CN113329035B - Method and device for detecting attack domain name, electronic equipment and storage medium - Google Patents


Info

Publication number: CN113329035B
Authority: CN (China)
Prior art keywords: domain names, domain, determining, names, attack
Legal status: Active
Application number: CN202110728721.4A
Other languages: Chinese (zh)
Other versions: CN113329035A
Inventors: 周凯强, 岳巍
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110728721.4A
Publication of CN113329035A
Application granted
Publication of CN113329035B

Classifications

    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/00 network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
    • H04L61/4511 Network directories; name-to-address mapping using standardised directory access protocols using domain name system [DNS] (under H04L61/00 addressing or naming; H04L61/45 network directories; H04L61/4505 standardised directories)
    • H04L63/0263 Rule management (under H04L63/02 firewalls; H04L63/0227 filtering policies)
    • H04L63/0892 Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols (under H04L63/08 authentication of entities)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)


Abstract

The application discloses a method and a device for detecting an attack domain name, an electronic device and a storage medium, where the method comprises the following steps: obtaining request traffic, the request traffic comprising N1 domain names; filtering the N1 domain names included in the request traffic by using a domain name blacklist and a domain name whitelist to obtain N2 filtered domain names; decoding each of the N2 domain names; for the N3 domain names of the N2 domain names that are decoded successfully, determining whether each of the N3 domain names is an attack domain name according to a first rule; and for the N4 domain names of the N2 domain names that are not decoded successfully, determining whether each of the N4 domain names is an attack domain name according to a second rule.

Description

Method and device for detecting attack domain name, electronic equipment and storage medium
Technical Field
The embodiment of the application relates to the field of communication, in particular to a method and a device for detecting an attack domain name, electronic equipment and a storage medium.
Background
Domain Name System Log (DNSLOG) technology is widely used in attack scenarios in which the output of command execution cannot be echoed back directly and in which it must be determined whether a server can reach the outside network. In particular, the number of deserialization vulnerabilities keeps increasing, and attacks that use DNSLOG to probe for deserialization vulnerabilities are becoming more and more common. It is therefore necessary to design a detection method for DNSLOG attack behavior that covers these attack scenarios. Most existing technical schemes work in blacklist mode; this simple detection mode easily raises false alarms on normal access behavior, cannot detect attack behaviors that are not in the blacklist, and has a high false alarm rate.
Disclosure of Invention
In order to solve the technical problem, embodiments of the present application provide a method and an apparatus for detecting an attack domain name, an electronic device, and a storage medium.
The embodiment of the application provides a detection method for an attack domain name, which comprises the following steps:
obtaining request traffic; the request traffic comprises N1 domain names;
filtering the N1 domain names included in the request traffic by using a domain name blacklist and a domain name whitelist to obtain N2 filtered domain names;
decoding each of the N2 domain names; for N3 domain names which are successfully decoded from the N2 domain names, determining whether each domain name in the N3 domain names is an attack domain name according to a first rule; and for the N4 domain names which are not decoded successfully in the N2 domain names, determining whether each domain name in the N4 domain names is an attack domain name according to a second rule.
In an optional embodiment of the present application, the determining, according to the first rule, whether each of the N3 domain names is an attack domain name includes:
executing each of the N3 domain names with a first set of commands; the first command set comprises at least one execution command;
and determining the domain name which is successfully executed by using the first command set in the N3 domain names as an attack domain name.
In an optional embodiment of the present application, the determining, according to the second rule, whether each of the N4 domain names is an attack domain name includes:
determining N5 accessible domain names and N6 inaccessible domain names of the N4 domain names;
determining, for the N5 accessible domain names, whether each of the N5 accessible domain names is an attack domain name according to a third rule;
for the N6 inaccessible domain names, determining whether each of the N6 inaccessible domain names is an attack domain name according to a fourth rule.
In an optional embodiment of the present application, before determining N5 accessible domain names and N6 inaccessible domain names of the N4 domain names, the method further comprises:
and determining N7 domain names with the access frequency higher than a first frequency threshold in the N4 domain names, and determining the N7 domain names as non-attack domain names.
In an optional embodiment of the present application, the determining, according to the third rule, whether each of the N5 accessible domain names is an attack domain name includes:
executing each of the N5 domain names using a second set of commands, and determining N8 domain names whose execution result includes high-risk plaintext characters and N9 domain names whose execution result does not include high-risk plaintext characters; the second command set comprises at least one execution command;
performing a network traffic query on the access requests of the N8 domain names whose execution result includes high-risk plaintext characters, to obtain N10 domain names whose access requests contain only domain name request traffic and N11 domain names whose access requests also contain non-domain-name request traffic in addition to the domain name request traffic;
and determining the N10 domain names as attack domain names, and determining whether the N9 domain names and the N11 domain names are attack domain names according to a fifth rule.
In an optional embodiment of the present application, the determining, according to a fifth rule, whether the N9 domain names and the N11 domain names are attack domain names includes:
and determining, by using a character relevance algorithm model, N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, and determining the N12 domain names as attack domain names.
In an optional embodiment of the present application, before determining, by using a character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, the method further includes:
determining at least one domain name set of the N9 domain names and the N11 domain names that resolve to the same IP; the domain names in each domain name set of the at least one domain name set correspond to the same resolved IP, and different domain name sets of the at least one domain name set correspond to different resolved IPs;
determining, among the at least one domain name set, M1 domain name sets whose number of domain names is greater than a first number threshold and M2 domain name sets whose number of domain names is less than or equal to the first number threshold; the M2 domain name sets collectively comprise N13 domain names;
determining each domain name in the M1 domain name sets as an attack domain name;
the determining, by using a character relevance algorithm model, the N9 domain names and N12 domain names of the N11 domain names that do not meet the character relevance algorithm model, and determining the N12 domain names as attack domain names includes:
and determining N14 domain names which do not accord with the character relevance algorithm model in the N13 domain names by using a character relevance algorithm model, and determining the N14 domain names as attack domain names.
In an optional embodiment of the present application, before determining, by using a character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model and determining the N12 domain names as attack domain names, the method further includes:
determining, among the N9 domain names and the N11 domain names, N15 domain names whose number of requesting IPs is greater than a second quantity threshold and N16 domain names whose number of requesting IPs is less than or equal to the second quantity threshold, and determining the N15 domain names as normal domain names;
correspondingly, the determining, by using the character relevance algorithm model, the N9 domain names and N12 domain names of the N11 domain names that do not meet the character relevance algorithm model, and determining the N12 domain names as attack domain names includes:
and determining N17 domain names which do not accord with the character relevance algorithm model in the N16 domain names by using a character relevance algorithm model, and determining the N17 domain names as attack domain names.
In an optional embodiment of the present application, the determining, according to a fourth rule, whether each of the N6 inaccessible domain names is an attack domain name includes:
and determining N18 domain names which do not accord with the character relevance algorithm model in the N6 domain names by using a character relevance algorithm model, and determining the N18 domain names as attack domain names.
In an optional embodiment of the present application, before determining, by using a character relevance algorithm model, N18 domain names of the N6 domain names that do not conform to the character relevance algorithm model and determining the N18 domain names as attack domain names, the method further includes:
determining, among the N6 domain names, N19 domain names whose number of requesting IPs is greater than or equal to a third number threshold and N20 domain names whose number of requesting IPs is less than or equal to the third number threshold, and determining the N19 domain names as normal domain names;
correspondingly, the determining, by using the character relevance algorithm model, N18 domain names of the N6 domain names which do not conform to the character relevance algorithm model, and determining the N18 domain names as attack domain names includes:
and determining N21 domain names which do not accord with the character relevance algorithm model in the N20 domain names by using a character relevance algorithm model, and determining the N21 domain names as attack domain names.
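As an added illustration of the same-IP grouping, requesting-IP count and character relevance steps above (example code, not the patent's or its assignee's), the following Python sketch triages a constructed set of undecodable domain names. The patent does not define the character relevance algorithm model, so a vowel/digit/entropy heuristic stands in for it, and the threshold values, the `NameStats` record and the sample names are assumptions.

```python
"""Added example (not from the patent): the same-IP grouping, request-IP
count and character relevance steps of the second rule, applied to a
constructed set of undecodable domain names. Thresholds are assumptions and
the character relevance heuristic stands in for the unspecified model."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

FIRST_COUNT_THRESHOLD = 20   # names resolving to one IP above this -> M1 sets
SECOND_COUNT_THRESHOLD = 50  # accessible names: requesting IPs above this -> N15
THIRD_COUNT_THRESHOLD = 50   # inaccessible names: requesting IPs at/above this -> N19


@dataclass
class NameStats:
    domain: str
    resolved_ip: Optional[str]  # None when the name is inaccessible (N6 path)
    requester_ips: int          # distinct client IPs that queried the name


def looks_machine_generated(domain: str) -> bool:
    """Assumed stand-in for the character relevance algorithm model: flag the
    leftmost label when its characters look unrelated to each other."""
    label = domain.split(".")[0].lower()
    if len(label) < 6:
        return False                      # too short to judge
    counts: Dict[str, int] = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    entropy = -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return entropy > 3.5 or vowel_ratio < 0.2 or digit_ratio > 0.3


def triage_second_rule(stats: List[NameStats]) -> Dict[str, str]:
    """Verdict per name for the undecodable (N4) names that survived earlier steps."""
    verdicts: Dict[str, str] = {}
    accessible = [s for s in stats if s.resolved_ip is not None]   # N9 and N11 pool
    inaccessible = [s for s in stats if s.resolved_ip is None]     # N6

    # Group accessible names by resolved IP; oversized sets (M1) are attack domains.
    by_ip: Dict[str, List[NameStats]] = defaultdict(list)
    for s in accessible:
        by_ip[s.resolved_ip].append(s)
    remaining: List[NameStats] = []                                # N13 from the M2 sets
    for group in by_ip.values():
        if len(group) > FIRST_COUNT_THRESHOLD:
            for s in group:
                verdicts[s.domain] = "attack:many-names-one-ip"
        else:
            remaining.extend(group)

    for s in remaining:
        if s.requester_ips > SECOND_COUNT_THRESHOLD:               # N15
            verdicts[s.domain] = "normal:widely-requested"
        elif looks_machine_generated(s.domain):                   # N17 of N16
            verdicts[s.domain] = "attack:character-relevance"
        else:
            verdicts[s.domain] = "no-alert:readable"

    for s in inaccessible:
        if s.requester_ips >= THIRD_COUNT_THRESHOLD:              # N19
            verdicts[s.domain] = "normal:widely-requested"
        elif looks_machine_generated(s.domain):                   # N21 of N20
            verdicts[s.domain] = "attack:character-relevance"
        else:
            verdicts[s.domain] = "no-alert:readable"
    return verdicts


# Constructed sample: per-name statistics as a resolver log would summarise them.
SAMPLE_STATS = (
    [NameStats(f"sub{i:02d}x.c2.test", "203.0.113.10", 1) for i in range(25)]  # one IP, 25 names
    + [
        NameStats("static.example.test", "198.51.100.5", 300),  # popular, accessible
        NameStats("qx7k2w9vz4.oob.test", "198.51.100.9", 2),    # accessible, unreadable
        NameStats("mail.example.test", "198.51.100.7", 3),      # accessible, readable
        NameStats("k3j9dq7x2m.nx.test", None, 1),               # inaccessible, unreadable
        NameStats("intranet-old.corp.test", None, 80),          # inaccessible, widely asked
        NameStats("printer.corp.test", None, 4),                # inaccessible, readable
    ]
)

if __name__ == "__main__":
    for name, verdict in triage_second_rule(SAMPLE_STATS).items():
        print(f"{verdict:28} {name}")
```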
The embodiment of the present application further provides a device for detecting an attack domain name, where the device includes:
an obtaining unit configured to obtain request traffic; the request traffic comprises N1 domain names;
a filtering unit, configured to filter N1 domain names included in the request traffic by using a domain name blacklist and a domain name whitelist, to obtain N2 filtered domain names;
a determining unit, configured to decode each of the N2 domain names; for N3 domain names which are successfully decoded from the N2 domain names, determining whether each domain name in the N3 domain names is an attack domain name according to a first rule; and for the N4 domain names which are not decoded successfully in the N2 domain names, determining whether each domain name in the N4 domain names is an attack domain name according to a second rule.
In an optional embodiment of the present application, the determining unit is specifically configured to: executing each of the N3 domain names with a first set of commands; the first command set comprises at least one execution command;
and determining the domain name which is successfully executed by utilizing the first command set in the N3 domain names as an attack domain name.
In an optional embodiment of the present application, the determining unit is specifically configured to: determine N5 accessible domain names and N6 inaccessible domain names of the N4 domain names; for the N5 accessible domain names, determine whether each of the N5 accessible domain names is an attack domain name according to a third rule; and for the N6 inaccessible domain names, determine whether each of the N6 inaccessible domain names is an attack domain name according to a fourth rule.
In an optional embodiment of the present application, the determining unit is further configured to: before determining N5 accessible domain names and N6 inaccessible domain names in the N4 domain names, determining N7 domain names with access frequencies higher than a first frequency threshold in the N4 domain names, and determining the N7 domain names as non-attack domain names.
In an optional embodiment of the present application, the determining unit is further configured to: executing each of the N5 domain names using a second set of commands, determining N8 domain names that include high risk plaintext characters in the execution result, and N9 domain names that do not include high risk plaintext characters in the execution result; the second command set comprises at least one execution command; performing network traffic query on access requests of N8 domain names including high-risk plaintext characters in an execution result to obtain N10 domain names only having domain name request traffic in the access requests of the N8 domain names and N11 domain names having non-domain name request traffic in the access requests of the N8 domain names except the domain name request traffic; and determining the N10 domain names as attack domain names, and determining whether the N9 domain names and the N11 domain names are attack domain names according to a fifth rule.
In an optional embodiment of the present application, the determining unit is further configured to: and determining the N9 domain names and N12 domain names which do not accord with the character relevance algorithm model in the N11 domain names by using a character relevance algorithm model, and determining the N12 domain names as attack domain names.
In an optional embodiment of the present application, the determining unit is further configured to: before determining, by using a character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, determine at least one domain name set of the N9 domain names and the N11 domain names that resolve to the same IP, where the domain names in each domain name set of the at least one domain name set correspond to the same resolved IP and different domain name sets correspond to different resolved IPs; determine, among the at least one domain name set, M1 domain name sets whose number of domain names is greater than a first number threshold and M2 domain name sets whose number of domain names is less than or equal to the first number threshold, the M2 domain name sets collectively comprising N13 domain names; and determine each domain name in the M1 domain name sets as an attack domain name; the determining unit is further specifically configured to: determine, by using a character relevance algorithm model, N14 domain names among the N13 domain names that do not conform to the character relevance algorithm model, and determine the N14 domain names as attack domain names.
In an optional embodiment of the present application, the determining unit is further configured to: before determining, by using a character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model and determining the N12 domain names as attack domain names, determine, among the N9 domain names and the N11 domain names, N15 domain names whose number of requesting IPs is greater than a second quantity threshold and N16 domain names whose number of requesting IPs is less than or equal to the second quantity threshold, and determine the N15 domain names as normal domain names; correspondingly, the determining unit is further specifically configured to: determine, by using a character relevance algorithm model, N17 domain names among the N16 domain names that do not conform to the character relevance algorithm model, and determine the N17 domain names as attack domain names.
In an optional embodiment of the present application, the determining unit is further specifically configured to: and determining N18 domain names which do not accord with the character relevance algorithm model in the N6 domain names by using a character relevance algorithm model, and determining the N18 domain names as attack domain names.
In an optional embodiment of the present application, the determining unit is further specifically configured to: before determining, by using a character relevance algorithm model, the N18 domain names among the N6 domain names that do not conform to the character relevance algorithm model and determining the N18 domain names as attack domain names, determine, among the N6 domain names, N19 domain names whose number of requesting IPs is greater than or equal to a third number threshold and N20 domain names whose number of requesting IPs is less than or equal to the third number threshold, and determine the N19 domain names as normal domain names; correspondingly, the determining unit is further specifically configured to: determine, by using a character relevance algorithm model, N21 domain names among the N20 domain names that do not conform to the character relevance algorithm model, and determine the N21 domain names as attack domain names.
The embodiment of the present application further provides an electronic device, where the electronic device includes a processor and a memory; the method for detecting attack traffic can be implemented when the processor runs the computer-executable instructions stored in the memory.
The embodiment of the present application further provides a computer storage medium, where the storage medium stores executable instructions, and the executable instructions, when executed by a processor, implement the method for detecting attack traffic according to the foregoing embodiment.
According to the technical scheme of the embodiment of the application, request traffic is obtained, the request traffic comprising N1 domain names; the N1 domain names included in the request traffic are filtered by using a domain name blacklist and a domain name whitelist to obtain N2 filtered domain names; each of the N2 domain names is decoded; for the N3 domain names of the N2 domain names that are decoded successfully, whether each of the N3 domain names is an attack domain name is determined according to a first rule; and for the N4 domain names of the N2 domain names that are not decoded successfully, whether each of the N4 domain names is an attack domain name is determined according to a second rule. The method therefore overcomes the limitation of detecting the domain name information in the request traffic with a blacklist alone, comprehensively detects attack domain names that are not in the blacklist, and improves the accuracy of attack domain name detection.
Drawings
Fig. 1 is a schematic flowchart of a method for detecting an attack domain name according to an embodiment of the present application;
fig. 2 is a schematic diagram of a detection process of an attack domain name provided in an embodiment of the present application;
fig. 3 is a schematic structural component diagram of a detection apparatus for attacking a domain name provided in an embodiment of the present application;
fig. 4 is a schematic structural component diagram of an electronic device according to an embodiment of the present application.
Detailed Description
So that the manner in which the features and elements of the present embodiments can be understood in detail, a more particular description of the embodiments, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings.
In the following, key terms related to the embodiments of the present application are explained:
Domain Name System (DNS): a distributed database that maps domain names and Internet Protocol (IP) addresses to each other, allowing people to access the Internet more conveniently. DNS uses port 53 over both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) as its service port.
DNSLOG: domain name information stored on a DNS server; like a log file, it records user access information for domain names such as www.baidu.com.
Domain Generation Algorithms (DGA): algorithms frequently used in various malware families to periodically generate large numbers of domain names that can serve as rendezvous points for malware command-and-control servers. For example, malware A has a malicious domain name aaa.com and uses a DGA to generate sub-domain names such as bbb.aaa.com and ccc.aaa.com, where different sub-domain names represent different attack steps: for instance, the attacked machine downloads malware by accessing bbb.aaa.com and uploads data by accessing ccc.aaa.com. By generating different sub-domain names the attacker distinguishes attack steps and even different control servers, and can do all of this merely by changing the main domain name.
The technical scheme of the embodiments of the application addresses the problems that DNSLOG request traffic has no obvious attack characteristics, that its characteristics resemble those of a DNS tunnel, and the like. In the existing scenario of detecting DNSLOG traffic through keywords, the method and device analyze the characteristics of DNSLOG request traffic, essentially cover the DNSLOG attack behaviors that a blacklist cannot detect directly by combining approaches such as netflow and a character relevance algorithm, reduce false alarms effectively through frequency characteristics, and thereby achieve full coverage of DNSLOG attack behaviors.
Fig. 1 is a schematic flowchart of a method for detecting an attack domain name provided in an embodiment of the present application, and as shown in fig. 1, the method for detecting an attack domain name provided in the embodiment of the present application includes the following steps:
step 101: obtaining a request flow; the request traffic includes N1 domain names.
In the embodiment of the application, an attacker or an ordinary user uses a client to initiate a DNSLOG request to a DNS server, and the DNS server receives the request traffic sent by the client.
DNSLOG and DNS tunnel request traffic share several characteristics: both splice different sub-domain names under the same main domain name in order to transfer information, for example a main domain name a.com with information spliced in front of it, such as b.a.com or b.b.a.com; the sub-domain names are generated by a DGA, an encoding algorithm or an encryption algorithm and have no obvious readability; and the domain names all resolve to the same IP address.
Step 102: and filtering the N1 domain names included in the request traffic by using a domain name blacklist and a domain name whitelist to obtain N2 filtered domain names.
In the embodiment of the present application, the domain name blacklist consists of currently known DNSLOG service domain names and DNSLOG domain names from local threat intelligence, and the whitelist consists of address routing parameter domain names (e.g., ip6.arpa), unspecified domain names (e.g., localhost), government-class domain names (e.g., gov.
If the keywords of a part of domain names in the N1 domain names included in the request traffic are the same as those in the domain name blacklist, the part of domain names that are the same as those in the domain name blacklist are determined as attack domain names.
If the keywords of a part of domain names in the N1 domain names included in the request traffic are the same as those in the domain name white list, the part of domain names that are the same as those in the domain name white list are determined as non-attack domain names, which may also be referred to as normal domain names.
In the method and device, all N1 domain names in the request traffic are filtered using the domain name blacklist and the domain name whitelist, so that obvious attack domain names and normal domain names in the request traffic are filtered out, and the amount of data to be processed in the subsequent judgment of whether the domain names in the request traffic are attack domain names is reduced.
Step 103: decoding each of the N2 domain names; for N3 domain names which are successfully decoded from the N2 domain names, determining whether each domain name in the N3 domain names is an attack domain name according to a first rule; and for the N4 domain names which are not decoded successfully in the N2 domain names, determining whether each domain name in the N4 domain names is an attack domain name according to a second rule.
Decoding the domain names included in the request traffic is mainly used to detect attack scenarios in which data is carried out-of-band through DNSLOG. A domain name decoding operation is performed on the N2 domain names that are in neither the domain name blacklist nor the domain name whitelist after step 102, attempting decoding with common encoding schemes including hex, base64, base32 and the like.
In an optional embodiment of the present application, the step of determining whether each of the N3 domain names is an attack domain name according to the first rule may be specifically implemented as follows:
executing each of the N3 domain names with a first set of commands; the first command set comprises at least one execution command;
and determining the domain name which is successfully executed by utilizing the first command set in the N3 domain names as an attack domain name.
Specifically, for the successfully decoded domain name after performing the domain name decoding operation, rule matching of successful command execution is performed on the successfully decoded content, the first command set includes commands such as ifconfig and netstat,
specifically, for example, the execution result of the ifconfig command is the host network card and IP information, and therefore, the execution result of the command can be determined by matching the IP address or the network card information. For the domain name with the command execution result, the behavior that the domain name has the outband information through the domain name can be determined to be in accordance with the attack behavior characteristics of DNSLOG, so that a DNSLOG attack event can be generated, namely the domain name is determined to be an attack domain name.
In the embodiment of the application, for decoded domain names on which no command execution is matched, an information-level reminder log can be generated for subsequent manual analysis or kept as a record.
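As an added illustration of Step 103's decoding and first-rule matching (not code from the patent), the following Python decodes each sub-domain label with hex, base32 and base64, accepts a decode only when it round-trips to printable text, and then matches the decoded text against patterns that ifconfig or netstat output would leave (an IPv4 address, an interface name, a socket state). The sample domain names, the zone name "dnlog.example" and the pattern list are constructed assumptions.

```python
import base64
import binascii
import re
import string
from typing import Optional, Tuple

# Constructed sample: "dnlog.example" stands in for an attacker-controlled
# DNSLOG zone; the labels in front of it show what command output looks like
# after hex, base32 and base64 encoding. Not data taken from the patent.
SAMPLE_DOMAINS = [
    "657468302031302e302e302e35.dnlog.example",  # hex("eth0 10.0.0.5")
    "ojxw65a.dnlog.example",                       # base32("root"), padding stripped
    "aGVsbG8.dnlog.example",                       # base64("hello"), no command output
    "mail.corp.example",                           # ordinary label, decodes nowhere
]

PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Traces that a successful ifconfig / netstat run leaves in its output:
# an IPv4 address, an interface name, or a socket state column (assumed list).
COMMAND_OUTPUT_PATTERNS = [
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),           # IPv4 address
    re.compile(r"\b(?:eth|ens|enp|wlan)\d*\b"),           # interface name
    re.compile(r"\b(?:LISTEN|ESTABLISHED|TIME_WAIT)\b"),  # netstat state
]


def _as_text(raw: bytes) -> Optional[str]:
    """Return the bytes as text if every byte is printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def decode_label(label: str) -> Optional[Tuple[str, str]]:
    """Try hex, base32 and base64 on one DNS label.

    A decode only counts when re-encoding the result reproduces the label
    (padding and, for base32, letter case aside); that round trip rejects
    ordinary words such as "mail", which base32 would otherwise turn into
    junk bytes. Returns (encoding, text) or None.
    """
    # hex: even length and hex digits only
    if len(label) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", label):
        text = _as_text(binascii.unhexlify(label))
        if text:
            return ("hex", text)
    # base32: case-insensitive alphabet, padded to a multiple of 8
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        raw = base64.b32decode(padded)
        if base64.b32encode(raw).decode() == padded:
            text = _as_text(raw)
            if text:
                return ("base32", text)
    except (binascii.Error, ValueError):
        pass
    # base64 (standard and URL-safe alphabets), padded to a multiple of 4
    padded = label + "=" * (-len(label) % 4)
    for dec, enc in ((base64.b64decode, base64.b64encode),
                     (base64.urlsafe_b64decode, base64.urlsafe_b64encode)):
        try:
            raw = dec(padded)
            if enc(raw).decode() == padded:
                text = _as_text(raw)
                if text:
                    return ("base64", text)
        except (binascii.Error, ValueError):
            pass
    return None


def matches_command_output(text: str) -> bool:
    return any(p.search(text) for p in COMMAND_OUTPUT_PATTERNS)


def classify(domain: str, zone_labels: int = 2) -> dict:
    """Apply the first rule of Step 103 to one domain name.

    Every label in front of the registered zone (assumed to be the last
    `zone_labels` labels) is decoded; the domain counts as decoded when any
    label decodes, and as an attack domain when the decoded text looks like
    command output. Undecoded domains are left for the second rule.
    """
    labels = domain.split(".")[:-zone_labels]
    decoded = []
    for lbl in labels:
        hit = decode_label(lbl)
        if hit:
            decoded.append(hit)
    if not decoded:
        return {"domain": domain, "decoded": False, "verdict": "second_rule"}
    attack = any(matches_command_output(text) for _, text in decoded)
    return {
        "domain": domain,
        "decoded": True,
        "decoded_text": decoded,
        "verdict": "attack" if attack else "info_log",
    }
```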
In an optional embodiment of the present application, the step of determining whether each of the N4 domain names is an attack domain name according to the second rule may be specifically implemented as follows:
determining N5 accessible domain names and N6 inaccessible domain names of the N4 domain names;
for the N5 accessible domain names, determining whether each of the N5 accessible domain names is an attack domain name according to a third rule;
for the N6 inaccessible domain names, determining whether each of the N6 inaccessible domain names is an attack domain name according to a fourth rule.
In the embodiment of the application, the domain name and its corresponding IP address are requested; the response data packet of an accessible domain name contains the resolved IP address of the domain name, so that subsequent access can proceed, whereas for an inaccessible domain name no such response data packet exists.
In an optional embodiment of the present application, before performing the determining of the N5 accessible domain names and the N6 inaccessible domain names in the N4 domain names, the following steps may be further performed:
and determining N7 domain names with the access frequency higher than a first frequency threshold in the N4 domain names, and determining the N7 domain names as non-attack domain names.
This step serves to remove DNS tunnel domain names and common domain names from the requested domain names. By counting the access frequency of each accessed domain name over a certain period, domain names with a higher access frequency are excluded: if a domain name is accessed more than 100 times in one minute, it is considered not to fit a DNSLOG attack scenario, so domain names whose access frequency exceeds a certain value can be excluded, that is, determined to be non-attack domain names.
A high access frequency indicates that the domain name is required by many hosts; apart from extreme cases (the whole client's content is attacked), this characteristic does not belong to the DNSLOG attack characteristics, so such domain names can be excluded, which reduces the data volume for the subsequent judgment logic.
In an optional embodiment of the present application, the step of determining whether each domain name of the N5 accessible domain names is an attack domain name according to the third rule may be specifically implemented as follows:
executing each of the N5 domain names using a second command set, and determining N8 domain names whose execution result includes high-risk plaintext characters and N9 domain names whose execution result does not include high-risk plaintext characters; the second command set comprises at least one execution command;
performing a network traffic query on the access requests of the N8 domain names whose execution result includes high-risk plaintext characters, to obtain N10 domain names whose access requests carry only domain name request traffic and N11 domain names whose access requests carry non-domain-name request traffic in addition to domain name request traffic;
and determining the N10 domain names as attack domain names, and determining whether the N9 domain names and the N11 domain names are attack domain names according to a fifth rule.
This step is used to exclude domain name requests that are not DNSLOG attacks. The successful execution results of some simple commands (such as 'whoami', 'hostname' and the like) are defined as high-risk plaintext characters, and the DNS request domain names are matched against them. In a DNSLOG attack scenario, most DNSLOG domain names provide no service other than DNS, so if a DNSLOG attack is taking place, the network traffic (netflow) contains only DNS request traffic and no other request traffic such as HTTP. Therefore, a netflow query can be performed on the access requests of domain names in which high-risk plaintext characters are present, and when only DNS request traffic exists in the netflow, it can be determined that the domain name is a DNSLOG attack.
As examples of high-risk plaintext characters, the execution result of whoami may be root and the execution result of hostname may be windows xxx; the high-risk plaintext characters mainly consist of the execution results of such simple commands (whoami, hostname).
When matching DNS request domain names, the data streams of a certain time window (for example, several minutes before and after a request, which may be referred to as the time window) may be cached, and the domain name queries can then be looked up in these data streams.
In an optional embodiment of the present application, the step of determining whether the N9 domain names and the N11 domain names are attack domain names according to the fifth rule may be specifically implemented by:
determining, by using a character relevance algorithm model, N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, and determining the N12 domain names as attack domain names.
In this embodiment, the attack domain name is judged mainly through a sub-domain name relevance algorithm. Specifically, in a normal scenario the name of a domain is usually made up of English words or Chinese pinyin abbreviations, and certain rules exist among the characters of such words: for example, English contains words such as 'am' and 'as', so the probability that the letter 'a' is followed by 'm' or 's' is relatively high. To avoid repeated domain names, by contrast, the domain names used in DNSLOG mostly generate their sub-domain names with a DGA or with random characters. Therefore, common characters can be modeled through a character relevance calculation algorithm, such as a Markov model algorithm or a Shannon entropy algorithm, and a domain name that does not conform to the character relevance algorithm model is judged to be a DNSLOG attack domain name.
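The character relevance model described above, as an added example that is not part of the patent: a first-order Markov (bigram) model with add-one smoothing is trained on a constructed list of ordinary labels, each sub-domain label is scored by its mean log-probability per character transition, and a label scoring below the worst training label (minus a margin) is judged not to conform; Shannon entropy is computed alongside as the alternative signal the description mentions. The training list, the margin and the assumption that the registered zone is the last two labels are constructed choices.

```python
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
START, END = "^", "$"
SUCCESSORS = len(ALPHABET) + 1  # 36 characters plus the END marker

# Constructed training corpus of ordinary sub-domain labels (English words and
# pinyin brand names). A deployment would train on the network's own benign
# DNS history rather than on a hand-written list.
NORMAL_LABELS = [
    "mail", "www", "login", "api", "cdn", "static", "images", "update",
    "admin", "portal", "baidu", "taobao", "weixin", "xiaomi", "news",
    "shop", "blog", "test", "dev", "cloud",
]


def shannon_entropy(label: str) -> float:
    """Bits per character of the label; the alternative signal in the text."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class BigramModel:
    """First-order Markov model over characters with add-one smoothing."""

    def __init__(self, labels, margin: float = 0.1):
        self.pair = Counter()   # (prev, next) transition counts
        self.prev = Counter()   # how often each symbol occurs as prev
        for label in labels:
            seq = [START] + list(label.lower()) + [END]
            for a, b in zip(seq, seq[1:]):
                self.pair[(a, b)] += 1
                self.prev[a] += 1
        # Anything scoring below the worst training label, minus a margin,
        # is treated as not conforming to the model (assumed decision rule).
        self.threshold = min(self.score(lbl) for lbl in labels) - margin

    def score(self, label: str) -> float:
        """Mean log-probability per transition; higher means more word-like."""
        seq = [START] + list(label.lower()) + [END]
        total = 0.0
        for a, b in zip(seq, seq[1:]):
            total += math.log((self.pair[(a, b)] + 1) / (self.prev[a] + SUCCESSORS))
        return total / (len(seq) - 1)

    def conforms(self, label: str) -> bool:
        return self.score(label) >= self.threshold


MODEL = BigramModel(NORMAL_LABELS)


def relevance_verdict(domain: str, model: BigramModel = MODEL, zone_labels: int = 2) -> dict:
    """Apply the fifth rule to one domain name by scoring its sub-domain labels.

    The registered zone (assumed to be the last `zone_labels` labels) is not
    scored: a DNSLOG service keeps one fixed main domain and varies only the
    labels in front of it, so those are the labels that carry the DGA/random
    signal.
    """
    subs = domain.lower().split(".")[:-zone_labels]
    scores = {s: model.score(s) for s in subs}
    attack = any(not model.conforms(s) for s in subs)
    return {
        "domain": domain,
        "scores": scores,
        "entropy": {s: shannon_entropy(s) for s in subs},
        "least_word_like": min(scores, key=scores.get) if scores else None,
        "verdict": "attack" if attack else "normal",
    }
```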
In an optional embodiment of the present application, before the step of determining, by using a character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model is executed, the following steps may be further executed:
determining at least one domain name set, among the N9 domain names and the N11 domain names, whose domain names resolve to the same IP; the domain names within each domain name set of the at least one domain name set correspond to the same resolved IP, and different domain name sets of the at least one domain name set correspond to different resolved IPs;
determining, among the at least one domain name set, M1 domain name sets in which the number of domain names is greater than a first number threshold and M2 domain name sets in which the number of domain names is less than or equal to the first number threshold; the M2 domain name sets together comprise N13 domain names;
determining each domain name in the M1 domain name sets as an attack domain name;
the step of determining, by using a character association algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character association algorithm model, and determining the N12 domain names as attack domain names, includes:
and determining N14 domain names which do not accord with the character relevance algorithm model in the N13 domain names by using a character relevance algorithm model, and determining the N14 domain names as attack domain names.
In this embodiment, the attack domain name is judged mainly through the resolved IPs of the sub-domain names. Specifically, a DNSLOG service has only one main domain name, and the attack is then carried out by accessing different sub-domain names, but these sub-domain names all resolve to the same IP address. For example, if the DNSLOG domain name is 'dnlog.cn', accessing 'a.dnlog.cn' or 'b.dnlog.cn' resolves to the same IP address; therefore, if the resolved IPs of 10 different sub-domain names are the same, the domain name can be considered a DNSLOG domain name.
In an optional embodiment of the present application, before the step of determining, by using a character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, and determining the N12 domain names as attack domain names, the following steps may be further performed:
determining, among the N9 domain names and the N11 domain names, N15 domain names whose number of corresponding requesting IPs is greater than a second number threshold and N16 domain names whose number of corresponding requesting IPs is less than or equal to the second number threshold, and determining the N15 domain names as normal domain names;
correspondingly, the step of determining, by using the character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, and determining the N12 domain names as attack domain names, includes:
and determining N17 domain names which do not accord with the character relevance algorithm model in the N16 domain names by using a character relevance algorithm model, and determining the N17 domain names as attack domain names.
Specifically, this step judges the attack domain name mainly through behavior analysis. When a DNSLOG attack behavior exists, it is generally carried out through command execution, and the number of hosts affected by that behavior is not very large; therefore, by counting the requesting IPs of a single domain name, the domain name is considered a normal domain name if more than 10 different IPs issue access requests for it.
In an optional embodiment of the present application, the step of determining whether each of the N6 inaccessible domain names is an attack domain name according to the fourth rule may be specifically implemented by:
and determining N18 domain names which do not accord with the character relevance algorithm model in the N6 domain names by using a character relevance algorithm model, and determining the N18 domain names as attack domain names.
In this embodiment, the determination of the attack domain name is mainly performed by a sub-domain name relevance algorithm, which can be understood by referring to the foregoing example of performing the determination of the attack domain name by the sub-domain name relevance algorithm.
In an optional embodiment of the present application, before the step of determining N18 domain names of the N6 domain names that do not conform to the character relevance algorithm model by using the character relevance algorithm model and determining the N18 domain names as attack domain names is performed, the following steps may be further performed:
determining, among the N6 domain names, N19 domain names whose number of corresponding requesting IPs is greater than or equal to a third number threshold and N20 domain names whose number of corresponding requesting IPs is less than or equal to the third number threshold, and determining the N19 domain names as normal domain names;
correspondingly, the determining, by using the character relevance algorithm model, N18 domain names of the N6 domain names which do not conform to the character relevance algorithm model, and determining the N18 domain names as attack domain names includes:
and determining N21 domain names which do not accord with the character relevance algorithm model in the N20 domain names by using a character relevance algorithm model, and determining the N21 domain names as attack domain names.
This step judges the attack domain name mainly through behavior analysis and can be understood by referring to the foregoing example of judging the attack domain name through behavior analysis.
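The behaviour-based filters of the second rule, for both accessible and inaccessible domain names (frequency exclusion, response data, the netflow query for high-risk plaintext, same-IP sub-domain sets and requester counts), as one added Python example that is not the patent's own code. The DNS query and netflow records are constructed; the thresholds follow the description (more than 100 accesses per minute, more than 10 sub-domains on one resolved IP, more than 10 requesting IPs), and the keyword list and the five-minute netflow window are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DnsQuery:
    ts: int                # seconds since epoch
    src_ip: str            # host that sent the query
    qname: str             # requested domain name
    answer: Optional[str]  # resolved IP from the response; None if it did not resolve

@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    dst_port: int

# "root" (whoami) and "windows ..." (hostname) are the plaintext results the
# description calls high-risk characters; "administrator" is an assumed addition.
HIGH_RISK_PLAINTEXT = re.compile(r"(?:^|[.-])(?:root|administrator|windows)(?:[.-]|$)")
DNS_PORT = 53

def build_sample():
    """Constructed DNS queries and netflow records; not data from the patent."""
    q, f = [], []
    # 150 queries inside one minute from 30 hosts: a busy internal CDN name
    for i in range(150):
        q.append(DnsQuery(1020 + i % 30, f"10.0.0.{i % 30 + 1}", "cdn.corp.example", "10.1.1.1"))
    # 12 random-looking sub-domains from one host, all resolving to one IP
    for i in range(12):
        q.append(DnsQuery(2000 + i, "10.0.0.7", f"s{i}k9q2.dnlog.example", "203.0.113.9"))
    # a portal queried by 12 different hosts, each then opening an HTTPS flow
    for i in range(12):
        q.append(DnsQuery(3000 + i, f"10.0.0.{i + 40}", "portal.corp.example", "10.1.1.2"))
        f.append(Flow(3001 + i, f"10.0.0.{i + 40}", "10.1.1.2", 443))
    # whoami output carried in a label; the resolved IP only ever sees DNS
    q.append(DnsQuery(4000, "10.0.0.7", "root.dnlog.example", "203.0.113.10"))
    # a vendor update host: one query, then a real HTTPS connection
    q.append(DnsQuery(5000, "10.0.0.8", "update.vendor.example", "198.51.100.5"))
    f.append(Flow(5002, "10.0.0.8", "198.51.100.5", 443))
    # a name that never resolves (inaccessible)
    q.append(DnsQuery(6000, "10.0.0.9", "q8zf2.dnlog.example", None))
    return q, f

def high_frequency_domains(queries, per_minute=100):
    """Names queried more than `per_minute` times within one calendar minute."""
    buckets = Counter((q.qname, q.ts // 60) for q in queries)
    return {name for (name, _), n in buckets.items() if n > per_minute}

def dns_only_domains(queries, flows, window=300):
    """Resolved names whose IP saw no non-DNS flow from the querying host within +/- window seconds."""
    has_other = set()
    for q in queries:
        if not q.answer:
            continue
        for f in flows:
            if (f.src_ip == q.src_ip and f.dst_ip == q.answer
                    and f.dst_port != DNS_PORT and abs(f.ts - q.ts) <= window):
                has_other.add(q.qname)
                break
    return {q.qname for q in queries if q.answer} - has_other

def same_ip_cluster_domains(queries, min_names=10):
    """Names in a group of more than `min_names` names that all resolve to one IP."""
    names_by_ip = defaultdict(set)
    for q in queries:
        if q.answer:
            names_by_ip[q.answer].add(q.qname)
    return {n for group in names_by_ip.values() if len(group) > min_names for n in group}

def many_requester_domains(queries, max_ips=10):
    """Names requested by more than `max_ips` distinct source IPs."""
    ips = defaultdict(set)
    for q in queries:
        ips[q.qname].add(q.src_ip)
    return {n for n, s in ips.items() if len(s) > max_ips}

def triage(queries, flows, per_minute=100, min_cluster=10, max_requesters=10):
    """Apply the behaviour filters in the order of Fig. 2 (steps 204 to 208)."""
    verdict = {}
    names = {q.qname for q in queries}
    for n in high_frequency_domains(queries, per_minute):  # step 204
        verdict[n] = "normal: high access frequency"
    pending = names - set(verdict)
    accessible = {q.qname for q in queries if q.answer}    # step 205: response data
    dns_only = dns_only_domains(queries, flows)            # step 206: netflow query
    for n in pending & accessible:
        if HIGH_RISK_PLAINTEXT.search(n) and n in dns_only:
            verdict[n] = "attack: plaintext command output, DNS-only traffic"
    for n in same_ip_cluster_domains(queries, min_cluster) & (pending - set(verdict)):  # step 207
        verdict[n] = "attack: sub-domain cluster on one IP"
    for n in many_requester_domains(queries, max_requesters) & (pending - set(verdict)):  # step 208
        verdict[n] = "normal: many requesting hosts"
    for n in pending - set(verdict):                       # step 209 is handled separately
        verdict[n] = "character relevance check"
    return verdict
```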
The technical scheme of the embodiment of the application can be used to solve problems such as the absence of obvious attack characteristics in DNSLOG request traffic and the similarity of DNSLOG request traffic characteristics to a DNS tunnel; it overcomes the limitation of detecting the domain name information in the request traffic only by means of a blacklist, so that attack domain names outside the blacklist can be detected comprehensively and the accuracy of attack domain name detection is improved.
Fig. 2 is a schematic diagram of a detection process of an attack domain name provided in an embodiment of the present application, where the detection process of the attack domain name in fig. 2 includes the following steps:
Step 201: blacklist filtering.
For the acquired request traffic, suppose it is determined to contain 200 domain names. The 200 domain names contained in the request traffic are filtered by using a domain name blacklist; if the keywords of 20 of the 200 domain names are found to be the same as some domain names in the blacklist, those 20 domain names are determined to be attack domain names and a DNSLOG event is generated. In addition, the remaining 180 domain names contained in the request traffic may be filtered by using a domain name whitelist; here, assuming none of the 180 domain names has a keyword identical to a domain name in the whitelist, 180 domain names belonging to neither the domain name blacklist nor the domain name whitelist are finally obtained.
Step 202: domain name decoding.
For the 180 domain names obtained in step 201, a domain name decoding operation is performed using common decoding modes such as hex, base64 and base32, yielding 20 domain names that can be decoded successfully and 160 that cannot; step 203 is performed on the 20 successfully decoded domain names and step 204 on the 160 domain names that could not be decoded.
Step 203: command execution success rule base.
For the 20 successfully decoded domain names, rule matching for successful execution of commands such as ifconfig and netstat is performed. For a domain name carrying a command execution result, the behavior of sending information out of band through the domain name can be determined to match the attack behavior characteristics of DNSLOG, so a DNSLOG attack event can be generated; that is, the domain name is determined to be an attack domain name.
Step 204: excluding high-frequency access.
For the 160 domain names that could not be decoded in step 202, the access frequencies of the 160 domain names are counted; 20 domain names with an access frequency greater than 100 in one minute are identified and determined to be non-attack domain names, and the remaining 140 domain names are further judged in step 205.
Step 205: response data.
Using the response data of the 140 domain names determined in step 204, 120 accessible domain names and 20 inaccessible domain names are identified among the 140 domain names. The judgment continues with step 206 for the 120 accessible domain names and with step 208 for the 20 inaccessible domain names.
Step 206: determining high-risk plaintext characters and inquiring netflow.
For the 120 accessible domain names determined in step 205, some simple commands (such as 'whoami', 'hostname' and the like) are used to perform execution matching on the 120 accessible domain names; suppose the execution results of 100 domain names include high-risk plaintext characters and those of 20 domain names do not. A network traffic query is then performed on the 100 domain names whose execution results include high-risk plaintext characters, giving 10 domain names whose access requests carry only domain name request traffic and 90 domain names whose access requests also carry non-domain-name request traffic. The 10 domain names with only domain name request traffic in their access requests are determined to be attack domain names, and a DNSLOG attack event is generated. Step 207 is then used to further judge the 90 domain names with non-domain-name request traffic together with the 20 domain names whose execution results do not include high-risk plaintext characters.
Step 207: sub-domain name IP.
For the 110 domain names in total obtained in step 206, the resolved IP of each of the 110 domain names is determined; according to these resolved IPs, 20 domain names belonging to groups of more than 10 domain names that share the same resolved IP are identified, the 20 domain names are determined to be attack domain names, and a DNSLOG event is generated. The remaining 90 domain names are further judged in step 208.
Step 208: behavior analysis.
For the 90 domain names obtained in step 207 and the 20 inaccessible domain names obtained in step 205, the number of different IPs issuing access requests for each domain name can be counted, and a domain name requested by more than 10 different IPs is determined to be a normal domain name. In this step, 100 domain names requested by 10 or fewer different IPs are obtained and are further judged in step 209, while the remaining 10 domain names, each requested by more than 10 different IPs, are determined to be normal domain names.
Step 209: sub-domain name association algorithm.
Since attack domain names are generally generated by means of a DGA or random characters, the association between different domain names is weak. Using a character association algorithm such as a Markov model, 60 domain names that do not conform to the character association algorithm and 40 domain names that do conform are determined from the 100 domain names obtained in step 208, and the 60 non-conforming domain names can be determined to be attack domain names, generating DNSLOG events.
Step 210: DNSLOG event generation.
In this step, DNSLOG events are generated mainly for each attack domain name determined in the above steps 201 to 209, which can facilitate subsequent analysis of the attack domain name.
In fig. 2, steps 201 to 210 are performed in sequence, and each preceding step reduces the data processing workload of the step that follows it. It can be understood that the order of some of steps 201 to 210 may be changed, or steps may be added or removed, as required, including but not limited to the following forms: for example, step 201, step 204, step 207 and step 208 in fig. 2 may be partially or completely omitted, and only the remaining steps used to determine the attack domain names in the request traffic; alternatively, the order of step 207 and step 208 in fig. 2 may be reversed, and the attack domain names in the request traffic can still be determined.
An embodiment of the present application further provides a detection apparatus for attacking a domain name, fig. 3 is a schematic structural composition diagram of the detection apparatus for attacking a domain name provided in the embodiment of the present application, as shown in fig. 3, the apparatus 300 includes:
an obtaining unit 301, configured to obtain request traffic, the request traffic comprising N1 domain names;
a filtering unit 302, configured to filter N1 domain names included in the request traffic by using a domain name blacklist and a domain name whitelist, to obtain N2 domain names after filtering;
a determining unit 303, configured to decode each of the N2 domain names; for N3 domain names which are successfully decoded from the N2 domain names, determining whether each domain name in the N3 domain names is an attack domain name according to a first rule; and for the N4 domain names which are not decoded successfully in the N2 domain names, determining whether each domain name in the N4 domain names is an attack domain name according to a second rule.
In an optional embodiment of the present application, the determining unit 303 is specifically configured to: executing each of the N3 domain names with a first set of commands; the first command set comprises at least one execution command; and determining the domain name which is successfully executed by utilizing the first command set in the N3 domain names as an attack domain name.
In an optional embodiment of the present application, the determining unit 303 is specifically configured to: determine N5 accessible domain names and N6 inaccessible domain names among the N4 domain names; for the N5 accessible domain names, determine whether each of the N5 accessible domain names is an attack domain name according to a third rule; and for the N6 inaccessible domain names, determine whether each of the N6 inaccessible domain names is an attack domain name according to a fourth rule.
In an optional embodiment of the present application, the determining unit 303 is further configured to: before determining N5 accessible domain names and N6 inaccessible domain names in the N4 domain names, determining N7 domain names with access frequencies higher than a first frequency threshold in the N4 domain names, and determining the N7 domain names as non-attack domain names.
In an optional embodiment of the present application, the determining unit 303 is further configured to: executing each of the N5 domain names using a second set of commands, determining N8 domain names that include high-risk plaintext characters in the execution result, and N9 domain names that do not include high-risk plaintext characters in the execution result; the second command set comprises at least one execution command; performing network traffic query on access requests of N8 domain names including high-risk plaintext characters in an execution result to obtain N10 domain names only having domain name request traffic in the access requests of the N8 domain names and N11 domain names having non-domain name request traffic in the access requests of the N8 domain names except the domain name request traffic; and determining the N10 domain names as attack domain names, and determining whether the N9 domain names and the N11 domain names are attack domain names according to a fifth rule.
In an optional embodiment of the present application, the determining unit 303 is further configured to: and determining the N9 domain names and N12 domain names which do not accord with the character relevance algorithm model in the N11 domain names by utilizing a character relevance algorithm model, and determining the N12 domain names as attack domain names.
In an optional embodiment of the present application, the determining unit 303 is further configured to: before determining, by using a character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, determine at least one domain name set, among the N9 domain names and the N11 domain names, whose domain names resolve to the same IP, where the domain names within each domain name set of the at least one domain name set correspond to the same resolved IP and different domain name sets of the at least one domain name set correspond to different resolved IPs; determine, among the at least one domain name set, M1 domain name sets in which the number of domain names is greater than a first number threshold and M2 domain name sets in which the number of domain names is less than or equal to the first number threshold, the M2 domain name sets together comprising N13 domain names; and determine each domain name in the M1 domain name sets as an attack domain name; the determining unit is further specifically configured to: determine, by using a character relevance algorithm model, N14 domain names among the N13 domain names that do not conform to the character relevance algorithm model, and determine the N14 domain names as attack domain names.
In an optional embodiment of the present application, the determining unit 303 is further configured to: before determining, by using a character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model and determining the N12 domain names as attack domain names, determine, among the N9 domain names and the N11 domain names, N15 domain names whose number of corresponding requesting IPs is greater than a second number threshold and N16 domain names whose number of corresponding requesting IPs is less than or equal to the second number threshold, and determine the N15 domain names as normal domain names; correspondingly, the determining unit is further specifically configured to: determine, by using a character relevance algorithm model, N17 domain names among the N16 domain names that do not conform to the character relevance algorithm model, and determine the N17 domain names as attack domain names.
In an optional embodiment of the present application, the determining unit 303 is further specifically configured to: and determining N18 domain names which do not accord with the character relevance algorithm model in the N6 domain names by using a character relevance algorithm model, and determining the N18 domain names as attack domain names.
In an optional embodiment of the present application, the determining unit 303 is further specifically configured to: before determining, by using a character relevance algorithm model, the N18 domain names among the N6 domain names that do not conform to the character relevance algorithm model and determining the N18 domain names as attack domain names, determine, among the N6 domain names, N19 domain names whose number of corresponding requesting IPs is greater than or equal to a third number threshold and N20 domain names whose number of corresponding requesting IPs is less than or equal to the third number threshold, and determine the N19 domain names as normal domain names; correspondingly, the determining unit 303 is further specifically configured to: determine, by using a character relevance algorithm model, N21 domain names among the N20 domain names that do not conform to the character relevance algorithm model, and determine the N21 domain names as attack domain names.
It should be understood by those skilled in the art that the implementation functions of each unit in the detection apparatus for attacking a domain name shown in fig. 3 can be understood by referring to the related description of the detection method for attacking a domain name. The functions of the units in the detection apparatus for attacking a domain name shown in fig. 3 may be implemented by a program running on a processor, or may be implemented by a specific logic circuit.
The embodiment of the application also provides an electronic device. Fig. 4 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application; as shown in fig. 4, the electronic device includes a communication component 403 for data transmission, at least one processor 401, and a memory 402 for storing computer programs capable of running on the processor 401. The various components in the electronic device are coupled together by a bus system 404. It is understood that the bus system 404 is used to enable communication among the components. In addition to a data bus, the bus system 404 includes a power bus, a control bus and a status signal bus. For clarity of illustration, however, the various buses are labeled as bus system 404 in fig. 4.
Wherein the processor 401, when executing the computer program, performs at least the steps of the method shown in fig. 1 or fig. 2.
It will be appreciated that the memory 402 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 402 described in the embodiments herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to the processor 401, or implemented by the processor 401. The processor 401 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 401. The processor 401 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. Processor 401 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium that is located in the memory 402, and the processor 401 reads the information in the memory 402 and, in conjunction with its hardware, performs the steps of the method as described above.
In an exemplary embodiment, the electronic device may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), FPGAs, general purpose processors, controllers, MCUs, microprocessors, or other electronic components for performing the aforementioned method.
An embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is configured to, when executed by a processor, perform at least the steps of the method shown in fig. 1 or fig. 2. The computer readable storage medium may be specifically a memory. The memory may be memory 402 as shown in fig. 4.
The technical solutions described in the embodiments of the present application can be arbitrarily combined without conflict.
In the several embodiments provided in the present application, it should be understood that the disclosed method and intelligent device may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in the form of hardware, or in the form of hardware plus a software functional unit.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.

Claims (12)

1. A method for detecting an attack domain name, characterized by comprising the following steps:
obtaining request traffic, the request traffic comprising N1 domain names;
filtering the N1 domain names included in the request traffic by using a domain name blacklist and a domain name whitelist to obtain N2 filtered domain names;
decoding each of the N2 domain names; for the N3 domain names among the N2 domain names that are successfully decoded, executing each of the N3 domain names with a first command set, the first command set comprising at least one execution command; determining each domain name among the N3 domain names that is successfully executed with the first command set as an attack domain name; and for the N4 domain names among the N2 domain names that are not successfully decoded, determining whether each of the N4 domain names is an attack domain name according to a second rule.
2. The method according to claim 1, wherein the determining whether each of the N4 domain names is an attack domain name according to a second rule comprises:
determining N5 accessible domain names and N6 inaccessible domain names among the N4 domain names;
for the N5 accessible domain names, determining whether each of the N5 accessible domain names is an attack domain name according to a third rule;
for the N6 inaccessible domain names, determining whether each of the N6 inaccessible domain names is an attack domain name according to a fourth rule.
3. The method according to claim 2, wherein before the determining N5 accessible domain names and N6 inaccessible domain names among the N4 domain names, the method further comprises:
determining N7 domain names among the N4 domain names whose access frequency is higher than a first frequency threshold, and determining the N7 domain names as non-attack domain names.
4. The method according to claim 2, wherein the determining whether each of the N5 accessible domain names is an attack domain name according to a third rule comprises:
executing each of the N5 domain names with a second command set, and determining N8 domain names whose execution result includes high-risk plaintext characters and N9 domain names whose execution result does not include high-risk plaintext characters; the second command set comprising at least one execution command;
performing a network traffic query on the access requests of the N8 domain names to obtain N10 domain names whose access requests carry only domain name request traffic, and N11 domain names whose access requests carry non-domain-name request traffic in addition to domain name request traffic;
determining the N10 domain names as attack domain names, and determining whether the N9 domain names and the N11 domain names are attack domain names according to a fifth rule.
5. The method according to claim 4, wherein the determining whether the N9 domain names and the N11 domain names are attack domain names according to a fifth rule comprises:
determining, by using a character relevance algorithm model, N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, and determining the N12 domain names as attack domain names.
6. The method according to claim 5, wherein before the determining, by using the character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, the method further comprises:
determining at least one domain name set among the N9 domain names and the N11 domain names; the domain names in each domain name set of the at least one domain name set correspond to the same resolved Internet Protocol (IP) address, and the resolved IP addresses corresponding to different domain name sets of the at least one domain name set are different;
determining, among the at least one domain name set, M1 domain name sets each including a number of domain names greater than a first number threshold, and M2 domain name sets each including a number of domain names less than or equal to the first number threshold; the M2 domain name sets collectively comprise N13 domain names;
determining each domain name in the M1 domain name sets as an attack domain name;
and wherein the determining, by using the character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, and determining the N12 domain names as attack domain names comprises:
determining, by using the character relevance algorithm model, N14 domain names among the N13 domain names that do not conform to the character relevance algorithm model, and determining the N14 domain names as attack domain names.
7. The method according to claim 5, wherein before the determining, by using the character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model and determining the N12 domain names as attack domain names, the method further comprises:
determining N15 domain names among the N9 domain names and the N11 domain names whose corresponding number of requesting IPs is greater than a second number threshold, and N16 domain names among the N9 domain names and the N11 domain names whose corresponding number of requesting IPs is less than or equal to the second number threshold, and determining the N15 domain names as normal domain names;
and correspondingly, the determining, by using the character relevance algorithm model, the N12 domain names among the N9 domain names and the N11 domain names that do not conform to the character relevance algorithm model, and determining the N12 domain names as attack domain names comprises:
determining, by using the character relevance algorithm model, N17 domain names among the N16 domain names that do not conform to the character relevance algorithm model, and determining the N17 domain names as attack domain names.
8. The method according to claim 2, wherein the determining whether each of the N6 inaccessible domain names is an attack domain name according to a fourth rule comprises:
determining, by using a character relevance algorithm model, N18 domain names among the N6 domain names that do not conform to the character relevance algorithm model, and determining the N18 domain names as attack domain names.
9. The method according to claim 8, wherein before the determining, by using the character relevance algorithm model, the N18 domain names among the N6 domain names that do not conform to the character relevance algorithm model and determining the N18 domain names as attack domain names, the method further comprises:
determining N19 domain names among the N6 domain names whose corresponding number of requesting IPs is greater than or equal to a third number threshold, and N20 domain names among the N6 domain names whose corresponding number of requesting IPs is less than or equal to the third number threshold, and determining the N19 domain names as normal domain names;
and correspondingly, the determining, by using the character relevance algorithm model, the N18 domain names among the N6 domain names that do not conform to the character relevance algorithm model, and determining the N18 domain names as attack domain names comprises:
determining, by using the character relevance algorithm model, N21 domain names among the N20 domain names that do not conform to the character relevance algorithm model, and determining the N21 domain names as attack domain names.
10. An apparatus for detecting an attack domain name, the apparatus comprising:
an obtaining unit, configured to obtain request traffic, the request traffic comprising N1 domain names;
a filtering unit, configured to filter the N1 domain names included in the request traffic by using a domain name blacklist and a domain name whitelist to obtain N2 filtered domain names;
a determining unit, configured to decode each of the N2 domain names; for the N3 domain names among the N2 domain names that are successfully decoded, to execute each of the N3 domain names with a first command set, the first command set comprising at least one execution command; to determine each domain name among the N3 domain names that is successfully executed with the first command set as an attack domain name; and for the N4 domain names among the N2 domain names that are not successfully decoded, to determine whether each of the N4 domain names is an attack domain name according to a second rule.
11. An electronic device, characterized in that the electronic device comprises: a memory having computer-executable instructions stored thereon, and a processor operable to implement the method of any one of claims 1 to 9 when executing the computer-executable instructions stored on the memory.
12. A computer storage medium having stored thereon executable instructions which, when executed by a processor, implement the method of any one of claims 1 to 9.
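The claims above describe a single triage pipeline: list filtering, decoding each name and testing the decoded text against a command set, a frequency cut, an accessible/inaccessible split, a high-risk plaintext check combined with a traffic query, grouping by resolved IP, requesting-IP thresholds, and finally a character relevance model. The following is an added worked example that runs claims 1 to 9 in that order over constructed records; it is not the patent's code. Everything it assumes is labelled: "executing a domain name with the first command set" is modelled as checking whether the decoded label starts with a command token, the "execution result" of the second command set is a pre-collected response string carried on each record, the "character relevance algorithm model" is replaced by a vowel-ratio and consonant-run legibility check, and the three thresholds are demo values. Claims 6 and 7 are each written as alternatives on top of claim 5; the example applies both in sequence, which is a design choice of the example. It never touches the network and never executes anything.

```python
"""Added example of the claims 1-9 triage over constructed data; not the patent's code.
Assumed stand-ins: command-token match for the first command set, a pre-collected
response string for the second command set's result, and a vowel-ratio/consonant-run
check for the character relevance model. No network access, no command execution."""
import base64
import binascii
from collections import defaultdict

BLACKLIST = {"known-bad.example"}
WHITELIST = {"cdn.example.com"}
COMMAND_TOKENS = {"whoami", "id", "cat", "curl", "wget", "powershell", "nslookup"}
HIGH_RISK_PLAINTEXT = ("passwd", "shadow", "token", "secret")
FREQ_THRESHOLD = 1000    # claim 3 first frequency threshold (demo value)
SET_SIZE_THRESHOLD = 3   # claim 6 first number threshold (demo value)
REQ_IP_THRESHOLD = 50    # claims 7 and 9 second/third number threshold (demo value)

def decode_label(label):
    """Claim 1 decoding step: hex, then base64; None unless the result is printable ASCII."""
    decoders = (binascii.unhexlify,
                lambda s: base64.b64decode(s + "=" * (-len(s) % 4), validate=True))
    for dec in decoders:
        try:
            text = dec(label).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text and text.isprintable():
            return text
    return None

def looks_like_command(text):
    """Stand-in for 'successfully executed with the first command set' (assumption)."""
    tokens = text.replace(";", " ").replace("|", " ").split()
    return bool(tokens) and tokens[0] in COMMAND_TOKENS

def char_model_verdict(name):
    """Stand-in for the character relevance model (assumption): the labels below the
    public suffix need enough vowels and no consonant run longer than four."""
    body = "".join(name.split(".")[:-1])
    run = longest = 0
    for c in body:
        run = run + 1 if c.isalpha() and c not in "aeiou" else 0
        longest = max(longest, run)
    legible = sum(c in "aeiou" for c in body) / max(len(body), 1) >= 0.2 and longest <= 4
    return "normal" if legible else "attack"

def triage(records):
    """Claims 1-9 in order; returns {name: 'attack' | 'normal' | 'undetermined'}."""
    v, n4, n5, n6, n9_n11 = {}, [], [], [], []
    for r in records:                             # claim 1: list filter, decode, first command set
        name = r["name"]
        if name in BLACKLIST or name in WHITELIST:  # assumption: list hits are decided directly
            v[name] = "attack" if name in BLACKLIST else "normal"
            continue
        text = decode_label(name.split(".")[0])
        if text is None:
            n4.append(r)                          # N4: not decodable, goes to the second rule
        else:                                     # N3: decodable
            v[name] = "attack" if looks_like_command(text) else "undetermined"
    for r in n4:                                  # claim 3 frequency cut, then the claim 2 split
        if r["freq"] > FREQ_THRESHOLD:
            v[r["name"]] = "normal"               # N7
        elif r["accessible"]:
            n5.append(r)                          # N5
        else:
            n6.append(r)                          # N6
    for r in n5:                                  # claim 4: high-risk plaintext, then traffic query
        risky = any(k in r["exec_output"] for k in HIGH_RISK_PLAINTEXT)
        if risky and r["traffic"] == {"dns"}:
            v[r["name"]] = "attack"               # N10: sensitive data, DNS-only traffic
        else:
            n9_n11.append(r)
    by_ip = defaultdict(list)                     # claim 6: group by resolved IP
    for r in n9_n11:
        by_ip[r["resolved_ip"]].append(r)
    for group in by_ip.values():
        if len(group) > SET_SIZE_THRESHOLD:       # M1: many names on one IP
            v.update((r["name"], "attack") for r in group)
        else:                                     # N13: claim 7 IP-count cut, then the claim 5 model
            for r in group:
                v[r["name"]] = "normal" if r["requesting_ips"] > REQ_IP_THRESHOLD else char_model_verdict(r["name"])
    for r in n6:                                  # claim 9 IP-count cut, then the claim 8 model
        v[r["name"]] = "normal" if r["requesting_ips"] >= REQ_IP_THRESHOLD else char_model_verdict(r["name"])
    return v

def rec(name, freq=10, accessible=True, exec_output="", traffic=("dns", "http"),
        resolved_ip="198.51.100.1", requesting_ips=3):
    return dict(name=name, freq=freq, accessible=accessible, exec_output=exec_output,
                traffic=set(traffic), resolved_ip=resolved_ip, requesting_ips=requesting_ips)

# Constructed sample traffic (reserved example names, RFC 5737 addresses).
SAMPLE = [
    rec("known-bad.example"), rec("cdn.example.com"),
    rec("d2hvYW1p.exfil.example"),                 # base64("whoami"): a command in a label
    rec("6964.exfil.example"),                     # hex("id")
    rec("aGVsbG8.corp.example"),                   # base64("hello"): decodes, not a command
    rec("www.popular.example", freq=5000),         # claim 3: too frequent to be an attack name
    rec("t3.c2-relay.example", exec_output="/etc/passwd contents", traffic=("dns",)),
    rec("t7x.upd-srv.example", exec_output="token=abc", resolved_ip="198.51.100.11"),
    rec("portal.intranet.example", requesting_ips=300, resolved_ip="198.51.100.12"),
    rec("q7zk29xv.dyn.example", resolved_ip="198.51.100.13"),
    rec("shop.retail.example", resolved_ip="198.51.100.14"),
    rec("old.legacy.example", accessible=False, requesting_ips=80),
    rec("kq8zz.dga.example", accessible=False),
] + [rec(f"xk{i}q.flux.example", resolved_ip="203.0.113.7") for i in range(4)]

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE).items()):
        print(f"{verdict:12s} {name}")
```

Running the block prints one verdict per name. Note the `undetermined` outcome for `aGVsbG8.corp.example`: claim 1 only says what happens to decodable names that execute successfully, so a label that decodes to harmless text is left for other controls; the frequency and requesting-IP cuts (claims 3, 7 and 9) exist precisely so that popular, widely requested names are not handed to the character model.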
CN202110728721.4A 2021-06-29 2021-06-29 Method and device for detecting attack domain name, electronic equipment and storage medium Active CN113329035B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110728721.4A CN113329035B (en) 2021-06-29 2021-06-29 Method and device for detecting attack domain name, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110728721.4A CN113329035B (en) 2021-06-29 2021-06-29 Method and device for detecting attack domain name, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113329035A CN113329035A (en) 2021-08-31
CN113329035B true CN113329035B (en) 2022-09-30

Family

ID=77425166

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110728721.4A Active CN113329035B (en) 2021-06-29 2021-06-29 Method and device for detecting attack domain name, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113329035B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363290B (en) * 2021-12-31 2023-08-29 恒安嘉新(北京)科技股份公司 Domain name identification method, device, equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106713312A (en) * 2016-12-21 2017-05-24 深圳市深信服电子科技有限公司 Method and device for detecting illegal domain name
US10623425B2 (en) * 2017-06-01 2020-04-14 Radware, Ltd. Detection and mitigation of recursive domain name system attacks
CN107835149B (en) * 2017-09-13 2020-06-05 杭州安恒信息技术股份有限公司 Network privacy stealing behavior detection method and device based on DNS (Domain name System) traffic analysis
CN110636085A (en) * 2019-11-12 2019-12-31 中国移动通信集团广西有限公司 Attack detection method and device based on flow and computer readable storage medium
CN112839012B (en) * 2019-11-22 2023-05-09 中国移动通信有限公司研究院 Bot domain name identification method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN113329035A (en) 2021-08-31

Similar Documents

Publication Publication Date Title
US11863587B2 (en) Webshell detection method and apparatus
US8347394B1 (en) Detection of downloaded malware using DNS information
US8260914B1 (en) Detecting DNS fast-flux anomalies
US8515918B2 (en) Method, system and computer program product for comparing or measuring information content in at least one data stream
US10218733B1 (en) System and method for detecting a malicious activity in a computing environment
US10511618B2 (en) Website information extraction device, system website information extraction method, and website information extraction program
US11349866B2 (en) Hardware acceleration device for denial-of-service attack identification and mitigation
CN111756728B (en) Vulnerability attack detection method and device, computing equipment and storage medium
CN111314301A (en) Website access control method and device based on DNS (Domain name Server) analysis
CN112311722A (en) Access control method, device, equipment and computer readable storage medium
CN110933082B (en) Method, device and equipment for identifying lost host and storage medium
CN113329035B (en) Method and device for detecting attack domain name, electronic equipment and storage medium
CN115102781B (en) Network attack processing method, device, electronic equipment and medium
CN112272175A (en) Trojan horse virus detection method based on DNS
CN112583827B (en) Data leakage detection method and device
CN114189390A (en) Domain name detection method, system, equipment and computer readable storage medium
CN113965392B (en) Malicious server detection method, system, readable medium and electronic equipment
CN113923039B (en) Attack equipment identification method and device, electronic equipment and readable storage medium
CN112261004B (en) Method and device for detecting Domain Flux data stream
CN111371917B (en) Domain name detection method and system
TW202311994A (en) System and method of malicious domain query behavior detection
CN113726775A (en) Attack detection method, device, equipment and storage medium
CN112637171A (en) Data traffic processing method, device, equipment, system and storage medium
CN118018323B (en) System, electronic equipment and storage medium for protecting against DNS random subdomain name DDoS attack
US20190158464A1 (en) Inspection context caching for deep packet inspection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant