TW201251402A - Detection method and system for fast-flux malicious domain - Google Patents


Info

Publication number
TW201251402A
Authority
TW
Taiwan
Prior art keywords
domain
destination
network
destination domain
malicious
Prior art date
Application number
TW100120010A
Other languages
Chinese (zh)
Other versions
TWI455546B (en)
Inventor
Hui-Tang Lin
Ying-You Lin
Jui-Wei Chiang
Meng-Han Tsai
Original Assignee
Univ Nat Cheng Kung
Filing date
Publication date
Application filed by Univ Nat Cheng Kung
Priority to TW100120010A
Publication of TW201251402A
Application granted
Publication of TWI455546B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A detection method for a malicious domain that uses fast-flux technology includes: a transmission step, transmitting a plurality of packets to a target domain; a route recording step, recording the host name of at least one router through which each packet passes on its way to the target domain; a route checking step, checking the host name; and a determination step, determining whether the target domain is a malicious domain according to the result of the route checking step. A detection system for malicious domains that use fast-flux technology is also disclosed.

Description

VI. Description of the Invention

[Technical Field]

The present invention relates to a detection method and detection system for malicious domains, and in particular to a detection method and detection system for malicious domains that use fast-flux technology.

[Prior Art]

In recent years the number of botnet activities carried out for malicious purposes has grown by the day. A malicious actor (botherder) can use a trojan program (bot) to control and organise infected zombie computers (botnet zombies). These computers may show no attack behaviour under normal conditions and, by mutating and hiding themselves, are unlikely to be detected by anti-virus software.

Figure 1 is a schematic diagram of botnet activity. As shown in Figure 1, once a malicious actor wants to launch an attack, it suffices to issue one command at the botmaster 11, pass it over the network to a relay station (Command & Control Server) 12, and then call the zombie computers 13 through the relay station; a very large botnet can thus be assembled to attack a specific target, for example with spam, phishing websites or malware.

Today, in order to raise the survival rate of their botnets and avoid being taken down by law enforcement, cyber criminals use fast-flux technology within the botnet architecture to conceal their whereabouts, which greatly increases the difficulty security teams face in detecting and tracking botnets. Figure 2 is a schematic diagram of a botnet that uses fast-flux technology. As shown in Figure 2, when a user issues a web request it passes through a node rotation system before being directed to the botmaster. Web requests issued by the user at different times therefore pass through nodes with different network addresses (IP addresses), so the traditional method of blocking and identifying spam by IP address is no longer as effective.

Detection methods for botnets that use fast-flux technology have of course been developed recently. In the traditional detection method, multiple packets are first sent to a destination domain, the network address returned by each rotation is recorded, and the destination domain is then judged to be malicious or not according to how much the recorded network addresses differ. However, this detection method needs a fairly long period of time to record the network addresses, which causes a detection delay problem and thereby lowers detection performance.

How to provide a detection method and detection system for malicious domains that can overcome the detection delay problem is therefore one of the important current issues.

[Summary of the Invention]

In view of the above, an object of the present invention is to provide a detection method and detection system for malicious domains that overcome the detection delay problem and improve detection performance.

To achieve this object, a detection method according to the present invention for a malicious domain that uses fast-flux technology includes: a transmission step, transmitting a plurality of packets to a destination domain; a route recording step, recording the host name of at least one router through which each of the packets passes on its way to the destination domain; a route checking step, checking the host names; and a determination step, determining according to the result of the route checking step whether the destination domain is a malicious domain.

In one embodiment, the recording step records the host names of at least two routers located before the destination domain, and the route checking step checks whether a specific part of the host names of those routers is the same.

In one embodiment, the detection method further includes a network address recording step and a network address checking step. The network address recording step records the network address of the destination domain to which each packet is sent. The network address checking step checks the multiple network addresses of the destination domain.

In one embodiment, the detection method further includes an autonomous system number recording step and an autonomous system number checking step. The autonomous system number recording step records the autonomous system number of the network address of the destination domain to which each packet is sent. The autonomous system number checking step checks those autonomous system numbers of the network addresses of the destination domain.

In one embodiment, the detection method further includes a transmission time recording step and a transmission time checking step. The transmission time recording step records the transmission time of each packet to a network address of the destination domain. The transmission time checking step checks the transmission times of the packets.

In one embodiment, the determination step further determines whether the destination domain is a malicious domain according to the result of the network address checking step, the result of the autonomous system number checking step, or the result of the transmission time checking step.

To achieve the above object, the present invention further discloses a detection system for detecting a malicious domain that uses fast-flux technology, including a transmission unit, a recording unit, a route checking unit and a determination unit. The transmission unit transmits a plurality of packets to a destination domain. The recording unit records the host name of at least one router through which each packet passes on its way to the destination domain. The route checking unit checks the host names. The determination unit determines whether the destination domain is a malicious domain according to the result of the route checking unit.

In one embodiment, the recording unit records the host names of at least two routers located before the destination domain, and the route checking unit checks whether a specific part of the host names of those routers is the same.

In one embodiment, the recording unit records the network address of the destination domain to which each packet is sent, and the detection system further includes a network address checking unit that checks the multiple network addresses of the destination domain.

In one embodiment, the recording unit records the autonomous system number of the network address of the destination domain to which each packet is sent, and the detection system further includes an autonomous system number checking unit that checks those autonomous system numbers of the network addresses of the destination domain.

In one embodiment, the recording unit records the transmission time of each packet to a network address of the destination domain, and the detection system further includes a transmission time checking unit that checks the transmission times of the packets.

In one embodiment, the determination unit further determines whether the destination domain is a malicious domain according to the result of the network address checking unit, the result of the autonomous system number checking unit, or the result of the transmission time checking unit.

As described above, the detection method and detection system of the present invention record the host name of at least one router through which each packet passes on its way to the destination domain, then check those host names, and thereby determine whether the destination domain is a malicious domain. Because the network addresses of a malicious domain that uses fast-flux technology rotate continuously and over a very wide area, the host names of its routers frequently differ, in particular in the routing domain name at the end of the host name. The present invention uses this characteristic to detect malicious domains without needing much time: usually, after probing a few of the network addresses of the destination domain, it can already be determined whether the destination domain is malicious. This solves the detection delay problem and greatly improves detection performance.

[Detailed Description of the Embodiments]

A detection method and detection system for malicious domains according to a preferred embodiment of the present invention are described below with reference to the related drawings, in which the same elements are denoted by the same reference symbols.

Figure 3 is a flow chart of a detection method for a malicious domain according to a preferred embodiment of the present invention, the malicious domain using fast-flux technology to attack. The detection method includes the following steps:

Step S01: a transmission step, transmitting a plurality of packets to a destination domain.
Step S02: a route recording step, recording the host name of at least one router through which each packet passes on its way to the destination domain.
Step S03: a route checking step, checking the host names.
Step S04: a determination step, determining according to the result of the route checking step whether the destination domain is a malicious domain.

Figure 4 is a schematic diagram of the environment of the detection method for a malicious domain according to the preferred embodiment of the present invention. The detection method of the present invention is explained below with reference to Figure 4.

First, a detection system 2 transmits a plurality of packets to a destination domain. Assume that the destination domain is a malicious domain with a plurality of network addresses (network address 1, network address 2, ..., network address N) in rotation.

After the detection system 2 transmits a packet, the packet is directed by the Domain Name Server (DNS) to one of the network addresses corresponding to the destination domain, and it reaches that network address of the destination domain, for example network address 1, by passing through a number of routers (selected from router 1, router 2, ..., router N). The detection system 2 records the host name of at least one of the routers passed through.

After the detection system 2 has transmitted multiple packets and recorded the routers they passed through, the detection system 2 checks those host names and determines according to the result of the route checking step whether the destination domain is a malicious domain.

The following tables compare the router host names recorded by the detection method of the present invention for a malicious domain (collagegangbang.net as an example) and for a normal domain (Yahoo.com as an example).

collagegangbang.net
Network address     Host names of the routers
1?8.166.128.236     ae-0.krsn-rgr4.sib.ip.rostelecom.ru
                    customer-AS41440.xe-0-1-0.krsn-rgr4.sib.ip.rostelecom.ru
190.213.131.193     tengige1-2.usa.nmi-edge05.columbus-networks.com
                    tengige2-1.usa.nmi-edge05.columbus-networks.com
67.163.121.129      pos-0-13-0-0-cr01.dallas.tx.ibone.comcast.net
                    pos-0-14-0-0-cr01.atlanta.pa.ibone.comcast.net
                    pos-0-6-0-0-cr01.charlotte.nc.ibone.comcast.net
69.204.88.219       ten2-1-1.buffnylkp-pe01.nyroc.rr.com
                    gig18-0.1.cptnyjy-ar4001.nyroc.rr.com
82.243.202.181      noisy-6k-1-po2.intf.routers.proxad.net
                    ozf77-2.dsla.proxad.net
97.81.81.66         nsh-ten1-4-dal-ten2-1.bboi.net
                    charter-atlanta-bboi.bboi.net
                    97-81-81-66.dhcp.athn.ea.charter.com

Yahoo.com 網路位址 路由器之主機名稱 209.191.122.70 te-9-1 .bas-cl .mud.vahoo.com te-8-2.fab2-a-gdc.mud.vahoo.com 67.195.160.76 ------ xe-2-2-0.clr3.ac4.vahoo.com xe-7-2-0.clr3.ac4.vahoo.com 98.137.149.56 • · te-9-3.basl-l-Drd.SD2.vahoo.com te-9-3.bas2-l-prd.sp2.vahoo.com 69.147.125.65 ^------- te-7-2.bas-al.rel .Yahoo.com te-8-1 .bas-a2.rel.vahoo.com ae-2-dl60.msrl .re 1 .vahoo.com 72.30.2.43 ,* ^ ~~~~__ • · » te-9-1 .bas-k2.skl .vahoo.com te-8-1 .bas-k2.sk 1 .vahoo.com 上表僅列出到達該目的網域之各網路位址倒數2個路 由器之主機名稱。 若封包依序經過& 於此舉例說明倒數2個路由器之定義, 由裔3、路由器1、...、路由器6、路由 10 201251402 器5而到達網路位址’則路由器6及路由器5為倒數2個 路由器。 各別來看’在這一段偵測的時間中, collagegangbang.net網域測得其具有6個網路位址在輪 轉,且在到達網路位址之倒數2個路由器之主機名稱有包 含 rostelecom.ru、columbus-networks.com、comcast.net、 rr.com、proxad.net、bboi.net、charter.com 等 7 種不同的路 由網域名稱,並且97.81.81.66之網路位址就具有2種不同 的路由網域名稱(bboi.net、charter.com )。於此,路由網 域名稱為主機名稱之一特定部分,其係指主機名稱最後面 的部分’如上表中的粗體加底線字,例如rostelecom.ru、 columbus-networks.com、comcast.net、rr.com、proxad.net、 bboi.net、charter.com。 反觀,在這一段偵測的時間中,Yahoo.com網域測得 其具有5個網路位址在輪轉,且在到達網路位址之倒數2 個路由益之主機名稱僅包含yahoo.com之路由網域名稱, 且各網路位址所對應的多個路由網域名稱皆相同。 上述關於惡意網域與正常網域之路由器主機名稱的 差異性即為本發明之路由檢查步驟之基礎。當然,路由檢 查步驟可在此基礎上延伸,例如僅檢查倒數幾個路由器之 主機名稱、或僅檢查主機名稱之路由網域名稱,藉此可提 升檢查速度。另外,還可作一些搭配或計算式而產生—檢 查值,例如檢查值可至少包含相異路由網域名稱之個數作 為一參數,以及同一網路位址所包含之相異路由網域名稱 201251402 之個數作為一參數。 在進行完路由檢查步驟之後,即可依據路由檢查步驟 之結果而判斷目的網域是否為惡意網域,其例如是若路由 檢查步驟所得到之一檢查值大於一預設值時,判斷該目的 網域為惡意網域。當然,上述判斷機制僅為舉例說明,並 非用以限制本發明;另外也可只用相異之路由網域名稱的 個數來作判斷、或利用其他參數來作判斷。 除了上述利用路由檢查步驟來進行惡意網域的判斷 之外,也可以利用其他檢查步驟來輔助惡意網域的判斷。 以下舉例說明。 本實施例之偵測方法可更包含:一網路位址記錄步 驟,其係記錄各封包傳送至目的網域之一網路位址;以及 一網路位址檢查步驟,其係檢查目的網域之多個網路位 址。當網路位址檢查步驟完成之後,判斷步驟可更依據網 路位址檢查步驟之結果而判斷目的網域是否為惡意網域。 請參照圖4所示,當偵測系統2傳送多個封包至目的 網域時,由於目的網域之網路位址會輪轉,因此各封包所 傳送到的網路位址亦不同。網路位址記錄步驟係記錄各封 包傳送至目的網域的網路位址,然後網路位址檢查步驟係 檢查目的網域之多個網路位址。通常,惡意網域所輪轉的 網路位址會很多;而正常網域的網路位址較少,而且正常 網域之多個網路位址輪轉係利用循環式網域名稱服務 (Round-Robin DNS,RR-DNS )而達到負載平衡之目的。 由於網路位址檢查步驟為傳統的檢查,故其細節於此不再 12 201251402 贅述。 本貫施例之彳貞測方法可更包含:一自治系統號碼 (Autonomous System Number,ASN)記錄步驟,其係記錄 各封包傳送至目的網域之一網路位址之自治系統號碼;以 及自治糸統號碼檢查步驟’其係檢查目的網域之網路位 
址之δ亥專自治系統號碼。當自治系統號碼檢查步驟完成之 後’判斷步驟可更依據自治系統號碼檢查步驟之結果而判 斷目的網域是否為惡意網域。 美國網際網路編號註冊(ARIN )匈母一辦(路服務供應 商分派16位元識別號碼給每個自治系統的管理者,即為 自治系統號碼。通常,惡意網域之節點分佈於較廣的區 域,且其網路位址不斷輪轉以免被抓到,因而偵測系統2 在同-區域發出多個封包時’會收到多個不同的自治系統 遗碼’而正常網域的自、治系統號碼之網路位址所輪轉的區 =較小’因而债測系統2在同一區域發出多個封包時,通 I、收到同-個自、治系統號碼。因此,自治系統號碼亦可 作為惡意網域之判斷參數。 =施例之偵測方法可更包含:―傳送時間記錄步 U錄各封包傳送至目的網域之-網路位址之一僂 =間;以及—傳送時間檢查步驟,其係檢查該等封包之 傳运時間。當傳送時間記錄步驟完成之 為惡意網域。錄步驟之結果而判斷目的網域是否 通常 惡意網域之節點較分散, 因而目的網域之一些 13 201251402 網路位址若離偵測系統2之所在位置太遠,則封包的傳送 時間會較久;而正常網域的節點常會設置在一些主要區域 上,使得偵測系統2所在位置離正常網域不會太遠,因而 封包傳送時間較短。因此封包的傳送時間亦可作為惡意網 域之判斷參數。於此,封包之傳送時間可例如為單程傳送 的時間、或來回傳送的時間、或來回傳送的平均時間。下 表為應用本發明之偵測方法所得到之一些正常網域與惡 意網域所對應的傳送時間。 正常網域 惡意網域 google.com 0.632ms rxshoponline.net 723.662ms yahoo.com 46.04ms rrx-online.com 369.196m microsoft.com 2-l21ms gipills.com 186.396ms amazon.com 3 -606ms medz41ess.net 519.075ms wordpress.com 5.196ms hotestdateingsite.net 918.99ms 由表可知’正常網域的傳送時間皆小於l〇0ins,而惡 意網域的傳送時間皆大於1 〇〇ms。當然,1 〇〇mS並非絕對 的比較值,而僅為舉例說明。由上表可知,封包的傳送時 間亦可作為惡意網域之判斷參數。 圖5為本發明較佳實施例之一種偵測系統2的方塊示 意圖’偵測系統2係偵測利用快速變動網域技術之惡意網 域,並包含一傳送單元21、一記錄單元22、一路由檢查 單元23以及一判斷單元24。傳送單元21係傳送複數封& 至一目的網域。記錄單元22係記錄各封包傳送至目的= 域所經過之至少一路由器之主機名稱。路由檢查單元幻 14 201251402 係檢查該主機名稱。判斷單元24係 檢查結果而判斷目的網域是否為惡意網域路由仏查單元之 二路= 22係記錄位於目的網域之前的至少 由器之:機名稱且路由檢查單元23係檢查該等路 是路由=:? 
一特定部分是否相同,該特定部分例如 另外,記錄單元22係記錄各 一網路位址。_系統2更包含一網路位二之 其係檢查目的網域之多個網路位址。 70 -網::址=單元22係記錄各封包傳送至目的網域之 钱警杳。。統號碼。谓測系統2更包含一自治系 、=认查早兀26,其係檢查目的網域 自治系統號碼。 止炙4寺 1外’記錄單元22係記錄各封包傳送至目的網域之 二位址之傳送時間。偵測系統更包含一傳送時間檢查 早疋27’其係檢查料封包之料傳送時間。 判斷單元24可更依據網路位址檢查單元25之处果、 或自治系統號碼檢查單元26之結果、或傳送時㈣杳單 凡27之結果而判斷目的網域是否為惡意網域。由於上述 判斷機制已則貞測方法中—併詳述,故於此不再贅述。 综上所述’因本發明之镇測方法與债測系統係記錄各 1包傳送至目的網域所經過之至少一路由器之主機名 ^ ’再檢查該主機名稱’並藉此判斷該目的網域是否為惡 思’、.罔域。由於利用快迷變動網域技術之惡意網域,其網路 201251402 主機名輪轉的區域报大,㈣其路由器之 域不相同’特別是在主機名稱最後面的路由網 因此’本發明利用這個特點來對惡意網域進行偵 路位址^以太多時間’通常在針對目的網域之幾個網 姥 仃偵測後’即能判斷該目的網域是否為惡意網 成’進而解決偵測延遲問題,並大幅提升偵測效能。 以上所述僅為舉例性’而非為限制性者。任何未脫離 x明之精神與範嘴’ ^對其進行之等效修改或變更,均 應包含於後附之申請專利範圍中。 【圖式簡單說明】 圖1為殘:屍網路活動的示意圖; 圖2為歹塁屍網路利用快速變動網域技術的示意圖; 圖3為本發明較佳實施例之一種惡意網域之偵測方法 的流程圖; 圖4為本發明較佳實施例之一種惡意網域之偵 之環境的示意圖;以及 圖5為本發明較佳實施例之一種偵測系統的方塊示意 圖。 【主要元件符號說明】 11 :繮屍主機 12 :中繼站 13 :彊屍電腦 16 201251402 2 :偵測系統 21 :傳送單元 22 :記錄單元 23 :路由檢查單元 24 :判斷單元 25 :網路位址檢查單元 26 :自治系統號碼檢查單元 27 :傳送時間檢查單元 S01〜S04 :惡意網域之偵測方法的步驟 17The host name of the Yahoo.com network address router is 209.191.122.70 te-9-1 .bas-cl .mud.vahoo.com te-8-2.fab2-a-gdc.mud.vahoo.com 67.195.160.76 - ----- xe-2-2-0.clr3.ac4.vahoo.com xe-7-2-0.clr3.ac4.vahoo.com 98.137.149.56 • · te-9-3.basl-l- Drd.SD2.vahoo.com te-9-3.bas2-l-prd.sp2.vahoo.com 69.147.125.65 ^------- te-7-2.bas-al.rel .Yahoo.com Te-8-1 .bas-a2.rel.vahoo.com ae-2-dl60.msrl .re 1 .vahoo.com 72.30.2.43 ,* ^ ~~~~__ • · » te-9-1 .bas -k2.skl .vahoo.com te-8-1 .bas-k2.sk 1 .vahoo.com The above table only lists the host names of the two routers that arrive at the destination of the destination network. If the packet passes through & here to illustrate the definition of the last two routers, by the 3, router 1, ..., router 6, routing 10 201251402 5 and reach the network address ' router 6 and router 5 Count down 2 routers. 
Individually see 'In the time of this detection, the collagegangbang.net domain measured that it has 6 network addresses in rotation, and the host name of the last 2 routers arriving at the network address contains rostelecom .ru, columbus-networks.com, comcast.net, rr.com, proxad.net, bboi.net, charter.com, etc. 7 different routing domain names, and the network address of 97.81.81.66 has 2 Different routing domain names (bboi.net, charter.com). Here, the routing network domain name is called a specific part of the host name, which refers to the last part of the host name 'the bold and bottom line words in the above table, such as rostelecom.ru, columbus-networks.com, comcast.net, Rr.com, proxad.net, bboi.net, charter.com. On the other hand, during this detection period, the Yahoo.com domain measured that it has 5 network addresses in rotation, and the host name of the last 2 routes to the network address only contains yahoo.com. The routing domain name, and the names of multiple routing domains corresponding to each network address are the same. The above difference between the host name of the malicious domain and the normal domain is the basis of the route checking step of the present invention. Of course, the route inspection step can be extended based on this, for example, checking only the host names of the last few routers, or only the routing domain name of the host name, thereby improving the checking speed. In addition, it can also be generated by some collocation or calculation method. For example, the check value can include at least the number of different routing domain names as a parameter, and the different routing domain names included in the same network address. The number of 201251402 is taken as a parameter. 
After the route check step is performed, whether the destination domain is a malicious domain may be determined according to the result of the route check step, for example, if one of the check values obtained by the route check step is greater than a preset value, the purpose is determined. The domain is a malicious domain. Of course, the foregoing judging mechanism is merely illustrative and is not intended to limit the present invention. Alternatively, only the number of different routing domain names may be used for judgment, or other parameters may be used for judgment. In addition to the above-described routing check steps for malicious domain determination, other inspection steps may be utilized to assist in the determination of the malicious domain. The following examples are given. The detecting method of this embodiment may further include: a network address recording step of recording each packet to a network address of the destination domain; and a network address checking step, which is to check the destination network Multiple network addresses of the domain. After the network address checking step is completed, the determining step may further determine whether the destination domain is a malicious domain according to the result of the network address checking step. Referring to FIG. 4, when the detection system 2 transmits multiple packets to the destination domain, since the network addresses of the destination domain are rotated, the network addresses transmitted by the packets are also different. The network address recording step records the network address that each packet transmits to the destination domain, and then the network address checking step checks multiple network addresses of the destination domain. 
In general, a malicious domain will have a lot of network addresses rotated; while a normal domain has fewer network addresses, and multiple network address rotations in a normal domain use a round-robin domain name service (Round- Robin DNS, RR-DNS) for load balancing purposes. Since the network address inspection step is a traditional check, the details are not described here. The method for detecting the present embodiment may further include: an Autonomous System Number (ASN) recording step of recording the autonomous system number of each packet transmitted to a network address of the destination domain; and autonomy The system number checking step is to check the number of the network address of the destination network domain. After the autonomous system number checking step is completed, the judging step can judge whether the destination domain is a malicious domain according to the result of the autonomous system number checking step. US Internet Number Registration (ARIN) Hungarian Mother (The service provider assigns a 16-digit identification number to the administrator of each autonomous system, which is the autonomous system number. Usually, the nodes of the malicious domain are distributed widely. The area of the network, and its network address is continuously rotated to avoid being caught. Therefore, when the detection system 2 sends multiple packets in the same-area, it will receive multiple different autonomous system legacy codes and the normal domain will be The area where the network address of the system number is rotated = the smaller one. Therefore, when the debt measurement system 2 sends multiple packets in the same area, the I and the same self-receiving system number are received. Therefore, the autonomous system number is also It can be used as the judgment parameter of the malicious domain. 
The detection method of the example can further include: “Transfer time recording step U record each packet transmitted to the destination domain—one of the network addresses 间=between; and—transfer time The checking step is to check the transit time of the packets. When the transfer time recording step is completed as a malicious domain, the result of the step is recorded to determine whether the destination domain is usually a malicious node, and thus the destination domain is One 13 201251402 If the network address is too far away from the location of the detection system 2, the transmission time of the packet will be longer; and the nodes of the normal domain are often set in some main areas, so that the location of the detection system 2 is normal. The domain is not too far away, so the packet transmission time is short. Therefore, the transmission time of the packet can also be used as a judgment parameter of the malicious domain. Here, the transmission time of the packet can be, for example, the time of one-way transmission, or the time of transmission back and forth, Or the average time of transmission back and forth. The following table shows the transmission time corresponding to some normal domains and malicious domains obtained by applying the detection method of the present invention. Normal domain malicious domain google.com 0.632ms rxshoponline.net 723.662ms Yahoo.com 46.04ms rrx-online.com 369.196m microsoft.com 2-l21ms gipills.com 186.396ms amazon.com 3 -606ms medz41ess.net 519.075ms wordpress.com 5.196ms hotestdateingsite.net 918.99ms By table, 'normal network The transmission time of the domain is less than l〇0ins, and the transmission time of the malicious domain is greater than 1 〇〇ms. Of course, 1 〇〇mS is not an absolute comparison value. For example, it can be seen from the above table that the transmission time of the packet can also be used as a judgment parameter of the malicious domain. FIG. 
5 is a block diagram of a detection system 2 according to a preferred embodiment of the present invention. The malicious domain of the fast-changing domain technology is used, and includes a transmitting unit 21, a recording unit 22, a route checking unit 23, and a determining unit 24. The transmitting unit 21 transmits a plurality of packets & to a destination domain. The recording unit 22 records the host name of at least one router through which each packet is transmitted to the destination=domain. The route check unit phantom 14 201251402 checks the host name. The judging unit 24 checks whether the destination domain is a malicious domain routing unit by checking the result. The 22 system records at least the device before the destination domain: the machine name and the route checking unit 23 checks the paths. Is the route =:? Whether a particular part is the same, for example, in addition, the recording unit 22 records each network address. _ System 2 further includes a network bit 2 to check the network addresses of the destination domain. 70-Net::Address=Unit 22 records the money alerts that each packet is sent to the destination domain. . System number. The predicate system 2 further includes an autonomous system, = check early 26, which checks the destination domain autonomous system number. The stop 4 temple 1 outer record unit 22 records the transfer time of each packet to the address of the destination domain. The detection system also includes a transmission time check. The delivery time of the inspection material packet is as early as 27'. The judging unit 24 can judge whether the destination domain is a malicious domain or not according to the result of the network address checking unit 25, or the result of the autonomous system number checking unit 26, or the result of the transmission (4) 杳 凡 27 . Since the above-mentioned judgment mechanism is already in the method of speculation - and is detailed, it will not be described here. 
In summary, the method for testing and the debt measurement system of the present invention records the host name of at least one router that each packet is transmitted to the destination domain ^ 'rechecks the host name' and thereby determines the destination network Whether the domain is a bad thinking, . Due to the malicious domain that uses the dynamic domain technology, the network 201251402 host name rotation area is large, (4) the domain of the router is different 'especially the routing network at the end of the host name. Therefore, the present invention utilizes this feature. To detect the rogue address of the malicious domain ^ too much time 'usually after detecting several networks for the destination domain' can determine whether the destination domain is malicious." And greatly improve detection performance. The above is intended to be illustrative only and not limiting. Any equivalent modifications or changes made to the spirit of the invention and the scope of the application shall be included in the scope of the appended patent application. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a schematic diagram of a corpse network activity; FIG. 2 is a schematic diagram of a corpse network utilizing a rapidly changing domain technology; FIG. 3 is a diagram of a malicious domain according to a preferred embodiment of the present invention; FIG. 4 is a schematic diagram of a malicious network domain detection environment according to a preferred embodiment of the present invention; and FIG. 5 is a block diagram of a detection system according to a preferred embodiment of the present invention. 
[Description of reference numerals] 11: botmaster; 12: command and control server (relay station); 13: zombie computer; 2: detection system; 21: transmitting unit; 22: recording unit; 23: route checking unit; 24: judging unit; 25: network address checking unit; 26: autonomous system number checking unit; 27: transmission time checking unit; S01 to S04: steps of the method of detecting a malicious domain
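The following Python script is an added worked example of the checks described above; it is not code from the patent or its inventors. It assumes that the transmitting and recording steps have already produced, for each packet sent to the destination domain, the address the domain resolved to, that address's autonomous system number, the packet's transmission time, and the host names of the last two routers before the destination. The `router_domain` helper (which takes the trailing labels of a router host name as the "particular part" to compare), the thresholds and the combination rule in `judge`, and all sample probes are assumptions constructed for this example.

```python
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Probe:
    """What the recording step keeps for one packet sent to the destination domain."""
    dest_ip: str        # network address the destination domain resolved to for this packet
    asn: int            # autonomous system number of dest_ip (assumed looked up separately)
    rtt_ms: float       # transmission time of the packet, in milliseconds
    last_hops: tuple    # host names of the routers just before the destination (at least two)


def router_domain(hostname: str, labels: int = 2) -> str:
    """The 'particular part' of a router host name that is compared.

    Assumption for this example: the trailing labels of the name identify the
    network operating the router, e.g. 'ae1.core1.hosting.example' -> 'hosting.example'.
    """
    parts = hostname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def route_check(probes) -> set:
    """Route checking step: the set of router domains seen before the destination."""
    return {router_domain(h) for p in probes for h in p.last_hops}


def address_check(probes) -> set:
    """Network address checking step: distinct addresses the domain resolved to."""
    return {p.dest_ip for p in probes}


def asn_check(probes) -> set:
    """Autonomous system number checking step: distinct ASNs of those addresses."""
    return {p.asn for p in probes}


def transmission_time_check(probes) -> float:
    """Transmission time checking step: spread (population std-dev, ms) of the times."""
    return pstdev(p.rtt_ms for p in probes)


def judge(probes, max_router_domains=1, max_asns=1, max_rtt_spread_ms=50.0) -> dict:
    """Judging step: the route check decides on its own; the ASN and transmission
    time checks corroborate each other. Thresholds and rule are example assumptions."""
    indicators = {
        "router_domains": len(route_check(probes)) > max_router_domains,
        "asns": len(asn_check(probes)) > max_asns,
        "rtt_spread": transmission_time_check(probes) > max_rtt_spread_ms,
    }
    indicators["malicious"] = indicators["router_domains"] or (
        indicators["asns"] and indicators["rtt_spread"]
    )
    return indicators


# Constructed sample probes (not real measurements). Addresses come from the
# RFC 5737 documentation ranges, ASNs from the RFC 5398 documentation range.
LEGIT_PROBES = (
    Probe("192.0.2.10", 64496, 21.0, ("ae1.core1.hosting.example", "xe0.edge3.hosting.example")),
    Probe("192.0.2.11", 64496, 23.0, ("ae1.core1.hosting.example", "xe0.edge4.hosting.example")),
    Probe("192.0.2.10", 64496, 22.0, ("ae2.core2.hosting.example", "xe1.edge3.hosting.example")),
)

FLUX_PROBES = (
    Probe("198.51.100.7", 64497, 15.0, ("bras1.city.isp-a.example", "cm-12.isp-a.example")),
    Probe("203.0.113.44", 64498, 180.0, ("dsl-gw.isp-b.example", "cust-44.isp-b.example")),
    Probe("198.51.100.200", 64499, 95.0, ("cable-9.isp-c.example", "node-200.isp-c.example")),
)


if __name__ == "__main__":
    for name, probes in (("legitimate", LEGIT_PROBES), ("fast-flux", FLUX_PROBES)):
        print(name, judge(probes))
```

Three probes are enough to separate the two constructed cases: the hosted domain's last-hop routers all share one operator domain, while the fast-flux domain's routers come from three different access networks, which is the feature the description relies on. The resolved-address count is returned by `address_check` but deliberately not used in the verdict, since a legitimate content delivery setup also answers with many addresses.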

Claims (1)

VII. Claims:
1. A method of detecting a malicious domain using fast-flux technology, comprising: a transmitting step of transmitting a plurality of packets to a destination domain; a route recording step of recording the host name of at least one router through which each packet passes on its way to the destination domain; a route checking step of checking the host name; and a judging step of judging, according to the result of the route checking step, whether the destination domain is a malicious domain.
2. The detection method of claim 1, wherein the recording step records the host names of at least two routers located before the destination domain.
3. The detection method of claim 2, wherein the route checking step checks whether a particular part of the host names of the routers is the same.
4. The detection method of claim 1, further comprising: a network address recording step of recording a network address to which each packet is transmitted for the destination domain; and a network address checking step of checking the plurality of network addresses of the destination domain.
5. The detection method of claim 1, further comprising: an autonomous system number recording step of recording the autonomous system number of the network address to which each packet is transmitted for the destination domain; and an autonomous system number checking step of checking the autonomous system numbers of the network addresses of the destination domain.
6. The detection method of claim 1, further comprising: a transmission time recording step of recording a transmission time of each packet to the network address of the destination domain; and a transmission time checking step of checking the transmission times of the packets.
7. The detection method of any one of claims 4 to 6, wherein the judging step further judges whether the destination domain is a malicious domain according to the result of the network address checking step, the result of the autonomous system number checking step, or the result of the transmission time checking step.
8. A detection system for detecting a malicious domain using fast-flux technology, comprising: a transmitting unit that transmits a plurality of packets to a destination domain; a recording unit that records the host name of at least one router through which each packet passes on its way to the destination domain; a route checking unit that checks the host name; and a judging unit that judges, according to the result of the route checking unit, whether the destination domain is a malicious domain.
9. The detection system of claim 8, wherein the recording unit records the host names of at least two routers located before the destination domain.
10. The detection system of claim 9, wherein the route checking unit checks whether a particular part of the host names of the routers is the same.
11. The detection system of claim 8, wherein the recording unit further records a network address to which each packet is transmitted for the destination domain, and the detection system further comprises: a network address checking unit that checks the plurality of network addresses of the destination domain.
12. The detection system of claim 8, wherein the recording unit further records the autonomous system number of the network address to which each packet is transmitted for the destination domain, and the detection system further comprises: an autonomous system number checking unit that checks the autonomous system numbers of the network addresses of the destination domain.
13. The detection system of claim 8, wherein the recording unit further records a transmission time of each packet to the network address of the destination domain, and the detection system further comprises: a transmission time checking unit that checks the transmission times of the packets.
14. The detection system of any one of claims 11 to 13, wherein the judging unit further judges whether the destination domain is a malicious domain according to the result of the network address checking unit, the result of the autonomous system number checking unit, or the result of the transmission time checking unit.
TW100120010A 2011-06-08 2011-06-08 Detection method and system for fast-flux malicious domain TWI455546B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW100120010A TWI455546B (en) 2011-06-08 2011-06-08 Detection method and system for fast-flux malicious domain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW100120010A TWI455546B (en) 2011-06-08 2011-06-08 Detection method and system for fast-flux malicious domain

Publications (2)

Publication Number Publication Date
TW201251402A true TW201251402A (en) 2012-12-16
TWI455546B TWI455546B (en) 2014-10-01

Family

ID=48139457

Family Applications (1)

Application Number Title Priority Date Filing Date
TW100120010A TWI455546B (en) 2011-06-08 2011-06-08 Detection method and system for fast-flux malicious domain

Country Status (1)

Country Link
TW (1) TWI455546B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI634769B (en) * 2016-09-20 2018-09-01 中華電信股份有限公司 Method for detecting domain name transformation botnet through proxy server log

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI648650B (en) 2017-07-20 2019-01-21 中華電信股份有限公司 Gateway device, detection method of malicious domain and host host, and non-transitory computer readable media
TWI764618B (en) * 2020-10-19 2022-05-11 新加坡商賽博創新新加坡股份有限公司 Cyber security protection system and related proactive suspicious domain alert system
US11558352B2 (en) 2020-10-19 2023-01-17 Cycraft Singapore Pte. Ltd. Cyber security protection system and related proactive suspicious domain alert system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9038193B2 (en) * 1998-08-14 2015-05-19 Azos Al, Llc System and method of data cognition incorporating autonomous security protection
CN102045215B (en) * 2009-10-21 2013-04-24 成都市华为赛门铁克科技有限公司 Botnet detection method and device

Also Published As

Publication number Publication date
TWI455546B (en) 2014-10-01

Similar Documents

Publication Publication Date Title
WO2018113594A1 (en) Method and device for defending dns attack and storage medium
US9497213B2 (en) System and method to manage sinkholes
KR101863024B1 (en) Distributed load balancer
JP4667437B2 (en) Abnormal traffic detection apparatus, abnormal traffic detection method, and abnormal traffic detection program
US20120054869A1 (en) Method and apparatus for detecting botnets
CN105681133B (en) A method of the detection whether anti-network attack of dns server
KR20130014226A (en) Dns flooding attack detection method on the characteristics by attack traffic type
Bushart et al. DNS unchained: Amplified application-layer DoS attacks against DNS authoritatives
US10326794B2 (en) Anycast-based spoofed traffic detection and mitigation
Barbhuiya et al. Detection of neighbor discovery protocol based attacks in IPv6 network
EP3545451B1 (en) Automatic forwarding of access requests and responses thereto
JP4931881B2 (en) Server allocation system and method using white list
TW201251402A (en) Detection method and system for fast-flux malicious domain
US10411981B2 (en) Method and system for detecting client causing network problem using client route control system
Futai et al. Hybrid detection and tracking of fast-flux botnet on domain name system traffic
Al-Duwairi et al. Fast Flux Watch: A mechanism for online detection of fast flux networks
Herzberg et al. DNS authentication as a service: preventing amplification attacks
US20220182354A1 (en) Decoupling of ip address bindings and use in a distributed cloud computing network
JP2018007244A (en) Method for transferring a packet in an information centric networking
Park et al. Identification of hosts behind a NAT device utilizing multiple fields of IP and TCP
WO2019007139A1 (en) Method, device, and system for implementing fault detection
Zhang et al. Wolf in Sheep's Clothing: Evaluating Security Risks of the Undelegated Record on DNS Hosting Services
WO2020231688A1 (en) Using the state of a request routing mechanism to inform attack detection and mitigation
US8660143B2 (en) Data packet interception system
Lee et al. A perspective towards NCIFA and CIFA in named-data networking architecture

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees