CN114666071A - Botnet identification method and device and terminal equipment - Google Patents

Abstract

The present application discloses a botnet identification method, device and terminal device, wherein the method includes: performing risk identification on a DNS message log to be processed, and obtaining a risk identification result, wherein the DNS message log includes multiple domain name information, Each of the domain name information includes a domain name and a source IP corresponding to the domain name; when the risk identification result indicates that the DNS packet log is suspected of malicious traffic, the DNS packet log is determined based on preconfigured DGA family rules. The DGA family set to which each domain name information in the document log belongs; based on the DGA family set and the source IP, cluster the domain name information with the same source IP to obtain multiple target traffic groups; count the target traffic separately The number of source IPs accessing the same type of DGA family set in the group; when the number is greater than the first threshold and the proportion of invalid access returns is greater than the second threshold, it is determined that the network corresponding to the source IP is a botnet.

Description

Botnet identification method, device and terminal device

technical field

The present application relates to the technical field of network security, and in particular, to a method, device and terminal device for identifying a botnet.

Background technique

Botnet is a complex, flexible and efficient network attack platform, which is widely distributed in the Internet. Botnets enable attackers to carry out large-scale malicious activities, such as launching distributed denial of service attacks, sending spam (Spam), phishing (Phishing), and stealing information, etc.

Among them, the logic of the botnet is that hackers use corresponding means to break through user hosts, enterprise servers, etc. to achieve their own illegal purposes. The activities of botnets are mainly divided into three stages: propagation, command and control (C&C), and attack. Command and control is the core mechanism of botnet work. For example, as shown in Figure 1, it is a botnet implementation process based on the central C&C server. It establishes the connection between the C&C server and the bot host through the remote control domain name, and then sends out instructions to launch groups to attack the victim host or server. Network attacks.

Due to the serious harm of botnets, how to effectively identify and fight against botnets has become one of the hotspots in network security research. However, in the game process of botnets with security organizations and manufacturers, in order to solve the problems of concealment and survivability of botnets, they are also constantly evolving, thus showing the following development trends.

1. Decentralization: Decentralized structures are gradually being adopted by more and more botnets due to their advantages in invulnerability.

2. Miniaturization: The scale of botnets is shrinking to a certain extent.

3. Isolation: More botnets will use Domain-Flux (DGA) technology to isolate the direct communication between zombie nodes and command servers, so as to provide a layer of security protection for command servers.

In response to the aforementioned trend of botnets, the existing botnet detection methods in related technologies gradually lose their own advantages, resulting in poor botnet identification effects and ineffective countermeasures against botnet attacks.

SUMMARY OF THE INVENTION

The embodiments of the present application provide a botnet identification method, device, and terminal device, which can effectively solve the problem of poor botnet identification effect and inability to effectively counter botnet attacks.

In order to solve the above problems, this application is implemented as follows:

In a first aspect, an embodiment of the present application provides a method for identifying a botnet, the method comprising: performing risk identification on a DNS message log to be processed, and obtaining a risk identification result, where the DNS message log includes multiple domain name information, Each of the domain name information includes a domain name and a source IP corresponding to the domain name; when the risk identification result indicates that the DNS packet log is suspected of malicious traffic, the DNS packet log is determined based on preconfigured DGA family rules. The target DGA family set to which each domain name information in the document log belongs; based on the DGA family set and the source IP, cluster the domain name information sets with the same source IP to obtain multiple target traffic groups; The number of source IPs accessing the same type of DGA family set in the target traffic group; when the number is greater than the first threshold and the proportion of invalid access returns is greater than the second threshold, it is determined that the network corresponding to the source IP is a botnet .

In a second aspect, an embodiment of the present application further provides a botnet identification device, including: an identification module configured to perform risk identification on a DNS message log to be processed, and obtain a risk identification result, where the DNS message log includes multiple Domain name information, each of the domain name information includes a domain name and a source IP corresponding to the domain name; a first determination module is configured to, when the risk identification result indicates that the DNS packet log is suspected of malicious traffic, based on pre-configured The DGA family rules, determine the target DGA family set to which each domain name information in the DNS message log belongs; the clustering module is used for the domain name information set with the same source IP based on the DGA family set and the source IP. Clustering is performed to obtain a plurality of target traffic groups; a statistics module is used to separately count the number of source IPs accessing the same type of DGA family set in each of the target traffic groups; a second determination module is used for when the number is greater than the number of In the case of a threshold and the proportion of invalid access returns is greater than the second threshold, it is determined that the network corresponding to the source IP is a botnet.

In a third aspect, an embodiment of the present application further provides a terminal device, including a processor, a memory, and a program or instruction stored on the memory and executable on the processor, where the program or instruction is processed by the The steps of implementing the method for identifying a botnet according to the first aspect when the server is executed.

In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, when an instruction in the storage medium is executed by a processor in a terminal device, the terminal device can perform the botnet identification described in the first aspect steps of the method.

The above-mentioned at least one technical solution adopted in the embodiments of the present application can achieve the following beneficial effects:

In the embodiment of the present application, the DNS packet log to be processed is analyzed by using the preconfigured DGA family rules, so as to realize the effective identification of the botnet, so as to effectively fight against the attack of the botnet.

The above description is only an overview of the technical solution of the application. In order to understand the technical means of the application more clearly, it can be implemented according to the content of the description, and in order to make the above and other objectives, features and advantages of the application more obvious and understandable, the following The specific embodiments of the present application are specifically cited.

Description of drawings

The drawings described herein are used to provide further understanding of the present application and constitute a part of the present application. The schematic embodiments and descriptions of the present application are used to explain the present application and do not constitute an improper limitation of the present application. In the attached image:

FIG. 1 is a schematic flowchart of a method for identifying a botnet according to an exemplary embodiment.

FIG. 2 is a schematic flowchart of a method for identifying a botnet according to another exemplary embodiment.

FIG. 3 is a block diagram of a botnet identification device provided according to an exemplary embodiment.

FIG. 4 is a block diagram of a terminal device provided according to an exemplary embodiment.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the specific embodiments of the present application and the corresponding drawings. Obviously, the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.

The technical solutions provided by the embodiments of the present application will be described in detail below with reference to the accompanying drawings.

The present application provides a botnet identification method, apparatus, and terminal device, wherein the botnet identification method can be applied to a terminal device, and specifically can be executed by hardware or/and software installed in the terminal device. Optionally, the terminal device may be, but is not limited to, a mobile phone, a tablet computer (Tablet Personal Computer), a laptop computer (Laptop Computer) or a notebook computer, a personal digital assistant (Personal Digital Assistant, PDA), a handheld computer , Netbook, Ultra-mobile Personal Computer (UMPC), Mobile Internet Device (MID), Wearable Device (Wearable Device) or Vehicle-mounted Equipment (VUE), Pedestrian Terminal (PUE) and other terminals Side devices, wearable devices include: bracelets, headphones, glasses, etc. It should be noted that, the embodiment of the present application does not limit the specific type of the terminal 11 .

Referring to FIG. 1 , a schematic flowchart of a botnet identification method 100 provided by an exemplary embodiment of the present application, the method 100 at least includes the following steps.

S110: Perform risk identification on the domain name system (Domain Name System, DNS) message log to be processed to obtain a risk identification result.

The DNS message log includes a plurality of domain name information, and each of the domain name information includes a domain name and a source Internet Protocol (IP) corresponding to the domain name. The DNS message log may be acquired in real time. For example, the switch traffic information may be acquired by means of bypass mirroring, and then the switch traffic information may be parsed by the DPI resolution method to obtain the DNS message log.

In an implementation manner, the DNS message log may include 14 fields, and each field is separated by a symbol "|". For example, the DNS message log may be expressed as: timestamp|session ID|source IP| Source Port|Destination IP|Destination Port|Protocol|Data Length|Request or Response|Domain Name|QTYPE|QCLASS|RCODE|RDATA.

It should be noted that the DNS packet log is divided into two categories according to the "request or response" field, one is DNS request, and the other is DNS response. The DNS request and the DNS response can be expressed respectively. as follows.

a. DNS request

15412345677|1231231312123|10.1.1.1|3456|10.1.1.2|53|dns|80|Q|www.a.com|A|IN|.

b. DNS response

15412345677|1231231312123|10.1.1.1|3456|10.1.1.2|53|dns|80|A|www.a.com|A|IN|NoError|10.1.1.1.

S120, when the risk identification result indicates that the DNS message log is suspected of malicious traffic, based on a preconfigured domain name generation algorithm (Domain Generation Algorithm, DGA) family rule, determine each domain name information in the DNS message log The DGA family collection to which it belongs.

Wherein, the acquisition process of the DGA family rules may include: according to the character rules of each DGA family provided by 360, etc., extracting a rule set for determining that the domain name is a certain type of family, for example, the Mirai family domain name meets a fixed length of 12, and the characters are a-y Then, the decision SQL statement of the Mirai family is obtained.

In this embodiment, the acquisition process of the DGA family set may include: matching the DNS packet log of suspected malicious traffic with the DGA family rule to obtain the DGA family set corresponding to each domain name information in the DNS packet log .

It should be noted that if a malicious traffic adds a family field, the content is 15412345677|1231231312123|10.1.1.1|3456|10.1.1.2|53|dns|80|A|abcjiaucnoin.com|A|IN|NoError|10.1. 1.1|[mirai,tempedreve,tinba], can complete the domain name family information of the malicious traffic.

S130, based on the DGA family set and the source IP, cluster domain name information sets with the same source IP to obtain multiple target traffic groups.

S140: Count the number of source IPs accessing the same type of DGA family set in each of the target traffic groups respectively.

S150. In the case that the number is greater than the first threshold and the proportion of invalid access returns is greater than the second threshold, determine that the network corresponding to the source IP is a botnet.

In this embodiment, in S130 to S150, the first threshold and the second threshold may be set according to actual requirements. For example, assuming that the first threshold is θ1 and the second threshold is θ2, respectively, then, as a A possible implementation method, take malicious traffic with the same source IP (that is, target traffic group) as a group, the size is N _IP , and count the number δ of source IP accessing the same type of DGA family set in a group, such as 10.1.1.1 The number of domain names accessing the mirai family set, if δ>θ1, then determine the invalid return ratio η of the DGA family set accessed by the source IP, and if η>θ2, it can be determined that the source IP is a botnet.

Wherein, the calculation method of the invalid return ratio n can be expressed as follows.

Among them, NIP represents the total number of visits, and N _{IP,rcode=NXdomain} represents the number of invalid returns.

In this embodiment, the preconfigured DGA family rules are used to analyze the DNS packet log to be processed, so as to realize the effective identification of the botnet. In addition, the DGA family rules are easy to implement, and have high coverage and versatility. After testing, the identification accuracy of botnets is high.

Referring to FIG. 2 in conjunction with a schematic flowchart of a botnet identification method 200 according to an exemplary embodiment of the present application, the method 200 at least includes the following steps.

S210: Obtain the pending DNS packet log.

Wherein, for the acquisition method of the DNS message log described in S210, reference may be made to the relevant description in the foregoing S110, and in order to avoid repetition, details are not repeated here.

S220: Preprocess the domain name information included in the DNS message log to obtain a plurality of corpora to be identified.

As a possible implementation manner, the implementation process of S220 may include: standardizing each of the domain name information included in the DNS message log; performing word segmentation processing on each of the standardized domain names to obtain corresponding Multiple corpora to be identified for the domain name information.

For example, assuming that the domain name information is QQ.com, then first case-convert the domain name information. For example, if the letter Q is normalized to q, then the domain name information after the normalization of QQ.com is qq.com; The standardized domain name information is subjected to word segmentation, that is, the standardized domain name information is subjected to word segmentation according to each single letter. For example, after the domain name information qq.com is subjected to word segmentation, the expected to-be-identified {q q c o m} is obtained. .

As another possible implementation manner, after obtaining the expectation to be identified, in order to further improve the identification accuracy of the botnet, the length of each of the to-be-identified corpora may be processed as a predetermined length. For example, assuming that the predetermined length of the preconfigured corpus is n (such as 32), then, for each corpus to be recognized, when the length of the corpus to be recognized exceeds the predetermined length, the corpus to be recognized may be truncated, so that the truncation The length of the corpus to be recognized is the predetermined length. On the contrary, when the length of the corpus to be recognized is less than the predetermined length, the length of the corpus to be recognized can be supplemented, so that the length of the supplemented corpus to be recognized is the specified length. the predetermined length.

Wherein, the present embodiment does not limit the complementing manner or truncation manner to be identified.

S230: Query a preconfigured word vector matrix according to each domain name letter included in the corpus to be recognized, and obtain a vector to be recognized.

Wherein, the word vector matrix can be obtained based on the word2vec model. As a possible implementation manner, the generation process of the word vector matrix can be referred to the detailed description in the following S240, which is not repeated here.

S240: Input the to-be-identified vector into a pre-trained DGA identification model to obtain a risk identification result.

Wherein, the DGA recognition model may be obtained by training based on, but not limited to, the Textcnn model. As a possible implementation manner, the pre-training process of the DGA recognition model may include the following (1)-(6).

(1) Obtain multiple domain name information for training dataset construction.

The plurality of domain name information may be acquired in real time, or may be acquired from HDFS.

In this embodiment, a training data set with sample labels can be obtained, wherein the DGA sample obtaining path can be https://data.netlab.360.com/dga/dga.txt, with a total of 1223607. The acquisition path of a normal domain name can be http://s3.amazonaws.com/alexa-static/top-1m.csv.zip, with a total of 1 million, so that a sample data set with positive and negative labels can be obtained.

(2) Preprocessing each of the domain name information to obtain a plurality of training corpora corresponding to each of the domain names, and each of the training corpora includes a domain name sample and a sample label.

Wherein, the preprocessing process of preprocessing each of the domain name information may refer to the detailed description in the foregoing S220, but the difference from the foregoing S220 is that the training corpus includes positive and negative values used to represent the positive and negative of the training samples. Negative label.

For example, assuming that the domain name information used to construct the training dataset is qq.com, Google.com, and ntnipngh.com, then the training corpus containing positive and negative labels can be:

qq.com: q q c o m, 0;

Google.com: go o g l e c o m, 0;

ntnipngh.com: n t n i p n g h c o m,1;

Among them, label 0 represents a normal domain name, and label 1 represents a DGA domain name.

(3) According to each domain name letter included in each training corpus, query the preconfigured word vector matrix in turn to obtain a plurality of one-dimensional word vectors corresponding to the training corpus one-to-one.

The process of obtaining the word vector matrix includes: processing each training corpus into a one-dimensional vector, and passing each of the one-dimensional vectors through the word2vec model in sequence, then a word vector of a predetermined size can be used to provide evidence. For example, assuming that the length of the one-dimensional word vector corresponding to the word2vec model is 64, then the word vector evidence may be 27x64 (26 letters + complement).

(4) Splicing the multiple one-dimensional word vectors to obtain the target vector corresponding to the training corpus.

Among them, according to the obtained word vector matrix, the one-dimensional word vector obtained by querying the word vector matrix based on each letter in the training domain name information is spliced to obtain the corresponding target vector of each training corpus. In this embodiment, the length of the target vector may be 2048.

(5) Constructing a training data set based on the target vector corresponding to each of the training corpora.

(6) Using the training data set to train a predetermined neural network model to obtain a DGA recognition model.

Among them, in (5)-(6), the training data set constructed based on the training corpus can be input into the Textcnn model to train the Textcnn model to obtain the final DGA recognition model for prediction.

It should be noted that, in order to improve the recognition accuracy of the DGA recognition model, the DGA model may be trained multiple times by means of loss functions, replacement of training samples, etc., which will not be repeated in this embodiment.

It should be noted that after the risk identification result is obtained by using the DGA identification model, each domain name information can be marked according to the risk identification result. For example, if the domain name in the DNS packet log is marked as normal, the log is normal. If the domain name in the log is marked as DGA, the log belongs to malicious traffic, and the subsequent S250-S280 are executed.

S250, in the case that the risk identification result indicates that the DNS message log is suspected of malicious traffic, the DGA family set to which each domain name information in the DNS message log to be processed belongs is determined based on the preconfigured DGA family rules .

S260, based on the DGA family set and the source IP, cluster the domain name information sets with the same source IP to obtain multiple target traffic groups;

S270, respectively count the number of source IPs accessing the same type of DGA family set in each of the target traffic groups;

S280, in the case that the number is greater than the first threshold and the proportion of invalid access returns is greater than the second threshold, determine that the network corresponding to the source IP is a botnet.

For the detailed description in S250-S280, reference may be made to the relevant description of the method 100, and details are not repeated here.

In this embodiment, based on the funnel model including two implementation stages, DGA domain names suspected of malicious traffic are screened out, and then based on the screening results, the botnet host can be further accurately identified by using the DGA family rule base. In addition, the method of identifying the DGA based on the word vector space in this embodiment makes the feature processing simpler, avoids the interference of a large number of feature engineering, and has a higher recognition accuracy.

As shown in FIG. 3 , a botnet identification device 300 is provided in an exemplary embodiment of the present application. The device 300 includes an identification module 310 for performing risk identification on the DNS message log to be processed to obtain a risk identification result, The DNS message log includes a plurality of domain name information, and each of the domain name information includes a domain name and a source IP corresponding to the domain name; the first determining module 320 is configured to indicate the DNS message in the risk identification result In the case that the log is suspected to be malicious traffic, based on the preconfigured DGA family rules, determine the target DGA family set to which each domain name information in the DNS message log belongs; the clustering module 330 is configured to be based on the DGA family set and For the source IP, cluster the domain name information sets with the same source IP to obtain multiple target traffic groups; the statistics module 340 is used to separately count the source IPs accessing the same type of DGA family set in each of the target traffic groups. The second determination module 350 is configured to determine that the network corresponding to the source IP is a botnet when the number is greater than the first threshold and the proportion of invalid access returns is greater than the second threshold.

Regarding the botnet identification device 300 in this embodiment, the specific manner in which each module performs operations has been described in detail in the embodiment of the method, and will not be described in detail here.

Please refer to FIG. 4 , which is a block diagram of a terminal device 400 according to an exemplary embodiment. The terminal device 400 may at least include a processor 410 and a memory 420 for storing instructions executable by the processor 410 . Wherein, the processor 410 is configured to execute the instructions to implement all or part of the steps of the botnet identification method in the above-mentioned embodiments.

The processor 410 and the memory 420 are directly or indirectly electrically connected to realize data transmission or interaction. For example, these elements may be electrically connected to each other through one or more communication buses or signal lines.

The processor 410 is used to read/write data or programs stored in the memory, and perform corresponding functions.

The memory 420 is used to store programs or data, such as instructions executable by the processor 410 . The memory 420 can be, but not limited to, random access memory (Random Access Memory, RAM), read only memory (Read Only Memory, ROM), programmable read only memory (Programmable Read-Only Memory, PROM), erasable memory Read-only memory (Erasable Programmable Read-Only Memory, EPROM), Electric Erasable Programmable Read-Only Memory (Electric Erasable Programmable Read-Only Memory, EEPROM), etc.

Further, as a possible implementation manner, the terminal device 400 may further include a power supply component, a multimedia component, an audio component, an input/output (I/O) interface, a sensor component, a communication component, and the like.

The power supply components provide power to the various components of the terminal device 400 . Power components may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power to end device 400 .

The multimedia component includes a screen that provides an output interface between the terminal device 400 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touch, swipe, and gestures on the touch panel. A touch sensor can sense not only the boundaries of a touch or swipe action, but also the duration and pressure associated with the touch or swipe action. In some embodiments, the multimedia component includes a front-facing camera and/or a rear-facing camera. When the terminal device 400 is in an operation mode, such as a shooting mode or a video mode, the front camera and/or the rear camera may receive external multimedia data. Each of the front and rear cameras can be a fixed optical lens system or have focal length and optical zoom capability.

The audio components are configured to output and/or input audio signals. For example, the audio component includes a microphone (MIC) that is configured to receive external audio signals when the terminal device 400 is in an operating mode, such as a calling mode, a recording mode, and a voice recognition mode. The received audio signal may be further stored in memory 420 or transmitted via the communication component. In some embodiments, the audio assembly further includes a speaker for outputting audio signals.

The I/O interface provides an interface between the processing component and a peripheral interface module, and the above-mentioned peripheral interface module can be a keyboard, a click wheel, a button, and the like. These buttons may include, but are not limited to: home button, volume buttons, start button, and lock button.

The sensor assembly includes one or more sensors for providing various aspects of the status assessment for the end device 400 . For example, the sensor component can detect the open/closed state of the terminal device 400, the relative positioning of the components, such as the display and keypad of the terminal device 400, the sensor component can also detect the position change of the terminal device 400 or a component of the terminal device 400 , the presence or absence of the user's contact with the terminal device 400 , the orientation or acceleration/deceleration of the terminal device 400 and the temperature change of the terminal device 400 . The sensor assembly may include a proximity sensor configured to detect the presence of nearby objects in the absence of any physical contact. The sensor assembly may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.

The communication component is configured to facilitate wired or wireless communication between the end device 400 and other devices. The terminal device 400 may access a wireless network based on a communication standard, such as WiFi, an operator network (eg, 2G, 3G, 4G, or 4G), or a combination thereof. In one exemplary embodiment, the communication component receives broadcast signals or broadcast related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a near field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, infrared data association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.

In an exemplary embodiment, end device 400 may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable A programmed gate array (FPGA), controller, microcontroller, microprocessor or other electronic component implementation is used to perform the above method.

It should be understood that the structure shown in FIG. 4 is only a schematic structural diagram of the terminal device 400 , and the terminal device 400 may further include more or less components than those shown in FIG. 4 , or have different components from those shown in FIG. 4 . configuration. Each component shown in FIG. 4 can be implemented in hardware, software, or a combination thereof.

In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions, such as a memory including instructions, is also provided, and the instructions can be executed by a processor in a terminal device to complete the above botnet identification method. For example, the non-transitory computer-readable storage medium may be ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like.

As will be appreciated by those skilled in the art, the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

It should be noted that the terms "comprising", "comprising" or any other variation thereof are intended to encompass a non-exclusive inclusion such that a process, method, article or device comprising a series of elements includes not only those elements, but also no Other elements expressly listed, or which are also inherent to such a process, method, article of manufacture or apparatus. Without further limitation, an element qualified by the phrase "comprising a..." does not preclude the presence of additional identical elements in the process, method, article of manufacture or apparatus that includes the element.

It will be appreciated by those skilled in the art that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

The above are merely examples of the present application, and are not intended to limit the present application. Various modifications and variations of this application are possible for those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of this application shall be included within the scope of the claims of this application.

Claims (10)

1. A botnet identification method, comprising:

performing risk identification on a DNS message log to be processed to obtain a risk identification result, wherein the DNS message log comprises a plurality of domain name information, and each domain name information comprises a domain name and a source IP (Internet protocol) corresponding to the domain name;

under the condition that the risk identification result indicates the suspected malicious flow of the DNS message log, determining a DGA family set to which each domain name information in the DNS message log belongs based on a preconfigured DGA family rule;

based on the DGA family set and the source IP, clustering domain name information with the same source IP to obtain a plurality of target flow groups;

respectively counting the number of source IPs accessing the same DGA family set in each target flow group;

and under the condition that the number is greater than a first threshold value and the access invalid return occupation ratio is greater than a second threshold value, determining that the network corresponding to the source IP is a botnet.

2. The method of claim 1, wherein the DNS message logs comprise DNS request logs and DNS response logs.

3. The method of claim 1, wherein performing risk identification on the DNS message log to be processed to obtain a risk identification result comprises:

acquiring a DNS message log to be processed;

preprocessing domain name information included in the DNS message log to obtain a plurality of linguistic data to be identified;

inquiring a pre-configured word vector matrix according to each domain name letter included in the linguistic data to be recognized to obtain a vector to be recognized;

and inputting the vector to be recognized into a pre-trained DGA recognition model to obtain a risk recognition result.

4. The method according to claim 3, wherein preprocessing the domain name information included in the DNS packet log to obtain a plurality of corpora to be identified includes:

performing standardization processing on each domain name information included in the DNS message log;

and performing word segmentation on each normalized domain name to obtain a plurality of linguistic data to be identified corresponding to each domain name information.

5. The method according to claim 3, wherein before the pre-configured word vector matrix is queried according to each domain name letter included in the corpus to be recognized to obtain the vector to be recognized, the risk recognition is performed on the DNS message log to be processed to obtain a risk recognition result, further comprising:

and processing the length of each corpus to be identified into a preset length.

6. The method of claim 3, wherein the pre-training process of the DGA recognition model comprises:

acquiring a plurality of domain name information for constructing a training data set;

preprocessing each domain name information to obtain a plurality of training corpora corresponding to each domain name, wherein each training corpora comprises a domain name sample and a sample label;

sequentially inquiring a pre-configured word vector matrix according to each domain name letter included in each training corpus respectively to obtain a plurality of one-dimensional word vectors corresponding to the training corpuses one by one;

splicing the plurality of one-dimensional word vectors to obtain a target vector corresponding to the training corpus;

constructing a training data set based on the target vector corresponding to each training corpus;

and training a preset neural network model by using the training data set to obtain a DGA recognition model.

7. The method of claim 1, wherein before performing risk identification on the DNS message log to be processed and obtaining a risk identification result, the method further comprises:

obtaining the flow information of the switch in a bypass mirror mode;

and analyzing the switch flow information in a DPI (deep packet inspection) analysis mode to obtain the DNS message log.

8. A botnet recognition device, comprising:

the system comprises an identification module, a processing module and a processing module, wherein the identification module is used for carrying out risk identification on a DNS message log to be processed to obtain a risk identification result, the DNS message log comprises a plurality of domain name information, and each domain name information comprises a domain name and a source IP corresponding to the domain name;

a first determining module, configured to determine, based on a preconfigured DGA family rule, a DGA family set to which the DNS message log belongs, when the risk identification result indicates that the DNS message log is suspected to be malicious traffic;

the clustering module is used for clustering the domain name information sets with the same source IP based on the DGA family set and the source IP to obtain a plurality of target flow groups;

the statistical module is used for respectively counting the number of source IPs accessing the same DGA family set in each target flow group;

and the second determining module is used for determining that the network corresponding to the source IP is a botnet under the condition that the number is greater than the first threshold value and the access invalid return occupation ratio is greater than a second threshold value.

9. A terminal device comprising a processor, a memory and a program or instructions stored on the memory and executable on the processor, the program or instructions when executed by the processor implementing the steps of the botnet identification method of any of claims 1 to 7.

10. A computer-readable storage medium, on which a program or instructions are stored, which program or instructions, when executed by a processor, carry out the steps of the botnet identification method according to any one of claims 1-7.

Images