CN117527298A - Malicious domain name detection system based on DNS analysis - Google Patents

Malicious domain name detection system based on DNS analysis

Info

Publication number
CN117527298A
Authority
CN
China
Prior art keywords
domain name
access
module
malicious
authority
Prior art date
Legal status
Pending
Application number
CN202311320549.4A
Other languages
Chinese (zh)
Inventor
陈璞
唐雨玉
杨浩然
李圆圆
沈雨生
Current Assignee
Yancheng Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
Yancheng Power Supply Co of State Grid Jiangsu Electric Power Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 ... for detecting or protecting against malicious traffic
                • H04L63/1408 ... by monitoring network traffic
                    • H04L63/1425 Traffic logging, e.g. anomaly detection
                • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/145 ... the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
            • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
                • H04L63/0227 Filtering policies
                    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
            • H04L63/10 ... for controlling access to devices or network resources
                • H04L63/101 Access control lists [ACL]
        • H04L61/00 Network arrangements, protocols or services for addressing or naming
            • H04L61/45 Network directories; Name-to-address mapping
                • H04L61/4505 ... using standardised directories; using standardised directory access protocols
                    • H04L61/4511 ... using domain name system [DNS]
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/40 Network security protocols

Abstract

The invention provides a malicious domain name detection system based on DNS resolution. The system comprises an analysis module, a permission limiting module, a recording module and a firewall module, which together provide a higher level of security protection against malicious domain names. The domain name source generated by a Trojan is locked bidirectionally: the computer cannot directly access the domain name, and the domain name cannot initiate any access to the computer. If the domain name needs to be accessed, its permission restriction must be lifted and the domain name removed from the blacklist; otherwise the permission lock remains in force, and the domain name can exchange traffic with the computer in both directions only after an authorization command has been obtained. This effectively restricts malicious Trojans. By tracing a virus domain name back to its source in advance, the system also reduces the access risk on the computer side after the domain name has been changed. The system is practical, offers better network security protection, and can be widely deployed.

Description

Malicious domain name detection system based on DNS analysis
Technical Field
The invention relates to the technical field of network security, in particular to a malicious domain name detection system based on DNS resolution.
Background
The Domain Name System (DNS) is the system that handles machine naming on the Internet. Just as one must know a friend's address before visiting, a host that needs to reach another host on the Internet must first know that host's address. In TCP/IP an IPv4 address consists of four groups of digits separated by "." (IPv4 is taken as the example here; the same naming principle applies to IPv6), which is not convenient to remember, so the domain name system is used to manage the correspondence between names and IP addresses;
DNS is a hierarchical, distributed database system that maps domain names and IP addresses to each other. The DNS system answers user queries by recursive query and provides a critical basic service for the operation of the Internet. At present most firewalls and networks leave DNS open and do not intercept DNS packets, so a covert channel can be built on top of the DNS protocol and data can be passed between a client and a server straight through the firewall;
DNS lets end-user devices translate a human-readable domain name into a machine-usable IP address that the network understands. The Internet Engineering Task Force (IETF) standards body defines both HTTP and DNS; DNS is a hierarchical distributed naming system for computers, services or any resource connected to the Internet, and it has become an essential component of the Internet by providing a global, distributed redirection service. As network traffic and network topology grow more complex, problems frequently arise in DNS services, so the present application provides a malicious domain name detection system based on DNS resolution to meet this need.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a malicious domain name detection system based on DNS resolution so as to solve the problems described above.
In order to solve the technical problems, the invention provides the following technical scheme:
A malicious domain name detection system based on DNS resolution, wherein the DNS system responds to a user's query by recursive query; the general process is as follows:
the client first queries its preferred DNS server;
the preferred DNS server checks its local resource records; if a matching record exists it returns an authoritative answer; otherwise it checks its local cache and, on a hit, returns the cached result directly; if neither a local record nor a cache entry exists, it queries a root DNS server;
the root DNS server returns the address of the authoritative DNS server for the corresponding top-level domain, and the preferred DNS server then queries that top-level authoritative server;
the top-level authoritative DNS server returns the address of the authoritative DNS server for the second-level domain, and the preferred DNS server iterates in this way until it obtains the authoritative answer for the queried domain name; the answer is stored in the local cache and returned to the client, completing the query;
the system comprises: an analysis module, a permission limiting module, a recording module and a firewall module.
Preferably, the analysis module automatically analyses and inspects each accessed domain name: it logs accesses to the domain name, extracts domain name information from the log, and judges from that analysis whether abnormal behaviour exists. Each web page jump (redirect) performed within the domain name is checked one by one and the result of each check is judged. If the judgement is that access to the domain name is abnormal, the abnormal behaviour is marked and the domain name is added to a blacklist. Domain names on the blacklist undergo a secondary detection: if any abnormality remains in the analysis result, a warning is generated and sent to the system front end, where it is received by staff; if the secondary detection finds no abnormality, the domain name is filtered out of the blacklist and added to a whitelist. A blacklisted domain name is locked once the current access ends, and all access rights to it are closed until it is released from the blacklist; when a blacklisted domain name is entered in the normal way, a popup warning is shown and the entry link is not displayed;
Preferably, the analysis module runs synchronously during domain name access. If a domain name that is in the whitelist state begins a virus-implantation attack from its back end during the access, the analysis module reacts rapidly, locates the threat in the accessed domain name, judges the domain name to be malicious, exits the domain name's website immediately and starts the firewall for self-detection.
Preferably, the permission limiting module locks the domain name source generated by a Trojan. The lock is bidirectional: the computer cannot directly access the domain name, and the domain name cannot initiate any access to the computer. If the domain name needs to be accessed, its permission restriction must be lifted, which requires the domain name to be removed from the blacklist; otherwise the permission lock is maintained, and the domain name can exchange traffic with the computer in both directions only after an authorization command has been obtained;
preferably, the domain name with authority restriction removed is accessible, when receiving the authorized SQL statement, the authority information is obtained from the authorized SQL statement, the authority information is stored as metadata in a database, and the authority information is obtained from the authorized SQL statement, including: performing lexical analysis on the received SQL sentence to obtain a keyword; if the keywords are mapped to the authorized grammar, acquiring an authorized user identifier, an authorized resource identifier and an authorized type from the received SQL statement according to the authorized grammar, wherein the authorized type comprises one or more of insertion, inquiry, update and deletion as authority information, and acquiring an access user identifier and a logic plan corresponding to the access SQL statement when the access SQL statement is received; determining an access type corresponding to the type of the logic plan, acquiring an access resource identifier from the logic plan, and determining the access type, the access resource identifier and the access user identifier as verification information; the method for verifying the verification information by calling the interface of the third party metadata management component to enable the third party metadata management component to verify the verification information according to the authority information comprises the following steps: if authority information that the authorized user identification is matched with the access user identification, the authorized resource identification is matched with the access resource identification, and the authorized type is matched with the access type exists, determining that verification is passed; otherwise, the verification is not passed.
Preferably, the recording module records the domain names of malicious attacks together with the malicious attack mode;
after a maliciously attacking domain name is locked, the recording module immediately records the domain name and traces it back to its domain name source. When the domain name is later changed, the detection system, at access time, retrieves the domain name source information stored in the recording module and checks it again; if the source is found to be already on record, the changed domain name is defined as a malicious website and given no permission, and the permission limiting module locks it and suspends access to it;
Preferably, during access to a new domain name, if an unknown attack is encountered, the unknown attack behaviour is analysed and repeatedly looked up in the recording module. If the same malicious attack behaviour is found on record, the domain name is immediately marked as dangerous, the unknown attack is edited and locked as a malicious attack, access to the domain name is intercepted, all content searches on the domain name are closed, and the domain name exhibiting the malicious behaviour is blacklisted in time.
Preferably, if the unknown attack is not found in the record library, access to the domain name continues to be allowed and is intercepted only when a malicious attack actually occurs. During access under an unknown attack, the analysis module performs synchronous detection: if the domain name merely produces a false alarm caused by node disorder, no measure is taken against it; if the analysis locates an attack in the domain name that carries a certain security risk, the domain name is assigned a risk grade among first-level blue, second-level orange and third-level red. In the first-level blue state the domain name can be accessed normally. In the second-level orange state the analysis module analyses the website without interruption and monitors all links, pictures and web page windows in real time after entry; if malicious content is found, the domain name is exited immediately and Trojan killing is carried out, domain name access is stopped at once and the domain name is locked, all records generated after entry during the access period are deleted immediately, the cache content downloaded during the access period is deleted at the same time, and the interception module is then started to raise a firewall warning.
Preferably, the firewall module comprises a master central processing unit that controls the virus monitoring and scanning process and divides it into a plurality of sub-processes; a plurality of slave CPU cards connected to the master central processing unit via Ethernet and a PCI bus and controlled by it at both the software level and the hardware level, each slave CPU card receiving and processing one of the sub-processes; and a programmable logic module controlled by the master central processing unit, which acquires status information from the slave CPU cards at a preset time interval and, while the slave CPU cards operate in the normal state, monitors and modifies their registers and memories through a debug and diagnostic tool inside the programmable logic module for hardware-level control.
Preferably, after receiving the analysis findings from the analysis module, the firewall module rapidly collects the Trojan from the accessed domain name, analyses the collected Trojan virus and its attack source, and, following the Trojan search-and-kill instruction, detects whether the disk driver is hooked and clears the hook if so; it then reads the master boot record from the first physical sector of the disk and judges whether that master boot record matches the preset virus characteristic. If it does, it judges whether the data in the second physical sector of the disk is a normal master boot record; if so, it judges whether the partition table of the first physical sector is normal; if so, the master boot record in the second physical sector is written over the start of the first physical sector and the system is restarted to clear the Trojan; otherwise the process ends.
Compared with the prior art, the invention has at least the following beneficial effects:
In this scheme, a higher level of security protection is applied to malicious domain names. The domain name source generated by a Trojan is locked bidirectionally: the computer cannot directly access the domain name and no access of any kind can occur between the domain name and the computer. If the domain name needs to be accessed, its permission restriction must be lifted and the domain name removed from the blacklist; otherwise the permission lock is maintained, and the domain name can exchange traffic with the computer in both directions only after an authorization command is obtained, which effectively restricts malicious Trojans from attacking the computer. After a maliciously attacking domain name is locked, the recording module immediately records it and traces it back to its domain name source; when the domain name is later changed, the detection system retrieves the stored domain name source information from the recording module and checks it, and if the source is already on record, the changed domain name is defined as a malicious address and the permission limiting module locks it and suspends access. This effectively reduces attacks that use deceptive domain names: because the system records the underlying domain name source, protection can be applied from the source in advance. The protection is better, network access is more practical, and the system can be widely deployed.
Drawings
The accompanying drawings, which are incorporated herein and form a part of the specification, illustrate embodiments of the present disclosure and, together with the description, further serve to explain the principles of the disclosure and to enable a person skilled in the pertinent art to make and use the disclosure.
FIG. 1 is a schematic block diagram of a malicious domain name detection system based on DNS resolution;
FIG. 2 is a schematic block diagram of an analysis module structure;
FIG. 3 is a schematic block diagram of the operation principle of the analysis module;
FIG. 4 is a schematic block diagram of a rights limitation module architecture;
FIG. 5 is a schematic block diagram of a rights reading flow;
FIG. 6 is a schematic block diagram of a recording module;
FIG. 7 is a schematic block diagram of a firewall module architecture;
FIG. 8 is a schematic block diagram of the firewall module workflow.
While particular structures and devices are shown in the drawings to enable a clear implementation of embodiments of the invention, this is for illustrative purposes only and is not intended to limit the invention to the particular structures, devices and environments, which may be modified or adapted by those of ordinary skill in the art, as desired, and which remain within the scope of the appended claims.
Detailed Description
The malicious domain name detection system based on DNS resolution provided by the invention is described in detail below with reference to the accompanying drawings and specific embodiments. While the invention is described here by way of preferred embodiments, the following embodiments are illustrative; the invention may be implemented in many alternative ways that will occur to those skilled in the art, and the accompanying drawings serve only to describe the embodiments more specifically and are not intended to limit the invention.
It should be noted that references in the specification to "one embodiment," "an example embodiment," "some embodiments," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the relevant art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
Generally, the terminology may be understood, at least in part, from the use of context. For example, the term "one or more" as used herein may be used to describe any feature, structure, or characteristic in a singular sense, or may be used to describe a combination of features, structures, or characteristics in a plural sense, depending at least in part on the context. In addition, the term "based on" may be understood as not necessarily intended to convey an exclusive set of factors, but may instead, depending at least in part on the context, allow for other factors that are not necessarily explicitly described.
It will be understood that the meanings of "on", "above" and "over" in this disclosure should be interpreted in the broadest sense, so that "on" means not only "directly on" but also includes being "on" something with intervening features or layers therebetween, and "above" or "over" means not only being "above" or "over" something but may also include being "above" or "over" something without intervening features or layers therebetween.
Furthermore, spatially relative terms such as "beneath", "below", "lower", "above", "upper" and the like may be used herein for ease of description to describe one element's or feature's relationship to another element or feature as illustrated in the figures. Spatially relative terms are intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. The device may be otherwise oriented, and the spatially relative descriptors used herein are to be interpreted accordingly.
Referring to FIG. 1, the DNS system responds to a user's query by recursive query; the general process is as follows:
the client first queries its preferred DNS server;
the preferred DNS server checks its local resource records; if a matching record exists it returns an authoritative answer; otherwise it checks its local cache and, on a hit, returns the cached result directly; if neither a local record nor a cache entry exists, it queries a root DNS server;
the root DNS server returns the address of the authoritative DNS server for the corresponding top-level domain, and the preferred DNS server then queries that top-level authoritative server;
the top-level authoritative DNS server returns the address of the authoritative DNS server for the second-level domain, and the preferred DNS server iterates in this way until it obtains the authoritative answer for the queried domain name; the answer is stored in the local cache and returned to the client, completing the query;
the system comprises: an analysis module, a permission limiting module, a recording module and a firewall module.
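The resolution procedure above (it appears first in the Disclosure and again here) as a runnable simulation, added to this page and not part of the patent: the preferred server, its local resource records, its cache and a constructed three-server "network" (root, the .com TLD server and the example.com authoritative server, using RFC 5737 documentation addresses) are all in memory, so it runs offline. Zone contents, server identifiers and the referral limit are assumptions; CNAMEs, TTLs and negative caching are left out.

```python
from dataclasses import dataclass
from typing import Dict, Optional

MAX_REFERRALS = 16  # assumed guard against referral loops in the constructed data


@dataclass
class Answer:
    name: str
    address: Optional[str]   # None means the name could not be resolved
    authoritative: bool      # True only when answered from the preferred server's own zone data
    source: str              # "local", "cache", or the id of the server that answered
    hops: int                # referrals followed (root -> TLD -> second-level)


class PreferredServer:
    """The client's preferred DNS server: local resource records, a cache, and
    the iterative walk from the root server down to the authoritative server."""

    def __init__(self, local_records: Dict[str, str], servers: Dict[str, dict]):
        self.local = {self.fqdn(k): v for k, v in local_records.items()}
        self.servers = servers        # constructed "network": server id -> {"A": {...}, "NS": {zone: server id}}
        self.cache: Dict[str, str] = {}

    @staticmethod
    def fqdn(name: str) -> str:
        name = name.lower()
        return name if name.endswith(".") else name + "."

    def resolve(self, qname: str) -> Answer:
        qname = self.fqdn(qname)
        # Step 1: a local resource record yields an authoritative answer.
        if qname in self.local:
            return Answer(qname, self.local[qname], True, "local", 0)
        # Step 2: a cache hit is returned directly (non-authoritative).
        if qname in self.cache:
            return Answer(qname, self.cache[qname], False, "cache", 0)
        # Step 3: neither exists, so start at the root and follow referrals.
        server, hops = "root", 0
        while hops <= MAX_REFERRALS:
            zone = self.servers[server]
            if qname in zone.get("A", {}):
                address = zone["A"][qname]
                self.cache[qname] = address          # store the authoritative answer locally
                return Answer(qname, address, False, server, hops)
            # Follow the most specific delegation this server knows for the name.
            delegations = [z for z in zone.get("NS", {}) if qname == z or qname.endswith("." + z)]
            if not delegations:
                return Answer(qname, None, False, server, hops)   # no such name
            server = zone["NS"][max(delegations, key=len)]
            hops += 1
        return Answer(qname, None, False, server, hops)


def build_example_resolver() -> PreferredServer:
    """Constructed zone data (assumed): RFC 5737 documentation IPs, reserved example names."""
    servers = {
        "root":       {"NS": {"com.": "tld-com"}},
        "tld-com":    {"NS": {"example.com.": "ns-example"}},
        "ns-example": {"A": {"www.example.com.": "203.0.113.10"}},
    }
    local = {"intranet.corp.local": "10.0.0.5"}   # zone the preferred server is itself authoritative for
    return PreferredServer(local, servers)


if __name__ == "__main__":
    resolver = build_example_resolver()
    for name in ("intranet.corp.local", "www.example.com", "www.example.com", "nothing.invalid"):
        print(resolver.resolve(name))
```

The second query for www.example.com is answered from the cache with zero hops, which is the behaviour the procedure describes; the local zone entry is the only case that yields an authoritative answer from the preferred server itself.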
Referring to FIG. 2 and FIG. 3, the analysis module automatically analyses and inspects each accessed domain name: it logs accesses to the domain name, extracts domain name information from the log, and judges from that analysis whether abnormal behaviour exists. Each web page jump performed within the domain name is checked one by one and the result of each check is judged. If the judgement is that access to the domain name is abnormal, the abnormal behaviour is marked and the domain name is added to a blacklist. Domain names on the blacklist undergo a secondary detection: if any abnormality remains in the analysis result, a warning is generated and sent to the system front end, where it is received by staff; if the secondary detection finds no abnormality, the domain name is filtered out of the blacklist and added to a whitelist. A blacklisted domain name is locked once the current access ends, and all access rights to it are closed until it is released from the blacklist; when a blacklisted domain name is entered in the normal way, a popup warning is shown and the entry link is not displayed. During domain name access the analysis module runs synchronously: if a domain name that is in the whitelist state begins a virus-implantation attack from its back end during the access, the analysis module reacts rapidly, locates the threat in the accessed domain name, judges the domain name to be malicious, exits the domain name's website immediately and starts the firewall for self-detection.
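An added illustration of the analysis module's workflow (this paragraph and the corresponding "Preferably" paragraphs in the Disclosure), not code from the patent: the log format, the three abnormality rules for a page jump (bare IP target, known-bad target, chain longer than MAX_JUMPS), the example domains and the "virus-implant" event name are constructed assumptions; the patent does not say which jump behaviours count as abnormal.

```python
import re
from typing import Dict, List, Tuple

IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAX_JUMPS = 3   # assumed threshold: longer redirect chains are treated as abnormal

# Constructed access-log format (one line per request, space separated):
#   <timestamp> <domain> <http-status> <redirect-target or ->
FIRST_PASS_LOG = [
    "2024-01-01T10:00:00 portal.example.test 302 cdn.example.test",
    "2024-01-01T10:00:01 cdn.example.test 302 198.51.100.7",
    "2024-01-01T10:00:02 198.51.100.7 200 -",
]
RECHECK_LOG = [
    "2024-01-02T09:00:00 portal.example.test 200 -",
]
KNOWN_BAD_LOG = [
    "2024-01-03T08:00:00 shop.example.test 301 bad.example.test",
    "2024-01-03T08:00:01 bad.example.test 200 -",
]


class AnalysisModule:
    def __init__(self, known_bad=()):
        self.known_bad = set(known_bad)
        self.blacklist: set = set()
        self.whitelist: set = set()
        self.warnings: List[str] = []      # messages pushed to the system front end for staff

    @staticmethod
    def parse_log(lines: List[str]) -> List[dict]:
        entries = []
        for line in lines:
            parts = line.split()
            if len(parts) != 4:
                continue                   # malformed line: skip rather than crash
            ts, domain, status, target = parts
            entries.append({"ts": ts, "domain": domain, "status": int(status),
                            "next": None if target == "-" else target})
        return entries

    def check_jumps(self, entries: List[dict]) -> List[Tuple[str, str, str]]:
        """Check every page jump one by one; returns (from, to, reason) for each abnormal jump."""
        findings, hops = [], 0
        for e in entries:
            if 300 <= e["status"] < 400 and e["next"]:
                hops += 1
                target = e["next"]
                if IP_LITERAL.match(target):
                    findings.append((e["domain"], target, "redirect to bare IP address"))
                if target in self.known_bad or target in self.blacklist:
                    findings.append((e["domain"], target, "redirect to known-bad domain"))
                if hops > MAX_JUMPS:
                    findings.append((e["domain"], target, "redirect chain too long"))
            else:
                hops = 0                   # a non-redirect response ends the chain
        return findings

    def analyze(self, domain: str, lines: List[str]) -> List[Tuple[str, str, str]]:
        """First pass: any abnormal jump marks the domain and puts it on the blacklist."""
        findings = self.check_jumps(self.parse_log(lines))
        if findings:
            self.blacklist.add(domain)
            self.whitelist.discard(domain)
        return findings

    def secondary_detection(self, domain: str, lines: List[str]) -> str:
        """Re-check a blacklisted domain on a later capture: still abnormal -> warn staff;
        clean -> release it from the blacklist and add it to the whitelist."""
        if domain not in self.blacklist:
            return "not blacklisted"
        findings = self.check_jumps(self.parse_log(lines))
        if findings:
            self.warnings.append(f"{domain}: {len(findings)} abnormal jump(s) on re-check")
            return "warned"
        self.blacklist.discard(domain)
        self.whitelist.add(domain)
        return "whitelisted"

    def runtime_guard(self, domain: str, event: str) -> str:
        """Synchronous check during access: a whitelisted domain that starts implanting
        a virus is re-judged malicious, exited, and the firewall self-check is started."""
        if domain in self.whitelist and event == "virus-implant":
            self.whitelist.discard(domain)
            self.blacklist.add(domain)
            return "exit-and-firewall-selfcheck"
        return "continue"

    def render_link(self, domain: str) -> Dict[str, object]:
        """A locked (blacklisted) domain shows a popup warning and no entry link."""
        if domain in self.blacklist:
            return {"popup": f"{domain} is blacklisted; access is locked", "link": None}
        return {"popup": None, "link": f"https://{domain}/"}
```

The hop counter resets on any non-redirect response, so a long chain is only flagged when the redirects are consecutive; a real deployment would also key the chain on the client session rather than on line order alone.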
Referring to FIG. 4 and FIG. 5, the permission limiting module locks the domain name source generated by a Trojan. The lock is bidirectional: the computer cannot directly access the domain name, and the domain name cannot initiate any access to the computer. If the domain name needs to be accessed, its permission restriction must be lifted, which requires the domain name to be removed from the blacklist; otherwise the permission lock is maintained, and the domain name can exchange traffic with the computer in both directions only after an authorization command has been obtained. A domain name whose permission restriction has been lifted is accessible. When an authorization SQL statement is received, permission information is extracted from it and stored in the database as metadata. Extracting the permission information from the authorization SQL statement comprises: performing lexical analysis on the received SQL statement to obtain its keywords; if the keywords map to the authorization grammar, obtaining, according to that grammar, an authorized user identifier, an authorized resource identifier and an authorization type from the statement, where the authorization type comprises one or more of insert, query, update and delete, and taking these as the permission information. When an access SQL statement is received, the access user identifier and the logical plan corresponding to the access SQL statement are obtained; the access type is determined from the type of the logical plan, the access resource identifier is taken from the logical plan, and the access type, access resource identifier and access user identifier together form the verification information. The interface of a third-party metadata management component is then called so that the component verifies the verification information against the stored permission information, which comprises: if permission information exists in which the authorized user identifier matches the access user identifier, the authorized resource identifier matches the access resource identifier and the authorization type matches the access type, the verification passes; otherwise it fails.
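An added example of the permission limiting module's two mechanisms (the bidirectional lock, and the authorization-SQL workflow described above and in the Disclosure); it is not the patent's code. The GRANT syntax, the mapping of SELECT/INSERT/UPDATE/DELETE to query/insert/update/delete, the tiny planner that derives (access type, resource) from a statement, and the in-memory MetadataStore standing in for the third-party metadata management component are all assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Tokenizer for the lexical-analysis step: identifiers (dots allowed), quoted strings,
# numbers, and single punctuation/operator characters.
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*|'[^']*'|\d+|[^\s\w]")

# Assumed authorization grammar (the patent names the four types but not the syntax):
#   GRANT <type>[, <type>...] ON <resource> TO <user>
GRANT_TYPES = {"SELECT": "query", "INSERT": "insert", "UPDATE": "update", "DELETE": "delete"}


def lex(sql: str) -> List[str]:
    return TOKEN.findall(sql)


def logical_plan(tokens: List[str]) -> Optional[Tuple[str, str]]:
    """Minimal stand-in for a query planner: returns (access type, resource) or None."""
    kw = [t.upper() for t in tokens]
    try:
        if kw[0] == "SELECT":
            return "query", tokens[kw.index("FROM") + 1]
        if kw[0] == "INSERT":
            return "insert", tokens[kw.index("INTO") + 1]
        if kw[0] == "UPDATE":
            return "update", tokens[1]
        if kw[0] == "DELETE":
            return "delete", tokens[kw.index("FROM") + 1]
    except (ValueError, IndexError):
        return None
    return None


class MetadataStore:
    """Stand-in for the third-party metadata management component (in memory here)."""
    def __init__(self):
        self.grants = set()          # (authorized user, authorized resource, authorization type)

    def save(self, user: str, resource: str, atype: str) -> None:
        self.grants.add((user, resource, atype))

    def verify(self, user: str, resource: str, atype: str) -> bool:
        """Pass only if one grant matches user, resource and type all at once."""
        return (user, resource, atype) in self.grants


class PermissionLimitingModule:
    def __init__(self):
        self.store = MetadataStore()
        self.locked = set()          # domain names under the bidirectional lock

    # --- bidirectional lock -------------------------------------------------
    def lock(self, domain: str) -> None:
        self.locked.add(domain)

    def authorize(self, domain: str) -> None:
        """The authorization command releases the lock (the domain leaves the blacklist)."""
        self.locked.discard(domain)

    def can_access(self, domain: str) -> bool:
        """Same answer for both directions: host -> domain and domain -> host."""
        return domain not in self.locked

    # --- authorization SQL and access SQL -----------------------------------
    def handle_statement(self, user: str, sql: str) -> dict:
        tokens = lex(sql)
        kw = [t.upper() for t in tokens]
        if kw and kw[0] == "GRANT":
            return self._store_grant(tokens, kw)
        plan = logical_plan(tokens)
        if plan is None:
            return {"plan": None, "verified": False, "reason": "unsupported statement"}
        atype, resource = plan
        return {"plan": plan, "user": user, "verified": self.store.verify(user, resource, atype)}

    def _store_grant(self, tokens: List[str], kw: List[str]) -> dict:
        try:
            on, to = kw.index("ON"), kw.index("TO")
            resource, user = tokens[on + 1], tokens[to + 1]
        except (ValueError, IndexError):
            return {"stored": [], "reason": "statement does not match the authorization grammar"}
        types = [GRANT_TYPES[t] for t in kw[1:on] if t in GRANT_TYPES]
        stored = [(user, resource, t) for t in types]
        for u, r, t in stored:
            self.store.save(u, r, t)
        return {"stored": stored}
```

Verification is a strict triple match, so a user granted query on a resource is refused delete on the same resource, and a user with no grant at all is refused everything; a statement the planner does not understand fails closed.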
Referring to FIG. 6, the recording module records the domain names of malicious attacks together with the malicious attack mode. After a maliciously attacking domain name is locked, the recording module immediately records the domain name and traces it back to its domain name source. When the domain name is later changed, the detection system, at access time, retrieves the domain name source information stored in the recording module and checks it again; if the source is found to be already on record, the changed domain name is defined as a malicious website and given no permission, and the permission limiting module locks it and suspends access to it. During access to a new domain name, if an unknown attack is encountered, the unknown attack behaviour is analysed and repeatedly looked up in the recording module; if the same malicious attack behaviour is found on record, the domain name is immediately marked as dangerous, the unknown attack is edited and locked as a malicious attack, access to the domain name is intercepted, all content searches on the domain name are closed, and the domain name exhibiting the malicious behaviour is blacklisted in time.
If the unknown attack is not found in the record library, access to the domain name continues to be allowed and is intercepted only when a malicious attack actually occurs. During access under an unknown attack, the analysis module performs synchronous detection: if the domain name merely produces a false alarm caused by node disorder, no measure is taken against it; if the analysis locates an attack in the domain name that carries a certain security risk, the domain name is assigned a risk grade among first-level blue, second-level orange and third-level red. In the first-level blue state the domain name can be accessed normally. In the second-level orange state the analysis module analyses the website without interruption and monitors all links, pictures and web page popup windows in real time after entry; if content with a malicious tendency is found, the domain name is exited immediately and Trojan killing is carried out, domain name access is stopped at once and the domain name is locked, all records generated after entry during the access period are deleted immediately, the cache content downloaded during the access period is deleted at the same time, and the firewall module is then started to intercept the domain name.
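An added example covering the recording module, the handling of an unknown attack and the three risk grades described in the two paragraphs above (and in the matching Disclosure paragraphs); it is not the patent's code. The patent does not define what the "domain name source" is, so the example assumes it is identified by a string such as the domain's authoritative name server, and the thresholds that map observed signals to the blue/orange/red grades are likewise assumptions; the example names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AttackRecord:
    domain: str
    source: str        # assumed identity of the "domain name source", e.g. its authoritative name server
    attack_mode: str   # how the domain attacked, e.g. "drive-by-download"


class RecordingModule:
    def __init__(self):
        self.records: List[AttackRecord] = []

    def record(self, domain: str, source: str, attack_mode: str) -> None:
        self.records.append(AttackRecord(domain, source, attack_mode))

    def by_source(self, source: str) -> List[AttackRecord]:
        return [r for r in self.records if r.source == source]

    def by_mode(self, attack_mode: str) -> List[AttackRecord]:
        return [r for r in self.records if r.attack_mode == attack_mode]


RISK_GRADES = {1: "blue", 2: "orange", 3: "red"}


class DetectionSystem:
    def __init__(self, recorder: RecordingModule):
        self.recorder = recorder
        self.locked: set = set()       # domains the permission limiting module has locked
        self.marked: set = set()       # domains marked dangerous

    def on_lock(self, domain: str, source: str, attack_mode: str) -> None:
        """A locked attacking domain is recorded at once together with its traced source."""
        self.locked.add(domain)
        self.recorder.record(domain, source, attack_mode)

    def on_access(self, domain: str, source: str, behaviour: Optional[str] = None) -> dict:
        """Access-time check: a recorded source (renamed domain) or a recorded attack
        behaviour leads to locking; an unmatched unknown behaviour is allowed for now."""
        hits = self.recorder.by_source(source)
        if hits:
            self.locked.add(domain)
            return {"action": "lock", "reason": f"source {source} already recorded for {hits[0].domain}"}
        if behaviour is not None:
            if self.recorder.by_mode(behaviour):
                self.marked.add(domain)
                self.locked.add(domain)
                self.recorder.record(domain, source, behaviour)   # the unknown attack is now a known one
                return {"action": "intercept", "reason": f"behaviour '{behaviour}' repeats a recorded attack"}
            return {"action": "allow", "reason": "unknown behaviour not on record; intercept only if it turns malicious"}
        return {"action": "allow", "reason": "no record for this source"}

    @staticmethod
    def grade_risk(signals: Dict[str, object]) -> int:
        """Assumed scoring rules; the text names the three grades but not the thresholds.
        Returns 0 when only a node-disorder false alarm was seen (no measure taken)."""
        if signals.get("node_disorder_only"):
            return 0
        if signals.get("malicious_content"):
            return 3
        if signals.get("popups", 0) > 0 or signals.get("suspicious_links", 0) >= 3:
            return 2
        return 1

    def apply_grade(self, domain: str, grade: int, session: dict) -> str:
        """Grade -> action. Red: stop access, lock, purge the session's records and
        downloaded cache, then hand the domain over to the firewall module."""
        if grade == 0:
            return "no-action"
        if grade == 1:
            return f"allow ({RISK_GRADES[1]})"
        if grade == 2:
            return f"monitor links, pictures and popups ({RISK_GRADES[2]})"
        self.locked.add(domain)
        session["records"].clear()
        session["download_cache"].clear()
        return f"locked, records and cache purged, firewall alerted ({RISK_GRADES[3]})"
```

The source lookup is what catches a renamed domain: evil-renamed.example.test has never been seen, but its source string matches the record made when evil.example.test was locked.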
Referring to fig. 7 and 8, the firewall module comprises a main central processing unit, a plurality of sub-CPU cards and a programmable logic module. The main central processing unit controls the virus monitoring and scanning process and divides it into a plurality of sub-processes. The sub-CPU cards are connected to the main central processing unit through Ethernet and a PCI bus and are controlled by it at both the software level and the hardware level; each sub-CPU card receives and processes one of the sub-processes. The programmable logic module, controlled by the main central processing unit, acquires status information from the sub-CPU cards at a preset time interval and, while the sub-CPU cards are operating normally, monitors and modifies their registers and memories through a debug diagnostic tool in the programmable logic module for hardware-level control. After receiving the analysis problems reported by the analysis module, the firewall module rapidly collects Trojan horses from the accessed domain name, parses the collected Trojan virus, analyses the attack source and, according to the Trojan scan-and-kill instruction, detects whether the disk driver is hooked; if a hook is detected, it is cleared. It then reads the master boot record from the first physical sector of the disk and judges whether it matches the preset virus characteristic. If it does, it judges whether the data on the second physical sector of the disk is a normal master boot record; if so, it judges whether the partition table of the first physical sector is normal; if so, it overwrites the start of the first physical sector with the master boot record from the second physical sector and restarts the system to clear the Trojan horse. Otherwise the procedure ends.
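The master-boot-record branch of the procedure above (signature match on the first sector, sanity check of the backup on the second sector, sanity check of the first sector's partition table, then copy back and reboot) is shown below on constructed disk images. This is an added example and not the patent's code. It assumes a standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), a constructed marker string in place of a real Trojan signature, and that "overwriting the start of the first sector" means restoring the 446-byte boot code while keeping the partition table that was just verified as normal; the page does not say how many bytes are copied.

```python
import struct
from typing import List, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446          # boot code occupies bytes 0..445 of the MBR
PART_ENTRY_LEN = 16          # four entries at 446..509
BOOT_SIG = b"\x55\xAA"       # bytes 510..511
PART_FMT = "<B3xB3xII"       # boot flag, CHS start, type, CHS end, LBA start, sector count

# Constructed marker standing in for a Trojan's boot-code signature (assumption);
# a real scanner carries a table of known signatures instead.
VIRUS_SIGNATURES = [b"\xEB\xFE\x90\x90EXAMPLE-MBR-TROJAN"]


def partition_entries(sector: bytes) -> List[Tuple[int, int, int, int]]:
    """Return (boot_flag, type, lba_start, sector_count) for each of the four slots."""
    return [struct.unpack_from(PART_FMT, sector, BOOT_CODE_LEN + i * PART_ENTRY_LEN)
            for i in range(4)]


def partition_table_is_normal(sector: bytes) -> bool:
    """Signature present, sane boot flags, at most one active slot, no overlapping partitions."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    active = 0
    used: List[Tuple[int, int]] = []
    for flag, ptype, lba, count in partition_entries(sector):
        if flag not in (0x00, 0x80):
            return False
        if ptype == 0:
            continue  # empty slot
        if count == 0 or lba == 0:  # a partition at LBA 0 would overlap the MBR itself
            return False
        active += 1 if flag == 0x80 else 0
        used.append((lba, lba + count))
    if active > 1:
        return False
    used.sort()
    return all(a_end <= b_start for (_, a_end), (b_start, _) in zip(used, used[1:]))


def matches_virus_signature(sector: bytes) -> bool:
    boot_code = bytes(sector[:BOOT_CODE_LEN])
    return any(sig in boot_code for sig in VIRUS_SIGNATURES)


def clean_mbr(disk: bytearray) -> str:
    """Apply the page's decision chain to an in-memory disk image; returns the outcome."""
    first = bytes(disk[0:SECTOR])
    second = bytes(disk[SECTOR:2 * SECTOR])
    if not matches_virus_signature(first):
        return "clean"
    if matches_virus_signature(second) or not partition_table_is_normal(second):
        return "backup-unusable"
    if not partition_table_is_normal(first):
        return "partition-table-damaged"
    # Restore the backup boot code; keep the verified partition table of sector 1.
    disk[0:BOOT_CODE_LEN] = second[:BOOT_CODE_LEN]
    return "restored-reboot-required"


def build_mbr(boot_code: bytes, parts: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition tuples (constructed)."""
    assert len(boot_code) <= BOOT_CODE_LEN and len(parts) <= 4
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, entry in enumerate(parts):
        struct.pack_into(PART_FMT, sector, BOOT_CODE_LEN + i * PART_ENTRY_LEN, *entry)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def constructed_disk() -> bytearray:
    """Sector 1 carries infected boot code, sector 2 holds the backup of the normal MBR."""
    parts = [(0x80, 0x83, 2048, 204800), (0x00, 0x82, 206848, 65536)]
    good = build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C", parts)  # placeholder boot bytes
    infected = build_mbr(VIRUS_SIGNATURES[0], parts)
    return bytearray(infected + good)
```

The partition-table check is the step that protects against making things worse: if the infection also corrupted the table, copying a backup over the boot code alone would leave an unbootable and possibly data-destroying layout, so the routine stops and reports instead.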
The invention is intended to cover any alternatives, modifications, equivalents and variations that fall within its spirit and scope. In the foregoing description of preferred embodiments, specific details are set forth in order to provide a thorough understanding of the invention; those skilled in the art will understand that the invention may also be practised without these details. In other instances, well-known methods, procedures, flows, components, circuits and the like have not been described in detail so as not to obscure aspects of the invention unnecessarily.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the embodiments described above may be implemented by a program that instructs the associated hardware, and that the program may be stored on a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
The foregoing is merely a preferred embodiment of the invention; modifications and adaptations may be made by those skilled in the art without departing from the principles of the invention, and such modifications are also intended to fall within its scope.

Claims (10)

1. A malicious domain name detection system based on DNS resolution, comprising an analysis module, an authority restriction module, a recording module and a firewall module, characterised in that the DNS system responds to a user's query by way of a recursive query request, the process being as follows:
the client first queries its preferred domain name server;
the preferred domain name server checks its local resource records and, if a matching record exists, gives an authoritative answer; if not, it checks its local cache and, if a cached record exists, returns the result directly; if neither a local resource record nor a cached record exists, it queries a root domain name server;
the root domain name server returns the address of the authoritative domain name server for the corresponding top-level domain, and the preferred domain name server then queries that top-level authoritative domain name server;
the top-level authoritative domain name server returns the address of the authoritative domain name server for the second-level domain, and the preferred domain name server iterates the query in this way until it obtains an authoritative answer for the queried domain name; the authoritative answer is stored in the local cache and returned to the client, completing the query.
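The query process of claim 1 (local resource records first, then the local cache, then iteration from the root through the top-level server to the authoritative server, with the final answer cached) is modelled below as an added example; it is not code from the patent and sends no network traffic. The root, top-level and second-level servers, their names, the zone data and the TTL values are all constructed for the example, and the cache honours the answer's TTL against a caller-supplied clock so that the expiry path is visible too.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_REFERRALS = 8  # guard against referral loops in the constructed topology (assumption)


@dataclass(frozen=True)
class Answer:
    name: str
    address: str
    ttl: int  # seconds the preferred server may keep this answer in its cache


def in_zone(qname: str, zone: str) -> bool:
    """True when qname is zone itself or lies below it (both fully qualified)."""
    return qname == zone or qname.endswith("." + zone)


@dataclass
class NameServer:
    """A root, top-level or second-level authoritative server (constructed)."""
    name: str
    answers: Dict[str, Answer] = field(default_factory=dict)  # names it answers for
    referrals: Dict[str, str] = field(default_factory=dict)   # zone -> next server's name

    def query(self, qname: str) -> Tuple[str, object]:
        if qname in self.answers:
            return "answer", self.answers[qname]
        zones = [z for z in self.referrals if in_zone(qname, z)]
        if zones:
            return "referral", self.referrals[max(zones, key=len)]  # most specific zone wins
        return "nxdomain", None


class PreferredServer:
    """The client's preferred server: local records, then cache, then iteration from the root."""

    def __init__(self, local: Dict[str, Answer], servers: Dict[str, NameServer], root: str) -> None:
        self.local = local          # resource records this server is itself authoritative for
        self.servers = servers
        self.root = root
        self.cache: Dict[str, Tuple[Answer, int]] = {}  # qname -> (answer, expiry time)

    def resolve(self, qname: str, now: int) -> Tuple[Answer, str, List[str]]:
        """Return (answer, how it was obtained, servers contacted in order)."""
        qname = qname.rstrip(".").lower() + "."
        if qname in self.local:
            return self.local[qname], "authoritative", []
        cached = self.cache.get(qname)
        if cached is not None and cached[1] > now:
            return cached[0], "cache", []
        path: List[str] = []
        server = self.servers[self.root]
        for _ in range(MAX_REFERRALS):
            path.append(server.name)
            kind, payload = server.query(qname)
            if kind == "answer":
                self.cache[qname] = (payload, now + payload.ttl)
                return payload, "iterative", path
            if kind == "referral":
                server = self.servers[payload]
                continue
            raise LookupError(f"{qname}: no record at {server.name}")
        raise LookupError(f"{qname}: referral limit reached")


def constructed_resolver() -> PreferredServer:
    """One root, one .com top-level server and one authoritative server (all constructed)."""
    servers = {
        "root-ns": NameServer("root-ns", referrals={"com.": "tld-com-ns"}),
        "tld-com-ns": NameServer("tld-com-ns", referrals={"example.com.": "ns1.example.com"}),
        "ns1.example.com": NameServer("ns1.example.com", answers={
            "www.example.com.": Answer("www.example.com.", "203.0.113.10", ttl=300),
        }),
    }
    local = {"intranet.corp.": Answer("intranet.corp.", "10.0.0.5", ttl=3600)}
    return PreferredServer(local, servers, root="root-ns")
```

The returned path is what a detection system built on this process would inspect: a domain that suddenly resolves through a different authoritative server, or whose cached answer keeps being refreshed with a very short TTL, is visible only if the resolver records where each answer came from.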
2. The malicious domain name detection system based on DNS resolution according to claim 1, characterised in that the analysis module automatically analyses and detects the visited domain name: it logs the access to the domain name, inspects the log information to obtain domain name information, determines by analysing the domain name whether abnormal behaviour exists, checks the web page jump behaviours performed within the domain name one by one and evaluates the check information for each; if the determination is that access to the domain name is abnormal, the abnormal behaviour is marked and the domain name is placed on a blacklist; blacklisted domain names undergo secondary detection, and if any abnormality appears in the analysis and detection result a warning is generated and sent to the front end of the system, where it is received by an operator; if the secondary detection finds no abnormality, blacklist filtering is performed, the domain name is removed from the blacklist and added to a whitelist; a blacklisted domain name is locked once its access is complete and all its access rights are closed until the blacklist entry is released; when a blacklisted domain name would normally be entered, a warning pops up and the entry link is not displayed.
3. The malicious domain name detection system based on DNS resolution according to claim 2, characterised in that the analysis module operates synchronously during domain name access; if the domain name is in the whitelist state during access and a virus implantation attack is carried out against the domain name's back end, the analysis module rapidly locates the threat on the accessed domain name, determines that the accessed domain name is a malicious domain name, rapidly exits the domain name's website and starts the firewall to perform self-detection.
4. The malicious domain name detection system based on DNS resolution according to claim 1, characterised in that the authority restriction module locks according to the domain name source generated by the Trojan; the lock is bidirectional: the computer cannot directly access the domain name and the domain name cannot initiate any access action towards the computer; if access is required, the authority restriction on the domain name must be released, and releasing it requires removing the domain name from the blacklist, otherwise the authority remains locked; only after an authorisation command has been obtained can the domain name and the computer access each other bidirectionally.
5. The malicious domain name detection system based on DNS resolution according to claim 4, characterised in that a domain name whose authority restriction has been released is accessible; when an authorisation SQL statement is received, authority information is obtained from it and stored as metadata in the database, obtaining the authority information comprising: performing lexical analysis on the received SQL statement to obtain a keyword; if the keyword maps to the authorisation grammar, obtaining from the received SQL statement, according to that grammar, an authorised user identifier, an authorised resource identifier and an authorised type as the authority information, the authorised type comprising one or more of insert, query, update and delete; when an access SQL statement is received, obtaining the accessing user identifier and the logical plan corresponding to the access SQL statement; determining the access type corresponding to the type of the logical plan, obtaining the accessed resource identifier from the logical plan, and taking the access type, the accessed resource identifier and the accessing user identifier as verification information; and calling the interface of a third-party metadata management component so that it verifies the verification information against the authority information, comprising: if authority information exists in which the authorised user identifier matches the accessing user identifier, the authorised resource identifier matches the accessed resource identifier and the authorised type matches the access type, verification passes; otherwise verification fails.
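The authority check of claim 5 (lex the authorisation statement, map its keyword to the grant grammar, extract user, resource and types; derive access type and resource from the access statement's plan; verify the triple against stored metadata) is worked through below. This is an added example rather than the patent's code or the API of any real database. It assumes a grammar of the form GRANT <type>[, <type>]* ON <resource> TO <user>, stands in for the third-party metadata management component with an in-memory class, and derives the "logical plan" from the leading form of the access statement (SELECT ... FROM/JOIN, INSERT INTO, UPDATE, DELETE FROM) rather than from a real planner.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Tokens: quoted string literals, words (keywords/identifiers/numbers), single punctuation.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")

# Authorisation grammar assumed for this example: GRANT <type>[, <type>]* ON <resource> TO <user>
TYPE_MAP = {"SELECT": "query", "INSERT": "insert", "UPDATE": "update", "DELETE": "delete"}


def lex(sql: str) -> List[str]:
    """Lexical analysis: split a statement into keyword, identifier, literal and punctuation tokens."""
    return TOKEN_RE.findall(sql)


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    access_type: str


class MetadataStore:
    """Stands in for the third-party metadata management component (assumption)."""

    def __init__(self) -> None:
        self._grants: Set[Grant] = set()

    def add(self, grant: Grant) -> None:
        self._grants.add(grant)

    def verify(self, user: str, resource: str, access_type: str) -> bool:
        """Verification passes only when user, resource and type all match one stored grant."""
        return Grant(user, resource, access_type) in self._grants


def parse_grant(sql: str) -> List[Grant]:
    """Map the leading keyword to the grant grammar and extract user, resource and types."""
    toks = lex(sql)
    if not toks or toks[0].upper() != "GRANT":
        raise ValueError("not an authorisation statement")
    upper = [t.upper() for t in toks]
    if "ON" not in upper or "TO" not in upper:
        raise ValueError("authorisation statement does not match GRANT ... ON ... TO ...")
    on, to = upper.index("ON"), upper.index("TO")
    if to != on + 2 or to + 1 >= len(toks):
        raise ValueError("expected a single resource and a single user")
    types: List[str] = []
    for t in upper[1:on]:
        if t == ",":
            continue
        if t == "ALL":
            types.extend(TYPE_MAP.values())
        elif t in TYPE_MAP:
            types.append(TYPE_MAP[t])
        else:
            raise ValueError(f"unknown authorisation type {t}")
    resource, user = toks[on + 1].lower(), toks[to + 1]
    return [Grant(user, resource, ty) for ty in dict.fromkeys(types)]


def logical_plan(sql: str) -> Tuple[str, List[str]]:
    """Derive (access type, accessed resources) from the access statement's leading form."""
    toks = lex(sql)
    upper = [t.upper() for t in toks]
    head = upper[0] if upper else ""
    if head == "SELECT":
        # Every table named after FROM or JOIN is an accessed resource.
        resources = [toks[i + 1].lower() for i, t in enumerate(upper[:-1]) if t in ("FROM", "JOIN")]
        return "query", resources
    if head == "INSERT" and "INTO" in upper[:-1]:
        return "insert", [toks[upper.index("INTO") + 1].lower()]
    if head == "UPDATE" and len(toks) > 1:
        return "update", [toks[1].lower()]
    if head == "DELETE" and "FROM" in upper[:-1]:
        return "delete", [toks[upper.index("FROM") + 1].lower()]
    raise ValueError("unsupported access statement")


def authorize(store: MetadataStore, user: str, access_sql: str) -> Tuple[bool, str]:
    """Build the verification triple for each accessed resource and check it against the store."""
    access_type, resources = logical_plan(access_sql)
    if not resources:
        return False, "no resource found in the access statement"
    for resource in resources:
        if not store.verify(user, resource, access_type):
            return False, f"{user} lacks {access_type} on {resource}"
    return True, f"{user} may {access_type} {', '.join(resources)}"
```

Two details matter in practice. Verification is per resource, so a query that joins an authorised table to an unauthorised one fails rather than passing on the first table; and the access type comes from the plan, not from the user's text, so spelling or casing tricks in the statement cannot change which grant is consulted.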
6. The malicious domain name detection system based on DNS resolution according to claim 1, characterised in that the recording module records the domain name of each malicious attack together with the malicious attack pattern;
once a domain name under malicious attack has been locked, the recording module immediately records it and traces it back to its domain name source; if the domain name is later modified, the detection system retrieves the domain name source information stored in the recording module at access time and searches it again; if the source is found to be already on record, the modified domain name is defined as a malicious website, no authority is granted, and the authority restriction module locks the domain name and suspends access to it.
7. The malicious domain name detection system based on DNS resolution according to claim 6, characterised in that, while a new domain name is being accessed, if an unknown attack is encountered, its behaviour is analysed and searched again in the recording module; if the same malicious attack behaviour is found on record, the domain name is immediately marked as dangerous, the unknown attack is edited and locked as a malicious attack, access to the domain name is intercepted, all content searches for the domain name are closed, and the domain name exhibiting the malicious attack behaviour is blacklisted in time.
8. The malicious domain name detection system based on DNS resolution according to claim 7, characterised in that if the unknown attack is not found in the search library, access to the domain name continues to be allowed and is intercepted only when a malicious attack occurs; during the access period of the unknown attack the analysis module performs synchronous detection; if the domain name itself only produces a false alarm caused by node disorder, no measure is taken against it; if the analysis finds that the attack position in the domain name carries a certain security risk, the domain name is assigned a risk grade among a primary blue early warning, a secondary orange early warning and a tertiary red early warning; in the primary blue early warning state domain name access proceeds normally; in the secondary orange early warning state the analysis module performs uninterrupted detection and analysis of the website and monitors in real time all links, pictures and web page pop-up windows after the domain name is entered, and if malicious content is found the domain name is exited immediately and a Trojan scan-and-kill is performed; domain name access is stopped immediately, the domain name is locked and added to the blacklist, all records generated after entering the domain name during the access period are reviewed immediately, the cache content downloaded during the access period is deleted synchronously, and the firewall module is then started to intercept the remainder of the domain name's traffic.
9. The malicious domain name detection system based on DNS resolution according to claim 1, characterised in that the firewall module comprises a main central processing unit for controlling the virus monitoring and scanning process and dividing it into a plurality of sub-processes; a plurality of sub-CPU cards connected to the main central processing unit through Ethernet and a PCI bus and controlled by it at the software level and the hardware level, each sub-CPU card receiving and processing one of the sub-processes; and a programmable logic module controlled by the main central processing unit for acquiring status information from the sub-CPU cards at a predetermined time interval and, while the sub-CPU cards operate in a normal state, monitoring and modifying a plurality of registers and memories of the sub-CPU cards through a debug diagnostic tool in the programmable logic module for hardware-level control.
10. The malicious domain name detection system based on DNS resolution according to claim 1, characterised in that, after receiving the analysis problems reported by the analysis module, the firewall module rapidly collects Trojan horses from the accessed domain name, parses the collected Trojan virus, analyses the attack source and, according to the Trojan scan-and-kill instruction, detects whether the disk driver is hooked, clearing the hook if one is detected; reads the master boot record from the first physical sector of the disk; judges whether the master boot record of the first physical sector matches the preset virus characteristic and, if so, judges whether the data on the second physical sector of the disk is a normal master boot record; if so, judges whether the partition table of the first physical sector is normal; if so, overwrites the start of the first physical sector with the master boot record from the second physical sector and restarts the system to clear the Trojan horse; otherwise ends.
CN202311320549.4A 2023-10-12 2023-10-12 Malicious domain name detection system based on DNS analysis Pending CN117527298A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311320549.4A CN117527298A (en) 2023-10-12 2023-10-12 Malicious domain name detection system based on DNS analysis


Publications (1)

Publication Number Publication Date
CN117527298A true CN117527298A (en) 2024-02-06

Family

ID=89744632


Country Status (1)

Country Link
CN (1) CN117527298A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination