CN116318740A - Method and device for determining malicious domain name - Google Patents


Info

Publication number: CN116318740A
Authority: CN (China)
Prior art keywords: domain name, malicious, dns request, request message, determining
Legal status: Pending
Application number: CN202111529100.XA
Other languages: Chinese (zh)
Inventor: 杨浩鹏
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202111529100.XA
Publication of CN116318740A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application discloses a method and a device for determining a malicious domain name, which relate to the technical field of computer networks. The method comprises the following steps: acquiring a first domain name carried in a first DNS request message; querying the first domain name in a threat intelligence library comprising at least one malware family; if the query of the first domain name in the threat intelligence library is a hit, recording the first time, i.e., the time at which the target malware family to which the first domain name belongs in the threat intelligence library is hit by this query; determining a time difference between the first time and a second time at which the target malware family was previously hit; and if the time difference is smaller than a first threshold value, determining that the first domain name in the first DNS request message is a malicious domain name. The first DNS request message is a DNS request message sent by a host of the internal network to a domain name server of the external network. Each malware family includes one or more malicious domain names.

Description

Method and device for determining malicious domain name
Technical Field
The present disclosure relates to the field of computer networks, and in particular, to a method and an apparatus for determining a malicious domain name.
Background
When a host located in an internal network sends a DNS request message to a domain name server, a security device (e.g., a firewall) for protecting the internal network generally obtains a domain name carried by the DNS request message, and queries whether a domain name carried by the DNS request message exists in a threat intelligence library. If the domain name carried by the DNS request message exists in the threat information library, the security device determines that the domain name carried in the DNS request message is a malicious domain name, and further generates and reports a corresponding security event.
The threat intelligence library includes known malicious domain names, which are generally obtained through extensive data analysis. Malicious domain names include common malicious domain names and collapsed domain names. A common malicious domain name is a domain name that an attacker purchased from a domain name provider, so that the attacker fully holds the right to use it. A collapsed domain name (i.e., a compromised domain name) is a domain name that was purchased and used by a legitimate user but has been illegally occupied by an attacker. For example, a legitimate user provides a network service corresponding to a domain name through a server; an attacker exploits a vulnerability in the operating system of the server using an exploit tool (also referred to as an attack tool) to obtain control of the server, and deploys a CnC control end program for command and control (CnC) on the server. The server then becomes a CnC control end, the attacker can send commands to other infected hosts through it, and the domain name corresponding to the network service provided by the server is a collapsed domain name.
For a collapsed domain name, when its legitimate user finds that the server providing the network service corresponding to the domain name has had a CnC control end implanted by an attacker, the user deletes the CnC control end program and repairs the relevant vulnerabilities, so that the attacker loses control of the domain name. That is, the state of the collapsed domain name is restored from the collapsed state to the normal state. In this case, the provider of the threat intelligence library cannot delete the restored domain name from the library in time. Thus, when the security device later queries the domain name carried by a received DNS request message in the threat intelligence library, a false alarm may be generated if the domain name is one that has already been restored to the normal state. Therefore, the false alarm rate of the security device for malicious domain names is high.
Disclosure of Invention
The application provides a method and a device for determining a malicious domain name, which can reduce the false alarm rate of the malicious domain name reported by safety equipment.
In order to achieve the above purpose, the present application provides the following technical solutions:
In a first aspect, the present application provides a method for determining a malicious domain name. The method comprises the following steps: acquiring a first domain name carried in a first DNS request message, where the first DNS request message is a DNS request message sent by a host of an internal network to a domain name server of an external network; querying a threat intelligence library comprising at least one malware family, each malware family comprising one or more malicious domain names; if the result of querying the threat intelligence library for the first domain name is a hit, recording the first time; determining a time difference between the first time and a second time at which the target malware family was last hit; and if the time difference is less than a first threshold, determining that the first domain name is a malicious domain name. A hit means that one malware family in the threat intelligence library includes the first domain name, and the first time is the time at which the query of the target malware family to which the first domain name belongs in the threat intelligence library is hit.
Because the probability that a normal host in the internal network accesses domain names belonging to the same malware family (i.e., the target malware family) twice in a short time is extremely low, the method provided by the application determines that a domain name belonging to a malware family (e.g., the target malware family) in the threat intelligence library is a malicious domain name only when a host in the internal network accesses domain names of that family twice within the time range of the first threshold. Therefore, the method provided by the application greatly improves the accuracy of determining that the domain name carried by the DNS request message is a malicious domain name, namely, the method reduces the false alarm rate of malicious domain names.
In one possible design, if a query result of querying the threat information repository for the first domain name is a hit, the method further includes: the number of times the targeted malware family is hit is updated. The determining that the first domain name is a malicious domain name includes: if the time difference is smaller than the first threshold value and the hit number of the target malicious software family is larger than or equal to the second threshold value, determining that the first domain name is a malicious domain name.
With this possible design, the malicious domain name determining device determines, as a malicious domain name, a domain name of the same malware family (e.g., the target malware family) in the threat intelligence library that is accessed by a host in the internal network a plurality of times (more than 2 times) within the time range of the first threshold. Therefore, the accuracy of determining that the domain name carried by the DNS request message is a malicious domain name is further improved by this possible design, namely the false alarm rate of malicious domain names is further reduced.
In another possible design, after the determining that the first domain name is a malicious domain name, the method further includes: the first domain name and/or the target malware family are output.
Through the possible design, the malicious domain name determining device achieves the purpose of reporting security events related to the malicious domain name to management personnel of an internal network by outputting the first domain name and/or the target malicious software family. Moreover, the target malicious software family output by the malicious domain name determining device can be used for a manager to pertinently formulate a security event disposal scheme, so that the manager can efficiently remove risks brought by the security event.
In another possible design manner, if the method is applied to a security device in an internal network, the obtaining the first domain name carried in the first DNS request message includes: a first DNS request message is obtained from traffic flowing through the security device. A first domain name is extracted from a first DNS request message.
Through the possible design, the device for determining the malicious domain name can monitor the DNS request messages in all traffic flowing through the safety equipment in the internal network and accurately determine whether the domain names carried in the DNS request messages are malicious domain names, so that the internal network safety is effectively monitored.
In another possible design, if the method is applied to a cloud device that is connected to and communicates with a border device of an internal network, where the border device is located at the border between the internal network and an external network, the obtaining of the first domain name carried in the first DNS request message includes: receiving a domain name query request sent by the border device, where the domain name query request comprises the first domain name carried in the first DNS request message.
In another possible design, after determining that the first domain name is a malicious domain name, the method further includes: returning a domain name query result indicating that the first domain name is a malicious domain name to the border device.
Through the two possible designs, the method for determining the malicious domain name provided by the application executed by the cloud device can not only reduce the false alarm rate of the malicious domain name, but also save the storage resources and the processing resources of the existing security devices in the internal network.
In another possible design, before obtaining the first domain name carried in the first DNS request message, the method further includes: acquiring a second domain name carried in a second DNS request message, where the second DNS request message is sent by a host of the internal network to a domain name server of the external network; querying the second domain name in the threat intelligence library; and if the result of querying the threat intelligence library for the second domain name is a hit, recording the second time.
In another possible design, the first DNS request message and the second DNS request message come from the same host in the internal network.
In another possible design, if the threat information library further includes a common malicious domain name, the first domain name and the second domain name in the threat information library each have a collapse domain name label, where the collapse domain name label is used to indicate that the first domain name and the second domain name in the threat information library are collapse domain names.
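The first aspect and its possible designs above amount to a small piece of per-family state: the time of the last hit and a hit counter, compared against the first and second thresholds. The following Python is an added illustration written for this page, not code from the application or from Huawei; the threat intelligence library, the family names, the domain names, the host addresses and the timestamps are all constructed, and state is keyed by (host, family) so that, as in the "same host" design, the two DNS requests being compared come from the same internal host.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed threat intelligence library for this example: each malware family
# maps to the malicious domain names attributed to it. Family names and domains
# are made up; a real library would also carry IoC context (discovery time,
# collapsed-domain-name tag, and so on).
THREAT_INTEL: dict[str, set[str]] = {
    "family-alpha": {"a1.example", "a2.example", "a3.example"},
    "family-beta": {"b1.example"},
}


def lookup_family(domain: str) -> Optional[str]:
    """Query the library: return the family that contains `domain`, or None on a miss."""
    domain = domain.lower().rstrip(".")
    for family, domains in THREAT_INTEL.items():
        if domain in domains:
            return family
    return None


@dataclass
class FamilyState:
    last_hit: Optional[float] = None  # time of the most recent hit (the "second time")
    hits: int = 0                     # cumulative number of hits on this family


class TimeDiffDetector:
    """A hit is judged malicious when it follows an earlier hit on the same family
    within `first_threshold` seconds and the family's hit count has reached
    `second_threshold` (2 means "accessed twice", the basic first-aspect rule)."""

    def __init__(self, first_threshold: float, second_threshold: int = 2) -> None:
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.state: dict[tuple[str, str], FamilyState] = {}

    def observe(self, host: str, domain: str, now: float) -> tuple[Optional[str], bool]:
        """Process one DNS request; returns (family hit or None, malicious verdict)."""
        family = lookup_family(domain)
        if family is None:
            return None, False                      # miss: nothing is recorded
        st = self.state.setdefault((host, family), FamilyState())
        st.hits += 1
        previous, st.last_hit = st.last_hit, now    # record the "first time"
        if previous is None:
            return family, False                    # no earlier hit to compare with
        within = (now - previous) < self.first_threshold
        return family, within and st.hits >= self.second_threshold


def run_sample() -> list[tuple[str, str, Optional[str], bool]]:
    """Replay constructed DNS requests (time in seconds, source host, queried name)."""
    events = [
        (0.0,    "10.0.0.5", "a1.example"),   # host .5: first hit on family-alpha
        (5.0,    "10.0.0.9", "b1.example"),   # host .9: single visit to a listed name
        (30.0,   "10.0.0.5", "a2.example"),   # host .5 again, 30 s later -> malicious
        (31.0,   "10.0.0.7", "www.example"),  # not in the library: miss
        (7205.0, "10.0.0.9", "b1.example"),   # host .9 two hours later -> no alarm
    ]
    det = TimeDiffDetector(first_threshold=60.0)
    return [(host, name, *det.observe(host, name, t)) for t, host, name in events]


if __name__ == "__main__":
    for host, name, family, bad in run_sample():
        print(f"{host:10} {name:14} family={family!s:13} malicious={bad}")
```

The lone visit by 10.0.0.9 to a listed (possibly restored) domain never raises an alarm, which is exactly the false-positive case the background section describes; only the repeated hits within the threshold from 10.0.0.5 do.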
In a second aspect, the present application provides a method for determining a malicious domain name. The method comprises the following steps: acquiring a first domain name carried in a first DNS request message, where the first DNS request message is a DNS request message sent by a host of an internal network to a domain name server of an external network; querying a threat intelligence library comprising at least one malware family, each malware family comprising one or more malicious domain names; if the query of the first domain name in the threat intelligence library is a hit, updating the number of times that the target malware family to which the first domain name belongs in the library has been hit within a preset time window; and if the hit count of the target malware family in the preset time window is greater than or equal to a set threshold, determining that the first domain name is a malicious domain name. A hit means that one malware family in the threat intelligence library includes the first domain name, and the preset time window is a period of a preset duration that ends at the moment at which the first domain name is queried in the library.
According to the method, when a host in the internal network accesses, a plurality of times within the preset time window, domain names belonging to the same malware family (for example, the target malware family) in the threat intelligence library, the accessed domain name is determined to be a malicious domain name. Because the probability that a normal host in the internal network repeatedly accesses domain names belonging to the same malware family (namely, the target malware family) in a short time is extremely low, the method provided by the application improves the accuracy of determining that the domain name carried by the DNS request message is a malicious domain name, namely, it reduces the false alarm rate of malicious domain names.
In one possible design, the method further includes: outputting the first domain name and/or the target malware family.
Through the possible design, the malicious domain name determining device achieves the purpose of reporting security events related to the malicious domain name to management personnel of an internal network by outputting the first domain name and/or the target malicious software family. Moreover, the target malicious software family output by the malicious domain name determining device can be used for a manager to pertinently formulate a security event disposal scheme, so that the manager can efficiently remove risks brought by the security event.
In another possible design manner, if the method is applied to a security device in an internal network, the obtaining the first domain name carried in the first DNS request message includes: a first DNS request message is obtained from traffic flowing through the security device. A first domain name is extracted from a first DNS request message.
Through the possible design, the device for determining the malicious domain name can monitor the DNS request messages in all traffic flowing through the safety equipment in the internal network and accurately determine whether the domain names carried in the DNS request messages are malicious domain names, so that the internal network safety is effectively monitored.
In another possible design, if the method is applied to a cloud device that is connected to and communicates with a border device of an internal network, where the border device is located at the border between the internal network and an external network, the obtaining of the first domain name carried in the first DNS request message includes: receiving a domain name query request sent by the border device, where the domain name query request comprises the first domain name carried in the first DNS request message.
In another possible design, after determining that the first domain name is a malicious domain name, the method further includes: returning a domain name query result indicating that the first domain name is a malicious domain name to the border device.
Through the two possible designs, the method for determining the malicious domain name provided by the application executed by the cloud device can not only reduce the false alarm rate of the malicious domain name, but also save the storage resources and the processing resources of the existing security devices in the internal network.
In another possible design, the DNS request message carrying all hit domains within the above-mentioned predetermined time window comes from the same host in the internal network.
In another possible design, if the threat information repository further includes a common malicious domain name, a first domain name in the threat information repository is provided with a collapse domain name tag, where the collapse domain name tag is used to indicate that the first domain name in the threat information repository is a collapse domain name.
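The second aspect replaces the time difference between two consecutive hits with a count of hits inside a window of a preset duration that ends at the current query. The following Python is an added illustration for this page, not code from the application or from Huawei; the library, family names, domain names, host addresses and timestamps are constructed. Per (host, family) it keeps only the hit timestamps still inside the window, evicting older ones on each new hit, so memory stays bounded by the hits in one window.

```python
from __future__ import annotations
from collections import deque
from typing import Optional

# Constructed threat intelligence library (made-up families and domain names).
THREAT_INTEL: dict[str, set[str]] = {
    "family-alpha": {"a1.example", "a2.example", "a3.example"},
    "family-beta": {"b1.example"},
}


def lookup_family(domain: str) -> Optional[str]:
    """Return the family whose threat intelligence contains `domain`, or None."""
    domain = domain.lower().rstrip(".")
    for family, domains in THREAT_INTEL.items():
        if domain in domains:
            return family
    return None


class WindowDetector:
    """Count hits on a family within the `window` seconds ending at the current
    query; the queried name is malicious once the count reaches `threshold`."""

    def __init__(self, window: float, threshold: int) -> None:
        self.window = window
        self.threshold = threshold
        # Per (host, family): timestamps of the hits that are still inside the window.
        self.hits: dict[tuple[str, str], deque[float]] = {}

    def observe(self, host: str, domain: str, now: float) -> tuple[Optional[str], bool]:
        """Process one DNS request; returns (family hit or None, malicious verdict)."""
        family = lookup_family(domain)
        if family is None:
            return None, False
        q = self.hits.setdefault((host, family), deque())
        q.append(now)
        # The window ends at `now`; drop every hit that falls before its start.
        while q and now - q[0] > self.window:
            q.popleft()
        return family, len(q) >= self.threshold

    def window_count(self, host: str, family: str) -> int:
        """Hits currently retained for (host, family), for inspection."""
        return len(self.hits.get((host, family), ()))


def run_sample() -> list[tuple[str, str, Optional[str], bool]]:
    """Replay constructed DNS requests with a 300 s window and a threshold of 3."""
    det = WindowDetector(window=300.0, threshold=3)
    events = [
        (0.0,   "10.0.0.5", "a1.example"),   # 1 hit in window
        (10.0,  "10.0.0.9", "b1.example"),   # other host: 1 hit
        (100.0, "10.0.0.5", "a2.example"),   # 2 hits
        (250.0, "10.0.0.5", "a3.example"),   # 3 hits -> malicious
        (420.0, "10.0.0.5", "a1.example"),   # hit at t=0 and t=100 evicted -> 2 hits
        (900.0, "10.0.0.9", "b1.example"),   # hit at t=10 evicted -> 1 hit, no alarm
        (901.0, "10.0.0.7", "www.example"),  # miss
    ]
    return [(host, name, *det.observe(host, name, t)) for t, host, name in events]


if __name__ == "__main__":
    for host, name, family, bad in run_sample():
        print(f"{host:10} {name:14} family={family!s:13} malicious={bad}")
```

Whether a restored collapsed domain name is hit once by a legitimate host or repeatedly by an infected one now shows up as a count, not as a single binary lookup, which is the point of both aspects of the application.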
In a third aspect, the present application provides a device for determining a malicious domain name.
In a possible design manner, the device for determining a malicious domain name is configured to perform any one of the methods provided in the first aspect. The present application may divide the functional module of the device for determining a malicious domain name according to any of the methods provided in the first aspect. For example, each functional module may be divided corresponding to each function, or two or more functions may be integrated in one processing module. For example, the present application may divide the determination device of the malicious domain name into an obtaining unit, a querying unit, a recording unit, a determining unit, and the like according to functions. The description of possible technical solutions and beneficial effects executed by each of the above-divided functional modules may refer to the technical solutions provided by the above first aspect or the corresponding possible designs thereof, and will not be repeated herein.
In another possible design, the device for determining a malicious domain name is configured to perform any one of the methods provided in the second aspect. The present application may divide the functional module of the device for determining a malicious domain name according to any one of the methods provided in the second aspect. For example, each functional module may be divided corresponding to each function, or two or more functions may be integrated in one processing module. For example, the determining device of the malicious domain name may be divided into an obtaining unit, a querying unit, an updating unit, a determining unit and the like according to functions. The description of possible technical solutions and beneficial effects executed by each of the above-divided functional modules may refer to the technical solutions provided by the above second aspect or the corresponding possible designs thereof, and will not be repeated herein.
In another possible design, the device for determining a malicious domain name includes: one or more processors and a transmission interface through which the one or more processors receive or transmit data, the one or more processors being configured to invoke program instructions stored in the memory to cause the means for determining a malicious domain name to perform any of the methods as provided by the first aspect and any of its possible designs, or to perform any of the methods as provided by the second aspect and any of its possible designs.
In a fourth aspect, the present application provides a computer readable storage medium comprising program instructions which, when run on a computer or processor, cause the computer or processor to perform any of the methods provided in any of the possible implementations of the first or second aspects.
In a fifth aspect, the present application provides a computer program product which, when run on a malicious domain name determining device, causes any one of the methods provided in any one of the possible implementations of the first or second aspects to be performed.
In a sixth aspect, the present application provides a chip system, comprising: a processor for calling from a memory and running a computer program stored in the memory, performing any one of the methods provided by the implementation manner in the first aspect or in the second aspect.
It should be appreciated that any of the apparatus, computer storage medium, computer program product, or chip system provided above may be applied to the corresponding method provided above, and thus, the benefits achieved by the apparatus, computer storage medium, computer program product, or chip system may refer to the benefits in the corresponding method, which are not described herein.
In the present application, the names of the above-mentioned malicious domain name determining means do not constitute limitations on the devices or function modules themselves, and in actual implementation, these devices or function modules may appear under other names. Insofar as the function of each device or function module is similar to the present application, it is within the scope of the claims of the present application and the equivalents thereof.
Drawings
Fig. 1 is a schematic diagram of a network system according to an embodiment of the present application;
fig. 2 is a schematic diagram of another network system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of yet another network system according to an embodiment of the present disclosure;
fig. 4 is a schematic hardware structure diagram of a malicious domain name determining device provided in an embodiment of the present application;
fig. 5 is a flow chart of a method for determining a malicious domain name according to an embodiment of the present application;
fig. 6 is a flowchart of another method for determining a malicious domain name according to an embodiment of the present application;
fig. 7 is a flowchart of another method for determining a malicious domain name according to an embodiment of the present application;
fig. 8 is a flowchart of another method for determining a malicious domain name according to an embodiment of the present application;
fig. 9 is a flowchart of another method for determining a malicious domain name according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a malicious domain name determining device according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of another malicious domain name determining device according to an embodiment of the present application.
Detailed Description
For a clearer understanding of embodiments of the present application, some of the terms or techniques involved in the embodiments of the present application are described below:
1) Family of malware
A family of malware is a collection of malware generated by classifying malware according to the functions it implements, the operating system platform it targets, and/or its authors. The malware in the collection runs on the same family of operating system platforms and performs the same or similar functions. Alternatively, the malware in the collection is often written by the same author or author organization.
In an actual attack event, an attacker typically gains control of the attack object (e.g., a host) by installing malware on it and communicating between the CnC control end and the malware. An attack event is an event in which an attacker uses an exploit tool (also referred to as an attack tool) to attack a vulnerability in the operating system of a normally working host so as to obtain control of it, thereby turning the host into a collapsed host. Accordingly, a collapsed host (i.e., an infected host) is a host over which the attacker has obtained control by successfully installing malware after exploiting the vulnerability. Alternatively, attack events are generated by various security detection devices by analyzing security data.
2) Threat information library
Threat intelligence library refers to a collection comprising a plurality of threat intelligence items.
The threat intelligence includes indicators of compromise (Indicator of Compromise, IoC) and IoC context information related to attack events, refined from security data. The description of the attack event may be referred to above, and will not be repeated here.
Typical IoCs include an internet protocol (IP) address, a malicious domain name, a uniform resource locator (URL), or a file hash value, among others. Here, both the IP address and the URL are address information that uniquely identifies, in the network, the host (or attacker server) on which the CnC control end program is deployed. The malicious domain name resolves to the IP address of the host (or attacker server) on which the CnC control end program is deployed. The file hash value is the hash value of the malware (also called a malicious sample file) running on the host; it should be understood that the attacker's CnC control end communicates with the host running the malware in order to control that host. It should be noted that the malicious domain names in the IoC (i.e., in the threat intelligence) include common malicious domain names and collapsed domain names. The description of the common malicious domain name and the collapsed domain name may refer to the above description, and will not be repeated here.
IoC context information typically includes the discovery time, the malware family, the attack technique, the current IoC state, etc. The discovery time refers to the time at which the attack event was discovered. The malware family refers to the family of the malware that communicates with the CnC control end in an attack event. The attack technique includes the technique by which the attacker attacks the collapsed host and the technique by which the CnC control end controls the collapsed host to achieve the attack purpose, and is not limited here. The current IoC state indicates whether the malicious domain name is currently alive.
Threat intelligence service providers obtain the threat intelligence described above (i.e., IoC and IoC context information) by collecting a large amount of data and analyzing the collected data. The threat intelligence service provider then encapsulates the obtained IoC and IoC context information into a data set according to a specific format, and a threat intelligence library is obtained.
In practice, one piece of malware in a malware family can communicate with CnC control ends deployed on multiple servers that provide network services corresponding to multiple malicious domain names. That is, one piece of malware may correspond to multiple malicious domain names. Thus, the malware family to which a piece of malware belongs may be understood as the family to which the multiple malicious domain names corresponding to that malware belong. In this manner, if the threat intelligence in the threat intelligence library is categorized by malware family, the library includes threat intelligence of at least one malware family, and the threat intelligence of each malware family includes one or more malicious domain names.
3) Other terms
In the embodiments of the present application, the terms "first," "second," and the like, do not denote a sequential relationship, but rather are used to distinguish one element from another, and the references to first, second, etc. in the following documents are also used to distinguish one message from another, and are not intended to indicate or imply relative importance or implying an order of technical features indicated.
It should also be understood that, in the embodiments of the present application, the sequence numbers of the processes do not imply an execution order; the execution order of the processes should be determined by their functions and internal logic, and the sequence numbers should not constitute any limitation on the implementation of the embodiments.
In practice, users of the threat intelligence library monitor security events that may exist in the internal network by means of the library. Specifically, a user of the threat intelligence library extracts feature information from a traffic message and queries whether the feature information exists in the library. When it does, the user can determine that the host in the internal network that sent the traffic message is a collapsed host, and further generate and report a corresponding security event. The user of the threat intelligence library may be, for example, a security device in the internal network. The feature information in the traffic message is, for example, a domain name carried in a DNS request message, or a hash value of malware carried in a malware download request message, which is not limited here.
For example, taking the case in which the user of the threat intelligence library is a security device in the internal network and the feature information is a domain name carried in a DNS request message, the security device identifies the DNS request message among the traffic messages sent by a host of the internal network and extracts the domain name carried in it. The security device then queries the domain name in a preset threat intelligence library. When the security device determines that the threat intelligence library includes the domain name, it determines that the domain name is a malicious domain name and that the host in the internal network that sent the DNS request message carrying the domain name is a collapsed host, and sends a security event alarm to remind the administrator of the internal network to handle the collapsed host in time so as to eliminate the security risks it brings.
However, when the malicious domain names in the threat intelligence library include collapsed domain names, the server providing the network service corresponding to a collapsed domain name may by now have regained control of that domain name (that is, the CnC control end program has been deleted from the server and the related vulnerability repaired). Therefore, when the domain name that the security device extracts from a DNS request message is found by the query to be a collapsed domain name in the threat intelligence library, the error rate of the security events reported by the security device is high.
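The "identify the DNS request message and extract the domain name" step above is the part of the security device that the application takes for granted. The following Python is an added illustration for this page, not code from the application or from Huawei: it builds a constructed DNS query packet, parses the header and the question name (rejecting responses, truncated packets and compressed names, which do not belong in a question), and queries a made-up threat intelligence library exactly as the paragraph describes. The library contents, the domain names and the transaction id are all constructed.

```python
import struct
from typing import Optional

# Constructed threat intelligence library: malware family -> malicious domain names.
THREAT_INTEL = {"family-alpha": {"a1.example", "a2.example"}}


def build_dns_query(qname: str, txid: int = 0x1234, response: bool = False) -> bytes:
    """Build a minimal DNS message with one A/IN question (sample packets only)."""
    flags = 0x8180 if response else 0x0100              # QR bit set marks a response; RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def extract_query_name(packet: bytes) -> Optional[str]:
    """Return the lower-cased QNAME of a DNS request message, or None when the
    packet is not a well-formed request (response, short packet, bad labels)."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount == 0:                   # QR=1: a response, not a request
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                                  # name runs past the packet
        length = packet[pos]
        pos += 1
        if length == 0:
            break                                        # root label terminates the name
        if length & 0xC0:
            return None                                  # compression pointer: not valid here
        if pos + length > len(packet):
            return None                                  # truncated label
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if not labels:
        return None
    return ".".join(labels).lower()


def check_request(packet: bytes) -> Optional[dict]:
    """Security-device step from the text: extract the name and query the library.
    Returns a security-event record on a hit, None on a miss or a non-request."""
    name = extract_query_name(packet)
    if name is None:
        return None
    for family, domains in THREAT_INTEL.items():
        if name in domains:
            return {"domain": name, "family": family, "event": "threat-intel hit"}
    return None


if __name__ == "__main__":
    for pkt in (build_dns_query("A1.Example"), build_dns_query("www.example"),
                build_dns_query("a1.example", response=True)):
        print(extract_query_name(pkt), check_request(pkt))
```

Rejecting responses matters in practice: a resolver's answer for a listed name would otherwise be counted as a second "request" from the internal host and inflate the hit counts that the first and second aspects rely on.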
Based on the above, the embodiment of the application provides a method for determining a malicious domain name. For a first DNS request message sent by a host of an internal network to a domain name server of an external network, the method provided by the embodiment of the present application queries a first domain name carried in the first DNS request message in a malicious information base, and records a first time when a current query is hit by a target malware family to which the first domain name belongs in a threat information base when the current query result is hit. If the time difference between the first time and the time the target malware family was hit last time is less than a first threshold, determining the first domain name carried in the first DNS request message as a malicious domain name. Wherein, hit refers to the first domain name included in one malware family in the threat intelligence library.
Because of accidental reasons, the same normal host (but not an infected host) in the internal network has extremely low possibility of continuously accessing the domain name belonging to the same malicious software family (namely the target malicious software family) in a short time, so that the false alarm rate of reporting the malicious domain name by the security device is greatly reduced by the method provided by the embodiment of the application. Further, the method provided by the embodiment of the application greatly reduces the false alarm rate of reporting the security event related to the malicious domain name.
The embodiments of the present application also provide a network system. An internal network in the network system includes a security device, a border device, and a plurality of hosts. The hosts in the internal network communicate with an external network through the border device, and the security device is configured to perform the method for determining a malicious domain name, so that a domain name carried in a DNS request message flowing through the border device can be accurately determined to be a malicious domain name, and a security event corresponding to the malicious domain name can be generated and reported in time.
The internal network is, for example, an intranet or a campus network. The external network is, for example, a public network. The border device is, for example, a gateway device (e.g., a switch or a router). The security device is any independent device with computing and processing capability, or a functional module integrated in an existing independent device in the network system; for example, the security device is a functional module integrated in an existing firewall device. The embodiments of the present application do not specifically limit the internal network, the external network, the border device, or the security device.
In one possible implementation, the security device is deployed inline (in the traffic path) on the communication link between the hosts and the border device in the internal network. Referring to fig. 1, fig. 1 is a schematic diagram of a network system according to an embodiment of the present application. As shown in fig. 1, the network system includes an internal network 11 and an external network 12. The internal network 11 includes a security device 110, a border device 111, and a plurality of hosts.
The plurality of hosts in the internal network 11 includes a host 1, a host 2, and a host 3. Host 1, host 2, and host 3 are connected to the border device 111 through the security device 110, and the border device 111 is connected to the external network 12. Host 1, host 2, and host 3 each communicate with the external network 12 through the border device 111.
The security device 110 is deployed inline on the communication link between a host (e.g., host 1, host 2, or host 3) and the border device 111. It receives and processes the traffic flowing through the border device 111 and is configured to perform the method for determining a malicious domain name provided in the embodiments of the present application, so as to accurately determine that a domain name carried in a DNS request message in that traffic is a malicious domain name and to generate and report the corresponding security event in time. By way of example, the security device 110 is a firewall device, or a functional module integrated in a firewall device, such as a threat intelligence component.
In another possible implementation, the security device is deployed out of path (in bypass mode) on the communication link between the hosts in the internal network and the external network. Referring to fig. 2, fig. 2 is a schematic diagram of another network system according to an embodiment of the present application. As shown in fig. 2, the network system includes an internal network 21 and an external network 12. The internal network 21 includes a security device 210, a border device 211, and a plurality of hosts.
The plurality of hosts in the internal network 21 includes a host 1, a host 2, and a host 3. Host 1, host 2, and host 3 are each connected to the border device 211, and the border device 211 is connected to the external network 12. In this way, host 1, host 2, and host 3 each communicate with the external network 12 through the border device 211.
In addition, the border device 211 is also connected to the security device 210. The security device 210 is therefore deployed out of path on the communication link between the hosts in the internal network and the external network. It receives and processes mirrored traffic from the border device 211, where the mirrored traffic is a copy of the traffic flowing through the border device 211, and is configured to perform the method for determining a malicious domain name provided in the embodiments of the present application, so as to accurately determine that a domain name carried in a DNS request message in the traffic flowing through the border device 211 is a malicious domain name and to generate and report the corresponding security event in time. By way of example, the security device 210 is a security information and event management (Security Information and Event Management, SIEM) device, or a threat intelligence component integrated in a SIEM device.
The embodiments of the present application also provide another network system. An internal network in this network system includes a border device and a plurality of hosts, and the hosts each communicate with an external network through the border device. The border device in the internal network is also connected to a cloud device, and the cloud device is configured to perform the method for determining a malicious domain name provided in the embodiments of the present application, so as to accurately determine that a domain name carried in a DNS request message flowing through the border device is a malicious domain name and to generate and report the corresponding security event in time. For the descriptions of the internal network, the external network, and the border device, refer to the foregoing; details are not repeated here.
As an example, referring to fig. 3, fig. 3 is a schematic diagram of yet another network system according to an embodiment of the present application. As shown in fig. 3, the network system includes an internal network 31 and an external network 12. The internal network 31 includes a plurality of hosts and a border device 311.
The plurality of hosts in the internal network 31 includes a host 1, a host 2, and a host 3. Host 1, host 2, and host 3 are connected to the border device 311, and the border device 311 is connected to the external network 12. In this way, host 1, host 2, and host 3 each communicate with the external network 12 through the border device 311.
In addition, the border device 311 is also connected to a cloud device 310. The cloud device 310 is configured to interact with the border device 311 and to perform the method for determining a malicious domain name provided in the embodiments of the present application, so as to accurately determine that a domain name carried in a DNS request message flowing through the border device 311 is a malicious domain name and to generate and report the corresponding security event in time.
The embodiments of the present application also provide an apparatus for determining a malicious domain name. The apparatus may be any independent device with computing and processing capability, or a functional module integrated in an existing independent device in a network system, which is not limited here. The independent device may be the security device shown in fig. 1 or fig. 2, or the cloud device shown in fig. 3, which is not limited here.
Referring to fig. 4, fig. 4 is a schematic diagram of the hardware structure of a malicious domain name determining apparatus 40 provided in an embodiment of the present application, where the malicious domain name determining apparatus is an example of an independent device with computing and processing capability (for example, the security device shown in fig. 1 or fig. 2, or the cloud device shown in fig. 3). As shown in fig. 4, the malicious domain name determining apparatus 40 includes a processor 401, a memory 402, a network interface 403, and a bus 404. The processor 401, the memory 402, and the network interface 403 are connected through the bus 404. Optionally, the malicious domain name determining apparatus 40 further includes an input/output interface 405, and the input/output interface 405 communicates with the processor 401, the memory 402, the network interface 403, and the like through the bus 404.
The processor 401 is the control center of the malicious domain name determining apparatus 40 and may be a general-purpose CPU. The processor 401 may also be another general-purpose processor, a digital signal processor (digital signal processing, DSP), an application-specific integrated circuit (application-specific integrated circuit, ASIC), a field-programmable gate array (field-programmable gate array, FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, a graphics processing unit (graphics processing unit, GPU), a neural processing unit (neural processing unit, NPU), a tensor processing unit (tensor processing unit, TPU) or artificial intelligence (AI) chip, a data processing unit (data processing unit, DPU), or the like.
As one example, processor 401 includes one or more CPUs, such as CPU 0 and CPU 1 shown in fig. 4. Further, the present application does not limit the number of processor cores in each processor.
The memory 402 is used for storing program instructions or data to be accessed by an application process, and the processor 401 may implement the method for determining a malicious domain name provided in the embodiment of the present application by executing the program instructions in the memory 402.
The memory 402 includes volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (random access memory, RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct rambus RAM (DR RAM). The nonvolatile memory may be a storage class memory (storage class memory, SCM), a solid state drive (solid state drive, SSD), a hard disk drive (HDD), or the like. The storage class memory may be, for example, a nonvolatile memory (NVM), a phase-change memory (PCM), a persistent memory, or the like.
In one possible implementation, the memory 402 exists independent of the processor 401. The memory 402 is coupled to the processor 401 via a bus 404 for storing data, instructions or program code. When the processor 401 invokes and executes the instructions or the program codes stored in the memory 402, the method for determining the malicious domain name provided in the embodiment of the present application can be implemented.
In another possible implementation, the memory 402 and the processor 401 are integrated.
The network interface 403 is used by the malicious domain name determining apparatus 40 to connect to other devices (such as the hosts shown in fig. 1 or the border device shown in fig. 2) through a communication network, which may be Ethernet, a radio access network (radio access network, RAN), a wireless local area network (wireless local area network, WLAN), or the like. The network interface 403 includes a receiving unit for receiving data/messages and a sending unit for sending data/messages.
The bus 404 may be an industry standard architecture (industry standard architecture, ISA) bus, a peripheral component interconnect (peripheral component interconnect, PCI) bus, a peripheral component interconnect express (PCIe) bus, a compute express link (compute express link, CXL), an extended industry standard architecture (extended industry standard architecture, EISA) bus, or the like. The bus may be classified into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one thick line is drawn in fig. 4, but this does not mean that there is only one bus or only one type of bus.
An input-output interface 405 for implementing man-machine interaction between the user and the malicious domain name determining device 40. Such as text interactions or voice interactions between the user and the malicious domain name determining means 40.
The input/output interface 405 includes an input interface for enabling a user to input information to the determination device 40 for a malicious domain name, and an output interface for enabling the determination device 40 for a malicious domain name to output information to the user.
By way of example, input interfaces include, but are not limited to, a touch screen, keyboard, mouse, microphone, etc., and output interfaces include, but are not limited to, a display screen, speakers, etc. The touch screen, the keyboard or the mouse is used for inputting text/image information, the microphone is used for inputting voice information, the display screen is used for outputting the text/image information, and the loudspeaker is used for outputting the voice information.
It should be noted that the structure shown in fig. 4 does not constitute a limitation on the malicious domain name determining apparatus 40; the apparatus 40 may include more or fewer components than shown in fig. 4, may combine some components, or may have a different arrangement of components.
The method for determining the malicious domain name provided by the embodiment of the application is described below with reference to the accompanying drawings.
Referring to fig. 5, fig. 5 is a flowchart of a method for determining a malicious domain name according to an embodiment of the present application. Optionally, the method is performed by the malicious domain name determining apparatus 40 shown in fig. 4 (hereinafter simply referred to as the "determining apparatus"). The method includes steps S101 to S104.
S101: Obtain a first domain name carried in a first DNS request message.
The first DNS request message is a DNS request message sent by a host of the internal network to a domain name server of the external network. The domain name server is configured to resolve the first domain name carried in the first DNS request message so as to obtain the IP address of the server that provides the network service corresponding to the first domain name. As an example, the internal network is the internal network 11 shown in fig. 1, the internal network 21 shown in fig. 2, or the internal network 31 shown in fig. 3, and the external network is the external network 12 shown in fig. 1 (or fig. 2 or fig. 3), which is not limited here.
Taking the internal network 11 shown in fig. 1 as an example, the first DNS request message may be a DNS request message sent by host 1 (or host 2, or host 3) in the internal network 11 to a domain name server in the external network 12.
Specifically, for a detailed description of how the determining apparatus obtains the first domain name carried in the first DNS request message, refer to the description of S201 or S301 below; details are not repeated here.
S102: Query the first domain name in the threat intelligence library, and record a first time if the query result is a hit.
Optionally, after obtaining the first domain name, the determining apparatus queries whether the threat intelligence library includes the first domain name by traversing the threat intelligence library. The threat intelligence library is preconfigured in the determining apparatus; for a detailed description of the threat intelligence library, refer to the foregoing description, which is not repeated here.
When the determining apparatus queries the first domain name in the threat intelligence library, a query result of a hit means that one malware family in the threat intelligence library includes the first domain name. The target malware family is the malware family to which the first domain name belongs in the threat intelligence library. The malicious domain names contained in different malware families in the threat intelligence library are normally non-overlapping; only in individual cases do two malware families in the threat intelligence library contain the same malicious domain name.
If all the malicious domain names in the threat intelligence library are compromised domain names, the determining apparatus records the first time after the query result is a hit. The first time is the time at which the target malware family, to which the first domain name belongs in the threat intelligence library, is hit by this query. For the description of a compromised domain name, refer to the foregoing description, which is not repeated here.
If the malicious domain names in the threat intelligence library include not only compromised domain names but also ordinary malicious domain names, the provider of the threat intelligence service additionally needs to set a tag on each compromised domain name in the threat intelligence library, so as to distinguish compromised domain names from ordinary malicious domain names. Accordingly, after the query result is a hit, the determining apparatus determines whether the first domain name in the threat intelligence library carries a compromised domain name tag. When the determining apparatus determines that the first domain name in the threat intelligence library carries the compromised domain name tag, it records the first time. When the determining apparatus determines that the first domain name in the threat intelligence library carries no compromised domain name tag, the first domain name in the threat intelligence library is an ordinary malicious domain name, and the determining apparatus directly determines that the first domain name in the first DNS request message is a malicious domain name.
The compromised domain name tag of the first domain name indicates that the first domain name in the threat intelligence library is a compromised domain name. For the descriptions of a compromised domain name and an ordinary malicious domain name, refer to the foregoing description, which is not repeated here.
As an example, the threat intelligence library uses the value of a field "authorized_match" to mark whether a malicious domain name in the threat intelligence library is a compromised domain name. When the value of "authorized_match" for malicious domain name 1 in the threat intelligence library is 1, malicious domain name 1 carries the compromised domain name tag, that is, malicious domain name 1 is a compromised domain name. When the value of "authorized_match" for malicious domain name 2 in the threat intelligence library is 0, malicious domain name 2 carries no compromised domain name tag, that is, malicious domain name 2 is an ordinary malicious domain name.
S103: Determine whether the time difference between the first time and a second time is smaller than a first threshold.
The second time is the time at which the target malware family in the threat intelligence library was last hit before the first time.
Specifically, before obtaining the first domain name in the first DNS request message, the determining apparatus also obtained a second domain name in a second DNS request message. The second DNS request message is a DNS request message sent by a host of the internal network to a domain name server of the external network, and the domain name server is configured to resolve the second domain name carried in the second DNS request message so as to obtain the IP address of the server that provides the network service corresponding to the second domain name.
Further optionally, the determining apparatus queries whether the threat intelligence library includes the second domain name by traversing the threat intelligence library. If the query result for the second domain name in the threat intelligence library is a hit, the determining apparatus records the second time, at which the target malware family to which the second domain name belongs is hit. It should be understood that, for a detailed description of the determining apparatus recording the second time after the query of the second domain name in the threat intelligence library is a hit, refer to the description of recording the first time in S102, which is not repeated here.
In this way, after recording the first time and determining that the first DNS request message and the second DNS request message come from the same host in the internal network, the determining apparatus calculates the time difference between the first time and the second time. For a detailed description of how the determining apparatus determines that the first DNS request message and the second DNS request message come from the same host in the internal network, refer to the description below, which is not repeated here.
If the determining apparatus determines that the time difference between the first time and the second time is smaller than the first threshold, S104 is performed. If the time difference between the first time and the second time is greater than the first threshold, the determining apparatus waits to obtain the domain name in the next DNS request message and executes the method provided in the embodiments of the present application again starting from S102. It should be understood that the embodiments of the present application do not specifically limit the case in which the time difference between the first time and the second time is equal to the first threshold. The specific value of the first threshold is optionally obtained from the experience of a network administrator, from the advice of the threat intelligence service provider, or by analyzing historical log data with an AI method, which is not limited here; the first threshold is, for example, 5 minutes or 10 minutes.
S104: If the time difference is smaller than the first threshold, determine that the first domain name is a malicious domain name.
Specifically, if the determining apparatus determines that the time difference between the first time and the second time is smaller than the first threshold, then the same host in the internal network has accessed, in succession and within a time range of the first threshold, the first domain name and the second domain name belonging to the same target malware family in the threat intelligence library. In this case, the determining apparatus determines that the first domain name is a malicious domain name.
Optionally, after determining that the first domain name is a malicious domain name, the determining apparatus records alarm information including the first domain name and/or the target malware family. In addition, the determining apparatus may record in the alarm information the address of the host that sent the first DNS request message and the second DNS request message, so as to help locate the compromised host. The determining apparatus then outputs the alarm information to report the security event related to the malicious domain name to the administrator of the internal network. The target malware family in the alarm information allows the administrator to select a targeted handling scheme for the security event, so that the administrator can efficiently remove the risk brought by the security event.
Alternatively, the determining apparatus may output (e.g., display) the alarm information through an input/output interface (e.g., a display) as shown in fig. 4. Alternatively, the determining apparatus may send the alarm information to a management device of the internal network, and the management device displays the alarm information to the administrator through its own input/output interface (e.g., a display). The embodiments of the present application are not limited in this regard.
It may be understood that if the query of the second domain name carried in the second DNS request message in the threat intelligence library was the first hit on the target malware family, the determining apparatus further determines that the second domain name is also a malicious domain name.
Thus, because the probability that the same normal host in the internal network accesses domain names belonging to the same malware family (i.e., the target malware family) twice in succession within a short time is very low, the method shown in fig. 5 determines as malicious those domain names in the threat intelligence library that belong to the same malware family (i.e., the target malware family) and are accessed twice in succession by the same host in the internal network within the time range of the first threshold. Therefore, the method provided by the embodiments of the present application greatly improves the accuracy of determining that a domain name carried in a DNS request message is a malicious domain name, that is, it reduces the false alarm rate for malicious domain names.
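The following is an added example, not code from the patent, that implements steps S102 to S104 as a small detector: it keeps, per (source address, malware family), the time of the last hit and raises an alarm only when a second hit on the same family from the same host arrives within the first threshold, while an ordinary malicious domain name (no compromised domain name tag) is reported at once. The threat intelligence library contents, the "authorized_match" tag values, the host addresses, the domain names, and the timestamps are all constructed for illustration, and the threshold of 5 minutes is one of the example values the text gives.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed threat-intelligence library (not real indicators):
# domain -> (malware family, authorized_match), where authorized_match == 1
# marks a compromised domain name and 0 an ordinary malicious domain name.
THREAT_INTEL: Dict[str, Tuple[str, int]] = {
    "update.example-corp.test": ("FamilyA", 1),
    "cdn.example-corp.test": ("FamilyA", 1),
    "news.partner.test": ("FamilyB", 1),
    "evil-c2.test": ("FamilyC", 0),
}

FIRST_THRESHOLD_S = 5 * 60  # first threshold of 5 minutes (assumed example value)


@dataclass
class Alert:
    host: str           # source address of the DNS request(s)
    domains: List[str]  # domain names determined to be malicious
    family: str         # target malware family
    reason: str


@dataclass
class Detector:
    intel: Dict[str, Tuple[str, int]]
    threshold_s: int = FIRST_THRESHOLD_S
    # (source address, malware family) -> (time of the last hit, domain that hit)
    last_hit: Dict[Tuple[str, str], Tuple[float, str]] = field(default_factory=dict)

    def observe(self, src: str, domain: str, now: float) -> Optional[Alert]:
        """Run S102-S104 for one DNS request: query the domain, record the hit
        time per (host, family) and compare it with the previous hit."""
        entry = self.intel.get(domain.rstrip(".").lower())
        if entry is None:
            return None  # S102: query miss, nothing to record
        family, compromised = entry
        if not compromised:
            # Ordinary malicious domain name: determined malicious directly.
            return Alert(src, [domain], family, "ordinary malicious domain name")
        key = (src, family)
        prev = self.last_hit.get(key)
        self.last_hit[key] = (now, domain)  # record the first time for this hit
        if prev is None:
            return None  # first hit on this family for this host: wait
        prev_time, prev_domain = prev
        if now - prev_time < self.threshold_s:  # S103 (equality left open by the text)
            # S104: the earlier (second) and the current (first) domain are both malicious.
            return Alert(src, [prev_domain, domain], family,
                         f"two hits on {family} within {self.threshold_s}s")
        return None  # too far apart: start over from S102 on the next request


def run_sample() -> List[Alert]:
    """Replay constructed DNS requests as (source address, domain, epoch seconds)."""
    events = [
        ("10.0.0.5", "update.example-corp.test", 1000.0),  # FamilyA, first hit for .5
        ("10.0.0.7", "news.partner.test", 1010.0),         # FamilyB, first hit for .7
        ("10.0.0.5", "cdn.example-corp.test", 1120.0),     # FamilyA again after 120 s: alert
        ("10.0.0.7", "news.partner.test", 1900.0),         # FamilyB again after 890 s: no alert
        ("10.0.0.9", "evil-c2.test", 2000.0),              # ordinary malicious: alert at once
    ]
    det = Detector(THREAT_INTEL)
    return [a for a in (det.observe(*e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.host, alert.family, alert.domains, alert.reason)
```

The state is keyed on the source address as well as the family, which is what makes the second hit from host 10.0.0.5 correlate with its own first hit and not with the hit from host 10.0.0.7; a hit that arrives after the threshold still replaces the stored time, so the next request is compared against the most recent hit rather than the oldest one, matching the text's "start again from S102". Because the alarm carries both domain names, the second domain name is reported retroactively, as the text describes.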
In some embodiments, when the determining apparatus provided in the embodiments of the present application is the security device 110 shown in fig. 1 or the security device 210 shown in fig. 2, S101 may be replaced by S201. Referring to fig. 6, fig. 6 shows a flowchart of a method for determining another malicious domain name according to an embodiment of the application itself, and the method includes S201-S104.
S201, the security device acquires a first DNS request message, and extracts a first domain name from the first DNS request message.
In one possible implementation, when a security device in the internal network is deployed between the host and the edge device, a message sent by the host in the internal network to the external network through the edge device flows through the security device. In this case, optionally, the security device may identify the first DNS request message in the traffic message flowing through the security device according to the message format of the DNS request message, and extract the first domain name carried in the first DNS request message. It should be appreciated that DNS datagrams have a standard encapsulation format. In the standard encapsulation format of the DNS request message, the location of the domain name carried by the DNS request message in the DNS request message is determined.
Illustratively, the security device is security device 110 in the network system shown in fig. 1. As shown in fig. 1, since the security device 110 is directly between the host in the internal network 11 and the boundary device 111, a message sent from the host in the internal network 11 to the external network 12 through the boundary device 111 flows through the security device 110. In this way, according to the message format of the DNS request message, the security device 110 can identify the first DNS request message in the traffic message flowing through the security device 110, and extract the first domain name carried in the first DNS request message.
In another possible implementation, when a security device in the internal network is attached to a border device, the security device is able to obtain a mirrored traffic message of traffic messages flowing through the border device. The mirrored traffic message includes all traffic messages flowing through the edge device.
It will be appreciated that in the internal network, the edge device also sends a copy of the received traffic message to the security device when forwarding the traffic message according to the address in the received traffic message. In response, the security device receives a copy of the traffic message flowing through the edge device. Thus, the security device obtains the mirror image flow message of the flow message flowing through the boundary device.
Then, optionally, according to the message format of the DNS request message, the security device may identify the first DNS request message in the obtained mirror image traffic message, and extract a first domain name carried in the first DNS request message. The description of the message format of the DNS request message is referred to above, and will not be repeated here.
Illustratively, the security device is the security device 210 in the network system shown in fig. 2. As shown in fig. 2, the security device 210, which is attached to the edge device 211 in the internal network 21, can obtain the mirrored traffic message flowing through the edge device 211. Then, according to the message format of the DNS request message, the security device 210 can identify the first DNS request message in the obtained mirror image traffic message, and extract the first domain name carried in the first DNS request message.
In addition, it should be noted that, after identifying the first DNS request message, the security device further extracts the source address in the first DNS request message. The source address is used to uniquely identify a host in the internal network. Optionally, when the first DNS request message obtained by the security device has not been address-translated by a network address translation (NAT) device, the source address in the first DNS request message is the address, in the internal network, of the host that sent the first DNS request message. When the first DNS request message obtained by the security device has been address-translated by a NAT device, the source address in the first DNS request message is an address allocated by the NAT device to the host that sent the first DNS request message, and that address corresponds one-to-one to the address of the host in the internal network. The embodiments of the present application are not limited in this regard.
Then, the security device performs S102 and S103.
It should be noted that, in S103, the way in which the security device obtains the second domain name carried in the second DNS request message (before it obtains the first domain name carried in the first DNS request message) is the same as the way in which it obtains the first DNS request message and extracts the first domain name in S201, and is not described again here. It should be appreciated that, after obtaining the second DNS request message, the security device also extracts the source address in the second DNS request message. The description of the source address may be referred to above, and will not be repeated here.
When the security device determines that the source address of the first DNS request message and the source address of the second DNS request message are the same, it determines that the first DNS request message and the second DNS request message come from the same host in the internal network. In this way, the security device may further determine whether the time difference between the first time and the second time is less than a first threshold. If it is determined that the time difference between the first time and the second time is less than the first threshold, the security device performs S104.
In this way, by the method shown in fig. 6 provided by the embodiment of the present application, when the same host in the internal network continuously accesses multiple (greater than or equal to two) domain names belonging to the same malware family (for example, the target malware family) in the threat intelligence library within the time range of the first threshold, the security device in the internal network determines the accessed domain name as a malicious domain name, and reports a corresponding security event. Under the condition that the host is not infected, the possibility that the same normal host in the internal network continuously accesses a plurality of domain names belonging to one malicious software family (namely, a target malicious software family) in a short time is extremely low, so that the accuracy of determining that the domain name carried by the DNS request message is the malicious domain name is greatly improved by the method provided by the embodiment of the application, namely, the false alarm rate of the malicious domain name is reduced by the method provided by the embodiment of the application.
In another embodiment, when the determining device provided in the embodiment of the present application is the cloud device 310 shown in fig. 3, S101 may be replaced by S301. Referring to fig. 7, fig. 7 shows a flowchart of a method for determining a malicious domain name according to an embodiment of the present application, where the method includes S301-S305.
S301, the cloud device receives a domain name query request sent by the boundary device, wherein the domain name query request comprises a first domain name carried in a first DNS request message.
The domain name query request also comprises the source address of the first DNS request message. The domain name query request is used for requesting the cloud device to determine whether the first domain name carried in the domain name query request is a malicious domain name.
Specifically, when the border device identifies the first DNS request message in the traffic flowing through the border device according to the message format of the DNS request message, the border device extracts the first domain name carried by the first DNS request message from the identified first DNS request message, and extracts the source address of the first DNS request message. The description of the message format of the DNS request message and the detailed description of the source address are referred to the above description, and are not repeated herein.
And the boundary equipment generates a domain name query request according to the first domain name and the source address extracted from the first DNS request message, and sends the domain name query request to the cloud equipment.
In response, the cloud device receives a domain name query request sent by the boundary device in the internal network, and acquires a first domain name from the domain name query request.
Next, the cloud device executes S102.
It should be noted that, when the result of querying the first domain name in the threat information library by the cloud device is hit, the source address carried in the domain name query request including the first domain name is recorded in addition to the first time. The source address is the source address of the first DNS request message carrying the first domain name, and the source address is used for uniquely identifying the host in the internal network that sends the first DNS request message.
Further, the cloud device executes S103.
It should be noted that, in S103, the way in which the cloud device obtains the second domain name carried in the second DNS request message (before it obtains the first domain name carried in the first DNS request message) is the same as the way in which it obtains the first domain name in S301, and is not described again here. It should be understood that, when the result of querying the second domain name in the threat intelligence library is a hit after the cloud device obtains the second domain name, the cloud device records the second time and also records the source address carried in the domain name query request that includes the second domain name. That source address is the source address of the second DNS request message carrying the second domain name, and is used to uniquely identify the host in the internal network that sent the second DNS request message.
When the cloud device determines that the source address of the first DNS request message is the same as the source address of the second DNS request message, the cloud device determines that the first DNS request message and the second DNS request message come from the same host in the internal network. In this way, the cloud device further determines whether the time difference between the first time and the second time is less than a first threshold. If it is determined that the time difference between the first time and the second time is less than the first threshold, the cloud device executes S104.
In S104, optionally, after determining that the first domain name is a malicious domain name, the cloud device records and outputs alarm information including the first domain name and/or the target malware family, so as to report a security event related to the malicious domain name to a manager of the internal network. Optionally, the cloud device executes S305 after determining that the first domain name is a malicious domain name.
S305 (optional), the cloud device returns the domain name query result to the border device.
The domain name query result comprises the target malware family to which the first domain name belongs, and is used for indicating that the first domain name is a malicious domain name.
In response, after receiving the domain name query result returned by the cloud device, the border device outputs the domain name query result as alarm information so as to report a security event related to the malicious domain name to an administrator of the internal network. The border device may display the domain name query result through an input/output interface (e.g., a display) as shown in fig. 4, thereby reporting security events related to malicious domain names to an administrator of the internal network.
It can be seen that, by the method provided by the embodiment of the present application, which is executed by the cloud device, as shown in fig. 7, not only the false alarm rate of the malicious domain name can be reduced, but also the processing resources of the existing security device in the internal network can be saved.
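The following is an added example, written for this page and not code from the patent, that implements the two acquisition paths described above (S201 on a security device, S301 on a border device sending a query request to the cloud device) together with the shared S102-S104 rule from fig. 6 and fig. 7: a DNS request is identified by its wire format, the domain name and source address are extracted, and a domain is judged malicious when the same host hits the same malware family twice within the first threshold. The threshold value (300 s), the query-request dictionary layout, the host addresses, the timestamps and the third threat-intelligence entry are assumptions; the two Sality entries are taken from the patent's worked example.

```python
# Added example (not the patent's code): DNS request identification and the
# fig. 6 / fig. 7 correlation rule. Threshold (300 s), message layout, host
# addresses, timestamps and the third intel entry are assumptions.
import struct
from typing import Dict, List, Optional, Tuple

def parse_dns_qname(payload: bytes) -> Optional[str]:
    """Identify a DNS request by its message format (RFC 1035 header plus one
    question) and return its QNAME; return None for anything else."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1:
        return None  # response (QR=1), non-QUERY opcode, or not exactly one question
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):
            return None  # compression pointer in a question name, or truncated label
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):  # QTYPE and QCLASS must follow the name
        return None
    return ".".join(labels).lower()

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a sample A-record query (constructed test input only)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def build_domain_query_request(src_addr: str, payload: bytes) -> Optional[dict]:
    """S301 (border device side): extract domain name and source address from a
    DNS request and package them as the query request sent to the cloud device.
    A security device (S201) uses the same two fields locally."""
    domain = parse_dns_qname(payload)
    if domain is None:
        return None
    return {"domain": domain, "source_address": src_addr}  # layout is assumed

# Constructed threat intelligence library: domain -> (malware family, compromised_match).
THREAT_INTEL: Dict[str, Tuple[str, int]] = {
    "tailiksahu.com": ("Sality", 1),
    "industriasmeier.com": ("Sality", 1),
    "ads.tracker-example.test": ("AdwareX", 0),  # common malicious domain, no compromised label
}

class MaliciousDomainDetector:
    """S102-S104: keep the last hit time per (host, family); flag the domain when
    two hits from the same host on the same family are closer than first_threshold."""
    def __init__(self, intel: Dict[str, Tuple[str, int]], first_threshold: float,
                 require_compromised: bool = True):
        self.intel = intel
        self.first_threshold = first_threshold
        self.require_compromised = require_compromised
        # (source address, family) -> (time of previous hit, domain of previous hit)
        self.last_hit: Dict[Tuple[str, str], Tuple[float, str]] = {}

    def handle_query(self, request: dict, now: float) -> Optional[dict]:
        """Return the domain query result (S305) when the domain is judged malicious."""
        domain, host = request["domain"], request["source_address"]
        entry = self.intel.get(domain)
        if entry is None:
            return None  # S102: miss
        family, compromised = entry
        if self.require_compromised and compromised != 1:
            return None  # only compromised-labelled domains take part in the rule
        key = (host, family)
        previous = self.last_hit.get(key)   # the "second time" and the second domain
        self.last_hit[key] = (now, domain)  # record the "first time"
        if previous is None or now - previous[0] >= self.first_threshold:
            return None  # S103: no earlier hit from this host, or too far apart
        return {"host": host, "family": family, "domains": sorted({previous[1], domain})}

def run_scenario() -> List[dict]:
    """Replay the patent's Sality example on constructed traffic and timestamps."""
    det = MaliciousDomainDetector(THREAT_INTEL, first_threshold=300.0)
    response = bytearray(build_dns_query("tailiksahu.com"))
    response[2] |= 0x80  # set QR: a DNS response is not a request and must be ignored
    events = [  # (time, source address, raw DNS payload)
        (1000.0, "10.0.0.5", build_dns_query("tailiksahu.com")),
        (1010.0, "10.0.0.5", bytes(response)),
        (1100.0, "10.0.0.6", build_dns_query("industriasmeier.com")),  # different host
        (1150.0, "10.0.0.5", build_dns_query("industriasmeier.com")),  # same host, 150 s later
        (2000.0, "10.0.0.5", build_dns_query("tailiksahu.com")),       # 850 s later: no alert
    ]
    alerts = []
    for now, src, payload in events:
        request = build_domain_query_request(src, payload)
        if request is not None:
            result = det.handle_query(request, now)
            if result is not None:
                alerts.append(result)
    return alerts
```

Only the fourth event produces an alert: the same host hit the Sality family at 1000 s and again at 1150 s, which is inside the assumed 300 s first threshold, so both domains are reported. The hit from the other host and the hit 850 s later do not qualify, and the DNS response is rejected at the format check before any lookup.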
Referring to fig. 8, a flowchart of another method for determining a malicious domain name is provided in an embodiment of the present application. Alternatively, the method is performed by the malicious domain name determining means 40 shown in fig. 4. The method includes S101-S104.
The determining apparatus first performs S101 described above. It will be appreciated that, when the determining apparatus is the security device shown in fig. 1 or fig. 2, S101 may be replaced by S201; when the determining apparatus is the cloud device shown in fig. 3, S101 may be replaced by S301. This is not described in detail again.
Next, the determining apparatus performs S102 and S103 described above, and performs S401 to S402. It is understood that the execution order of S102-S103 and S401-S402 is not limited in the embodiment of the present application. For example, the determining apparatus performs S102 to S103 first, and then performs S401 to S402. Alternatively, the determining apparatus performs S102 to S103 and S401 to S402 simultaneously.
S401, if the query result of querying the first domain name in the threat intelligence library is a hit, updating the number of times the target malware family to which the first domain name belongs has been hit.
Specifically, if the query result of querying the first domain name in the threat intelligence library is a hit, and the first DNS request message carrying the first domain name and the second DNS request message carrying the second domain name come from the same host in the internal network, the number of times the target malware family to which the first domain name belongs has been hit is increased by 1. The second domain name carried by the second DNS request message is the domain name whose query in the threat intelligence library produced the determining apparatus's previous hit on the target malware family. For obtaining the second domain name carried by the second DNS request message and querying the threat intelligence library for the second domain name, reference may be made to the description in S103 above, which is not repeated herein.
Alternatively, the determining means may set a counter for the malware family hit in the threat intelligence library, and update the number of times the malware family is hit by updating the counter. In this way, when the query result of querying the first domain name in the threat information library is hit, and the first DNS request message carrying the first domain name and the second DNS request message carrying the second domain name come from the same host in the internal network, the counter of the target malware family to which the first domain name belongs is incremented by 1.
S402, determining whether the number of times the target malware family to which the first domain name belongs has been hit is greater than or equal to a second threshold.
If the determining means determines that the number of times the target malware family to which the first domain name belongs is hit is equal to or greater than the second threshold, S104 is performed. If the determining device determines that the number of times the target malicious software family is hit is smaller than the second threshold, waiting for obtaining the domain name in the DNS request message next time, and re-executing the method provided by the embodiment of the application. The second threshold is an integer greater than or equal to 3, for example, the value of the second threshold may be 5, 8, 10, etc.
Then, the determination means executes S104. It should be noted that, in S104, if the time difference is smaller than the first threshold and the number of times the target malware family is hit is equal to or greater than the second threshold, the determining device determines that the first domain name is a malicious domain name.
Specifically, if the determining device determines that the time difference between the first time and the second time is smaller than the first threshold, and the number of times the target malware family is hit is larger than or equal to the second threshold, that is, the same host in the internal network accesses a plurality of domain names (including the first domain name and the second domain name) of the same target malware family in threat intelligence continuously for a plurality of times (the number of times larger than or equal to the second threshold) within the time range of the first threshold. In this case, the determining means determines that the first domain name is a malicious domain name.
Thus, since the probability that the same normal host in the internal network continuously accesses domain names belonging to the same malware family (i.e., the target malware family) within a short time is very low, the method shown in fig. 8 provided by the embodiment of the present application determines as malicious those domain names belonging to the same malware family (e.g., the target malware family) in threat intelligence that are continuously accessed by the same host in the internal network multiple times (more than two times) within the time range of the first threshold. By the method shown in fig. 8, the accuracy of determining that the domain name carried by the DNS request message is a malicious domain name is further improved, that is, the false alarm rate of the malicious domain name is further reduced.
Referring to fig. 9, another flow diagram of a method for determining a malicious domain name is also provided in the embodiments of the present application. Alternatively, the method is performed by the malicious domain name determining means 40 shown in fig. 4. The method includes S501-S504.
S501, acquiring a first domain name carried in a first DNS request message.
Here, the detailed description of the determining device acquiring the first domain name carried in the first DNS request message may refer to the description of S101, S201, or S301 above, which is not described herein.
S502, querying the first domain name in the threat intelligence library, and if the query result is a hit, updating the number of times the target malware family to which the first domain name belongs in the threat intelligence library has been hit within a preset time window.
The preset time window is a time period taking the moment of inquiring the first domain name in the threat information library as an end point and the duration as a preset duration. For example, assuming that the moment of querying the first domain name in the threat information library by the determining device is 12:00 and the preset duration is 1 hour, the preset time window is a time period between 11:00 and 12:00.
It can be seen that over time, the preset time window is a moving time window.
When the query result of querying the first domain name in the threat intelligence library is a hit, and the first DNS request message carrying the first domain name and the second DNS request message carrying the second domain name come from the same host in the internal network, the determining apparatus records the first time, and the number of times the target malware family to which the first domain name belongs has been hit within the preset time window is increased by 1.
The second domain name carried by the second DNS request message is the domain name whose query in the threat intelligence library produced the determining apparatus's previous hit on the target malware family. For obtaining the second domain name carried by the second DNS request message and querying the threat intelligence library for the second domain name, reference may be made to the description in S103 above, which is not repeated herein.
The first time is the time at which the query of the target malware family to which the first domain name belongs in the threat intelligence library is hit. The determining apparatus uses the recorded hit times to update, in real time, the number of times the target malware family has been hit within the preset time window, which moves forward as time passes.
It will be appreciated that, even at a moment when the target malware family in the threat intelligence library is not being hit, the number of times it has been hit within the moving preset time window is still updated in real time from the hit times recorded each time it was hit (for example, the first time and the second time), because earlier hits fall out of the window as it moves.
S503, determining whether the number of times of hit of the target malicious software family in a preset time window is larger than or equal to a set threshold value.
If the determining means determines that the number of times the target malware family is hit within the preset time window is equal to or greater than the set threshold, S504 is performed. If the determining device determines that the number of times that the target malicious software family is hit in the preset time window is smaller than the set threshold, waiting for obtaining the domain name in the DNS request message next time, and re-executing the method provided by the embodiment of the application.
Wherein the value of the set threshold is an integer greater than or equal to 2.
S504, if the number of times that the target malicious software family is hit in the preset time window is greater than or equal to a set threshold value, determining that the first domain name is a malicious domain name.
It can be appreciated that if the determining device determines that the number of times the target malware family is hit within the preset time window is greater than or equal to the set threshold, that is, the same host in the internal network accesses the plurality of domain names (including the first domain name and the second domain name) of the same target malware family in the threat intelligence for a plurality of consecutive times within the preset time window. In this case, the determining means determines the first domain name carried by the first DNS request message as a malicious domain name.
Optionally, the determining apparatus records and outputs alarm information including the first domain name and/or the target malware family after determining that the first domain name is a malicious domain name. The detailed description of the output of the alarm information by the determining apparatus may refer to the description in S104, which is not repeated here.
In this way, by the method shown in fig. 9 provided by the embodiment of the present application, in a case that the same host in the internal network accesses multiple domain names belonging to the same malware family (for example, the target malware family) in the threat intelligence library multiple times within a preset time window, the accessed domain name is determined as a malicious domain name. Because the possibility that the same normal host in the internal network continuously accesses a plurality of domain names belonging to the same malicious software family (i.e. the target malicious software family) in a short time is extremely low, the accuracy of determining that the domain name carried by the DNS request message is a malicious domain name can be improved by the method shown in fig. 9, i.e. the false alarm rate of the malicious domain name is reduced.
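The following is an added example, written for this page and not code from the patent, of the moving-window hit counter behind the fig. 9 rule (S502-S504): hits are kept per (source address, malware family), hits older than the preset duration are dropped each time the count is read, so the count decays even when no new hit arrives, and the domain is flagged once the count reaches the set threshold. The same class, run with no window and a maximum gap between consecutive hits, reproduces the fig. 8 rule above (S401-S402 combined with the first threshold in S104). The window length, the thresholds, the host address, the timestamps and the `.test` domain names are assumptions; the two Sality domains are from the patent's worked example.

```python
# Added example (not the patent's code): per-host, per-family hit counting in a
# moving time window (fig. 9, S502-S504). With window=float("inf") and max_gap
# set it reproduces the fig. 8 rule (S401-S402 with S104). Window length,
# thresholds, host, timestamps and the *.test domain names are assumptions.
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

class FamilyHitWindow:
    def __init__(self, window_seconds: float, hit_threshold: int,
                 max_gap: Optional[float] = None):
        self.window = window_seconds        # preset duration; float("inf") = no window (fig. 8)
        self.hit_threshold = hit_threshold  # set threshold (fig. 9) / second threshold (fig. 8)
        self.max_gap = max_gap              # first threshold (fig. 8); None disables the check
        # (source address, family) -> hits as (hit time, domain), oldest first
        self.hits: Dict[Tuple[str, str], Deque[Tuple[float, str]]] = {}

    def _evict(self, q: Deque[Tuple[float, str]], now: float) -> None:
        # The window ends at `now` and is self.window long; older hits drop out.
        while q and now - q[0][0] > self.window:
            q.popleft()

    def count(self, host: str, family: str, now: float) -> int:
        """Hit count in the window ending at `now`, without recording a hit.
        Because the window moves, this count decays as old hits age out."""
        q = self.hits.get((host, family))
        if not q:
            return 0
        self._evict(q, now)
        return len(q)

    def record(self, host: str, family: str, domain: str, now: float) -> Optional[List[str]]:
        """S502/S503: record a hit and return the domains in the window when the
        family reaches hit_threshold (and, if max_gap is set, the previous hit from
        this host was less than max_gap seconds ago); otherwise return None."""
        q = self.hits.setdefault((host, family), deque())
        gap_ok = self.max_gap is None or (bool(q) and now - q[-1][0] < self.max_gap)
        q.append((now, domain))
        self._evict(q, now)
        if gap_ok and len(q) >= self.hit_threshold:
            return [d for _, d in q]
        return None

def run_window_demo() -> dict:
    """Constructed sequence: one host resolves three Sality domains within an
    hour and then goes quiet (fig. 9: window 3600 s, set threshold 3). The same
    kind of sequence is then replayed under the fig. 8 rule (no window, first
    threshold 300 s, second threshold 3)."""
    host, family = "10.0.0.5", "Sality"
    out = {}
    w9 = FamilyHitWindow(window_seconds=3600.0, hit_threshold=3)
    out["hit1"] = w9.record(host, family, "tailiksahu.com", 0.0)
    out["hit2"] = w9.record(host, family, "industriasmeier.com", 600.0)
    out["hit3"] = w9.record(host, family, "example-c.test", 1200.0)   # third hit inside the window
    out["count_3000"] = w9.count(host, family, 3000.0)   # all three still inside the hour
    out["count_4000"] = w9.count(host, family, 4000.0)   # the hit at 0.0 has aged out
    out["count_5000"] = w9.count(host, family, 5000.0)   # every hit has aged out
    w8 = FamilyHitWindow(float("inf"), hit_threshold=3, max_gap=300.0)
    w8.record(host, family, "tailiksahu.com", 0.0)
    w8.record(host, family, "industriasmeier.com", 100.0)
    out["fig8_gap_too_large"] = w8.record(host, family, "example-c.test", 1000.0)  # count 3, gap 900 s
    out["fig8_alert"] = w8.record(host, family, "example-d.test", 1100.0)          # count 4, gap 100 s
    return out
```

Under the fig. 9 rule the third hit at 1200 s trips the detector, and reading the count later at 4000 s and 5000 s shows the window moving: the count falls to 2 and then to 0 without any new hit. Under the fig. 8 rule the third hit does not trip the detector, because 900 s separate it from the previous hit, while the fourth hit 100 s later does.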
To further illustrate the methods provided by the embodiments of the present application, the following description is given by way of a specific example.
Taking as an example that the security device 110 shown in fig. 1 executes the method provided in the embodiment of the present application, and that a threat intelligence library including compromised domain names and common malicious domain names is preset in the security device 110, it is assumed that the security device 110 obtains domain name 1 "tailiksahu.com" in DNS request message 1 at time t1, and queries domain name 1 in the preset threat intelligence library. If the query result is a hit, threat intelligence 1 including domain name 1 exists in the threat intelligence library. Optionally, threat intelligence 1 is as shown in table 1:
TABLE 1
Domain name | Malware family to which the domain name belongs | compromised_match
tailiksahu.com | ["Sality"] | 1
Since the value of "compromised_match" in threat intelligence 1 is 1, the security device 110 determines that domain name 1 in threat intelligence 1 carries a compromised domain name label. Then, the security device 110 records the time t1 at which the target malware family "Sality" to which domain name 1 belongs is hit. It will be appreciated that the time at which the security device 110 obtains domain name 1 is very close to the time at which domain name 1 is queried in the threat intelligence library, so that when the query result is a hit, the time at which the target malware family "Sality" to which domain name 1 belongs is hit can be taken as the time t1 at which the security device 110 obtained domain name 1. The specific information recorded by the security device 110 for the time t1 at which the target malware family "Sality" to which domain name 1 belongs is hit may be as shown in table 2.
TABLE 2
Hit domain name | Hit time | Malware family to which the domain name belongs
tailiksahu.com | t1 | Sality
Next, assume that the security device 110 obtains domain name 2 "industriasmeier.com" in DNS request message 2 at time t2, and queries the preset threat intelligence library for domain name 2. If the query result is a hit, threat intelligence 2 including domain name 2 exists in the threat intelligence library. Optionally, threat intelligence 2 is as shown in table 3:
TABLE 3
Domain name | Malware family to which the domain name belongs | compromised_match
industriasmeier.com | ["Sality"] | 1
Since the value of "compromised_match" in threat intelligence 2 is 1, the security device 110 determines that domain name 2 in threat intelligence 2 carries a compromised domain name label, and the security device 110 records the time t2 at which the target malware family "Sality" to which domain name 2 belongs is hit. The specific information recorded by the security device 110 for the time t2 at which the target malware family "Sality" to which domain name 2 belongs is hit may be as shown in table 4.
TABLE 4
Hit domain name | Hit time | Malware family to which the domain name belongs
industriasmeier.com | t2 | Sality
Then, the security device 110 determines that the DNS request message 1 carrying the domain name 1 and the DNS request message 2 carrying the domain name 2 come from the same host in the internal network 11 (for example, the host 1 shown in fig. 1, reference is made to the above for specific procedures, which are not described here in detail), and further calculates the time difference between t1 and t2.
Assuming that the time difference between t1 and t2 is less than the first threshold, security device 110 determines that domain name 1 and domain name 2 are both malicious domain names.
Further, the security device 110 outputs alarm information including the determined malicious domain names (domain name 1 and domain name 2) and the malware family to which the malicious domain names belong (the target malware family to which domain name 1 and domain name 2 belong). Optionally, the alarm information output by the security device 110 is as shown in table 5. As shown in table 5, the alarm information further includes threat intelligence associated with the determined malicious domain names in the threat intelligence library, where the associated threat intelligence includes, for example: the compromised domain name label "compromised", the way in which the malicious domain name communicates with the malware running on the compromised host ("CnC"), and the risk value of the malicious domain name. It will be appreciated that the higher the risk value of a malicious domain name, the greater the risk posed by that malicious domain name.
TABLE 5
[Table 5: alarm information output by the security device 110, provided only as an image in the original publication; its contents are described in the preceding paragraph.]
The foregoing description of the solution provided in the embodiments of the present application has been mainly presented in terms of a method.
In order to achieve the above functions, as shown in fig. 10, fig. 10 shows a schematic structural diagram of a malicious domain name determining apparatus 100 provided in an embodiment of the present application. The determining device 100 is configured to perform the above-described method for determining a malicious domain name, for example, the method shown in fig. 5, 6, 7, or 8. The determining apparatus 100 may include an acquiring unit 101, a querying unit 102, a recording unit 103, and a determining unit 104.
An obtaining unit 101, configured to obtain a first domain name carried in a first DNS request message, where the first DNS request message is a DNS request message sent by a host of an internal network to a domain name server of an external network. A querying unit 102, configured to query a threat intelligence library including at least one malware family, where each malware family includes one or more malicious domain names. A recording unit 103, configured to record a first time if the result of querying the first domain name in the threat intelligence library is a hit. A determining unit 104, configured to determine a time difference between the first time and a second time, and, if the time difference is less than a first threshold, to determine that the first domain name is a malicious domain name. A hit means that one malware family in the threat intelligence library includes the first domain name; the first time is the time at which the target malware family to which the first domain name belongs in the threat intelligence library is hit by the current query, and the second time is the time at which the target malware family was hit the previous time.
As an example, in connection with fig. 5, the acquisition unit 101 is used to perform S101, the inquiry unit 102 and the recording unit 103 are used to perform S102, and the determination unit 104 may be used to perform S103 and S104.
Optionally, if the query unit 102 queries the threat information library that the query result of the first domain name is a hit, the determining apparatus 100 further includes: an updating unit 105 for updating the number of times the target malware family is hit. The determining unit 104 is specifically configured to determine that the first domain name is a malicious domain name if the time difference is smaller than a first threshold and the number of times the target malware family is hit is greater than or equal to a second threshold.
As an example, in connection with fig. 8, the updating unit 105 is used to perform S401, and the determining unit 104 is used to perform S103, S402, and S104.
Optionally, after the determining unit 104 determines that the first domain name is a malicious domain name, the determining apparatus 100 further includes: an output unit 106, configured to output the first domain name and/or the target malware family.
Optionally, if the determining apparatus 100 is applied to a security device in an internal network, the obtaining unit 101 is specifically configured to: obtain a first DNS request message from traffic flowing through the security device, and extract a first domain name from the first DNS request message.
As an example, in connection with fig. 6, the acquisition unit 101 is configured to execute S201.
Optionally, if the determining apparatus 100 is applied to a cloud device in communication with a border device of an internal network, where the border device is located at the boundary between the internal network and an external network, the obtaining unit 101 is specifically configured to: receive a domain name query request sent by the border device, where the domain name query request comprises a first domain name carried in a first DNS request message.
As an example, in connection with fig. 7, the acquisition unit 101 is configured to execute S301.
Optionally, after the determining unit 104 determines that the first domain name is a malicious domain name, the determining apparatus 100 further includes: a sending unit 107, configured to return, to the border device, a domain name query result indicating that the first domain name is a malicious domain name.
As an example, in connection with fig. 7, the transmission unit 107 is configured to execute S305.
Optionally, before the obtaining unit 101 obtains the first domain name carried in the first DNS request packet, the obtaining unit 101 is further configured to obtain a second domain name carried in a second DNS request packet, where the second DNS request packet is a DNS request packet sent by a host of an internal network to a domain name server of an external network. The querying unit 102 is further configured to query the threat information repository for the second domain name. The recording unit 103 is further configured to record a second time if the result of querying the second domain name in the threat intelligence library is a hit.
Optionally, the first DNS request message and the second DNS request message come from the same host in the internal network.
Optionally, if the threat intelligence library further includes common malicious domain names, the first domain name and the second domain name in the threat intelligence library each carry a compromised domain name label, where the compromised domain name label is used to indicate that the first domain name and the second domain name in the threat intelligence library are compromised domain names.
For a specific description of the above alternative modes, reference may be made to the foregoing method embodiments, and details are not repeated here. In addition, any explanation and description of the beneficial effects of the determining apparatus 100 provided above may refer to the corresponding method embodiments described above, and will not be repeated.
As an example, in connection with fig. 4, the functions implemented by the querying unit 102, the recording unit 103, the determining unit 104, and the updating unit 105 in the determining apparatus 100 may be implemented by the processor 401 in fig. 4 executing the program code in the memory 402 in fig. 4. The functions performed by the acquisition unit 101 may be performed by the processor 401 in fig. 4 executing program code in the memory 402 in fig. 4, or by the network interface 403 in fig. 4. The functions performed by the output unit 106 may be performed by the input-output interface 405 in fig. 4 or by the network interface 403 in fig. 4. The functions implemented by the transmitting unit 107 may be implemented by the network interface 403 in fig. 4.
As shown in fig. 11, fig. 11 is a schematic structural diagram of another malicious domain name determining device 110 according to an embodiment of the present application. The determining means 110 is configured to perform the above-mentioned method for determining a malicious domain name, for example, the method shown in fig. 9. The determining device 110 may include an acquiring unit 111, a querying unit 112, an updating unit 113, and a determining unit 114.
The acquiring unit 111 is configured to acquire a first domain name carried in a first DNS request message, where the first DNS request message is a DNS request message sent by a host of an internal network to a domain name server of an external network. The querying unit 112 is configured to query the first domain name in a threat intelligence library that includes at least one malware family, where each malware family includes one or more malicious domain names. The updating unit 113 is configured to update, if the result of querying the first domain name in the threat intelligence library is a hit, the number of times that the target malware family to which the first domain name belongs in the threat intelligence library has been hit within a preset time window. The determining unit 114 is configured to determine that the first domain name is a malicious domain name if the number of hits of the target malware family within the preset time window is greater than or equal to a set threshold. A hit means that one malware family included in the threat intelligence library includes the first domain name, and the preset time window is a time period whose end point is the moment at which the first domain name is queried in the threat intelligence library and whose length is a preset duration.
As an example, in connection with fig. 9, the acquiring unit 111 is used to perform S501, the querying unit 112 and the updating unit 113 are used to perform S502, and the determining unit 114 may be used to perform S503 and S504.
Optionally, the determining device 110 further includes: an output unit 115, configured to output the first domain name and/or the target malware family.
Optionally, if the determining device 110 is applied to a security device in an internal network, the acquiring unit 111 is specifically configured to: acquire the first DNS request message from the traffic flowing through the security device, and extract the first domain name from the first DNS request message.
Optionally, if the determining device 110 is applied to a cloud device connected to a border device of an internal network, where the border device is located at the boundary between the internal network and an external network, the acquiring unit 111 is specifically configured to: receive a domain name query request sent by the border device, where the domain name query request includes the first domain name carried in the first DNS request message.
Optionally, after the determining unit 114 determines that the first domain name is a malicious domain name, the determining device 110 further includes: a sending unit 116, configured to return, to the border device, a domain name query result indicating that the first domain name is a malicious domain name.
Optionally, the DNS request messages carrying all the domain names hit within the preset time window come from the same host in the internal network.
Optionally, if the threat intelligence library also includes common malicious domain names, the first domain name in the threat intelligence library carries a compromised-domain tag, which indicates that the first domain name in the library is a compromised domain name.
For a specific description of the above alternative modes, reference may be made to the foregoing method embodiments, and details are not repeated here. In addition, any explanation and description of the beneficial effects of the determining device 110 provided above may refer to the corresponding method embodiments described above, and will not be repeated.
As an example, in connection with fig. 4, the functions implemented by the querying unit 112, the updating unit 113, and the determining unit 114 in the determining device 110 may be implemented by the processor 401 in fig. 4 executing the program code in the memory 402 in fig. 4. The functions performed by the acquiring unit 111 may be performed by the processor 401 in fig. 4 executing program code in the memory 402 in fig. 4, or by the network interface 403 in fig. 4. The functions performed by the output unit 115 may be performed by the input-output interface 405 in fig. 4 or by the network interface 403 in fig. 4. The functions implemented by the sending unit 116 may be implemented by the network interface 403 in fig. 4.
Those of skill in the art will readily appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It should be noted that the division of the modules in fig. 10 and 11 is illustrative, and is merely a logic function division, and other division manners may be implemented in practice. For example, two or more functions may also be integrated in one processing module. The integrated modules may be implemented in hardware or in software functional modules.
Embodiments of the present application also provide a computer program product, and a computer readable storage medium for storing the computer program product. The computer program product may include one or more program instructions that, when executed by one or more processors, may provide the functionality or portions of the functionality described above with respect to fig. 5, 6, 7, 8, or 9. Thus, for example, one or more features of S101-S104 of FIG. 5 may be carried by one or more instructions in the computer program product.
In some examples, a device for determining a malicious domain name, such as the one described with reference to fig. 5, 6, 7, 8, or 9, may be configured to provide various operations, functions, or actions in response to one or more program instructions stored on a computer-readable storage medium.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server, or data center to another via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. A computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state disk (SSD)).
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (31)

1. A method for determining a malicious domain name, comprising:
acquiring a first domain name carried in a first DNS request message, wherein the first DNS request message is sent by a host of an internal network to a domain name server of an external network;
querying the first domain name in a threat intelligence library, wherein the threat intelligence library comprises at least one malicious software family, and each malicious software family in the at least one malicious software family comprises one or more malicious domain names;
if the result of querying the first domain name in the threat intelligence library is a hit, recording a first time, wherein the hit means that one malware family in the threat intelligence library comprises the first domain name, and the first time is the time at which the target malware family to which the first domain name in the threat intelligence library belongs is hit;
determining a time difference between the first time and a second time, the second time being the time at which the target malware family was last hit;
and if the time difference is smaller than a first threshold value, determining that the first domain name is a malicious domain name.
2. The method of claim 1, wherein if the query result of querying the threat intelligence library for the first domain name is a hit, the method further comprises:
updating the number of times the target malware family is hit;
then determining that the first domain name is a malicious domain name comprises:
and if the time difference is smaller than the first threshold value and the number of times that the target malicious software family is hit is larger than or equal to a second threshold value, determining that the first domain name is a malicious domain name.
3. The method of claim 1 or 2, wherein after determining that the first domain name is a malicious domain name, the method further comprises:
outputting the first domain name and/or the target malware family.
4. A method according to any of claims 1-3, wherein the method is applied to a security device in the internal network, and the obtaining the first domain name carried in the first DNS request message comprises:
acquiring the first DNS request message from the traffic flowing through the security device;
and extracting the first domain name from the first DNS request message.
5. A method according to any one of claims 1-3, wherein the method is applied to a cloud device, the cloud device being in connected communication with a border device of the internal network, the border device being located at a border between the internal network and the external network, and the obtaining the first domain name carried in the first DNS request message comprises:
and receiving a domain name query request sent by the border device, wherein the domain name query request comprises the first domain name carried in the first DNS request message.
6. The method of claim 5, wherein after determining that the first domain name is a malicious domain name, the method further comprises:
and returning a domain name query result to the border device, wherein the domain name query result indicates that the first domain name is a malicious domain name.
7. The method according to any one of claims 1-6, wherein prior to the obtaining the first domain name carried in the first DNS request message, the method further comprises:
acquiring a second domain name carried in a second DNS request message, wherein the second DNS request message is a DNS request message sent by a host of the internal network to a domain name server of the external network;
querying the second domain name in the threat intelligence library;
and if the result of querying the second domain name in the threat intelligence library is a hit, recording the second time.
8. The method of claim 7, wherein the first DNS request message and the second DNS request message are from a same host in the internal network.
9. The method of claim 7 or 8, wherein if common malicious domain names are also included in the threat intelligence library, the first domain name and the second domain name in the threat intelligence library each carry a compromised-domain tag indicating that the first domain name and the second domain name in the threat intelligence library are compromised domain names.
10. A method for determining a malicious domain name, comprising:
acquiring a first domain name carried in a first DNS request message, wherein the first DNS request message is sent by a host of an internal network to a domain name server of an external network;
querying the first domain name in a threat intelligence library, wherein the threat intelligence library comprises at least one malicious software family, and each malicious software family in the at least one malicious software family comprises one or more malicious domain names;
if the result of querying the first domain name in the threat intelligence library is a hit, updating the number of times that the target malware family to which the first domain name belongs in the threat intelligence library is hit within a preset time window, wherein the hit means that one malware family included in the threat intelligence library includes the first domain name, and the preset time window is a time period whose end point is the moment at which the first domain name is queried in the threat intelligence library and whose length is a preset duration;
and if the number of hits of the target malware family within the preset time window is greater than or equal to a set threshold, determining that the first domain name is a malicious domain name.
11. The method according to claim 10, wherein the method further comprises:
outputting the first domain name and/or the target malware family.
12. The method of claim 10 or 11, wherein if common malicious domain names are also included in the threat intelligence library, the first domain name in the threat intelligence library carries a compromised-domain tag indicating that the first domain name in the threat intelligence library is a compromised domain name.
13. The method according to any of claims 10-12, wherein the method is applied to a security device in the internal network, and the obtaining the first domain name carried in the first DNS request message comprises:
acquiring the first DNS request message from the traffic flowing through the security device;
and extracting the first domain name from the first DNS request message.
14. The method according to any one of claims 10-12, wherein the method is applied to a cloud device, the cloud device is in connection communication with a border device of the internal network, the border device is located at a border between the internal network and the external network, and the acquiring the first domain name carried in the first DNS request message includes:
and receiving a domain name query request sent by the border device, wherein the domain name query request comprises the first domain name carried in the first DNS request message.
15. The method of claim 14, wherein after determining that the first domain name is a malicious domain name, the method further comprises:
and returning a domain name query result to the border device, wherein the domain name query result indicates that the first domain name is a malicious domain name.
16. A malicious domain name determining apparatus, comprising:
an obtaining unit, configured to obtain a first domain name carried in a first DNS request packet, where the first DNS request packet is a DNS request packet sent by a host of an internal network to a domain name server of an external network;
a query unit, configured to query the first domain name in a threat intelligence library, where the threat intelligence library includes at least one malware family, and each malware family in the at least one malware family includes one or more malicious domain names;
a recording unit, configured to record a first time if the result of querying the first domain name in the threat intelligence library is a hit, where the hit means that one malware family in the threat intelligence library includes the first domain name, and the first time is the time at which the target malware family to which the first domain name in the threat intelligence library belongs is hit;
a determining unit configured to determine a time difference between the first time and a second time, the second time being a time when the target malware family was hit last time; and if the time difference is smaller than a first threshold value, determining that the first domain name is a malicious domain name.
17. The apparatus according to claim 16, wherein if the query unit queries the threat intelligence library that the query result of the first domain name is a hit, the apparatus further comprises:
an updating unit configured to update the number of times the target malware family is hit;
the determining unit is specifically configured to determine that the first domain name is a malicious domain name if the time difference is smaller than the first threshold and the number of times the target malware family is hit is greater than or equal to a second threshold.
18. The apparatus according to claim 16 or 17, wherein after the determining unit determines that the first domain name is a malicious domain name, the apparatus further comprises:
and the output unit is used for outputting the first domain name and/or the target malicious software family.
19. The apparatus according to any of the claims 16-18, wherein the apparatus is applied to a security device in the internal network, the obtaining unit being specifically configured to:
acquiring the first DNS request message from the traffic flowing through the security device;
and extracting the first domain name from the first DNS request message.
20. The apparatus according to any one of claims 16-18, wherein the apparatus is applied to a cloud device, the cloud device being in connected communication with a boundary device of the internal network, the boundary device being located at a boundary of the internal network and the external network, the obtaining unit being specifically configured to:
and receiving a domain name query request sent by the border device, wherein the domain name query request comprises the first domain name carried in the first DNS request message.
21. The apparatus according to claim 20, wherein after the determining unit determines that the first domain name is a malicious domain name, the apparatus further comprises:
and a sending unit, configured to return a domain name query result to the border device, wherein the domain name query result indicates that the first domain name is a malicious domain name.
22. The apparatus according to any one of claims 16-21, wherein, before the obtaining unit obtains the first domain name carried in the first DNS request message,
the obtaining unit is further configured to obtain a second domain name carried in a second DNS request packet, where the second DNS request packet is a DNS request packet sent by the host of the internal network to the domain name server of the external network;
the query unit is further configured to query the second domain name in the threat intelligence library;
the recording unit is further configured to record the second time if the result of querying the second domain name in the threat intelligence library is a hit.
23. The apparatus of claim 22, wherein the first DNS request message and the second DNS request message are from a same host in the internal network.
24. The apparatus of claim 22 or 23, wherein if common malicious domain names are also included in the threat intelligence library, the first domain name and the second domain name in the threat intelligence library each carry a compromised-domain tag indicating that the first domain name and the second domain name in the threat intelligence library are compromised domain names.
25. A malicious domain name determining apparatus, comprising:
an obtaining unit, configured to obtain a first domain name carried in a first DNS request packet, where the first DNS request packet is a DNS request packet sent by a host of an internal network to a domain name server of an external network;
a query unit, configured to query the first domain name in a threat intelligence library, where the threat intelligence library includes at least one malware family, and each malware family in the at least one malware family includes one or more malicious domain names;
an updating unit, configured to update, if the result of querying the first domain name in the threat intelligence library is a hit, the number of times that the target malware family to which the first domain name belongs in the threat intelligence library is hit within a preset time window, where the hit means that one malware family included in the threat intelligence library includes the first domain name, and the preset time window is a time period whose end point is the moment at which the first domain name is queried in the threat intelligence library and whose length is a preset duration;
and a determining unit, configured to determine that the first domain name is a malicious domain name if the number of hits of the target malware family within the preset time window is greater than or equal to a set threshold.
26. The apparatus of claim 25, wherein the apparatus further comprises:
and the output unit is used for outputting the first domain name and/or the target malicious software family.
27. The apparatus according to claim 25 or 26, wherein the apparatus is applied to a security device in the internal network, the obtaining unit being specifically configured to:
acquiring the first DNS request message from the traffic flowing through the security device;
and extracting the first domain name from the first DNS request message.
28. The apparatus according to claim 25 or 26, wherein the apparatus is applied to a cloud device, the cloud device is in connection communication with a boundary device of the internal network, the boundary device is located at a boundary between the internal network and the external network, and the obtaining unit is specifically configured to:
and receiving a domain name query request sent by the border device, wherein the domain name query request comprises the first domain name carried in the first DNS request message.
29. The apparatus according to claim 28, wherein after the determining unit determines that the first domain name is a malicious domain name, the apparatus further comprises:
and a sending unit, configured to return a domain name query result to the border device, wherein the domain name query result indicates that the first domain name is a malicious domain name.
30. A malicious domain name determining apparatus, comprising: a memory, a network interface, and one or more processors to receive or transmit data through the network interface, the one or more processors configured to read program instructions stored in the memory to perform the method of any of claims 1-9, or claims 10-15.
31. A computer readable storage medium comprising program instructions which, when run on a computer or a processor, cause the computer or the processor to perform the method of any of claims 1-9, or claims 10-15.
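The two family-level correlation rules described for the determining apparatus 100 and the determining device 110 above, and restated in claims 1-2 and 10, as an added Python example that is not part of the patent: rule 1 flags a hit whose gap to the family's previous hit is below a first threshold (optionally with a minimum hit count), rule 2 flags a hit once the family has been hit a threshold number of times inside a window ending at the query time. The threat library, family names, domain names and log lines are constructed, and keeping state per internal host is an assumption that reflects the same-host option of claims 8 and 23.

```python
from collections import defaultdict, deque

# Constructed threat-intelligence library: each malware family lists the
# domains it is known to use. The boolean is the patent's compromised-domain
# tag (a hijacked legitimate domain); every name here is made up.
THREAT_LIBRARY = {
    "family-a": {"c2-a1.example": False, "c2-a2.example": False,
                 "blog.hijacked.example": True},
    "family-b": {"c2-b1.example": False},
}
# Reverse index, domain -> family, so each DNS query costs one lookup.
DOMAIN_TO_FAMILY = {d: fam for fam, doms in THREAT_LIBRARY.items() for d in doms}


class FamilyHitDetector:
    """Correlates threat-library hits per malware family (claims 1-2 and 10).

    Rule 1: the hit is malicious when the gap to the family's previous hit is
    below first_threshold seconds and the family's running hit count is at
    least second_threshold (second_threshold=1 gives plain claim 1).
    Rule 2: the hit is malicious when the family has been hit at least
    window_threshold times within the preset_window seconds ending at the
    query time. State is keyed by (host, family), an assumption that keeps
    hits from different internal hosts from being correlated with each other.
    """

    def __init__(self, first_threshold, second_threshold, preset_window, window_threshold):
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.preset_window = preset_window
        self.window_threshold = window_threshold
        self.last_hit = {}                     # (host, family) -> last hit time
        self.hit_count = defaultdict(int)      # (host, family) -> running hit count
        self.window_hits = defaultdict(deque)  # (host, family) -> hit times in window

    def query(self, host, domain, now):
        """Return None when the domain misses the library, else a verdict dict."""
        name = domain.rstrip(".").lower()
        family = DOMAIN_TO_FAMILY.get(name)
        if family is None:
            return None
        key = (host, family)
        previous = self.last_hit.get(key)
        self.last_hit[key] = now
        self.hit_count[key] += 1
        gap = None if previous is None else now - previous
        rule1 = (gap is not None and gap < self.first_threshold
                 and self.hit_count[key] >= self.second_threshold)
        hits = self.window_hits[key]
        hits.append(now)
        while now - hits[0] > self.preset_window:  # evict hits older than the window
            hits.popleft()
        rule2 = len(hits) >= self.window_threshold
        return {"family": family, "compromised": THREAT_LIBRARY[family][name],
                "gap": gap, "hits_in_window": len(hits),
                "rule1": rule1, "rule2": rule2, "malicious": rule1 or rule2}


def scan_dns_log(lines, **thresholds):
    """Run the detector over log lines "<unix_time> <client_host> <qname>" and
    return (time, host, qname, family, rule) for every query judged malicious."""
    detector = FamilyHitDetector(**thresholds)
    flagged = []
    for line in lines:
        ts, host, qname = line.split()
        verdict = detector.query(host, qname, int(ts))
        if verdict and verdict["malicious"]:
            flagged.append((int(ts), host, qname, verdict["family"],
                            "rule1" if verdict["rule1"] else "rule2"))
    return flagged


# Constructed DNS request log from three internal hosts (not real traffic).
SAMPLE_LOG = """
1000 10.0.0.5 www.benign.example
1010 10.0.0.5 c2-a1.example
1020 10.0.0.5 c2-a2.example
1400 10.0.0.5 blog.hijacked.example
1450 10.0.0.5 c2-a1.example
1460 10.0.0.9 c2-a2.example
1500 10.0.0.7 c2-b1.example
1600 10.0.0.7 c2-b1.example
1700 10.0.0.7 c2-b1.example
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, first_threshold=60, second_threshold=2,
                            preset_window=300, window_threshold=3):
        print(hit)
```

With the thresholds in the main block, host 10.0.0.5 is flagged twice by rule 1 (hits 10 s and 50 s after the family's previous hit), host 10.0.0.7 is flagged once by rule 2 (its third family-b hit inside 300 s), and the single hit from host 10.0.0.9 is not correlated with 10.0.0.5's hits.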
Application CN202111529100.XA, priority date 2021-12-14, filing date 2021-12-14: Method and device for determining malicious domain name. Status: Pending. Publication: CN116318740A (en).
Publications (1)

Publication Number Publication Date
CN116318740A true CN116318740A (en) 2023-06-23