KR101662530B1 - System for detecting and blocking host access to the malicious domain, and method thereof - Google Patents


Info

Publication number
KR101662530B1
Authority
KR
South Korea
Prior art keywords
malicious domain
malicious
information
dns
domain
Application number
KR1020150074619A
Other languages
Korean (ko)
Inventor
이남훈
오은수
최명렬
서인석
지성택
Original Assignee
한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/142 Denial of service attacks against network infrastructure

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Proposed are a system and method for detecting and blocking a host's access to a malicious domain. The system is based on the observation that, when DDoS attacks or large-scale malicious code are spread, an infected host uses a malicious domain name while accessing a C&C server and receiving commands; by detecting and blocking that access, identifying the infected host, and removing the malicious code, damage to the institution can be minimized. The proposed method comprises: tracking malicious domains in real time; distributing information on the tracked malicious domains to the institutional DNS and to a malicious domain query authority delegation unit; updating the malicious domain information on the basis of the distributed information; and, in response to a malicious domain query delegated from the institutional DNS, transmitting an IP for the malicious domain to the institution host through the institutional DNS on the basis of the malicious domain zone file.

Description

The present invention relates to a system and method for detecting and blocking a host's access to a malicious domain, and more particularly to a system and method that can detect and block a host's access to a malicious domain in advance and so protect against a cyber threat before it takes effect.

When an attack that uses many computers, such as a DDoS or DoS attack, occurs while security control is being performed in a network environment, it disrupts the regular services of a national institution and causes additional damage such as paralysis of important services and loss of external credibility.

The most common method used when a large number of infected PCs access a malicious server, when a rapidly changing malicious server is contacted, or when internal information is leaked, is access by a specific domain name. From the viewpoint of security control, real-time detection and analysis of the traffic that accesses such domains is therefore important.

Although many methods have been proposed to detect and respond to such large-scale infected PCs and rapidly changing attacks, the available countermeasures address different stages of the attack and of the malicious behaviour, are difficult to apply, and do not provide a fundamental solution.

In particular, most existing security countermeasures do not provide a fundamental solution because they react after a security event or apply known countermeasure patterns. It is therefore important to prevent, in advance, access to the external host (C&C server) associated with the malicious activity, in order to stop large-scale PC infection or attacks that rely on such access. External hosts associated with malicious behaviour are, in general, addressed primarily by domain name. From this viewpoint, large-scale damage can be prevented if domain-based access to malicious hosts can be detected and blocked in advance, and detecting and blocking access to an external malicious domain beforehand can be expected to be considerably more effective than responding afterwards.

Most existing malicious domain access detection systems use packet inspection with an IDS (Intrusion Detection System) sensor or a DNS sinkhole. These methods use malicious domain patterns to detect access behaviour, or block access to known malicious domains or to domains judged to be harmful.

These existing methods are only temporary countermeasures; they do not provide a fundamental solution that identifies, in real time, the hosts performing malicious domain access and blocks them at the source. In addition, if the pattern used to access a malicious domain and carry out a malicious action is not known, an existing IDS cannot detect it and cannot identify the internal host suspected of infection.

In particular, where a separate hardware device is introduced, as has recently been common, it is difficult to deploy immediately because the organization's DNS or network and its basic systems must be changed.

Prior art related to the present invention is disclosed in Korean Patent Publication No. 2012-0092286 (Botnet detection method and system using domain name service query data), Korean Patent No. 1271449 (Method, server and recording medium for providing a malicious traffic control and information leakage detection service by forced DNS bypassing), and Journal of the Korean Information and Communications Society, "Detection of cyber threat domain based on DNS traffic", Lim Sun Hee, Vol. 37B, No. 11, p. 1082, Nov. 2012.

The present invention has been proposed to solve the above problems of the prior art. In view of the fact that a host infected by DDoS malware or other large-scale malicious code accesses a C&C server and receives instructions from it, the invention provides a system and method for detecting and blocking a host's access to a malicious domain that identify the infected host and allow the malicious code to be removed, minimizing damage to the institution.

According to an aspect of the present invention, there is provided a method for detecting and blocking a host's access to a malicious domain, comprising: a malicious domain tracking unit tracking malicious domains in real time; a malicious domain management and distribution unit receiving information on the tracked malicious domains and distributing it to an institutional DNS and to a malicious domain query authority delegation unit; the institutional DNS and the malicious domain query authority delegation unit updating their malicious domain information on the basis of the distributed information; and the malicious domain query authority delegation unit responding to a malicious domain query of an institution host delegated from the institutional DNS by referring to the malicious domain zone file for the updated malicious domain and transmitting an IP for the malicious domain to the institution host through the institutional DNS.

Updating the malicious domain information may include updating the DNS configuration file.

Updating the DNS configuration file may include: the malicious domain query authority delegation unit generating a malicious domain zone file for the updated malicious domain on receiving, from the institutional DNS, the malicious domain information to be updated; the malicious domain query authority delegation unit sending the generated malicious domain zone file to the institutional DNS; and the institutional DNS adding the malicious domain zone file to the DNS configuration file.

Generating the malicious domain zone file may include: obtaining the IP address of the malicious domain access inducement unit; setting the obtained IP of the malicious domain access inducement unit as the malicious domain IP; and recording the malicious domain IP in the malicious domain zone file.

In the step of transmitting the IP for the malicious domain to the institution host through the institutional DNS, the TTL of the zone file for the updated malicious domain may be set to "0".

The IP for the malicious domain may be the IP of the malicious domain access inducement unit.

The method may further include a malicious domain access information collection unit collecting the access log and the malicious domain access packet information of an institution host that accesses the malicious domain.

The access log may include the log information produced by the malicious domain query, and the malicious domain access packet information may include the information on packets sent and received between the institution host and the malicious domain access inducement unit.

The method may further include storing the collected access log and malicious domain access packet information in a database unit after they have been collected.

An apparatus for detecting and blocking a host's access to a malicious domain according to a preferred embodiment of the present invention includes: a malicious domain tracking unit that tracks malicious domains in real time; a malicious domain management and distribution unit that receives the tracked malicious domain information and distributes it to an institutional DNS and to a malicious domain query authority delegation unit; and the malicious domain query authority delegation unit, which updates its malicious domain information on the basis of the distributed information, responds to a malicious domain query of an institution host delegated from the institutional DNS, and, referring to the malicious domain zone file for the updated malicious domain, transmits the IP for the malicious domain to the institution host through the institutional DNS.

When updating the malicious domain information, the malicious domain query authority delegation unit may update the DNS configuration file in cooperation with the institutional DNS.

On receiving the malicious domain information to be updated from the institutional DNS, the malicious domain query authority delegation unit generates a malicious domain zone file for the updated malicious domain and sends it to the institutional DNS, which updates its DNS configuration file by adding the malicious domain zone file to it.

The malicious domain query authority delegation unit may generate the malicious domain zone file by obtaining the IP of the malicious domain access inducement unit, setting that IP as the malicious domain IP, and recording the malicious domain IP in the malicious domain zone file.

The apparatus may further include a malicious domain access information collection unit that collects the malicious domain access packet information and the access log of an institution host accessing the malicious domain.

The malicious domain access information collection unit may store the collected access log and malicious domain access packet information in a database unit.

When the institutional DNS receives a malicious domain query from an institution host, it may collect a query packet consisting of the querying host's IP, the queried malicious domain name, and the query time, and transmit it to the malicious domain management and distribution unit.

With this configuration, an attempt by an institution host to connect to an external malicious domain is blocked at its source. Because the malicious activities that involve connecting to an external malicious domain include downloading and installing malicious code and leaking important internal data, those activities are blocked as well.

In addition, information on hosts suspected of being infected by malicious files or compromised can be obtained directly, and countermeasures can be taken.

If the malicious domain is known but information on the pattern of packets exchanged with it is insufficient, additional information can be gathered and applied to the information protection systems already in operation.

The biggest advantage of the present invention is that a software agent is installed on the DNS server already in service and the external interworking system is added immediately, without changing the DNS structure or the network structure used by the existing organization. That is, the present invention can identify malicious domain access using the institutional DNS without changing the network installed in the institution.

The present invention can be applied to a system that detects traffic to a specific domain used to attack a large-scale network through a malicious domain or to leak internal information to the outside.

The system of the present invention can be used to identify, within the organization where it is installed, user hosts that are highly likely to be infected with a malicious program.

In addition, the present invention minimizes damage to an institution by letting the institution's security officer redirect malicious domain access to a network and/or host of the officer's choosing and block it there.

Malicious behaviour can also be monitored by directing network access attempts toward malicious domains to a controlled network and/or host. That is, the present invention induces the traffic of an infected host to an access inducement network (host) chosen by the security administrator and so collects data that serve as a basis for monitoring the detailed activity of an infectious agent such as malicious code.

In particular, the system of the present invention can be applied to an actual network without major changes to that network. Also, by applying the results generated by the system of the present invention to the existing security control system, the detection rate of that system can be increased.

FIG. 1 is a diagram illustrating the configuration and schematic operation flow of a system for detecting and blocking a host's access to a malicious domain according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a method for detecting and blocking a host's access to a malicious domain according to an embodiment of the present invention.
FIGS. 3 to 6 are flowcharts explaining in detail the malicious domain zone file and DNS configuration file used for the malicious domain query response shown in FIG. 2.
FIG. 7 is a flowchart illustrating in detail the step of collecting access information of a host accessing the malicious domain shown in FIG. 2.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail.

It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

The terminology used in this application is used only to describe specific embodiments and is not intended to limit the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, terms such as "comprises" or "having" specify the presence of the features, numbers, steps, operations, elements, components, or combinations thereof described in the specification, but do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the relevant art, and are not to be interpreted in an idealized or overly formal sense unless explicitly so defined in the present application.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In order to facilitate the understanding of the present invention, the same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.

The present invention provides a method for identifying a host suspected of being infected with malicious code and preventing its access to a malicious domain in advance. It also provides a software method for identifying and blocking a host that attempts to access a malicious domain or to leak internal information to the outside, without greatly changing the DNS system or network configuration used by an existing institution. In addition, the present invention collects malicious domain information quickly and in real time through the malicious domain tracking unit, so that malicious domain information is managed promptly and the detection and blocking of malicious domain access within the organization reflects the latest information. In particular, the present invention provides a software-based means of changing the network a host is directed to, as the security administrator intends, in order to obtain the institution the host belongs to, host information, and additional information about the host.

FIG. 1 is a diagram illustrating the configuration and schematic operation flow of a system for detecting and blocking a host's access to a malicious domain according to an embodiment of the present invention.

The system for detecting and blocking a host's access to a malicious domain according to the embodiment of the present invention includes a malicious domain tracking unit 10, a malicious domain management and distribution unit 20, a database unit 30, a malicious domain query authority delegation unit 40, a malicious domain access information collection unit 50, and a malicious domain access inducement unit 60.

The malicious domain tracking unit 10 tracks malicious domains in real time. The malicious domain tracking unit 10 stores one or more malicious domains that have been tracked in a record format. Here, the information stored in the malicious domain tracking unit 10 may be referred to as malicious domain tracking information.

The malicious domain tracking unit 10 sends malicious domain tracking information to the malicious domain management and distribution unit 20 at specific time intervals.

The malicious domain management and distribution unit 20 receives the malicious domain tracking information from the malicious domain tracking unit 10 and stores the received malicious domain tracking information in the database unit 30.

The malicious domain management and distribution unit 20 also receives malicious domain access information from the institutional DNS 80 and stores it in the database unit 30. The institutional DNS 80 includes an agent unit. The malicious domain access information is provided as a compressed file: when a malicious domain query from an institution host 70 is received at the institutional DNS 80, the agent unit of the institutional DNS 80 records a query packet keyed by {'malicious domain query host IP' : 'queried malicious domain' : 'query time'} and transmits it to the malicious domain management and distribution unit 20 in the form of a compressed file (referred to as malicious domain access information). The malicious domain management and distribution unit 20 then stores the received malicious domain access information in the database unit 30.

The malicious domain management and distribution unit 20 also distributes the latest malicious domain distribution information, in the form of a list, to the malicious domain query authority delegation unit 40 and/or the institutional DNS 80, so that the agent unit (not shown) installed in the institutional DNS 80 and/or the agent unit (not shown) installed in the malicious domain query authority delegation unit 40 is updated with the latest information. This list-form distribution information can be regarded as the latest malicious domain list.

The institutional DNS 80 stores a DNS configuration file that references the original DNS zone files and the malicious domain zone file. The DNS configuration file is the file that configures the domain server, and the malicious domain zone file is a zone file added specifically for the malicious domains.

Based on the updated malicious domain list, the agent unit (not shown) installed in the institutional DNS 80 changes the DNS configuration so that malicious domain queries are forwarded to the malicious domain query authority delegation unit 40.

When a malicious domain query is received from an institution host 70, the agent unit installed in the institutional DNS 80 filters the DNS log produced for the query delegated to the malicious domain query authority delegation unit 40, builds a query packet keyed by {'malicious domain query host IP' : 'queried malicious domain' : 'query time'}, and transmits it to the malicious domain management and distribution unit 20 in the form of a compressed file. This malicious domain access information is stored in the database unit 30 via the malicious domain management and distribution unit 20.

The malicious domain query authority delegation unit 40 generates a zone file corresponding to the most recently updated malicious domains in order to respond to malicious domain queries delegated from institution hosts 70, and sends the generated malicious domain zone file to the institutional DNS 80. The institutional DNS 80 includes the received malicious domain zone file in its DNS configuration file, which changes that file. The institutional DNS 80 then relays the malicious domain query response from the malicious domain query authority delegation unit 40 to the institution host 70.

In addition, the malicious domain query authority delegation unit 40 may pass the malicious domain query information, selected from the internal DNS logs recorded while responding to malicious domain queries, to the malicious domain access information collection unit 50 as the log information for those queries.

The malicious domain access information collection unit 50 not only stores the malicious domain query information from the malicious domain query authority delegation unit 40 in the database unit 30 but also collects the malicious domain IP access information from the malicious domain access inducement unit 60 and stores it in the database unit 30. A host that has received the IP address of a malicious domain is treated as a host suspected of infection, and the IP of the malicious domain is set to the IP of the malicious domain access inducement unit 60. The malicious domain IP access information consists of the information on packets sent and received between the host 70 that received the malicious domain IP address and the malicious domain access inducement unit 60.

FIG. 2 is a flowchart explaining a method for detecting and blocking a host's access to a malicious domain according to an embodiment of the present invention. FIGS. 3 to 6 explain in detail the malicious domain zone file and DNS configuration file used for the malicious domain query response shown in FIG. 2, and FIG. 7 is a flowchart describing in detail the step of collecting access information of a host accessing the malicious domain shown in FIG. 2.

In the present invention, the following operations are performed, broadly, to identify an institution host performing malicious domain access and to block that access.

The malicious domain tracking unit 10 tracks malicious domains in real time to collect them (S10). The tracked malicious domains are stored in the malicious domain tracking unit 10 in record form. The malicious domain tracking unit 10 then transmits the malicious domain tracking information to the malicious domain management and distribution unit 20 at specific time intervals.

The malicious domain management and distribution unit 20 distributes the latest malicious domain list (300 in FIG. 4) to the agent unit installed in the institutional DNS 80 or to the agent unit installed in the malicious domain query authority delegation unit 40 (S20). That is, the agent units periodically connect to the malicious domain management and distribution unit 20, which provides them with the latest malicious domain list. The latest malicious domain list (300 in FIG. 4) contains the agent access information and the domain distribution information for each institutional DNS.

Accordingly, the agent unit installed in the institutional DNS 80 or the agent unit installed in the malicious domain query authority unit 40 updates the previously stored malicious domain information based on the latest malicious domain list (S30). At this time, the agent unit installed in the institutional DNS 80 updates (changes) the DNS setting file in the order as shown in FIG. 3, the malicious domain management and distribution unit 20 obtains information of the malicious domain tracking unit 10 (S200) and sets it as the latest malicious domain list (300 in FIG. 4) And an agent unit installed in the malicious domain query authority unit 40. [ Accordingly, the agent unit installed in the institutional DNS 80 and the agent unit installed in the malicious domain query authority unit 40 store the latest malicious domain list (S201). Then, the agent unit installed in the institutional DNS 80 confirms malicious domain individual information in the latest malicious domain list (S202). If there is malicious domain information to be updated ("Yes" in S203), the information is sent to the malicious domain query authorization authority 40. [ Accordingly, the malicious domain query permission authority 40 generates a malicious domain zone file corresponding to the latest malicious domain in order to respond to the domain name query (S204). The malicious domain query permission authority 40 sends the generated malicious domain zone file 302 in FIG. 4 to the agent unit installed in the institutional DNS 80, and the agent unit installed in the institutional DNS 80 The DNS setting file is updated by adding the received malicious domain zone file (302 in Fig. 4) to the DNS setting file (301 in Fig. 4) (S205). Then, the agent unit installed in the institutional DNS 80 performs a DNS daemon live change through the DNS Live application module 303 (FIG. 4) (S206). The generation of the malicious domain zone file in step S204 will be described in more detail with reference to FIG. 
First, the malicious domain query authority unit 40 acquires the IP of the malicious domain access inducement unit 60 (S400) and confirms the location of the DNS configuration file (e.g., named.conf) (S401). It then acquires a file for storing the malicious domain zone information (S402), sets TTL = 0 in the malicious domain zone file so that the information is not cached, and sets the malicious domain IP to the IP of the malicious domain access inducement unit 60 (S403). Thereafter, the malicious domain query authority unit 40 includes the malicious domain IP in the DNS setting file as a malicious domain setting file (S404). For example, the malicious domain setting file may be written into the malicious domain zone file, which is in turn included in the DNS configuration file. In particular, in FIG. 5, since the IP corresponding to the malicious domain may be changed arbitrarily, the IP corresponding to the malicious domain must not be stored in the DNS cache. To satisfy this condition, the malicious domain query authority unit 40 sets the TTL attribute of the zone file to the value "0", as in step S403, so that the resolution process is performed again for every query.

The DNS setting file change in step S205 will be described in more detail with reference to FIG. First, the agent unit installed in the institutional DNS 80 obtains the IP of the malicious domain query authority unit 40 (S405) and confirms the location of the DNS setting file (e.g., named.conf) (S406). The agent unit installed in the institutional DNS 80 configures a forward so that domain queries corresponding to the updated malicious domain are forwarded to the IP of the malicious domain access inducement unit 60 (S407) and stores this as a malicious domain query setting file (S408). Then, the agent unit installed in the institutional DNS 80 inserts the malicious domain query setting file into the DNS setting file (S409). For example, the malicious domain query setting file may be written into the malicious domain zone file, which is in turn included in the DNS configuration file.
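The zone file of step S403 and the configuration fragments of steps S404 and S407 to S409 can be illustrated with a small generator. The following Python is an added example, not code from the patent or from its assignee: the IP addresses, the zone directory and the domain names are constructed placeholders, and it assumes a BIND-style named.conf in which the query authority unit 40 serves `type master` zones and the institutional DNS 80 carries `type forward` zones pointing at the query authority's IP (the address the agent obtains in step S405).

```python
"""Added example (not the patent's own code): generate the TTL-0 sinkhole zone
file of step S403 and the named.conf fragments of steps S404 and S407-S409.
All addresses, paths and domain names are constructed placeholders."""
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed placeholders in the RFC 5737 documentation range (assumptions).
INDUCEMENT_UNIT_IP = "192.0.2.10"   # malicious domain access inducement unit 60
QUERY_AUTHORITY_IP = "192.0.2.53"   # malicious domain query authority unit 40
ZONE_DIR = "/var/named/sinkhole"    # assumed directory for generated zone files


def make_sinkhole_zone(domain: str, sinkhole_ip: str) -> str:
    """Zone text for `domain` whose A records all resolve to the sinkhole IP.

    $TTL 0 marks every record as uncacheable (RFC 2308), which is the patent's
    reason for TTL = "0": the sinkhole address may change and a cached answer
    would keep sending hosts to the old address.  The wildcard record catches
    subdomains such as update.<domain> as well."""
    ipaddress.ip_address(sinkhole_ip)            # ValueError on a malformed IP
    domain = domain.strip().lower().rstrip(".")
    if not domain or " " in domain:
        raise ValueError("invalid domain name")
    return "\n".join([
        "$TTL 0",
        f"$ORIGIN {domain}.",
        f"@   IN SOA  ns.{domain}. hostmaster.{domain}. ( 1 3600 600 86400 0 )",
        f"@   IN NS   ns.{domain}.",
        f"ns  IN A    {QUERY_AUTHORITY_IP}",
        f"@   IN A    {sinkhole_ip}",
        f"*   IN A    {sinkhole_ip}",
        "",
    ])


def authority_zone_stanza(domain: str, zone_dir: str = ZONE_DIR) -> str:
    """named.conf stanza for the query authority: serve the zone file (step S404)."""
    return (f'zone "{domain}" IN {{\n'
            f'    type master;\n'
            f'    file "{zone_dir}/{domain}.zone";\n'
            f'}};\n')


def institution_forward_stanza(domain: str, authority_ip: str) -> str:
    """named.conf stanza for the institutional DNS: forward only this domain to
    the query authority instead of resolving it normally (steps S407-S409)."""
    ipaddress.ip_address(authority_ip)
    return (f'zone "{domain}" IN {{\n'
            f'    type forward;\n'
            f'    forward only;\n'
            f'    forwarders {{ {authority_ip}; }};\n'
            f'}};\n')


def build_update(domains: Iterable[str],
                 sinkhole_ip: str = INDUCEMENT_UNIT_IP,
                 authority_ip: str = QUERY_AUTHORITY_IP) -> Tuple[Dict[str, str], str, str]:
    """One distribution round: per-domain zone texts, the include file for the
    query authority and the include file for the institutional DNS."""
    domains = sorted({d.strip().lower().rstrip(".") for d in domains})
    zones = {d: make_sinkhole_zone(d, sinkhole_ip) for d in domains}
    authority_conf = "".join(authority_zone_stanza(d) for d in domains)
    institution_conf = "".join(institution_forward_stanza(d, authority_ip) for d in domains)
    return zones, authority_conf, institution_conf


if __name__ == "__main__":
    zones, auth_conf, inst_conf = build_update(["bad.example", "c2.evil.test"])
    print(zones["bad.example"])
    print(auth_conf)
    print(inst_conf)
```

The two generated include files are pulled into each server's named.conf with an `include "...";` directive and applied to the running daemon with `rndc reconfig`, which corresponds to the live change of step S206; `named-checkzone` can validate each generated zone before it is loaded.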

In step S40 of FIG. 2, a response is made to a malicious domain query from the host computer 70. In other words, when a host in an organization issues a query for a malicious domain, and the queried domain corresponds to a malicious domain updated in step S30, the malicious domain query is transmitted to the malicious domain query authority unit 40. Accordingly, the malicious domain query authority unit 40 that receives the malicious domain query transmits the IP predetermined for the malicious domain to the institutional DNS 80 by referring to the zone file information for that malicious domain. Since the TTL of the zone file is set to "0", the answer is not stored in the server cache. That is, even if the IP corresponding to the malicious domain is changed, the domain name query is transferred to the malicious domain query authority unit 40 without consulting the server cache. The obtained IP is the IP of the malicious domain access inducement unit 60, so the internal host is induced to connect there according to the received IP.

This series of processes is performed according to the procedure of FIG. 7. When the institutional DNS 80 receives a query for a domain from a host of the institution, it searches the updated malicious domain list to determine whether the query corresponds to a malicious domain (S500, S501, S502). If the query corresponds to a malicious domain ("Yes" in S502), the institutional DNS 80 filters the DNS log relating to the malicious domain query, extracts the query packet with {'malicious domain query host IP' : 'domain name' : 'query time'} as key information, and transmits it to the malicious domain management and distribution unit 20 in the form of a compressed file (S503). The malicious domain management and distribution unit 20 stores the received information in the database unit 30 (S504).

Then, the institutional DNS 80 forwards the malicious domain query information to the malicious domain query authority unit 40 (S505). Accordingly, the malicious domain query authority unit 40 designates the IP of the malicious domain access inducement unit 60 as the malicious domain IP information and responds to the institutional DNS 80 (S507). The institutional DNS 80 transmits to the institution host 70 information indicating that the server of the queried domain is the malicious domain access inducement unit 60 (i.e., the IP of the malicious domain access inducement unit 60) (S508).
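The filtering of steps S500 to S503 (matching each query against the distributed list, extracting {host IP : domain : query time} as the key, and shipping the result as a compressed file) is shown below as an added example; it is not code from the patent. It assumes BIND-style query log lines; the log lines and the malicious domain list are constructed, and the label-wise subdomain match (a query for update.c2.evil.test counts as a hit for the listed c2.evil.test) is an assumption that goes slightly beyond the text.

```python
"""Added example (not the patent's own code): the institutional DNS-side log
filtering of step S503.  Query log lines are matched against the distributed
malicious domain list, the key {host IP : domain : query time} is extracted
and the records are packed as a compressed file for the management and
distribution unit 20.  Log lines and the domain list are constructed."""
import gzip
import json
import re
from typing import Dict, Iterable, List, Optional, Set

# BIND 9 style query log line (assumed format; tolerates the "@0x..." client
# pointer that newer versions print).
QUERY_LOG_RE = re.compile(
    r"^(?P<time>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?client "
    r"(?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed malicious domain list, as distributed in step S30.
MALICIOUS_DOMAINS: Set[str] = {"bad.example", "c2.evil.test"}

# Constructed sample query log; 10.0.0.2 stands for the institutional DNS.
SAMPLE_LOG = [
    "01-Jun-2015 10:15:32.123 queries: info: client 10.0.0.5#53211 (bad.example): "
    "query: bad.example IN A + (10.0.0.2)",
    "01-Jun-2015 10:15:33.004 queries: info: client 10.0.0.7#40122 (www.example.org): "
    "query: www.example.org IN A + (10.0.0.2)",
    "01-Jun-2015 10:16:01.555 queries: info: client @0x7f3c5c0 10.0.0.9#51002 "
    "(update.c2.evil.test): query: update.c2.evil.test IN A +E(0) (10.0.0.2)",
    "01-Jun-2015 10:16:02.000 queries: info: client 10.0.0.8#50001 (notbad.example): "
    "query: notbad.example IN A + (10.0.0.2)",
    "this line is not a query log entry",
]


def matched_malicious_domain(qname: str, malicious: Set[str]) -> Optional[str]:
    """Return the listed domain that `qname` equals or is a subdomain of, else None.
    Matching is label-wise, so notbad.example does not match bad.example."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in malicious:
            return candidate
    return None


def filter_query_log(lines: Iterable[str], malicious: Set[str]) -> List[Dict[str, str]]:
    """Steps S500-S502: keep only queries for listed domains, as key records."""
    records = []
    for line in lines:
        m = QUERY_LOG_RE.match(line)
        if m is None:
            continue                      # not a query log line
        hit = matched_malicious_domain(m["name"], malicious)
        if hit is None:
            continue                      # benign query, not reported
        records.append({
            "host_ip": m["client"],
            "domain": m["name"].rstrip(".").lower(),
            "listed_domain": hit,
            "query_time": m["time"],
        })
    return records


def pack_for_transfer(records: List[Dict[str, str]]) -> bytes:
    """Step S503: serialise the records with the patent's key form
    'host IP:domain:query time' and gzip them for transmission."""
    keys = ["{host_ip}:{domain}:{query_time}".format(**r) for r in records]
    return gzip.compress(json.dumps({"keys": keys, "records": records}).encode("utf-8"))


def unpack_transfer(blob: bytes) -> dict:
    """Receiving side (management and distribution unit 20, step S504)."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))


if __name__ == "__main__":
    recs = filter_query_log(SAMPLE_LOG, MALICIOUS_DOMAINS)
    for key in unpack_transfer(pack_for_transfer(recs))["keys"]:
        print(key)
```

Only the two queries for listed domains survive the filter; the query for notbad.example is dropped because the match is per label rather than a plain suffix comparison, which avoids reporting hosts for unrelated domains that merely end in the same characters.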

Through steps S10 to S40 described above, malicious domain queries and connection attempt packets generated by an internal host can be detected and redirected to the malicious domain access inducement unit 60, so that a malicious action that would otherwise be performed by accessing the malicious domain is prevented in advance.

Step S50 of FIG. 2 collects and analyzes the access information (e.g., access log and malicious domain access packet information) of an institution host accessing a malicious domain. That is, when a malicious domain query is generated in the institution host 70, the domain query is first transmitted to the institutional DNS 80. If the domain queried by the institution host 70 is included in the pre-registered malicious domain list, the agent unit (not shown) installed in the institutional DNS 80 transfers {'malicious domain query host IP' : 'malicious domain name' : 'query time'} (that is, the malicious domain access information) to the malicious domain management and distribution unit 20. The malicious domain management and distribution unit 20 authenticates the received information and stores it in the database unit 30 immediately.

Thereafter, the institutional DNS 80 transfers the malicious domain query to the malicious domain query authority unit 40 according to the DNS setting change applied for the malicious domain. The malicious domain query authority unit 40 responds to the institutional DNS 80 with the IP of the malicious domain access inducement unit 60 according to the predetermined malicious domain zone file. The institutional DNS 80 delivers the IP of the malicious domain access inducement unit 60 to the institution host 70. As this proceeds, the malicious domain query authority unit 40 transmits the log information for the malicious domain query (malicious domain query information), selected from its internal DNS logs, to the malicious domain access information collection unit 50. The transmitted malicious domain query information is stored in the database unit 30.

The institution host 70 that has received the IP of the queried malicious domain (i.e., the IP of the malicious domain access inducement unit 60) accesses the malicious domain access inducement unit 60. At this time, the malicious domain access information collection unit 50 uses the mirroring port of the switch 90 installed in the access path to collect the transmitted and received packet information between the institution host 70 suspected of infection and the malicious domain access inducement unit 60 (i.e., the malicious domain access information, or malicious domain IP access information) and stores it in the database unit 30.

The access log collection performed in step S50 means collecting information on the query of the malicious domain, the process in which the queried malicious domain is converted into an IP, and the process in which the infected system accesses the malicious domain at the malicious domain access inducement unit 60. The collected logs can be classified by factors such as the IP of the infected host, the queried malicious domain, and time. This yields the identity of the infected host together with the comprehensive log associated with the malicious domain. Since the log covers everything from the initial malicious domain query to the malicious behavior, it is possible to identify the infected host and to collect detection pattern information related to the malicious domain.
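Classifying the collected logs by infected host IP, queried malicious domain and time, and pairing each DNS query with the subsequent connection to the inducement unit seen on the switch's mirror port, is shown below as an added example that is not part of the patent. The event records are constructed, and the 60-second pairing window is an assumption; the page itself does not state how the two log sources are joined.

```python
"""Added example (not the patent's own code): classify the access logs of
step S50 by infected host, queried malicious domain and time, and pair each
DNS query with the connection to the inducement unit later seen on the
switch's mirror port.  All event records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SINKHOLE_IP = "192.0.2.10"   # constructed IP of the malicious domain access inducement unit 60
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed: malicious domain query information (query time, host IP, domain),
# as reported to the database unit 30 by the institutional DNS / query authority.
DNS_EVENTS: List[Tuple[str, str, str]] = [
    ("2015-06-01 10:15:32", "10.0.0.5", "bad.example"),
    ("2015-06-01 10:16:01", "10.0.0.9", "update.c2.evil.test"),
    ("2015-06-01 10:20:00", "10.0.0.5", "bad.example"),
    ("2015-06-01 10:25:00", "10.0.0.11", "bad.example"),   # queried, never connected
]

# Constructed: flows captured on the mirroring port (time, src IP, dst IP, dst port).
CONN_EVENTS: List[Tuple[str, str, str, int]] = [
    ("2015-06-01 10:15:33", "10.0.0.5", "192.0.2.10", 443),
    ("2015-06-01 10:16:02", "10.0.0.9", "192.0.2.10", 8080),
    ("2015-06-01 10:16:05", "10.0.0.7", "203.0.113.4", 443),  # unrelated traffic
]


def correlate(dns_events, conn_events, sinkhole_ip: str, window_s: int = 60) -> Dict[str, dict]:
    """Group events per host.  Each connection to the sinkhole is attributed to
    the most recent malicious-domain query from the same host within
    `window_s` seconds (assumed window), giving domain -> connection evidence."""
    by_host: Dict[str, dict] = defaultdict(
        lambda: {"domains": set(), "queries": 0, "connections": []})
    parsed = sorted((datetime.strptime(t, TIME_FMT), h, d) for t, h, d in dns_events)
    for _, host, domain in parsed:
        by_host[host]["domains"].add(domain)
        by_host[host]["queries"] += 1
    for t, src, dst, port in conn_events:
        if dst != sinkhole_ip:
            continue                                 # not sinkhole traffic
        conn_time = datetime.strptime(t, TIME_FMT)
        candidates = [(qt, d) for qt, h, d in parsed
                      if h == src and timedelta(0) <= conn_time - qt <= timedelta(seconds=window_s)]
        domain = max(candidates)[1] if candidates else None
        by_host[src]["connections"].append((domain, t, port))
    return dict(by_host)


def infected_hosts(report: Dict[str, dict]) -> List[str]:
    """Hosts that resolved a listed domain and then connected to the sinkhole:
    the strongest evidence of infection the collected logs provide."""
    return sorted(h for h, r in report.items() if r["queries"] and r["connections"])


def query_only_hosts(report: Dict[str, dict]) -> List[str]:
    """Hosts that queried a listed domain but produced no follow-up connection
    (candidates for closer inspection rather than confirmed infections)."""
    return sorted(h for h, r in report.items() if r["queries"] and not r["connections"])


if __name__ == "__main__":
    report = correlate(DNS_EVENTS, CONN_EVENTS, SINKHOLE_IP)
    for host in infected_hosts(report):
        print(host, sorted(report[host]["domains"]), report[host]["connections"])
    print("query only:", query_only_hosts(report))
```

Separating hosts that both queried and connected from hosts that only queried is what turns the raw collection into the detection pattern material the paragraph refers to: the former give the per-host, per-domain timeline from first query to connection, the latter point at systems worth examining before they reach that stage.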

In the past, a malicious domain was identified by an IDS and a detection rule based on the malicious behavior performed by connecting to the malicious domain was applied, or a DNS sinkhole was used, which identifies malicious domains and redirects them into a sinkhole. However, these approaches have the disadvantage that detection rules cannot be applied when there is no known pattern, and the internal infected host is not identified. In addition, since they do not consider interworking with an automated method such as real-time malicious domain tracking, they have the disadvantage that it is difficult to block the malicious domain. According to the present invention described above, however, malicious domain access is blocked in advance, preventing leakage of internal information and malicious acts. It also collects detection patterns for unknown malicious activity, identifies infected internal hosts, removes malicious programs installed on internal infected hosts, and collects information that enables recovery.

As described above, an optimal embodiment has been disclosed in the drawings and specification. Although specific terms have been employed herein, they are used for purposes of illustration only and are not intended to limit the scope of the invention as defined in the claims. Therefore, those skilled in the art will appreciate that various modifications and equivalent embodiments are possible without departing from the scope of the present invention. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

10: malicious domain tracking unit
20: malicious domain management and distribution unit
30: database unit
40: malicious domain query authority unit
50: malicious domain access information collection unit
60: malicious domain access inducement unit
70: institution host
80: institutional DNS
90: switch

Claims (19)

Tracking the malicious domain in real time based on the domain name corresponding to the query of the institutional host;
The malicious domain management and distribution unit receiving the information on the tracked malicious domain and distributing the information to the authority DNS and the malicious domain query authority delegation unit;
The authority DNS and the malicious domain inquiry delegation unit updating malicious domain information based on the information of the malicious domain being distributed;
The malicious domain query authority delegation unit responds to a malicious domain query of an authority host delegated from the institutional DNS, and refers to the information of the malicious domain zone file for the updated malicious domain, Sending an IP for a malicious domain to the institution host via the institutional DNS; And
The malicious domain access information collecting unit collects the access log and the malicious domain access packet information of the institution host accessing the malicious domain,
Wherein the TTL of the zone file for the updated malicious domain is set to "0".
The method according to claim 1,
Wherein the step of updating information of the malicious domain updates the DNS configuration file.
The method of claim 2,
The update of the DNS configuration file may be performed,
Generating a malicious domain zone file for the updated malicious domain according to the malicious domain query authority delegation unit receiving malicious domain information to be updated from the institutional DNS;
The malicious domain query authority delegation unit sending the generated malicious domain zone file to the institution DNS; And
And adding the received malicious domain zone file to the DNS configuration file by the authority DNS.
The method of claim 3,
The step of generating the malicious domain zone file includes:
Obtaining an IP of the malicious domain access inducement unit;
Setting an IP of the obtained malicious domain access inducement unit to a malicious domain IP; And
And storing the malicious domain IP as information of the malicious domain zone file.
(deleted)
(deleted)
(deleted)
The method according to claim 1,
Wherein the access log includes log information according to the malicious domain query,
Wherein the malicious domain access packet information includes transmission / reception packet information between the institution host and the malicious domain access inducement unit.
The method according to claim 1,
After collecting the access log and the malicious domain access packet information of the institution host accessing the malicious domain,
And storing the collected access log and malicious domain access packet information in a database unit.
A malicious domain tracking unit for tracking a malicious domain in real time;
A malicious domain management and distribution unit for receiving the tracked malicious domain information and distributing the information to the authority DNS and malicious domain query authority delegation unit;
Updating the malicious domain information based on the information of the malicious domain being distributed, responding to the malicious domain query of the host institution delegated from the institutional DNS, and referring to the information of the malicious domain zone file for the updated malicious domain A malicious domain query privilege manager transmitting an IP address of the malicious domain set to an IP address of a malicious domain access inducement unit to the institution host via the institutional DNS; And
And a malicious domain access information collection unit for collecting malicious domain access packet information and an access log of an institution host accessing the malicious domain,
Wherein the TTL of the zone file for the updated malicious domain is set to "0".
The method of claim 10,
Wherein the malicious domain query authority delegation unit updates the DNS configuration file in association with the institutional DNS in updating the malicious domain information.
The method of claim 11,
The malicious domain query authority delegation unit generates a malicious domain zone file for the updated malicious domain according to receiving the malicious domain information to be updated from the institution DNS,
Wherein the institutional DNS updates the DNS configuration file by adding the received malicious domain zone file to the DNS configuration file.
The method of claim 12,
The malicious domain inquiry delegation unit obtains the IP of the malicious domain access inducement unit, sets the acquired IP of the malicious domain access inducement unit to the malicious domain IP, and sets the set malicious domain IP as information of the malicious domain zone file And generating the malicious domain zone file by including the malicious domain zone file.
(deleted)
(deleted)
(deleted)
The method of claim 10,
Wherein the access log includes log information according to the malicious domain query,
Wherein the malicious domain access packet information includes transmission / reception packet information between the institution host and the malicious domain access inducement unit.
The method of claim 10,
Wherein the malicious domain access information collection unit stores the collected access log and malicious domain access packet information in a database unit.
The method of claim 10,
Wherein the institutional DNS, when receiving the malicious domain query from the institution host, collects query packets including the malicious domain query host IP, the queried malicious domain name, and the query time, and transmits the query packet to the malicious domain management and distribution unit (host malicious domain access detection and blocking device).
KR1020150074619A 2015-05-28 2015-05-28 System for detecting and blocking host access to the malicious domain, and method thereof KR101662530B1 (en)


Publications (1)

Publication Number Publication Date
KR101662530B1 true KR101662530B1 (en) 2016-10-05

Family

ID=57153919


Country Status (1)

Country Link
KR (1) KR101662530B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102015897B1 (en) * 2018-10-24 2019-08-28 (주) 세인트 시큐리티 Method for Inducing Network Connection Which Generating Fake Ack Packet for Analyzing Malware
CN111935099A (en) * 2020-07-16 2020-11-13 兰州理工大学 Malicious domain name detection method based on deep noise reduction self-coding network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100418446B1 (en) * 2001-03-20 2004-02-14 (주) 세이프아이 Method and system for restricting access to specific internet sites and LAN card for the same
KR20130014300A (en) * 2011-07-29 2013-02-07 한국전자통신연구원 Cyber threat prior prediction apparatus and method
KR20140127549A (en) * 2013-04-25 2014-11-04 한국인터넷진흥원 System and method for tracking exploit hopping sites based on sinkhole server



Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190701

Year of fee payment: 4