TWI636680B - System and method for detecting suspicious domain names based on semi-passive domain name server - Google Patents

Abstract

The present invention relates to a system and method for detecting a suspicious domain name, mainly for actively and passively detecting a known or unknown domain name through a passive domain name server detection module. The domain name record, and through a feature extraction module, the domain name algorithm algorithm including the new domain feature is used to resolve the domain name server record for machine learning to generate classification rules, and finally a suspicious domain name determination module Determine whether the unknown domain is suspicious according to the classification rules.

Description

 System and method for detecting suspicious domain names based on semi-passive domain name server  

The present invention relates to a system and method for detecting a suspicious domain name, and more particularly to a system and method for determining a suspicious domain name by performing a semi-passive domain name server record through both active and passive channels.

In the prior art of detecting malicious domains through domain name server resolution, the method of the Republic of China Patent No. I455546 technology is to analyze the router information, including the router host name and the network address autonomous system number, etc., and then cooperate with the router. The specific part of the host name is the same or the network packet transmission time is greater than the preset check value to determine whether the domain is a malicious domain. However, this method uses the network packet transmission time as the basis for the malicious degree evaluation, and is only applicable to A comparison between a more famous domain name and a malicious domain name is prone to misjudgment for a domain name that is not well-known.

In addition, U.S. Patent No. 20120198549 is a passive domain name server for detecting malicious domain names by cooperating with ISPs and special units, such as some having an Authority Domain Name Server (ADNS). Unit, in order to obtain a record of the passive domain name server with high sample richness, and then parse the benign domain name and malicious network according to the resource records in the passive domain name server record. The difference between domain names; however, the method relies on the ISP and needs to cooperate with a special unit that owns ADNS. In addition, the patented method uses a lot of domain features, but it is actually only a timestamp. Four attributes, such as domain name, resource record type and feedback IP, are extended, so it is easy to misjudge CDN domain name and fast flux domain name.

In view of the above-mentioned lack of prior art, the technique of detecting a malicious domain through domain name server resolution still has to be limited and the accuracy is better.

The system of the present invention for detecting a suspicious domain name according to a semi-passive domain name server includes at least the following three modules.

The invention comprises a half passive domain name server detection module, and the semi-passive domain name server detection module can receive a list of input domains, the domain list is including White, Botnet or A multi-domain list of the APT domain, wherein the semi-passive domain name server detection module further includes an active sensing sub-module, and the active sensing sub-module can automatically input the input domain list Triggering the domain name server mechanism to query to find the domain name of interest. In addition, the semi-passive domain name server detection module further includes a passive sensing sub-module, and the passive sensing sub-module The system is configured to monitor the domain name server cache packet in the domain list to parse the domain name server packet sent by the client; the active sensing submodule and the passive sensing submodule After processing the domain list, the semi-passive domain name server detection module can generate half of the passive domain name server record according to the result, and the semi-passive domain name server detection module of the present invention is transmitted through Induction module contains two kinds of passive and active domains from the list Obtain the required record information.

The present invention further includes a feature capture module, wherein the feature capture module is a module for parsing a domain name server record for performing repeated machine learning, wherein the feature capture module further includes a receiver The module is configured to receive the semi-passive domain name server record generated by the semi-passive domain name server detection module, and further, the feature extraction module further includes a feature vector sub-module, the feature The vector module is configured to calculate the semi-passive domain name server by computing a domain feature algorithm for calculating the overall suspicious degree of the domain to generate a feature vector, wherein the feature capture module further includes a feature The training sub-module performs machine training through the feature vector generated by the feature vector sub-module, thereby generating or refining a domain classification rule.

Finally, the present invention further includes a suspicious domain name determining module, wherein the suspicious domain name determining module determines, by the machine learning result of the feature capturing module, a module of whether the domain name is suspicious, wherein the suspicious domain name determining module The group further includes a vector receiving sub-module for receiving the feature vector generated by the feature capturing module, and the suspect domain name determining module includes a vector classifying sub-module for transmitting the feature through the feature The domain classification rule generated by the feature training sub-module in the group is used to determine the feature vector of the semi-passive domain name server record in the domain list to determine whether the domain name is suspicious .

Briefly, the present invention actively and passively filters the domain list through the semi-passive domain name server detection module to generate the semi-passive domain name server record, and the feature capture mode of the present invention The group is configured to receive the semi-passive domain name server record and calculate the feature vector, and repeatedly perform the training to summarize the domain classification rule according to the feature vector and improve, and the suspicious domain name determining module of the present invention According to the feature extraction module The domain classification rule further determines the feature vector of the data in the semi-passive domain name server record obtained subsequently to determine the potential risk degree of the domain name.

The above-mentioned domain feature algorithm is an algorithm for generating a plurality of feature vectors for each sample in the semi-passive domain name server record, wherein the domain feature algorithm includes several prior techniques. The portion used to calculate the feature vector, however, differently, the domain feature algorithm of the present invention further includes the following four special algorithm parts, which can better determine the suspicious domain, respectively:

1. Algorithm for domain detection for DNS server IP Abuse, which is used to detect the visible state of the IP address of the domain name server. Suspected malicious domain, such IP is currently used as one of the methods that may be used when the APT domain name is in the hidden phase. The main implementation method is to redirect the IP address to other domain name servers. Let the system that automatically detects the NX type domain name generate a false positive to improve the difficulty of reverse tracing.

2. For high-TTL (Very Large TTL) algorithm for domain detection, because the domain name with higher TTL value has a higher probability of being a benign domain, which can be found to be only benign due to statistical data. The TTL of a domain name has a higher chance than a threshold (22,000 seconds), while APT and Botnet's domain name have little or no such high TTL value.

3. For the algorithm of domain detection for the high Attribute Process Time, the domain name with a longer execution time has a higher probability of being a benign domain. The prior art mostly only targets the domain name itself. Related features developed without considering benign domain names, zombies The network domain name and the APT domain name themselves are indirectly affecting the cost of the three in the analysis process due to the difference in the underlying structure, and the experimental data of the present invention can confirm the time spent by the three in the feature extraction, the benign domain name The average time spent is longer, followed by the botnet domain name, and finally the APT domain name.

4. For the algorithm of the domain detection, the number of IP addresses returned at the same time point is higher, and the higher the probability is the benign domain. Usually, in the positive solution of the domain name of the benign domain name, all the IP addresses will be returned to the domain name Client at the same time point (the timestamp is taken to the sixth decimal place), and the botnet domain name And the APT domain name is not because the normal benign domain name generally uses the content delivery network (CDN) architecture to ensure the normal provision of services. Therefore, the number of IP addresses returned by the same point in time can be used as a benign domain name and a malicious domain name. Inferred basis.

Corresponding to the system for detecting a suspicious domain name according to the semi-passive domain name server of the present invention, the method for detecting a suspicious domain name according to the semi-passive domain name server of the present invention is as follows: 1. Passing half of the passive domain name servo The device detection module inputs a domain list; 2. The semi-passive domain name server detection module includes an active sensing sub-module that automatically triggers a domain name server mechanism to query the domain list. The domain name of interest; 3. The passive sensor module included in the semi-passive domain name server detection module monitors the domain name server cache packet in the domain list, and parses out The domain name server packet sent by the client; 4. The semi-passive domain name server detection module generates a semi-passive domain name server record by processing the domain list through the active sensing sub-module and the passive sensing sub-module; 5. The receiving module includes a receiving sub-module that receives the semi-passive domain name server record; 6. a feature vector sub-module included in the feature capturing module, the semi-passive domain name server Recording a domain feature algorithm operation for calculating the overall suspicious degree of the domain to generate a feature vector; 7. using a feature training sub-module included in the feature capture module, generated by the feature vector sub-module The feature vector is machine trained to generate or refine a domain classification rule; 8. receiving a feature vector through a vector receiving submodule included in a suspicious domain name determining module; and 9. the suspicious domain name determining module includes a vector classification sub-module, wherein the feature vector recorded by the semi-passive domain name server is judged by the domain classification rule generated by the feature training sub-module to determine whether the domain name is suspicious

In summary, the system and method for detecting a suspicious domain name according to the semi-passive domain name server of the present invention is an effective suspicious domain name detecting method capable of performing machine training by analyzing the domain characteristics of the novel state.

A‧‧‧ computer

B‧‧‧ computer

C‧‧‧ computer

D‧‧‧ computer

E‧‧‧ computer

F‧‧‧ computer

G‧‧‧ computer

H‧‧‧ computer

S‧‧‧Global DNS Server

1‧‧‧ Attacker

11‧‧‧ Relay Station

12‧‧‧ Relay Station

13‧‧‧Relay station

2‧‧‧ Attackers

21‧‧‧ Relay Station

22‧‧‧Relay station

23‧‧‧ Relay Station

30‧‧‧Normal server

4‧‧‧DNS server

40‧‧‧Intranet

5‧‧‧Semi-passive domain name server detection module

50‧‧‧Active Sensor Module

501‧‧‧A list of known domains

502‧‧‧Unknown domain list

51‧‧‧ Passive sensing submodule

510‧‧‧DNS cache

6‧‧‧Feature capture module

60‧‧‧Feature Vector Sub-module

61‧‧‧Characteristic training sub-module

610‧‧‧ Domain Classification Rules

7‧‧‧suspicious domain name determination module

70‧‧‧Vector Receiver Module

71‧‧‧Vector Classification Submodule

710‧‧‧Unknown domain suspiciousness

S201~S210‧‧‧Step procedure

FIG. 1 is a schematic diagram of an application scenario of a system for detecting a suspicious domain name according to a semi-passive domain name server according to the present invention.

2 is a semi-passive domain name server for detecting a suspicious domain according to the present invention Flow chart of the steps of the method.

FIG. 3 is a first schematic diagram of a data collection architecture of a system for detecting a suspicious domain name by a semi-passive domain name server according to the present invention.

4 is a second schematic diagram of a data collection architecture of a system for detecting a suspicious domain name by a semi-passive domain name server according to the present invention.

FIG. 5 is a schematic diagram of a system architecture of a system for detecting a suspicious domain name by a semi-passive domain name server according to the present invention.

6 is a schematic diagram showing an example of a record of a semi-passive domain name server detecting a suspicious domain name according to the present invention.

FIG. 7 is a first schematic diagram of an example of risk assessment for detecting a suspicious domain name by a semi-passive domain name server according to the present invention.

FIG. 8 is a second schematic diagram of an example of risk assessment of a semi-passive domain name server for detecting a suspicious domain name according to the present invention.

FIG. 9 is a third schematic diagram of an example of risk assessment of a semi-passive domain name server for detecting a suspicious domain name according to the present invention.

FIG. 10 is a first schematic diagram showing an exemplary implementation result of a semi-passive domain name server detecting a suspicious domain name system according to the present invention.

FIG. 11 is a second schematic diagram showing an exemplary implementation result of the semi-passive domain name server detecting a suspicious domain name system according to the present invention.

FIG. 12 is a schematic diagram showing an example of feature ranking in a domain feature algorithm of the present invention.

The present invention will be further described in the following with reference to the embodiments. First, please refer to FIG. 1 , which is a schematic diagram of an application scenario of a system for detecting a suspicious domain name according to a semi-passive domain name server according to the present invention. After constructing Command and Control (C&C), you can further import the user host's connection into C&C by controlling the DNS server 4 or by embedding the malicious program into the victim host and making it a zombie (Bots). Or, if the user accidentally touches C&C, the attacker can use this to conduct malicious behavior. The present invention is a system for analyzing whether some domains are malicious. In FIG. 1, the attacker 1 can use the malicious program to target the enterprise. Computer A and computer B and computer C in the internal network become zombie computers, and malicious programs in computer A and computer B and computer C are connected to relay station 11, relay station 12, and relay station 13, and computer C is also connected to the normal servo. In addition, the attacker 2 can use a malicious program to turn the computer D and the computer E and the computer H in the target enterprise internal network into a zombie computer, and the computer D is also connected to the normal server 30; wherein the computer C and the computer D It will connect to the relay station and connect to the normal website. In addition, the normal server 30 is connected to the computer C, computer D, computer F and computer G which execute the normal application, and the computer and the relay station belong to their respective domains. Through the system and method of the present invention, a list of known or unknown suspicious domains that may be connected to a computer in the intranet 40 of the enterprise is input for continuous machine learning to construct a classification method, and finally find out possible Malicious domain.

2 is a flow chart of a method for detecting a suspicious domain name according to a semi-passive domain name server according to the present invention. Step S201 is to collect a domain list that is known to belong to White or Botnet or APT as a training sample, and step S202 is The collected sample is input into the semi-passive domain name server detection module to generate a semi-passive domain name server record (log record), and in step S203, the feature vector of the known domain is generated through the feature extraction module, and the feature is After receiving the semi-passive domain name record of the training sample, the module will sample the feature vector of the domain through the twenty-seven domain features of the domain feature algorithm, and then step S204 is to train the sample. Feature vector for machine learning Step S205 includes a domain classification rule of a White domain, a Botnet domain, and an APT domain. The domain classification rule is used by the suspect domain name determination module.

Step S206 is to input the unknown domain data of interest, and step S207 is to generate a semi-passive domain name server record (log record) of the unknown domain through the semi-passive domain name server detection module, and then go through step S208. The semi-passive domain name server record of the unknown domain is input into the feature extraction module to generate a corresponding feature vector, and then step S209 is to send the feature vector of the unknown domain to the suspicious domain name determination mode with the domain classification rule. In the group, the three similarity vectors of the domain name to the benign domain name, the Botnet domain name and the APT domain name are respectively calculated, and finally the step S210 can learn the suspicious degree of the unknown domain domain according to the value of the vector.

3 is a first schematic diagram of a data collection architecture of a system for detecting a suspicious domain name by a semi-passive domain name server according to the present invention, wherein the semi-passive domain name server (SPDNS) detection and passive domain name proposed by the present invention are provided. The architecture of the server (PDNS) detection is very similar. The biggest difference is that the semi-passive domain name server of the present invention detects the active sensing sub-module 50 for active detection and the passive sensing sub-module 51 for monitoring. Different from the previous passive domain name server detection, the purpose of the active sensing sub-module 50 is to automatically trigger the DNS mechanism and query the domain name of interest, and the packet generated in the process is the network of interest. Domain information; the passive sensing sub-module 51 in the architecture is different from the traditional passive domain name server sensor, which not only can listen to the packet of the DNS cache 510, but also can send the DNS packet sent by the DNS client. After the analysis, the entire semi-passive domain detection architecture is completed by setting the IP address of the global DNS server S.

By the above active sensing submodule 50 and passive sensing submodule As can be seen from the introduction of group 51, the data collection architecture of the present invention can simultaneously interact with the DNS server S from the DNS cache 510 (passive pipeline) and the interaction between the active sensor module 50 and the DNS server S (active pipeline) Obtain the resource record (RR) of the domain name. This configuration can reduce the DNS log capture threshold and improve the diversity of the domain information in the log. Semi-passive domain detection will utilize semi-passive domain detection for a period of time. The measurement mechanism continuously queries the DNS server for the domain name, thereby leaving the resource record (RR) information corresponding to the domain name itself in the passive sensing sub-module 51 to generate a semi-passive domain name server record (Log record), and then The semi-passive domain name server record is sent for feature extraction.

