CN114172707B - Fast-Flux botnet detection method, device, equipment and storage medium - Google Patents
Publication number: CN114172707B (application CN202111437643.9A)
Authority: CN (China)
Prior art keywords: domain name; static; target; index set; time unit
Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2411—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
Abstract
Embodiments of the invention disclose a Fast-Flux botnet detection method, device, equipment and storage medium. A target detection domain name is acquired, and the resolved IP result data matching it is acquired from DNS traffic over each monitoring duration; the monitoring duration is divided into a plurality of time units, and a static statistical index set and a dynamic statistical index set of the target detection domain name are calculated for each target time unit; when the target static statistical index set is determined not to satisfy the normal domain name detection condition, a normalized static statistical index set and a normalized dynamic statistical index set are calculated, and from these a fitting static value and a fitting dynamic value are calculated for each target time unit; the fitting static value and the fitting dynamic value are input into a pre-trained support vector machine (SVM) model; and when the target detection domain name is determined to be an abnormal domain name within the monitoring duration, the botnet is determined from the IP addresses of the clients that accessed the target detection domain name. The technical scheme of the embodiments improves the efficiency of analysing DNS traffic data, reduces the false alarm rate and improves the accuracy of the detection result.
Description
Technical Field
Embodiments of the invention relate to computer technology, and in particular to a Fast-Flux botnet detection method, device, equipment and storage medium.
Background
A botnet is a network formed by a plurality of Internet hosts infected with bot malware; a one-to-many control network is usually formed between the controller and the infected hosts, and it seriously endangers network security, so botnet detection has long been a hot research problem.
With a normal DNS deployment, a user querying the same domain name receives essentially the same answer over a long period, however many times the query is repeated. Fast-flux is a technique that continuously changes the mapping between a domain name and its IP addresses, so that repeated queries for a domain name deployed with fast-flux return different results within a short time; this is a major advantage that fast-flux gives a botnet. In the prior art, detection of fast-flux botnets depends on repeated analysis of DNS query results: DNS records are evaluated by an algorithmic scoring mechanism, and information such as the IPs returned by each DNS query, class A IP addresses and the number of NS resource records is analysed for detection.
In implementing the present invention, the inventors found the following drawback in the prior art: because the DNS query results are analysed many times, the workload is huge and the accuracy is not high.
Disclosure of Invention
Embodiments of the invention provide a Fast-Flux botnet detection method, device, equipment and storage medium, so as to improve the efficiency of analysing DNS traffic data, reduce the false alarm rate and improve the accuracy of the detection result.
In a first aspect, an embodiment of the invention provides a Fast-Flux botnet detection method, comprising:
acquiring a target detection domain name, and acquiring resolved IP result data matching the target detection domain name from Domain Name System (DNS) traffic data over each monitoring duration;
dividing the monitoring duration into a plurality of time units, and calculating a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit from the resolved IP result data in each time unit;
when the target static statistical index set is determined not to satisfy the normal domain name detection condition, calculating a normalized static statistical index set and a normalized dynamic statistical index set corresponding to each target time unit;
calculating a fitting static value and a fitting dynamic value corresponding to each target time unit from the normalized static statistical index set and the normalized dynamic statistical index set corresponding to that target time unit;
inputting the fitting static value and the fitting dynamic value of each target time unit into a pre-trained support vector machine (SVM) model, and obtaining for each target time unit in the monitoring duration a recognition result of whether the target detection domain name is an abnormal domain name;
obtaining a target recognition result of whether the target detection domain name is an abnormal domain name within the monitoring duration from the proportion of recognition results in which the target detection domain name is an abnormal domain name and a preset proportion threshold;
and, when the target detection domain name is determined to be an abnormal domain name within the monitoring duration, determining the botnet matching the target detection domain name from the IP addresses that accessed the target detection domain name.
In a second aspect, an embodiment of the invention further provides a Fast-Flux botnet detection device, comprising:
a resolved IP result acquisition module, for acquiring a target detection domain name and acquiring resolved IP result data matching the target detection domain name from Domain Name System (DNS) traffic data over each monitoring duration;
a statistical index set acquisition module, for dividing the monitoring duration into a plurality of time units and calculating a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit from the resolved IP result data in each time unit;
a normalized statistical index set acquisition module, for calculating a normalized static statistical index set and a normalized dynamic statistical index set corresponding to each target time unit when the target static statistical index set is determined not to satisfy the normal domain name detection condition;
a fitting value calculation module, for calculating a fitting static value and a fitting dynamic value corresponding to each target time unit from the normalized static statistical index set and the normalized dynamic statistical index set corresponding to that target time unit;
a recognition result acquisition module, for inputting the fitting static value and the fitting dynamic value of each target time unit into a pre-trained support vector machine (SVM) model and obtaining, for each target time unit in the monitoring duration, a recognition result of whether the target detection domain name is an abnormal domain name;
a target recognition result acquisition module, for obtaining a target recognition result of whether the target detection domain name is an abnormal domain name within the monitoring duration from the proportion of recognition results in which the target detection domain name is an abnormal domain name and a preset proportion threshold;
and a botnet determination module, for determining the botnet matching the target detection domain name from the IP addresses that accessed the target detection domain name when the target detection domain name is determined to be an abnormal domain name.
In a third aspect, an embodiment of the present invention further provides a computer apparatus, including:
One or more processors;
A storage means for storing one or more programs;
The one or more programs, when executed by the one or more processors, cause the one or more processors to implement Fast-Flux botnet detection methods as described in any of the embodiments of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer readable storage medium, where a computer program is stored, where the program when executed by a processor implements a Fast-Flux botnet detection method according to any embodiment of the present invention.
According to the embodiments of the invention, a target detection domain name is acquired and the matching resolved IP result data is acquired over each monitoring duration; the monitoring duration is divided into a plurality of time units, and a static statistical index set and a dynamic statistical index set of the target detection domain name are calculated for each target time unit; when the target static statistical index set is determined not to satisfy the normal domain name detection condition, a normalized static statistical index set and a normalized dynamic statistical index set are calculated, and from these the corresponding fitting static values and fitting dynamic values; these are input into a pre-trained support vector machine (SVM) model, and when the target detection domain name is determined to be an abnormal domain name within the monitoring duration, the botnet is determined from the IP addresses that accessed the target detection domain name. This solves the problems of huge workload and low accuracy caused by repeated analysis of DNS query results in the prior art, improves the efficiency of analysing DNS traffic data, reduces the false alarm rate and improves the accuracy of the detection result.
Drawings
FIG. 1A is a flow chart of a Fast-Flux botnet detection method according to an embodiment of the present invention;
FIG. 1B is a flowchart of a specific application scenario of a Fast-Flux botnet detection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a Fast-Flux botnet detection device according to a second embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a computer device according to a third embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
FIG. 1A is a flowchart of a Fast-Flux botnet detection method according to an embodiment of the present invention. The method may be performed by a Fast-Flux botnet detection device, which may be implemented in software and/or hardware and is generally integrated in a server. Referring to FIG. 1A, the method specifically comprises the following steps:
S110: acquiring a target detection domain name, and acquiring resolved IP result data matching the target detection domain name from Domain Name System (DNS) traffic data over each monitoring duration.
The target detection domain name is a domain name that needs to be examined to determine whether it is normal. The monitoring duration is the length of time for which DNS traffic matching the target detection domain name is monitored; it may be set to 4 hours, for example.
In this embodiment, the target detection domain name is acquired, DNS traffic data is monitored, and the resolved IP result data matching the target detection domain name is extracted from the DNS traffic data within one monitoring duration.
In an alternative embodiment, acquiring the target detection domain name may comprise: acquiring a plurality of response packets from the DNS traffic and parsing all of them to obtain a plurality of domain names to be detected; then filtering out of the domain names to be detected those with content delivery network (CDN) characteristics and those whose resolved IP result data carry a cache time-to-live (TTL) value exceeding a set time threshold, the remainder forming the target detection domain names.
The domain names to be detected are all the domain names parsed out of the response packets, that is, the names that client IPs asked the DNS server to resolve. A domain name with CDN characteristics covers two cases: the main domain name contains the string "cdn", or the name is formed by joining two domain names together. The set time threshold is a lower bound on the TTL of the resolved IP result data.
Optionally, during monitoring, a plurality of response packets are obtained from the DNS traffic data and parsed to obtain the domain names to be detected; after the names with CDN characteristics and the names whose resolved IP result TTL exceeds the set time threshold (for example, 1800 seconds) have been filtered out, the remaining names are taken as the target detection domain names. Because the TTL values of the domain names used by a fast-flux botnet are very small, a name whose resolved IP result data carries a TTL above 1800 seconds is with high probability a normal domain name and can be dropped. The target detection domain names are a subset of the domain names to be detected, and there may be one or more of them; this embodiment does not limit the number.
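As an added example, not code from the patent, the following Python applies the S110 prefilter to constructed DNS response records: names whose main domain contains "cdn", names that look like two domain names joined, and names whose resolved IP result TTL exceeds the 1800-second threshold are dropped, and whatever remains becomes the target detection domain names. The record layout, using the largest TTL observed for a name as its TTL, the two-label approximation of the main domain, and the reading of "two domain names joined" as an inner label that is itself a top-level domain are assumptions of this example.

```python
"""S110 prefilter (added example): select target detection domain names from parsed
DNS response records. Field names and sample records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

TTL_THRESHOLD = 1800          # seconds, the page's example threshold
KNOWN_TLDS = {"com", "net", "org", "cn", "io"}   # assumption used by the CDN heuristic


@dataclass
class DnsResponse:
    """One parsed DNS response packet (constructed layout)."""
    qname: str                # domain name the client asked to resolve
    ttl: int                  # TTL of the resolved IP result data
    answers: List[str] = field(default_factory=list)   # resolved IPs


def labels_of(qname: str) -> List[str]:
    return qname.rstrip(".").lower().split(".")


def main_domain(qname: str) -> str:
    """Main domain approximated as the last two labels (assumption; no public-suffix list)."""
    return ".".join(labels_of(qname)[-2:])


def has_cdn_feature(qname: str) -> bool:
    """Page rule 1: the main domain contains 'cdn'.
    Page rule 2, 'two domain names joined', is approximated as an inner label that is
    itself a top-level domain, e.g. static.example.com.edge-cache.net (assumption)."""
    if "cdn" in main_domain(qname):
        return True
    return any(label in KNOWN_TLDS for label in labels_of(qname)[:-1])


def select_target_domains(responses: List[DnsResponse]) -> List[str]:
    """Group responses by name; drop CDN-like names and names whose largest observed
    TTL exceeds TTL_THRESHOLD (fast-flux names keep TTLs very small). Returns the
    remaining names, sorted, as the target detection domain names."""
    max_ttl: Dict[str, int] = {}
    for r in responses:
        max_ttl[r.qname] = max(max_ttl.get(r.qname, 0), r.ttl)
    return sorted(
        name for name, ttl in max_ttl.items()
        if ttl <= TTL_THRESHOLD and not has_cdn_feature(name)
    )


# Constructed response records standing in for parsed DNS traffic.
SAMPLE_RESPONSES = [
    DnsResponse("update.example.net", 60, ["203.0.113.5"]),
    DnsResponse("update.example.net", 60, ["198.51.100.9"]),
    DnsResponse("img.fastcdn.net", 30, ["192.0.2.10"]),                   # 'cdn' in main domain
    DnsResponse("www.example.org", 86400, ["192.0.2.44"]),                # TTL far above 1800 s
    DnsResponse("static.example.com.edge-cache.net", 20, ["192.0.2.77"]),  # two names joined
]

if __name__ == "__main__":
    print(select_target_domains(SAMPLE_RESPONSES))
```

Only update.example.net survives the constructed sample: the other three names are removed by the "cdn" rule, the TTL rule and the joined-names heuristic respectively.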
S120: dividing the monitoring duration into a plurality of time units, and calculating a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit from the resolved IP result data in each time unit.
A time unit is one division of the preset monitoring duration; for example, a monitoring duration of 4 hours may be divided into 4 time units of 1 hour each. A target time unit is one of these time units, for example the 1st, 2nd, 3rd or 4th of the 4 time units of a 4-hour monitoring duration.
The static statistical index set characterises the resolved IPs within a target time unit, for example their number and distribution. The static statistical indices are: maximum request length, cumulative number of distinct resolved IPs, cumulative number of distinct network segments, cumulative number of distinct AS numbers, AS score, and resolved IP distribution.
Specifically, the maximum request length (mal) is the largest number of resolved IPs returned in a single response packet matching the target detection domain name within the time unit.
The cumulative number of distinct resolved IPs (nip) is the number of distinct resolved IPs obtained for the target detection domain name from the same DNS server within the time unit; the larger the value, the more resolved IPs the domain name maps to.
The cumulative number of distinct network segments (nnet) measures how dispersed the returned resolved IPs are; the larger the value, the more dispersed they are. Three classes of IPv4 address are considered, distinguished by the range of the first octet:
Class A: 1-127; addresses differing in the first octet belong to different network segments;
Class B: 128-191; addresses differing in the first or second octet belong to different network segments;
Class C: 192-223; addresses differing in the first, second or third octet belong to different network segments.
The cumulative number of distinct AS numbers (nas) is the number of distinct autonomous system numbers that the resolved IPs obtained for the target detection domain name from the same DNS server fall into within the time unit; the larger the value, the more dispersed the returned resolved IPs.
The AS score (fas) combines nas with nip: fas = (nas - 1) / nip.
Resolved IP distribution (dip): each resolved IPv4 address is converted into a 32-bit integer, denoted x_i, and the index is calculated as
dip = (1 / p) * median(delta_x),
delta_x = { x_i - x_(i-1) : i = 2, ..., n }, where the x_i are sorted so that x_i >= x_(i-1), and p is the mean of the 32-bit integer values of the resolved IPs.
The dynamic statistical index set represents how the resolved IP result data of a target time unit deviate from the whole monitoring duration, for example the change of nip in the first time unit relative to the mean of nip over all time units. The dynamic statistical indices are: change in the resolved IP set, change in network segments, change in AS numbers, and change in the maximum number of resolved IPs in a single response.
Specifically, change in the resolved IP set (cip): cip = nip / c_nip - 1, where c_nip is the mean of nip over all time units of the monitoring duration.
Change in network segments (cnet): cnet = nnet / c_nnet - 1, where c_nnet is the mean of nnet over all time units of the monitoring duration.
Change in AS numbers (cas): cas = nas / c_nas - 1, where c_nas is the mean of nas over all time units of the monitoring duration.
Change in the maximum number of resolved IPs in a single response (cal): cal = mal / c_mal - 1, where c_mal is the mean of mal over all time units of the monitoring duration.
Optionally, the set monitoring duration is divided into time units, and from the resolved IP result data obtained in each time unit all static statistical indices matching the target detection domain name currently being processed are calculated and taken as that time unit's static statistical index set; in the same way all matching dynamic statistical indices are calculated and taken as the dynamic statistical index set. Two constraints apply: the same domain name must be requested from a given DNS server at least 10 times per time unit, and, since it is the change of the resolved IPs that is being detected, the monitoring duration must be divided into at least two time units.
In an alternative embodiment, calculating the static statistical index set and the dynamic statistical index set of the target detection domain name in each target time unit from the resolved IP result data in each time unit may comprise: calculating each time unit's static statistical index set from the resolved IP result data in that time unit; and calculating each time unit's dynamic statistical index set from the mean of each static statistical index over all time units and a preset formula.
The preset formula is the formula for a dynamic statistical index, for example cip = nip / c_nip - 1.
Optionally, each time unit's static statistical index set is obtained by statistics over the resolved IP result data acquired in that time unit; the mean of each static statistical index over all time units of the monitoring duration is calculated from the index values of that index in all time units; and each index value is then compared with its matching mean through the preset formula to obtain the dynamic statistical index sets.
Illustratively, the monitoring duration is set to 4 hours and divided into 4 time units of 1 hour, and the static statistical index set of each of the 4 time units is obtained. Taking nip as an example, the mean c_nip of nip over the 4 hours is calculated, and substituting each of the 4 nip values into cip = nip / c_nip - 1 gives the cip value of each time unit, that is, 4 cip values. Similarly, the dynamic indices cnet, cas and cal are calculated from the static indices nnet, nas and mal respectively. Thus 4 static statistical index sets and 4 dynamic statistical index sets are obtained over the monitoring duration.
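The following Python is an added example, not code from the patent: it computes the six static indices and four dynamic indices defined above for one target detection domain name over four constructed one-hour time units, applying the classful network segment rule, the fas and dip formulas, and the minimums of 10 requests per unit and two units. The IP-to-AS-number table is a constructed stand-in for a real ASN lookup, the handling of first octets above 223 and of a single-IP unit is this example's choice, and all addresses and their assignment to time units are constructed rather than observed.

```python
"""S120 (added example): static and dynamic statistical index sets for one target
detection domain name. All addresses, time units and the AS table are constructed."""
import ipaddress
import statistics
from typing import Dict, List, Sequence

MIN_REQUESTS_PER_UNIT = 10   # page: at least 10 requests per time unit
MIN_TIME_UNITS = 2           # page: at least two time units

# Constructed IP -> AS number table standing in for a real ASN lookup (assumption).
ASN_TABLE: Dict[str, int] = {
    "203.0.113.5": 64500, "203.0.113.6": 64500, "203.0.113.9": 64500, "203.0.113.200": 64500,
    "10.8.0.4": 64501, "10.9.1.7": 64501, "100.64.1.2": 64502,
    "172.16.5.9": 64503, "172.31.0.3": 64503, "192.0.2.3": 64504,
    "198.51.100.7": 64505, "192.168.7.1": 64506, "11.0.0.5": 64507,
    "150.20.3.3": 64508, "200.1.1.1": 64509, "64.4.4.4": 64510,
}


def network_segment(ip: str) -> str:
    """Classful segment key as the page defines it: class A (first octet 1-127) by one
    octet, class B (128-191) by two, class C (192-223) by three. First octets above 223
    are not covered by the page and are keyed by three octets here (assumption)."""
    octets = ip.split(".")
    first = int(octets[0])
    if first <= 127:
        return octets[0]
    if first <= 191:
        return ".".join(octets[:2])
    return ".".join(octets[:3])


def static_indices(responses: Sequence[Sequence[str]]) -> Dict[str, float]:
    """One time unit's static set. `responses` holds the resolved IPs of each DNS
    response seen for the domain in that unit (one inner list per response)."""
    if len(responses) < MIN_REQUESTS_PER_UNIT:
        raise ValueError("fewer than %d requests in this time unit" % MIN_REQUESTS_PER_UNIT)
    ints = sorted({int(ipaddress.IPv4Address(ip)) for ans in responses for ip in ans})
    ips = [str(ipaddress.IPv4Address(v)) for v in ints]   # sorted so x_i >= x_(i-1)
    mal = max(len(ans) for ans in responses)               # max IPs in a single response
    nip = len(ips)                                          # distinct resolved IPs
    nnet = len({network_segment(ip) for ip in ips})        # distinct network segments
    nas = len({ASN_TABLE.get(ip, -1) for ip in ips})       # distinct AS numbers
    fas = (nas - 1) / nip                                   # AS score
    if nip >= 2:
        p = statistics.fmean(ints)                          # mean of the 32-bit values
        dip = statistics.median(b - a for a, b in zip(ints, ints[1:])) / p
    else:
        dip = 0.0   # delta_x is empty for a single IP; the page's formula needs n >= 2
    return {"mal": mal, "nip": nip, "nnet": nnet, "nas": nas, "fas": fas, "dip": dip}


# dynamic index -> static index it is derived from (cip = nip / c_nip - 1, etc.)
DYNAMIC_OF = {"cip": "nip", "cnet": "nnet", "cas": "nas", "cal": "mal"}


def dynamic_indices(static_sets: Sequence[Dict[str, float]]) -> List[Dict[str, float]]:
    """Dynamic set of every time unit relative to the mean over the monitoring duration."""
    if len(static_sets) < MIN_TIME_UNITS:
        raise ValueError("need at least %d time units" % MIN_TIME_UNITS)
    means = {s: statistics.fmean(st[s] for st in static_sets) for s in DYNAMIC_OF.values()}
    return [{d: st[s] / means[s] - 1 for d, s in DYNAMIC_OF.items()} for st in static_sets]


def analyse(units: Sequence[Sequence[Sequence[str]]]):
    """Static and dynamic index sets for all time units of one monitoring duration."""
    static_sets = [static_indices(u) for u in units]
    return static_sets, dynamic_indices(static_sets)


# Constructed 4-hour monitoring duration, 1-hour units, 10 responses per unit:
# units 1-2 answer with two stable addresses, units 3-4 rotate 14 scattered ones.
STABLE_UNIT = [["203.0.113.5", "203.0.113.6"] for _ in range(10)]
FLUX_POOL = ["10.8.0.4", "10.9.1.7", "100.64.1.2", "172.16.5.9", "172.31.0.3",
             "192.0.2.3", "198.51.100.7", "203.0.113.9", "203.0.113.200",
             "192.168.7.1", "11.0.0.5", "150.20.3.3", "200.1.1.1", "64.4.4.4"]
FLUX_UNIT = [FLUX_POOL[i:i + 5] for i in range(10)]
SAMPLE_UNITS = [STABLE_UNIT, STABLE_UNIT, FLUX_UNIT, FLUX_UNIT]

if __name__ == "__main__":
    for unit, (s, d) in enumerate(zip(*analyse(SAMPLE_UNITS)), start=1):
        print(unit, s, d)
```

With the sample, the two fluxing units carry nip = 14, nnet = 12 and nas = 11 against 2, 1 and 1 for the stable units, so their cip comes out at +0.75 and the stable units' at -0.75; note that dip is tiny but not exactly zero for two adjacent addresses, so a prefilter that tests dip == 0 only clears units that returned a single address.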
S130: when the target static statistical index set is determined not to satisfy the normal domain name detection condition, calculating a normalized static statistical index set and a normalized dynamic statistical index set corresponding to each target time unit.
The target static statistical index set is one or more of the static statistical index sets corresponding to the time units. The normal domain name detection condition is a preset range that one or more static statistical index values must fall in for the target detection domain name to be judged normal. For example, the condition may be that the resolved IP distribution value is 0 and the cumulative number of distinct AS numbers is at most 3: a static statistical index set that does not satisfy this condition is a target static statistical index set failing the normal domain name detection condition, and the target detection domain name goes on to the following steps; a set that does satisfy it marks the target detection domain name as normal, and no further detection is performed. This setting reduces the false alarm rate and makes the detection result more accurate. The normalized static statistical index set is the result of normalizing each static statistical index set, and the normalized dynamic statistical index set is the result of normalizing each dynamic statistical index set.
Specifically, it is judged whether the target static statistical index set satisfies the normal domain name detection condition, and when it is determined not to satisfy the condition, the normalized static statistical index set and the normalized dynamic statistical index set corresponding to each target time unit are calculated.
In an alternative embodiment, calculating the normalized static statistical index set and the normalized dynamic statistical index set corresponding to each target time unit may comprise: obtaining, from the static statistical index sets or the dynamic statistical index sets, the index values of the statistical index currently being processed in every time unit; and calculating the normalized index value X_norm of that index in the current target time unit by
X_norm = (X - X_min) / (X_max - X_min),
where X is the index value in the current target time unit, X_max is the maximum and X_min the minimum of all the obtained index values.
Optionally, the index values of the currently processed statistical index are taken from each static or dynamic statistical index set, and a normalized index value in the range 0 to 1 is calculated for each of them by the formula above.
Illustratively, over a monitoring duration of 4 hours, 4 static statistical index sets are obtained for the 4 time units, each containing 6 static statistical indices, so each static statistical index has 4 index values. For a given static statistical index, the maximum and minimum of its 4 index values are determined, and the normalized value of each of the 4 index values is calculated by the formula; the normalized values of the other 5 static statistical indices are calculated in the same way.
S140: calculating a fitting static value and a fitting dynamic value corresponding to each target time unit from the normalized static statistical index set and the normalized dynamic statistical index set corresponding to that target time unit.
The fitting static value is the weighted sum of the index values in the normalized static statistical index set of a time unit. The fitting dynamic value is the weighted sum of the index values in the normalized dynamic statistical index set of a time unit.
Specifically, the fitting static value and the fitting dynamic value of each target time unit are calculated from the index values in the normalized static statistical index set and the normalized dynamic statistical index set of that target time unit.
In an alternative embodiment, calculating the fitting static value and the fitting dynamic value corresponding to each target time unit may comprise: obtaining the fitting static value from the normalized static statistical index set of each target time unit and a preset static statistical index weight parameter set; and obtaining the fitting dynamic value from the normalized dynamic statistical index set of each target time unit and a preset dynamic statistical index weight parameter set.
The preset static statistical index weight parameter set is a preset set of coefficients reflecting the importance of each static statistical index in the static statistical index set. The preset dynamic statistical index weight parameter set is a preset set of coefficients reflecting the importance of each dynamic statistical index in the dynamic statistical index set.
Specifically, the matching preset static or dynamic statistical index weight parameter set is applied to the normalized static or dynamic statistical index set of each target time unit to obtain the corresponding fitting static value or fitting dynamic value.
For example, the fitting static value of each target time unit may be obtained as Ystat = wip * nip + wnet * nnet + was * nas + wal * mal + wf * fas + wd * dip, where nip, nnet, nas, mal, fas and dip here denote the values of the normalized static statistical index set and wip, wnet, was, wal, wf and wd are the corresponding preset static statistical index weight parameters. The fitting dynamic value of each target time unit may be obtained as Ydong = wip' * cip + wnet' * cnet + was' * cas + wal' * cal, where cip, cnet, cas and cal denote the values of the normalized dynamic statistical index set and wip', wnet', was' and wal' are the corresponding preset dynamic statistical index weight parameters.
S150: inputting the fitting static value and the fitting dynamic value of each target time unit into a pre-trained support vector machine (SVM) model, and obtaining for each target time unit in the monitoring duration a recognition result of whether the target detection domain name is an abnormal domain name.
The SVM model is obtained by at least one round of training on the fitting static values and fitting dynamic values of known botnets. The recognition result is the SVM model's judgement, from the input fitting static value and fitting dynamic value, of whether the target detection domain name is abnormal.
In this embodiment, the fitting static value and the fitting dynamic value of each time unit are input into the pre-trained SVM model, which outputs one recognition result per time unit. The recognition result can be represented by the state values 0 and 1: 0 means the target detection domain name currently being processed is recognised as normal in the current time unit, and 1 means it is recognised as abnormal in the current time unit.
S160, obtaining target recognition results of whether the target detection domain name is the abnormal domain name in the monitoring duration according to the number proportion of the recognition results of which the target detection domain name is the abnormal domain name in the recognition results and a preset proportion threshold.
The recognition result number proportion may be the number of recognition results, among all recognition results obtained in the monitoring duration, in which the currently processed target detection domain name is abnormal, divided by the total number of recognition results obtained in the monitoring duration. The target recognition result may be the result of integrating all recognition results obtained in the monitoring duration to judge whether the currently processed target detection domain name is abnormal in the monitoring duration. The preset proportion threshold may be a lower limit on the proportion of recognition results in which the currently processed target detection domain name is an abnormal domain name.
Specifically, whether the currently processed target detection domain name is abnormal in the monitoring duration can be determined comprehensively from the number of abnormal recognition results among all the recognition results obtained in the monitoring duration. If, among all the recognition results output for all the time units in the monitoring duration, the proportion of recognition results in which the currently processed target detection domain name is abnormal exceeds the preset proportion threshold (for example, 50%), the SVM model can output the recognition result of the currently processed target detection domain name in the monitoring duration as abnormal. Correspondingly, if that proportion does not exceed the preset proportion threshold, the SVM model can output the recognition result of the currently processed target detection domain name in the monitoring duration as normal. The advantage of this is that the detection results of multiple characteristics and multiple time units for the same domain name are combined, and the recognition result is further determined through the preset proportion threshold, which better reduces the false alarm rate for malicious domain names.
For example, if 4 pairs of fitting static values and fitting dynamic values are input into the SVM model and 4 recognition results of "0" or "1" are obtained, and "1" appears 3 times, that is, 75% of the recognition results are judged as "1" by the SVM model, the recognition result of the currently processed target detection domain name in the monitoring duration can be output as abnormal. If "1" appears once, that is, 25% are judged as "1" by the SVM model, the recognition result of the target detection domain name in the monitoring duration may be output as normal.
S170, when the target detection domain name is an abnormal domain name in the monitoring duration, determining a botnet matched with the target detection domain name according to the IP address of the access target detection domain name.
Optionally, when the currently processed target detection domain name is determined to be an abnormal domain name in the monitoring duration, all IP addresses that accessed the target detection domain name can be looked up in the DNS traffic data, so as to determine the botnet matched with the target detection domain name.
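The following is an added example, not code from the patent, that carries steps S140 to S170 through on constructed data: the weighted fitting sums Y_stat and Y_dyn from the formulas above, a per-time-unit classification, the proportion-threshold aggregation (with the 3-of-4 and 1-of-4 cases of the preceding paragraph) and the lookup of the IP addresses that accessed an abnormal domain name. Everything not stated in the text is an assumption: the min-max form of the normalization, the weight values, the constructed index sets and query log, and a fixed linear decision rule (`stand_in_svm`) used in place of the pre-trained SVM so the block runs without a machine-learning library.

```python
"""Added example (not the patent's code): fitting, per-unit classification and
proportion-threshold aggregation for one target detection domain name.
Assumed: min-max normalization, constructed weights and inputs, and a fixed
linear rule standing in for the pre-trained SVM."""
from typing import Dict, List, Sequence, Set

# Preset weight parameter sets (values constructed for this example).
STATIC_WEIGHTS = {"nip": 0.25, "nnet": 0.2, "nas": 0.2, "mal": 0.15, "fas": 0.1, "dip": 0.1}
DYNAMIC_WEIGHTS = {"cip": 0.3, "cnet": 0.25, "cas": 0.25, "cal": 0.2}


def min_max_normalize(values: Sequence[float]) -> List[float]:
    """(X - X_min) / (X_max - X_min) over the target time units; an index that is
    constant across units normalizes to 0 instead of dividing by zero."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0] * len(values)
    return [(x - lo) / (hi - lo) for x in values]


def normalize_index_sets(sets: List[Dict[str, float]]) -> List[Dict[str, float]]:
    """Normalize every index across all time units; returns one set per unit."""
    keys = list(sets[0])
    columns = {k: min_max_normalize([s[k] for s in sets]) for k in keys}
    return [{k: columns[k][i] for k in keys} for i in range(len(sets))]


def fitting_value(normalized: Dict[str, float], weights: Dict[str, float]) -> float:
    """Y = sum(w_i * x_i): Y_stat with the static weights, Y_dyn with the dynamic ones."""
    return sum(weights[k] * normalized[k] for k in weights)


def stand_in_svm(y_stat: float, y_dyn: float) -> int:
    """Placeholder for the pre-trained SVM: 1 (abnormal) above a fixed linear surface."""
    return 1 if 0.6 * y_stat + 0.4 * y_dyn > 0.5 else 0


def target_recognition(results: Sequence[int], threshold: float = 0.5) -> int:
    """Abnormal (1) only when the share of abnormal per-unit results exceeds the threshold;
    an empty result list is treated as normal."""
    if not results:
        return 0
    share = sum(1 for r in results if r == 1) / len(results)
    return 1 if share > threshold else 0


def detect_domain(static_sets, dynamic_sets, model=stand_in_svm, threshold=0.5):
    """S140-S160: normalize, fit, classify each target time unit, then aggregate."""
    n_stat = normalize_index_sets(static_sets)
    n_dyn = normalize_index_sets(dynamic_sets)
    results = [model(fitting_value(s, STATIC_WEIGHTS), fitting_value(d, DYNAMIC_WEIGHTS))
               for s, d in zip(n_stat, n_dyn)]
    return results, target_recognition(results, threshold)


def botnet_members(query_log: str, domain: str) -> Set[str]:
    """S170: every client IP seen querying the abnormal domain name in the DNS traffic."""
    members = set()
    for line in query_log.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == domain:
            members.add(parts[1])
    return members


# Constructed raw index sets for four hourly target time units of one domain.
STATIC_SETS = [
    {"nip": 2, "nnet": 1, "nas": 1, "mal": 1, "fas": 1, "dip": 0},
    {"nip": 10, "nnet": 6, "nas": 5, "mal": 3, "fas": 3, "dip": 2},
    {"nip": 14, "nnet": 9, "nas": 7, "mal": 4, "fas": 5, "dip": 3},
    {"nip": 18, "nnet": 11, "nas": 9, "mal": 5, "fas": 5, "dip": 4},
]
DYNAMIC_SETS = [
    {"cip": 0, "cnet": 0, "cas": 0, "cal": 0},
    {"cip": 6, "cnet": 3, "cas": 3, "cal": 2},
    {"cip": 8, "cnet": 4, "cas": 4, "cal": 2},
    {"cip": 8, "cnet": 4, "cas": 4, "cal": 2},
]
# Constructed DNS query log: "<timestamp> <client_ip> <queried_name>".
QUERY_LOG = """\
2021-11-29T10:00:01 192.0.2.10 flux-a.example
2021-11-29T10:00:03 198.51.100.4 flux-a.example
2021-11-29T10:00:05 192.0.2.23 www.example.org
2021-11-29T10:01:10 192.0.2.77 flux-a.example
2021-11-29T10:01:12 192.0.2.10 flux-a.example
"""

if __name__ == "__main__":
    per_unit, verdict = detect_domain(STATIC_SETS, DYNAMIC_SETS)
    print(per_unit, "abnormal" if verdict else "normal")
    if verdict:
        print(sorted(botnet_members(QUERY_LOG, "flux-a.example")))
```

With the constructed sets, three of the four time units are classified as "1", so the 75% share exceeds the 50% threshold and the domain name is reported as abnormal; the same aggregation returns normal for a 1-of-4 result, and a share exactly equal to the threshold also stays normal because the text requires the threshold to be exceeded.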
According to the technical scheme of this embodiment, a target detection domain name is obtained and the matched analysis IP result data is obtained at intervals of the monitoring duration; the monitoring duration is divided into a plurality of time units, and a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit are calculated; when the target static statistical index set is determined not to meet the normal domain name detection condition, a normalized static statistical index set and a normalized dynamic statistical index set are calculated; the corresponding fitting static values and fitting dynamic values are then calculated and respectively input into a pre-trained support vector machine (SVM) model; and when the target detection domain name is an abnormal domain name in the monitoring duration, the botnet is determined according to the IP addresses accessing the target detection domain name. This technical means solves the problems of heavy workload and low accuracy caused by repeated analysis of DNS query results in the prior art, improves the efficiency of analyzing DNS traffic data, reduces the false alarm rate and improves the accuracy of the detection results.
As an example, fig. 1B is a flowchart of a specific application scenario of a Fast-Flux botnet detection method according to an embodiment of the present invention. A domain name to be detected is obtained from the original DNS traffic data; domain names with CDN characteristics are filtered out to determine the target detection domain name; the analysis IP data structure related to the target detection domain name is obtained from the DNS traffic data and divided by hour; statistical calculation is performed on the analysis IP result data according to the static statistical indexes and dynamic statistical indexes of the feature engineering to obtain the corresponding index values; when the index values meet the normal domain name detection condition (dip = 0 and nas ≤ 3), the currently processed target detection domain name is determined to be a normal domain name; and the matched statistical index values of a target detection domain name that does not meet the normal domain name detection condition are input into the SVM classification model after normalization, fitting and other operations to identify abnormal domain names, and the botnet is then determined according to the IP addresses accessing the abnormal detection domain name.
Example two
Fig. 2 is a schematic structural diagram of a Fast-Flux botnet detection device according to a second embodiment of the present invention. The apparatus may include: an analysis IP result obtaining module 210, a statistical index set obtaining module 220, a normalized statistical index set obtaining module 230, a fitting value calculating module 240, a recognition result obtaining module 250, a target recognition result obtaining module 260 and a botnet determining module 270. Wherein:
The analysis IP result obtaining module 210 is configured to obtain a target detection domain name, and obtain analysis IP result data matched with the target detection domain name from domain name resolution service (DNS) traffic data at intervals of the monitoring duration;
The statistical index set obtaining module 220 is configured to divide the monitoring duration into a plurality of time units, and calculate a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit according to the analysis IP result data in each time unit;
The normalized statistical index set obtaining module 230 is configured to calculate a normalized static statistical index set and a normalized dynamic statistical index set corresponding to each target time unit when it is determined that the target static statistical index set does not meet the normal domain name detection condition;
The fitting value calculating module 240 is configured to calculate a fitting static value and a fitting dynamic value corresponding to each target time unit according to the normalized static statistics index set and the normalized dynamic statistics index set corresponding to each target time unit, respectively;
The recognition result obtaining module 250 is configured to respectively input the fitting static value and the fitting dynamic value under each target time unit into a pre-trained support vector machine (SVM) model, and obtain the recognition results of whether the target detection domain name under each target time unit in the monitoring duration is an abnormal domain name;
The target recognition result obtaining module 260 is configured to obtain, according to the ratio of the number of recognition results with the target detection domain name being the abnormal domain name in the recognition results and the preset ratio threshold, whether the target detection domain name is the target recognition result of the abnormal domain name in the monitoring duration;
The botnet determining module 270 is configured to determine, when determining that the target detection domain name is an abnormal domain name within the monitoring duration, a botnet matching the target detection domain name according to the IP address of the access target detection domain name.
According to the technical scheme of this embodiment, a target detection domain name is obtained and the matched analysis IP result data is obtained at intervals of the monitoring duration; the monitoring duration is divided into a plurality of time units, and a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit are calculated; when the target static statistical index set is determined not to meet the normal domain name detection condition, a normalized static statistical index set and a normalized dynamic statistical index set are calculated; the corresponding fitting static values and fitting dynamic values are then calculated and respectively input into a pre-trained support vector machine (SVM) model; and when the target detection domain name is an abnormal domain name in the monitoring duration, the botnet is determined according to the IP addresses accessing the target detection domain name. This technical means solves the problems of heavy workload and low accuracy caused by repeated analysis of DNS query results in the prior art, improves the efficiency of analyzing DNS traffic data, reduces the false alarm rate and improves the accuracy of the detection results.
In the above apparatus, optionally, the analysis IP result obtaining module 210 may be specifically configured to:
Acquiring a plurality of response data packets from the DNS traffic, and analyzing all the response data packets to acquire a plurality of domain names to be detected;
and filtering out detection domain names with CDN characteristics of the content delivery network and cache time value TTL of the analysis IP result data exceeding a set time threshold from the domain names to be detected, and forming the target detection domain name.
In the above apparatus, optionally, the statistical index set obtaining module 220 may be specifically configured to:
According to the analysis IP result data in each time unit, calculating to obtain each static statistical index set corresponding to each time unit;
And calculating to obtain each dynamic statistical index set corresponding to each time unit according to the average value of each static statistical index corresponding to each static statistical index set corresponding to each time unit and a preset formula.
In the above apparatus, optionally, the normalized statistics set obtaining module 230 may be specifically configured to:
respectively acquiring a plurality of index values corresponding to the current processing statistical index from each static statistical index set or each dynamic statistical index set;
according to the formula: calculating the normalized index value X_norm of the currently processed statistical index in the current target time unit;
wherein X is the index value corresponding to the current target time unit, X_max is the maximum of all the obtained index values, and X_min is the minimum of all the obtained index values.
In the above apparatus, optionally, the static statistics include: maximum request length, accumulation of different resolved IP numbers, accumulation of different network segment numbers, accumulation of different AS codes, AS scores and resolved IP distribution;
The dynamic statistics include: the analysis IP aggregate changes, the network segment changes, AS code changes and single response analysis IP maximum number changes.
In the above apparatus, optionally, the normalized statistics set obtaining module 230 may be further specifically configured to:
and determining a static statistical index set that does not satisfy both an analysis IP distribution value of 0 and an accumulated number of different AS codes less than or equal to 3 as a target static statistical index set that does not meet the normal domain name detection condition.
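The following is an added example, not code from the patent, that builds the per-time-unit static and dynamic statistical index sets described for modules 210 to 230 above (and in the fig. 1B flow) from constructed DNS response records: the TTL pre-filter on the domain names to be detected, hourly time units, the distinct resolved IP / network segment / AS code counts, the maximum number of resolved IPs in a single response, the dynamic change indexes derived from the average over the time units, and the normal domain name detection condition (dip = 0 and nas ≤ 3). Several definitions are assumptions because this section does not give them: the "resolved IP distribution" dip is taken as the number of distinct /16 blocks minus one, the dynamic "preset formula" as the absolute deviation of a unit's static index from the mean over all units, AS codes come from a constructed prefix table, the CDN-characteristic filter is omitted, and the maximum request length and AS score indexes are left out.

```python
"""Added example (not the patent's code): per-time-unit static and dynamic
statistical index sets from DNS response records, the TTL pre-filter and the
normal domain name detection condition (dip = 0 and nas <= 3).
Assumed, because the section does not define them: dip = distinct /16 blocks
minus one; dynamic change = |unit value - mean over units|; AS codes from a
constructed prefix table; CDN filter, max request length and AS score omitted."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import Dict, List

# Constructed prefix -> AS code table (stands in for a real IP-to-AS database).
AS_TABLE = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64501,
            "192.0.2.0/25": 64502, "192.0.2.128/25": 64503, "100.64.0.0/10": 64504}
TTL_THRESHOLD = 300  # set time threshold in seconds (constructed value)

# Constructed DNS response records: "<iso-timestamp> <name> <ttl> <ip>[,<ip>...]".
SAMPLE_RESPONSES = """\
2021-11-29T10:00:05 flux-a.example 60 203.0.113.5,198.51.100.9
2021-11-29T10:20:11 flux-a.example 60 192.0.2.17,192.0.2.200,100.64.3.3
2021-11-29T11:05:40 flux-a.example 60 203.0.113.77,100.64.9.1
2021-11-29T11:45:02 flux-a.example 60 198.51.100.9,192.0.2.18
2021-11-29T12:10:00 flux-a.example 60 203.0.113.5
2021-11-29T10:15:00 shop.example 60 203.0.113.40,203.0.113.41
2021-11-29T11:15:00 shop.example 60 203.0.113.40,203.0.113.41
2021-11-29T10:30:00 cdn-static.example 3600 198.51.100.20
"""


def as_code(ip: str) -> int:
    """First matching prefix wins; the constructed table has no overlapping prefixes."""
    addr = ip_address(ip)
    for prefix, asn in AS_TABLE.items():
        if addr in ip_network(prefix):
            return asn
    return 0  # unknown AS


def parse_responses(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        ts, name, ttl, ips = line.split()
        records.append({"time": datetime.fromisoformat(ts), "name": name,
                        "ttl": int(ttl), "ips": ips.split(",")})
    return records


def target_domains(records: List[dict], ttl_threshold: int = TTL_THRESHOLD) -> List[str]:
    """Keep only domain names whose analysis IP result data never exceed the TTL threshold."""
    max_ttl: Dict[str, int] = defaultdict(int)
    for r in records:
        max_ttl[r["name"]] = max(max_ttl[r["name"]], r["ttl"])
    return sorted(n for n, t in max_ttl.items() if t <= ttl_threshold)


def static_index_sets(records: List[dict], name: str) -> List[Dict[str, int]]:
    """One static statistical index set per hourly time unit for the given domain name."""
    by_hour = defaultdict(list)
    for r in records:
        if r["name"] == name:
            by_hour[r["time"].replace(minute=0, second=0, microsecond=0)].append(r)
    sets = []
    for hour in sorted(by_hour):
        ips = {ip for r in by_hour[hour] for ip in r["ips"]}
        segments = {ip_network(ip + "/24", strict=False) for ip in ips}
        blocks16 = {ip_network(ip + "/16", strict=False) for ip in ips}
        sets.append({
            "nip": len(ips),                                   # distinct resolved IPs
            "nnet": len(segments),                             # distinct /24 network segments
            "nas": len({as_code(ip) for ip in ips}),           # distinct AS codes
            "mal": max(len(r["ips"]) for r in by_hour[hour]),  # max IPs in one response
            "dip": len(blocks16) - 1,                          # assumed "IP distribution"
        })
    return sets


def dynamic_index_sets(static_sets: List[Dict[str, int]]) -> List[Dict[str, float]]:
    """Assumed preset formula: change = |unit value - mean over all time units|."""
    pairs = {"nip": "cip", "nnet": "cnet", "nas": "cas", "mal": "cal"}
    means = {k: mean(s[k] for s in static_sets) for k in pairs}
    return [{c: abs(s[k] - means[k]) for k, c in pairs.items()} for s in static_sets]


def meets_normal_condition(static_set: Dict[str, int]) -> bool:
    """Normal domain name detection condition stated in the text: dip = 0 and nas <= 3."""
    return static_set["dip"] == 0 and static_set["nas"] <= 3


def units_needing_classification(static_sets: List[Dict[str, int]]) -> List[int]:
    """Indices of target time units whose static set fails the condition and therefore go
    on to normalization, fitting and the SVM; an empty list means a normal domain name."""
    return [i for i, s in enumerate(static_sets) if not meets_normal_condition(s)]


if __name__ == "__main__":
    recs = parse_responses(SAMPLE_RESPONSES)
    for name in target_domains(recs):
        stat = static_index_sets(recs, name)
        print(name, stat, "units to classify:", units_needing_classification(stat))
        print("  dynamic:", dynamic_index_sets(stat))
```

On the constructed records, cdn-static.example is dropped by the TTL filter before any statistics are computed, shop.example meets the normal condition in every hour and never reaches the SVM, and flux-a.example fails it in two of its three hours, which is the case the rest of the method handles.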
In the above apparatus, optionally, the fitting value calculating module 240 may be specifically configured to:
obtaining a fitting static value according to a target normalized static statistics index set corresponding to each target time unit and a preset static statistics index weight parameter set;
and obtaining a fitting dynamic value according to the target normalized dynamic statistics index set corresponding to each target time unit and the preset dynamic statistics index weight parameter set.
The Fast-Flux botnet detection device provided by the embodiment of the invention can execute the Fast-Flux botnet detection method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example III
Fig. 3 is a schematic structural diagram of a computer device according to a third embodiment of the present invention. As shown in fig. 3, the device includes a processor 310, a storage device 320, an input device 330 and an output device 340; the number of processors 310 in the device may be one or more, and one processor 310 is taken as an example in fig. 3; the processor 310, the storage device 320, the input device 330 and the output device 340 in the device may be connected by a bus or in another manner, and fig. 3 takes a bus connection as an example.
The storage 320 is used as a computer readable storage medium, and may be used to store a software program, a computer executable program, and modules, such as program instructions/modules corresponding to the Fast-Flux botnet detection method in the embodiment of the present invention (for example, the analysis IP result obtaining module 210, the statistics index set obtaining module 220, the normalization statistics index set obtaining module 230, the fitting value calculating module 240, the respective recognition result obtaining modules 250, the target recognition result obtaining module 260, and the botnet determining module 270 in the Fast-Flux botnet detection device). Processor 310 executes various functional applications of the device and data processing by running software programs, instructions and modules stored in storage 320, i.e., implements the Fast-Flux botnet detection method described above, which may include:
acquiring a target detection domain name, and acquiring analysis IP result data matched with the target detection domain name from domain name analysis service (DNS) flow data at intervals of monitoring time;
Dividing the monitoring time length into a plurality of time units, and calculating a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit according to the analysis IP result data in each time unit;
when the target static statistics index set is determined to not meet the normal domain name detection condition, calculating a normalized static statistics index set and a normalized dynamic statistics index set which respectively correspond to each target time unit;
calculating a fitting static value and a fitting dynamic value which respectively correspond to each target time unit according to the normalized static statistics index set and the normalized dynamic statistics index set which respectively correspond to each target time unit;
Respectively inputting the fitting static value and the fitting dynamic value under each target time unit into a pre-trained Support Vector Machine (SVM) model, and acquiring each recognition result of whether the target detection domain name under each target time unit in the monitoring duration is an abnormal domain name;
Obtaining whether the target detection domain name is the target identification result of the abnormal domain name in the monitoring time period according to the number proportion of the identification results, in which the target detection domain name is the abnormal domain name, in the identification results and a preset proportion threshold;
And when the target detection domain name is determined to be the abnormal domain name in the monitoring time period, determining the botnet matched with the target detection domain name according to the IP address of the access target detection domain name.
The storage device 320 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for functions; the storage data area may store data created according to the use of the terminal, etc. In addition, storage 320 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the storage 320 may further include memory remotely located with respect to the processor 310, which may be connected to the device/terminal/server via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 330 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the apparatus. The output device 340 may include a display device such as a display screen.
Example IV
A fourth embodiment of the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, is configured to perform a Fast-Flux botnet detection method, the method may include:
acquiring a target detection domain name, and acquiring analysis IP result data matched with the target detection domain name from domain name analysis service (DNS) flow data at intervals of monitoring time;
Dividing the monitoring time length into a plurality of time units, and calculating a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit according to the analysis IP result data in each time unit;
when the target static statistics index set is determined to not meet the normal domain name detection condition, calculating a normalized static statistics index set and a normalized dynamic statistics index set which respectively correspond to each target time unit;
calculating a fitting static value and a fitting dynamic value which respectively correspond to each target time unit according to the normalized static statistics index set and the normalized dynamic statistics index set which respectively correspond to each target time unit;
Respectively inputting the fitting static value and the fitting dynamic value under each target time unit into a pre-trained Support Vector Machine (SVM) model, and acquiring each recognition result of whether the target detection domain name under each target time unit in the monitoring duration is an abnormal domain name;
Obtaining whether the target detection domain name is the target identification result of the abnormal domain name in the monitoring time period according to the number proportion of the identification results, in which the target detection domain name is the abnormal domain name, in the identification results and a preset proportion threshold;
And when the target detection domain name is determined to be the abnormal domain name in the monitoring time period, determining the botnet matched with the target detection domain name according to the IP address of the access target detection domain name.
Of course, the computer program of the computer readable storage medium provided by the embodiment of the present invention is not limited to the method operations described above, and may also perform the related operations in the Fast-Flux botnet detection method provided by any embodiment of the present invention.
From the above description of embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk, or an optical disk of a computer, etc., and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present invention.
It should be noted that, in the embodiment of the Fast-Flux botnet detection device, each unit and module included are only divided according to the functional logic, but are not limited to the above-mentioned division, so long as the corresponding functions can be implemented; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present invention.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.
Claims (9)
1. A Fast-Flux botnet detection method, comprising:
acquiring a target detection domain name, and acquiring analysis IP result data matched with the target detection domain name from domain name analysis service (DNS) flow data at intervals of monitoring time;
Dividing the monitoring time length into a plurality of time units, and calculating a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit according to the analysis IP result data in each time unit; the static statistics index set is used for representing the characteristic of the analysis IP in each target time unit, and the dynamic statistics index set is used for representing the change condition of analysis IP result data in each target time unit;
The static statistical index includes: maximum request length, accumulation of different resolved IP numbers, accumulation of different network segment numbers, accumulation of different AS codes, AS scores and resolved IP distribution;
the dynamic statistics include: analyzing IP set change, network segment change, AS code change and single response analysis IP maximum number change;
When the target static statistical index set is determined to not meet the normal domain name detection condition, calculating a normalized static statistical index set and a normalized dynamic statistical index set which respectively correspond to each target time unit, wherein the normal domain name detection condition is whether one or some static statistical index values in each static statistical index set meet a preset range;
calculating a fitting static value and a fitting dynamic value which respectively correspond to each target time unit according to the normalized static statistics index set and the normalized dynamic statistics index set which respectively correspond to each target time unit;
Respectively inputting the fitting static value and the fitting dynamic value under each target time unit into a pre-trained Support Vector Machine (SVM) model, and acquiring each recognition result of whether the target detection domain name under each target time unit in the monitoring duration is an abnormal domain name;
Obtaining whether the target detection domain name is the target identification result of the abnormal domain name in the monitoring time period according to the number proportion of the identification results, in which the target detection domain name is the abnormal domain name, in the identification results and a preset proportion threshold;
And when the target detection domain name is determined to be the abnormal domain name in the monitoring time period, determining the botnet matched with the target detection domain name according to the IP address of the access target detection domain name.
2. The method of claim 1, wherein obtaining the target detection domain name comprises:
Acquiring a plurality of response data packets from the DNS traffic, and analyzing all the response data packets to acquire a plurality of domain names to be detected;
and filtering out detection domain names with CDN characteristics of the content delivery network and cache time value TTL of the analysis IP result data exceeding a set time threshold from the domain names to be detected, and forming the target detection domain name.
3. The method of claim 1, wherein calculating a set of static and dynamic statistics for the target detection domain name in each target time unit based on the parsed IP result data in each time unit, comprises:
According to the analysis IP result data in each time unit, calculating to obtain each static statistical index set corresponding to each time unit;
And calculating to obtain each dynamic statistical index set corresponding to each time unit according to the average value of each static statistical index corresponding to each static statistical index set corresponding to each time unit and a preset formula.
4. A method according to claim 3, wherein calculating a normalized static and a normalized dynamic set of statistical indicators corresponding to each target time unit, respectively, comprises:
respectively acquiring a plurality of index values corresponding to the current processing statistical index from each static statistical index set or each dynamic statistical index set;
according to the formula: calculating the normalized index value X_norm of the currently processed statistical index in the current target time unit;
wherein X is the index value corresponding to the current target time unit, X_max is the maximum of all the obtained index values, and X_min is the minimum of all the obtained index values.
5. The method of claim 1, wherein determining that the set of target static statistical indicators does not satisfy the normal domain name detection condition comprises:
and determining a static statistical index set that does not satisfy both an analysis IP distribution value of 0 and an accumulated number of different AS codes less than or equal to 3 as a target static statistical index set that does not meet the normal domain name detection condition.
6. The method of claim 1, wherein calculating the fitted static value and the fitted dynamic value corresponding to each target time unit respectively based on the normalized static statistics index set and the normalized dynamic statistics index set corresponding to each target time unit respectively, comprises:
Obtaining a fitting static value according to a normalized static statistics index set corresponding to each target time unit and a preset static statistics index weight parameter set;
And obtaining a fitting dynamic value according to the normalized dynamic statistics index set corresponding to each target time unit and the preset dynamic statistics index weight parameter set.
7. A Fast-Flux botnet detection device, comprising:
the analysis IP result acquisition module is used for acquiring a target detection domain name and acquiring analysis IP result data matched with the target detection domain name from domain name analysis service (DNS) flow data at intervals of monitoring duration;
The statistical index set acquisition module is used for dividing the monitoring time length into a plurality of time units and calculating a static statistical index set and a dynamic statistical index set of the target detection domain name in each target time unit according to the analysis IP result data in each time unit; the static statistics index set is used for representing the characteristic of the analysis IP in each target time unit, and the dynamic statistics index set is used for representing the change condition of analysis IP result data in each target time unit;
The static statistical index includes: maximum request length, accumulation of different resolved IP numbers, accumulation of different network segment numbers, accumulation of different AS codes, AS scores and resolved IP distribution;
the dynamic statistics include: analyzing IP set change, network segment change, AS code change and single response analysis IP maximum number change;
The normalized statistical index set acquisition module is used for calculating a normalized static statistical index set and a normalized dynamic statistical index set which are respectively corresponding to each target time unit when the target static statistical index set is determined not to meet the normal domain name detection condition, wherein the normal domain name detection condition is whether one or some static statistical index values in each static statistical index set meet the preset range;
The fitting value calculating module is used for calculating fitting static values and fitting dynamic values respectively corresponding to each target time unit according to the normalized static statistics index set and the normalized dynamic statistics index set respectively corresponding to each target time unit;
The recognition result acquisition module is used for respectively inputting the fitting static value and the fitting dynamic value under each target time unit into a pre-trained Support Vector Machine (SVM) model to acquire the recognition results of whether the target detection domain name under each target time unit in the monitoring duration is an abnormal domain name or not;
The target recognition result acquisition module is used for acquiring a target recognition result of whether the target detection domain name is an abnormal domain name in the monitoring duration according to the recognition result number proportion of the target detection domain name in each recognition result as the abnormal domain name and a preset proportion threshold;
and the botnet determining module is used for determining the botnet matched with the target detection domain name according to the IP address of the access target detection domain name when the target detection domain name is the abnormal domain name in the monitoring time period.
8. A computer device, the computer device comprising:
One or more processors;
A storage means for storing one or more programs;
The one or more programs, when executed by the one or more processors, cause the one or more processors to implement the Fast-Flux botnet detection method of any of claims 1-6.
9. A computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the Fast-Flux botnet detection method of any one of claims 1-6.
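As an added illustration (not code from the patent), the following Python sketch walks the dynamic branch of claim 7 over constructed per-time-unit resolution snapshots: it derives the four dynamic indices, normalizes them, folds each unit into a fitting dynamic value, stands in a linear decision rule for the pre-trained SVM (whose parameters are not given on this page), applies the proportion threshold, and finally collects the accessing IPs as the matched botnet. The /24 segment granularity, min-max normalization, mean-based fitting, decision weights and all data values are assumptions.

```python
from ipaddress import ip_network
# Constructed per-time-unit observations for one monitored domain (invented
# values, not from the patent): the resolved IP set and the AS numbers it maps to.
FLUX_UNITS = [
    ({"203.0.113.10", "203.0.113.11"}, {64500}),
    ({"203.0.113.10", "203.0.113.11"}, {64500}),
    ({"198.51.100.7", "192.0.2.40", "203.0.113.200"}, {64501, 64502, 64503}),
    ({"192.0.2.40", "198.51.100.99", "203.0.113.201", "203.0.113.10"}, {64502, 64504, 64500}),
    ({"203.0.113.10", "203.0.113.11"}, {64500}),
]
STABLE_UNITS = [({"203.0.113.10", "203.0.113.11"}, {64500})] * 5  # benign control
ACCESS_LOG = [("10.0.0.5", "flux.example"), ("10.0.0.9", "flux.example"),   # constructed
              ("10.0.0.5", "flux.example"), ("10.0.0.7", "shop.example")]  # query log

def dynamic_stats(prev, cur):
    # The four dynamic indices of claim 7, measured as change from the previous
    # unit: resolved IP set, /24 segments (assumed granularity), AS numbers,
    # and max IPs per response (assumed to be the unit's resolved-IP count).
    (p_ips, p_as), (c_ips, c_as) = prev, cur
    seg = lambda ips: {ip_network(ip + "/24", strict=False) for ip in ips}
    return [len(p_ips ^ c_ips), len(seg(p_ips) ^ seg(c_ips)),
            len(p_as ^ c_as), abs(len(c_ips) - len(p_ips))]

def min_max_normalize(rows):
    # Assumed normalization: min-max per index across the monitoring duration.
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in rows]

def fitting_value(row):
    # Assumed fitting: the mean of one unit's normalized indices.
    return sum(row) / len(row)

def svm_stand_in(fit_dynamic, w=1.0, b=-0.5):
    # Placeholder for the pre-trained SVM: a linear decision function with an
    # invented weight and bias; the real model's parameters are not on the page.
    return w * fit_dynamic + b > 0

def detect_domain(units, ratio_threshold=0.5):
    # Per-unit verdicts, then the proportion test against the preset threshold.
    rows = [dynamic_stats(units[i - 1], units[i]) for i in range(1, len(units))]
    flags = [svm_stand_in(fitting_value(r)) for r in min_max_normalize(rows)]
    ratio = sum(flags) / len(flags)
    return ratio >= ratio_threshold, ratio, flags

def botnet_members(access_log, domain):
    # Hosts that queried a domain judged abnormal form its matched botnet set.
    return sorted({src for src, name in access_log if name == domain})
```

With the constructed data, three of the four unit transitions are flagged (ratio 0.75), so the domain is judged abnormal and the two hosts that queried it are returned; the constant control domain yields a ratio of 0.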
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202111437643.9A (CN114172707B) | 2021-11-29 | 2021-11-29 | Fast-Flux botnet detection method, device, equipment and storage medium
Publications (2)
Publication Number | Publication Date
---|---
CN114172707A | 2022-03-11
CN114172707B | 2024-04-26
Family ID: 80481845
Family Applications (1)
Application Number | Status | Title | Priority Date | Filing Date
---|---|---|---|---
CN202111437643.9A (CN114172707B) | Active | Fast-Flux botnet detection method, device, equipment and storage medium | 2021-11-29 | 2021-11-29
Country Status (1)
Country | Link
---|---
CN (1) | CN114172707B
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117097639B (en) * | 2023-08-16 | 2024-01-30 | 广州尚全信息技术有限公司 | Real-time prompting method and system for network risk |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101702660A * | 2009-11-12 | 2010-05-05 | 中国科学院计算技术研究所 | Abnormal domain name detection method and system
CN101826996A * | 2010-03-19 | 2010-09-08 | 中国科学院计算机网络信息中心 | Domain name system traffic detection method and domain name server
CN102082836A * | 2009-11-30 | 2011-06-01 | 中国移动通信集团四川有限公司 | DNS (Domain Name Server) security monitoring system and method
CN103685230A * | 2013-11-01 | 2014-03-26 | 上海交通大学 | Distributed cooperative detection system and method for botnet malicious domain names
CN106375351A * | 2016-11-29 | 2017-02-01 | 神州网云(北京)信息技术有限公司 | Abnormal domain name detection method and device
CN107888607A * | 2017-11-28 | 2018-04-06 | 新华三技术有限公司 | Cyber threat detection method, device and network management device
CN108768917A * | 2017-08-23 | 2018-11-06 | 长安通信科技有限责任公司 | Botnet detection method and system based on network logs
CN109391602A * | 2017-08-11 | 2019-02-26 | 北京金睛云华科技有限公司 | Zombie host detection method
CN110266739A * | 2019-08-06 | 2019-09-20 | 杭州安恒信息技术股份有限公司 | Fast-Flux botnet detection method combined with threat intelligence
CN110730175A * | 2019-10-16 | 2020-01-24 | 杭州安恒信息技术股份有限公司 | Threat intelligence-based botnet detection method and detection system
CN111818073A * | 2020-07-16 | 2020-10-23 | 深信服科技股份有限公司 | Method, device, equipment and medium for detecting compromised hosts
CN111866196A * | 2019-04-26 | 2020-10-30 | 深信服科技股份有限公司 | Domain name traffic feature extraction method, device, equipment and readable storage medium
CN111935136A * | 2020-08-07 | 2020-11-13 | 哈尔滨工业大学 | Domain name query and resolution anomaly detection system and method based on DNS data analysis
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US10218726B2 * | 2016-03-25 | 2019-02-26 | Cisco Technology, Inc. | Dynamic device clustering using device profile information
US10460101B2 * | 2017-06-06 | 2019-10-29 | Microsoft Technology Licensing, LLC | Enriching netflow data with passive DNS data for botnet detection
Timeline
- 2021-11-29: application CN202111437643.9A filed in China (CN), granted as CN114172707B, status Active
Non-Patent Citations (2)
Title
---
Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic; Pierangelo Lombardo, Salvatore Saeli, Federica Bisio, Davide Bernardi and Danilo Massa; SpringerLink; full text *
Research on botnet monitoring based on intrusion alert correlation within a managed network; 刘尚东 (Liu Shangdong); China Doctoral Dissertations Full-text Database; full text *
Similar Documents
Publication | Title
---|---
CN109951500B | Network attack detection method and device
AU2017221858B2 | Graph database analysis for network anomaly detection systems
CN107465651B | Network attack detection method and device
US8549645B2 | System and method for detection of denial of service attacks
US9208323B1 | Classifier-based security for computing devices
US20180069883A1 | Detection of Known and Unknown Malicious Domains
CN114615016B | Enterprise network security assessment method and device, mobile terminal and storage medium
CN111641658A | Request intercepting method, device, equipment and readable storage medium
CN109495521B | Abnormal traffic detection method and device
CN112491784A | Request processing method and device of Web site and computer readable storage medium
CN107332848A | Real-time network traffic anomaly monitoring system based on big data
CN107682345B | IP address detection method and device and electronic equipment
US10911477B1 | Early detection of risky domains via registration profiling
CN114640504B | CC attack protection method, device, equipment and storage medium
CN107426136B | Network attack identification method and device
CN112765502B | Malicious access detection method, device, electronic equipment and storage medium
CN112437062B | ICMP tunnel detection method, device, storage medium and electronic equipment
CN114172707B | Fast-Flux botnet detection method, device, equipment and storage medium
CN112839005B | DNS domain name abnormal access monitoring method and device
CN109413022B | Method and device for detecting HTTP FLOOD attack based on user behavior
CN111131285B | Active protection method for random domain name attack
CN109246157A | Correlation detection method for slow HTTP request DoS attacks
CN112261004B | Method and device for detecting Domain Flux data streams
CN110162969B | Traffic analysis method and device
CN114615078A | DDoS attack detection method, device and equipment
Legal Events
Code | Title
---|---
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant