CN115296904A - Domain name reflection attack detection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN115296904A
Authority
CN
China
Prior art keywords
request
time windows
domain name
time
detected
Prior art date
Legal status
Granted
Application number
CN202210930014.8A
Other languages
Chinese (zh)
Other versions
CN115296904B (en)
Inventor
刘东鑫
汪来富
史国水
温展鹏
肖宇峰
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202210930014.8A (patent/CN115296904B/en)
Publication of CN115296904A (patent/CN115296904A/en)
Priority to PCT/CN2022/140321 (patent/WO2024027079A1/en)
Application granted
Publication of CN115296904B (patent/CN115296904B/en)
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application disclose a domain name reflection attack detection method and apparatus, an electronic device and a storage medium. The method comprises: acquiring, for a request object to be detected, the number of domain name resolution requests it initiated in each of a plurality of time windows; arranging the request counts of the time windows according to a preset time relationship to obtain at least two request sequences; calculating a correlation coefficient between the at least two request sequences; and determining, according to that correlation coefficient, whether the request object to be detected has initiated a domain name reflection attack. The technical solution of the embodiments can accurately and promptly detect whether the request object to be detected has initiated a domain name reflection attack.

Description

Domain name reflection attack detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of security technologies, and in particular, to a method and an apparatus for detecting a domain name reflection attack, an electronic device, and a computer-readable storage medium.
Background
The DNS (Domain Name System) is part of the Internet infrastructure; because of its implicit business value it is increasingly valued by large enterprises, each of which builds a DNS system that serves the whole network. Such a network-wide DNS system cannot restrict the range of query-source IP (Internet Protocol) addresses and objectively becomes a traffic reflection resource that an attacker can use. Therefore, on the DNS server side, the ability to detect DNS reflection attacks is crucial for emergency response.
Existing detection methods for DNS reflection attacks are concentrated mainly on the DNS server side or the victim side: the DNS server or the victim monitors network bandwidth and server availability and raises an alarm when a threshold is exceeded. This approach has obvious hysteresis, since by the time an alarm is raised it is often already too late; moreover, bandwidth or server availability on the DNS server side or the victim side can drop for other reasons, which interferes with the detection of DNS reflection attacks, so the accuracy of such detection is low. A series of DDoS (Distributed Denial of Service) cases shows that a DNS reflection attack can easily exceed the processing capacity of an anomalous traffic scrubbing device, so discovering DNS reflection attacks in time has become an urgent problem.
Disclosure of Invention
In order to solve the above technical problems, embodiments of the present application provide a method and an apparatus for detecting a domain name reflection attack, an electronic device, and a computer-readable storage medium, which are intended to solve the technical problem of low accuracy of DNS reflection attack detection.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
According to an aspect of the embodiments of the present application, there is provided a domain name reflection attack detection method, including:
acquiring the number of requests for initiating domain name resolution requests of a request object to be detected in a plurality of time windows;
constructing the request quantity of a plurality of time windows according to a preset time relation to obtain at least two request sequences;
calculating a correlation coefficient between at least two request sequences;
and determining whether the request object to be detected initiates domain name reflection attack or not according to the correlation coefficient between at least two request sequences.
According to an aspect of the embodiments of the present application, there is provided a domain name reflection attack detection apparatus, including:
the acquisition module is configured to acquire the number of requests for initiating domain name resolution requests of a request object to be detected in a plurality of time windows;
the construction module is configured to construct the request quantity of the multiple time windows according to a preset time relation to obtain at least two request sequences;
a calculation module configured to calculate a correlation coefficient between at least two request sequences;
and the determining module is configured to determine whether the request object to be detected initiates domain name reflection attack according to the correlation coefficient between at least two request sequences.
According to an aspect of an embodiment of the present application, there is provided an electronic device including: one or more processors; storage means for storing one or more programs that, when executed by the one or more processors, cause the electronic device to implement the domain name reflection attack detection method as described above.
According to an aspect of embodiments herein, there is provided a computer-readable storage medium having stored thereon computer-readable instructions, which, when executed by a processor of a computer, cause the computer to execute the domain name reflection attack detection method as described above.
According to an aspect of an embodiment of the present application, there is provided a computer program product or a computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, so that the computer device executes the domain name reflection attack detection method provided in the various optional embodiments described above.
In the technical solution provided by the embodiments of this application, forged domain name resolution request behaviour exhibits high self-similarity across different time windows, whereas normal domain name resolution request behaviour is unpredictable. The domain name reflection attack detection method and apparatus construct request sequences from the number of domain name resolution requests the request object to be detected sent in each time window; the request sequences represent the behavioural characteristics of that request object across the time windows, a correlation coefficient is calculated from them, and whether the request object to be detected has initiated a domain name reflection attack can then be determined accurately from the correlation coefficient.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 is a schematic illustration of an implementation environment to which the present application relates;
FIG. 2 is a flow chart of a domain name reflection attack detection method to which the present application relates;
FIG. 3 is a flow chart of step S210 in one embodiment to which the present application relates;
FIG. 4 is a flowchart of step S220 in one embodiment to which the present application relates;
FIG. 5 is a flowchart of step S410 in an embodiment to which the present application relates;
FIG. 6 is a schematic illustration of determining a first time window and a second time window in an embodiment to which the present application is directed;
FIG. 7 is a schematic illustration of determining a first time window and a second time window in another embodiment to which the present application relates;
FIG. 8 is a flowchart of step S230 in one embodiment to which the present application relates;
FIG. 9 is a flowchart of step S820 in an embodiment to which the present application relates;
FIG. 10 is a flowchart of step S240 in one embodiment to which the present application relates;
FIG. 11 is a flow chart of a method of Domain name reflection attack detection to which the present application relates;
fig. 12 is a block diagram of a domain name reflection attack detection apparatus to which the present application relates;
FIG. 13 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It should also be noted that: reference to "a plurality" in this application means two or more. "and/or" describes the association relationship of the associated object, indicating that there may be three relationships, for example, a and/or B may indicate: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The DNS (Domain Name System) is a distributed database on the Internet that maps domain names to IP addresses (Internet Protocol addresses), so that users can access the Internet conveniently without memorising the IP strings that machines read directly. The process of obtaining, from a host name, the IP address that corresponds to it is called domain name resolution.
In normal domain name resolution, a source IP address sends a DNS request to a DNS server; the DNS server resolves the domain name according to the request to obtain a DNS reply packet and returns it to the source IP address. The DNS reply packet produced by resolution is larger than the DNS request, and a reflection attack exploits exactly this property to amplify traffic: the attacker forges the IP address of the victim network and sends DNS requests to the DNS server with that IP address as the source, so that the traffic of the DNS reply packets is directed at the servers of the victim network. Referring to fig. 1, fig. 1 is a schematic diagram of an implementation environment related to this application. The implementation environment includes the botnet Zombie 110, the DNS server 120 and the victim network Victim 130, which communicate with each other over wired or wireless networks.
Assuming the data portion of a DNS request is about 40 bytes long, the data portion of the DNS reply packet may be up to 4000 bytes long, which means an attacker can obtain an amplification effect of about 100 times with this method. An attacker therefore only needs to control a botnet Zombie 110 able to generate 150M of traffic to carry out a DDoS attack of about 15G. As shown in fig. 1, the botnet Zombie 110 sends DNS requests to the DNS server 120; after the DNS server 120 resolves them, the DNS reply packets are amplified and the DNS server 120 sends the amplified DNS reply packets to the victim network Victim 130. By repeating this many times through the botnet Zombie 110, the attacker achieves the goal of attacking the victim network Victim 130.
To improve the traffic amplification effect, an attacker often forges DNS requests whose responses are of the Non-existent Domain type, forcing the DNS server 120 to initiate recursive queries, which causes a sudden rise in the CPU (Central Processing Unit) and RAM (Random Access Memory) load of the DNS server 120. An existing domain name reflection attack detection scheme on the DNS server side, based on availability monitoring of the DNS server 120, often finds it hard to discover an anomaly, because in practice an attacker usually uses several different public DNS servers to launch the attack and no single DNS server shows an availability anomaly. A domain name reflection attack detection scheme that monitors link availability in the metropolitan area network near the victim network Victim 130 is disturbed by other DDoS attack types and must combine Netflow information to judge whether a domain name reflection attack has been detected, so its judgement delay is long. A series of recorded domain name reflection attack traffic peaks can bring down the upstream link of the victim network Victim 130, causing the related judging system to fail.
The domain name reflection attack detection method provided by the embodiments of this application constructs request sequences from the number of domain name resolution requests the request object to be detected initiated in a plurality of time windows; the request sequences represent the behavioural characteristics of the request object to be detected across those time windows, and across different time windows forged domain name resolution request behaviour has high self-similarity while normal domain name resolution request behaviour is unpredictable. A correlation coefficient is calculated from the request sequences, and whether the request object to be detected has initiated a domain name reflection attack is determined from the correlation coefficient, so that the determination can be made promptly and accurately.
FIG. 2 is a flow diagram illustrating a method for domain name reflection attack detection in accordance with an exemplary embodiment. The method may be applied to the implementation environment shown in fig. 1 and is specifically performed by the DNS server 120 in the embodiment environment shown in fig. 1.
As shown in fig. 2, in an exemplary embodiment, the domain name reflection attack detection method may include steps S210 to S240, which are described in detail as follows:
step S210, obtaining the number of requests for initiating domain name resolution requests in multiple time windows of the object to be detected.
In the embodiments of this application, the object to be detected is a source IP that sends domain name resolution requests to the DNS server. The DNS network traffic or the DNS system log is parsed to obtain the source IP and the timestamp at which the source IP sent each domain name resolution request. From the timestamps, the number of domain name resolution requests the request object to be detected initiated in each of a plurality of time windows is obtained; if the request object to be detected initiated no domain name resolution request in a given time window, the request count for that window is recorded as 0.
In an exemplary embodiment of the present application, referring to fig. 3, before the step S210 obtains the number of requests for initiating domain name resolution requests by the to-be-detected request object in multiple time windows, the method further includes a step S310 and a step S320, which are described in detail as follows:
step S310, obtaining a request object initiating a domain name resolution request in a specified time window, and counting the number of requests for initiating the domain name resolution request in the specified time window by the request object.
In the embodiments of this application, when determining the request object to be detected, the request objects that sent domain name resolution requests to the DNS server in the specified time window are obtained by parsing the DNS network traffic or the DNS system log, and the number of domain name resolution requests sent by each request object in the specified time window is counted. For example, if a total of X request objects sent domain name resolution requests to the DNS server in the specified time window, the request count of each of the X request objects in that window is counted separately.
Step S320, determining the requested object to be detected from the requested objects according to the relationship between the requested number and the preset number threshold.
In the embodiments of this application, a preset quantity threshold is configured; those of the X request objects whose request count is smaller than the preset quantity threshold are filtered out, and the remaining request objects serve as the request objects to be detected. If several request objects to be detected remain after filtering, they can be arranged in descending order of request count, and whether each request object to be detected has launched a domain name reflection attack is detected in that descending order.
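As an added illustration of steps S310 and S320 (example code written for this page, not part of the patent), the following Python parses a constructed DNS query log, counts requests per source IP within a specified time window, and keeps the sources whose count is at or above a preset quantity threshold, ordered by count in descending order. The log line format, the IP addresses, the 10 s window length and the threshold of 3 are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not from the patent): "<epoch seconds> <source IP> <qname>".
# Inside the 10 s window starting at 1700000000: 203.0.113.7 sends 6 queries,
# 198.51.100.9 sends 3, 192.0.2.5 sends 1; one 203.0.113.7 query falls outside it.
SAMPLE_LOG = """\
1700000000 203.0.113.7 example.com
1700000001 203.0.113.7 example.com
1700000001 198.51.100.9 example.org
1700000002 203.0.113.7 example.com
1700000003 192.0.2.5 example.net
1700000004 203.0.113.7 example.com
1700000005 198.51.100.9 example.org
1700000006 203.0.113.7 example.com
1700000007 198.51.100.9 example.org
1700000009 203.0.113.7 example.com
1700000011 203.0.113.7 example.com
"""

# Assumed log line layout: timestamp, source IP, query name.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+\S+$")


def parse_log(text):
    """Return (timestamp, source IP) pairs; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return records


def count_in_window(records, start, length):
    """Step S310: per-source request counts within [start, start + length)."""
    counts = Counter()
    for ts, ip in records:
        if start <= ts < start + length:
            counts[ip] += 1
    return counts


def select_candidates(counts, threshold):
    """Step S320: drop sources whose count is below the threshold and order the
    remaining request objects by count, descending (ties broken by IP for stability)."""
    kept = [(ip, c) for ip, c in counts.items() if c >= threshold]
    return sorted(kept, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    window_counts = count_in_window(parse_log(SAMPLE_LOG), start=1700000000, length=10)
    for ip, c in select_candidates(window_counts, threshold=3):
        print(ip, c)
```

Running the block prints the two sources that survive the threshold, most active first; the query outside the window is not counted, which is the behaviour a per-window count must have so that the later per-window sequences line up.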
Step S220, constructing the request quantity of a plurality of time windows according to a preset time relation to obtain at least two request sequences.
In this method and apparatus, a request sequence is constructed from the number of requests of the request object to be detected in each time window under a preset time relationship. For the same request object to be detected, forged domain name resolution request behaviour has high self-similarity across different time windows, so a request sequence that represents the behaviour of the request object to be detected can be constructed from the request counts. Each request sequence consists of the request counts of its corresponding time windows, and every request sequence corresponds to the same number of time windows.
In an exemplary embodiment of the present application, referring to fig. 4, in step S220, the request number of the multiple time windows is constructed according to a preset time relationship, so as to obtain at least two request sequences, including step S410 and step S420, which are described in detail as follows:
step S410, dividing the plurality of time windows into a plurality of first time windows and a plurality of second time windows according to a preset time relationship.
In the embodiments of this application, first time windows and second time windows are selected from the plurality of time windows; the total number of first time windows plus second time windows may be less than or equal to the number of time windows, and two request sequences are formed from the first time windows and the second time windows.
Relevant configuration parameters are predefined. The configuration parameters include a time window t and a cache time T, where T = n × t and n is a natural number greater than 30; the specified number k of first time windows and of second time windows is configured at the same time, where k × t exceeds 30 s, so that reasonable numerical fluctuation is better tolerated.
When the plurality of time windows is determined, the n time windows of the cache time immediately preceding the request object to be detected may be obtained; or the n time windows of the cache time immediately following it may be obtained; or the p time windows immediately preceding the specified time window and the q time windows immediately following it may be obtained to form the plurality of time windows, where p + q + 1 equals the number n of time windows in the cache time and p or q is greater than or equal to k. Within one cache time, first time windows and second time windows are selected from the n time windows; the number of first time windows equals the number of second time windows, and their sum need not equal n.
Each time a time window t passes, the cache time T takes in the request objects of the newest time window t and clears and releases the request objects from before the cache time T. In this way the DNS server keeps adding request objects for every time window t while releasing the request objects no longer needed within the cache time T, which reduces the storage pressure on the DNS server.
Step S420, a first request sequence is constructed according to the number of requests of the plurality of first time windows, and a second request sequence is constructed according to the number of requests of the plurality of second time windows.
In the embodiments of this application, the first request sequence is constructed from the request counts of the first time windows: the plurality of first time windows are arranged in time order, and the first request sequence is then built from their request counts in that order. The first request sequence is generated in the dictionary format { srcIP: [request count 1, request count 2, …, request count k] }, for example 1.1.1.1: [20, 20, …], giving the request counts of the k time windows, where 1.1.1.1 identifies the object to be detected whose source IP address is 1.1.1.1.
Similarly, the second request sequence is constructed from the request counts of the second time windows: the plurality of second time windows are arranged in time order, and the second request sequence is then built from their request counts in that order, in the dictionary format { srcIP: [request count a, request count b, …, request count j] }.
In an exemplary embodiment of the present application, referring to fig. 5, the plurality of time windows are consecutive time windows; in step S410, the plurality of time windows are divided into a plurality of first time windows and a plurality of second time windows according to a preset time relationship, including step S510 and step S520, which are described in detail as follows:
in step S510, a specified number of consecutive time windows are determined as a plurality of first time windows among the plurality of consecutive time windows.
In the embodiment of the application, the multiple time windows are obtained by obtaining n time windows in the previous cache time adjacent to the specified time window of the request object to be detected, or obtaining n time windows in the next cache time adjacent to the specified time window of the request object to be detected, and in the n time windows, the first k continuous time windows can be obtained as the first time window according to the sequence of each time window. As shown in fig. 6, the multiple time windows shown in fig. 6 are n time windows in the adjacent previous buffering time of the designated time window for obtaining the request object to be detected, and the 1 st to kth time windows are directly used as the first time windows.
In another embodiment, when the multiple time windows are obtained by obtaining p previous time windows adjacent to the specified time window and q subsequent time windows adjacent to the specified time window, k consecutive time windows are determined as first time windows in the p previous time windows, or k consecutive time windows are determined as first time windows in the q subsequent time windows, as shown in fig. 7, in the multiple time windows shown in fig. 7, a represents the specified time window, the time window on the left side of a is the p previous time windows, the time window on the right side of a is the q subsequent time windows, and the 1 st to k-th time windows in the p previous time windows are directly used as the first time windows.
Step S520, determining a specified number of time windows as a plurality of second time windows in other time windows except the first time window; wherein a latest first time window of the plurality of first time windows is earlier than an earliest second time window of the plurality of second time windows.
In the embodiment of the application, k time windows are randomly acquired as second time windows in other time windows except the first time window.
Specifically, as shown in fig. 6, when the plurality of time windows is obtained as the n time windows of the cache time immediately before the specified time window of the request object to be detected, or as the n time windows of the cache time immediately after it, k time windows are randomly chosen as second time windows from the (k + 1)-th to the n-th time windows by a shuffle algorithm: the current system time is obtained and used as a random factor to compute a random number according to the formula m = rand(time) × (i + 1) mod (n - k). The formula yields a random number in the range [1, n - k] from the system time, where time is the current system time, i + 1 indicates that the plurality of second time windows is being computed, and i ranges over [0, k - 1]. After a random number is computed with the formula, the (m + k)-th time window is taken as a second time window; repeating this k times yields the k time windows, and if a computed random number repeats, the computation is performed again until k distinct time windows have been taken as second time windows.
As shown in fig. 7, when the plurality of time windows is obtained as the p time windows immediately before the specified time window and the q time windows immediately after it, the first time windows are determined among the p time windows and k time windows are then randomly chosen as second time windows from the q later time windows. The k second time windows are likewise chosen from the q later time windows by a shuffle algorithm: the current system time is obtained and used as a random factor to compute a random number according to the formula m = rand(time) × (i + 1) mod q. The formula yields a random number in the range [1, q] from the system time, where time is the current system time, i + 1 indicates that the plurality of second time windows is being computed, and i ranges over [0, k - 1]. After a random number is computed with the formula, the (m + p + 1)-th time window is taken as a second time window; repeating this k times yields the required k time windows, and if a computed random number repeats, the computation is performed again until k distinct time windows have been taken as second time windows.
In other embodiments, when the plurality of time windows are n time windows in the previous cache time adjacent to the specified time window of the to-be-detected request object, or n time windows in the next cache time adjacent to the specified time window of the to-be-detected request object, within the n time windows, the last k consecutive time windows may be obtained as the first time window, and then in the remaining time windows, the k time windows are randomly determined as the second time window. When the k time windows are randomly determined, the k time windows are randomly determined as the second time window by the Shuffle algorithm, in accordance with the foregoing.
In another embodiment, when the plurality of time windows are obtained by obtaining p time windows adjacent to the designated time window and q time windows adjacent to the designated time window, k time windows from the p time windows can be randomly determined as the second time window, and then k consecutive time windows from the q time windows can be determined as the second time window. When the k time windows are randomly determined, the k time windows are randomly determined as the second time window by the Shuffle algorithm, in accordance with the foregoing.
In step S230, a correlation coefficient between at least two request sequences is calculated.
In the embodiment of the application, the correlation coefficient between at least two request sequences is calculated, and if the request sequences comprise two request sequences, the correlation coefficient between the two request sequences is directly calculated; and if the number of the request sequences is more than two, calculating correlation coefficients between every two request sequences, calculating a coefficient average value based on the correlation coefficients between every two request sequences, and taking the coefficient average value as the correlation coefficient between at least two request sequences.
In an exemplary embodiment of the present application, referring to fig. 8, the at least two request sequences include a first request sequence and a second request sequence; the correlation coefficient between at least two request sequences is calculated in step S230, including step S810 and step S820, which are described in detail as follows:
step S810, performing an averaging operation on each request quantity contained in the first request sequence to obtain a first average value, and performing an averaging operation on each request quantity contained in the second request sequence to obtain a second average value.
In the embodiment of the application, the first average value $\bar{X}$ is calculated from the request numbers in the first request sequence, and the second average value $\bar{Y}$ is calculated from the request numbers in the second request sequence.
Step S820, calculating a correlation coefficient between the first request sequence and the second request sequence according to the first mean value, the second mean value, the first request sequence, and the second request sequence.
In the embodiment of the application, the correlation coefficient between the first request sequence and the second request sequence is calculated according to the first mean value, the second mean value, the first request sequence and the second request sequence which are obtained through calculation.
In an exemplary embodiment of the present application, referring to fig. 9, in step S820, calculating correlation coefficients of the first request sequence and the second request sequence according to the first mean value, the second mean value, the first request sequence, and the second request sequence includes steps S910 and S920, which are described in detail as follows:
step S910, performing difference calculation on each request quantity contained in the first request sequence and the first mean value respectively to obtain a plurality of first difference values, and performing difference calculation on each request quantity contained in the second request sequence and the second mean value respectively to obtain a plurality of second difference values.
In the embodiment of the present application, difference calculation is performed on each request quantity in the first request sequence and the first mean value, that is, the first mean value is subtracted from each request quantity in the first request sequence to obtain a plurality of first difference values, and difference calculation is performed on each request quantity in the second request sequence and the second mean value, that is, the second mean value is subtracted from each request quantity in the second request sequence to obtain a plurality of second difference values.
In step S920, a correlation coefficient between the first request sequence and the second request sequence is calculated according to the plurality of first differences and the plurality of second differences.
In the embodiment of the application, the correlation coefficient between the first request sequence and the second request sequence is calculated according to a plurality of first difference values and second difference values.
In particular, the correlation coefficient between the first sequence and the second sequence is calculated by the formula

$$r = \frac{\sum_{j=1}^{k} (X_j - \bar{X})(Y_j - \bar{Y})}{\sqrt{\sum_{j=1}^{k} (X_j - \bar{X})^2 \sum_{j=1}^{k} (Y_j - \bar{Y})^2}}$$

where r represents the correlation coefficient, $X_j$ denotes the jth request number in the first request sequence, $Y_j$ denotes the jth request number in the second request sequence, k is the number of request numbers in each of the first request sequence and the second request sequence, $\bar{X}$ represents the first mean value, and $\bar{Y}$ represents the second mean value.
Step S240, determining whether the object to be detected initiates a domain name reflection attack according to the correlation coefficient between the at least two request sequences.
In the embodiment of the application, forged domain name resolution request behavior has high self-similarity across different time windows, whereas normal domain name resolution request behavior is unpredictable. Whether the domain name resolution request behaviors initiated by the request object to be detected in different time windows are similar can therefore be known from the correlation coefficient, and when they are similar, the request object to be detected can be taken to be initiating a domain name reflection attack.
In the embodiment of the application, forged domain name resolution request behavior has high self-similarity in different time windows, and normal domain name resolution request behavior is unpredictable. The domain name reflection attack detection method detects whether a domain name reflection attack is initiated while domain name resolution requests are being received, and can thus determine timely and accurately whether a domain name reflection attack is being initiated.
In an exemplary embodiment of the present application, referring to fig. 10, in step S240, determining whether the request object to be detected initiates a domain name reflection attack according to a correlation coefficient between at least two request sequences includes steps S1010 to S1030, which are described in detail as follows:
step S1010, detecting the relation between the correlation coefficients of at least two request sequences and a preset threshold value to obtain a detection result.
In the embodiment of the present application, the relationship between the correlation coefficient and the preset threshold is detected, that is, the correlation coefficient is compared with the preset threshold to obtain the detection result, and the preset threshold may be set to 0.5.
Step S1020, if the detection result indicates that the correlation coefficient is greater than or equal to the preset threshold, determining that the to-be-detected request object initiates a domain name reflection attack.
In the embodiment of the application, if the correlation coefficient is greater than or equal to the preset threshold, it is determined that the request object to be detected initiates the domain name reflection attack, preset alarm information is generated, and the preset alarm information is sent to the Victim network Victim130, that is, the preset alarm information is sent to the source IP forged by the attacker through the Zombie network Zombie110, so that the Victim network Victim130 is alerted.
Step S1030, if the detection result indicates that the correlation coefficient is smaller than the preset threshold, it is determined that the request object to be detected does not initiate a domain name reflection attack.
In the embodiment of the application, if the detection result indicates that the correlation coefficient is smaller than the preset threshold, it indicates that the domain name resolution request behaviors initiated by the request object to be detected in different time windows do not have similarity, that is, the request object to be detected does not initiate domain name reflection attack.
In an exemplary embodiment of the present application, please refer to fig. 11, fig. 11 is a flowchart illustrating a domain name reflection attack detection method according to an exemplary embodiment, which includes steps S1110 to S1180, and the detailed description is as follows:
step S1110, acquiring a system log, and analyzing the system log to obtain a plurality of request objects, and a timestamp for initiating a domain name resolution request by the plurality of request objects.
In the embodiment of the application, the system log is analyzed to obtain a plurality of request objects and the timestamp of sending the domain name analysis request by each request object.
Step S1120, according to the timestamp, obtaining a request object for initiating a domain name resolution request in the specified time window, and counting the number of requests for initiating domain name resolution requests in the specified time window by the request object.
In the embodiment of the application, a time window T and a cache time T are preconfigured, and according to the timestamp, a request object initiating a domain name resolution request in a specified time window can be determined, generally, in one time window, a plurality of corresponding request objects are included, and the request quantity of each request object is counted.
Step S1130, determining the request object to be detected from the request objects according to the relationship between the request number and the preset number threshold.
In the embodiment of the application, a preset quantity threshold is preset, the request objects with the request quantity lower than the preset quantity threshold in the specified time window are filtered, the remaining request objects can be used as the request objects to be detected, and at the moment, the request objects to be detected can comprise a plurality of request objects.
Step S1140, obtaining a plurality of time windows adjacent to the specified time window; determining, among the plurality of time windows, a specified number of consecutive time windows as a plurality of first time windows; and randomly determining, by the Shuffle algorithm, the specified number of time windows among the time windows other than the first time windows as a plurality of second time windows, wherein the latest first time window of the plurality of first time windows is earlier than the earliest second time window of the plurality of second time windows.
In the embodiment of the application, n time windows in the adjacent previous cache time of the appointed time window or n time windows in the adjacent next cache time of the appointed time window are obtained, the appointed number is k, k continuous time windows are determined from the n time windows to serve as first time windows, and then k time windows are randomly determined from the rest time windows to serve as second time windows through a Shuffle algorithm. Specifically, when a first time window is determined, the 1 st to the kth time windows of the n time windows are selected as the first time window, when a second time window is determined, only the (k + 1) th to the nth time windows are considered, and the k time windows are randomly acquired from the (k + 1) th to the nth time windows through a Shuffle algorithm to serve as the second time window.
When there are a plurality of request objects to be detected, the first time windows corresponding to each request object to be detected are the same, and so are the second time windows, so the first time windows and second time windows need not be determined separately for each request object to be detected, which reduces the amount of calculation. Selecting the k second time windows by the Shuffle algorithm catches an attacker as far as possible over a relatively long time range, in which the attacker's behavior characteristics are highly similar while normal DNS requests show greater randomness. The Shuffle algorithm also greatly increases the speed of the subsequent correlation coefficient judgment.
Step S1150, a first request sequence of the request object to be detected is constructed according to the specified number of first time windows, and a second request sequence of the request object to be detected is constructed according to the specified number of second time windows.
In the embodiment of the application, a corresponding first request sequence is constructed according to the request quantity of each request object to be detected in a first time window, and a corresponding second request sequence is constructed according to the request quantity of each request object to be detected in a second time window.
Step S1160, calculating the correlation coefficient of the to-be-detected request object according to the first request sequence and the second request sequence.
In the embodiment of the present application, the corresponding correlation coefficient is calculated according to the first request sequence and the second request sequence corresponding to each request object to be detected, and the scheme for calculating the correlation coefficient is described in the foregoing, which is not described herein again.
And step S1170, detecting the relation between the correlation coefficient of the request object to be detected and a preset threshold value to obtain the detection result of the request object to be detected.
In the embodiment of the application, the correlation coefficient of each to-be-detected request object is compared with a preset threshold value respectively to obtain a corresponding detection result.
Step S1180, if the detection result of the request object to be detected indicates that its correlation coefficient is greater than or equal to the preset threshold, determining that the request object to be detected initiates a domain name reflection attack, and sending preset alarm information to the request object to be detected.
In the embodiment of the application, if the detection result of the request object to be detected indicates that its correlation coefficient is greater than or equal to the preset threshold, the request object to be detected is marked as launching a domain name reflection attack, and when a plurality of request objects to be detected launch domain name reflection attacks, the preset alarm information is sent to each of them.
In the embodiments of the present application, forged domain name resolution request behavior is highly self-similar across different time windows, while normal domain name resolution request behavior is unpredictable. The request objects are obtained from the system log, and the request objects to be detected are determined from the number of domain name resolution requests each request object initiates. The first time windows and the second time windows of the request objects to be detected are determined from the plurality of time windows; because the first time windows are the same for every request object to be detected, and so are the second time windows, the amount of calculation is reduced to a certain extent. A request sequence is constructed for each request object to be detected from its number of requests in the first time windows and in the second time windows; the request sequences represent the behavior characteristics of the request object to be detected over the plurality of time windows. The correlation coefficient is calculated from the request sequences, and whether the request object to be detected initiates a domain name reflection attack can be accurately determined from the correlation coefficient. At the same time, preset alarm information is generated and sent to the request object to be detected, that is, to the source IP forged by the attacker through the Zombie network Zombie110, so that the Victim network Victim130 is alerted. The domain name reflection attack detection method provided by the application detects whether a domain name reflection attack is initiated while domain name resolution requests are being received, and can thus determine timely and accurately whether a domain name reflection attack is being initiated.
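As an added example that is not part of the patent, the flow of steps S1110 to S1180, together with the Shuffle selection of the second time windows described for fig. 6 and the correlation coefficient of steps S810 to S920, implemented over constructed log lines. The log format, T = 60 s, n = 10, k = 4, the preset quantity threshold of 20, and the modelling of rand(time) as a PRNG seeded with the system time are all assumptions; the threshold 0.5 is the one stated in the text.

```python
"""Steps S1110-S1180 of the patent over constructed DNS log lines.
Added example, not the patent's code. Assumed: log format, T, n, k, the
quantity threshold, and that rand(time) is a PRNG seeded with system time."""
import math
import random
import time
from collections import Counter, defaultdict

WINDOW_SECONDS = 60   # T: one time window (assumed)
N_WINDOWS = 10        # n: windows per cache time (assumed)
K = 4                 # specified number of windows per request sequence
MIN_REQUESTS = 20     # preset quantity threshold of S1130 (assumed)
THRESHOLD = 0.5       # preset correlation threshold stated in the text

def parse_log(lines):
    """S1110: constructed line format '<epoch seconds> <source ip> <qname>'."""
    return [(src, int(ts)) for ts, src, _qname in (l.split() for l in lines)]

def count_per_window(events):
    """S1120: requests per source per window, window index = ts // T."""
    counts = defaultdict(Counter)
    for src, ts in events:
        counts[src][ts // WINDOW_SECONDS] += 1
    return counts

def shuffle_pick(n, k, rand):
    """Choose k distinct ordinals among the (k+1)th..nth windows using the
    text's formula m = rand(time)(i+1) mod (n-k) and taking window m+k.
    rand() stands for rand(time); the +1 after the modulo is an assumption
    that puts m in [1, n-k] as the text states. A duplicate is recomputed."""
    if n < 2 * k:
        raise ValueError("need n >= 2k to find k distinct second windows")
    chosen = []
    for i in range(k):
        while True:
            m = (rand() * (i + 1)) % (n - k) + 1
            if m + k not in chosen:
                chosen.append(m + k)
                break
    return sorted(chosen)

def split_windows(designated, n, k, rand):
    """S1140: the n windows of the cache time before the designated window
    are numbered 1..n oldest first; windows 1..k are the first time windows."""
    oldest = designated - n
    first = [oldest + j - 1 for j in range(1, k + 1)]
    second = [oldest + j - 1 for j in shuffle_pick(n, k, rand)]
    return first, second

def pearson(xs, ys):
    """S810-S920: means, differences from the means, then r. Assumption:
    with zero variance r is undefined and is reported as 0.0."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    dx = [x - mx for x in xs]
    dy = [y - my for y in ys]
    den = math.sqrt(sum(d * d for d in dx) * sum(d * d for d in dy))
    return sum(a * b for a, b in zip(dx, dy)) / den if den else 0.0

def detect(lines, designated, rand):
    """S1130-S1180: filter by count in the designated window, build both
    request sequences, compare r with the threshold. {src: (r, flagged)}."""
    counts = count_per_window(parse_log(lines))
    first, second = split_windows(designated, N_WINDOWS, K, rand)
    verdicts = {}
    for src, per_win in counts.items():
        if per_win[designated] < MIN_REQUESTS:
            continue
        r = pearson([per_win[w] for w in first], [per_win[w] for w in second])
        verdicts[src] = (round(r, 3), r >= THRESHOLD)
    return verdicts

def make_log(counts_by_src):
    """Constructed sample log from {src: {window index: request count}}."""
    return [f"{w * WINDOW_SECONDS + j % WINDOW_SECONDS} {src} example.test"
            for src, per_win in counts_by_src.items()
            for w, c in per_win.items() for j in range(c)]

# Constructed counts: windows 10..19 are the cache time before the
# designated window 20. Sources are documentation addresses.
SAMPLE = {
    "203.0.113.5": {10: 30, 11: 32, 12: 31, 13: 33, 14: 30,           # spoofed flood:
                    15: 30, 16: 32, 17: 31, 18: 33, 19: 30, 20: 31},  # repeating pattern
    "198.51.100.7": {10: 25, 11: 40, 12: 22, 13: 35, 14: 28,          # normal resolver:
                     15: 23, 16: 27, 17: 39, 18: 26, 19: 31, 20: 30}, # no pattern
    "192.0.2.9": {10: 3, 20: 5},                                      # below threshold
}

if __name__ == "__main__":
    rng = random.Random(time.time())   # rand(time): PRNG seeded with system time
    for src, (r, hit) in detect(make_log(SAMPLE), 20, lambda: rng.randrange(1, 2**31)).items():
        print(f"{src}: r={r} -> {'domain name reflection attack' if hit else 'normal'}")
```

With the system-time PRNG the second time windows, and so the coefficient of the normal resolver, vary from run to run, while the repeating flood stays at r = 1 whichever windows the Shuffle picks.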
In an exemplary embodiment of the present application, please refer to fig. 12, where fig. 12 illustrates a domain name reflection attack detection apparatus according to an exemplary embodiment, including:
an obtaining module 1210 configured to obtain the number of requests for initiating domain name resolution requests by a to-be-detected request object in a plurality of time windows;
a constructing module 1220 configured to construct the number of requests for multiple time windows according to a preset time relationship, so as to obtain at least two request sequences;
a calculation module 1230 configured to calculate a correlation coefficient between at least two request sequences;
the determining module 1240 is configured to determine whether the request object to be detected initiates a domain name reflection attack according to the correlation coefficient between the at least two request sequences.
In an exemplary embodiment of the present application, the building module 1220 includes:
the dividing submodule is configured to divide the plurality of time windows into a plurality of first time windows and a plurality of second time windows according to a preset time relation;
and the construction submodule is configured to construct and obtain a first request sequence according to the request quantity of the plurality of first time windows and construct and obtain a second request sequence according to the request quantity of the plurality of second time windows.
In an exemplary embodiment of the present application, the plurality of time windows are consecutive time windows; the dividing submodule includes:
a first determination unit configured to determine a specified number of consecutive time windows as a plurality of first time windows among a plurality of consecutive time windows;
a second determination unit configured to determine a specified number of time windows as a plurality of second time windows in other time windows than the first time window; wherein a latest first time window of the plurality of first time windows is earlier than an earliest second time window of the plurality of second time windows.
In an exemplary embodiment of the present application, the at least two request sequences include a first request sequence and a second request sequence; a calculation module 1230, comprising:
the operation sub-module is configured to perform averaging operation on the request quantities contained in the first request sequence to obtain a first average value, and perform averaging operation on the request quantities contained in the second request sequence to obtain a second average value;
and the calculation submodule is configured to calculate a correlation coefficient between the first request sequence and the second request sequence according to the first mean value, the second mean value, the first request sequence and the second request sequence.
In an exemplary embodiment of the present application, the computation submodule includes:
the difference calculation unit is configured to perform difference calculation on each request quantity contained in the first request sequence and the first mean value respectively to obtain a plurality of first difference values, and perform difference calculation on each request quantity contained in the second request sequence and the second mean value respectively to obtain a plurality of second difference values;
a calculating unit configured to calculate a correlation coefficient between the first request sequence and the second request sequence based on the plurality of first difference values and the plurality of second difference values.
In an exemplary embodiment of the present application, the domain name reflection attack detection apparatus further includes:
the acquisition unit is configured to acquire a request object initiating a domain name resolution request in a specified time window and count the number of requests for initiating the domain name resolution request in the specified time window by the request object;
and the to-be-detected request object determining unit is configured to determine the to-be-detected request object from the request objects according to the relation between the request quantity and the preset quantity threshold.
In an exemplary embodiment of the present application, the determining module 1240 includes:
the detection submodule is configured to detect the relation between the correlation coefficients of at least two request sequences and a preset threshold value to obtain a detection result;
the first determining sub-module is configured to determine that the request object to be detected initiates a domain name reflection attack if the detection result indicates that the correlation coefficient is greater than or equal to the preset threshold;
and the second determining sub-module is configured to determine that the request object to be detected does not initiate a domain name reflection attack if the detection result indicates that the correlation coefficient is smaller than the preset threshold.
It should be noted that the apparatus provided in the foregoing embodiment and the method provided in the foregoing embodiment belong to the same concept, and specific ways for the modules, sub-modules, and units to perform operations have been described in detail in the method embodiment, and are not described herein again.
An embodiment of the present application further provides an electronic device, including: one or more processors; a storage device, configured to store one or more programs, which when executed by the one or more processors, enable the electronic device to implement the domain name reflection attack detection method provided in the above-described embodiments.
FIG. 13 illustrates a schematic structural diagram of a computer system suitable for use to implement the electronic device of the embodiments of the subject application.
It should be noted that the computer system 1300 of the electronic device shown in fig. 13 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 13, the computer system 1300 includes a Central Processing Unit (CPU) 1301, which can perform various appropriate actions and processes, such as performing the methods described in the above embodiments, according to a program stored in a Read-Only Memory (ROM) 1302 or a program loaded from a storage portion 1308 into a Random Access Memory (RAM) 1303. In the RAM 1303, various programs and data necessary for system operation are also stored. The CPU1301, the ROM 1302, and the RAM 1303 are connected to each other via a bus 1304. An Input/Output (I/O) interface 1305 is also connected to bus 1304.
The following components are connected to the I/O interface 1305: an input portion 1306 including a keyboard, a mouse, and the like; an output section 1307 including a Display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 1308 including a hard disk and the like; and a communication section 1309 including a Network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 1309 performs communication processing via a network such as the internet. The drive 1310 is also connected to the I/O interface 1305 as needed. A removable medium 1311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1310 as necessary, so that a computer program read out therefrom is mounted into the storage portion 1308 as necessary.
In particular, according to embodiments of the application, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network through communications component 1309 and/or installed from removable media 1311. When the computer program is executed by a Central Processing Unit (CPU) 1301, various functions defined in the system of the present application are executed.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. The computer readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer-readable signal medium may include a propagated data signal with a computer program embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. The computer program embodied on the computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves.
Yet another aspect of the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as described above. The computer-readable storage medium may be included in the electronic device described in the above embodiment, or may exist separately without being incorporated in the electronic device.
Another aspect of the application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the methods provided in the various embodiments described above.
The above description is only a preferred exemplary embodiment of the present application, and is not intended to limit the embodiments of the present application, and those skilled in the art can easily make various changes and modifications according to the main concept and spirit of the present application, so that the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A domain name reflection attack detection method, characterized by comprising the following steps:
acquiring, for a request object to be detected, the number of domain name resolution requests it initiated in each of a plurality of time windows;
constructing at least two request sequences from the request quantities of the plurality of time windows according to a preset time relation;
calculating a correlation coefficient between the at least two request sequences;
and determining, according to the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack.
2. The method of claim 1, wherein the constructing at least two request sequences from the request quantities of the plurality of time windows according to a preset time relation comprises:
dividing the plurality of time windows into a plurality of first time windows and a plurality of second time windows according to the preset time relation;
and constructing a first request sequence from the request quantities of the plurality of first time windows, and constructing a second request sequence from the request quantities of the plurality of second time windows.
3. The method of claim 2, wherein the plurality of time windows are consecutive time windows, and the dividing the plurality of time windows into a plurality of first time windows and a plurality of second time windows according to the preset time relation comprises:
determining a specified number of consecutive time windows among the plurality of consecutive time windows as the plurality of first time windows;
determining, among the time windows other than the first time windows, the specified number of time windows as the plurality of second time windows; wherein the latest of the plurality of first time windows is earlier than the earliest of the plurality of second time windows.
4. The method of claim 1, wherein the at least two request sequences comprise a first request sequence and a second request sequence, and the calculating a correlation coefficient between the at least two request sequences comprises:
averaging the request quantities contained in the first request sequence to obtain a first mean value, and averaging the request quantities contained in the second request sequence to obtain a second mean value;
calculating the correlation coefficient between the first request sequence and the second request sequence according to the first mean value, the second mean value, the first request sequence and the second request sequence.
5. The method of claim 4, wherein the calculating the correlation coefficient between the first request sequence and the second request sequence according to the first mean value, the second mean value, the first request sequence and the second request sequence comprises:
calculating the difference between each request quantity contained in the first request sequence and the first mean value to obtain a plurality of first difference values, and calculating the difference between each request quantity contained in the second request sequence and the second mean value to obtain a plurality of second difference values;
calculating the correlation coefficient between the first request sequence and the second request sequence based on the plurality of first difference values and the plurality of second difference values.
6. The method according to any one of claims 1 to 5, wherein before acquiring the number of domain name resolution requests initiated by the request object to be detected in the plurality of time windows, the method further comprises:
acquiring the request objects that initiated domain name resolution requests within a specified time window, and counting, for each request object, the number of domain name resolution requests it initiated within the specified time window;
and determining the request object to be detected from among the request objects according to the relation between the request number and a preset number threshold.
7. The method according to any one of claims 1 to 5, wherein the determining, according to the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack comprises:
detecting the relation between the correlation coefficient of the at least two request sequences and a preset threshold value to obtain a detection result;
if the detection result indicates that the correlation coefficient is greater than or equal to the preset threshold value, determining that the request object to be detected has initiated a domain name reflection attack;
and if the detection result indicates that the correlation coefficient is smaller than the preset threshold value, determining that the request object to be detected has not initiated a domain name reflection attack.
8. A domain name reflection attack detection apparatus, comprising:
an acquisition module configured to acquire, for a request object to be detected, the number of domain name resolution requests it initiated in each of a plurality of time windows;
a construction module configured to construct at least two request sequences from the request quantities of the plurality of time windows according to a preset time relation;
a calculation module configured to calculate a correlation coefficient between the at least two request sequences;
and a determining module configured to determine, according to the correlation coefficient between the at least two request sequences, whether the request object to be detected has initiated a domain name reflection attack.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs that, when executed by the one or more processors, cause the electronic device to implement the domain name reflection attack detection method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon computer-readable instructions which, when executed by a processor of a computer, cause the computer to execute the domain name reflection attack detection method according to any one of claims 1 to 7.
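Claims 1 to 7 together describe one procedure: pre-filter request objects by their request count in a specified window (claim 6), count each candidate's domain name resolution requests per time window, split the windows into an earlier and a later run of equal length (claims 2 and 3), compute the correlation coefficient of the two runs from their means and per-window differences (claims 4 and 5), and compare it with a preset threshold (claim 7). The following is an added worked example of that procedure in Python; it is not code from the patent or from China Telecom. The window count, the count and correlation thresholds, the source addresses and the per-window request counts are all constructed for illustration, and the handling of a constant (zero-variance) sequence, which the claims do not specify, is this example's own assumption.

```python
"""Added worked example (not the patent's own code): screening DNS request
sources for reflection-attack behaviour along the lines of claims 1-7.

Window size, thresholds, source addresses and per-window counts below are all
constructed for illustration.
"""
from math import sqrt
from typing import Dict, List, Sequence, Tuple


def select_candidates(counts_by_object: Dict[str, Sequence[int]],
                      specified_window: int,
                      count_threshold: int) -> List[str]:
    """Claim 6: a request object becomes a 'request object to be detected' when
    its request count in the specified time window reaches the preset number
    threshold. Low-volume sources never reach the correlation step."""
    return [obj for obj, counts in counts_by_object.items()
            if counts[specified_window] >= count_threshold]


def split_sequences(counts: Sequence[int], n: int) -> Tuple[List[int], List[int]]:
    """Claims 2-3: the first n consecutive windows form the first request
    sequence and the next n windows the second, so the latest first window is
    earlier than the earliest second window."""
    if len(counts) < 2 * n:
        raise ValueError("need at least 2*n time windows")
    return list(counts[:n]), list(counts[n:2 * n])


def correlation_coefficient(first: Sequence[float], second: Sequence[float]) -> float:
    """Claims 4-5: Pearson correlation computed from the two means and the
    per-window differences from those means."""
    if len(first) != len(second) or not first:
        raise ValueError("request sequences must be non-empty and of equal length")
    first_mean = sum(first) / len(first)
    second_mean = sum(second) / len(second)
    first_diffs = [x - first_mean for x in first]
    second_diffs = [y - second_mean for y in second]
    numerator = sum(a * b for a, b in zip(first_diffs, second_diffs))
    denominator = sqrt(sum(a * a for a in first_diffs) * sum(b * b for b in second_diffs))
    if denominator == 0.0:
        # A constant sequence has no variance, so the coefficient is undefined.
        # The claims do not cover this case; treating it as 0.0 (no evidence of
        # a repeating pattern) is this example's assumption, not the patent's.
        return 0.0
    return numerator / denominator


def is_reflection_attack(corr: float, corr_threshold: float) -> bool:
    """Claim 7: a coefficient at or above the preset threshold is judged an attack."""
    return corr >= corr_threshold


def detect(counts_by_object: Dict[str, Sequence[int]], n: int, specified_window: int,
           count_threshold: int, corr_threshold: float) -> Dict[str, Tuple[float, bool]]:
    """Claims 1-7 end to end. Returns {request object: (coefficient, verdict)}
    for every candidate that passed the claim-6 pre-filter."""
    results = {}
    for obj in select_candidates(counts_by_object, specified_window, count_threshold):
        first, second = split_sequences(counts_by_object[obj], n)
        corr = correlation_coefficient(first, second)
        results[obj] = (corr, is_reflection_attack(corr, corr_threshold))
    return results


# Constructed sample: DNS query counts per source over 12 consecutive windows
# (addresses taken from the RFC 5737 documentation ranges).
SAMPLE_COUNTS = {
    "198.51.100.7": [50, 120, 50, 120, 50, 120, 52, 118, 49, 121, 51, 119],  # repeating pattern
    "203.0.113.25": [30, 70, 20, 90, 40, 10, 50, 40, 60, 30, 70, 20],        # busy but irregular
    "192.0.2.44":   [3, 7, 2, 9, 4, 1, 5, 4, 6, 3, 7, 2],                    # low volume
}

if __name__ == "__main__":
    verdicts = detect(SAMPLE_COUNTS, n=6, specified_window=0,
                      count_threshold=20, corr_threshold=0.8)
    for obj, (corr, flagged) in verdicts.items():
        print(f"{obj:14s} r={corr:+.3f} {'reflection attack' if flagged else 'not flagged'}")
```

With these constructed inputs the low-volume source is dropped by the claim-6 pre-filter, the busy but irregular source passes the pre-filter but its two halves are nearly uncorrelated, and only the source whose later six windows repeat the earlier six is flagged. Because Pearson correlation is scale-invariant, the method reacts to the shape of the request pattern rather than to its volume, which is why the claim-6 count threshold is needed in front of it.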

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210930014.8A CN115296904B (en) 2022-08-03 2022-08-03 Domain name reflection attack detection method and device, electronic equipment and storage medium
PCT/CN2022/140321 WO2024027079A1 (en) 2022-08-03 2022-12-20 Domain-name reflection attack detection method and apparatus, and electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210930014.8A CN115296904B (en) 2022-08-03 2022-08-03 Domain name reflection attack detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115296904A true CN115296904A (en) 2022-11-04
CN115296904B CN115296904B (en) 2023-10-27

Family

ID=83826545

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210930014.8A Active CN115296904B (en) 2022-08-03 2022-08-03 Domain name reflection attack detection method and device, electronic equipment and storage medium

Country Status (2)

Country Link
CN (1) CN115296904B (en)
WO (1) WO2024027079A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024027079A1 (en) * 2022-08-03 2024-02-08 中国电信股份有限公司 Domain-name reflection attack detection method and apparatus, and electronic device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017163104A1 (en) * 2016-03-21 2017-09-28 Telefonaktiebolaget Lm Ericsson (Publ) System and method for mitigating dns attacks
EP3462712A1 (en) * 2017-10-02 2019-04-03 Nokia Solutions and Networks Oy Method for mitigating dns-ddos attacks
CN113347186A (en) * 2021-06-01 2021-09-03 百度在线网络技术(北京)有限公司 Reflection attack detection method and device and electronic equipment
CN113783892A (en) * 2021-09-28 2021-12-10 北京天融信网络安全技术有限公司 Reflection attack detection method, system, device and computer readable storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120174220A1 (en) * 2010-12-31 2012-07-05 Verisign, Inc. Detecting and mitigating denial of service attacks
US10616267B2 (en) * 2017-07-13 2020-04-07 Cisco Technology, Inc. Using repetitive behavioral patterns to detect malware
CN109005181B (en) * 2018-08-10 2021-07-02 深信服科技股份有限公司 Detection method, system and related components for DNS amplification attack
CN114363062A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Domain name detection method, system, equipment and computer readable storage medium
CN115296904B (en) * 2022-08-03 2023-10-27 中国电信股份有限公司 Domain name reflection attack detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN115296904B (en) 2023-10-27
WO2024027079A1 (en) 2024-02-08

Similar Documents

Publication Publication Date Title
CN109951500B (en) Network attack detection method and device
US11797671B2 (en) Cyberanalysis workflow acceleration
US8483056B2 (en) Analysis apparatus and method for abnormal network traffic
US9900344B2 (en) Identifying a potential DDOS attack using statistical analysis
CN111277570A (en) Data security monitoring method and device, electronic equipment and readable medium
US11070569B2 (en) Detecting outlier pairs of scanned ports
US8990936B2 (en) Method and device for detecting flood attacks
US9565203B2 (en) Systems and methods for detection of anomalous network behavior
EP2227889B1 (en) Method of detecting anomalies in a communication system using symbolic packet features
US10944784B2 (en) Identifying a potential DDOS attack using statistical analysis
US8341742B2 (en) Network attack detection devices and methods
US20210400073A1 (en) Malicious port scan detection using source profiles
US11711389B2 (en) Scanner probe detection
US11770396B2 (en) Port scan detection using destination profiles
CN110417747B (en) Method and device for detecting violent cracking behavior
US20220217162A1 (en) Malicious port scan detection using port profiles
CN109561097B (en) Method, device, equipment and storage medium for detecting security vulnerability injection of structured query language
CN111641585A (en) DDoS attack detection method and device
KR100950079B1 (en) Network abnormal state detection device using HMMHidden Markov Model and Method thereof
CN115296904B (en) Domain name reflection attack detection method and device, electronic equipment and storage medium
CN110958245A (en) Attack detection method, device, equipment and storage medium
CN114363062A (en) Domain name detection method, system, equipment and computer readable storage medium
JP4060263B2 (en) Log analysis apparatus and log analysis program
CN114499917B (en) CC attack detection method and CC attack detection device
CN114500123B (en) Network information analysis method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant