CN101854404B - Method and device for detecting anomaly of domain name system

Info

Publication number: CN101854404B
Application number: CN201010198228.8A
Authority: CN (China)
Legal status: Active
Language: Chinese (zh)
Other versions: CN101854404A
Prior art keywords: entropy, domain name, data block, name system, data
Inventors: 毛伟, 李晓东, 丁森林, 王欣, 吴军, 金键
Original assignee: Computer Network Information Center of CAS
Current assignee: China Internet Network Information Center
Application filed by: Computer Network Information Center of CAS
Priority: CN201010198228.8A; PCT application PCT/CN2010/074577 (WO2011150579A1)
Publication of application: CN101854404A
Publication of grant: CN101854404B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 61/00: Network arrangements, protocols or services for addressing or naming
    • H04L 61/45: Network directories; name-to-address mapping
    • H04L 61/4505: Network directories; name-to-address mapping using standardised directories or standardised directory access protocols
    • H04L 61/4511: Network directories; name-to-address mapping using standardised directories or standardised directory access protocols using the domain name system [DNS]


Abstract

The invention provides a method and apparatus for detecting anomalies of the domain name system (DNS), in the technical field of computer networks. The method comprises: dividing the DNS query data stream into a plurality of data blocks; computing the entropy of each data block according to a preset query attribute, so as to obtain a corresponding plurality of entropies; judging whether a preset number of the obtained entropies exceed a preset threshold; and if so, determining that the DNS is anomalous. The apparatus comprises a dividing module, a computing module and a judging module. Because the apparatus computes the entropies of a plurality of data blocks of the DNS query data stream and declares an anomaly when a preset number of those entropies exceed the preset threshold, it can give early warning of a DNS anomaly and so reduce the loss suffered after the anomaly appears; compared with the prior art, the method has high detection accuracy and a low miss rate.

Description

Method and apparatus for detecting domain name system anomalies
Technical field
The present invention relates to computer network security, and in particular to a method and apparatus for detecting anomalies of the domain name system; it belongs to the technical field of computer networks.
Background
The Domain Name System (hereinafter DNS) is a distributed database system that translates domain names into the IP addresses the network can route. Because DNS is the foundation of the Internet, a DNS anomaly can seriously affect the whole network, so detecting DNS anomalies is very important.
Prior-art methods for detecting DNS anomalies mainly decide whether an anomaly has occurred from changes in the query volume or from changes in the values of query attributes. Deciding from the query volume means that DNS is considered anomalous when the query volume is exceptionally large or exceptionally small.
In the course of making the present invention, the inventors found at least the following problems in the prior art:
Deciding from changes in the query volume lags behind the anomaly: by the time the anomaly is detected, the query volume has usually already accumulated to a considerable degree and more serious consequences have already followed, so the method cannot serve as an early warning. Moreover, an anomaly does not necessarily change the query volume at all, so volume-based detection has a very high miss rate.
Summary of the invention
The present invention provides a method and apparatus for detecting DNS anomalies, to solve the problems of the prior art that DNS anomaly detection lags and has a high miss rate.
The method for detecting DNS anomalies provided by the invention comprises:
dividing the DNS query data stream into a plurality of data blocks;
computing the entropies of the data blocks according to a preset query attribute, obtaining a corresponding plurality of entropies;
judging whether a preset number of the obtained entropies exceed a preset threshold, and if so, determining that a DNS anomaly has occurred.
The apparatus for detecting DNS anomalies provided by the invention comprises:
a dividing module for dividing the DNS query data stream into a plurality of data blocks;
a computing module for computing the entropies of the data blocks according to the preset query attribute, obtaining a corresponding plurality of entropies;
a judging module for judging whether a preset number of the obtained entropies exceed a preset threshold and, if so, outputting information indicating that a DNS anomaly has occurred.
The invention computes the entropies of a plurality of data blocks of the DNS query data stream and determines that a DNS anomaly has occurred when a preset number of the resulting entropies exceed the preset threshold. It can therefore give early warning of a DNS anomaly, which reduces the loss suffered after the anomaly occurs, and its miss rate is low.
Brief description of the drawings
To explain the technical solution of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below.
Fig. 1 is a flow chart of an embodiment of the method for detecting DNS anomalies according to the invention;
Fig. 2 is a schematic diagram of dividing data blocks by fixed time;
Fig. 3 is the entropy curve obtained with a window (data block) size of 10000;
Fig. 4 is the DNS query-rate curve;
Fig. 5 is a schematic structural diagram of an embodiment of the apparatus for detecting DNS anomalies according to the invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the technical solution of the invention is described clearly and completely below with reference to the drawings. The embodiments described are evidently only some, not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The present invention applies the theory of entropy to DNS anomaly detection for the first time, so entropy is introduced first. In information theory, entropy is defined as follows. Let a system S have a set of events E = {E_1, E_2, ..., E_n}, where E_1, E_2, ..., E_n are the individual events, and let P = {P_1, P_2, ..., P_n} be the probability distribution of those events, P_r being the probability with which event E_r occurs. The information content I_r of an individual event r is given by formula (1):
$$I_r = -\log_2 P_r \qquad (1)$$
where r = 1, 2, ..., n.
For example, English has 26 letters; if every letter occurred equally often in a text, the information content of each letter would be I = -log_2(1/26) ≈ 4.7 bits. There are about 2500 commonly used Chinese characters; if every character occurred equally often in a text, the information content of each character would be I = -log_2(1/2500) ≈ 11.3 bits.
Entropy is the average information content of the whole system S. Writing the entropy as H_s, it is computed by formula (2):
$$H_s = \sum_{r=1}^{n} P_r I_r = -\sum_{r=1}^{n} P_r \log_2 P_r \qquad (2)$$
In the field of information communication, entropy represents the uncertainty of the information. A system with a high degree of information has a lower entropy, which indicates that such a system is comparatively stable; a system with a low degree of information has a higher entropy, which indicates that such a system is unstable and prone to anomalies. Entropy can therefore be used to detect whether a DNS anomaly has occurred.
Embodiment 1
Fig. 1 is a flow chart of an embodiment of the method for detecting DNS anomalies according to the invention. As shown in Fig. 1, the method comprises:
Step 101: dividing the DNS query data stream into a plurality of data blocks.
It should be noted that the larger the data blocks, i.e. the more query data each block contains, the more gently the entropy of a block varies; this effectively reduces false positives, but it also reduces the sensitivity to abnormal traffic, so the miss rate rises. Conversely, the smaller the blocks, i.e. the less query data each block contains, the higher the sensitivity to DNS anomalies, but the accuracy falls correspondingly.
In practice, the DNS query data stream may be divided into data blocks by fixed time and/or by fixed query count. For example, each minute of the query stream may form one data block, or every 1000 query records may form one block. Both criteria may also be combined, for example a block is closed when the fixed time is reached even though the fixed count has not been reached, or when the fixed count is reached even though the fixed time has not been reached. The division may also follow a function of the time of day: between 8:30 and 12:00 in the morning, blocks may be cut on shorter intervals, for example one block every 20 to 30 seconds, while between 12:00 and 13:00 blocks may be cut on longer intervals, for example one block every 2 to 3 minutes. The division can be adjusted by the technician to actual conditions, or blocks can be cut according to experience and the volume of query data.
Step 102: computing the entropies of the data blocks according to a preset query attribute, obtaining a corresponding plurality of entropies.
The preset query attribute may be the query type, the type of error occurring in the query, the query source IP or the queried domain name, but it is not limited to these: any query attribute by which queries can be partitioned into classes may be used.
The query types include at least: the IP address record of a domain name (Address, abbreviated A), the IPv6 host address record (AAAA), the reverse record (Pointer, PTR), the mail exchanger record (Mail exchanger, MX), the name server record (Name Server, NS) and the start of authority record (Start Of Authority, SOA).
An error type occurring in a query means that the transmitted DNS query request contains an illegal field. The main error types are: the query source address is a private address; the query type does not exist; the queried domain name does not exist; the queried top-level domain does not exist; the queried name contains illegal characters (name format error); repeated queries; and the normal-query class. A normal query is one without any error; when the preset query attribute is the error type, error-free queries are placed in the normal-query class, so that every query record falls into exactly one type.
Computing the entropies of the data blocks according to the preset query attribute specifically comprises:
computing the probability with which each element of the preset query attribute occurs in each data block;
computing the entropy of each data block from the probabilities with which the elements of the preset query attribute occur in that block.
The divided data blocks may overlap one another. For example, Fig. 2 is a schematic diagram of division by fixed time: the queries between 8:00 and 8:10 form one data block and the queries between 8:03 and 8:13 form the next, i.e. each block spans 10 minutes and adjacent blocks start 3 minutes apart (so that they overlap for 7 minutes); in this way the query data stream is divided into a plurality of overlapping data blocks. This embodiment is explained in detail taking blocks that each contain a fixed query count as the example.
Suppose each data block contains a fixed count of 10 query records, the current block is block i, the block immediately preceding it is block i-1 and the block immediately following it is block i+1. If block i-1 contains records 1 to 10, then block i contains records 2 to 11 and block i+1 contains records 3 to 12. The overlap of blocks i-1 and i is records 2 to 10, and the overlap of blocks i and i+1 is records 3 to 11.
When the divided data blocks overlap, computing the entropies of the data blocks according to the preset query attribute may comprise:
computing the entropy H_1 of the data block immediately preceding the current block;
computing the entropy H_2 of the current block from the entropy H_1 of the preceding block.
Computing H_2 from H_1 specifically comprises:
computing, in block i-1, the weighted information T_f of the first fixed query amount and the weighted information T_l of the second fixed query amount. The first fixed query amount is the part of block i-1 that lies before its overlap with block i; the second fixed query amount is the part of block i+1 that lies after its overlap with block i.
Continuing the example, the first fixed query amount is record 1 and the second fixed query amount is record 12.
If the query type of record 1 occurs in block i-1 with probability P_f, then T_f = -P_f log_2 P_f.
If the query type of record 12 occurs in block i-1 with probability P_l, then T_l = -P_l log_2 P_l.
Next, the weighted information of the second fixed query amount and of the third fixed query amount are computed in block i; the third fixed query amount is the part of block i that lies before its overlap with block i+1.
Continuing the example: the weighted information of record 12 in block i is computed, in the same form -P log_2 P, from the probability with which the query type of record 12 occurs in block i; the third fixed query amount is record 2, and its weighted information in block i is computed from the probability with which the query type of record 2 occurs in block i. (The original denotes these two probabilities and two weighted-information values by symbols that appear only as images and are not reproduced here.)
The entropy H_2 of block i is then computed from the entropy H_1 of block i-1, T_f, T_l and the two weighted-information values computed in block i. (The update formula is given only as an image in the original and is not reproduced here.)
When i = 2, i.e. when the block preceding the current block is the first block produced by the division, the probability with which each element of the preset query attribute occurs in the first block is computed directly, and the entropy H_1 of the first block is computed from those probabilities.
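The overlapping-window computation described above can be made concrete as follows. This is an added example, not code from the patent, and the patent's own update formula is not on this page: the block below implements the standard exact update for a window that drops one record and admits one, in which only the -p log_2 p terms of the two affected query types (the T-terms of the text) are replaced, and it checks the result against recomputing every window from scratch. Note that the text's example pairs block i with records 1 and 12, whereas going from block i-1 (records 1 to 10) to block i (records 2 to 11) only the type of record 1, which leaves, and of record 11, which enters, change probability; the code follows that exact update. The sample query types are constructed.

```python
"""Entropy of overlapping DNS query blocks, updated incrementally (added example)."""
from collections import Counter
from math import log2


def block_entropy(counts, size):
    """Formula (2) over the query-type counts of one block: -sum p*log2(p) in bits."""
    return -sum(c / size * log2(c / size) for c in counts.values() if c)


def weighted_information(count, size):
    """-p*log2(p) of one query type (the T-terms of the text); 0 if the type is absent."""
    if count <= 0:
        return 0.0
    p = count / size
    return -p * log2(p)


def sliding_entropies(attribute_values, size):
    """Entropy of every window of `size` consecutive records, each window shifted
    by one record from the previous one (records 1..10, 2..11, 3..12, ...).

    The first window is computed directly from its probabilities (the i = 2 case of
    the text).  Each later window is derived from its predecessor: only the type of
    the record that leaves and the type of the record that enters change
    probability, so only those two -p*log2(p) terms are subtracted and re-added."""
    if len(attribute_values) < size:
        return []
    counts = Counter(attribute_values[:size])
    h = block_entropy(counts, size)
    entropies = [h]
    for new_idx in range(size, len(attribute_values)):
        old, new = attribute_values[new_idx - size], attribute_values[new_idx]
        if old != new:  # same type leaving and entering leaves the distribution unchanged
            h -= weighted_information(counts[old], size)
            h -= weighted_information(counts[new], size)
            counts[old] -= 1
            counts[new] += 1
            h += weighted_information(counts[old], size)
            h += weighted_information(counts[new], size)
        entropies.append(h)
    return entropies


def direct_entropies(attribute_values, size):
    """Reference: recompute every window from scratch, O(n * size)."""
    return [block_entropy(Counter(attribute_values[i:i + size]), size)
            for i in range(len(attribute_values) - size + 1)]


# Constructed sample: the query types of 12 records, numbered 1..12 as in the text,
# so the three windows of size 10 are records 1-10, 2-11 and 3-12.
SAMPLE_QTYPES = ["A", "A", "AAAA", "MX", "A", "PTR", "A", "NS", "A", "A", "SOA", "A"]

if __name__ == "__main__":
    fast = sliding_entropies(SAMPLE_QTYPES, 10)
    slow = direct_entropies(SAMPLE_QTYPES, 10)
    for k, (f, s) in enumerate(zip(fast, slow), start=1):
        print(f"window starting at record {k}: {f:.4f} bits (direct recomputation {s:.4f})")
```

With the sample, window 1 (six A records and one each of AAAA, MX, PTR, NS) has an entropy of about 1.771 bits; replacing record 1 (A) by record 11 (SOA) raises it to about 2.161 bits, and replacing record 2 (A) by record 12 (A) leaves it unchanged. The incremental form costs O(1) per window instead of O(size), which is what makes densely overlapping windows affordable on a busy authoritative server.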
For example, if the preset query attribute is the query type, the elements of the attribute are the individual query types, such as A, AAAA, PTR, MX, NS and SOA listed above, and each query record belongs to exactly one query type. The probability with which each query type occurs in the block is computed, and the entropy of the block is then computed from these probabilities by formula (3):
$$H_k = \sum_{j=1}^{n} p_j I_j = -\sum_{j=1}^{n} p_j \log_2 p_j \qquad (3)$$
In formula (3), H_k is the entropy of data block k; j indexes the distinct query types that occur in the block and n is their number (each type is counted once, not once per record, so that (3) is formula (2) applied to one block); p_j is the probability with which query type j occurs in the block, i.e. the number of records of that type divided by the number of records in the block.
When the preset query attribute is the query source IP, the elements of the attribute are the source IP addresses of the query records. Since each record in a block comes from exactly one IP address, the probability with which each source IP occurs in the block can be computed, and the entropy of the block is computed from those probabilities.
It should be noted that the preset query attribute may also comprise two or more attributes at once. For example, when it comprises both the query type and the query source IP, the entropy of each block is computed separately for each attribute, the two entropies are weighted and summed, and the weighted sum is taken as the final entropy of the block.
Step 103: judging whether a preset number of the obtained entropies exceed a preset threshold; if so, determining that a DNS anomaly has occurred.
If the preset number is set to 5, then a DNS anomaly is determined when 5 of the entropies obtained in step 102 all exceed the preset threshold. The preset number may also be set to 1, 2 or another number. The preset number affects the precision of the result: the larger it is, the higher the detection precision but the higher the miss rate; the smaller it is, the lower the precision but the lower the miss rate. The preset number should be chosen according to the actual network conditions and experience.
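Steps 101 to 103 together, as an added example that is not code from the patent: it parses a constructed query log, classifies each query's error type along the lines the text lists (the TLD list and the RFC 1918 private ranges are assumptions), cuts blocks by fixed count (a fixed-time variant is included), computes the weighted per-attribute entropy of each block, and raises the anomaly when a preset number of blocks exceed the threshold. The sample traffic is constructed: 40 ordinary queries followed by a 40-query flood of distinct random-looking subdomains from distinct sources. Two practitioner caveats are visible in it: the same flood that raises the entropy of the queried name and of the source IP drives the entropy of the query type down to zero, so a one-sided "greater than threshold" rule on the wrong attribute misses it, and a threshold like the 3.0 bits used here has to be derived from a site's own baseline rather than copied.

```python
"""Entropy-based DNS anomaly detection over blocks of query records (added example;
the log format, error classes and sample data are constructed for illustration)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta
from math import log2

KNOWN_QTYPES = {"A", "AAAA", "PTR", "MX", "NS", "SOA"}
KNOWN_TLDS = {"cn", "com", "net", "org"}  # assumption: the operator's own TLD list
PRIVATE_NETS = [ipaddress.ip_network(n) for n in  # assumption: RFC 1918 + loopback
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

def classify_error(src, qname, qtype):
    """Error-type attribute of one query, following the text's list: private source
    address, unknown query type, unknown TLD, illegal characters in the name,
    otherwise 'normal' so that every record lands in exactly one class."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in PRIVATE_NETS):
        return "private_src"
    if qtype not in KNOWN_QTYPES:
        return "bad_qtype"
    labels = qname.lower().rstrip(".").split(".")
    if labels[-1] not in KNOWN_TLDS:
        return "bad_tld"
    if not all(LABEL_RE.match(label) for label in labels):
        return "bad_chars"
    return "normal"

def parse_line(line):
    """Constructed log format: '<iso-time> <source-ip> <qname> <qtype>'."""
    ts, src, qname, qtype = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "qname": qname.lower(),
            "qtype": qtype, "err": classify_error(src, qname, qtype)}

def split_by_count(queries, n):
    """Step 101 by fixed count: non-overlapping blocks of n records (partial tail dropped)."""
    return [queries[i:i + n] for i in range(0, len(queries) - n + 1, n)]

def split_by_time(queries, seconds):
    """Step 101 by fixed time: blocks of `seconds` counted from the first record."""
    blocks, start = [], queries[0]["ts"]
    for q in queries:
        idx = int((q["ts"] - start).total_seconds() // seconds)
        while len(blocks) <= idx:
            blocks.append([])
        blocks[idx].append(q)
    return [b for b in blocks if b]

def entropy(values):
    """Formula (2): Shannon entropy in bits of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def block_entropy(block, weights):
    """Step 102: weighted sum of per-attribute entropies, e.g. {'qname': 0.5, 'src': 0.5}."""
    return sum(w * entropy([q[attr] for q in block]) for attr, w in weights.items())

def is_anomalous(entropies, threshold, preset_number):
    """Step 103: anomaly when at least preset_number block entropies exceed threshold."""
    return sum(h > threshold for h in entropies) >= preset_number

# Constructed sample: 40 ordinary queries cycling over a few names, sources and types,
# then a 40-query flood of distinct random-looking subdomains from 40 distinct sources.
# Addresses come from documentation ranges; every value is made up.
NAMES = ["www.example.cn", "mail.example.cn", "ns1.example.cn",
         "cdn.example.com", "shop.example.net", "img.example.org"]
SRCS = ["203.0.113.10", "203.0.113.11", "198.51.100.7", "198.51.100.8"]
QTYPES = ["A", "AAAA", "MX", "NS", "PTR"]
T0 = datetime(2009, 5, 19, 15, 50)

def sample_lines():
    lines = []
    for i in range(40):
        ts = T0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} {SRCS[i % 4]} {NAMES[i % 6]} {QTYPES[i % 5]}")
    for i in range(40):
        ts = T0 + timedelta(seconds=40 + i)
        lines.append(f"{ts.isoformat()} 192.0.2.{i + 1} {i:06x}.example.cn A")
    return lines

def run(block_size=20, weights=None, threshold=3.0, preset_number=2):
    """Steps 101-103 over the sample; returns (block entropies, anomaly flag)."""
    weights = weights or {"qname": 0.5, "src": 0.5}
    queries = [parse_line(line) for line in sample_lines()]
    entropies = [block_entropy(b, weights) for b in split_by_count(queries, block_size)]
    return entropies, is_anomalous(entropies, threshold, preset_number)

if __name__ == "__main__":
    ents, alarm = run()
    for k, h in enumerate(ents):
        print(f"block {k}: weighted entropy {h:.3f} bits")
    print("DNS anomaly detected" if alarm else "no anomaly")
```

With the default weights the two ordinary blocks score about 2.29 bits and the two flood blocks about 4.32 bits, so a threshold of 3.0 with a preset number of 2 fires; with a preset number of 3 it does not, and with `weights={"qtype": 1.0}` the flood blocks score 0 bits and the rule never fires, which is the attribute-choice caveat from the lead-in.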
In this embodiment the DNS query data may be historical or real-time. With historical data, the method can be used to analyse DNS usage, and the results can be used to optimise DNS. The embodiment is more often applied to real-time detection, i.e. the DNS query data are live, so as to find DNS anomalies in time and avoid heavy losses.
To illustrate the effect of the invention better, the large-area Internet outage in China on May 19, 2009 is taken as an example. The cause of the outage was an attack on the DNS system. Query records from China (CN) collected between 9:00 and 24:00 on May 19, 2009 at the authoritative DNS server of one top-level node were analysed: the records were divided into data blocks of 10000 query records each, the entropy of each block was computed, and the resulting entropies were plotted as a curve. Fig. 3 is the entropy curve for a block size of 10000, and Fig. 4 is the DNS query-rate curve, the query rate being the number of queries per minute. Fig. 3 shows the entropy curve fluctuating sharply from around 16:00, i.e. a plurality of entropies exceed the preset threshold, which shows that a large amount of abnormal DNS traffic had begun to enter the network at that time, i.e. a DNS anomaly had occurred. In the query-rate curve of Fig. 4, the query volume only becomes clearly abnormal around 18:30, by which time the large-area outage had already begun. The prior-art detection based on query volume therefore clearly lags and has a high miss rate, whereas the method for detecting DNS anomalies provided by the invention detected the anomaly in time and in advance, providing an early warning.
The invention divides the DNS query data stream into a plurality of data blocks, computes the entropies of the blocks according to a preset query attribute to obtain a corresponding plurality of entropies, and determines that a DNS anomaly has occurred when a preset number of these entropies exceed a preset threshold. Entropy measures the randomness of the distribution of a query attribute over the DNS query data; when a DNS anomaly occurs, for example when DNS is attacked, that distribution changes and the entropy changes with it, so the anomaly can be recognised from the change in entropy. The prior-art volume-based detection, by contrast, cannot detect an anomaly while its symptoms are still mild, because the DNS query volume does not yet change clearly; only when the anomaly is already severe, for example when a large-area network paralysis leaves many users unable to use the network, does the volume anomaly become detectable and the DNS anomaly with it, so that method clearly lags. The invention can detect a DNS anomaly before serious conditions such as a large-area network failure arise; it thus provides early warning, lets users prepare before the anomaly becomes serious, avoids the losses a serious DNS anomaly would cause, lowers the miss rate and improves user experience. Moreover, since DNS is an extremely complex system, the prior-art method that decides from changes in the values of query attributes ignores the complex changes of the internal state of DNS and therefore has low detection precision, whereas in the further embodiment of the invention in which adjacent data blocks overlap, the sequence of entropies also reflects the change of the internal state of DNS, which greatly improves detection precision.
Embodiment 2
Fig. 5 is a schematic diagram of an embodiment of the apparatus for detecting DNS anomalies according to the invention. As shown in Fig. 5, the apparatus comprises a dividing module 201, a computing module 202 and a judging module 203.
The dividing module 201 divides the DNS query data stream into a plurality of data blocks.
Specifically, the dividing module 201 divides the DNS query data stream into data blocks by fixed time and/or by fixed query count.
The computing module 202 computes the entropies of the data blocks produced by the dividing module 201 according to the preset query attribute, obtaining a corresponding plurality of entropies.
The computing module 202 comprises a first computing unit and a second computing unit:
the first computing unit computes the probability with which each element of the preset query attribute occurs in each data block;
the second computing unit computes, from the probabilities obtained by the first computing unit, the entropies of the data blocks produced by the dividing module 201, obtaining the corresponding plurality of entropies.
When the data blocks produced by the dividing module 201 overlap, the computing module 202 comprises:
a third computing unit for computing the entropy H_1 of the data block immediately preceding the current block;
a fourth computing unit for computing the entropy H_2 of the current block from the entropy H_1 computed by the third computing unit.
The third computing unit comprises:
a first computing sub-unit which, when the block preceding the current block is the first block produced by the division, computes the probability with which each element of the preset query attribute occurs in the first block;
a second computing sub-unit which computes the entropy H_1 of the first block from those probabilities.
The judging module 203 judges whether a preset number of the entropies obtained by the computing module 202 exceed the preset threshold and, if so, outputs information indicating that a DNS anomaly has occurred.
It should be noted that, since this first apparatus embodiment corresponds substantially to the first method embodiment, the relevant parts may be understood by reference to the description of the method embodiment.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes any medium capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the resulting technical solution outside the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (8)

1. A method for detecting a domain name system anomaly, characterized in that the method comprises:
dividing a domain name system query data stream into a plurality of data blocks;
calculating the entropy of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropies; wherein, when the plurality of data blocks overlap one another, calculating the entropy of the plurality of data blocks according to the preset query attribute comprises: calculating the entropy of the previous data block adjacent to the current data block; and calculating the entropy of the current data block according to the entropy of the previous data block adjacent to the current data block;
judging whether a preset number of the obtained plurality of entropies exceed a preset threshold, and if so, determining that a domain name system anomaly has occurred.
2. The method for detecting a domain name system anomaly according to claim 1, characterized in that dividing the domain name system query data stream into a plurality of data blocks comprises:
dividing the domain name system query data stream into a plurality of data blocks according to a fixed time and/or a given query count.
3. The method for detecting a domain name system anomaly according to claim 1, characterized in that, when the previous data block adjacent to the current data block is the first data block obtained by the division, the probability of occurrence of each element of the preset query attribute in the first data block is calculated;
and the entropy of the first data block is calculated according to the probability.
4. The method for detecting a domain name system anomaly according to claim 1, characterized in that the preset query attribute comprises: query type, error type, query source IP address and/or queried domain name.
5. The method for detecting a domain name system anomaly according to claim 4, characterized in that, when the preset query attribute comprises at least two query attributes, the entropy is the result of a weighted sum of at least two entropies obtained respectively according to the at least two query attributes.
6. A device for detecting a domain name system anomaly, characterized in that the device comprises:
a division module, configured to divide a domain name system query data stream into a plurality of data blocks;
a calculation module, configured to calculate the entropy of the plurality of data blocks according to a preset query attribute, to obtain a corresponding plurality of entropies; wherein, when the plurality of data blocks overlap one another, the calculation module comprises: a third calculation unit, configured to calculate the entropy of the previous data block adjacent to the current data block; and a fourth calculation unit, configured to calculate the entropy of the current data block according to the entropy, calculated by the third calculation unit, of the previous data block adjacent to the current data block;
a judgment module, configured to judge whether a preset number of the obtained plurality of entropies exceed a preset threshold, and if so, to output information indicating that a domain name system anomaly has occurred.
7. The device for detecting a domain name system anomaly according to claim 6, characterized in that the division module is specifically configured to divide the domain name system query data stream into a plurality of data blocks according to a fixed time and/or a given query count.
8. The device for detecting a domain name system anomaly according to claim 6, characterized in that the third calculation unit comprises:
a first calculation sub-unit, configured to, when the previous data block adjacent to the current data block is the first data block obtained by the division, calculate the probability of occurrence of each element of the preset query attribute in the first data block;
a second calculation sub-unit, configured to calculate the entropy of the first data block according to the probability.
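As an added illustration of claims 1 to 5 (example code written for this page, not the patent's own implementation): the query stream is divided into fixed-count blocks that overlap, each block's entropy for the attributes query type, source IP and queried name is updated from the previous block's counts rather than recomputed from scratch, the per-attribute entropies are combined by a weighted sum, and an anomaly is declared once a preset number of block entropies exceed a threshold. The block size, step, weights, threshold, preset count and the sample traffic are all assumed values.

```python
import math
from collections import Counter

def block_entropy(values):
    """Shannon entropy (bits) of one query attribute over one data block."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

class SlidingEntropy:
    """Entropy of the current block derived from the previous, overlapping block: keep
    S = sum(c*log2 c) over counts c, so H = log2(N) - S/N needs only the changed queries."""
    def __init__(self):
        self.counts, self.n, self.s = Counter(), 0, 0.0
    def _adjust(self, value, delta):
        c = self.counts[value]                      # count before the change (0 if new)
        self.s -= c * math.log2(c) if c else 0.0    # retire the old c*log2(c) term
        c += delta
        self.s += c * math.log2(c) if c else 0.0    # add the new one
        self.counts[value], self.n = c, self.n + delta
    def slide(self, leaving, arriving):
        for v in leaving: self._adjust(v, -1)
        for v in arriving: self._adjust(v, +1)
    def entropy(self):
        return math.log2(self.n) - self.s / self.n if self.n else 0.0

def detect(queries, block_size, step, weights, threshold, min_count):
    """Overlapping blocks of block_size queries (step < block_size), each scored by the weighted
    sum of per-attribute entropies; anomaly once at least min_count scores exceed threshold."""
    trackers = {attr: SlidingEntropy() for attr in weights}
    scores = []
    for start in range(0, len(queries) - block_size + 1, step):
        leaving = queries[start - step:start] if start else []
        arriving = queries[start + block_size - step:start + block_size] if start else queries[:block_size]
        for attr, tr in trackers.items():
            tr.slide([q[attr] for q in leaving], [q[attr] for q in arriving])
        scores.append(sum(w * trackers[a].entropy() for a, w in weights.items()))
    return scores, sum(s > threshold for s in scores) >= min_count

def constructed_stream():
    """Constructed sample, not real traffic: 60 ordinary queries from three clients, then
    60 queries spread over many source IPs and distinct names (what the entropy catches)."""
    normal = [{"qtype": "AAAA" if i % 4 == 0 else "A", "src": f"10.0.0.{i % 3}",
               "qname": ["www", "mail", "cdn"][i % 3] + ".example.com"} for i in range(60)]
    burst = [{"qtype": "A", "src": f"198.51.100.{i}", "qname": f"h{i:04d}.example.com"}
             for i in range(60)]
    return normal + burst

if __name__ == "__main__":
    scores, alarm = detect(constructed_stream(), 30, 10, {"qtype": 0.2, "src": 0.4, "qname": 0.4}, 3.0, 2)
    print([round(s, 2) for s in scores], "anomaly" if alarm else "normal")
```

Blocks that still lie entirely in the ordinary traffic score well below the threshold, while blocks drawn from the spread-out burst score close to 0.8 * log2(30); the incremental scores match a full recount of each block.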
CN201010198228.8A 2010-06-04 2010-06-04 Method and device for detecting anomaly of domain name system Active CN101854404B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010198228.8A CN101854404B (en) 2010-06-04 2010-06-04 Method and device for detecting anomaly of domain name system
PCT/CN2010/074577 WO2011150579A1 (en) 2010-06-04 2010-06-28 Method and device for detecting domain name system (dns) anomaly

Publications (2)

Publication Number Publication Date
CN101854404A CN101854404A (en) 2010-10-06
CN101854404B true CN101854404B (en) 2013-08-07

Family

ID=42805666

Country Status (2)

Country Link
CN (1) CN101854404B (en)
WO (1) WO2011150579A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10069691B2 (en) 2013-11-26 2018-09-04 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for anomaly detection in a network
CN104268289B (en) * 2014-10-21 2017-12-12 中国建设银行股份有限公司 The abatement detecting method and device of link URL
CN105471639B (en) * 2015-11-23 2018-07-27 清华大学 Network flow entropy evaluation method based on median and device
CN106533829B (en) * 2016-11-04 2019-04-30 东南大学 A kind of DNS method for recognizing flux based on bit entropy
CN106803824A (en) * 2016-12-19 2017-06-06 互联网域名***北京市工程研究中心有限公司 A kind of means of defence attacked for random domain name inquiry
CN107707375B (en) * 2017-05-26 2018-07-20 贵州白山云科技有限公司 A kind of method and apparatus of positioning parsing failure
SG10202002125QA (en) * 2020-03-09 2020-07-29 Flexxon Pte Ltd System and method for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats
CN111818037A (en) * 2020-07-02 2020-10-23 上海工业控制安全创新科技有限公司 Vehicle-mounted network flow abnormity detection defense method and system based on information entropy
CN113676379B (en) * 2021-09-01 2022-08-09 上海观安信息技术股份有限公司 DNS tunnel detection method, device and system and computer storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101051952A (en) * 2007-04-18 2007-10-10 东南大学 Self adaption sampling stream measuring method under high speed multilink logic channel environment
CN101572701A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Security gateway system for resisting DDoS attack for DNS service

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102609640B (en) * 2004-10-25 2015-07-15 安全第一公司 Secure data parser method and system
CN101378394B (en) * 2008-09-26 2012-01-18 成都市华为赛门铁克科技有限公司 Detection defense method for distributed reject service and network appliance
CN101645884B (en) * 2009-08-26 2012-09-05 西安理工大学 Multi-measure network abnormity detection method based on relative entropy theory

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Yao. 域名***安全性研究 [Research on domain name *** security]. 2008, *

Also Published As

Publication number Publication date
WO2011150579A1 (en) 2011-12-08
CN101854404A (en) 2010-10-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Mao Wei
Inventor after: Li Xiaodong
Inventor after: Ding Senlin
Inventor after: Wang Xin
Inventor after: Wu Jun
Inventor after: Jin Jian
Inventor before: Mao Wei
Inventor before: Li Xiaodong
Inventor before: Ding Senlin
Inventor before: Wang Xin
Inventor before: Wu Jun
Inventor before: Jin Jian
Inventor before: Lu Wenzhe
COR Change of bibliographic data
Free format text: CORRECT: INVENTOR; FROM: MAO WEI LI XIAODONG DING SENLIN WANG XIN WU JUN JIN JIAN LU WENZHE TO: MAO WEI LI XIAODONG DING SENLIN WANG XIN WU JUN JIN JIAN

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210207
Address after: 100190 room 506, building 2, courtyard 4, South 4th Street, Zhongguancun, Haidian District, Beijing
Patentee after: CHINA INTERNET NETWORK INFORMATION CENTER
Address before: 100190 No. four, four South Street, Haidian District, Beijing, Zhongguancun
Patentee before: Computer Network Information Center, Chinese Academy of Sciences