CN114301631A - DNS malicious data detection method, device, equipment and medium - Google Patents

DNS malicious data detection method, device, equipment and medium

Info

Publication number
CN114301631A
Authority
CN
China
Prior art keywords
data
dns
malicious
flow
cleaning
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111463283.XA
Other languages
Chinese (zh)
Inventor
谢正强
李林哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd

Abstract

The invention relates to a DNS malicious data detection method, device, equipment and medium. The method comprises the following steps: monitoring traffic data and parsing the DNS data in it; judging whether the DNS data conforms to the DNS protocol and, if so, cleaning the traffic data, sending each cleaned portion to the corresponding DNS malicious data identification model (obtained by training on dimension-reduced data) for detection, and determining whether DNS malicious data is present. The invention uses several DNS malicious data identification models to detect the traffic data; it can efficiently and accurately detect DNS malicious data, discover hidden channels, achieve a high identification rate with a low false alarm rate, and protect the network data security of the user.

Description

DNS malicious data detection method, device, equipment and medium
Technical Field
The invention relates to the technical field of network security, in particular to a method, a device, equipment and a medium for detecting DNS malicious data.
Background
DNS is a basic service of the Internet: a client queries a domain name server for a domain name to obtain the final IP address, and other request types such as MX and TXT are also supported. Existing firewalls and security devices rarely intercept or filter DNS, so some malicious software transmits malicious information over the DNS protocol, or carries data in the request and response fields of DNS to implement a hidden channel. At the DNS protocol level such traffic looks like an ordinarily formatted query and response, so an ordinary firewall or intermediate security device has difficulty identifying it; and because DNS is a basic Internet service it cannot simply be blocked, which poses a threat to network security.
Existing detection means fall into two categories, traditional rule identification and machine learning. Traditional rules are usually based on domain name length, letter frequency, the time interval between request messages, or statistics such as request frequency per source IP, but their false alarm rate is high and they cannot effectively identify new variants. Machine learning also has a number of problems: data dimensionality that is too high leads to slow computation or poor classification, and models are often trained on known samples and therefore have a low recognition rate for unknown threats.
Disclosure of Invention
In view of this, to partially solve the problems in the prior art, embodiments of the present invention provide a method, an apparatus, a device and a medium for detecting DNS malicious data. DNS malicious data in traffic data is detected with a DNS malicious data identification model. Because traffic data is high-dimensional, the model reduces the dimensionality of the traffic data by cleaning it before training, so that the training result is more comprehensive and more accurate; when traffic data is detected with such a model, DNS malicious data can be efficiently and accurately detected, hidden channels are discovered, and the network data security of the user is protected.
The specific invention content is as follows:
a DNS malicious data detection method, comprising the following steps:
monitoring traffic data and parsing the DNS data in the traffic data;
judging whether the DNS data conforms to the DNS protocol and, if so, cleaning the traffic data, sending each cleaned portion to the corresponding DNS malicious data identification model obtained by training on dimension-reduced data for detection, and determining whether DNS malicious data exists.
Further, the cleaning the traffic data, and respectively sending the cleaned traffic data to corresponding DNS malicious data recognition models obtained based on data dimension reduction training for detection specifically include:
classifying and cleaning the traffic data according to traffic data characteristics and DNS malicious behavior characteristics;
and respectively sending each type of flow data obtained after cleaning to a corresponding DNS malicious data recognition model obtained based on data dimension reduction training for detection according to the classified cleaning type to which the flow data belongs.
Further, the training mode of the DNS malicious data recognition model includes:
reading flow data in a flow database;
classifying and cleaning the traffic data according to traffic data characteristics and DNS malicious behavior characteristics respectively so as to reduce the dimensionality of the traffic data;
calculating each type of flow data obtained after cleaning through an isolated forest algorithm to obtain suspicious data in each type of flow data;
and extracting the characteristics of the suspicious data, and writing the characteristics of the suspicious data into a corresponding DNS malicious data identification model.
Further, the classifying and cleaning the traffic data according to the traffic data features and the DNS malicious behavior features specifically includes:
acquiring the characteristics of the flow data, combining the characteristics with the same attribute to obtain comprehensive characteristic labels, and classifying and cleaning the flow data according to the comprehensive characteristic labels;
and classifying and cleaning the flow data according to the characteristic type of the DNS malicious behavior characteristic.
Further, the extracting the feature of the suspicious data and writing the feature of the suspicious data into a corresponding DNS malicious data identification model specifically includes:
and sending the suspicious data to an expert system for examination, judging whether the suspicious data contains malicious data, if so, extracting the characteristics of the suspicious data, and writing the characteristics of the suspicious data into a corresponding DNS malicious data identification model.
Further, the writing the characteristics of the suspicious data into the corresponding DNS malicious data identification model specifically includes:
determining classified and cleaned flow data to which the suspicious data corresponding to the characteristics of the suspicious data belong, determining a classified and cleaned type to which the classified and cleaned flow data belong, and writing the characteristics of the suspicious data into a DNS malicious data identification model for detecting the flow data of the corresponding type according to the classified and cleaned type.
Further, after determining that DNS malicious data exists, the method further includes: raising an alarm, obtaining the IP contained in the DNS malicious data, and querying the specific threat behaviour triggered by that IP so that it can be handled and disposed of.
Further, while the alarm is raised, the method further includes:
sending the monitored traffic data that does not contain DNS malicious data to the traffic database for training each DNS malicious data identification model.
A DNS malicious data detection apparatus, comprising:
the flow monitoring module is used for monitoring flow data and analyzing DNS data in the flow data;
and the malicious data judging module is used for judging whether the DNS data accords with a DNS protocol, if so, cleaning the flow data, respectively sending the cleaned flow data to corresponding DNS malicious data recognition models obtained based on data dimension reduction training according to the types of the flow data to detect, and determining whether the DNS malicious data exists.
An electronic device, the electronic device comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for executing the aforementioned method.
A computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the aforementioned method.
The invention has the beneficial effects that:
According to the invention, DNS malicious data in traffic data is detected with DNS malicious data identification models: traffic data that conforms to the DNS protocol is cleaned during detection and the cleaning results are checked by several DNS malicious data identification models, achieving a high identification rate and a low false alarm rate, so that DNS malicious data can be efficiently and accurately detected, hidden channels are discovered, and the network data security of the user is protected. Because traffic data is high-dimensional, the DNS malicious data identification model cleans the training data before training, which reduces the data dimensionality and makes the training result more comprehensive and accurate.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a DNS malicious data detection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a DNS malicious data identification model training method according to an embodiment of the present invention;
Fig. 3 is a flowchart of another DNS malicious data detection method according to an embodiment of the present invention;
Fig. 4 is a structural diagram of a DNS malicious data detection apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, all other embodiments that can be derived by one of ordinary skill in the art from the embodiments disclosed herein without making any creative effort fall within the scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
The invention provides an embodiment of a method for detecting DNS malicious data, as shown in FIG. 1, comprising the following steps:
S11: monitoring traffic data and parsing the DNS data in the traffic data;
S12: judging whether the DNS data conforms to the DNS protocol; if so, proceed to S13, otherwise judge that DNS malicious data exists;
S13: cleaning the traffic data, sending each cleaned portion to the corresponding DNS malicious data identification model obtained by training on dimension-reduced data for detection, and judging whether DNS malicious data exists; if so, judge that DNS malicious data exists, otherwise return to S11.
In step S11 of this embodiment, monitoring and parsing the traffic data may be implemented with DPDK to improve processing performance and throughput. This embodiment first determines whether the DNS data in the traffic conforms to the DNS protocol: conventional malicious data that does not conform to the protocol is detected at this stage, and if the DNS data does conform to the protocol, the non-conventional DNS malicious data, that is, a DNS hidden channel, is detected further by the DNS malicious data identification models. To detect a DNS hidden channel the traffic data is cleaned first, and several DNS malicious data identification models are applied to the cleaning results, so that hidden channels can be detected efficiently and accurately and network threats can be found in time.
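The protocol-conformance decision of step S12 can be made by a structural parse of the raw message. The following is an added example (not code from the patent): it walks the RFC 1035 wire format and returns the first violation found, on constructed sample messages; the message builders and sample names are assumptions.

```python
"""Structural DNS protocol conformance check (the decision made in step S12).

Added example, not code from the patent. It parses a raw DNS message in
RFC 1035 wire format and reports the first structural violation found;
only a cleanly parsed message is handed on to the cleaning/model stage.
"""
import struct

VALID_OPCODES = {0, 1, 2, 4, 5}      # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_CLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY


def read_name(msg, offset, depth=0):
    """Decode the domain name at offset; return (name, offset after it)."""
    if depth > 8:
        raise ValueError("compression pointer chain too deep")
    labels, wire_len = [], 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:
            return ".".join(labels) or ".", offset + 1
        if length & 0xC0 == 0xC0:                  # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[offset + 1]
            if ptr >= offset:
                raise ValueError("compression pointer does not point backwards")
            tail, _ = read_name(msg, ptr, depth + 1)
            return ".".join(labels + [tail]), offset + 2
        if length & 0xC0:                          # 0x40 and 0x80 are reserved
            raise ValueError("reserved label type (label longer than 63 octets)")
        wire_len += 1 + length
        if wire_len > 254:                         # 255 including the root octet
            raise ValueError("name longer than 255 octets")
        label = msg[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        offset += 1 + length


def check_dns_message(msg):
    """Return (conforms, reason, questions) for one DNS message payload."""
    if len(msg) < 12:
        return False, "header shorter than 12 octets", []
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False, "unassigned OPCODE %d" % opcode, []
    if flags & 0x0040:                             # the remaining Z bit must be zero
        return False, "reserved Z bit set", []
    if flags >> 15 == 0 and opcode == 0 and (an or ns):
        return False, "standard query carries answer/authority records", []
    questions, offset = [], 12
    try:
        for _ in range(qd):
            name, offset = read_name(msg, offset)
            if offset + 4 > len(msg):
                return False, "truncated question section", questions
            qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
            offset += 4
            if qclass not in VALID_CLASSES:
                return False, "unknown QCLASS %d" % qclass, questions
            questions.append((name, qtype))
        for _ in range(an + ns + ar):              # RR = name, 10-octet fixed part, RDATA
            _, offset = read_name(msg, offset)
            if offset + 10 > len(msg):
                return False, "truncated resource record", questions
            rdlength = struct.unpack("!H", msg[offset + 8:offset + 10])[0]
            offset += 10 + rdlength
            if offset > len(msg):
                return False, "RDLENGTH runs past end of message", questions
    except ValueError as err:
        return False, str(err), questions
    if offset != len(msg):
        return False, "trailing bytes after last record", questions
    return True, "conforms", questions


def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


# Constructed samples; the response answers with a pointer back to offset 12.
GOOD_QUERY = build_query("www.example.com")
GOOD_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                 + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
TRAILING_JUNK = GOOD_QUERY + b"\x00\x00"
SELF_POINTER = build_query("x")[:12] + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
RESERVED_LABEL = build_query("x")[:12] + bytes([80]) + b"A" * 80 + b"\x00" + struct.pack("!HH", 16, 1)
```

A message that fails here is the "does not conform" branch of S12; one that passes still has to go through the cleaning and model stage, since a hidden channel is by design well-formed at this level.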
Preferably, the cleaning the traffic data, and sending the cleaned traffic data to corresponding DNS malicious data recognition models obtained based on data dimension reduction training respectively for detection specifically include:
classifying and cleaning the traffic data according to traffic data characteristics and DNS malicious behavior characteristics; and respectively sending each type of flow data obtained after cleaning to a corresponding DNS malicious data recognition model obtained based on data dimension reduction training for detection according to the classified cleaning type to which the flow data belongs.
In this preferred scheme, the cleaned traffic data is detected with several DNS malicious data identification models according to the classified cleaning result, which achieves a high identification rate and a low false alarm rate for DNS malicious data detection.
Preferably, the training mode of the DNS malicious data recognition model includes:
reading flow data in a flow database;
classifying and cleaning the traffic data according to traffic data characteristics and DNS malicious behavior characteristics respectively so as to reduce the dimensionality of the traffic data;
calculating each type of flow data obtained after cleaning through an isolated forest algorithm to obtain suspicious data in each type of flow data;
and extracting the characteristics of the suspicious data, and writing the characteristics of the suspicious data into a corresponding DNS malicious data identification model.
In practical application, the traffic database can be read periodically as required, which facilitates deeper training of the DNS malicious data identification models. Classifying and cleaning the traffic data according to traffic data features and DNS malicious behaviour features is the dimension reduction step, and each type of cleaned traffic data is then processed by the unsupervised isolation forest algorithm. This effectively addresses the fact that the isolation forest algorithm is not well suited to high-dimensional data: in the general case the algorithm selects one dimension at random for each cut of the data space, so a large number of dimensions remain unused after the computation and the reliability of the result is low, whereas after dimension reduction every dimension can be covered by the isolation forest computation, which improves the comprehensiveness and accuracy of anomaly detection. Through this computation suspicious data in the traffic data can be obtained comprehensively and accurately, so the feature data in the DNS malicious data identification models is more comprehensive. Because the suspicious data is derived from the traffic data, the features written into the DNS malicious data identification models include both the features of conventional DNS malicious data that does not conform to the DNS protocol and the features of DNS hidden channels.
Preferably, the classifying and cleaning the traffic data according to the traffic data features and the DNS malicious behavior features respectively includes:
acquiring the characteristics of the flow data, combining the characteristics with the same attribute to obtain comprehensive characteristic labels, and classifying and cleaning the flow data according to the comprehensive characteristic labels; and classifying and cleaning the flow data according to the characteristic type of the DNS malicious behavior characteristic.
In the above preferred embodiment, features with the same attribute are combined into a comprehensive feature tag, for example as shown in the following table. The traffic data is also classified and cleaned according to DNS malicious behaviour features, for example cleaning it according to DNS malicious traffic family type A, DNS malicious traffic family type B, DNS hidden channel type A, DNS hidden channel type B, and so on. Cleaning therefore divides the traffic data into several types, and each cleaning pass is run over the full traffic data, so the result is a set of cleaning results of the same traffic data under different cleaning modes. This cleaning process is used both in the DNS malicious data detection process and in the training of the DNS malicious data identification models. In detection, each cleaning result is sent to the DNS malicious data identification model that detects that type of cleaned traffic, which effectively improves detection efficiency and makes the detection result more accurate. In training, it provides sufficient training data, allows malicious data under various conditions to be obtained accurately and makes the training range comprehensive, so that unknown malicious DNS data and hidden channels can be detected with the trained models.
[Table of comprehensive feature tags referred to above: two figure images in the original whose contents are not reproduced in the text.]
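Steps S22 and S23 together (merge same-attribute features into comprehensive tags, split the traffic by cleaning type, then run an isolation forest per type) can be illustrated end to end. This is an added example, not the patent's code: the five raw features, the scaled-mean merge into two tags, the use of the query type as the cleaning type, and the sample names are all assumptions for illustration.

```python
"""Per-type isolation-forest screening over dimension-reduced DNS features.

Added example for steps S22 and S23, not the patent's code. The raw features,
the merge of same-attribute features into one comprehensive tag (a scaled mean)
and the use of the query type as the cleaning type are assumptions.
"""
import math
import random
from collections import Counter


def raw_features(qname):
    """Five raw measurements of a query name (host part excludes the zone)."""
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    host = "".join(labels[:-2])               # assumes a two-label registered zone
    n = len(host) or 1
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(host).values())
    return {"name_len": len(qname), "label_count": len(labels),
            "max_label": max((len(lab) for lab in labels), default=0),
            "entropy": entropy,
            "digit_ratio": sum(ch.isdigit() for ch in host) / n}


# Features of the same attribute are merged into one comprehensive tag.
TAGS = {"shape": ("name_len", "label_count", "max_label"),
        "chars": ("entropy", "digit_ratio")}
SCALE = {"name_len": 253.0, "label_count": 10.0, "max_label": 63.0,
         "entropy": 6.0, "digit_ratio": 1.0}


def comprehensive_tags(qname):
    """Reduce the five raw features to one scaled value per tag group."""
    raw = raw_features(qname)
    return [sum(raw[f] / SCALE[f] for f in fs) / len(fs) for fs in TAGS.values()]


def _c(n):
    """Average path length of an unsuccessful BST search (iForest normaliser)."""
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


class IsolationForest:
    """Minimal isolation forest (Liu, Ting and Zhou): random axis-parallel cuts."""

    def __init__(self, n_trees=100, sample_size=64, seed=0):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng = random.Random(seed)

    def _build(self, X, depth, limit):
        if depth >= limit or len(X) <= 1:
            return ("leaf", len(X))
        dim = self.rng.randrange(len(X[0]))
        lo, hi = min(x[dim] for x in X), max(x[dim] for x in X)
        if lo == hi:                          # identical points cannot be separated
            return ("leaf", len(X))
        split = self.rng.uniform(lo, hi)
        left = [x for x in X if x[dim] < split]
        right = [x for x in X if x[dim] >= split]
        return ("node", dim, split, self._build(left, depth + 1, limit),
                self._build(right, depth + 1, limit))

    def fit(self, X):
        self.n = min(self.sample_size, len(X))
        limit = math.ceil(math.log2(self.n)) if self.n > 1 else 0
        self.trees = [self._build(self.rng.sample(X, self.n), 0, limit)
                      for _ in range(self.n_trees)]
        return self

    def _path(self, tree, x, depth=0):
        if tree[0] == "leaf":
            return depth + _c(tree[1])
        _, dim, split, left, right = tree
        return self._path(left if x[dim] < split else right, x, depth + 1)

    def score(self, x):
        """Anomaly score in (0, 1); values near 1 mean the point is easily isolated."""
        avg = sum(self._path(t, x) for t in self.trees) / len(self.trees)
        return 2 ** (-avg / (_c(self.n) or 1.0))


def screen_by_type(records, n_trees=100, seed=0):
    """Group (qname, qtype) records by cleaning type, fit one forest per group
    and return each group's names ordered from most to least suspicious."""
    groups = {}
    for qname, qtype in records:
        groups.setdefault(qtype, []).append(qname)
    ranked = {}
    for qtype, names in groups.items():
        X = [comprehensive_tags(q) for q in names]
        forest = IsolationForest(n_trees=n_trees, seed=seed).fit(X)
        scored = sorted(zip((forest.score(x) for x in X), names), reverse=True)
        ranked[qtype] = [q for _, q in scored]
    return ranked


# Constructed sample: ordinary names plus three tunnelling-like names.
HOSTS = ["www", "mail", "cdn", "api", "login", "static", "img", "ntp", "smtp", "vpn"]
ZONES = ["example.com", "example.net", "example.org", "example.edu"]
NORMAL = [(f"{h}.{z}", "A") for h in HOSTS for z in ZONES]
NORMAL += [(f"{h}.{z}", "TXT") for h in ("_dmarc", "mail", "_acme-challenge") for z in ZONES]
TUNNEL_LIKE = [
    ("4fa3c9e1b7d28a6f0c5e9b1d3a7f2e8c.6b1d9f3a2c7e5b0d.t.example.net", "TXT"),
    ("9e2c7b1f4a8d0e6c3b5f1a9d7c2e4b8f.0a4c8e2f6b1d9c3e.t.example.net", "TXT"),
    ("x7k2m9q4w1z8c3v6b5n0p2l4j9h3g7f1d5s8a2.example.org", "A"),
]

if __name__ == "__main__":
    for qtype, names in screen_by_type(NORMAL + TUNNEL_LIKE).items():
        print(qtype, "most suspicious:", names[:3])
```

The names that the forest ranks highest in each group are the "suspicious data" that step S24 would hand to the expert system; nothing here decides maliciousness on its own.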
Preferably, the extracting the feature of the suspicious data and writing the feature of the suspicious data into a corresponding DNS malicious data identification model specifically includes:
sending the suspicious data to an expert system for examination and judging whether it contains malicious data; if so, extracting the features of the suspicious data and writing them into the corresponding DNS malicious data identification model. The expert system's examination includes: checking the validity of the domain name information contained in the anomalous data; querying the threat behaviour that the anomalous data may trigger; comparing it with data in other malicious databases; and comparing it with malicious information that has already been disclosed.
In the above preferred embodiment, the DNS malicious data identification model is thus trained on white data, black data confirmed by experts and historically known black data, and detection with such a model gives a more accurate result.
Preferably, the writing the characteristics of the suspicious data into the corresponding DNS malicious data identification model specifically includes:
determining classified and cleaned flow data to which the suspicious data corresponding to the characteristics of the suspicious data belong, determining a classified and cleaned type to which the classified and cleaned flow data belong, and writing the characteristics of the suspicious data into a DNS malicious data identification model for detecting the flow data of the corresponding type according to the classified and cleaned type.
Preferably, after determining that the DNS malicious data exists, the method further includes:
raising an alarm, obtaining the IP contained in the DNS malicious data, and querying the specific threat behaviour triggered by that IP so that it can be handled and disposed of. The query may be made over the network, in a local database, by a request to a relevant organisation such as a comprehensive threat intelligence centre, or by any other means that yields the specific threat behaviour triggered by the IP.
This preferred scheme queries the specific threat behaviour of the DNS malicious data, such as a Trojan horse, SQL injection attack or DDoS attack, and according to that behaviour and the user's security configuration a firewall can be notified, or the user can cut off the corresponding IP and DNS messages, i.e. cut off the malicious DNS request or hidden channel, so that the user's network data security is better protected.
Preferably, while the alerting is performed, the method further comprises:
sending the monitored traffic data that does not contain DNS malicious data to the traffic database for training each DNS malicious data identification model. This is a data feedback process: it enriches the traffic database, allows malicious data that went undetected in the existing white data to be found in later training and detection, optimises the various DNS malicious data identification models and improves their identification capability, forming a virtuous cycle that further raises the detection rate for DNS malicious data and hidden channels in the user's daily network behaviour.
To further explain the present invention, an embodiment of a method for training a DNS malicious data recognition model is provided, as shown in fig. 2, the method includes:
S21: reading traffic data from the traffic database;
S22: obtaining the features of the traffic data, combining features with the same attribute into comprehensive feature tags, and classifying and cleaning the traffic data according to the comprehensive feature tags; and
classifying and cleaning the traffic data according to the feature type of the DNS malicious behaviour features;
S23: processing each type of cleaned traffic data with the isolation forest algorithm to obtain the suspicious data in each type;
S24: sending the suspicious data to an expert system for examination and judging whether it contains malicious data; if so, proceed to S25, otherwise take no action;
S25: extracting the features of the suspicious data, determining the classified and cleaned traffic data to which that suspicious data belongs, and determining the classified cleaning type of that traffic data;
S26: writing the features of the suspicious data into the DNS malicious data identification model that detects the corresponding type of traffic data, according to the classified cleaning type.
Each DNS malicious data identification model in the embodiment shown in Fig. 2 is trained on white data, expert-confirmed black data and historically known black data, so detection with such a model gives a more accurate result.
For further explanation of the present invention, with reference to the above preferred scheme, another embodiment of a DNS malicious data detection method is provided, as shown in fig. 3, including:
S31: monitoring traffic data and parsing the DNS data in the traffic data;
S32: judging whether the DNS data conforms to the DNS protocol; if not, proceed to S36; if so, proceed to S33;
S33: obtaining the features of the traffic data, combining features with the same attribute into comprehensive feature tags, and classifying and cleaning the traffic data according to the comprehensive feature tags; and
classifying and cleaning the traffic data according to the feature type of the DNS malicious behaviour features;
S34: sending each cleaned portion of the traffic data to the corresponding DNS malicious data identification model obtained by training on dimension-reduced data for detection;
S35: judging whether DNS malicious data exists; if so, proceed to S36, otherwise return to S31;
S36: judging that DNS malicious data exists and raising an alarm;
S37: obtaining the IP contained in the DNS malicious data, sending it to a comprehensive threat intelligence centre, and querying the specific threat behaviour triggered by that IP;
S38: intercepting the IP and the corresponding DNS messages according to the specific threat behaviour;
S39: sending the monitored traffic data that does not contain DNS malicious data to the traffic database for training each DNS malicious data identification model.
The embodiments shown in Figs. 2 and 3 are derived from the preferred scheme of the embodiment shown in Fig. 1, so they are described more briefly; for the relevant points refer to the embodiment described with reference to Fig. 1.
The present invention provides an embodiment of a DNS malicious data detection apparatus, as shown in fig. 4, including:
a traffic monitoring module 41, configured to monitor traffic data and analyze DNS data in the traffic data;
and the malicious data judging module 42 is configured to judge whether the DNS data conforms to a DNS protocol, if so, clean the traffic data, and send the traffic data obtained after cleaning to corresponding DNS malicious data identification models obtained based on data dimension reduction training according to the traffic data types to detect, so as to determine whether DNS malicious data exists.
Preferably, the cleaning the traffic data, and sending the cleaned traffic data to corresponding DNS malicious data recognition models obtained based on data dimension reduction training respectively for detection specifically include:
classifying and cleaning the traffic data according to traffic data characteristics and DNS malicious behavior characteristics; and respectively sending each type of flow data obtained after cleaning to a corresponding DNS malicious data recognition model obtained based on data dimension reduction training for detection according to the classified cleaning type to which the flow data belongs.
Preferably, the training mode of the DNS malicious data recognition model includes:
reading flow data in a flow database;
classifying and cleaning the traffic data according to traffic data characteristics and DNS malicious behavior characteristics respectively so as to reduce the dimensionality of the traffic data;
calculating each type of flow data obtained after cleaning through an isolated forest algorithm to obtain suspicious data in each type of flow data;
and extracting the characteristics of the suspicious data, and writing the characteristics of the suspicious data into a corresponding DNS malicious data identification model.
Preferably, the classifying and cleaning the traffic data according to the traffic data features and the DNS malicious behavior features respectively includes:
acquiring the characteristics of the flow data, combining the characteristics with the same attribute to obtain comprehensive characteristic labels, and classifying and cleaning the flow data according to the comprehensive characteristic labels; and classifying and cleaning the flow data according to the characteristic type of the DNS malicious behavior characteristic.
Preferably, the extracting the feature of the suspicious data and writing the feature of the suspicious data into a corresponding DNS malicious data identification model specifically includes:
and sending the suspicious data to an expert system for examination, judging whether the suspicious data contains malicious data, if so, extracting the characteristics of the suspicious data, and writing the characteristics of the suspicious data into a corresponding DNS malicious data identification model.
Preferably, the writing the characteristics of the suspicious data into the corresponding DNS malicious data identification model specifically includes:
determining classified and cleaned flow data to which the suspicious data corresponding to the characteristics of the suspicious data belong, determining a classified and cleaned type to which the classified and cleaned flow data belong, and writing the characteristics of the suspicious data into a DNS malicious data identification model for detecting the flow data of the corresponding type according to the classified and cleaned type.
Preferably, after determining that DNS malicious data exists, the malicious data determination module 42 is further configured to:
and alarming, acquiring the IP contained in the DNS malicious data, and inquiring the specific threat behavior triggered by the IP for dealing and disposing.
Preferably, at the same time as the alerting, the malicious data determination module 42 is further configured to:
sending the monitored traffic data that does not contain DNS malicious data to the traffic database for training each DNS malicious data identification model.
The apparatus embodiment of the invention is similar to the method embodiment in much of its process, so it is described more briefly; refer to the corresponding parts of the method embodiment.
An embodiment of the present invention further provides an electronic device, as shown in fig. 5, which can implement the processes in the embodiments shown in fig. 1 to 3 of the present invention, where the electronic device includes: the device comprises a shell 51, a processor 52, a memory 53, a circuit board 54 and a power circuit 55, wherein the circuit board 54 is arranged inside a space enclosed by the shell 51, and the processor 52 and the memory 53 are arranged on the circuit board 54; a power supply circuit 55 for supplying power to each circuit or device of the electronic apparatus; the memory 53 is used to store executable program code; the processor 52 executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for executing the method described in the foregoing embodiment.
The specific execution process of the above steps by the processor 52 and the steps further executed by the processor 52 by running the executable program code may refer to the description of the embodiment shown in fig. 1 to 3 of the present invention, and are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices have mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones and low-end phones.
(2) An ultra-mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions and generally support mobile internet access. Such terminals include PDA, MID and UMPC devices, such as iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device includes audio and video players (e.g., iPods), handheld game consoles, electronic books, smart toys and portable car navigation devices.
(4) A server: a device that provides computing services, comprising a processor, hard disk, memory, system bus and the like. A server is similar in architecture to a general-purpose computer but, because it must provide highly reliable services, has higher requirements on processing capacity, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with a data interaction function.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the method described in the foregoing embodiments.
According to the invention, the DNS malicious data in the flow data are detected based on the DNS malicious data identification model: the flow data meeting the DNS protocol are cleaned during detection, and the cleaning result is detected by several DNS malicious data identification models, so that a high identification rate and a low false alarm rate are achieved, the DNS malicious data can be efficiently and accurately detected, a hidden channel is found, and the network data security of a user is protected. Because flow data are highly dimensional, the DNS malicious data recognition model cleans the training data before training so as to reduce the data dimensionality and make the training result more comprehensive and accurate.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (11)

1. A DNS malicious data detection method is characterized by comprising the following steps:
monitoring flow data, and analyzing DNS data in the flow data;
and judging whether the DNS data accords with a DNS protocol, if so, cleaning the flow data, respectively sending the cleaned flow data to corresponding DNS malicious data identification models obtained based on data dimension reduction training for detection, and determining whether DNS malicious data exists.
2. The method according to claim 1, wherein the cleaning of the traffic data and the sending of the cleaned traffic data to corresponding DNS malicious data recognition models obtained based on data dimension reduction training are performed for detection, specifically comprising:
classifying and cleaning the traffic data according to traffic data characteristics and DNS malicious behavior characteristics;
and respectively sending each type of flow data obtained after cleaning to a corresponding DNS malicious data recognition model obtained based on data dimension reduction training for detection according to the classified cleaning type to which the flow data belongs.
3. The method of claim 2, wherein the training of the DNS malicious data recognition model comprises:
reading flow data in a flow database;
classifying and cleaning the traffic data according to traffic data characteristics and DNS malicious behavior characteristics respectively so as to reduce the dimensionality of the traffic data;
calculating each type of flow data obtained after cleaning through an isolated forest algorithm to obtain suspicious data in each type of flow data;
and extracting the characteristics of the suspicious data, and writing the characteristics of the suspicious data into a corresponding DNS malicious data identification model.
4. The method according to claim 3, wherein the classifying and cleaning the traffic data according to the traffic data characteristics and the DNS malicious behavior characteristics respectively comprises:
acquiring the characteristics of the flow data, combining the characteristics with the same attribute to obtain comprehensive characteristic labels, and classifying and cleaning the flow data according to the comprehensive characteristic labels;
and classifying and cleaning the flow data according to the characteristic type of the DNS malicious behavior characteristic.
5. The method according to claim 4, wherein the extracting the feature of the suspicious data and writing the feature of the suspicious data into a corresponding DNS malicious data identification model specifically comprises:
and sending the suspicious data to an expert system for examination, judging whether the suspicious data contains malicious data, if so, extracting the characteristics of the suspicious data, and writing the characteristics of the suspicious data into a corresponding DNS malicious data identification model.
6. The method according to claim 5, wherein writing the characteristics of the suspicious data into the corresponding DNS malicious data identification model specifically comprises:
determining classified and cleaned flow data to which the suspicious data corresponding to the characteristics of the suspicious data belong, determining a classified and cleaned type to which the classified and cleaned flow data belong, and writing the characteristics of the suspicious data into a DNS malicious data identification model for detecting the flow data of the corresponding type according to the classified and cleaned type.
7. The method of claim 6, wherein upon determining that DNS malicious data exists, the method further comprises:
raising an alarm, acquiring the IP contained in the DNS malicious data, and querying the specific threat behavior triggered by that IP so that it can be handled and disposed of.
8. The method of claim 7, wherein concurrently with said alerting, the method further comprises:
sending the monitored flow data which do not contain DNS malicious data to the flow database for training each DNS malicious data identification model.
9. An apparatus for detecting DNS malicious data, comprising:
the flow monitoring module is used for monitoring flow data and analyzing DNS data in the flow data;
and the malicious data judging module is used for judging whether the DNS data accords with a DNS protocol, if so, cleaning the flow data, respectively sending the cleaned flow data to corresponding DNS malicious data recognition models obtained based on data dimension reduction training according to the types of the flow data to detect, and determining whether the DNS malicious data exists.
10. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the method of any one of claims 1 to 8.
11. A computer-readable storage medium, having one or more programs stored thereon, the one or more programs being executable by one or more processors to perform the method of any of claims 1-8.
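As an added example, not code from the patent or from the applicant, the following Python sketch follows the method of claims 1 to 8 and the summary above end to end: it parses DNS records out of monitored traffic, drops records that do not conform to the DNS protocol, classifies and cleans the remainder into a low-dimensional feature vector per record (the dimension reduction step), groups them by classified cleaning type, and runs an isolation forest over each group to surface suspicious queries for expert review. The record format, the four features, the use of the query type as the cleaning class, the anomaly threshold and the from-scratch isolation forest are all assumptions made for the illustration; the traffic sample is constructed.

```python
"""Illustration (not the patent's code) of claims 1-8: protocol check, classified
cleaning into low-dimensional features, and per-class isolation forest scoring.
Record format, feature set, class grouping and threshold are assumptions."""
import math
import random
from collections import Counter, defaultdict

# Constructed traffic sample, one "client qname qtype" record per line.  The long
# high-entropy TXT query is shaped like a covert-channel (tunnelling) lookup; the
# last two lines violate the DNS protocol (unknown QTYPE, label longer than 63).
SAMPLE_TRAFFIC = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 cdn.example.org A
10.0.0.7 api.example.net A
10.0.0.9 login.example.com A
10.0.0.9 static.example.org A
10.0.0.5 _dmarc.example.com TXT
10.0.0.7 example.com TXT
10.0.0.9 _spf.example.org TXT
10.0.0.7 example.net TXT
10.0.0.5 example.org TXT
10.0.0.9 mail.example.net TXT
10.0.0.5 mfrggzdfmztwq2lknnwg23tdmzzwiyltb4aea7ypcmbqgaydamb2.t.exfil.example TXT
10.0.0.5 bad.label.example ZZ
10.0.0.7 thisisalabelthatiswaytoolongtobelegalaccordingtorfc1035sectiontwo.example.com A
"""
VALID_QTYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}


def conforms_to_dns(qname, qtype):
    """Protocol check of claim 1: known QTYPE and RFC 1035 name/label limits."""
    labels = qname.rstrip(".").split(".")
    if qtype not in VALID_QTYPES or len(qname) > 253:
        return False
    return all(0 < len(label) <= 63 for label in labels)


def entropy(text):
    """Shannon entropy (bits per char) of a string; high for encoded payloads."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def features(qname):
    """Cleaned four-dimensional feature vector for one query name (assumed set)."""
    labels = qname.split(".")
    first = labels[0]
    digits = sum(ch.isdigit() for ch in first)
    return [len(qname), len(labels), entropy(first), digits / len(first)]


def classify_and_clean(traffic):
    """Claims 2 and 4: parse, drop non-conforming records, group by query type."""
    classes = defaultdict(list)
    for line in traffic.strip().splitlines():
        client, qname, qtype = line.split()
        if conforms_to_dns(qname, qtype):
            classes[qtype].append((client, qname, features(qname)))
    return classes


def avg_unsuccessful_path(n):
    """c(n): average BST unsuccessful-search depth, the iForest normaliser."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def build_tree(rows, rng, depth, limit):
    """Grow one isolation tree: random feature, random split between min and max."""
    if depth >= limit or len(rows) <= 1:
        return {"size": len(rows)}
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return {"size": len(rows)}
    split = rng.uniform(lo, hi)
    return {"f": f, "split": split,
            "left": build_tree([r for r in rows if r[f] < split], rng, depth + 1, limit),
            "right": build_tree([r for r in rows if r[f] >= split], rng, depth + 1, limit)}


def path_length(tree, x, depth=0):
    if "size" in tree:
        return depth + avg_unsuccessful_path(tree["size"])
    child = tree["left"] if x[tree["f"]] < tree["split"] else tree["right"]
    return path_length(child, x, depth + 1)


def isolation_forest_scores(rows, n_trees=100, seed=7):
    """Anomaly score in (0, 1]: points isolated in few splits score near 1."""
    rng = random.Random(seed)
    limit = math.ceil(math.log2(max(len(rows), 2)))
    trees = [build_tree(rows, rng, 0, limit) for _ in range(n_trees)]
    norm = avg_unsuccessful_path(len(rows)) or 1.0
    return [2 ** (-sum(path_length(t, x) for t in trees) / n_trees / norm) for x in rows]


def find_suspicious(traffic, threshold=0.65):
    """Claim 3: score each cleaned class separately; return (qtype, client, qname, score)."""
    suspicious = []
    for qtype, records in classify_and_clean(traffic).items():
        scores = isolation_forest_scores([r[2] for r in records])
        for (client, qname, _), score in zip(records, scores):
            if score >= threshold:  # hand to the expert system of claim 5
                suspicious.append((qtype, client, qname, round(score, 3)))
    return suspicious
```

Run `find_suspicious(SAMPLE_TRAFFIC)` to obtain the records an analyst would review; the two non-conforming lines never reach a model, and only the long encoded TXT query scores above the assumed threshold. Scoring each query type on its own forest is what keeps a legitimately long TXT record (SPF, DKIM) from being compared against short A lookups, which is the point of the per-class models in claims 2 and 6.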
CN202111463283.XA 2021-12-02 2021-12-02 DNS malicious data detection method, device, equipment and medium Pending CN114301631A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111463283.XA CN114301631A (en) 2021-12-02 2021-12-02 DNS malicious data detection method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111463283.XA CN114301631A (en) 2021-12-02 2021-12-02 DNS malicious data detection method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN114301631A true CN114301631A (en) 2022-04-08

Family

ID=80965449

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111463283.XA Pending CN114301631A (en) 2021-12-02 2021-12-02 DNS malicious data detection method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN114301631A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105022960A (en) * 2015-08-10 2015-11-04 济南大学 Multi-feature mobile terminal malicious software detecting method based on network flow and multi-feature mobile terminal malicious software detecting system based on network flow
US20160294773A1 (en) * 2015-04-03 2016-10-06 Infoblox Inc. Behavior analysis based dns tunneling detection and classification framework for network security
CN107733851A (en) * 2017-08-23 2018-02-23 刘胜利 DNS tunnels Trojan detecting method based on communication behavior analysis
CN110611640A (en) * 2018-06-15 2019-12-24 成都蓝盾网信科技有限公司 DNS protocol hidden channel detection method based on random forest
CN111698260A (en) * 2020-06-23 2020-09-22 上海观安信息技术股份有限公司 DNS hijacking detection method and system based on message analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination