CN109462612B - Method and device for determining attack domain name in botnet - Google Patents

Publication number
CN109462612B
Authority
CN
China
Prior art keywords
domain name
cluster set
domain
temporary
determining
Legal status
Active
Application number
CN201811609145.6A
Other languages
Chinese (zh)
Other versions
CN109462612A (en)
Inventor
梁莎
皮靖
李景
周旭康
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The application provides a method and a device for determining an attack domain name in a botnet. The method comprises: acquiring the domain names that N hosts respectively request to access through their respective Internet Protocol (IP) addresses, where N is a positive integer; clustering the domain names requested by the N hosts to obtain at least one cluster set, where one cluster set comprises a plurality of domain names and the association degree between the domain names in one cluster set meets a preset condition; and determining the attack domain name family corresponding to each cluster set, where one attack domain name family comprises a plurality of domain names with the same domain name characteristics. In this scheme, domain names whose association degree meets the preset condition are two changing domain names within one attack domain name family; such domain names are clustered together, and the attack domain name family corresponding to each cluster set is determined from the characteristics of the domain names in that cluster set, so that the attack domain names in the botnet can be determined more accurately and efficiently.

Description

Method and device for determining attack domain name in botnet
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for determining an attack domain name in a botnet.
Background
On the Internet, an attacker propagates bots by various means to infect a large number of hosts, and the infected hosts in the same botnet receive the attacker's instructions in the same way.
A controlled host usually initiates a large number of domain name requests to find a domain name that is actually available, and then communicates with the attacker's host to obtain attack instructions. Once the attack domain names are determined, the attacker's host can be further determined, and communication between the user's host and the attacker's host can then be blocked, protecting the user's host. How to determine these attack domain names effectively is a problem that currently needs to be solved.
Disclosure of Invention
The application provides a method and a device for determining an attack domain name in a botnet, which are used for accurately and efficiently determining the attack domain name in the botnet.
In a first aspect, the present application provides a method for determining an attack domain name in a botnet, including: acquiring the domain names that N hosts respectively request to access through their respective Internet Protocol (IP) addresses, where N is a positive integer; clustering the domain names requested by the N hosts to obtain at least one cluster set, where one cluster set comprises a plurality of domain names and the association degree between the domain names in one cluster set meets a preset condition; and determining the attack domain name family corresponding to each cluster set, where one attack domain name family comprises a plurality of domain names with the same domain name characteristics. In this scheme, domain names whose association degree meets the preset condition are two changing domain names within one attack domain name family; such domain names are clustered together, and the attack domain name family corresponding to each cluster set is determined from the characteristics of the domain names in that cluster set, so that the attack domain names in the botnet can be determined more accurately and efficiently.
In a possible implementation manner, determining the attack domain name family corresponding to each cluster set includes: for one cluster set, determining the domain name characteristics of the domain names in the cluster set; if those characteristics are the same as the domain name characteristics of a first attack domain name family in the attack domain name family set, determining that the attack domain name family corresponding to the cluster set is the first attack domain name family; and if those characteristics differ from the domain name characteristics of every attack domain name family in the attack domain name family set, determining the attack domain name family corresponding to the cluster set according to the domain name characteristics of the domain names in the cluster set. The attack domain name family set comprises at least one attack domain name family, and one attack domain name family corresponds to one domain name characteristic. In this scheme, the attack domain name family set is a set of known attack domain name families, and the domain names in each attack domain name family have the domain name characteristics of their own family. If the domain names in a cluster set have the same domain name characteristics as the domain names of a known attack domain name family, the domain names in the cluster set are determined to belong to that known family; otherwise, the domain names in the cluster set are marked as a new attack domain name family.
In a possible implementation manner, clustering the domain names requested by the N hosts to obtain at least one cluster set may be implemented by the following steps:
Step A1: Repeat the following steps B1 to B2 to obtain L temporary cluster sets, where the domain names in one temporary cluster set have the same domain name characteristics, i ranges over 1 to K, and K is the total number of domain names requested by the N hosts:
Step B1: For the ith domain name among the domain names requested by the N hosts, determine the jth domain name that has the largest association degree with the ith domain name;
Step B2: Divide the ith domain name into the cluster set where the jth domain name is located, where j is a positive integer not greater than K;
Step A2: If step A1 yields one temporary cluster set, determine that temporary cluster set to be the at least one cluster set obtained.
Step A3: If step A1 yields at least two temporary cluster sets, repeat the following steps C1 to C2 to obtain at least one cluster set, where the domain names in one cluster set belong to one attack domain name family and p ranges over 1 to L:
Step C1: For the pth temporary cluster set among the L temporary cluster sets, determine the qth temporary cluster set that has the highest association degree with the pth temporary cluster set;
Step C2: If the clustering condition is met between the pth temporary cluster set and the qth temporary cluster set, divide the pth temporary cluster set into the qth temporary cluster set, where q is a positive integer not greater than L.
With this clustering method, the domain names in each finally obtained cluster set have a higher association degree, that is, a higher probability of sharing the same domain name characteristics, so the domain name characteristics of the domain names in each cluster set can be determined more quickly and accurately.
In a possible implementation manner, the clustering condition is that the degree of aggregation $\Delta Q$ between the pth temporary cluster set and the qth temporary cluster set is greater than 0, where the degree of aggregation may be determined by:
determining the association degree $K_{pq}$ between the pth temporary cluster set and the qth temporary cluster set;
determining the sum $\Sigma_{tot}$ of the association degrees between each domain name in the qth temporary cluster set and the other domain names in the qth temporary cluster set;
determining the sum $K_q$ of the association degrees between the qth temporary cluster set and the other temporary cluster sets;
determining the sum $m$ of the association degrees between each domain name requested by the N hosts and the other domain names requested by the N hosts;
computing
Figure GDA0002923061820000031
In a possible implementation manner, after acquiring the domain names that the N hosts respectively request to access through their respective IP addresses, and before clustering those domain names to obtain at least one cluster set, the method further includes: filtering white list domain names and/or Content Delivery Network (CDN) domain names out of the domain names requested by the N hosts. A white list domain name is not an attack domain name, and its large request volume affects the subsequent clustering, so filtering white list domain names improves the efficiency and accuracy of determining attack domain names. Likewise, attack domain names generally do not use CDN domain names, so filtering CDN domain names also improves the efficiency and accuracy of determining attack domain names.
In a second aspect, the present application provides a device for determining an attack domain name in a botnet, which includes a domain name obtaining unit, a clustering unit, and a family determining unit. The domain name obtaining unit is used for acquiring the domain names that N hosts respectively request to access through their respective IP addresses, where N is a positive integer. The clustering unit is used for clustering the domain names requested by the N hosts to obtain at least one cluster set, where one cluster set comprises a plurality of domain names and the association degree between the domain names in one cluster set meets a preset condition. The family determining unit is used for determining the attack domain name family corresponding to each cluster set, where one attack domain name family comprises a plurality of domain names with the same domain name characteristics. In this scheme, domain names whose association degree meets the preset condition are two changing domain names within one attack domain name family; such domain names are clustered together, and the attack domain name family corresponding to each cluster set is determined from the characteristics of the domain names in that cluster set, so that the attack domain names in the botnet can be determined more accurately and efficiently.
In a possible implementation manner, the family determining unit may be specifically configured to: for one cluster set, determine the domain name characteristics of the domain names in the cluster set; if those characteristics are the same as the domain name characteristics of a first attack domain name family in the attack domain name family set, determine that the attack domain name family corresponding to the cluster set is the first attack domain name family; and if those characteristics differ from the domain name characteristics of every attack domain name family in the attack domain name family set, determine the attack domain name family corresponding to the cluster set according to the domain name characteristics of the domain names in the cluster set. The attack domain name family set comprises at least one attack domain name family, and one attack domain name family corresponds to one domain name characteristic. In this scheme, the attack domain name family set is a set of known attack domain name families, and the domain names in each attack domain name family have the domain name characteristics of their own family. If the domain names in a cluster set have the same domain name characteristics as the domain names of a known attack domain name family, the domain names in the cluster set are determined to belong to that known family; otherwise, the domain names in the cluster set are marked as a new attack domain name family.
In a possible implementation manner, the clustering unit may be specifically configured to perform the following steps to obtain at least one cluster set:
Step A1: Repeat the following steps B1 to B2 to obtain L temporary cluster sets, where the domain names in one temporary cluster set have the same domain name characteristics, i ranges over 1 to K, and K is the total number of domain names requested by the N hosts:
Step B1: For the ith domain name among the domain names requested by the N hosts, determine the jth domain name that has the largest association degree with the ith domain name;
Step B2: Divide the ith domain name into the cluster set where the jth domain name is located, where j is a positive integer not greater than K;
Step A2: If step A1 yields one temporary cluster set, determine that temporary cluster set to be the at least one cluster set obtained.
Step A3: If step A1 yields at least two temporary cluster sets, repeat the following steps C1 to C2 to obtain at least one cluster set, where the domain names in one cluster set belong to one attack domain name family and p ranges over 1 to L:
Step C1: For the pth temporary cluster set among the L temporary cluster sets, determine the qth temporary cluster set that has the highest association degree with the pth temporary cluster set;
Step C2: If the clustering condition is met between the pth temporary cluster set and the qth temporary cluster set, divide the pth temporary cluster set into the qth temporary cluster set, where q is a positive integer not greater than L.
By executing these steps, the domain names in each finally obtained cluster set have a higher association degree, that is, a higher probability of sharing the same domain name characteristics, so the domain name characteristics of the domain names in each cluster set can be determined more quickly and accurately.
In a possible implementation manner, the clustering condition is that the degree of aggregation $\Delta Q$ between the pth temporary cluster set and the qth temporary cluster set is greater than 0, where the degree of aggregation may be determined by:
determining the association degree $K_{pq}$ between the pth temporary cluster set and the qth temporary cluster set;
determining the sum $\Sigma_{tot}$ of the association degrees between each domain name in the qth temporary cluster set and the other domain names in the qth temporary cluster set;
determining the sum $K_q$ of the association degrees between the qth temporary cluster set and the other temporary cluster sets;
determining the sum $m$ of the association degrees between each domain name requested by the N hosts and the other domain names requested by the N hosts;
computing
Figure GDA0002923061820000061
In a possible implementation manner, the apparatus may further include a domain name filtering unit, configured to filter white list domain names and/or CDN domain names out of the domain names requested by the N hosts. A white list domain name is not an attack domain name, and its large request volume affects the subsequent clustering, so filtering white list domain names improves the efficiency and accuracy of determining attack domain names. Likewise, attack domain names generally do not use CDN domain names, so filtering CDN domain names also improves the efficiency and accuracy of determining attack domain names.
In a third aspect, the present application provides a network device, comprising:
a memory for storing program instructions;
a processor, configured to call the program instructions stored in the memory and, according to the obtained program, execute the method of the first aspect or of any embodiment of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium storing computer-executable instructions for causing a computer to perform the method of the first aspect or of any embodiment of the first aspect.
Drawings
Fig. 1 is a schematic flow chart of an attack domain name determination method in a botnet according to the present application;
Fig. 2a is a schematic diagram of a domain name association degree provided by the present application;
Fig. 2b is a schematic diagram of another domain name association degree provided by the present application;
Fig. 2c is a schematic diagram of a temporary cluster set provided by the present application;
Fig. 2d is a schematic diagram of another temporary cluster set provided by the present application;
Fig. 3 is a schematic diagram of an attack domain name determining apparatus in a botnet according to the present application;
Fig. 4 is a schematic structural diagram of a network device provided by the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings. The particular methods of operation in the method embodiments may also be applied to apparatus embodiments or system embodiments. In the description of the present application, the term "plurality" means two or more unless otherwise specified.
Fig. 1 shows the method for determining an attack domain name provided by the present application. As shown in Fig. 1, the method includes:
Step 101: Acquire the domain names that N hosts respectively request to access through their respective IP addresses.
Step 102: Cluster the domain names requested by the N hosts to obtain at least one cluster set.
A cluster set comprises a plurality of domain names, and the association degree between the domain names in the cluster set meets a preset condition.
Step 103: Determine the attack domain name family corresponding to each cluster set.
An attack domain name family includes a plurality of domain names having the same domain name characteristics.
In the above steps, domain names whose association degree meets the preset condition are two rapidly changing domain names within one attack domain name family. Such domain names are clustered together, and the attack domain name family corresponding to each cluster set is determined from the characteristics of the domain names in that cluster set, so that the attack domain names in the botnet can be determined more accurately and efficiently.
For step 101, in a possible implementation manner, network communication traffic may be collected through a deployed network probe or security device and then analyzed to obtain the domain names accessed by each of the N hosts. These domain names usually include white list domain names and/or CDN domain names. A white list domain name is not itself an attack domain name, and its large request volume may affect the subsequent clustering; attack domain names also generally do not use CDN domain names. It is therefore necessary to filter out the white list domain names and/or CDN domain names after acquiring the domain names that the N hosts respectively request to access through their respective Internet Protocol (IP) addresses. The white list domain names here may be, for example, the domain names of common websites such as Baidu and Sina.
In a possible implementation manner, the domain names requested by the N hosts in step 101 are those requested within a preset time, for example, the domain names requested by the N hosts within the last 24 hours.
In a possible implementation manner, between step 101 and step 102, the method may further include: determining the association degree between every two domain names requested by the N hosts. An association degree between two domain names means that the two domain names were accessed by the same host; the higher the association degree, the larger the number of hosts that accessed both domain names within a period of time. For example, if host 1 has accessed domain names D1, D2 and D3, and host 2 has accessed domain names D1 and D2, then there is an association degree between D1 and D2, between D1 and D3, and between D2 and D3, and the association degree between D1 and D2 is relatively higher.
A specific example of determining the magnitude of the association degree follows. Table 1 is a table of the domain names requested by N hosts within a period of time (taking N = 5 as an example), where IP1 to IP5 represent 5 different hosts, D1 to D6 represent 6 different domain names, and a value "1" in the table indicates that the IP (which may also be referred to as a host) in that row has accessed the domain name in that column.
Table 1: Domain names accessed by each host

       D1   D2   D3   D4   D5   D6
IP1    1    1    1    0    0    1
IP2    1    1    0    1    0    1
IP3    1    1    1    0    1    0
IP4    1    0    0    0    1    1
IP5    1    1    0    1    0    1

As can be seen from Table 1, 4 IP addresses, namely IP1, IP2, IP3 and IP5, have each accessed both D1 and D2, so there is an association between domain names D1 and D2, and the association degree between D1 and D2 can be counted as 4. Likewise, the association degree between D1 and D3 is 2, the association degree between D1 and D4 is 2, and so on; the association degree between any two domain names can be read from the table and is not listed here.
After the association degrees between domain names are determined, the schematic diagram of domain name association degrees shown in Fig. 2a is obtained. In Fig. 2a, D1 to D9 are 9 different domain names, and the number on the line between two domain names represents the association degree between them. For example, as can be seen from Fig. 2a, the association degree between D1 and D2 is 10, the association degree between D2 and D3 is 2, and the association degree between D2 and D5 is 2.
After the association degrees between domain names are determined and before step 102, the method may further include: determining any two domain names whose association degree is not greater than a threshold to have no association. Taking the association degree diagram shown in Fig. 2a as an example, if the threshold is 1, then after the pairs of domain names in Fig. 2a whose association degree is not greater than 1 are determined to have no association, the domain name association degree diagram shown in Fig. 2b is obtained. In this step, the association between two domain names whose association degree is lower than the threshold is determined to be no association, which reduces the computation during clustering in the subsequent step 102 and thus improves the efficiency of determining attack domain names.
In a possible implementation manner, the step 102 may be implemented by:
Step A1: Repeat the following steps B1 to B2 to obtain L temporary cluster sets, where the domain names in one temporary cluster set have the same domain name characteristics, i ranges over 1 to K, and K is the total number of domain names requested by the N hosts:
Step B1: For the ith domain name among the domain names requested by the N hosts, determine the jth domain name that has the largest association degree with the ith domain name;
Step B2: Divide the ith domain name into the cluster set where the jth domain name is located, where j is a positive integer not greater than K.
Step A1 is described below using the domain name association degree diagram shown in Fig. 2b as an example. First, among the 9 domain names shown in Fig. 2b, for D1, determine the domain name with the largest association degree with D1. As can be seen from Fig. 2b, the domain name with the largest association degree with D1 is D2, so D1 is divided into the cluster set where D2 is located, yielding 1 temporary cluster set. Steps B1 and B2 are then repeated for D2 to D9, finally giving: D2 is divided into D1, D3 into D8, D4 into D5, D5 into D4, D6 into D8, D7 into D5, D8 into D6, and D9 into D3. That is, the temporary cluster set diagram shown in Fig. 2c is finally obtained, where D11 is the temporary cluster set formed by D1 and D2, D22 is the temporary cluster set formed by D3, D6, D8 and D9, and D33 is the temporary cluster set formed by D4, D5 and D7.
Then, if L is equal to 1, step A2 is executed: determine the temporary cluster set to be the at least one cluster set obtained. Otherwise, if step A1 yields at least two temporary cluster sets, step A3 is executed: repeat the following steps C1 to C2 to obtain at least one cluster set, where the domain names in one cluster set belong to one attack domain name family and p ranges over 1 to L:
Step C1: For the pth temporary cluster set among the L temporary cluster sets, determine the qth temporary cluster set that has the highest association degree with the pth temporary cluster set;
Step C2: If the clustering condition is met between the pth temporary cluster set and the qth temporary cluster set, divide the pth temporary cluster set into the qth temporary cluster set, where q is a positive integer not greater than L.
In step C1, the association degree between two temporary cluster sets is the sum of all association degrees that exist between the domain names in one temporary cluster set and the domain names in the other temporary cluster set. Taking the temporary cluster set diagram shown in Fig. 2c as an example, the association degrees that exist between the domain names in D11 and the domain names in D33 are the association degree between D2 and D4 and the association degree between D2 and D5; thus the association degree between D11 and D33 is 2 + 2 = 4. Similarly, the association degree between D11 and D22 is 2, and the association degree between D22 and D33 is 2.
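The association counting of Table 1, the threshold pruning, step A1 and the set-to-set association of step C1 can be sketched as follows. This is an added example, not code from the patent: the host addresses, the `.example` names, the function names and the tie-break (lexicographically first partner) are assumptions, and the ΔQ test of step C2 is not implemented.

```python
from collections import defaultdict
from itertools import combinations

# Table 1 from the page: host -> domain names it requested.
TABLE_1 = {
    "IP1": {"D1", "D2", "D3", "D6"},
    "IP2": {"D1", "D2", "D4", "D6"},
    "IP3": {"D1", "D2", "D3", "D5"},
    "IP4": {"D1", "D5", "D6"},
    "IP5": {"D1", "D2", "D4", "D6"},
}

# Constructed sample (not from the page): two groups of hosts that each
# query their own set of names, plus one popular name every host queries.
POPULAR = "www.popular.example"
WHITELIST = frozenset({POPULAR})
CONSTRUCTED = {
    "10.0.0.1": {"a1.example", "a2.example", "a3.example", POPULAR},
    "10.0.0.2": {"a1.example", "a2.example", "a3.example", POPULAR},
    "10.0.0.3": {"a1.example", "a2.example", "b1.example", POPULAR},
    "10.0.0.4": {"b1.example", "b2.example", "b3.example", POPULAR},
    "10.0.0.5": {"b1.example", "b2.example", "b3.example", POPULAR},
    "10.0.0.6": {"b2.example", "b3.example", POPULAR},
}


def association(host_domains, ignore=frozenset()):
    """Association degree of a domain pair = number of hosts that requested
    both names. `ignore` models the white list / CDN filter."""
    assoc = defaultdict(int)
    for domains in host_domains.values():
        for a, b in combinations(sorted(domains - ignore), 2):
            assoc[(a, b)] += 1
    return dict(assoc)


def prune(assoc, threshold):
    """Pairs whose association degree is not greater than the threshold are
    treated as having no association."""
    return {pair: w for pair, w in assoc.items() if w > threshold}


def temporary_clusters(assoc):
    """Step A1: every domain joins the cluster set of the domain it is most
    associated with. Ties go to the lexicographically first partner (an
    assumption; the page does not define a tie-break). Domains left with no
    association at all do not appear in any temporary cluster set."""
    best = {}  # domain -> (association degree, partner)
    for (a, b), w in sorted(assoc.items()):
        for d, other in ((a, b), (b, a)):
            if d not in best or w > best[d][0]:
                best[d] = (w, other)

    parent = {d: d for d in best}  # union-find over "joins the set of"

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    for d, (_, other) in best.items():
        parent[find(d)] = find(other)

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())


def cluster_association(assoc, p, q):
    """Step C1: sum of the association degrees that exist between the
    domains of temporary cluster set p and those of q."""
    return sum(w for (a, b), w in assoc.items()
               if (a in p and b in q) or (a in q and b in p))


if __name__ == "__main__":
    print("Table 1, D1-D2:", association(TABLE_1)[("D1", "D2")])
    print("unfiltered:", temporary_clusters(association(CONSTRUCTED)))
    filtered = association(CONSTRUCTED, ignore=WHITELIST)
    sets = temporary_clusters(filtered)
    print("filtered:  ", sets)
    print("association between the two sets:",
          cluster_association(filtered, sets[0], sets[1]))
```

On the constructed data the unfiltered run pulls `b1.example` and the popular name into the first group's set, while the filtered run separates the two groups, which is the distortion the white list filter is meant to avoid.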
After steps C1 and C2 have been performed on each temporary cluster set, if all temporary cluster sets have been clustered into one cluster set, step A3 stops and that cluster set is determined as the at least one cluster set obtained in step 102. Otherwise, step A3 is repeated until any of the following termination conditions occurs:
Condition 1: the number of temporary cluster sets is less than or equal to the set number threshold. If the set number threshold is 2, clustering stops when the number of temporary cluster sets is 1 or 2, and those 1 or 2 temporary cluster sets are determined as the at least one cluster set obtained in step 102.
Condition 2: the number of times step A3 has been repeated is greater than the iteration number threshold. That is, the obtained temporary cluster sets are clustered again, and when the number of repetitions of this process of obtaining new temporary cluster sets is greater than the iteration number threshold, clustering stops and all temporary cluster sets at that moment are determined as the at least one cluster set obtained in step 102.
Condition 3: no two temporary cluster sets meet the clustering condition. That is, no temporary cluster set can be divided into another temporary cluster set; when the temporary cluster sets no longer change, clustering stops and all temporary cluster sets at that moment are determined as the at least one cluster set obtained in step 102.
In a possible implementation manner, the clustering condition is that the degree of aggregation Δ Q between the pth temporary cluster set and the qth temporary cluster set is greater than 0, wherein the degree of aggregation may be determined by:
determining the association degree K_pq between the pth temporary cluster set and the qth temporary cluster set;
determining the sum Σtot of the association degrees between each domain name in the qth temporary cluster set and the other domain names in the qth temporary cluster set;
determining the sum K_q of the association degrees between the qth temporary cluster set and the other temporary cluster sets;
determining the sum m of the association degrees between each domain name that the N hosts request to access and the other domain names that the N hosts request to access;
computing
Figure GDA0002923061820000111
The clustering condition is explained below taking D33 shown in FIG. 2c as an example. As can be seen from FIG. 2c, the temporary cluster set with the largest association degree with D33 is D11, and the association degree is 4, so K_pq = 4. Σtot denotes the sum of the association degrees between each domain name in D11 and the other domain names in D11. The domain names in D11 are D1 and D2; the association degree between D1 and D2 is 10 and the association degree between D2 and D1 is 10, so Σtot = 10 + 10 = 20. K_q denotes the sum of the association degrees between D11 and the other temporary cluster sets, i.e., 2 + 4 = 6. m denotes the sum of the association degrees between all the domain names D1 to D9, i.e., the sum of the values on all the lines shown in FIG. 2b, which is 49. Thus
Figure GDA0002923061820000112
so the clustering condition is satisfied, i.e., D33 can be divided into D11. D22 can be divided into neither D11 nor D33, so two temporary cluster sets, D22 and D333, are obtained, as shown in FIG. 2d, where D333 contains all the domain names in D11 and D33.
After the temporary cluster set diagram shown in FIG. 2d is obtained, if the set-number threshold is 2, clustering stops and the two temporary cluster sets D22 and D333 are determined as the at least one cluster set obtained in step 102. Alternatively, when the iteration-number threshold is 1, clustering stops and the two temporary cluster sets D22 and D333 are determined as the at least one cluster set obtained in step 102. Otherwise, step A3 continues to be performed on D22 and D333.
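The FIG. 2b to FIG. 2c walk-through above, as an added Python example that is not part of the patent text: it runs steps B1/B2 over nine domains, then computes the step C1 association degrees and the four quantities (K_pq, Σtot, K_q, m) the text quotes for D33. Assumptions: FIG. 2b is not reproduced on this page, so the edge weights are constructed to agree with the numbers stated in the text; the function names are hypothetical; ΔQ itself is not evaluated because its formula survives here only as an image reference.

```python
from collections import defaultdict

# Constructed association degrees (FIG. 2b is not reproduced on the page).
# Chosen so that every value the text quotes is reproduced: D1-D2 = 10,
# D11-D33 = 4, D11-D22 = 2, D22-D33 = 2, sum of all lines = 49.
EDGES = {
    ("D1", "D2"): 10, ("D1", "D3"): 2, ("D2", "D4"): 2, ("D2", "D5"): 2,
    ("D3", "D8"): 5, ("D3", "D9"): 4, ("D6", "D8"): 7, ("D6", "D7"): 2,
    ("D4", "D5"): 9, ("D5", "D7"): 6,
}


def build_graph(edges, domains=()):
    """Symmetric adjacency map; `domains` adds names with no association."""
    graph = {d: {} for d in domains}
    for (a, b), weight in edges.items():
        graph.setdefault(a, {})[b] = weight
        graph.setdefault(b, {})[a] = weight
    return graph


def step_a1(graph):
    """Steps B1/B2: put each domain in the cluster of its strongest neighbour."""
    parent = {d: d for d in graph}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    for domain, neighbours in graph.items():
        if not neighbours:
            continue  # a domain with no association stays alone
        # Ties go to the lexicographically smallest name (an assumption;
        # the page does not say how ties are broken).
        best = max(sorted(neighbours), key=lambda n: neighbours[n])
        parent[find(domain)] = find(best)

    clusters = defaultdict(set)
    for domain in graph:
        clusters[find(domain)].add(domain)
    return sorted((frozenset(c) for c in clusters.values()), key=sorted)


def association(graph, a, b):
    """Step C1: sum of association degrees between domains of a and of b."""
    return sum(graph[x].get(y, 0) for x in a for y in b)


def best_partner(graph, clusters, p):
    """Return (q, K_pq) for the cluster most associated with clusters[p]."""
    candidates = [(association(graph, clusters[p], c), i)
                  for i, c in enumerate(clusters) if i != p]
    if not candidates:
        return None  # L = 1: step A2 applies, nothing to merge
    k_pq, q = max(candidates, key=lambda t: t[0])
    return q, k_pq


def merge_inputs(graph, clusters, p):
    """Quantities the clustering condition is computed from, for cluster p."""
    partner = best_partner(graph, clusters, p)
    if partner is None:
        return None
    q, k_pq = partner
    target = clusters[q]
    # Each internal pair is counted in both directions, as in the text.
    sigma_tot = sum(graph[x].get(y, 0) for x in target for y in target if x != y)
    k_q = sum(association(graph, target, c)
              for i, c in enumerate(clusters) if i != q)
    # m counts every line of the association diagram once.
    m = sum(w for x, nbrs in graph.items() for y, w in nbrs.items() if x < y)
    return {"q": q, "K_pq": k_pq, "sigma_tot": sigma_tot, "K_q": k_q, "m": m}


if __name__ == "__main__":
    g = build_graph(EDGES)
    temp = step_a1(g)
    print([sorted(c) for c in temp])
    print(merge_inputs(g, temp, 2))  # index 2 is D33 = {D4, D5, D7}
```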
With this clustering method, the domain names in each finally obtained cluster set have a higher association degree with one another, that is, the probability that the domain names in each cluster set have the same domain name characteristics is higher, so the domain name characteristics of the domain names in each cluster set can be determined more quickly and accurately.
In a possible implementation manner, step 103 may specifically include: for one cluster set, determining the domain name characteristics of the domain names in the cluster set; if the domain name characteristics of the domain names in the cluster set are the same as the domain name characteristics of a first attack domain name family in the attack domain name family set, determining that the attack domain name family corresponding to the cluster set is the first attack domain name family; and if the domain name characteristics of the domain names in the cluster set differ from the domain name characteristics of all the attack domain name families in the attack domain name family set, determining the attack domain name family corresponding to the cluster set according to the domain name characteristics of the domain names in the cluster set. The attack domain name family set comprises at least one attack domain name family, and one attack domain name family corresponds to one domain name characteristic.
The attack domain name families in the attack domain name family set are generally attack domain name families with known domain name characteristics, such as the Conficker domain name family, which uses the current time of a certain region as a random seed to produce the current domain name list. Assume that two cluster sets, D22 and D333, are determined in step 102, where all the domain names in D22 satisfy the characteristics of the Conficker domain name family, i.e., the domain names in D22 are all produced by taking the current time of a certain region as a random seed; the domain names in D22 are then determined to be domain names in the Conficker domain name family. If the domain names in D333 do not satisfy the domain name characteristics of the Conficker domain name family and differ from the domain name characteristics of any known domain name family, D333 is determined as a new domain name family, e.g., called the D333 domain name family, and all the domain names in the D333 domain name family satisfy the domain name characteristics of the D333 domain name family.
In the above scheme, the obtained domain names that the N hosts request to access are first filtered to a certain extent, leaving the domain names used for determining attack domain names; the association degrees between the domain names are then determined, the domain names are clustered according to those association degrees, and the attack domain names are determined according to the domain name characteristics of the domain names in each cluster set, so that the attack domain names in the botnet can be determined more accurately and efficiently.
Based on the same inventive concept, fig. 3 exemplarily shows a determination apparatus for an attack domain name in a botnet provided by the present application, and the apparatus may execute a flow of the determination method for an attack domain name in a botnet. As shown in fig. 3, the apparatus includes:
a domain name obtaining unit 301, configured to obtain domain names that are respectively requested to be accessed by N hosts through respective IP addresses, where N is a positive integer.
The clustering unit 302 is configured to cluster the domain names requested to be accessed by the N hosts to obtain at least one cluster set. The cluster set comprises a plurality of domain names, and the association degree between the domain names in the cluster set meets a preset condition.
A family determining unit 303, configured to determine an attack domain name family corresponding to each cluster set. Wherein, an attack domain name family comprises a plurality of domain names with the same domain name characteristics.
According to the scheme, the domain names with the association degrees meeting the preset conditions are two variable domain names in an attack domain name family, the domain names with the association degrees meeting the preset conditions are clustered together, the attack domain name family corresponding to each cluster set is determined according to the characteristics of the domain names in each cluster set, and the attack domain names in the botnet can be determined more accurately and efficiently.
In a possible implementation manner, the family determining unit 303 may be specifically configured to: for one cluster set, determine the domain name characteristics of the domain names in the cluster set; if the domain name characteristics of the domain names in the cluster set are the same as the domain name characteristics of a first attack domain name family in the attack domain name family set, determine that the attack domain name family corresponding to the cluster set is the first attack domain name family; and if the domain name characteristics of the domain names in the cluster set differ from the domain name characteristics of all the attack domain name families in the attack domain name family set, determine the attack domain name family corresponding to the cluster set according to the domain name characteristics of the domain names in the cluster set. The attack domain name family set comprises at least one attack domain name family, and one attack domain name family corresponds to one domain name characteristic.
In a possible implementation manner, the clustering unit 302 may be specifically configured to perform the following steps to obtain at least one cluster set:
Step A1: repeating the following steps B1 to B2 to obtain L temporary cluster sets, where the domain names in one temporary cluster set have the same domain name characteristics, i takes every value from 1 to K, and K is the total number of domain names that the N hosts request to access:
Step B1: for the ith domain name among the domain names that the N hosts request to access, determining the jth domain name with the largest association degree with the ith domain name;
Step B2: dividing the ith domain name into the cluster set where the jth domain name is located, where j is a positive integer not greater than K;
Step A2: if step A1 obtains one temporary cluster set, determining that temporary cluster set as the obtained at least one cluster set;
Step A3: if step A1 obtains at least two temporary cluster sets, repeating the following steps C1 to C2 to obtain at least one cluster set, where the domain names in one cluster set belong to one attack domain name family, and p takes every value from 1 to L:
Step C1: for the pth temporary cluster set among the L temporary cluster sets, determining the qth temporary cluster set with the highest association degree with the pth temporary cluster set;
Step C2: if the clustering condition is met between the pth temporary cluster set and the qth temporary cluster set, dividing the pth temporary cluster set into the qth temporary cluster set, where q is a positive integer not greater than L.
By executing the steps, the finally obtained domain names in each cluster set have higher association degree, that is, the probability that the domain names in each cluster set have the same domain name characteristics is higher, so that the domain name characteristics of the domain names in each cluster set can be determined more quickly and accurately.
In a possible implementation manner, the clustering condition is that the degree of aggregation Δ Q between the pth temporary cluster set and the qth temporary cluster set is greater than 0, wherein the degree of aggregation may be determined by:
determining the association degree K_pq between the pth temporary cluster set and the qth temporary cluster set;
determining the sum Σtot of the association degrees between each domain name in the qth temporary cluster set and the other domain names in the qth temporary cluster set;
determining the sum K_q of the association degrees between the qth temporary cluster set and the other temporary cluster sets;
determining the sum m of the association degrees between each domain name that the N hosts request to access and the other domain names that the N hosts request to access;
computing
Figure GDA0002923061820000141
In a possible implementation manner, the apparatus may further include a domain name filtering unit 304, configured to filter a white list domain name and/or a CDN domain name from the domain names requested to be accessed by the N hosts. Because the white list domain name is not an attack domain name, and the request quantity of the white list domain name is large, the subsequent clustering is influenced, and the white list domain name is filtered, so that the efficiency and the accuracy of determining the attack domain name can be improved. Moreover, the attack domain name does not generally adopt a CDN domain name, so that the CDN domain name is filtered, and the efficiency and the accuracy of determining the attack domain name can be improved.
For the concepts, explanations, detailed descriptions and other steps related to the above device and related to the technical solution provided in the present application, please refer to the determination method of the attack domain name in the botnet or the descriptions related to these contents in other embodiments, which are not described herein again.
Based on the same concept as the embodiment, the application also provides a network device.
Fig. 4 is a schematic structural diagram of a network device provided in the present application. As shown in fig. 4, the network device 400 includes:
a memory 401 for storing program instructions;
a processor 402, configured to invoke the program instructions stored in the memory, and execute the method for determining an attack domain name in a botnet according to any of the foregoing embodiments according to the obtained program.
Based on the same concept as that of the above embodiments, the present application also provides a computer storage medium storing computer-executable instructions for causing a computer to execute the method for determining an attack domain name in a botnet described in any one of the foregoing embodiments.
It should be noted that the division of the units in the present application is schematic, and is only one division of logic functions, and there may be another division manner in actual implementation. In the present application, each functional unit may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions according to the present application are generated in whole or in part when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
As will be appreciated by one skilled in the art, the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (8)

1. A method for determining an attack domain name in a botnet, comprising:
acquiring domain names which are respectively requested to be accessed by N hosts through respective network protocol IP addresses, wherein N is a positive integer;
clustering the domain names requested to be accessed by the N hosts to obtain at least one cluster set, wherein one cluster set comprises a plurality of domain names, and the association degree between the domain names in one cluster set meets a preset condition;
determining an attack domain name family corresponding to each cluster set, wherein one attack domain name family comprises a plurality of domain names with the same domain name characteristics;
the clustering the domain names requested to be accessed by the N hosts to obtain at least one cluster set includes:
step A1: repeating the following steps B1 to B2 to obtain L temporary cluster sets, where domain name features of domain names in one temporary cluster set are the same, and i is taken over from 1 to K, where K is the total number of domain names requested to be accessed by the N hosts:
step B1: aiming at the ith domain name in the domain names which are requested to be accessed by the N hosts, determining the jth domain name with the highest association degree with the ith domain name;
step B2: dividing the ith domain name into a cluster set where the jth domain name is located, wherein j is a positive integer not greater than K;
step A2: if a temporary cluster set is obtained in step A1, determining that the temporary cluster set is the obtained at least one cluster set;
step A3: if the step A1 obtains at least two temporary cluster sets, repeatedly executing the following steps C1 to C2 to obtain the at least one cluster set, where the domain name in one cluster set belongs to an attack domain name family, and p is taken over 1 to L:
step C1: for a pth temporary cluster set in the L temporary cluster sets, determining a qth temporary cluster set with the highest association degree with the pth temporary cluster set;
step C2: if the clustering condition is met between the pth temporary cluster set and the qth temporary cluster set, dividing the pth temporary cluster set into the qth temporary cluster set, wherein q is a positive integer not greater than L.
2. The method of claim 1, wherein determining the attacking domain name family to which each cluster set corresponds respectively comprises:
determining the domain name characteristics of the domain names in a cluster set aiming at the cluster set, and if the domain name characteristics of the domain names in the cluster set are the same as the domain name characteristics of a first attack domain name family in an attack domain name family set, determining that the attack domain name family corresponding to the cluster set is the first attack domain name family; if the domain name characteristics of the domain names in the cluster set are different from the domain name characteristics of all the attacking domain name families in the attacking domain name family set, determining the attacking domain name family corresponding to the cluster set according to the domain name characteristics of the domain names in the cluster set, wherein the attacking domain name family set comprises at least one attacking domain name family, and one attacking domain name family corresponds to one domain name characteristic.
3. The method of claim 1, wherein the clustering condition is a degree of cohesion Δ Q > 0 between the pth temporary cluster set and the qth temporary cluster set, wherein the degree of cohesion is determined by:
determining a degree of association K_pq between the pth temporary cluster set and the qth temporary cluster set;
determining the sum Σtot of the association degrees between each domain name in the qth temporary cluster set and other domain names in the qth temporary cluster set;
determining a sum K_q of the degrees of association between the qth temporary cluster set and other temporary cluster sets;
determining the sum m of the association degrees between each domain name requested to be accessed by the N hosts and other domain names in the domain names requested to be accessed by the N hosts;
calculating the said
Figure FDA0002923061810000021
4. The method according to any one of claims 1 to 3, wherein after obtaining the domain names that the N hosts respectively request to access through their respective IP addresses, before clustering the domain names that the N hosts request to access to obtain at least one cluster set, the method further comprises:
and filtering the white list domain name and/or the Content Delivery Network (CDN) domain name in the domain names which the N hosts request to access.
5. An apparatus for determining an attack domain name in a botnet, comprising:
the domain name acquisition unit is used for acquiring domain names which are respectively requested to be accessed by N hosts through respective network protocol IP addresses, and N is a positive integer;
the clustering unit is used for clustering the domain names which the N hosts request to access to obtain at least one cluster set, wherein one cluster set comprises a plurality of domain names, and the association degree between the domain names in one cluster set meets a preset condition;
the family determining unit is used for determining an attack domain name family corresponding to each cluster set, and one attack domain name family comprises a plurality of domain names with the same domain name characteristics;
the clustering unit is specifically configured to perform the following steps to obtain the at least one cluster set:
step A1: repeating the following steps B1 to B2 to obtain L temporary cluster sets, where domain name features of domain names in one temporary cluster set are the same, and i is taken over from 1 to K, where K is the total number of domain names requested to be accessed by the N hosts:
step B1: aiming at the ith domain name in the domain names which are requested to be accessed by the N hosts, determining the jth domain name with the highest association degree with the ith domain name;
step B2: dividing the ith domain name into a cluster set where the jth domain name is located, wherein j is a positive integer not greater than K;
step A2: if a temporary cluster set is obtained in step A1, determining that the temporary cluster set is the obtained at least one cluster set;
step A3: if the step A1 obtains at least two temporary cluster sets, repeatedly executing the following steps C1 to C2 to obtain the at least one cluster set, where the domain name in one cluster set belongs to an attack domain name family, and p is taken over 1 to L:
step C1: for a pth temporary cluster set in the L temporary cluster sets, determining a qth temporary cluster set with the highest association degree with the pth temporary cluster set;
step C2: if the clustering condition is met between the pth temporary cluster set and the qth temporary cluster set, dividing the pth temporary cluster set into the qth temporary cluster set, wherein q is a positive integer not greater than L.
6. The apparatus of claim 5, wherein the family determination unit is specifically configured to:
determining the domain name characteristics of the domain names in a cluster set aiming at the cluster set, and if the domain name characteristics of the domain names in the cluster set are the same as the domain name characteristics of a first attack domain name family in an attack domain name family set, determining that the attack domain name family corresponding to the cluster set is the first attack domain name family; if the domain name characteristics of the domain names in the cluster set are different from the domain name characteristics of all the attacking domain name families in the attacking domain name family set, determining the attacking domain name family corresponding to the cluster set according to the domain name characteristics of the domain names in the cluster set, wherein the attacking domain name family set comprises at least one attacking domain name family, and one attacking domain name family corresponds to one domain name characteristic.
7. The apparatus of claim 5, wherein the clustering condition is a degree of cohesion Δ Q > 0 between the pth temporary cluster set and the qth temporary cluster set, wherein the degree of cohesion is determined by:
determining a degree of association K_pq between the pth temporary cluster set and the qth temporary cluster set;
determining the sum Σtot of the association degrees between each domain name in the qth temporary cluster set and other domain names in the qth temporary cluster set;
determining a sum K_q of the degrees of association between the qth temporary cluster set and other temporary cluster sets;
determining the sum m of the association degrees between each domain name requested to be accessed by the N hosts and other domain names in the domain names requested to be accessed by the N hosts;
calculating the said
Figure FDA0002923061810000041
8. The apparatus according to any of claims 5-7, wherein the apparatus further comprises a domain name filtering unit for filtering a whitelisted domain name and/or a Content Delivery Network (CDN) domain name among the domain names to which the N hosts request access.
CN201811609145.6A 2018-12-27 2018-12-27 Method and device for determining attack domain name in botnet Active CN109462612B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811609145.6A CN109462612B (en) 2018-12-27 2018-12-27 Method and device for determining attack domain name in botnet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811609145.6A CN109462612B (en) 2018-12-27 2018-12-27 Method and device for determining attack domain name in botnet

Publications (2)

Publication Number Publication Date
CN109462612A CN109462612A (en) 2019-03-12
CN109462612B true CN109462612B (en) 2021-06-11

Family

ID=65614897

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811609145.6A Active CN109462612B (en) 2018-12-27 2018-12-27 Method and device for determining attack domain name in botnet

Country Status (1)

Country Link
CN (1) CN109462612B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112448911B (en) * 2019-08-27 2022-02-11 四川大学 K-Means-based normal Server IP white list mining method
CN111314379B (en) * 2020-03-20 2022-07-08 深圳市腾讯计算机***有限公司 Attacked domain name identification method and device, computer equipment and storage medium
CN113497791B (en) * 2020-04-01 2023-11-07 中移动信息技术有限公司 Botnet identification method, device, equipment and storage medium
CN113746952B (en) * 2021-09-14 2024-04-16 京东科技信息技术有限公司 DGA domain name detection method and device, electronic equipment and computer storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2611101A1 (en) * 2011-12-29 2013-07-03 Verisign, Inc. Systems and methods for detecting similarities in network traffic
CN103297433A (en) * 2013-05-29 2013-09-11 中国科学院计算技术研究所 HTTP botnet detection method and system based on net data stream
CN106060067A (en) * 2016-06-29 2016-10-26 上海交通大学 Passive DNS iterative clustering-based malicious domain name detection method
CN106411951A (en) * 2016-11-29 2017-02-15 神州网云(北京)信息技术有限公司 Network attack behavior detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant after: NSFOCUS Technologies Group Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: NSFOCUS TECHNOLOGIES Inc.

GR01 Patent grant