CN106533829A - Bit entropy-based domain name system (DNS) flow identification method - Google Patents
Publication number: CN106533829A (application CN201610970282.7A)
Authority: CN (China)
Prior art keywords: bit, byte, log, dns, statistics
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L43/00—Arrangements for monitoring or testing data switching networks > H04L43/18—Protocol analysers
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00—Network arrangements, protocols or services for addressing or naming > H04L61/45—Network directories; Name-to-address mapping > H04L61/4505—using standardised directories; using standardised directory access protocols > H04L61/4511—using domain name system [DNS]
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] > H04L69/164—Adaptation or special uses of UDP protocol
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a bit-entropy-based DNS traffic identification method. It rests on the observation that all DNS messages share the DNS message structure, so their per-position bit entropies lie close together, whereas non-DNS messages carried on port 53 do not have the DNS structure, so their bit entropies lie farther away. Before measurement, a number of DNS messages are captured as samples and the bit entropies of their payload bytes are computed. The same bit entropies are then computed for each monitored message whose port number is 53, and the distance between that message's bit entropies and the sample bit entropies is compared with a set threshold: if the distance exceeds the threshold, the port-53 message is classed as non-DNS, otherwise as DNS. Compared with conventional methods, the method is fast, uses very little system memory, and reduces the time spent processing the network traffic.
Description
Technical field
The present invention relates to the field of network traffic analysis, and in particular to a method for identifying DNS traffic.
Background technology
Internet communication uses IP addresses. Because numeric IP addresses are hard for users to remember, easily remembered domain names are used instead, and DNS (Domain Name System) is the Internet technique that turns a domain name into an IP address. Each DNS server stores a large, dynamically updated mapping between host names and IP addresses, and client programs query the DNS server over the DNS protocol for the IP address of a destination host. The query process is that the client sends a UDP/TCP message to port 53 of the DNS server; the server processes it and returns the result, again as a UDP/TCP message. The DNS protocol is specified in IETF documents such as RFC2191, RFC2136 and RFC2308. A LAN firewall therefore has to leave UDP port 53 open so that hosts can resolve names.

Network attackers exploit this to carry out covert communication: they send their data over UDP port 53 so that it evades the firewall's interception and traverses the firewall, which has become one of the main forms of network attack today. In that case the traffic on port 53 is not DNS traffic but traffic of another type. A host inside the LAN and a host outside it set the port of their UDP messages to 53 and thereby communicate straight through the firewall, transferring data illegitimately. Rapid identification of port-53 traffic is therefore an important part of ensuring network security and network performance.
There are two existing approaches to detecting DNS traffic. The first is protocol content matching: each arriving port-53 message is matched against the DNS protocol message format; if it matches and parses normally it is DNS traffic, otherwise it is not. The second extracts features of the DNS traffic such as message length, message count, byte count and inter-message interval, and classifies them with a machine-learning method such as C4.5.
The prior art has the following difficulties. The first method parses every message against the protocol, so it is very inefficient and severely degrades the firewall's filtering performance; moreover, a message in which a single bit or field has changed can no longer be parsed normally, so such traffic is also treated as anomalous traversal traffic. The second method must collect a large volume of traffic data in advance and perform matching and analysis on high-dimensional traffic-type features; its traffic statistics change from one network environment to another, and the classification algorithm places higher demands on firewall resources.
The idea of the invention is that, because DNS traffic has a pronounced format, the per-position bit entropies of the bytes of DNS traffic are tightly distributed. The invention therefore counts every byte of the port-53 traffic, computes the entropy distribution of each bit position within the byte, and then computes the byte bit-entropy distance; if that distance exceeds a defined threshold, the port-53 traffic is treated as traversal traffic, otherwise it is treated as normal DNS traffic. Compared with existing similar methods, this method makes full use of the stable format characteristics of DNS, the algorithm performs well, and it can be deployed to filter and detect port-53 traffic on firewalls and switches with limited resources.
Summary of the invention
The method of the present invention computes the bit-entropy distance of the port-53 traffic of the UDP protocol to distinguish normal DNS traffic from non-DNS traffic, thereby improving the efficiency of identifying port-53 traffic. The method is as follows:
Step 1: Set a DNS classification threshold H, the number m of DNS sample messages to collect, and the end time T for detecting messages whose source port or destination port is 53; go to step 2.

Step 2: Collect from the network traffic the messages whose source port or destination port is 53, and capture m DNS messages among them using a DNS protocol identification method; go to step 3.

Step 3: Count the number k of payload bytes in the m captured DNS messages. Each byte has 8 bits; compute the entropy of each of the 8 bit positions. Accumulating over the k bytes, let b_i be the number of bytes whose i-th bit has the value 1 (i = 1, ..., 8); the entropy of the i-th bit position is

e_i = -(b_i/k)·log2(b_i/k) - (1 - b_i/k)·log2(1 - b_i/k), i = 1, ..., 8,

where log2 is the base-2 logarithm (a term with b_i = 0 or b_i = k is taken as 0·log2 0 = 0, so a bit position that is constant over the sample has entropy 0); go to step 4.

Step 4: Collect one pending message whose source port or destination port is 53; go to step 5.

Step 5: Count the number h of payload bytes in the collected port-53 message. Accumulating over the h bytes, let p_i be the number of bytes whose i-th bit has the value 1; the entropy of the i-th bit position is

f_i = -(p_i/h)·log2(p_i/h) - (1 - p_i/h)·log2(1 - p_i/h), i = 1, ..., 8;

go to step 6.

Step 6: Compute the bit-entropy distance a between the port-53 message under test and the DNS messages:

aa = (e1 - f1)^2 + (e2 - f2)^2 + (e3 - f3)^2 + (e4 - f4)^2 + (e5 - f5)^2 + (e6 - f6)^2 + (e7 - f7)^2 + (e8 - f8)^2,
a = sqrt(aa/8),

where aa is an intermediate value; go to step 7.

Step 7: Compare the bit-entropy distance a with the DNS classification threshold H. If a is less than H, the port-53 message under test is a DNS message; otherwise it is not a DNS message; go to step 8.

Step 8: If the measurement time is less than the end time T, return to step 4; otherwise the method ends here.
Compared with the prior art, the present invention first collects some DNS messages as samples before measurement and computes the bit entropies of the sample bytes; it then computes the byte bit entropies of each detected port-53 message and uses the distance between them and the DNS bit entropies to decide whether the detected port-53 message is a DNS message. The principle is that DNS messages all have the DNS format structure, so their byte bit entropies are also close, whereas non-DNS messages on port 53 do not use the DNS message structure, so the bit-entropy distance between non-DNS messages and DNS messages is large. Because the invention only performs a simple computation of the bit entropy of port-53 messages, it is fast and uses very little firewall system memory, which saves firewall processing time and improves the efficiency of the detection process. Furthermore, existing machine-learning methods use measures such as message time intervals and mean message size and therefore need a group of port-53 messages before they can detect anything, whereas this method can test each port-53 message individually, giving real-time detection.
Description of the drawings
Fig. 1 is the flow chart of the present invention;
Fig. 2 is embodiment one of the present invention;
Fig. 3 is embodiment two of the present invention.
Specific embodiments
The technical solution of the invention is described in further detail below with reference to the drawings and specific embodiments, so that those skilled in the art can better understand and practise the invention; the illustrated embodiments do not limit the invention.
Fig. 2 shows embodiment one, which comprises the following steps:

Step 201: Set a DNS classification threshold H, the number m of DNS sample messages to collect, and the end time T for detecting messages whose source port or destination port is 53; go to step 202.

Step 202: Collect from the network traffic the messages whose source port or destination port is 53, and capture m DNS messages among them using a DNS protocol identification method. The DNS protocol is specified in IETF documents such as RFC2191, RFC2136 and RFC2308. The content of the messages produced in DNS protocol interactions is analysed; the DNS protocol has pattern features that differ from other protocols, and the protocol to which traffic belongs is determined from these features. Protocol identification based on the DNS payload content represents protocol features mainly in two ways, as fixed strings or as regular expressions. For example, the DNS protocol defines that every DNS message has a 12-byte header consisting of a 2-byte identifier, 2 bytes of flags, a 2-byte question count, a 2-byte answer resource record count, a 2-byte authority resource record count and a 2-byte additional resource record count. According to the protocol definition, the content of each port-53 message is matched against the content the DNS protocol defines; if it conforms to the format the protocol prescribes, the port-53 message is recognised as a DNS message. All collected port-53 traffic is identified in this way and m DNS messages are captured; go to step 203.

Step 203: Count the number k of payload bytes in the m captured DNS messages. Each byte has 8 bits; compute the entropy of each of the 8 bit positions. Accumulating over the k bytes, let b_i be the number of bytes whose i-th bit has the value 1 (i = 1, ..., 8); the entropy of the i-th bit position is

e_i = -(b_i/k)·log2(b_i/k) - (1 - b_i/k)·log2(1 - b_i/k), i = 1, ..., 8,

where log2 is the base-2 logarithm; go to step 204.

Step 204: Collect one pending message whose source port or destination port is 53; go to step 205.

Step 205: Count the number h of payload bytes in the collected port-53 message. Accumulating over the h bytes, let p_i be the number of bytes whose i-th bit has the value 1; the entropy of the i-th bit position is

f_i = -(p_i/h)·log2(p_i/h) - (1 - p_i/h)·log2(1 - p_i/h), i = 1, ..., 8;

go to step 206.

Step 206: Compute the bit-entropy distance a between the port-53 message under test and the DNS messages:

aa = (e1 - f1)^2 + (e2 - f2)^2 + (e3 - f3)^2 + (e4 - f4)^2 + (e5 - f5)^2 + (e6 - f6)^2 + (e7 - f7)^2 + (e8 - f8)^2,
a = sqrt(aa/8),

where aa is an intermediate value; go to step 207.

Step 207: Compare the bit-entropy distance a with the DNS classification threshold H. If a is less than H, the port-53 message under test is a DNS message; otherwise it is not a DNS message; go to step 208.

Step 208: If the measurement time is less than the end time T, return to step 204; otherwise the method ends here.
Fig. 3 shows embodiment two, which comprises the following steps:

Step 301: Set a DNS classification threshold H, whose range is 0 to 1; in this example H = 0.1. Set the number of DNS sample messages to collect to 1, and the end time T for detecting messages whose source port or destination port is 53 to 3 s; go to step 302.

Step 302: Collect from the network traffic the messages whose source port or destination port is 53, and capture 1 DNS message using a DNS protocol identification method; go to step 303.

Step 303: The captured DNS message has k = 186 payload bytes, each of 8 bits; compute the entropy of each of the 8 bit positions. Accumulating over the 186 bytes, the count b_i of bytes whose i-th bit has the value 1 and the resulting entropy e_i = -(b_i/186)·log2(b_i/186) - (1 - b_i/186)·log2(1 - b_i/186) are:

Bit i | b_i (of 186) | e_i
---|---|---
1 | 27 | 0.597
2 | 61 | 0.913
3 | 67 | 0.943
4 | 34 | 0.686
5 | 47 | 0.816
6 | 43 | 0.780
7 | 56 | 0.883
8 | 68 | 0.947

where log2 is the base-2 logarithm; go to step 304.

Step 304: Collect one pending message whose source port or destination port is 53; go to step 305.

Step 305: The collected port-53 message has h = 110 payload bytes. Accumulating over the 110 bytes, the count p_i of bytes whose i-th bit has the value 1 and the resulting entropy f_i = -(p_i/110)·log2(p_i/110) - (1 - p_i/110)·log2(1 - p_i/110) are:

Bit i | p_i (of 110) | f_i
---|---|---
1 | 56 | 0.999
2 | 49 | 0.991
3 | 50 | 0.994
4 | 44 | 0.971
5 | 46 | 0.981
6 | 52 | 0.998
7 | 55 | 1
8 | 57 | 0.999

go to step 306.

Step 306: The bit-entropy distance a between the port-53 message under test and the DNS message is

aa = (0.597 - 0.999)^2 + (0.913 - 0.991)^2 + (0.943 - 0.994)^2 + (0.686 - 0.971)^2 + (0.816 - 0.981)^2 + (0.780 - 0.998)^2 + (0.883 - 1)^2 + (0.947 - 0.999)^2 = 0.343,
a = sqrt(aa/8) = sqrt(0.343/8) = 0.207,

where aa is an intermediate value; go to step 307.

Step 307: Compare the bit-entropy distance a = 0.207 with the DNS classification threshold H = 0.1. Since a is greater than H, the port-53 message under test is not a DNS message; go to step 308.

Step 308: The measurement time, now 2 s, is less than the end time of 3 s; go to step 309.

Step 309: Collect one pending message whose source port or destination port is 53; go to step 310.

Step 310: The collected port-53 message has h = 30 payload bytes. Accumulating over the 30 bytes, the count p_i of bytes whose i-th bit has the value 1 and the resulting entropy f_i = -(p_i/30)·log2(p_i/30) - (1 - p_i/30)·log2(1 - p_i/30) are:

Bit i | p_i (of 30) | f_i
---|---|---
1 | 3 | 0.469
2 | 9 | 0.881
3 | 12 | 0.971
4 | 4 | 0.567
5 | 6 | 0.722
6 | 5 | 0.650
7 | 9 | 0.881
8 | 12 | 0.971

go to step 311.

Step 311: The bit-entropy distance a between the detected port-53 message and the DNS message is

aa = (0.597 - 0.469)^2 + (0.913 - 0.881)^2 + (0.943 - 0.971)^2 + (0.686 - 0.567)^2 + (0.816 - 0.722)^2 + (0.780 - 0.650)^2 + (0.883 - 0.881)^2 + (0.947 - 0.971)^2 = 0.059,
a = sqrt(aa/8) = sqrt(0.059/8) = 0.086,

where aa is an intermediate value; go to step 312.

Step 312: Compare the bit-entropy distance a = 0.086 with the DNS classification threshold H = 0.1. Since 0.086 is less than 0.1, the port-53 message under test is a DNS message; go to step 313.

Step 313: The measurement time is now 4 s, which exceeds the end time of 3 s; the method ends.
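Steps 1 to 8 of the method, with the threshold H = 0.1 and the 3 s window of embodiment two, as an added Python example that is not part of the patent text. Everything in it is an assumption of the example: the bit order (bit 1 is taken as the most significant bit; the patent fixes no order, and any fixed order works as long as samples and probes share it), the sample and probe messages (constructed A queries built with `dns_query`, and a SHA-256 digest standing in for an encrypted tunnel payload), and `header_is_plausible_dns`, a header-only structural check that stands in for the protocol-matching step 2 where a real deployment would use a full DNS parser:

```python
from __future__ import annotations

import hashlib
import math
import struct

# ---- Step 2: structural check used to pick the m DNS sample messages ---------

def header_is_plausible_dns(payload: bytes) -> bool:
    """Cheap stand-in for the protocol-matching step 2 (assumption: a real
    deployment would use a full DNS parser). Only the fixed 12-byte header
    (ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) is read, and the section
    counts must fit in the payload: a question needs at least 5 bytes
    (1-byte root name + QTYPE + QCLASS), a resource record at least 11."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF   # 0 QUERY, 1 IQUERY, 2 STATUS, 4 NOTIFY, 5 UPDATE
    z_bit = (flags >> 6) & 1       # reserved bit, must be zero
    return (opcode in (0, 1, 2, 4, 5) and z_bit == 0
            and 12 + 5 * qd + 11 * (an + ns + ar) <= len(payload))

# ---- Steps 3 and 5: per-position bit entropy of a payload --------------------

def binary_entropy(ones: int, total: int) -> float:
    """H(p) with p = ones/total, using the convention 0*log2(0) = 0 so that a
    bit position that is constant over the payload gives 0, not a domain error."""
    if total <= 0:
        raise ValueError("entropy needs at least one byte of payload")
    p = ones / total
    h = 0.0
    for q in (p, 1.0 - p):
        if q > 0.0:
            h -= q * math.log2(q)
    return h

def bit_counts(payload: bytes) -> list[int]:
    """counts[i] = number of bytes whose i-th bit is 1, i = 0 (MSB) .. 7 (LSB).
    MSB-first order is this example's assumption; the patent fixes no order."""
    counts = [0] * 8
    for byte in payload:
        for i in range(8):
            if byte & (0x80 >> i):
                counts[i] += 1
    return counts

def bit_entropies(payload: bytes) -> list[float]:
    """The vector e1..e8 of step 3, or f1..f8 of step 5."""
    return [binary_entropy(c, len(payload)) for c in bit_counts(payload)]

# ---- Steps 6 to 8: distance, threshold decision, measurement window ----------

def entropy_distance(e: list[float], f: list[float]) -> float:
    """a = sqrt(sum_i (e_i - f_i)^2 / 8): root-mean-square gap over 8 positions."""
    return math.sqrt(sum((ei - fi) ** 2 for ei, fi in zip(e, f)) / 8)

def is_dns(profile: list[float], payload: bytes, threshold: float = 0.1) -> bool:
    """Step 7: a < H means DNS, otherwise not DNS (H = 0.1 as in embodiment two)."""
    return entropy_distance(profile, bit_entropies(payload)) < threshold

def classify_stream(profile, packets, end_time, threshold=0.1):
    """Steps 4 to 8 over (timestamp, payload) pairs of port-53 traffic; stops
    once the measurement end time T is reached. Returns [(timestamp, is_dns)]."""
    verdicts = []
    for ts, payload in packets:
        if ts >= end_time:         # step 8: window T has elapsed
            break
        verdicts.append((ts, is_dns(profile, payload, threshold)))
    return verdicts

# ---- Constructed traffic for the example (not captured from a network) -------

def dns_query(name: str, txid: int) -> bytes:
    """UDP payload of a standard A/IN query in RFC 1035 wire format: 12-byte
    header (RD set, QDCOUNT = 1), length-prefixed labels, QTYPE, QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

# Steps 1 to 3: m = 3 sample messages pass the structural check; one profile
# is built over the concatenation of their payload bytes (k = 95 here).
SAMPLE_DNS = [dns_query("example.com", 0x1234),
              dns_query("www.iana.org", 0x5e71),
              dns_query("mail.internal.corp", 0x0a0b)]
PROFILE = bit_entropies(b"".join(p for p in SAMPLE_DNS if header_is_plausible_dns(p)))

# Two port-53 probes: a genuine query, and 64 bytes of SHA-256 output standing
# in for an encrypted tunnel payload (bits near-uniform in every position).
PROBE_DNS = dns_query("ns1.example.net", 0x2b3c)
PROBE_TUNNEL = hashlib.sha256(b"constructed tunnel payload").digest() * 2

if __name__ == "__main__":
    print("profile e1..e8:", [round(e, 3) for e in PROFILE])
    for label, probe in (("dns query", PROBE_DNS), ("tunnel blob", PROBE_TUNNEL)):
        a = entropy_distance(PROFILE, bit_entropies(probe))
        print(f"{label:11s} a = {a:.3f} -> {'DNS' if a < 0.1 else 'not DNS'}")
    # timing of embodiment two: messages at 2 s are judged, T = 3 s ends the run
    print(classify_stream(PROFILE, [(2.0, PROBE_TUNNEL), (2.5, PROBE_DNS),
                                    (4.0, PROBE_DNS)], end_time=3.0))
```

Two practical points follow from running it. The distance between the query profile and the tunnel blob is driven almost entirely by the first bit position: every byte of an ASCII-label query has its high bit clear, so that position has entropy 0 in the profile and close to 1 in random data. DNS responses, however, carry compression pointers (bytes 0xC0 and above) and binary RDATA such as IPv4 addresses that do set the high bit, so a single profile over mixed source-port-53 and destination-port-53 traffic sits between the two populations and H = 0.1 becomes tight for short messages; build the profile per direction or from a large m, and calibrate H on held-out DNS before enforcing. Second, the method compares only per-position bit statistics of the payload, so it separates DNS-shaped from non-DNS-shaped port-53 payloads; it does not examine names or record contents and is not a judgement on whether the DNS traffic itself is benign.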
Claims (1)
1. A DNS traffic identification method based on bit entropy, characterised in that it comprises:

Step 1: Set a DNS classification threshold H, the number m of DNS sample messages to collect, and the end time T for detecting messages whose source port or destination port is 53; go to step 2.

Step 2: Collect from the network traffic the messages whose source port or destination port is 53, and capture m DNS messages among them using a DNS protocol identification method; go to step 3.

Step 3: Count the number k of payload bytes in the m captured DNS messages. Each byte has 8 bits; compute the entropy of each of the 8 bit positions. Accumulating over the k bytes, let b_i be the number of bytes whose i-th bit has the value 1 (i = 1, ..., 8); the entropy of the i-th bit position is

e_i = -(b_i/k)·log2(b_i/k) - (1 - b_i/k)·log2(1 - b_i/k), i = 1, ..., 8,

where log2 is the base-2 logarithm; go to step 4.

Step 4: Collect one pending message whose source port or destination port is 53; go to step 5.

Step 5: Count the number h of payload bytes in the collected port-53 message. Accumulating over the h bytes, let p_i be the number of bytes whose i-th bit has the value 1; the entropy of the i-th bit position is

f_i = -(p_i/h)·log2(p_i/h) - (1 - p_i/h)·log2(1 - p_i/h), i = 1, ..., 8;

go to step 6.

Step 6: Compute the bit-entropy distance a between the port-53 message under test and the DNS messages:

aa = (e1 - f1)^2 + (e2 - f2)^2 + (e3 - f3)^2 + (e4 - f4)^2 + (e5 - f5)^2 + (e6 - f6)^2 + (e7 - f7)^2 + (e8 - f8)^2,
a = sqrt(aa/8),

where aa is an intermediate value; go to step 7.

Step 7: Compare the bit-entropy distance a with the DNS classification threshold H. If a is less than H, the port-53 message under test is a DNS message; otherwise it is not a DNS message; go to step 8.

Step 8: If the measurement time is less than the end time T, return to step 4; otherwise the method ends here.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610970282.7A CN106533829B (en) | 2016-11-04 | 2016-11-04 | A kind of DNS method for recognizing flux based on bit entropy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106533829A true CN106533829A (en) | 2017-03-22 |
CN106533829B CN106533829B (en) | 2019-04-30 |
Family
ID=58327098
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610970282.7A Active CN106533829B (en) | 2016-11-04 | 2016-11-04 | A kind of DNS method for recognizing flux based on bit entropy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106533829B (en) |
-
2016
- 2016-11-04 CN CN201610970282.7A patent/CN106533829B/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101505219A (en) * | 2009-03-18 | 2009-08-12 | 杭州华三通信技术有限公司 | Method and protecting apparatus for defending denial of service attack |
CN102577303A (en) * | 2009-04-20 | 2012-07-11 | 思杰***有限公司 | Systems and methods for generating a dns query to improve resistance against a dns attack |
CN101547129A (en) * | 2009-05-05 | 2009-09-30 | 中国科学院计算技术研究所 | Method and system for detecting distributed denial of service attack |
CN101854404A (en) * | 2010-06-04 | 2010-10-06 | 中国科学院计算机网络信息中心 | Method and device for detecting anomaly of domain name system |
US9363282B1 (en) * | 2014-01-28 | 2016-06-07 | Infoblox Inc. | Platforms for implementing an analytics framework for DNS security |
US20160308833A1 (en) * | 2014-01-28 | 2016-10-20 | Infoblox Inc. | Platforms for implementing an analytics framework for dns security |
CN103905456A (en) * | 2014-04-08 | 2014-07-02 | 上海交通大学 | DNS inverse solution attack detecting system and method based on entropy model |
CN105897714A (en) * | 2016-04-11 | 2016-08-24 | 天津大学 | Botnet detection method based on DNS (Domain Name System) flow characteristics |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106533829B (en) | 2019-04-30 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |