WO2011150579A1 - Method and device for detecting domain name system (dns) anomaly - Google Patents


Info

Publication number
WO2011150579A1
Authority
WO
WIPO (PCT)
Prior art keywords
query
data block
domain name
dns
name system
Application number
PCT/CN2010/074577
Other languages
French (fr)
Chinese (zh)
Inventor
毛伟
李晓东
丁森林
王欣
吴军
金键
Original Assignee
中国科学院计算机网络信息中心 (Computer Network Information Center, Chinese Academy of Sciences)

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00  Network arrangements, protocols or services for addressing or naming
    • H04L 61/45  Network directories; Name-to-address mapping
    • H04L 61/4505  Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511  Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]


Abstract

The present invention provides a method and device for detecting Domain Name System (DNS) anomalies, belonging to the technical field of computer networks. The method includes: dividing a DNS query data stream into multiple data blocks; calculating the entropy values of those data blocks according to a preset query attribute, to obtain a corresponding set of entropy values; judging whether a preset number of the obtained entropy values exceed a preset threshold; and, if so, determining that a DNS anomaly has occurred. The device includes a dividing module, a calculating module and a judging module. By calculating the entropy values of multiple data blocks in the DNS query data stream, the invention determines that a DNS anomaly has occurred when a preset number of the obtained entropy values exceed the preset threshold. The invention can serve as an early warning of DNS anomalies, thereby reducing the loss after a DNS anomaly occurs, and compared with the prior art it achieves high detection precision and a low missed-detection rate.

Description

Method and apparatus for detecting domain name system anomalies

Technical field
The present invention relates to computer network security technology, and in particular to a method and apparatus for detecting domain name system anomalies; it belongs to the technical field of computer networks.

Background
The Domain Name System (DNS) is a distributed database system used to translate domain names into IP addresses that the network can recognize. Because DNS is the foundation of the Internet, a DNS anomaly has a serious impact on the entire network, so detecting DNS anomalies is very important.
Existing methods for detecting DNS anomalies mainly determine whether DNS is anomalous from changes in query traffic or from changes in the values of query attributes. Determining whether DNS is anomalous from changes in query traffic means that DNS is regarded as anomalous when the query traffic is unusually high or unusually low.
In implementing the present invention, the inventors found that the prior art has at least the following problems: the scheme that determines DNS anomalies from changes in query traffic lags behind the event; by the time an anomaly is detected, the query traffic has usually already accumulated to a certain level and has already caused fairly serious consequences, so the scheme cannot serve as an early warning. Moreover, an anomaly does not necessarily affect DNS query traffic at all, so determining DNS anomalies from changes in query traffic has a high missed-detection rate.

Summary of the invention
The present invention provides a method and apparatus for detecting DNS anomalies, to solve the problems of the prior art that DNS anomaly detection lags and has a high missed-detection rate.
The method for detecting DNS anomalies provided by the present invention includes: dividing a domain name system query data stream into a plurality of data blocks;
calculating entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values;
judging whether a preset number of the obtained entropy values exceed a preset threshold, and if so, determining that an anomaly has occurred in the domain name system.
The apparatus for detecting DNS anomalies provided by the present invention includes:
a dividing module, configured to divide the domain name system query data stream into a plurality of data blocks; a calculating module, configured to calculate entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values;
a judging module, configured to judge whether a preset number of the obtained entropy values exceed a preset threshold, and if so, to output information indicating that an anomaly has occurred in the domain name system.
By calculating the entropy values of multiple data blocks in the DNS query data stream, the present invention determines that a DNS anomaly has occurred when a preset number of the corresponding entropy values exceed a preset threshold. The present invention can serve as an early warning of DNS anomalies, thereby reducing the loss after a DNS anomaly occurs, with a low missed-detection rate.

Brief description of the drawings
In order to describe the technical solutions of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
Figure 1 is a schematic flowchart of an embodiment of the method for detecting DNS anomalies according to the present invention;
Figure 2 is a schematic diagram of dividing data blocks according to a specified time;
Figure 3 is the entropy curve obtained with a window size of 10000;
Figure 4 is the DNS query rate curve;
Figure 5 is a schematic structural diagram of an embodiment of the apparatus for detecting DNS anomalies according to the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The present invention applies the theory of entropy to DNS anomaly detection for the first time, so entropy is introduced first. In information theory, entropy is defined as follows: suppose a system S contains a set of events $E = \{E_1, E_2, \ldots, E_n\}$, where $E_1, E_2, \ldots, E_n$ are the events in the event set E, with probability distribution $P = \{P_1, P_2, \ldots, P_n\}$, where $P_1, P_2, \ldots, P_n$ are the probabilities with which the events occur. The information content $I_r$ of each event $E_r$ can be calculated by formula (1):

$I_r = -\log_2 P_r$ (1)

where $r = 1, 2, \ldots, n$.
For example, English has 26 letters; if each letter appears in a text with equal frequency, the information content of each letter is $I = -\log_2(1/26) = 4.7$.
Chinese has about 2500 commonly used characters; if each character appears in a text with equal frequency, the information content of each character is $I = -\log_2(1/2500) = 11.3$.
Entropy is the average information content of the whole system S. Let the entropy be $H$; then the entropy is calculated as shown in formula (2):

[Formula (2): image not reproduced in this extraction]
In the field of information transmission, entropy expresses the uncertainty of information. A system with a high degree of information has a low entropy value, indicating that it is relatively stable; a system with a low degree of information has a high entropy value, indicating that it is unstable and prone to anomalies. Therefore the entropy value can be used to detect whether a DNS anomaly has occurred.
Embodiment 1
Figure 1 is a schematic flowchart of an embodiment of the method for detecting DNS anomalies according to the present invention. As shown in Figure 1, the method includes:
Step 101: divide the DNS query data stream into a plurality of data blocks;
It should be noted that the larger the data blocks, that is, the more query data each block contains, the smoother the change in the block's entropy value; this effectively reduces false detections, but at the same time lowers the sensitivity to anomalous traffic, so the missed-detection rate rises. Conversely, the smaller the data blocks, that is, the less query data each block contains, the higher the sensitivity to DNS anomalies, but the accuracy decreases accordingly.
In practice, the DNS query data stream can be divided into data blocks by a specified time and/or by a specified query count. For example, the query data of each minute of the DNS query data stream may form one data block, or every 1000 query records of the stream may form one data block. The stream may also be divided by specified time and specified query count together: for example, a block is formed when the specified time is reached even though the specified query count has not been, or when the specified query count is reached even though the specified time has not been. Division may also follow a function of the time of day: between 8:30 and 12:00 in the morning the data blocks may cover shorter periods, e.g., one data block every 20-30 seconds, while between 12:00 noon and 1:00 pm the data blocks may cover longer periods, e.g., one data block every 2-3 minutes. This division can be adjusted by technicians according to the actual situation, or the data blocks can be divided according to experience and the volume of query data.
Step 102: calculate the entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values;
The preset query attribute includes the query type, the type of error appearing in the query, the query source IP appearing in the query, or the occurrence of the queried domain name, but is not limited to these; any query attribute that is divided into categories of some kind may be used.
The above query types include at least: the IP address record corresponding to a domain name (Address, A), the address record of an IPv6 host (AAAA), the reverse record (Pointer, PTR), the mail exchanger record (MX), the name server record (NS), and the start of authority record (SOA).
The type of error appearing in the query means that the DNS query request sent contains an invalid field. The main error types include: the query source address is a private address, the query type does not exist, the queried top-level domain does not exist, the queried name contains invalid characters, the queried name is malformed, the query is a duplicate, or the query belongs to the normal class. A normal query is a query with no error; when the preset query attribute is the error type, queries with no error are placed in the normal query class, so that every query record can be assigned to a specific class.
Calculating the entropy values of the plurality of data blocks according to the preset query attribute specifically comprises:
calculating the probability that each element of the preset query attribute appears in each data block;
calculating the entropy value of each data block according to the probability that each element of the preset query attribute appears in that data block.
The divided data blocks may overlap one another. For example, Figure 2 is a schematic diagram of dividing data blocks according to a specified time: as shown in Figure 2, the queries between 8:00 and 8:10 form one data block, the queries between 8:03 and 8:13 form one data block, and so on, i.e., one data block is formed every 10 minutes and adjacent data blocks overlap by 3 minutes, so that the query data stream is divided into multiple overlapping data blocks. This embodiment is described in detail taking the case where each divided data block includes a specified query count as an example.
Suppose each data block includes a specified query count of 10 query records, the current data block is the $i$-th data block, the previous data block adjacent to the current block is the $(i-1)$-th data block, and the next data block adjacent to the current block is the $(i+1)$-th data block. If the $(i-1)$-th data block includes query records 1 to 10, then the $i$-th data block includes query records 2 to 11 and the $(i+1)$-th data block includes query records 3 to 12. The overlap between the $(i-1)$-th and $i$-th data blocks is query records 2 to 10, and the overlap between the $i$-th and $(i+1)$-th data blocks is query records 3 to 11.
When the divided data blocks overlap one another, calculating the entropy values of the data blocks according to the preset query attribute may include: calculating the entropy value $H_1$ of the previous data block adjacent to the current data block;
calculating the entropy value $H_2$ of the current data block from the entropy value $H_1$ of the previous data block adjacent to the current data block.
Calculating the entropy value $H_2$ of the current data block from the entropy value $H_1$ of the previous adjacent data block specifically comprises:
calculating the weighted information contents $T_1$ and $T_2$, in the $(i-1)$-th data block, of a first specified query set and a second specified query set respectively; the first specified query set is the queries in the non-overlapping part that precedes the overlap between the $i$-th and $(i-1)$-th data blocks, and the second specified query set is the queries in the non-overlapping part that follows the overlap between the $i$-th and $(i+1)$-th data blocks;
Continuing the above example, the first specified query set is query record 1 and the second specified query set is query record 12.
The probability that the query type of query record 1 appears in the $(i-1)$-th data block is $P_1$, so $T_1 = -P_1 \log_2 P_1$; the probability that the query type of query record 12 appears in the $(i-1)$-th data block is $P_2$, so $T_2 = -P_2 \log_2 P_2$.
calculating the weighted information contents $T_1'$ and $T_2'$, in the $i$-th data block, of the second specified query set and a third specified query set respectively; the third specified query set is the queries in the non-overlapping part that precedes the overlap between the $i$-th and $(i+1)$-th data blocks;
Continuing the above example, the probability that the query type of query record 12 appears in the $i$-th data block is $P_1'$, so $T_1' = -P_1' \log_2 P_1'$;
the third specified query set is query record 2, and the probability that the query type of query record 2 appears in the $i$-th data block is $P_2'$, so $T_2' = -P_2' \log_2 P_2'$. From the entropy value $H_1$ of the $(i-1)$-th data block and $T_1$, $T_2$, $T_1'$ and $T_2'$, the entropy value $H_2$ of the $i$-th data block is calculated as $H_2 = H_1 - T_1 - T_2 + T_1' + T_2'$. When $i = 2$, that is, when the previous data block adjacent to the current one is the first divided data block, the probability that each element of the preset query attribute appears in the first data block is calculated, and the entropy value $H_1$ of the first data block is calculated from those probabilities.
For example, if the preset query attribute is the query type, the elements of the query type are the specific query types such as A, AAAA, PTR, MX, NS and SOA described above, and each query record can belong to only one query type. The probability that the query type of each query record in the data block appears in that data block can be calculated, and the entropy value of the data block is then calculated from the probability of each record's query type, using the formula

[Formula (3): image not reproduced in this extraction]
In formula (3), $H_k$ is the entropy value of a data block, $j$ denotes the $j$-th query record in the data block, $n$ is the number of query records in the data block, and $P_j$ is the probability that the query type of the $j$-th query record appears in that data block;
When the preset query attribute is the query source IP, the elements of the query source IP are the IP addresses of the individual query records. Since every query record in a data block can come from only one IP address, the probability that the IP address of each query record appears in the data block can be calculated, and the entropy value of the block is then calculated from those probabilities.
It should be noted that the preset query attribute may also include two or more attributes at the same time. For example, when the preset query attribute includes both the query type and the query source IP, the entropy value of each data block can be calculated separately according to each of the two attributes; the two entropy values obtained from the query type and the query source IP are then added with weights, and the weighted sum is taken as the final entropy value of the data block.
Step 103: judge whether a preset number of the obtained entropy values exceed a preset threshold, and if so, determine that a DNS anomaly has occurred. If the preset number is set to 5, then a DNS anomaly is determined when 5 of the entropy values obtained in step 102 all exceed the preset threshold. The preset number can also be set to 1, 2 or any other number. The preset number affects the precision of the detection result: the larger the preset number, the higher the detection precision, but the missed-detection rate also rises; the smaller the preset number, the lower the detection precision, and the missed-detection rate also falls. The choice of the preset number must be determined according to actual network conditions and experience.
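Steps 101 to 103 above, together with the overlapping block division of Figure 2 and the weighted combination of two query attributes, as an added example in Python; this is not the patent's own code. It assumes the standard Shannon entropy $H = -\sum_t P_t \log_2 P_t$ over the elements of the chosen attribute (formulas (2) and (3) are not reproduced above) and runs on a constructed query log whose second half spreads queries evenly across all six listed types and 250 sources, so its entropy rises above the threshold.

```python
"""Entropy-based DNS anomaly detection in the style of WO2011150579A1.

Added example, not the patent's code. Assumes Shannon entropy over the
elements of the preset query attribute and a constructed query log.
"""
from collections import Counter
import math

# Query record fields used below: (source_ip, qtype). Constructed data only.
SRC_IP, QTYPE = 0, 1
QTYPES = ["A", "AAAA", "PTR", "MX", "NS", "SOA"]  # the query types the patent lists


def shannon_entropy(values):
    """Entropy of one attribute over a block: H = -sum_t P_t log2 P_t,
    where P_t is the share of records whose attribute equals element t."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def split_blocks(records, block_size, step=None):
    """Step 101: divide the stream into blocks of block_size records.
    step == block_size (default) gives disjoint blocks; a smaller step gives
    overlapping blocks like the 10-minute window layout of Figure 2."""
    step = step or block_size
    if block_size <= 0 or step <= 0:
        raise ValueError("block_size and step must be positive")
    return [records[i:i + block_size]
            for i in range(0, len(records) - block_size + 1, step)]


def block_entropy(block, attributes=(QTYPE,), weights=None):
    """Step 102 for one block: entropy per preset query attribute; when more
    than one attribute is preset, the per-attribute entropies are combined
    by a weighted sum (equal weights unless given), as the description allows."""
    weights = weights or [1.0 / len(attributes)] * len(attributes)
    return sum(w * shannon_entropy([r[a] for r in block])
               for a, w in zip(attributes, weights))


def block_entropies(blocks, attributes=(QTYPE,), weights=None):
    """Step 102 for the whole stream: one entropy value per block."""
    return [block_entropy(b, attributes, weights) for b in blocks]


def detect_anomaly(entropies, threshold, preset_count):
    """Step 103: DNS anomaly if at least preset_count entropy values exceed
    the preset threshold. Returns (flag, indexes of the exceeding blocks)."""
    exceeded = [i for i, h in enumerate(entropies) if h > threshold]
    return len(exceeded) >= preset_count, exceeded


def make_sample_stream():
    """Constructed log: 3000 quiet queries (20 resolvers, 90% A / 10% AAAA),
    then 3000 queries spread evenly over all six types from 250 sources,
    which is the high-entropy pattern the method is meant to flag."""
    quiet = [("192.0.2.%d" % (i % 20), "AAAA" if i % 10 == 0 else "A")
             for i in range(3000)]
    noisy = [("203.0.113.%d" % (i % 250), QTYPES[i % 6]) for i in range(3000)]
    return quiet + noisy


def run_demo(block_size=500, step=None, threshold=1.5, preset_count=5):
    """Whole pipeline on the constructed stream; returns the decision tuple."""
    blocks = split_blocks(make_sample_stream(), block_size, step)
    return detect_anomaly(block_entropies(blocks), threshold, preset_count)


if __name__ == "__main__":
    for i, h in enumerate(block_entropies(split_blocks(make_sample_stream(), 500))):
        print(f"block {i:2d}: H(qtype) = {h:.3f}")
    flagged, idx = run_demo()
    print("anomaly" if flagged else "normal", idx)
```

The threshold and preset count are the operator-chosen parameters the description discusses; on real traffic they would be set from a baseline of quiet blocks rather than the constants used here.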
In this embodiment the DNS query data may be historical DNS query data or real-time DNS query data. If it is historical DNS query data, the method provided by this embodiment can be used to analyze DNS usage, and the results can be used for DNS optimization. This embodiment is more often applied in real-time detection scenarios, that is, the DNS query data is real-time DNS query data, used to discover DNS anomalies promptly and avoid serious loss to DNS.
To better illustrate the effect of the present invention, the large-scale Internet outage that occurred in China on 19 May 2009 is taken as an example. The cause of the outage was an attack on the DNS system. Query records collected between 9:00 and 24:00 on 19 May 2009 from a DNS authoritative server of a top-level node in China (CN) were analyzed as follows: the query records between 9:00 and 24:00 on 19 May 2009 were divided into multiple data blocks of size 10000, i.e., each data block includes 10000 query records; the entropy value of each data block was calculated and the resulting entropy values were plotted as an entropy curve. Figure 3 is the entropy curve obtained with a data block size of 10000, and Figure 4 is the DNS query rate curve, where the query rate is the number of queries per minute. As can be seen from Figure 3, the entropy curve already fluctuated sharply around 16:00, i.e., multiple entropy values exceeded the preset threshold, indicating that a large volume of anomalous DNS traffic had begun entering the network at that time, i.e., a DNS anomaly had already occurred; whereas in the query rate curve of Figure 4 the query traffic only showed a significant anomaly around 18:30, by which time the large-scale outage had already begun. It is therefore evident that the prior-art detection scheme based on query traffic lags and has a high missed-detection rate, whereas the method for detecting DNS anomalies provided by the present invention can detect anomalies in DNS promptly and in advance, serving as an early warning.
The present invention divides the DNS query data stream into multiple data blocks, calculates the entropy values of the data blocks according to a preset query attribute to obtain corresponding entropy values, and determines that a DNS anomaly has occurred when a preset number of those entropy values exceed a preset threshold. Since the entropy value is a measure of the random distribution of a query attribute of the DNS query data, when a DNS anomaly occurs, for example when DNS is under attack, the random distribution of the query attribute changes, and the entropy value changes with it. From the change in entropy it can be known that a DNS anomaly has occurred. With the prior-art traffic-based detection method, by contrast, when a DNS anomaly occurs but its manifestation is not yet obvious, the DNS query traffic does not change noticeably, so the anomaly cannot be detected; only when the DNS anomaly becomes very serious, for example a large-scale network paralysis that leaves many users unable to use the network, can the prior-art traffic-based method detect the anomalous DNS traffic and thus the DNS anomaly, which is a clear lag. The present invention can detect a DNS anomaly before a serious situation such as a large-scale network failure occurs, providing early warning of DNS anomalies so that users can prepare before the anomaly becomes severe; it avoids the loss that a serious DNS anomaly brings to users, lowers the missed-detection rate, and improves the user experience. Moreover, because DNS is an extremely complex system, the prior art that determines DNS anomalies from changes in query attribute values does not consider the complex internal state changes of the DNS system, so its detection precision is not high; in a further embodiment of the present invention, when the divided data blocks overlap one another, the obtained entropy values also reflect the changes in the internal state of the DNS system, so that the detection precision is greatly improved.

Embodiment 2
Figure 5 is a schematic diagram of an embodiment of the apparatus for detecting DNS anomalies according to the present invention. As shown in Figure 5, the apparatus includes: a dividing module 201, a calculating module 202 and a judging module 203;
The dividing module 201 is configured to divide the DNS query data stream into a plurality of data blocks; specifically, the dividing module 201 is configured to divide the DNS query data stream into a plurality of data blocks by a specified time and/or by a specified query count.
The calculating module 202 is configured to calculate the entropy values of the plurality of data blocks divided by the dividing module 201 according to a preset query attribute, to obtain a corresponding plurality of entropy values;
其中, 计算模块 202包括第一计算单元和第二计算单元;  The calculation module 202 includes a first calculation unit and a second calculation unit;
第一计算单元, 用于计算预设查询属性的每个元素在每个数据块中出 现的概率;  a first calculating unit, configured to calculate a probability that each element of the preset query attribute appears in each data block;
第二计算单元, 用于根据第一计算单元得到的预设查询属性的每个元 素在每个数据块中出现的概率, 计算划分模块 201划分的多个数据块的熵 值, 得到对应的多个熵值。  a second calculating unit, configured to calculate, according to a probability that each element of the preset query attribute obtained by the first calculating unit appears in each data block, calculate an entropy value of the plurality of data blocks divided by the dividing module 201, and obtain corresponding multiple Entropy values.
当划分模块 201划分的多个数据块之间存在相互重叠的部分时, 计算 模块 202包括:  When there are overlapping portions between the plurality of data blocks divided by the dividing module 201, the calculating module 202 includes:
第三计算单元, 用于计算与当前数据块相邻的前一数据块的熵值 H,; 第四计算单元, 用于根据第三计算单元计算的与当前数据块相邻的前 一数据块的 H 计算当前数据块的熵值 H2a third calculating unit, configured to calculate an entropy value H of a previous data block adjacent to the current data block, and a fourth calculating unit, configured to calculate a previous data block adjacent to the current data block according to the third calculating unit H calculates the entropy value H 2 of the current data block.
其中, 第三计算单元包括:  The third computing unit includes:
第一计算子单元, 用于当上述与当前数据块相邻的前一数据块为划为 的第一个数据块时, 计算预设查询属性的每个元素在第一个数据块中出现 的概率;  a first calculating subunit, configured to: when the previous data block adjacent to the current data block is the first data block that is drawn, calculate each element of the preset query attribute to appear in the first data block Probability
第二计算子单元, 用于根据预设查询属性的每个元素在第一个数据块 中出现的概率, 计算第一个数据块的熵值 H,。  And a second calculating sub-unit, configured to calculate an entropy value H of the first data block according to a probability that each element of the preset query attribute appears in the first data block.
判断模块 203 , 用于判断计算模块 202得到的多个熵值中是否有预设 个数的熵值超过预设阈值, 如果是, 则输出表示 DNS发生异常的信息。  The determining module 203 is configured to determine whether a predetermined number of entropy values of the plurality of entropy values obtained by the calculating module 202 exceed a preset threshold, and if yes, output information indicating that the DNS is abnormal.
需要说明的是: 对于检测 DNS异常的装置第一实施例而言, 由于其基 本相应于方法第一实施例, 所以相关之处参见方法第一实施例的部分说明即 可。 本发明通过将 DNS查询数据流划分为多个数据块,根据预设查询属性 计算多个数据块的熵值, 得到多个对应的熵值, 当该多个熵值中有预设个数 的熵值超过预设阈值时, 确定 DNS发生了异常。 由于熵值是对 DNS查询数 据的查询属性随机分布的度量, 当 DNS发生异常时, 例如, 当 DNS遭受 到攻击时, DNS查询数据的查询属性的随机分布就会发生变化, 从而也会 导致熵值发生变化。 根据熵值的变化情况就可以得知 DNS发生了异常, 而现有技术的基于流量的检测方法在 DNS发生异常时, 当 DNS异常的表 现不是很明显时, DNS的查询流量也不会发生很明显的变化, 因而也就不 能检测出 DNS发生异常, 只有当 DNS异常表现得很严重时, 例如发生大 面积的网络瘫痪, 导致大量用户无法使用网络时, 现有技术的基于流量的 检测方法才能检测出 DNS流量异常, 进而检测出 DNS发生异常, 具有明 显的滞后性; 而本发明可以在发生如大面积网络故障等严重的异常情况之 前就可以检测到 DNS发生了异常, 能够对 DNS发生异常起到预警作用, 使用户能够在 DNS异常严重之前做好准备, 避免了严重的 DNS异常给用 户带来的损失, 降低了漏检率, 提高了用户体验; 并且由于 DNS是一个 极其复杂的系统, 现有技术基于查询属性取值的变化来确定 DNS是否发 生异常时, 没有考虑 DNS系统内部复杂的状态变化, 因而检测精度不高, 而本发明进一步的实施例中, 当划分的多个数据块之间存在重叠部分时, 得到的多个熵值之间也反映了 DNS 系统内部状态的变化, 使得检测精度 大大提高。 It should be noted that, for the first embodiment of the apparatus for detecting a DNS abnormality, since it basically corresponds to the first embodiment of the method, the relevant parts can be referred to the description of the first embodiment of the method. The invention divides the DNS query data stream into a plurality of data blocks, calculates an entropy value of the plurality of data blocks according to the preset query attribute, and obtains a plurality of corresponding entropy values, where the preset number of the plurality of entropy values is When the entropy value exceeds the preset threshold, it is determined that an abnormality has occurred in the DNS. Since the entropy value is a measure of the random distribution of the query attributes of the DNS query data, when the DNS is abnormal, for example, when the DNS is attacked, the random distribution of the query attributes of the DNS query data changes, which also leads to entropy. The value has changed. According to the change of the entropy value, it can be known that the DNS is abnormal. However, in the prior art traffic-based detection method, when the DNS abnormality is not obvious, the DNS query traffic does not occur very much. 
Obvious changes, and therefore can not detect DNS anomalies, only when the DNS anomaly is very serious, such as a large-scale network 瘫痪, resulting in a large number of users can not use the network, the current technology based traffic-based detection method can The abnormality of the DNS traffic is detected, and the abnormality of the DNS is detected, which has obvious hysteresis. However, the present invention can detect that an abnormality occurs in the DNS before a serious abnormal situation such as a large-area network failure occurs, and an abnormality can occur in the DNS. It plays an early warning role, enabling users to prepare before the DNS is abnormally serious, avoiding the loss caused by serious DNS abnormality, reducing the missed detection rate and improving the user experience; and because DNS is an extremely complicated system The prior art determines whether the DNS is abnormal based on the change of the value of the query attribute, Considering the complicated state change inside the DNS system, the detection accuracy is not high. In a further embodiment of the present invention, when there is an overlap between the divided plurality of data blocks, the obtained plurality of entropy values are also reflected. The change in the internal state of the DNS system greatly improves the detection accuracy.
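The block division, per-block entropy of a preset query attribute, weighted combination of several attributes, entropy of each overlapping block derived from the previous block, and the count-over-threshold decision described in the embodiments above (and restated in claims 1 to 7), as an added Python example that is not the patent's own code. The fixed-size sliding window, the incremental update rule, the query record layout, the attribute weights, the threshold and the sample traffic are all my assumptions.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# A query record is (source_ip, qname, qtype, rcode); this layout is assumed.
Query = Tuple[str, str, str, str]
ATTR_INDEX = {"source_ip": 0, "qname": 1, "qtype": 2, "rcode": 3}


def block_entropy(values: Sequence[str]) -> float:
    """Shannon entropy (bits) of one attribute over one data block."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sliding_entropies(values: Sequence[str], block_size: int, step: int) -> List[float]:
    """Entropy of each overlapping block, derived from the previous block's counts.
    With a fixed block size N, H = log2(N) - (1/N) * sum(c * log2(c)), so only the
    values leaving and entering the block need updating (assumed update rule,
    not the patent's own formula)."""
    if not 1 <= step <= block_size <= len(values):
        raise ValueError("need 1 <= step <= block_size <= len(values)")
    counts = Counter(values[:block_size])
    clog = sum(c * math.log2(c) for c in counts.values())
    log_n = math.log2(block_size)
    out = [log_n - clog / block_size]  # first block: computed directly
    for start in range(step, len(values) - block_size + 1, step):
        for v in values[start - step:start]:  # queries leaving the block
            clog -= counts[v] * math.log2(counts[v])
            counts[v] -= 1
            if counts[v]:
                clog += counts[v] * math.log2(counts[v])
        for v in values[start + block_size - step:start + block_size]:  # entering
            if counts[v]:
                clog -= counts[v] * math.log2(counts[v])
            counts[v] += 1
            clog += counts[v] * math.log2(counts[v])
        out.append(log_n - clog / block_size)
    return out


def combined_entropies(queries: Sequence[Query], weights: Dict[str, float],
                       block_size: int, step: int) -> List[float]:
    """Weighted sum of the per-attribute block entropies (several preset attributes)."""
    per_attr = {a: sliding_entropies([q[ATTR_INDEX[a]] for q in queries], block_size, step)
                for a in weights}
    n_blocks = len(next(iter(per_attr.values())))
    return [sum(weights[a] * per_attr[a][i] for a in weights) for i in range(n_blocks)]


def dns_anomalous(entropies: Sequence[float], threshold: float, min_count: int) -> bool:
    """Declare a DNS anomaly once at least min_count block entropies exceed threshold."""
    return sum(h > threshold for h in entropies) >= min_count


# Constructed sample stream: 60 ordinary queries from a small office, followed
# by 60 queries of a random-subdomain flood that all receive NXDOMAIN answers.
NORMAL: List[Query] = [("10.0.0.%d" % (i % 5),
                        "www.example.com" if i % 3 else "mail.example.com",
                        "A", "NOERROR") for i in range(60)]
FLOOD: List[Query] = [("198.51.100.%d" % (i % 20), "r%04d.example.com" % i,
                       "A", "NXDOMAIN") for i in range(60)]
WEIGHTS = {"qname": 0.7, "rcode": 0.3}  # preset attributes and weights (assumed)

if __name__ == "__main__":
    hs = combined_entropies(NORMAL + FLOOD, WEIGHTS, block_size=20, step=10)
    print([round(h, 2) for h in hs])
    print("DNS anomaly:", dns_anomalous(hs, threshold=2.0, min_count=3))
```

The ordinary blocks stay near 0.65 bits while the flood blocks rise above 3 bits, so with a threshold of 2.0 and a preset count of 3 the detector fires on the mixed block and every block after it.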
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be performed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium capable of storing program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments merely illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solution outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for detecting a domain name system anomaly, characterized in that the method comprises: dividing a domain name system query data stream into a plurality of data blocks;
calculating entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values; and
determining whether a preset number of the obtained plurality of entropy values exceed a preset threshold, and if so, determining that an anomaly has occurred in the domain name system.
2. The method for detecting a domain name system anomaly according to claim 1, characterized in that dividing the domain name system query data stream into a plurality of data blocks comprises:
dividing the domain name system query data stream into a plurality of data blocks by a specified time span and/or a specified query count.
3. The method for detecting a domain name system anomaly according to claim 1 or 2, characterized in that calculating the entropy values of the plurality of data blocks according to the preset query attribute specifically comprises:
calculating the probability with which each element of the preset query attribute appears in each data block; and calculating the entropy value of each data block from said probability.
4. The method for detecting a domain name system anomaly according to claim 1 or 2, characterized in that, when the plurality of data blocks overlap one another, calculating the entropy values of the plurality of data blocks according to the preset query attribute comprises:
calculating the entropy value of the data block immediately preceding the current data block; and
calculating the entropy value of the current data block from the entropy value of said preceding data block.
5. The method for detecting a domain name system anomaly according to claim 4, characterized in that, when said data block preceding the current data block is the first data block of the division, the probability with which each element of the preset query attribute appears in said first data block is calculated; and
the entropy value of said first data block is calculated from said probability.
6. The method for detecting a domain name system anomaly according to claim 1, characterized in that the preset query attribute comprises: a query type, an error type, a query source IP address and/or a queried domain name.
7. The method for detecting a domain name system anomaly according to claim 6, characterized in that, when the preset query attribute comprises at least two query attributes, the entropy value is the weighted sum of the at least two entropy values obtained from the at least two query attributes respectively.
8. An apparatus for detecting a domain name system anomaly, characterized in that the apparatus comprises: a dividing module, configured to divide a domain name system query data stream into a plurality of data blocks;
a calculating module, configured to calculate entropy values of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropy values; and
a determining module, configured to determine whether a preset number of the obtained plurality of entropy values exceed a preset threshold, and if so, to output information indicating that an anomaly has occurred in the domain name system.
9. The apparatus for detecting a domain name system anomaly according to claim 8, characterized in that the dividing module is specifically configured to divide the domain name system query data stream into a plurality of data blocks by a specified time span and/or a specified query count.
10. The apparatus for detecting a domain name system anomaly according to claim 8 or 9, characterized in that the calculating module comprises:
a first calculating unit, configured to calculate the probability with which each element of the preset query attribute appears in each data block; and
a second calculating unit, configured to calculate the entropy value of each data block from said probability, to obtain the corresponding plurality of entropy values.
11. The apparatus for detecting a domain name system anomaly according to claim 8 or 9, characterized in that, when the plurality of data blocks overlap one another, the calculating module comprises: a third calculating unit, configured to calculate the entropy value of the data block immediately preceding the current data block; and a fourth calculating unit, configured to calculate the entropy value of the current data block from the entropy value of said preceding data block calculated by the third calculating unit.
12. The apparatus for detecting a domain name system anomaly according to claim 11, characterized in that the third calculating unit comprises:
a first calculating sub-unit, configured to calculate, when said data block preceding the current data block is the first data block of the division, the probability with which each element of the preset query attribute appears in said first data block; and
a second calculating sub-unit, configured to calculate the entropy value of said first data block from said probability.
PCT/CN2010/074577 2010-06-04 2010-06-28 Method and device for detecting domain name system (dns) anomaly WO2011150579A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010198228.8 2010-06-04
CN201010198228.8A CN101854404B (en) 2010-06-04 2010-06-04 Method and device for detecting anomaly of domain name system

Publications (1)

Publication Number Publication Date
WO2011150579A1 true WO2011150579A1 (en) 2011-12-08


Also Published As

Publication number Publication date
CN101854404A (en) 2010-10-06
CN101854404B (en) 2013-08-07


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10852377

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10852377

Country of ref document: EP

Kind code of ref document: A1