all 1-level domain names according to the time window and the domain name level.
Specifically, the domain name screening module 14 may include a wildcard resolution judging unit and a domain name screening unit, wherein:
the wildcard resolution judging unit is used for determining whether wildcard resolution is enabled for the domain names of each domain name level;
the domain name screening unit is used for removing, by using the trend table, all domain names in any time window that meets a preset screening condition within a domain name level for which wildcard resolution is enabled;
the screening condition being that the number of domain names in a unit time window exceeds a preset number threshold.
Specifically, the system may further include a CNAME screening module, wherein:
the CNAME screening module is used for counting the CNAME resolution information of all effective domain names and, if the number of domain names pointing to the same CNAME exceeds a preset pointing threshold, retaining only one of the domain names that point to that CNAME.
In addition, the embodiment of the invention also discloses a domain name screening device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the domain name screening method as described above.
In addition, the embodiment of the invention also discloses a computer readable storage medium on which a computer program is stored, the computer program implementing the domain name screening method described above when executed by a processor.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The invention has been described in detail above so that its principles and embodiments may be better understood; meanwhile, those skilled in the art may, in accordance with the ideas of the present invention, vary the specific embodiments and the scope of application. In view of the above, the present description should not be construed as limiting the present invention.

Claims (8)

1. A domain name screening method, comprising:
Receiving a 1-level domain name;
Acquiring a DNS analysis log in a preset time range from a designated DNS server;
obtaining all domain names under all the 1-level domain names by using the DNS analysis log;
removing abnormal domain names meeting preset abnormal conditions from all domain names to obtain effective domain names;
the process of obtaining all domain names under all the level 1 domain names by using the DNS resolution log includes:
Counting the number of different domain names appearing in each time window according to a preset time window by utilizing the DNS analysis log; obtaining a trend table comprising all domain names under all the 1-level domain names according to the time window and the domain name grades; the trend table consists of a time window, a domain name grade and a domain name number resolution field.
2. The domain name screening method according to claim 1, wherein the process of removing abnormal domain names satisfying a preset condition from all domain names to obtain valid domain names comprises:
determining whether wildcard resolution is enabled for the domain names of each domain name level;
using the trend table, removing all domain names in any time window that meets a preset screening condition, within the domain name levels for which wildcard resolution is enabled;
wherein the screening condition is that the number of domain names in a unit time window exceeds a preset number threshold.
3. The domain name screening method according to claim 1 or 2, further comprising:
collecting statistics on the CNAME resolution information of all the valid domain names and, if the number of domain names pointing to the same CNAME exceeds a preset pointing threshold, retaining only one of the domain names pointing to that CNAME.
4. A domain name screening system, comprising:
a domain name receiving module, configured to receive a 1-level domain name;
a DNS log acquisition module, configured to acquire a DNS resolution log within a preset time range from a designated DNS server;
a DNS resolution module, configured to obtain all domain names under all the 1-level domain names by using the DNS resolution log;
a domain name screening module, configured to remove abnormal domain names meeting preset abnormal conditions from all domain names to obtain valid domain names;
wherein the DNS resolution module is specifically configured to:
count, from the DNS resolution log and according to a preset time window, the number of different domain names appearing in each time window; and obtain, according to the time window and the domain name level, a trend table comprising all domain names under all the 1-level domain names; the trend table consists of the time window, domain name level and domain name number resolution fields.
5. The domain name screening system of claim 4, wherein the domain name screening module comprises:
a wildcard resolution determining unit, configured to determine whether wildcard resolution is enabled for the domain names of each domain name level;
a domain name screening unit, configured to use the trend table to remove all domain names in any time window that meets a preset screening condition, within the domain name levels for which wildcard resolution is enabled;
wherein the screening condition is that the number of domain names in a unit time window exceeds a preset number threshold.
6. The domain name screening system according to claim 4 or 5, further comprising:
a CNAME screening module, configured to collect statistics on the CNAME resolution information of all the valid domain names and, if the number of domain names pointing to the same CNAME exceeds a preset pointing threshold, to retain only one of the domain names pointing to that CNAME.
7. A domain name screening apparatus, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement a domain name screening method according to any one of claims 1 to 3.
8. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements a domain name screening method according to any of claims 1 to 3.
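
The screening steps of claims 1 to 3, run over a small DNS resolution log, as an added Python example that is not code from the patent. The record layout, the function and parameter names, and the constructed sample log are assumptions; because the claims do not say how wildcard resolution is determined, the wildcard-enabled levels are passed in as a set.

```python
from collections import defaultdict

# Constructed sample log: (epoch seconds, queried name, record type, answer).
SAMPLE = (
    [(10, "www.example.com", "A", "192.0.2.10"),
     (20, "mail.example.com", "A", "192.0.2.11"),
     (30, "api.dev.example.com", "A", "192.0.2.12"),
     (40, "other.example.net", "A", "192.0.2.99")]          # not under the root
    + [(3600 + i, f"r{i}x.example.com", "A", "192.0.2.1") for i in range(6)]
    + [(7200 + i, f"cdn{i}.example.com", "CNAME", "edge.cdn.example.net")
       for i in (1, 2, 3)]
)

def norm(name):
    return name.rstrip(".").lower()

def level(name, root):
    """Domain level relative to the 1-level domain: www.example.com -> 2."""
    return name.count(".") - root.count(".") + 1

def trend_table(records, root, window):
    """Map (time window, domain level) -> distinct names seen; count = len()."""
    table = defaultdict(set)
    for ts, qname, _rtype, _answer in records:
        q = norm(qname)
        if q == root or q.endswith("." + root):
            table[(ts // window, level(q, root))].add(q)
    return table

def screen(records, root, window, wildcard_levels, count_max, cname_max):
    table = trend_table(records, root, window)
    valid = set().union(*table.values())
    # Claim 2: drop every name in a window whose distinct-name count exceeds
    # the threshold, but only at levels where wildcard resolution is enabled.
    for (_win, lvl), names in table.items():
        if lvl in wildcard_levels and len(names) > count_max:
            valid -= names
    # Claim 3: when too many valid names share one CNAME target, keep one.
    by_target = defaultdict(set)
    for _ts, qname, rtype, answer in records:
        if rtype == "CNAME" and norm(qname) in valid:
            by_target[norm(answer)].add(norm(qname))
    for names in by_target.values():
        if len(names) > cname_max:
            valid -= set(sorted(names)[1:])   # keep the first name, alphabetically
    return valid
```

With a one-hour window, level 2 marked as wildcard-enabled, a count threshold of 5 and a pointing threshold of 2, the six burst names and two of the three CDN aliases are screened out of the sample.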
CN202111452686.4A 2021-11-30 2021-11-30 Domain name screening method, system, device and computer readable storage medium Active CN114172862B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111452686.4A CN114172862B (en) 2021-11-30 2021-11-30 Domain name screening method, system, device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114172862A CN114172862A (en) 2022-03-11
CN114172862B CN114172862B (en) 2024-04-19

Family

ID=80482253

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant