CN115550021A - Method and system for accurately replicating network space in big data environment and storage medium - Google Patents
- Publication number: CN115550021A (application CN202211172640.1A)
- Authority: CN (China)
- Prior art keywords: domain name, diagnosis target, message, detected, malicious
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security; H04L63/14: detecting or protecting against malicious traffic; H04L63/1408: by monitoring network traffic)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/02: separating internal from external traffic, e.g. firewalls; H04L63/0227: Filtering policies)
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (H04L63/14: detecting or protecting against malicious traffic; H04L63/1441: Countermeasures against malicious traffic)
Abstract
The invention discloses a method, a system and a storage medium for precise countermeasures in cyberspace under a big data environment (the machine-translated title renders the Chinese term for countermeasure as "replicating" or "copying"), and relates to the field of network security. The method comprises the following steps: receiving a message to be detected and acquiring the communication data in it; capturing the DNS query from that communication data and extracting the diagnosis target domain name; diagnosing the diagnosis target domain name with a DGA detection process; if the diagnosis target domain name is judged to be a malicious domain name, starting a countermeasure mechanism; and interrupting the communication nodes of the malicious domain name through the countermeasure mechanism. The invention improves the capability to counter network attacks and safeguards cyberspace security.
Description
Technical Field
The invention relates to the field of network security, in particular to a method and a system for precise countermeasures in cyberspace under a big data environment, and a storage medium.
Background
The rapid development of network information technology has brought great convenience to people's lives and work, but the network also carries many security problems. The network is a virtual space, and criminals exploit that virtuality to carry out illegal intrusions and steal other people's private information, causing serious security problems.
With the use of attack platforms, commercial trojans and open-source malicious tools, network attack and defence is becoming deeper and more refined by the day, and analysis technologies such as artificial intelligence and big data urgently need to be introduced to improve the capability to counter network attacks and to form a deterrent against attackers.
Disclosure of Invention
In view of this, the invention provides a method, a system and a storage medium for precise countermeasures in cyberspace under a big data environment, which identify malicious domain names with a DGA detection algorithm and promptly locate the compromised host to complete a precise countermeasure.
In order to achieve the purpose, the invention adopts the following technical scheme:
In one aspect, a method for precise countermeasures in cyberspace under a big data environment is disclosed, comprising the following steps:
receiving a message to be detected and acquiring the communication data in the message to be detected;
capturing the DNS query from the communication data in the message to be detected, and extracting the diagnosis target domain name;
diagnosing the diagnosis target domain name with a DGA detection process;
if the diagnosis target domain name is judged to be a malicious domain name, starting a countermeasure mechanism;
and interrupting the communication nodes of the malicious domain name through the countermeasure mechanism.
Optionally, the algorithm of the countermeasure mechanism is specifically as follows:
establishing a network connection graph based on the average total communication traffic, the average number of communication packets and the average number of communication connections;
deleting from the network graph the nodes that do not communicate with the abnormal domain name nodes, and selecting any abnormal domain name node as the initial node;
traversing adjacent nodes from the initial node, and finding the shortest path between two abnormal domain name nodes with an ant colony algorithm;
and searching along the shortest path, interrupting the nodes that occur most often together with the abnormal domain name nodes, and thereby completing the countermeasure mechanism.
Optionally, the DGA detection process includes static feature detection and dynamic feature detection.
Optionally, the static feature detection specifically includes: extracting the static features of the diagnosis target domain name and judging with a static feature classifier; for a judgement whose reliability is higher than a preset threshold, directly giving the conclusion, ending the process and adding the diagnosis target domain name to the white list; judging all other results as suspicious domain names and entering the dynamic feature detection process.
Optionally, the dynamic feature detection specifically includes: extracting the dynamic features of the diagnosis target and judging with a dynamic feature classifier; for a judgement whose reliability is higher than a preset threshold, giving the conclusion and putting the diagnosis target into the corresponding black list or white list; for all other results, giving only the conclusion without modifying the black or white list.
Optionally, the method further includes storing the detection results of the DGA detection process in a database, where the database includes a white list database and a black list database; the white list database stores safe destination hosts and destination server domain names; the black list database stores known malicious features, which the malicious feature detection engine uses for matching; and a temporary operation database stores the temporary data storage addresses and calculation results of each module.
In another aspect, a system for precise countermeasures in cyberspace under a big data environment is also disclosed, comprising:
a module for receiving and acquiring the data to be detected: used for receiving a message to be detected and acquiring the communication data in the message to be detected;
a diagnosis target domain name extraction module: used for capturing the DNS query from the communication data in the message to be detected and extracting the diagnosis target domain name;
a DGA diagnosis module: used for diagnosing the diagnosis target domain name with a DGA detection process;
a malicious domain name interruption module: used for starting a countermeasure mechanism if the diagnosis target domain name is judged to be a malicious domain name, and interrupting the communication nodes of the malicious domain name through the countermeasure mechanism.
Finally, a computer storage medium is disclosed, on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of any of the methods for precise countermeasures in cyberspace under a big data environment described above.
Compared with the prior art, the method, system and storage medium for precise countermeasures in cyberspace under a big data environment disclosed here have the following beneficial effects:
1. traffic can be captured for analysis and use in the subsequent process without interfering with normal communication traffic;
2. the capability to counter network attacks is improved and cyberspace security is safeguarded.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a schematic view of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The embodiment of the invention discloses a method for precise countermeasures in cyberspace under a big data environment which, as shown in FIG. 1, comprises the following steps:
receiving a message to be detected and acquiring the communication data in the message to be detected;
capturing the DNS query from the communication data in the message to be detected, and extracting the diagnosis target domain name;
diagnosing the diagnosis target domain name with a DGA detection process;
if the diagnosis target domain name is judged to be a malicious domain name, starting a countermeasure mechanism;
and interrupting the communication nodes of the malicious domain name through the countermeasure mechanism.
In this embodiment, the algorithm of the countermeasure mechanism is specifically as follows:
establishing a network connection graph based on the average total communication traffic, the average number of communication packets and the average number of communication connections;
deleting from the network graph the nodes that do not communicate with the abnormal domain name nodes, and selecting any abnormal domain name node as the initial node;
traversing adjacent nodes from the initial node, and finding the shortest path between two abnormal domain name nodes with an ant colony algorithm;
and searching along the shortest path, interrupting the nodes that occur most often together with the abnormal domain name nodes, and thereby completing the countermeasure mechanism.
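The countermeasure graph procedure above, written out as an added example in Python; this is not the patent's own code. It builds the connection graph from constructed flow records, prunes every node that cannot reach an abnormal domain name node, finds the shortest path between each pair of abnormal nodes and blocks the intermediate node that appears on the most paths together with the abnormal nodes themselves. Two things are assumptions: the edge weight is taken as the inverse of the pair's average traffic volume, since the patent says only that the graph is built from average traffic, packets and connection counts, and Dijkstra's algorithm is used in place of the ant colony search, which would give the same path on a graph this small but is stochastic.

```python
import heapq
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record between two nodes (constructed sample data)."""
    src: str
    dst: str
    bytes_total: int
    packets: int
    connections: int


def build_graph(flows):
    """Undirected weighted graph; weight = 1 / (1 + avg traffic terms), so pairs that
    talk a lot are 'close' (assumed weighting, the patent gives no formula)."""
    agg = defaultdict(list)
    for f in flows:
        if f.src != f.dst:
            agg[frozenset((f.src, f.dst))].append(f)
    graph = defaultdict(dict)
    for pair, recs in agg.items():
        a, b = sorted(pair)
        n = len(recs)
        avg_bytes = sum(r.bytes_total for r in recs) / n
        avg_pkts = sum(r.packets for r in recs) / n
        avg_conns = sum(r.connections for r in recs) / n
        weight = 1.0 / (1.0 + avg_bytes / 1024 + avg_pkts + avg_conns)
        graph[a][b] = graph[b][a] = weight
    return dict(graph)


def prune(graph, abnormal):
    """Keep only nodes that can reach an abnormal domain name node."""
    keep, stack = set(), [n for n in abnormal if n in graph]
    while stack:
        n = stack.pop()
        if n in keep:
            continue
        keep.add(n)
        stack.extend(m for m in graph[n] if m not in keep)
    return {n: {m: w for m, w in graph[n].items() if m in keep} for n in keep}


def shortest_path(graph, start, goal):
    """Dijkstra (stands in for the patent's ant colony search)."""
    dist, prev, heap = {start: 0.0}, {}, [(0.0, start)]
    while heap:
        d, n = heapq.heappop(heap)
        if n == goal:
            break
        if d > dist[n]:
            continue  # stale heap entry
        for m, w in graph[n].items():
            nd = d + w
            if nd < dist.get(m, float("inf")):
                dist[m], prev[m] = nd, n
                heapq.heappush(heap, (nd, m))
    if goal not in dist:
        return None
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return path[::-1]


def countermeasure_targets(flows, abnormal):
    """Return (nodes to interrupt, shortest paths found, pruned graph)."""
    graph = prune(build_graph(flows), abnormal)
    present = sorted(d for d in abnormal if d in graph)
    occurrences, paths = defaultdict(int), {}
    for a, b in combinations(present, 2):  # every pair of abnormal nodes
        path = shortest_path(graph, a, b)
        if path is None:
            continue
        paths[(a, b)] = path
        for node in path[1:-1]:  # intermediate nodes only
            occurrences[node] += 1
    top = max(occurrences.values(), default=0)
    pivots = {n for n, c in occurrences.items() if c == top}
    return pivots | set(present), paths, graph


# Constructed records: hosts H1/H2 reach three abnormal domains D1..D3 through a
# pivot P; H1 also talks to D3 directly; U1/U2 are an unrelated pair.
SAMPLE_FLOWS = [
    Flow("H1", "P", 50_000, 400, 10), Flow("H2", "P", 20_000, 150, 4),
    Flow("P", "D1", 80_000, 600, 20), Flow("P", "D2", 70_000, 500, 18),
    Flow("P", "D3", 60_000, 450, 15), Flow("H1", "D3", 5_000, 40, 2),
    Flow("U1", "U2", 90_000, 700, 30),
]
ABNORMAL = {"D1", "D2", "D3"}

if __name__ == "__main__":
    targets, paths, _ = countermeasure_targets(SAMPLE_FLOWS, ABNORMAL)
    print("interrupt:", sorted(targets), "paths:", paths)
```

With these records every pair of abnormal nodes is joined through P, so P is the node to interrupt in addition to D1, D2 and D3, while U1 and U2 are dropped in the pruning step and never considered.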
The DGA detection process comprises static feature detection and dynamic feature detection.
The static feature detection specifically comprises: extracting the static features of the diagnosis target domain name and judging with a static feature classifier; for a judgement whose reliability is higher than a preset threshold, directly giving the conclusion, ending the process and adding the diagnosis target domain name to the white list; judging all other results as suspicious domain names and entering the dynamic feature detection process.
The dynamic feature detection specifically comprises: extracting the dynamic features of the diagnosis target and judging with a dynamic feature classifier; for a judgement whose reliability is higher than a preset threshold, giving the conclusion and putting the diagnosis target into the corresponding black list or white list; for all other results, giving only the conclusion without modifying the black or white list.
Specifically, the detection process is triggered by a DNS query capture event in the protected network. The diagnosis target first passes through the white list filter and the black list filter; if either list hits, the conclusion is given immediately and the process ends, otherwise detection continues. The static features of the diagnosis target are extracted and judged with the static feature classifier; a high-reliability judgement is given directly as the conclusion and the process ends, while all other results are judged "suspicious domain names" and enter the subsequent process. The dynamic features of the diagnosis target are then extracted and judged with the dynamic feature classifier; a high-reliability judgement is given as the conclusion and the diagnosis target is placed on the corresponding black or white list, while other results are given only as a conclusion without modifying the black and white lists.
In the whole detection process a judgement is made at most four times: by the white list filter, the black list filter, the static feature classifier and the dynamic feature classifier.
The black and white list database is self-maintained: during the research process, highly reliable results from the dynamic feature classifier are imported into the black and white list database to improve detection efficiency.
The white list is initialised with the top-ranked Alexa domain names, which a crawler can obtain from websites such as top. The black list is initialised in two ways: first, domain names hosting trojans are obtained by a crawler from trojan-hosting reporting platforms such as www.ova.org.cn/virusAddress/listBlack and untroubled.org/spam/; second, domain names are extracted from public spam databases. Since trojan distribution and spam are the main purposes of botnets, this covers a large number of malicious domain names.
The static feature classifier is mainly aimed at real-time detection of malicious domain names related to the Domain Flux technique. Its detection principle rests on the premise that good (normal) domain names follow certain statistical rules in how they are constructed: the length should not be too long; even when the name contains digits there should not be too many; and alternation between digits and letters generally occurs no more than twice. These construction rules essentially make a domain name easy to remember and leave a deep impression, which helps promote a website; it is worth noting that such domain names are always snapped up immediately or even speculated on, so their registration cost is very high. Botnets, on the contrary, do not use domain names to be remembered by people but for connections between computers and, together with registration cost considerations, ignore the above construction rules entirely. Starting from these rules, statistical features that distinguish malicious from normal domain names can therefore be established effectively.
This example is developed mainly from the following static features:
Length of the domain name: for example, www.163.com has length 11.
Digit ratio: digitRatio = DigitNum / length, where DigitNum is the number of digits in the FQDN.
Digit-to-letter switching ratio: two adjacent characters are called an "adjacent character pair"; if exactly one character of the pair is a digit, the pair is a "digit-letter switch". The feature is the ratio of the total number of digit-letter switches to the total number of adjacent character pairs.
Ratio of site name length to main domain name length: siteRatio = SiteLength / MainDomainLength, where SiteLength is the length of the site name in the FQDN and MainDomainLength is the length of the main domain name. For example, in www.163.com the site name is www, so SiteLength = 3, and the main domain name is 163, so MainDomainLength = 3.
Number of hyphens: the number of "-" connectors in the FQDN.
Maximum label length: the FQDN is split into several strings with the dot "." as separator; the feature is the length of the longest of them.
Type of country top-level domain: such as "cn", "jp", etc.
Type of international top-level domain: such as "com", "net", etc.
Type of second-level international top-level domain: such as "edu", "gov", etc.
The training samples of the static feature classifier come from the existing black and white lists: the static features can be computed directly for each FQDN to form a training sample, and the samples are labelled into two classes, normal domain names and malicious domain names, according to the list they came from. An SVM is used to build the classifier model on these samples; besides the class, the model also outputs a probability.
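The nine static features listed above, computed exactly as they are defined, as an added Python example that is not code from the patent or its applicant; it lets the worked values for www.163.com be checked and produces the numeric vector an SVM would be trained on. The TLD tables, the rule that the label directly left of the top-level domain labels is the "main domain name" and everything further left is the "site name", and the encoding of the three TLD types as presence indicators are assumptions the patent does not spell out; the SVM training itself is not reproduced.

```python
from dataclasses import dataclass

# Constructed TLD tables; the patent names only a few members of each type.
COUNTRY_TLDS = {"cn", "jp", "uk", "de", "fr", "ru", "kr"}
INTL_TLDS = {"com", "net", "org", "info", "biz"}
SECOND_LEVEL_INTL = {"edu", "gov", "mil", "ac", "co"}


@dataclass(frozen=True)
class StaticFeatures:
    length: int
    digit_ratio: float
    switch_ratio: float
    site_ratio: float
    hyphen_count: int
    max_label_len: int
    country_tld: str
    intl_tld: str
    second_level_intl: str


def split_fqdn(fqdn):
    """Peel TLD labels off the right, take the next label as the main domain name
    and whatever is left as the site name (assumed layout)."""
    labels = fqdn.lower().rstrip(".").split(".")
    country = labels.pop() if labels and labels[-1] in COUNTRY_TLDS else ""
    intl = labels.pop() if labels and labels[-1] in INTL_TLDS else ""
    second = labels.pop() if labels and labels[-1] in SECOND_LEVEL_INTL else ""
    main = labels.pop() if labels else ""
    return ".".join(labels), main, country, intl, second


def switch_ratio(fqdn):
    """Share of adjacent character pairs in which exactly one character is a digit."""
    pairs = list(zip(fqdn, fqdn[1:]))
    if not pairs:
        return 0.0
    switches = sum(1 for a, b in pairs if a.isdigit() != b.isdigit())
    return switches / len(pairs)


def static_features(fqdn):
    fqdn = fqdn.lower().rstrip(".")
    site, main, country, intl, second = split_fqdn(fqdn)
    digits = sum(1 for c in fqdn if c.isdigit())
    return StaticFeatures(
        length=len(fqdn),
        digit_ratio=digits / len(fqdn) if fqdn else 0.0,
        switch_ratio=switch_ratio(fqdn),
        site_ratio=len(site) / len(main) if main else 0.0,
        hyphen_count=fqdn.count("-"),
        max_label_len=max((len(label) for label in fqdn.split(".")), default=0),
        country_tld=country,
        intl_tld=intl,
        second_level_intl=second,
    )


def feature_vector(fqdn):
    """Numeric vector for the SVM; TLD types become 0/1 presence indicators."""
    f = static_features(fqdn)
    return [f.length, f.digit_ratio, f.switch_ratio, f.site_ratio, f.hyphen_count,
            f.max_label_len, float(bool(f.country_tld)), float(bool(f.intl_tld)),
            float(bool(f.second_level_intl))]


if __name__ == "__main__":
    for name in ("www.163.com", "www.tsinghua.edu.cn", "x7k2q9fj3a.net"):
        print(name, static_features(name))
```

For www.163.com the ten adjacent pairs contain two digit-letter switches (".1" and "3."), so the switching ratio is 0.2, the digit ratio is 3/11 and the site ratio is 3/3; a DGA-looking label such as x7k2q9fj3a.net scores far higher on both ratios.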
The dynamic feature classifier is mainly aimed at real-time detection of malicious domain names related to the FFSN (fast-flux service network) technique. Its detection principle rests on the premise that normal domain names generally fall into two types. In the first and most common, one domain name corresponds to one IP address and the TTL (domain name cache duration) is generally large. In the second, one domain name corresponds to a group of fixed IP addresses with essentially fixed physical locations; this generally occurs at sites with a large volume of traffic that use CDN technology for load balancing.
In other cases it is likely that a botnet is maintaining the appearance of a whole network communicating with malicious domain names. For example, because botnets are fragile, the C&C proxy often fails, and the IP address corresponding to a malicious domain name then has to be replaced by that of a new C&C proxy, so frequent IP changes and shifting geographic distribution are obvious phenomena. Based on these phenomena a statistical signature can be established by collecting the results returned by N DNS requests (empirical value: 20 requests, 3 hours apart) for the same diagnosis target (domain name).
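The four-stage judgement sequence described in this section (white list filter, black list filter, static classifier, dynamic classifier, with the lists updated only by high-reliability verdicts) together with a dynamic scorer over N captured DNS answers, written as an added Python example that is not the patent's own code. The two threshold values, the two small rule-based scorers that stand in for the patent's SVM and dynamic feature classifier, and the three observation sets are all assumptions constructed for the example; as the text specifies, the static stage only ever clears a domain, and anything it cannot clear with high confidence is passed on as suspicious.

```python
from dataclasses import dataclass, field
from typing import Callable, Sequence

# Assumed "preset threshold" values; the patent names thresholds but gives no numbers.
STATIC_THRESHOLD = 0.9
DYNAMIC_THRESHOLD = 0.9


@dataclass(frozen=True)
class DnsObservation:
    """One captured DNS answer for the diagnosis target (constructed sample data)."""
    ips: tuple        # A records in the answer
    ttl: int          # answer TTL in seconds
    countries: tuple  # constructed geolocation per IP, same order as ips


@dataclass(frozen=True)
class Verdict:
    domain: str
    stage: str        # which of the four judgements produced the conclusion
    malicious: bool
    confidence: float
    listed: bool      # whether the black/white lists were updated


def simple_static_score(domain: str) -> float:
    """P(malicious) from digit ratio and length; a transparent stand-in for the SVM."""
    digit_ratio = sum(c.isdigit() for c in domain) / max(len(domain), 1)
    return min(1.0, 3.0 * digit_ratio + 0.02 * max(0, len(domain) - 15))


def simple_dynamic_score(obs: Sequence[DnsObservation]) -> float:
    """P(malicious) from N answers: IP churn, geographic spread and low TTL (assumed weights)."""
    if not obs:
        return 0.5
    all_ips = [ip for o in obs for ip in o.ips]
    churn = len(set(all_ips)) / max(len(all_ips), 1)
    countries = {c for o in obs for c in o.countries}
    mean_ttl = sum(o.ttl for o in obs) / len(obs)
    return min(1.0, 0.6 * churn + 0.2 * (len(countries) > 1) + 0.2 * (mean_ttl < 300))


@dataclass
class DgaDetector:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    static_clf: Callable[[str], float] = simple_static_score
    dynamic_clf: Callable[[Sequence[DnsObservation]], float] = simple_dynamic_score

    def diagnose(self, domain: str, obs: Sequence[DnsObservation]) -> Verdict:
        # Judgements 1 and 2: a list hit ends the process immediately.
        if domain in self.whitelist:
            return Verdict(domain, "whitelist", False, 1.0, False)
        if domain in self.blacklist:
            return Verdict(domain, "blacklist", True, 1.0, False)
        # Judgement 3: only a high-reliability 'normal' verdict ends here (and whitelists).
        p_bad = self.static_clf(domain)
        if 1.0 - p_bad >= STATIC_THRESHOLD:
            self.whitelist.add(domain)
            return Verdict(domain, "static", False, 1.0 - p_bad, True)
        # Judgement 4: dynamic classifier over the collected DNS answers.
        q_bad = self.dynamic_clf(obs)
        if q_bad >= DYNAMIC_THRESHOLD:
            self.blacklist.add(domain)
            return Verdict(domain, "dynamic", True, q_bad, True)
        if 1.0 - q_bad >= DYNAMIC_THRESHOLD:
            self.whitelist.add(domain)
            return Verdict(domain, "dynamic", False, 1.0 - q_bad, True)
        # Low-reliability result: report a conclusion, leave both lists untouched.
        return Verdict(domain, "dynamic", q_bad >= 0.5, max(q_bad, 1.0 - q_bad), False)


# Constructed observation sets standing in for N=20 answers captured 3 hours apart.
STABLE = [DnsObservation(("203.0.113.10",), 3600, ("CN",)) for _ in range(20)]
FLUX = [DnsObservation((f"198.51.100.{2 * i}", f"198.51.100.{2 * i + 1}"), 60,
                       (("US", "BR", "IN", "RU")[i % 4],) * 2) for i in range(20)]
CDN_LIKE = [DnsObservation((f"192.0.2.{i % 4}",), 60, ("CN",)) for i in range(20)]


def run_demo():
    det = DgaDetector(whitelist={"www.163.com"}, blacklist={"known-bad.example"})
    verdicts = {
        "listed_good": det.diagnose("www.163.com", STABLE),
        "listed_bad": det.diagnose("known-bad.example", FLUX),
        "static_clear": det.diagnose("www.example.com", STABLE),
        "flux": det.diagnose("x7k2q9fj3a.net", FLUX),
        "unsure": det.diagnose("cdn123.example.net", CDN_LIKE),
    }
    return det, verdicts


if __name__ == "__main__":
    for key, v in run_demo()[1].items():
        print(key, v)
```

The CDN-like case is the one worth watching: a handful of fixed addresses with a short TTL is neither a clear fast-flux signature nor a clearly normal one, so the detector reports a conclusion but, as the text requires, leaves both lists alone rather than poisoning the self-maintained database with a low-confidence result.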
In this embodiment, the method further includes storing the detection results of the DGA detection process in a database, where the database includes a white list database and a black list database; the white list database stores safe destination hosts and destination server domain names; the black list database stores known malicious features, which the malicious feature detection engine uses for matching; and a temporary operation database stores the temporary data storage addresses and calculation results of each module.
In another aspect, a system for precise countermeasures in cyberspace under a big data environment is also disclosed which, as shown in FIG. 2, comprises:
a module for receiving and acquiring the data to be detected: used for receiving a message to be detected and acquiring the communication data in the message to be detected;
a diagnosis target domain name extraction module: used for capturing the DNS query from the communication data in the message to be detected and extracting the diagnosis target domain name;
a DGA diagnosis module: used for diagnosing the diagnosis target domain name with a DGA detection process;
a malicious domain name interruption module: used for starting a countermeasure mechanism if the diagnosis target domain name is judged to be a malicious domain name, and interrupting the communication nodes of the malicious domain name through the countermeasure mechanism.
Finally, a computer storage medium is disclosed, on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of any of the methods for precise countermeasures in cyberspace under a big data environment described above.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (8)
1. A method for precise countermeasures in cyberspace under a big data environment, characterised by comprising the following steps:
receiving a message to be detected and acquiring the communication data in the message to be detected;
capturing the DNS query from the communication data in the message to be detected, and extracting the diagnosis target domain name;
diagnosing the diagnosis target domain name with a DGA detection process;
if the diagnosis target domain name is judged to be a malicious domain name, starting a countermeasure mechanism;
and interrupting the communication nodes of the malicious domain name through the countermeasure mechanism.
2. The method for precise countermeasures in cyberspace under a big data environment according to claim 1, characterised in that the algorithm of the countermeasure mechanism is specifically as follows:
establishing a network connection graph based on the average total communication traffic, the average number of communication packets and the average number of communication connections;
deleting from the network graph the nodes that do not communicate with the abnormal domain name nodes, and selecting any abnormal domain name node as the initial node;
traversing adjacent nodes from the initial node, and finding the shortest path between two abnormal domain name nodes with an ant colony algorithm;
and searching along the shortest path, interrupting the nodes that occur most often together with the abnormal domain name nodes, and thereby completing the countermeasure mechanism.
3. The method according to claim 1, characterised in that the DGA detection process comprises static feature detection and dynamic feature detection.
4. The method according to claim 3, characterised in that the static feature detection specifically comprises: extracting the static features of the diagnosis target domain name and judging with a static feature classifier; for a judgement whose reliability is higher than a preset threshold, directly giving the conclusion, ending the process and adding the diagnosis target domain name to the white list; judging all other results as suspicious domain names and entering the dynamic feature detection process.
5. The method according to claim 4, characterised in that the dynamic feature detection specifically comprises: extracting the dynamic features of the diagnosis target and judging with a dynamic feature classifier; for a judgement whose reliability is higher than a preset threshold, giving the conclusion and putting the diagnosis target into the corresponding black list or white list; for all other results, giving only the conclusion without modifying the black or white list.
6. The method according to claim 1, further comprising a database for storing the detection results of the DGA detection process, wherein the database comprises a white list database and a black list database; the white list database stores safe destination hosts and destination server domain names; the black list database stores known malicious features, which the malicious feature detection engine uses for matching; and a temporary operation database stores the temporary data storage addresses and calculation results of each module.
7. A system for precise countermeasures in cyberspace under a big data environment, comprising:
a module for receiving and acquiring the data to be detected: used for receiving a message to be detected and acquiring the communication data in the message to be detected;
a diagnosis target domain name extraction module: used for capturing the DNS query from the communication data in the message to be detected and extracting the diagnosis target domain name;
a DGA diagnosis module: used for diagnosing the diagnosis target domain name with a DGA detection process;
a malicious domain name interruption module: used for starting a countermeasure mechanism if the diagnosis target domain name is judged to be a malicious domain name, and interrupting the communication nodes of the malicious domain name through the countermeasure mechanism.
8. A computer storage medium, characterised in that a computer program is stored on the computer storage medium which, when executed by a processor, implements the steps of the method for precise countermeasures in cyberspace under a big data environment according to any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211172640.1A CN115550021A (en) | 2022-09-26 | 2022-09-26 | Method and system for accurately replicating network space in big data environment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211172640.1A CN115550021A (en) | 2022-09-26 | 2022-09-26 | Method and system for accurately replicating network space in big data environment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115550021A true CN115550021A (en) | 2022-12-30 |
Family
ID=84730073
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211172640.1A Pending CN115550021A (en) | 2022-09-26 | 2022-09-26 | Method and system for accurately replicating network space in big data environment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115550021A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180343272A1 (en) * | 2017-05-26 | 2018-11-29 | Qatar Foundation | Method to identify malicious web domain names thanks to their dynamics |
CN112866023A (en) * | 2021-01-13 | 2021-05-28 | 恒安嘉新(北京)科技股份公司 | Network detection method, model training method, device, equipment and storage medium |
CN113746952A (en) * | 2021-09-14 | 2021-12-03 | 京东科技信息技术有限公司 | DGA domain name detection method, device, electronic equipment and computer storage medium |
CN114513355A (en) * | 2022-02-14 | 2022-05-17 | 平安科技(深圳)有限公司 | Malicious domain name detection method, device, equipment and storage medium |
CN114978770A (en) * | 2022-07-25 | 2022-08-30 | 睿至科技集团有限公司 | Internet of things security risk early warning management and control method and system based on big data |
Non-Patent Citations (2)
Title |
---|
王文通; 胡宁; 刘波; 刘欣; 李树栋: "DNS安全防护技术研究综述" (A survey of DNS security protection technologies) * |
王林汝; 吴琳; 蔡冰: "基于静态及动态特征的恶意域名检测技术研究" (Research on malicious domain name detection based on static and dynamic features) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20221230 |