4 is a second schematic diagram of a data collection architecture of a system for detecting a suspicious domain name by a semi-passive domain name server according to the present invention, wherein an unknown domain list 502 is input into a semi-passive domain name server detection module 5 The global DNS server S connected to it is connected to output a semi-passive domain name server record 511 corresponding to the unknown domain list, so that the subsequent feature vector can be calculated and classified.

The system architecture diagram of the system for detecting a suspicious domain name by the semi-passive domain name server of the present invention is shown in FIG. 5. The overall semi-passive domain name server detection system can be divided into two parts, and the semi-passive domain name servo is used. The detection module 5 is composed of a feature capture module 6 and a suspect domain name determination module 7. The semi-passive domain name server detection module 5 includes an active induction module 50 and a passive induction module. The group 51 is mainly obtained by the passive sensing module 51 in the process of interacting with the DNS server by the active sensing module 50 and the process of the DNS cache 510 and the DNS server, and the semi-passive domain name server record is acquired. The feature vector sub-module 60 in the capture module 6 receives the semi-passive domain name server record to perform the domain through the domain feature algorithm. The feature vector operation is performed by the feature training sub-module 61 to perform machine training to generate or refine the domain classification rule 610.

After the known domain list 501 is input into the semi-passive domain name server detection module 5, the semi-passive domain name server corresponding to the known domain is recorded and the feature extraction module 6 is input. Training is done with the refined domain classification rule 610.

If the unknown domain list 502 is input to the semi-passive domain name server detection module 5, the semi-passive domain name server record corresponding to the unknown domain is obtained, and the feature extraction module 6 is input. The feature vector sub-module 60 performs the feature vector operation of the domain by the domain feature algorithm, and inputs the calculated domain vector data into the suspicious domain name determining module 7, and the vector receiving submodule in the suspicious domain name determining module 7. The group 70 receives the vector data and performs classification calculation by the vector classification sub-module 71 by the domain classification rule 610 to generate the information of the suspicious degree 710 of the unknown network, and the feature vector of the unknown domain is also used for training. Refined Domain Classification Rule 610.

FIG. 6 is a schematic diagram of a record of detecting a suspicious domain name by a semi-passive domain name server according to the present invention, which is a collection of a known domain list 501 for training, and a semi-passive domain name server detection module 5; The resulting output, in which the known domain list 501 contains a list of a number of domains known to belong to White or Botnet or APT, the samples of this embodiment are selected as follows:

1.White domain name: An example of the embodiment of the present invention is selected from Alexa's top 11,000 domain name, and in the range of Alexa's top 90000~100000, 100000~30000 and 300000~500000, a plurality of 1000 domain names are randomly selected. 14,000 training samples.

2. Botnet domain name: Consider the diversity and immediacy of malicious samples, Embodiments of the present invention extract about 10,000 domain names as malicious samples from the malicious domain names published by the Internet blacklist DNSBH from January 1, 2016 to March 14, 2016.

3. APT Domain Name: Embodiment of the Invention The security company Kasper selects 340 still active domain names from the list of APT events published on the Internet as a training sample for the APT.

The semi-passive domain name server record of each domain name is collected by the known domain list 501 via the semi-passive domain name server detection module 5, wherein the semi-passive domain name server detection module The active sensing sub-module 50 of 5 controls the DNS cache 510 to automatically trigger the DNS mechanism and query the input domain name to obtain the domain information of interest, and the passive sensing sub-module 51 is responsible for monitoring and parsing the DNS packet to generate semi-passive. The domain name server records, and the result is shown in the schematic diagram of the record in FIG. 6.

