CN115361358B - IP extraction method and device, storage medium and electronic device - Google Patents


Publication number
CN115361358B
Authority
CN
China
Prior art keywords
domain name
target
determining
ips
alias
Legal status
Active
Application number
CN202211001459.4A
Other languages
Chinese (zh)
Other versions
CN115361358A (en
Inventor
陈健
黄冲
陈攀
唐殊瑶
祁海珍
Current Assignee
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The application discloses an IP extraction method and device, a storage medium and an electronic device. The method comprises: acquiring, within a first preset time period, a plurality of domain names and the IPs associated with each domain name to obtain a plurality of IPs, and judging whether each domain name has an alias; where a domain name has an alias, determining, from the plurality of IPs and according to the fields of the alias, the IPs associated with the domain name, so as to obtain at least one first IP; where a domain name has no alias, determining a second IP from the plurality of IPs according to the domain names associated with each IP; and determining the first IP and the second IP as target IPs to obtain a set of target IPs. The application solves the problem in the related art that content distribution network IPs are determined inaccurately.

Description

IP extraction method and device, storage medium and electronic device
Technical Field
The present invention relates to the field of virtual networks, and in particular, to a method and apparatus for extracting IP, a storage medium, and an electronic device.
Background
CDN stands for Content Delivery Network. A CDN is an intelligent virtual network built on top of the existing network. Relying on edge servers deployed in various places and on the load balancing, content distribution, scheduling and other functional modules of a central platform, it lets users obtain the content they need from a nearby location, which reduces network congestion and improves user access response speed and hit rate. A CDN domain name, also called a sub domain name, is a relatively independent domain name with the same CNAME suffix, used for CDN acceleration and operated by a CDN manufacturer.
In network security it is often necessary to intercept malicious IPs, and practitioners may intercept multiple IPs under the same domain name as malicious. Some CDN domain names belong to security service manufacturers, and most of the IPs under CDN domain names are not malicious. Because practitioners cannot be sure whether an IP under consideration is a CDN IP, they may intercept CDN IPs directly, which causes a certain degree of false positives. CDN services assist in distributing network content and improve access speed; they are provided by CDN manufacturers and have no tendency toward malicious behavior. In threat intelligence tasks, CDN servers therefore need to be marked, so that reliable reference information is available for researchers' querying, source tracing and other work.
In the related art, data is collected from the network and a basic knowledge base of CDN IP addresses is built from the collected information, so that IPs can be marked as CDN servers. However, the accuracy of this marking is not high, and ordinary IPs are misreported as CDN IPs, so the approach is not suitable for IP labelling by security service manufacturers. In addition, the related art determines CDN IPs by judging whether the domain name in a URL is a CDN domain name, based primarily on whether the domain name corresponds to multiple IPs within a fixed time. The CDN server is judged from aspects such as the location and number of the IPs corresponding to the domain name, and the related attributes of the IPs are calculated separately for each domain name.
No effective solution has yet been proposed for the problem of inaccurate determination of content distribution network IPs in the related art.
Disclosure of Invention
The application provides an IP extraction method to solve the problem of inaccurate IP determination of a content distribution network in the related technology.
According to one aspect of the present application, an IP extraction method is provided. The method comprises: acquiring, within a first preset time period, a plurality of domain names and the IPs associated with each domain name to obtain a plurality of IPs, and judging whether each domain name has an alias; where a domain name has an alias, determining, from the plurality of IPs and according to the fields of the alias, the IPs associated with the domain name, so as to obtain at least one first IP; where a domain name has no alias, determining a second IP from the plurality of IPs according to the domain names associated with each IP; and determining the first IP and the second IP as target IPs to obtain a set of target IPs.
Optionally, determining the IPs associated with the domain name from the plurality of IPs according to the fields of the alias to obtain at least one first IP includes: combining aliases that have the same field to obtain a plurality of groups of aliases, and determining the number of aliases in each group to obtain a plurality of first numbers; judging whether each first number is greater than or equal to an alias number threshold; and, where a first number is greater than or equal to the alias number threshold, determining the IPs, among the plurality of IPs, that are associated with the domain names corresponding to that group of aliases as first IPs.
Optionally, determining the IPs associated with the domain name from the plurality of IPs according to the fields of the alias to obtain at least one first IP includes: judging whether the alias contains a target field, wherein the target field is a content distribution network field; where the alias contains the target field, determining, for each IP, a second number of associated domain names whose aliases contain the target field, so as to obtain a plurality of second numbers; judging whether each second number is greater than or equal to a first number threshold of domain names; and, where a second number is greater than or equal to the first number threshold of domain names, determining the IP corresponding to that second number as a first IP, and adding the domain names corresponding to the aliases containing the target field to a white list, wherein the white list contains a plurality of preset domain names.
Optionally, determining the second IP from the plurality of IPs according to the domain names associated with each IP includes: determining, within a second preset time period, the number of domain names associated with each IP that are in the white list to obtain a third number, and judging whether the third number is greater than or equal to a second number threshold of domain names; and, where the third number is greater than or equal to the second number threshold of domain names, determining the IP corresponding to that third number as a second IP.
Optionally, the white list is obtained by: acquiring the domain names of a plurality of content distribution network manufacturers, and determining the white list according to those domain names.
Optionally, after the first IP and the second IP are determined as target IPs and the set of target IPs is obtained, the method further includes: acquiring a plurality of third-party IPs stored by a third-party platform, wherein each third-party IP corresponds to a content distribution network manufacturer; comparing the third-party IP and the target IP corresponding to the same content distribution network manufacturer; and, where the third-party IP is different from the target IP, removing the target IP from the set.
Optionally, after the first IP and the second IP are determined as target IPs and the set of target IPs is obtained, the method further includes: combining target IPs that have the same field to obtain a plurality of groups of target IPs; judging whether the number of IPs in each group of target IPs is smaller than an IP number threshold; and, where the number of IPs in a group is smaller than the IP number threshold, removing that group of target IPs from the set.
According to another aspect of the present application, an IP extraction apparatus is provided. The apparatus includes: an obtaining unit, configured to obtain, within a first preset time period, a plurality of domain names and the IPs associated with each domain name to obtain a plurality of IPs, and to judge whether each domain name has an alias; a first determining unit, configured to determine, where a domain name has an alias, the IPs associated with the domain name from the plurality of IPs according to the fields of the alias, to obtain at least one first IP; a second determining unit, configured to determine, where a domain name has no alias, a second IP from the plurality of IPs according to the domain names associated with each IP; and a third determining unit, configured to determine the first IP and the second IP as target IPs to obtain a set of target IPs.
According to another aspect of the embodiment of the present invention, a nonvolatile storage medium is also provided. The nonvolatile storage medium includes a stored program, wherein, when the program runs, the device in which the nonvolatile storage medium is located is controlled to execute the IP extraction method.
According to another aspect of the embodiment of the present invention, an electronic device including a processor and a memory is also provided. The memory stores computer-readable instructions, and the processor is configured to run the computer-readable instructions, wherein the computer-readable instructions, when run, execute the IP extraction method.
The application adopts the following steps: acquiring, within a first preset time period, a plurality of domain names and the IPs associated with each domain name to obtain a plurality of IPs, and judging whether each domain name has an alias; where a domain name has an alias, determining, from the plurality of IPs and according to the fields of the alias, the IPs associated with the domain name, so as to obtain at least one first IP; where a domain name has no alias, determining a second IP from the plurality of IPs according to the domain names associated with each IP; and determining the first IP and the second IP as target IPs to obtain a set of target IPs. This solves the problem of inaccurate determination of content distribution network IPs in the related art. A content distribution network white list is constructed from the domain names whose aliases carry the content distribution network field and the domain names of content distribution network manufacturers, and the IPs of the content distribution network are determined by screening the aliases of domain names for repeated fields, which achieves the effect of accurately determining content distribution network IPs.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application, illustrate and explain the application and are not to be construed as limiting the application. In the drawings:
Fig. 1 is a flowchart of an IP extraction method provided according to an embodiment of the present application;
Fig. 2 is a flowchart of an alternative IP extraction method provided according to an embodiment of the present application;
Fig. 3 is a schematic diagram of an IP extraction apparatus according to an embodiment of the present application.
Detailed Description
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
To enable those skilled in the art to better understand the solution of the present application, the embodiments of the present application are described in detail below with reference to the accompanying drawings. The described embodiments are evidently only some, not all, of the embodiments of the present application. All other embodiments that one of ordinary skill in the art can obtain from the embodiments herein without inventive effort shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe the embodiments of the present application described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an embodiment of the application, an IP extraction method is provided.
Fig. 1 is a flowchart of an IP extraction method according to an embodiment of the present application. As shown in Fig. 1, the method comprises the following steps:
Step S102: acquiring, within a first preset time period, a plurality of domain names and the IPs associated with each domain name to obtain a plurality of IPs, and judging whether each domain name has an alias.
It should be noted that domain names associated with the same IP (Internet Protocol address) are strongly related to each other within a certain period of time, so the historical domain name resolution records within the first preset time period are obtained in order to determine CDN IPs. For example, the first preset time period may be one month: the historical domain name resolution records are obtained on a fixed one-month cycle, the plurality of IPs are obtained from those records, and the domain names associated with each IP are obtained. Each domain name may be associated with multiple IPs, and each IP may be associated with multiple domain names.
It should be noted that CDN acceleration of a domain name relies on the CNAME record. After CDN acceleration is configured, an accelerated domain name is obtained, called the CNAME domain name, that is, the alias. Once the user has directed his own IP to the alias, domain name resolution is formally handed over to the CDN server, and all requests for each IP associated with the domain name are directed to CDN nodes. A request is sent to the network domain corresponding to each domain name to query the CNAME (alias record), and whether each domain name has an alias is judged from the result returned for it. If data is returned, the domain name has an alias; if no data is returned, the domain name may have no alias or may refuse to return data.
Step S104: where the domain name has an alias, determining, from the plurality of IPs and according to the fields of the alias, the IPs associated with the domain name, to obtain at least one first IP.
Specifically, an alias comprises a plurality of fields, and the IPs associated with the domain name are determined from the plurality of IPs according to those fields. For example, the aliases of some CDN vendors contain a CDN field and the aliases of others contain the vendor name: the alias of vendor a is 10.12.a.3.com, and the alias of vendor b is 20.45.1.3.cdn.com. The first IP is obtained by determining, from the plurality of IPs, the IPs associated with domain names whose aliases contain the cdn field or the vendor's own company name.
Step S106: where the domain name has no alias, determining a second IP from the plurality of IPs according to the domain names associated with each IP.
Specifically, where the domain name has no alias, the second IP is determined according to the domain names associated with each IP. For example, if the number of white-listed domain names among the domain names associated with an IP exceeds a threshold, the IP is determined to be a second IP. The white list contains the domain names of known CDN vendors and the domain names screened out because their aliases contain the CDN field.
Step S108: determining the first IP and the second IP as target IPs to obtain a set of target IPs.
Specifically, a target IP is an IP preliminarily determined to belong to a CDN; the first IPs and the second IPs are gathered together to obtain the set of target IPs.
In the IP extraction method provided by the embodiment of the application, a plurality of domain names and the IPs associated with each domain name are acquired within a first preset time period to obtain a plurality of IPs, and whether each domain name has an alias is judged; where a domain name has an alias, the IPs associated with the domain name are determined from the plurality of IPs according to the fields of the alias, so as to obtain at least one first IP; where a domain name has no alias, a second IP is determined from the plurality of IPs according to the domain names associated with each IP; and the first IP and the second IP are determined as target IPs to obtain a set of target IPs. This solves the problem of inaccurate determination of content distribution network IPs in the related art. A content distribution network white list is constructed from the domain names whose aliases carry the content distribution network field and the domain names of content distribution network manufacturers, and the IPs of the content distribution network are determined by screening the aliases of domain names for repeated fields, which achieves the effect of accurately determining content distribution network IPs.
Optionally, in the IP extraction method provided in the embodiment of the present application, determining the IPs associated with the domain name from the plurality of IPs according to the fields of the alias to obtain at least one first IP includes: combining aliases that have the same field to obtain a plurality of groups of aliases, and determining the number of aliases in each group to obtain a plurality of first numbers; judging whether each first number is greater than or equal to an alias number threshold; and, where a first number is greater than or equal to the alias number threshold, determining the IPs, among the plurality of IPs, that are associated with the domain names corresponding to that group of aliases as first IPs.
Specifically, the domain names of different nodes of one CDN vendor generally share a field. For example, the node name of vendor a in city a is 10.2.5.a.com and the node name of vendor a in city b is 10.2.3.a.com; both aliases contain the same field a. When determining the first IP, groups of aliases containing the same field are therefore screened out, since the domain names corresponding to each group may be domain names of CDN nodes. Whether they are is decided by judging the number of aliases in the group against the alias number threshold. For example, with the alias number threshold set to 10, when the number of aliases in a group is greater than or equal to 10 and the same network segment in the aliases is located in the same network segment in the aliases, the domain names corresponding to that group of aliases are regarded as domain names of CDN nodes, and the IPs associated with those domain names are determined as first IPs. That is, this embodiment determines the domain names of CDN nodes by screening aliases with the same field, and thereby determines the first IP.
Besides grouping aliases with the same field, the first IP may also be determined by judging directly whether an alias contains a target field. Optionally, in the IP extraction method provided in the embodiment of the present application, determining the IPs associated with the domain name from the plurality of IPs according to the fields of the alias to obtain at least one first IP includes: judging whether the alias contains a target field, wherein the target field is a content distribution network field; where the alias contains the target field, determining, for each IP, a second number of associated domain names whose aliases contain the target field, so as to obtain a plurality of second numbers; judging whether each second number is greater than or equal to a first number threshold of domain names; and, where a second number is greater than or equal to the first number threshold of domain names, determining the IP corresponding to that second number as a first IP, and adding the domain names corresponding to the aliases containing the target field to a white list, wherein the white list contains a plurality of preset domain names.
Specifically, the target field may be CDN. For example, if an alias is 10.25.31.cdn.com, the domain name corresponding to the alias is a CDN domain name. For each IP, the second number of associated domain names whose aliases contain the CDN field is determined. The first number threshold of domain names may be set to 5; if the second number of an IP is greater than or equal to 5, the IP is determined to be a first IP. The domain names whose aliases contain the CDN field are added to the white list. The preset domain names contained in the white list are thus the domain names of known CDN manufacturers and the screened domain names whose aliases contain the CDN field. That is, this embodiment determines the first IP by judging how many of the domain names associated with an IP have aliases containing the target field.
Optionally, in the IP extraction method provided in the embodiment of the present application, determining the second IP from the plurality of IPs according to the domain names associated with each IP includes: determining, within a second preset time period, the number of domain names associated with each IP that are in the white list to obtain a third number, and judging whether the third number is greater than or equal to a second number threshold of domain names; and, where the third number is greater than or equal to the second number threshold of domain names, determining the IP corresponding to that third number as a second IP.
Specifically, the second preset time period may be set to 1 day. If, among the domain names associated with an IP, the number belonging to the white list is greater than or equal to the second number threshold of domain names, that is, the third number is greater than or equal to the second number threshold, the IP is a second IP. For example, if the second number threshold is 5 and an IP is associated with 8 domain names of which 5 are in the white list, the IP is a second IP. That is, this embodiment determines the second IP by the number of white-listed domain names associated with the IP.
The white list is determined from the domain names of CDN vendors. Optionally, in the IP extraction method provided in the embodiment of the present application, the white list is obtained by: acquiring the domain names of a plurality of content distribution network manufacturers, and determining the white list according to those domain names.
Specifically, the domain names of most CDN manufacturers have a fixed suffix format; for example, the CDN domain name of cloudflash is xx.xx.cloudflash.cn. The white list is constructed by manually collecting the domain name suffixes of CDN manufacturers, crawling the CDN server information of some CDN server record platforms, and determining the domain name resolution record as the CDN server IP.
To avoid inaccuracy in the screened CDN IPs, the target IPs are further screened by comparison with the CDN IPs collected by a third-party platform. Optionally, in the IP extraction method provided in the embodiment of the present application, after the first IP and the second IP are determined as target IPs and the set of target IPs is obtained, the method further includes: acquiring a plurality of third-party IPs stored by a third-party platform, wherein each third-party IP corresponds to a content distribution network manufacturer; comparing the third-party IP and the target IP corresponding to the same content distribution network manufacturer; and, where the third-party IP is different from the target IP, removing the target IP from the set.
Specifically, the content distribution network manufacturer is the CDN manufacturer, and the third-party platform may be a platform on the network that records CDN IPs. The third-party IPs are obtained as a reference by crawling the websites of third-party platforms that record CDN server IPs, and the third-party IPs and the target IPs of the same CDN manufacturer are compared. If the two differ, the target IP may be inaccurate, although the third-party IP may also be inaccurate; the inaccurate target IP is removed from the set of target IPs. This embodiment thus further screens the target IPs so that the extracted CDN IPs are more accurate.
Optionally, in the IP extraction method provided in the embodiment of the present application, after the first IP and the second IP are determined as target IPs and the set of target IPs is obtained, the method further includes: combining target IPs that have the same field to obtain a plurality of groups of target IPs; judging whether the number of IPs in each group of target IPs is smaller than an IP number threshold; and, where the number of IPs in a group is smaller than the IP number threshold, removing that group of target IPs from the set.
Specifically, the IPs of a CDN generally consist of the IPs of many different nodes, and the IPs of nodes under the same CDN manufacturer have the same field. Some target IPs are extracted into the set only because they happen to include the CDN field, yet they share no field with the other target IPs. Screening out and removing such isolated target IPs, which have no field in common with the others, makes the extracted CDN IPs more accurate.
According to another embodiment of the present application, an optional IP extraction method is further provided. Fig. 2 is a flowchart of this optional IP extraction method. As shown in Fig. 2, domain name resolution records are first obtained, the domain names and the IPs corresponding to each domain name are determined, and intranet IPs are removed.
Then, for domain names that have aliases, the number of aliases sharing the same field is counted. Where the number of aliases in a group is more than 10, the IPs corresponding to that group of aliases are determined as first IPs, and the first IPs are preliminarily determined to be CDN server IPs.
Meanwhile, for domain names that have aliases, the number of domain names associated with each IP whose aliases contain the CDN field is counted. If the number is larger than 5, the IP is preliminarily determined to be a CDN server IP, and the domain names whose aliases contain the CDN field are added to the white list. The white list also includes the CDN domain names of known CDN vendors.
For domain names without aliases, the domain names associated with each IP in a specified time period are counted; if the number of white-listed domain names among the domain names associated with an IP is more than 5, the IP is preliminarily determined to be a CDN server IP.
The preliminarily determined CDN server IPs are then compared with third-party CDN data, and a preliminarily determined IP is rejected if, for the same CDN manufacturer, it differs from the IP in the third-party CDN data. Isolated CDN server IPs belonging to the C field are then rejected.
Finally, the domain names corresponding to the CDN server IPs are determined, and each CDN server IP is combined with its corresponding domain names.
The optional IP extraction method provided by this embodiment adds a screening mechanism for aliases, so that CDN server IPs can be determined accurately.
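The Fig. 2 flow, as an added Python sketch that is not code from the patent or its assignee: it applies the alias-group, CDN-field and white-list counts with the thresholds quoted in the description, then the isolated-IP screening. Assumptions: an alias's shared "field" is its last two labels, target IPs "with the same field" share a /24, `IP_GROUP_MIN` is 2 because the text gives no value, one record window stands in for both preset time periods, the third-party comparison is left out, and every sample record is constructed.

```python
import ipaddress
from collections import defaultdict

# Thresholds quoted in the description ("greater than or equal to" form).
ALIAS_GROUP_MIN = 10  # alias number threshold
CDN_FIELD_MIN = 5     # first number threshold of domain names
WHITELIST_MIN = 5     # second number threshold of domain names
IP_GROUP_MIN = 2      # assumption: the text gives no IP number threshold
INTRANET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def alias_field(alias):
    """Assumption: the shared 'field' of an alias is its last two labels."""
    return ".".join(alias.lower().rstrip(".").split(".")[-2:])


def has_cdn_field(alias):
    """Assumption: the target field is present if any label contains 'cdn'."""
    return any("cdn" in label for label in alias.lower().split("."))


def ip_field(ip):
    """Assumption: IPs 'with the same field' share a /24 (IPv4) or /48 (IPv6)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def extract_cdn_ips(records, vendor_suffixes):
    """records: (domain, ip, alias or None); returns (kept, removed) IP sets."""
    ip_domains, domain_ips = defaultdict(set), defaultdict(set)
    domain_alias = {}
    for domain, ip, alias in records:
        if any(ipaddress.ip_address(ip) in net for net in INTRANET):
            continue  # intranet IPs are removed first (Fig. 2)
        ip_domains[ip].add(domain)
        domain_ips[domain].add(ip)
        if alias:
            domain_alias[domain] = alias

    # Aliases sharing a field: a large enough group marks its domains' IPs.
    field_aliases, field_domains = defaultdict(set), defaultdict(set)
    for domain, alias in domain_alias.items():
        field_aliases[alias_field(alias)].add(alias.lower())
        field_domains[alias_field(alias)].add(domain)
    first = set()
    for field, aliases in field_aliases.items():
        if len(aliases) >= ALIAS_GROUP_MIN:
            for domain in field_domains[field]:
                first |= domain_ips[domain]

    # Target field: per IP, count associated domains whose alias has 'cdn'.
    cdn_domains = {d for d, a in domain_alias.items() if has_cdn_field(a)}
    whitelist = set()
    for ip, domains in ip_domains.items():
        hits = domains & cdn_domains
        if len(hits) >= CDN_FIELD_MIN:
            first.add(ip)
            whitelist |= hits  # these domains join the white list

    def whitelisted(domain):
        return domain in whitelist or any(
            domain == s or domain.endswith("." + s) for s in vendor_suffixes)

    # Domains without an alias: judge each of their IPs by white-list hits.
    second = set()
    for domain, ips in domain_ips.items():
        if domain in domain_alias:
            continue
        for ip in ips:
            if sum(whitelisted(d) for d in ip_domains[ip]) >= WHITELIST_MIN:
                second.add(ip)

    # Screening: drop target IPs whose same-field group is too small.
    groups = defaultdict(set)
    for ip in first | second:
        groups[ip_field(ip)].add(ip)
    kept = {ip for g in groups.values() if len(g) >= IP_GROUP_MIN for ip in g}
    return kept, (first | second) - kept


def sample_records():
    """Constructed records: documentation address ranges, .example names."""
    recs = [("blog.example", "192.0.2.200", None),    # ordinary host
            ("intranet.example", "10.1.2.3", None)]   # dropped as intranet
    for i in range(10):  # ten aliases sharing the field fastnode.example
        recs.append((f"shop{i}.example", f"198.51.100.{10 + i}",
                     f"edge{i}.fastnode.example"))
    for i in range(5):
        for ip in ("203.0.113.5", "203.0.113.6"):  # cdn-field aliases
            recs.append((f"site{i}.example", ip, f"c{i}.cdn.vendorb.example"))
        # No alias, but under a known vendor suffix.
        recs.append((f"n{i}.knowncdn.example", "203.0.113.7", None))
        # 'cdn' appears by coincidence; this IP is alone in its /24.
        recs.append((f"fan{i}.example", "192.0.2.77", f"x{i}.mycdnblog.example"))
    return recs


if __name__ == "__main__":
    kept, removed = extract_cdn_ips(sample_records(), {"knowncdn.example"})
    print("target IPs:", sorted(kept, key=ipaddress.ip_address))
    print("removed by screening:", sorted(removed))
```

On the sample, 192.0.2.77 passes the CDN-field count because `cdn` occurs inside an unrelated label, and only the isolated-IP screening removes it, which is the false-positive case the description calls out.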
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the application also provides an IP extracting device, and it should be noted that the IP extracting device of the embodiment of the application may be used to execute the extracting method for IP provided by the embodiment of the application. The following describes an IP extraction device provided in the embodiment of the present application.
Fig. 3 is a schematic diagram of an IP extraction apparatus according to an embodiment of the present application. As shown in fig. 3, the apparatus includes:
an obtaining unit 10, configured to acquire a plurality of domain names and the IPs associated with each domain name within a first preset time period, to obtain a plurality of IPs, and to determine whether each domain name has an alias;
a first determining unit 20, configured to determine, when the domain name has an alias, an IP associated with the domain name from the plurality of IPs according to a field of the alias, to obtain at least one first IP;
a second determining unit 30, configured to determine, when the domain name does not have an alias, a second IP from the plurality of IPs according to the domain names associated with each IP;
and a third determining unit 40, configured to determine the first IP and the second IP as target IPs, and obtain a set of target IPs.
In the IP extraction device provided by the embodiment of the application, the obtaining unit 10 acquires a plurality of domain names and the IPs associated with each domain name within a first preset time period, to obtain a plurality of IPs, and determines whether each domain name has an alias; the first determining unit 20 determines, when the domain name has an alias, the IPs associated with the domain name from the plurality of IPs according to a field of the alias, to obtain at least one first IP; the second determining unit 30 determines, when the domain name does not have an alias, a second IP from the plurality of IPs according to the domain names associated with each IP; and the third determining unit 40 determines the first IP and the second IP as target IPs, to obtain a set of target IPs. This solves the problem in the related art that content distribution network IPs are determined inaccurately. A white list for the content distribution network is constructed from the domain names whose aliases contain a content distribution network field and from the domain names of content distribution network manufacturers, and the IPs corresponding to the content distribution network are determined by screening the aliases of domain names for repeated fields, thereby achieving the effect of accurately determining content distribution network IPs.
Optionally, in the IP extraction apparatus provided in the embodiment of the present application, the first determining unit 20 includes: a combination module, configured to combine aliases with the same field to obtain a plurality of groups of aliases, and to determine the number of aliases in each group to obtain a plurality of first numbers; a first judging module, configured to judge whether each first number is greater than or equal to an alias number threshold; and a first determining module, configured to determine, when the first number is greater than or equal to the alias number threshold, the IPs among the plurality of IPs that are associated with the domain names corresponding to that group of aliases as first IPs.
Optionally, in the IP extraction apparatus provided in the embodiment of the present application, the first determining unit 20 includes: a second judging module, configured to judge whether the alias contains a target field, wherein the target field is a content distribution network field; a second determining module, configured to determine, when the alias contains the target field, for each IP a second number of associated domain names whose aliases contain the target field, to obtain a plurality of second numbers; a third judging module, configured to judge whether each second number is greater than or equal to a first domain name number threshold; and a third determining module, configured to determine, when the second number is greater than or equal to the first domain name number threshold, the IP corresponding to the second number as the first IP, and to add the domain names corresponding to the aliases containing the target field to a white list, wherein the white list contains a plurality of preset domain names.
Optionally, in the IP extraction apparatus provided in the embodiment of the present application, the second determining unit 30 includes: a fourth determining module, configured to determine the number of domain names in the whitelist associated with each IP in a second preset period of time, obtain a third number, and determine whether the third number is greater than or equal to a second number threshold of domain names; and a fifth determining module, configured to determine, when the third number is greater than or equal to the second number threshold of domain names, an IP corresponding to the third number as the second IP.
Optionally, in the IP extraction apparatus provided in the embodiment of the present application, the white list is obtained by acquiring the domain names of a plurality of content distribution network manufacturers and determining the white list according to the domain names of the content distribution network manufacturers.
Optionally, in the IP extracting apparatus provided in the embodiment of the present application, the apparatus further includes: a third party IP obtaining unit, configured to obtain a plurality of third party IPs stored in a third party platform, where each third party IP corresponds to a content distribution network vendor; the comparison unit is used for comparing the third party IP corresponding to the same content distribution network manufacturer with the target IP; the first eliminating unit is used for eliminating the target IP from the set under the condition that the third party IP is different from the target IP.
Optionally, in the IP extracting apparatus provided in the embodiment of the present application, the apparatus further includes: the combining unit is used for combining the target IPs with the same fields to obtain a plurality of groups of target IPs; the judging unit is used for judging whether the number of the IPs in each group of target IPs is smaller than an IP number threshold value or not; and the second eliminating unit is used for eliminating the group of target IPs from the set under the condition that the number of the IPs in the group of target IPs is smaller than an IP number threshold value.
The IP extracting apparatus includes a processor and a memory, the acquiring unit 10, the first determining unit 20, the second determining unit 30, the third determining unit 40, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program unit from the memory. One or more kernels may be provided, and the content distribution network IP is accurately determined by adjusting the kernel parameters.
The memory may include volatile memory, Random Access Memory (RAM), and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM), among other forms of computer readable media, and the memory includes at least one memory chip.
The embodiment of the application also provides a nonvolatile storage medium, which comprises a stored program, wherein the program is used for controlling equipment where the nonvolatile storage medium is located to execute an IP extraction method when running.
The embodiment of the application also provides an electronic device, which comprises a processor and a memory; the memory stores computer readable instructions, and the processor is configured to execute the computer readable instructions, wherein the computer readable instructions, when executed, perform an IP extraction method. The electronic device herein may be a server, a PC, a PAD, a mobile phone, etc.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one ..." does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (8)

1. An IP extraction method, comprising:
acquiring a plurality of domain names and the IP associated with each domain name in a first preset time period to acquire a plurality of IP, and judging whether each domain name has an alias or not;
when the domain name has the alias, determining the IPs associated with the domain name from the plurality of IPs according to a field of the alias, to obtain at least one first IP, wherein determining the IPs associated with the domain name from the plurality of IPs according to the field of the alias comprises: judging whether the alias contains a target field, wherein the target field is a content distribution network field; when the alias contains the target field, determining, for each IP, a second number of associated domain names whose aliases contain the target field, to obtain a plurality of second numbers; judging whether each second number is greater than or equal to a first domain name number threshold; and when the second number is greater than or equal to the first domain name number threshold, determining the IP corresponding to the second number as the first IP and adding the domain names corresponding to the aliases containing the target field to a white list, wherein the white list contains a plurality of preset domain names;
when the domain name does not have the alias, determining a second IP from the plurality of IPs according to the domain names associated with each IP, wherein determining the second IP from the plurality of IPs according to the domain names associated with each IP comprises: determining, within a second preset time period, the number of domain names associated with each IP that are in the white list, to obtain a third number, and judging whether the third number is greater than or equal to a second domain name number threshold; and when the third number is greater than or equal to the second domain name number threshold, determining the IP corresponding to the third number as the second IP;
and determining the first IP and the second IP as target IP, and obtaining the set of target IP.
2. The method of claim 1, wherein determining the IP associated with the domain name from the plurality of IPs based on the fields of the alias comprises:
combining aliases with the same field to obtain a plurality of groups of aliases, and determining the number of the aliases in each group of aliases to obtain a plurality of first numbers;
judging whether each first number is larger than or equal to an alias number threshold value or not respectively;
and when the first number is greater than or equal to the alias number threshold, determining the IPs among the plurality of IPs that are associated with the domain names corresponding to that group of aliases as the first IP.
3. The method according to claim 1, characterized in that the whitelist is obtained by:
acquiring domain names of a plurality of content distribution network manufacturers, and determining the white list according to the domain names of the content distribution network manufacturers.
4. The method of claim 1, wherein after determining the first IP and the second IP as target IPs, resulting in the set of target IPs, the method further comprises:
acquiring a plurality of third party IPs stored by a third party platform, wherein each third party IP corresponds to a content distribution network manufacturer;
comparing the third party IP corresponding to the same content distribution network manufacturer with the target IP;
and eliminating the target IP from the set under the condition that the third party IP is different from the target IP.
5. The method of claim 1, wherein after determining the first IP and the second IP as target IPs, resulting in the set of target IPs, the method further comprises:
combining the target IPs with the same fields to obtain a plurality of groups of target IPs;
judging whether the number of the IPs in each group of the target IPs is smaller than an IP number threshold value or not;
and eliminating the group of the target IP from the set under the condition that the number of the IP in the group of the target IP is smaller than the IP number threshold value.
6. An IP extraction device, comprising:
an obtaining unit, configured to obtain a plurality of domain names and IP associated with each domain name in a first preset time period, and determine whether each domain name has an alias or not;
a first determining unit, configured to determine, when the domain name has the alias, the IPs associated with the domain name from the plurality of IPs according to a field of the alias, to obtain at least one first IP, wherein the first determining unit includes: a second judging module, configured to judge whether the alias contains a target field, wherein the target field is a content distribution network field; a second determining module, configured to determine, when the alias contains the target field, for each IP a second number of associated domain names whose aliases contain the target field, to obtain a plurality of second numbers; a third judging module, configured to judge whether each second number is greater than or equal to a first domain name number threshold; and a third determining module, configured to determine, when the second number is greater than or equal to the first domain name number threshold, the IP corresponding to the second number as the first IP, and to add the domain names corresponding to the aliases containing the target field to a white list, wherein the white list contains a plurality of preset domain names;
a second determining unit, configured to determine, when the domain name does not have the alias, a second IP from the plurality of IPs according to the domain names associated with each IP, the second determining unit including: a fourth determining module, configured to determine, within a second preset time period, the number of domain names associated with each IP that are in the white list, to obtain a third number, and to judge whether the third number is greater than or equal to a second domain name number threshold; and a fifth determining module, configured to determine, when the third number is greater than or equal to the second domain name number threshold, the IP corresponding to the third number as the second IP;
and a third determining unit, configured to determine the first IP and the second IP as target IPs, and obtain a set of the target IPs.
7. A non-volatile storage medium for storing a program, wherein the program, when executed, controls a device in which the non-volatile storage medium is located to perform the IP extraction method of any one of claims 1 to 5.
8. An electronic device comprising a processor and a memory, the memory having stored therein computer readable instructions, and the processor being configured to execute the computer readable instructions, wherein the computer readable instructions when executed perform the IP extraction method of any one of claims 1 to 5.
CN202211001459.4A 2022-08-19 2022-08-19 IP extraction method and device, storage medium and electronic device Active CN115361358B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211001459.4A CN115361358B (en) 2022-08-19 2022-08-19 IP extraction method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN115361358A CN115361358A (en) 2022-11-18
CN115361358B CN115361358B (en) 2024-02-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant