TW201427334A - Fast-flux identification system and a computer programming utilized to identifying the same - Google Patents


Info

Publication number: TW201427334A
Authority: TW (Taiwan)
Prior art keywords: data, spatial, domain name, network protocol, regional
Application number: TW101150489A
Other languages: Chinese (zh)
Inventors: Hahn-Ming Lee, Horng-Tzer Wang, Te-En Wei, Ching-Hao Mao, Kuo-Ping Wu
Original assignee: National Taiwan University of Science and Technology

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a fast-flux identification system and a computer program product for identifying fast-flux domains. More specifically, it discloses a localized spatial geolocation detection (LSGD) system for identifying fast-flux service networks (FFSNs) in real time. The grid distribution of LSGD gives the system a precise spatial locating capability for profiling the spatial relations among the IP addresses a domain resolves to, and autonomous system numbers (ASNs) are used to strengthen localized geographic characteristics. The proposed system, combining LSGD, ASNs and the Domain Name System (DNS), identifies potential FFSNs well and detects them better than state-of-the-art spatial or temporal approaches, with a lower false positive rate in real-time detection than an approach based on a spatial snapshot alone.

Description

Domain name attack detection system and computer program for detecting domain name attacks

The present invention discloses a domain name attack detection system and a computer program for detecting domain name attacks. More specifically, the invention is a system and computer program that uses spatial geographic distribution information and a regional geographic concept to detect Fast-flux in real time.

In recent years, domain name attacks, Fast-flux in particular, have become one of the newest botnet problems. Fast-flux abuses the Domain Name System (DNS): it uses victim hosts as stepping stones and rapidly and dynamically changes the Internet Protocol (IP) addresses that a domain resolves to, so as to recruit more victim hosts while hiding the real servers behind proxies to evade detection. As the Internet has grown and domain name attack techniques have spread, the number of victim hosts has grown with them, and with more victim hosts comes more theft of users' personal information by attackers. Reducing these threats requires a technique that detects Fast-flux in real time, so that users learn immediately that a site is malicious and the number of victims is reduced.

In "Thorsten Holz, Christian Gorecki, Konrad Rieck, Felix C. Freiling. Measuring and detecting fast-flux service networks. In Proceedings of the 15th Network & Distributed System Security Symposium (NDSS) (2008)", DNS information is gathered based on the time-to-live (TTL) concept: DNS records are fetched over multiple TTL periods, and the information collected is then used to decide whether the domain uses Fast-flux. The drawback is that gathering multiple observations increases detection time, during which more victim hosts may be created.

In "Passerini Emanuele and Paleari Roberto and Martignoni Lorenzo and Bruschi Danilo. FluXOR: Detecting and Monitoring Fast-Flux Service Networks. In Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) (2008)", DNS information is likewise gathered based on the TTL concept, but a threshold is placed on the TTL: the TTL is only used to gather DNS information once it exceeds the threshold. Although this reduces the delay somewhat compared with Holz et al., it still suffers from detection delay.

In "Huang, Si-Yu and Mao, Ching-Hao and Lee, Hahn-Ming. Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2010)", Fast-flux is detected using a spatial snapshot. Although this paper proposes a real-time detection system, it relies only on spatial characteristics and only on the GMT time zone concept to detect domain name attacks, which blurs the boundary between attack domains and benign domains and yields a high false positive rate.

Traditional methods for detecting Fast-flux mostly rely on time to live (TTL), which introduces delay and allows more victim hosts to be created. How to develop a system and method that detects Fast-flux effectively and in real time is therefore an urgent problem for those skilled in the art.

The scope of the present invention is to provide a domain name attack detection system that determines, from domain name data, whether a network address is an attack domain. The system comprises a domain name system information collector, a regional spatial feature engine, and a domain name attack detection engine. The domain name system information collector obtains a record message for the domain name data; the record message corresponds to the Domain Name System (DNS) format. The regional spatial feature engine, coupled to the domain name system information collector, derives regional spatial feature data from the record message. The domain name attack detection engine, coupled to the regional spatial feature engine, uses the regional spatial feature data and a real-time one-pass detection mechanism to decide whether the domain name data is an attack domain.

In application, the regional spatial feature engine may optionally comprise an IP address feature extractor, an IP address geographic location mapper, a spatial geolocation distribution estimator, a spatial geolocation service relationship estimator, and a regional spatial geolocation distribution constructor. The IP address feature extractor obtains IP address data from the record message; the IP address data comprises a plurality of IP addresses. The IP address geographic location mapper is coupled to the IP address feature extractor and produces geographic coordinate data from the IP address data.

The spatial geolocation distribution estimator, coupled to the IP address geographic location mapper, produces dispersion degree data from the geographic coordinate data. The spatial geolocation service relationship estimator, also coupled to the IP address geographic location mapper, produces geolocation service relationship data from the geographic coordinate data. The regional spatial geolocation distribution constructor is coupled to both the spatial geolocation distribution estimator and the spatial geolocation service relationship estimator, and produces the regional spatial feature data from the geolocation service relationship data and the dispersion degree data.

Further, in application the system may comprise a spatial geolocation information database, coupled to the IP address geographic location mapper, which stores geographic coordinate data used as a parameter when the spatial geolocation distribution estimator computes the dispersion degree data. The invention may also comprise a regional geolocation autonomous system mapper, coupled to the IP address feature extractor, which produces autonomous system number count data from the IP address data for use as a parameter when the regional spatial geolocation distribution constructor produces the regional spatial feature data.

Moreover, the invention may further comprise a regional autonomous system number information database, coupled to the regional geolocation autonomous system mapper, which stores autonomous system numbers used as a parameter when the regional geolocation autonomous system mapper computes the autonomous system number count data.

In addition, the invention discloses a computer program for detecting domain name attacks, which determines from domain name data whether a network address is an attack domain and is executed by loading the program into a computer. The product comprises a domain name system information collection instruction, a regional spatial feature instruction, a domain name attack detection instruction, and an output instruction.

The IP address feature extraction instruction causes the central processing unit to obtain IP address data, comprising a plurality of IP addresses, from the record message. The IP address geographic location mapping instruction causes the central processing unit to produce geographic coordinate data from the IP address data. The spatial geolocation distribution estimation instruction causes the central processing unit to produce dispersion degree data from the geographic coordinate data. The spatial geolocation service relationship estimation instruction causes the central processing unit to produce geolocation service relationship data from the geographic coordinate data. The regional spatial geolocation distribution construction instruction causes the central processing unit to produce the regional spatial feature data from the geolocation service relationship data and the dispersion degree data.

The program product may further comprise a spatial geolocation information database access instruction, which causes the central processing unit to obtain geographic coordinate data from a spatial geolocation information database as a parameter for the spatial geolocation distribution estimation instruction when computing the dispersion degree data. It may further comprise a regional geolocation autonomous system mapping instruction, which causes the central processing unit to produce autonomous system number count data from the IP address data as a parameter for the regional spatial geolocation distribution construction instruction when producing the regional spatial feature data. It may further comprise a regional autonomous system number information database access instruction, which causes the central processing unit to obtain autonomous system numbers from a regional autonomous system number information database as a parameter for the regional geolocation autonomous system mapping instruction when computing the autonomous system number count data.

In summary, the present invention proposes a technique that uses spatial geographic distribution information and a regional geographic concept to detect Fast-flux in real time, together with a system and method applying that technique. The invention exploits the characteristics of spatial distribution, using the concepts of grid distribution, latitude-longitude time zones and entropy, together with the distances between Internet Protocol (IP) addresses, to define more precise geographic distribution information. To compensate for the limits of spatial features alone, the invention further uses autonomous system numbers (ASNs) to strengthen regional characteristics, achieving real-time detection with high accuracy and a low false positive rate.

Put simply, the invention uses spatial geographic distribution information and a regional geographic concept to detect Fast-flux in real time, and covers the inventions that apply this technique. Spatial distribution is characterised through grid distribution, latitude-longitude time zones, entropy and the distances between IP addresses, giving more precise geographic distribution information; ASNs then strengthen the regional characteristics, so that high accuracy and a low false positive rate are achieved together.

More specifically, the principle of the invention rests on the inventors' observation that a benign website can choose where its hosts are located, whereas an attacker cannot choose where the infected victim hosts are. Exploiting this difference, the invention divides the Earth's surface into grid blocks so as to judge the spatial geolocation distribution relationship among hosts more precisely. On the other hand, because infected victim hosts are spread across different Internet service providers, the invention counts the number of distinct autonomous system numbers that the hosts map to, compensating for the limits of spatial features and judging the regional geolocation dispersion among hosts. Finally, the invention uses a Bayesian network classifier to evaluate the spatial and regional geolocation feature data, achieving real-time Fast-flux detection.

The invention provides a domain name attack (hereinafter Fast-flux) detection system. Please refer to Figure 1, a functional block diagram of the Fast-flux detection system in one embodiment of the invention. To achieve the effects described above, the Fast-flux detection system 1, in its simplest form, comprises a domain name system information collector 10, a regional spatial feature engine 70, a domain name attack detection engine 90, a spatial geolocation information database 30, and a regional autonomous system number information database 50.

The domain name system information collector (hereinafter the DNS information collector) 10 is a device, module, program or instruction that collects the Domain Name System (DNS) record message corresponding to given domain name data. The record message may include, but is not limited to, IP addresses (IPv4, IPv6), modification time, creation time, and service termination time.

The regional spatial feature engine 70 derives regional spatial feature data corresponding to the record message. The domain name attack detection engine 90 uses the maximum likelihood produced by a Bayesian network classifier, through a real-time one-pass detection mechanism, to decide whether the domain name data is a Fast-flux domain.

To obtain the geographic coordinates corresponding to IP addresses, the invention further has a spatial geolocation information database 30 that provides this data. The regional autonomous system number information database 50 stores the autonomous system number corresponding to every IP address.

Please refer to Figure 2, a functional block diagram of the regional spatial feature engine in one embodiment of the invention. In application, the regional spatial feature engine 70 may comprise an IP address feature extractor 71, an IP address geographic location mapper 73, a spatial geolocation distribution estimator 75, a spatial geolocation service relationship estimator 77, a regional geolocation autonomous system mapper 78, and a regional spatial geolocation distribution constructor 79.

The IP address feature extractor 71 extracts, from the DNS record message provided by the DNS information collector 10, the IP address data for the domain; the IP address data comprises a plurality of IP addresses.

The IP address geographic location mapper 73, coupled to the IP address feature extractor 71, takes the IP address data extracted by the extractor 71, looks up the corresponding geographic coordinates in the spatial geolocation information database 30, and produces the geographic coordinates of all of the domain's IP addresses together with the corresponding geographic coordinate data.

The spatial geolocation distribution estimator 75, coupled to the IP address geographic location mapper 73, uses the geographic coordinate data to locate all of the domain's IP addresses and examines how they fall across the latitude-longitude time zone (LLTZ) grid, obtained by cutting the Earth's surface into 24 by 24 grid blocks. Applying the concept of entropy to this grid distribution, it estimates how geographically dispersed the domain's IP addresses are and produces dispersion degree data.

The spatial geolocation service relationship estimator 77, also coupled to the IP address geographic location mapper 73, uses the geographic coordinate data to locate all of the domain's IP addresses and computes the Euclidean distances between their coordinates to obtain the shortest distances between these addresses, from which it builds a service distance difference relationship. On this basis it estimates the geolocation service relationship among the domain's IP addresses and produces corresponding geolocation service relationship data.

At the same time, the regional geolocation autonomous system mapper 78, coupled to the IP address feature extractor 71, takes the extracted IP address data, looks up each address's autonomous system number in the regional autonomous system number information database 50, and produces the number of distinct autonomous system numbers among the domain's IP addresses, together with corresponding autonomous system number count data.

The regional spatial geolocation distribution constructor 79 is coupled to the spatial geolocation distribution estimator 75, the spatial geolocation service relationship estimator 77 and the regional geolocation autonomous system mapper 78. Using the dispersion degree data and geolocation service relationship data established by the estimators 75 and 77, and the autonomous system number count data established by the mapper 78, it combines the spatial and regional feature data through a Bayesian network classifier, using the K2 algorithm to learn the dependencies among the feature data, and constructs the regional spatial feature data. Since the detailed procedures and operation of Bayesian network classification come in many variants and are documented in the existing literature, they are not repeated here for brevity.

The regional spatial feature data is then passed to the domain name attack detection engine 90, which uses the maximum likelihood produced by the Bayesian network classifier, through the real-time one-pass detection mechanism, to decide whether the domain name data is a Fast-flux domain. This is how the system determines whether the original domain name data is a Fast-flux domain.

In practice, each of the systems, devices, units, components, engines or databases named above may be an instruction set, software recording that instruction set, a media storage device holding that software, or other hardware, or part of hardware, with a corresponding program or function. In this embodiment, the entire system is stored in a data storage device inside a personal computer. The DNS information collector 10, the regional spatial feature engine 70 and the domain name attack detection engine 90 are each a software program, or a subroutine, composed of a plurality of instruction groups. The spatial geolocation information database 30 and the regional autonomous system number information database 50 are each a database storing a plurality of data items. More specifically, please refer to Figure 3, a functional block diagram of the personal computer in one embodiment of the invention. The personal computer C comprises an interface device C1, a central processing unit C2, a data storage device C3 and an output device C4.

In use, the user controls the central processing unit through the interface device so that it reads and executes the Fast-flux detection system from the data storage device. Once the system reaches a decision, the result is output through an output device, which may be a display C4. The interface device C1 may be a mouse, a keyboard, a user interface system such as "Microsoft Windows", or an assembly of these.

The invention is not limited to the preceding example; in application, each component of the invention may be composed of a plurality of functional components connected by the Internet or by other coupling means such as connectors.

In addition, the invention discloses a domain name attack detection method corresponding to the foregoing system. Briefly, the method comprises step S1 and step S2. Step S1 is a training phase, in which a Bayesian network model of the Fast-flux and benign domains to be detected is constructed. Step S2 is a detection phase, in which the established Bayesian network model is used to classify the current behaviour of a domain. The training phase S1 comprises sub-steps S11 to S17 in sequence.

In sub-step S11, DNS records are collected for the domain and the domain's Internet Protocol (IP) addresses are output. In sub-step S13, the geographic coordinates corresponding to all of the IP addresses are produced. In sub-step S14, the number of distinct autonomous system numbers among all of the IP addresses is produced. In sub-step S15, the dispersion of the latitude-longitude time zone (LLTZ) grid distribution across the geographic coordinates produced in step S13 is computed. In sub-step S16, the Euclidean distances between the geographic coordinates produced in step S13 are used to obtain the shortest distances between the addresses, from which the service distance difference relationship is built and the geolocation service relationship is computed. In sub-step S17, the regional feature data produced in step S14 and the spatial feature data produced in steps S15 and S16 are fed to a Bayesian network, which computes the dependency relationships among the feature vector values extracted from each training sample to produce a model of dependent feature behaviour.

On the other hand, once the model described above has been constructed, the detection phase S2 can be carried out. The detection phase S2 comprises, in sequence, sub-steps S21 to S29. In sub-step S21, domain name data is collected from the domain, and the Internet Protocol address data (IP addresses) of that domain is extracted and output. In sub-step S22, from the geographic coordinates corresponding to all of the IP address data, the dispersion of the grid distribution over latitude-longitude time zones (LLTZs) among the coordinates is calculated, and the service-distance difference relationship derived from the Euclidean distances between the coordinates is used to establish the spatial geolocation feature data.

In sub-step S23, the number of distinct autonomous system numbers occurring among the autonomous system numbers contained in all of the IP address data is calculated, to establish the regional feature count data. In sub-step S25, a Bayesian network is used to calculate the dependency relationships, with respect to behaviour, among each extracted regional and spatial feature vector value, thereby establishing the behavioural feature relationships among them. In sub-step S27, based on the maximum likelihood among the features produced by the Bayesian network classifier, a real-time one-pass detection mechanism determines whether the domain name under test is a fast-flux domain. In step S29, when the domain detected in step S27 is fast-flux, a warning is issued.
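The training steps S11 to S17 and detection steps S21 to S29 above, as an added example that is not part of the patent: LSGD-style features (LLTZ grid-distribution entropy, nearest-neighbour Euclidean distance, distinct ASN count) are computed over a set of resolved addresses, and a naive Bayes classifier trained on constructed labelled sets stands in for the patent's learned Bayesian network. The IP-to-location table, the 30-degree latitude and 15-degree longitude bands, the binarisation thresholds and the averaging of nearest-neighbour distances are all assumptions of this example.

```python
import math
from collections import Counter

GEO_DB = {  # constructed stand-in for databases 30 (geolocation) and 50 (ASN): ip -> (lat, lon, ASN)
    "203.0.113.10": (25.03, 121.56, 64500),   # Taipei cluster, single ASN
    "203.0.113.11": (25.05, 121.53, 64500),
    "203.0.113.12": (24.99, 121.52, 64500),
    "198.51.100.7": (40.71, -74.01, 64501),   # New York
    "198.51.100.8": (51.51, -0.13, 64502),    # London
    "198.51.100.9": (-33.87, 151.21, 64503),  # Sydney
}

def lltz_cell(lat, lon):
    """Assumed LLTZ grid: 15-degree longitude (time-zone) x 30-degree latitude bands."""
    return (int((lat + 90) // 30), int((lon + 180) // 15) % 24)

def grid_entropy(coords):
    """S15/S22: dispersion of the LLTZ grid distribution as Shannon entropy (bits)."""
    counts = Counter(lltz_cell(lat, lon) for lat, lon in coords)
    n = len(coords)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def mean_nearest_distance(coords):
    """S16/S22: Euclidean distance (degrees) to each address's closest peer, averaged."""
    if len(coords) < 2:  # a single address has no peer
        return 0.0
    return sum(min(math.hypot(a[0] - b[0], a[1] - b[1])
                   for j, b in enumerate(coords) if j != i)
               for i, a in enumerate(coords)) / len(coords)

def extract_features(ips):
    """S13/S14 and S21-S23: distinct ASN count plus the two spatial features."""
    coords = [GEO_DB[ip][:2] for ip in ips]
    return {"asn_count": len({GEO_DB[ip][2] for ip in ips}),
            "grid_entropy": grid_entropy(coords),
            "nn_distance": mean_nearest_distance(coords)}

def binarise(f):
    """Assumed thresholds turning the three features into binary evidence."""
    return (f["asn_count"] > 1, f["grid_entropy"] > 1.0, f["nn_distance"] > 5.0)

class NaiveBayes:
    """Naive Bayes (the simplest Bayesian network) standing in for the patent's
    learned dependency model of S17/S25; Laplace smoothing keeps logs finite."""
    def __init__(self):
        self.prior, self.cond = Counter(), Counter()

    def fit(self, samples):  # training phase S1 over (ips, label) pairs
        for ips, label in samples:
            self.prior[label] += 1
            for i, v in enumerate(binarise(extract_features(ips))):
                self.cond[(label, i, v)] += 1
        return self

    def predict(self, ips):  # S27: maximum-posterior class in one pass; S29 warns on "fast-flux"
        evidence, scores = binarise(extract_features(ips)), {}
        for label, n in self.prior.items():
            lp = math.log(n / sum(self.prior.values()))
            for i, v in enumerate(evidence):
                lp += math.log((self.cond[(label, i, v)] + 1) / (n + 2))
            scores[label] = lp
        return max(scores, key=scores.get)

TRAINING = [  # constructed labelled resolution sets; benign ones stay in one ASN and cell
    (["203.0.113.10", "203.0.113.11", "203.0.113.12"], "benign"),
    (["203.0.113.11", "203.0.113.12"], "benign"),
    (["198.51.100.7", "198.51.100.8", "198.51.100.9"], "fast-flux"),
    (["203.0.113.10", "198.51.100.8", "198.51.100.9"], "fast-flux"),
]
```

A Taipei-only resolution set is classified benign, while a set spanning Taipei, New York and Sydney is flagged fast-flux; the four-entry training set is only enough to show the mechanics, not a usable model.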

In summary, the present invention proposes a technique that uses spatial geographic distribution information and regional geographic concepts to achieve real-time detection of fast-flux, together with a system and method applying that technique. The present invention exploits the characteristics of spatial distribution, using the concepts of grid distribution, latitude-longitude time zones and entropy, together with the distances between Internet Protocol (IP) addresses, to define more precise geographic distribution information. At the same time, to compensate for the shortcomings of spatial features alone, the present invention further uses autonomous system numbers (ASNs) to strengthen regional features, achieving real-time detection with high accuracy and a low false-positive rate.

Before the present invention is described further, it should be understood that, unless otherwise defined, all technical and scientific terms used in this specification have the same meaning as is commonly understood by those skilled in the art to which the invention belongs. In addition, what is described in this specification is only one of many example methods of the present invention; in actual use of the invention, any method or means similar or equivalent to the methods and apparatus described herein may be used. Furthermore, where this specification refers to a number as "above" or "below", the number itself is included. In addition, where this specification states that some A and some B are electrically connected or coupled, it means that A and B are capable of transmitting energy, data or signals between them, without being limited to a physical connection; accordingly, any transmission by wired or wireless means using electrical, optical, electromagnetic or similar means falls within this meaning.

It should also be understood that the methods and procedures disclosed in this specification for performing the disclosed functions are not limited to the order described in the specification; unless the specification explicitly excludes it, the order of the individual procedures, steps or flows may be freely adjusted according to the user's requirements. In addition, since the elements of the present invention are similar in nature to one another, the descriptions and reference numerals of the elements apply to one another. Further, for brevity, the terms "product" and "method" used herein refer respectively to the computer program for detecting domain name attacks of the present invention and its corresponding method, while the term "system" refers to the domain name attack detection system of the present invention.

The detailed description of the preferred embodiments above is intended to describe the features and spirit of the present invention more clearly, and not to limit the scope of the invention to the preferred embodiments disclosed. On the contrary, the intention is to cover various modifications and equivalent arrangements within the scope of the patent claims of the present invention. Therefore, the scope of the claims of the present invention should be given the broadest interpretation consistent with the description above, so as to cover all possible modifications and equivalent arrangements.

1‧‧‧Domain name attack detection system

10‧‧‧Domain name system information collector

30‧‧‧Spatial geolocation information database

50‧‧‧Regional autonomous system number information database

70‧‧‧Regional spatial feature engine

71‧‧‧Internet Protocol address feature extractor

73‧‧‧Internet Protocol address geographic location mapper

75‧‧‧Spatial geolocation distribution estimator

77‧‧‧Spatial geolocation service relationship estimator

78‧‧‧Regional geolocation autonomous system mapper

79‧‧‧Regional spatial geolocation distribution constructor

90‧‧‧Domain name attack detection engine

C‧‧‧Personal computer

C1‧‧‧Interface device

C2‧‧‧Central processing unit

C3‧‧‧Data storage device

C4‧‧‧Output device

Figure 1 is a functional block diagram of the domain name attack detection system in one embodiment of the present invention.

Figure 2 is a functional block diagram of the regional spatial feature engine in one embodiment of the present invention.

Figure 3 is a functional block diagram of the personal computer in one embodiment of the present invention.


Claims (10)

1. A domain name attack detection system, which determines from domain name data whether a network address is an attack domain, comprising: a domain name system information collector, which obtains a record message from the domain name data, the record message corresponding to the domain name system (DNS) format; a regional spatial feature engine, coupled to the domain name system information collector, which derives regional spatial feature data from the record message; and a domain name attack detection engine, coupled to the regional spatial feature engine, which uses a real-time one-pass detection mechanism based on the regional spatial feature data to determine whether the domain name data is the attack domain.

2. The domain name attack detection system of claim 1, wherein the regional spatial feature engine comprises: an Internet Protocol address feature extractor, which obtains Internet Protocol address data from the record message, the Internet Protocol address data comprising a plurality of Internet Protocol addresses; an Internet Protocol address geographic location mapper, coupled to the Internet Protocol address feature extractor, which generates geographic coordinate data from the Internet Protocol address data; a spatial geolocation distribution estimator, coupled to the Internet Protocol address geographic location mapper, which generates dispersion data from the geographic coordinate data; a spatial geolocation service relationship estimator, coupled to the Internet Protocol address geographic location mapper, which generates geolocation service relationship data from the geographic coordinate data; and a regional spatial geolocation distribution constructor, coupled to the spatial geolocation distribution estimator and the spatial geolocation service relationship estimator, which generates the regional spatial feature data from the geolocation service relationship data and the dispersion data.

3. The domain name attack detection system of claim 2, further comprising a spatial geolocation information database coupled to the Internet Protocol address geographic location mapper, the spatial geolocation information database storing geographic coordinate data used as a parameter by the spatial geolocation distribution estimator when calculating the dispersion data.

4. The domain name attack detection system of claim 2, further comprising a regional geolocation autonomous system mapper, coupled to the Internet Protocol address feature extractor, which generates autonomous system number count data from the Internet Protocol address data, used as a parameter by the regional spatial geolocation distribution constructor when generating the regional spatial feature data.

5. The domain name attack detection system of claim 4, further comprising a regional autonomous system number information database coupled to the regional geolocation autonomous system mapper, the regional autonomous system number information database storing autonomous system numbers used as a parameter by the regional geolocation autonomous system mapper when calculating the autonomous system number count data.

6. A computer program for detecting domain name attacks, which determines from domain name data whether a network address is an attack domain and is executed by loading the program on a computer, comprising the following instructions: a domain name system information collection instruction, which causes a central processing unit to read the domain name data from a data storage device and obtain a record message, the record message corresponding to the domain name system (DNS) format; a regional spatial feature instruction, which causes the central processing unit to generate regional spatial feature data from the record message; a domain name attack detection instruction, which causes the central processing unit to use a real-time one-pass detection mechanism based on the regional spatial feature data to determine whether the domain name data is the attack domain and to generate decision result data; and an output instruction, which causes the central processing unit to output the decision result data to an output device.

7. The computer program of claim 6, wherein the feature generation instruction comprises: an Internet Protocol address feature extraction instruction, which causes the central processing unit to obtain Internet Protocol address data from the record message, the Internet Protocol address data comprising a plurality of Internet Protocol addresses; an Internet Protocol address geographic location mapping instruction, which causes the central processing unit to generate geographic coordinate data from the Internet Protocol address data; a spatial geolocation distribution estimation instruction, which causes the central processing unit to generate dispersion data from the geographic coordinate data; a spatial geolocation service relationship estimation instruction, which causes the central processing unit to generate geolocation service relationship data from the geographic coordinate data; and a regional spatial geolocation distribution construction instruction, which causes the central processing unit to generate the regional spatial feature data from the geolocation service relationship data and the dispersion data.

8. The computer program of claim 7, further comprising a spatial geolocation information database access instruction, which causes the central processing unit to obtain geographic coordinate data from a spatial geolocation information database, used as a parameter by the spatial geolocation distribution estimation instruction when calculating the dispersion data.

9. The computer program of claim 7, further comprising a regional geolocation autonomous system mapping instruction, which causes the central processing unit to generate autonomous system number count data from the Internet Protocol address data, used as a parameter by the regional spatial geolocation distribution construction instruction when generating the regional spatial feature data.

10. The computer program of claim 9, further comprising a regional autonomous system number information database access instruction, which causes the central processing unit to obtain an autonomous system number from a regional autonomous system number information database, used as a parameter by the regional geolocation autonomous system mapping instruction when calculating the autonomous system number count data.
TW101150489A 2012-12-27 2012-12-27 Fast-flux identification system and a computer programming utilized to identifying the same TW201427334A (en)


Publications (1)

Publication Number Publication Date
TW201427334A true TW201427334A (en) 2014-07-01

Family

ID=51725789


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI616771B (en) * 2016-04-25 2018-03-01 宏碁股份有限公司 Botnet detection system and method thereof
US10122738B2 (en) 2016-04-25 2018-11-06 Acer Incorporated Botnet detection system and method