The collected semi-passive domain name server records are sent to the feature extraction module 6 for feature extraction, and are calculated by the domain feature algorithm to generate twenty-seven feature vectors for each sample, and The processed feature vector is used for machine learning to establish a domain classification rule. The twenty-seven feature vectors in this embodiment can be referred to FIG. 12, wherein the identifier is the four new domains proposed by the present invention. The feature is because, in order to verify the effectiveness of the novel domain features, the present invention performs two different experiments and performs feature ranking, wherein in the first experiment, only the twenty-three used in the prior art are used. Characteristic, it is found that the classification accuracy of the classifier for APT, Botnet and White at this time is only 89.9208%; and in the second experiment process (that is, the embodiment of the present invention), the existing twenty-three features are used. And the accuracy of the four new features, the accuracy rate is increased to 97.6398%; then, by the Gain Ratio feature evaluation method to sort each For the degree of utility of the feature, please refer to FIG. 12 for ranking. After ranking, it can be found that among all the features, the DNS server IP Abuse for the domain name server proposed by the present invention is for the high execution time (Meta). Attribute Process Time) and features such as Meta Attribute Compression are more effective than existing domain features, while feature efficiency for Very Large TTL is average. Both the experiment and the feature ranking confirmed that the four novel features proposed by the present invention are quite effective in increasing the classification accuracy.

After the unknown domain list 502 is input into the semi-passive domain name server detection module 5, the semi-passive domain name server record corresponding to the unknown domain domain can be obtained, and the input feature extraction module 6 performs the domain domain. The feature vector operation is performed by the suspicious domain name determining module 7 to output three probability values to indicate the suspicious degree of the domain name, so that the information of the suspicious degree 710 of the unknown network can be determined, wherein the three probability values are respectively The similarity between the unknown domain name and White, Botnet, and APT domains is shown. The results are shown in Figure 7, Figure 8, and Figure 9, respectively. Then, the three network domain names obtained in Figure 7, 8, and 9 are respectively input into the prior art. After the passive domain name detection system outputs the result, and the output is verified on the VirusTotal website, the latter two verification results are shown in Figures 10 and 11, and the network determined to be Botnet and APT by the present invention can be found. The domain is indeed a malicious domain.

Through the description and verification of the above embodiments, it should be understood that the system and method for detecting a suspicious domain name according to the semi-passive domain name server of the present invention is an extremely effective technique for detecting suspicious domain names.

In summary, the present invention is innovative in terms of technical ideas, and also has various functions that are not in the prior art, and has fully complied with the statutory invention patent requirements of novelty and progressiveness, and has filed a patent application according to law, and is requested to approve it. This invention patent application is to invent invention, to the sense of virtue.

Claims (12)

 A system for detecting a suspicious domain name according to a semi-passive domain name server, comprising: a passive domain name server detection module, which is input with a list of domains with high degree of interest; wherein the semi-passive network The domain name server detection module includes an active sensing submodule, and the active sensing submodule is configured to automatically trigger a domain name server mechanism to query a domain name of interest in the domain list; wherein The semi-passive domain name server detection module includes a passive sensing sub-module for monitoring the domain name server cache packet in the domain list and parsing out the client The domain name server packet sent by the terminal; wherein, after the active sensing submodule and the passive sensing submodule process the domain list, the semi-passive domain name server detecting module generates half according to the result Passive domain name server record; a feature capture module for parsing the domain name server record for machine learning; wherein the feature capture module includes a receiving submodule for receiving the half The semi-passive domain name server record generated by the domain name server detection module; wherein the feature capture module includes a feature vector sub-module, and the semi-passive domain name server record is recorded through the computing network A domain feature algorithm operation of the overall suspicious degree of the domain to generate a feature vector; wherein the feature capture module includes a feature training sub-module, and the feature vector generated by the feature vector sub-module is used for machine training And generating or refining a domain classification rule; and a suspicious domain name determining module, determining whether the domain name is suspicious through the machine learning result of the feature capturing module; wherein the suspicious domain name determining module includes a vector Receiving a sub-module to receive the feature vector generated by the feature capture module; wherein the suspect domain name determination module includes a vector classification sub-module to transmit the domain classification rule generated by the feature training sub-module And determining, by the semi-passive domain name server in the domain list, the feature vector to determine whether the domain name is suspicious.    For example, the system according to the semi-passive domain name server for detecting a suspicious domain name, wherein the domain list is a multi-domain list that may include a White, Botnet or APT domain.    A system for detecting a suspicious domain name according to a semi-passive domain name server, wherein the domain feature algorithm includes IP fraud for a domain name server (DNS Server IP Abuse). The algorithm for performing domain detection is used to detect a suspected malicious domain in which the visible state is normal and the IP address of the domain name server is fraudulently used.    A system for detecting a suspicious domain name according to a semi-passive domain name server, wherein the domain feature algorithm includes a high TTL value for domain detection. Algorithms, domain names with higher TTL values have a higher probability of being a benign domain.    For example, a system according to a semi-passive domain name server for detecting a suspicious domain name, wherein the domain feature algorithm includes a Meta Attribute Process Time for domain detection. The algorithm, which takes a longer time to perform a domain name with a higher execution time, is a benign domain.    For example, a system according to a semi-passive domain name server for detecting a suspicious domain name, wherein the domain feature algorithm includes a Meta Attribute Compression for domain detection. The algorithm, the positive solution results in the number of IP addresses returned at the same time point has a higher probability of being a benign domain.    A method for detecting a suspicious domain name according to a semi-passive domain name server, the method comprising: inputting a domain list through a passive domain name server detection module; the semi-passive domain name server detecting mode The active sensing sub-module included in the group automatically queries the domain name server to query the domain name of interest in the domain list; the semi-passive domain name server detection module includes a passive The sensing sub-module monitors the domain name server cache packet in the domain list, and parses out the domain name server packet sent by the client; the semi-passive domain name server detection module will The domain list generates half of the passive domain name server record by the active sensing sub-module and the passive sensing sub-module processing result; receiving the semi-passive network through a receiving sub-module included in a feature capturing module Domain name server record; through a feature vector sub-module included in the feature capture module, the semi-passive domain name server records a domain feature of the overall suspicious degree of the calculated domain a method for generating a feature vector; and a feature training sub-module included in the feature capture module, and performing machine training on the feature vector generated by the feature vector sub-module to generate or refine a domain classification rule Receiving the feature vector through a vector receiving sub-module included in a suspicious domain name determining module; and using the vector classification sub-module included in the suspect domain name determining module to record the feature of the semi-passive domain name server The vector is judged by the domain classification rule generated by the feature training sub-module to determine whether the domain name is suspicious.    For example, a method for detecting a suspicious domain name according to a semi-passive domain name server, which is a multi-domain list that may include a White, Botnet or APT domain.    For example, a method for detecting a suspicious domain name according to a semi-passive domain name server, wherein the domain feature algorithm includes IP fraud for a domain name server (DNS Server IP Abuse). The algorithm for performing domain detection is used to detect a suspected malicious domain in which the visible state is normal and the IP address of the domain name server is fraudulently used.    For example, the method for detecting a suspicious domain name according to the semi-passive domain name server of the seven patent application scopes, wherein the domain feature algorithm includes a high TTL value for domain detection. Algorithms, domain names with higher TTL values have a higher probability of being a benign domain.    For example, a method for detecting a suspicious domain name according to a semi-passive domain name server, wherein the domain feature algorithm includes a Meta Attribute Process Time for domain detection. The algorithm, which takes a longer time to perform a domain name with a higher execution time, is a benign domain.    For example, according to the method of detecting a suspicious domain name according to a semi-passive domain name server, the domain feature algorithm includes a Meta Attribute Compression for domain detection. The algorithm, the positive solution results in the number of IP addresses returned at the same time point has a higher probability of being a benign domain.