CN116455620A - Malicious domain name access analysis and determination method - Google Patents

Malicious domain name access analysis and determination method

Info

Publication number
CN116455620A
Authority
CN
China
Prior art keywords
domain name
malicious
behavior
access
analyzing
Legal status
Pending (status as listed by Google Patents; not a legal conclusion)
Application number
CN202310342943.1A
Other languages
Chinese (zh)
Inventor
范伟宁
戚红建
韩硕
王宇飞
徐蕾
宋成风
张强
秦绪帅
李亚楠
师凤瑞
Current Assignee (as listed by Google Patents; may be inaccurate)
Beijing Bidding Branch Of China Huaneng Group Co ltd
Huaneng Information Technology Co Ltd
Original Assignee
Beijing Bidding Branch Of China Huaneng Group Co ltd
Huaneng Information Technology Co Ltd
Application filed by Beijing Bidding Branch Of China Huaneng Group Co ltd and Huaneng Information Technology Co Ltd
Priority to CN202310342943.1A
Publication of CN116455620A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a malicious domain name access analysis and determination method comprising the following steps: collecting malicious domain names and malicious behaviors, and establishing a malicious domain name blacklist and a malicious behavior model library; extracting the DNS packets from the captured traffic packets; parsing the DNS packets to obtain a domain name record set; analyzing each domain name in the domain name record set against the malicious domain name blacklist to obtain a domain name analysis result, and analyzing the access behavior corresponding to each domain name in the domain name record set against the malicious behavior model library to obtain an access behavior analysis result; and making a comprehensive judgment from the domain name analysis result and the access behavior analysis result to determine the malicious domain names in the domain name record set and raise a warning for them. Because the method judges a domain name by combining analysis of the name itself with analysis of the access behavior associated with it, it improves the accuracy of malicious domain name confirmation, reduces the chance that a malicious domain name evades detection, and marks malicious domain names with a warning so that they are found in time.

Description

Malicious domain name access analysis and determination method
Technical Field
The invention relates to the technical field of network security, and in particular to a malicious domain name access analysis and determination method.
Background
The domain name system is one of the most important pieces of internet infrastructure, and a large number of network services depend on it. The domain name resolution service (DNS) maps easy-to-remember domain names to IP addresses so that internet users can reach network resources conveniently; it is one of the basic services of the internet architecture. A malicious domain name, also called a malicious website, is a website that exploits vulnerabilities in the browser or application software to embed malicious code and tamper with or damage the user's machine without the user's knowledge. A website that pops up plug-ins or prompts the user whether to set it as the home page is not defined as a malicious domain name, because user confirmation is required. A website with illegal or unhealthy content is not defined as a malicious domain name if it does not tamper with or damage the user's machine. A website that impersonates another site, such as a banking or e-commerce site, is defined as a malicious domain name even though it does not tamper with or damage the user's machine.
With the rapid development of network technology, the scale of the Internet continues to grow, Internet applications have penetrated every aspect of daily life, and the Internet has become a major driver of social progress and economic development; the wide adoption of smartphones in particular has tied everyday life closely to the Internet. But while the Internet offers fast, convenient and interactive communication across space and time, it also creates opportunities for network attacks, cybercrime, information leakage and privacy snooping. Because the domain name system does not inspect the behavior of the services built on it, the DNS service lacks malicious behavior detection capability and is therefore often abused by malicious programs: a considerable share of known malicious programs exfiltrate information by way of domain name associations, and once a computer is implanted with such a program it continuously sends information to the domain names designated by the implanting party. Malicious domain names therefore need to be analyzed and determined in order to reduce such malicious events.
Disclosure of Invention
The technical problem addressed by the invention is that the prior art has difficulty analyzing access to malicious domain names and cannot determine which domain names are malicious.
In order to solve this problem, the invention provides a malicious domain name access analysis and determination method comprising the following steps:
collecting malicious domain names and malicious behaviors, and establishing a malicious domain name blacklist and a malicious behavior model library respectively;
acquiring all traffic packets captured by the network card, and extracting the DNS packets from them;
parsing the DNS packets to obtain a domain name record set;
analyzing each domain name in the domain name record set against the malicious domain name blacklist to obtain a domain name analysis result, and analyzing the access behavior corresponding to each domain name in the domain name record set against the malicious behavior model library to obtain an access behavior analysis result;
and making a comprehensive judgment from the domain name analysis result and the access behavior analysis result, determining the malicious domain names in the domain name record set, and marking them with a warning.
Further, collecting the malicious domain names and malicious behaviors and establishing the malicious domain name blacklist and the malicious behavior model library respectively specifically comprises:
collecting and promptly updating public threat intelligence sources using big data mining techniques, and analyzing and processing the domain names and behaviors in the collected threat intelligence with big data processing;
judging whether each domain name in the collected threat intelligence is a malicious domain name, and whether each behavior in it is a malicious behavior;
if a domain name in the threat intelligence is malicious, extracting it and adding it to the malicious domain name blacklist;
if a behavior in the threat intelligence is malicious, extracting it and adding it to the malicious behavior model library.
Further, acquiring all traffic packets captured by the network card and extracting the DNS packets from them specifically comprises:
mirroring all traffic packets captured by the network card into memory;
identifying the DNS packets among all the captured traffic packets;
and separating the DNS packets from the rest of the captured traffic.
Further, parsing the DNS packets to obtain a domain name record set specifically comprises:
parsing the DNS packets to obtain DNS parse data;
cleaning the DNS parse data by removing the fields that have no bearing on the system and retaining the fields that do;
extracting all domain names from the retained fields and collecting them into the domain name record set.
Further, analyzing each domain name in the domain name record set against the malicious domain name blacklist to obtain a domain name analysis result specifically comprises:
obtaining each domain name and matching it against the domain names in the malicious domain name blacklist to obtain a matching degree value;
judging whether the domain name is a suspected malicious domain name by comparing the matching degree value with a preset matching degree value;
if the matching degree value is less than or equal to the preset matching degree value, the domain name is not a suspected malicious domain name, and judgment proceeds to the next domain name;
if the matching degree value exceeds the preset matching degree value, the domain name is an abnormally accessed domain name and is recorded in the domain name analysis result as a suspected malicious domain name.
Further, judging whether the domain name is a suspected malicious domain name from the matching degree value and the preset matching degree value specifically comprises:
invoking a malicious domain name model in the malicious domain name blacklist and calculating the matching degree value between the domain name and the malicious domain name model, so as to judge whether the domain name is a suspected malicious domain name.
Further, analyzing the access behavior corresponding to each domain name in the domain name record set against the malicious behavior model library to obtain an access behavior analysis result specifically comprises:
acquiring the access behavior corresponding to each domain name and extracting the characteristic information of that access behavior;
performing entropy quantization on the characteristic information, and inputting the resulting entropy vector into a classifier to obtain the behavior type of the access behavior;
judging from the behavior type whether the access behavior is an abnormal access behavior;
if it is not an abnormal access behavior, proceeding to the access behavior of the next domain name;
if it is an abnormal access behavior, recording it in the access behavior analysis result.
Further, judging from the behavior type whether the access behavior is an abnormal access behavior specifically comprises:
invoking a malicious behavior model in the malicious behavior model library and matching the access behavior against it, so as to judge whether the access behavior is abnormal.
Further, making the comprehensive judgment from the domain name analysis result and the access behavior analysis result, determining the malicious domain names in the domain name record set and marking them with a warning specifically comprises:
assigning a first weight value to the domain name analysis result and a second weight value to the access behavior analysis result according to the importance of each result;
adding the first weight value and the second weight value to obtain a malicious value;
if the malicious value does not exceed a preset malicious value, the domain name in the domain name record set is not a malicious domain name;
if the malicious value exceeds the preset malicious value, the domain name in the domain name record set is a malicious domain name and is marked with a color-coded warning.
Compared with the prior art, the malicious domain name access analysis and determination method has the following beneficial effects:
the method determines whether a domain name is malicious by combining analysis of the domain name itself with analysis of the access behavior associated with it, which improves the accuracy of malicious domain name confirmation, reduces the chance that a malicious domain name evades detection, and marks malicious domain names with a warning so that they are found in time.
Drawings
FIG. 1 is a general flow diagram of a malicious domain name access analysis and determination method in an embodiment of the present invention;
FIG. 2 is a schematic flow diagram of a method for analyzing and determining access to malicious domain names according to an embodiment of the present invention;
FIG. 3 is a schematic flow diagram of a method for analyzing and determining access to malicious domain names according to an embodiment of the present invention;
FIG. 4 is a schematic flow diagram of a portion of a method for analyzing and determining access to malicious domain names according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of a method for analyzing and determining access to malicious domain names according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a portion of a method for analyzing and determining access to malicious domain names according to an embodiment of the present invention;
FIG. 7 is a schematic partial flow chart of a malicious domain name access analysis and determination method in an embodiment of the invention.
Detailed Description
The following describes in further detail the embodiments of the present invention with reference to the drawings and examples. The following examples are illustrative of the invention and are not intended to limit the scope of the invention.
In the description of the present application, it should be understood that the terms "center," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like indicate orientations or positional relationships based on the orientation or positional relationships shown in the drawings, merely to facilitate description of the present application and simplify the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and therefore should not be construed as limiting the present application.
The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features. In the description of the present application, unless otherwise indicated, "a plurality" means two or more.
In the description of the present application, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "coupled" are to be construed broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediate medium; or a communication path between two elements. The specific meaning of these terms in this application will be understood by those of ordinary skill in the art in the specific context.
As shown in FIG. 1, in an embodiment of the present application, a malicious domain name access analysis and determination method is provided, comprising: collecting malicious domain names and malicious behaviors, and establishing a malicious domain name blacklist and a malicious behavior model library respectively; acquiring all traffic packets captured by the network card and extracting the DNS packets from them; parsing the DNS packets to obtain a domain name record set; analyzing each domain name in the domain name record set against the malicious domain name blacklist to obtain a domain name analysis result, and analyzing the access behavior corresponding to each domain name in the domain name record set against the malicious behavior model library to obtain an access behavior analysis result; and making a comprehensive judgment from the two results, determining the malicious domain names in the domain name record set, and marking them with a warning.
By combining analysis of the domain name with analysis of its associated access behavior, the method improves the accuracy with which malicious domain names are confirmed, reduces the chance that a malicious domain name evades detection, and marks malicious domain names with a warning so that they are found in time.
As shown in FIG. 2, in an embodiment of the present application, collecting the malicious domain names and malicious behaviors and establishing the malicious domain name blacklist and the malicious behavior model library respectively specifically comprises: collecting and promptly updating public threat intelligence sources using big data mining techniques, and analyzing and processing the domain names and behaviors in the collected threat intelligence with big data processing; judging whether each domain name in the collected threat intelligence is a malicious domain name and whether each behavior is a malicious behavior; if a domain name is malicious, extracting it and adding it to the malicious domain name blacklist; if a behavior is malicious, extracting it and adding it to the malicious behavior model library.
Specifically, existing published threat intelligence sources are collected and kept up to date through big data mining, the collected threat intelligence is analyzed with big data processing to judge whether its domain names and behaviors are malicious, and those that are malicious are extracted to build the malicious domain name blacklist and the malicious behavior model library respectively, which provide the reference data for judging domain names and behaviors later.
As shown in FIG. 3, in an embodiment of the present application, acquiring all traffic packets captured by the network card and extracting the DNS packets from them specifically comprises: mirroring all traffic packets captured by the network card into memory; identifying the DNS packets among all the captured traffic packets; and separating the DNS packets from the rest of the captured traffic.
Specifically, the network card captures the traffic packets to be identified from a preset network device, and all captured packets are pulled or mirrored so that they can be fed in and the DNS packets separated from them. The packets to be identified are preprocessed at layer seven (the application layer) of the OSI reference model to obtain the UDP request data on port 53; other packets may be discarded or handed to other protocol modules for processing.
As shown in FIG. 4, in an embodiment of the present application, parsing the DNS packets to obtain a domain name record set specifically comprises: parsing the DNS packets to obtain DNS parse data; cleaning the DNS parse data by removing the fields that have no bearing on the system and retaining the fields that do; and extracting all domain names from the retained fields and collecting them into the domain name record set.
Specifically, the DNS packets are parsed to extract the source host IP, the domain name queried by that host, and the time of the query.
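As an added example, not code from the patent or its assignees, the following Python script demonstrates the extraction and parsing steps described above. It demultiplexes constructed Ethernet/IPv4/UDP frames, keeps only packets on UDP port 53, decodes the DNS header, question section and A/CNAME answers including RFC 1035 name compression, and emits one record per query carrying the client host IP, the queried domain name and the timestamp; everything else is dropped as the description says. The frames, addresses and the domain name login.bank.example are constructed for the example and checksum validation is omitted. Note that a UDP/53 filter alone misses DNS carried over TCP and encrypted DNS (DoT/DoH), which a production sensor would have to handle separately.

```python
import socket
import struct


def encode_qname(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (each label prefixed by its length)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"


def build_frame(src_ip, dst_ip, sport, dport, payload, proto=17):
    """Constructed Ethernet/IPv4 frame carrying UDP (17) or TCP (6); checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def read_name(data: bytes, off: int):
    """Decode a DNS name at `off`, following compression pointers; return (name, next_off)."""
    labels, next_off, jumped, hops = [], off, False, 0
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte pointer into an earlier name
            if not jumped:
                next_off = off + 2
            off, jumped, hops = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF, True, hops + 1
            if hops > 32:                           # guard against pointer loops in crafted packets
                raise ValueError("compression pointer loop")
            continue
        if ln == 0:
            return ".".join(labels), (next_off if jumped else off + 1)
        labels.append(data[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln


def parse_dns(payload: bytes) -> dict:
    """Parse the header, question section and A/CNAME answers of one DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            answers.append((name, socket.inet_ntoa(payload[off:off + 4])))
        elif rtype == 5:                            # CNAME: rdata is a (possibly compressed) name
            answers.append((name, read_name(payload, off)[0]))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def extract_dns_records(frames):
    """frames: iterable of (timestamp, raw Ethernet bytes). Returns the domain name record set."""
    records = []
    for ts, frame in frames:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4: other protocol modules
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if proto != 17:                             # not UDP: discard here
            continue
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if 53 not in (sport, dport):
            continue
        try:
            msg = parse_dns(udp[8:ulen])
        except (struct.error, IndexError, ValueError):
            continue                                # malformed DNS: skip, never crash the sensor
        client = dst_ip if msg["is_response"] else src_ip
        for qname, qtype in msg["questions"]:
            records.append({"ts": ts, "client_ip": client, "qname": qname.lower(), "qtype": qtype,
                            "is_response": msg["is_response"], "rcode": msg["rcode"],
                            "answers": msg["answers"]})
    return records


# Constructed capture: an A query for login.bank.example, its answer, and an unrelated HTTP packet.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + encode_qname("login.bank.example") + struct.pack("!HH", 1, 1))
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_qname("login.bank.example") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.7"))
SAMPLE_FRAMES = [
    (1.00, build_frame("10.0.0.5", "10.0.0.53", 40000, 53, SAMPLE_QUERY)),
    (1.02, build_frame("10.0.0.53", "10.0.0.5", 53, 40000, SAMPLE_RESPONSE)),
    (1.10, build_frame("10.0.0.5", "203.0.113.7", 40001, 80, b"GET / HTTP/1.1\r\n", proto=6)),
]

if __name__ == "__main__":
    for rec in extract_dns_records(SAMPLE_FRAMES):
        print(rec)
```

The record set keeps both the query and the response so that later stages can use the answer data and the response code (for example NXDOMAIN counts) as behavior features; the pointer-hop limit in `read_name` is the check that keeps a crafted packet with a looping compression pointer from hanging the parser.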
As shown in FIG. 5, in an embodiment of the present application, analyzing each domain name in the domain name record set against the malicious domain name blacklist to obtain a domain name analysis result specifically comprises: obtaining each domain name and matching it against the domain names in the malicious domain name blacklist to obtain a matching degree value; judging whether the domain name is a suspected malicious domain name by comparing the matching degree value with a preset matching degree value; if the matching degree value is less than or equal to the preset matching degree value, the domain name is not a suspected malicious domain name and judgment proceeds to the next domain name; if the matching degree value exceeds the preset matching degree value, the domain name is an abnormally accessed domain name and is recorded in the domain name analysis result as a suspected malicious domain name.
Specifically, each obtained domain name is matched against the domain names in the malicious domain name blacklist to judge whether it is a suspected malicious domain name, and an abnormally accessed domain name is recorded in the domain name analysis result as a suspected malicious domain name.
In an embodiment of the present application, judging whether the domain name is a suspected malicious domain name from the matching degree value and the preset matching degree value specifically comprises: invoking a malicious domain name model in the malicious domain name blacklist and calculating the matching degree value between the domain name and the malicious domain name model, so as to judge whether the domain name is a suspected malicious domain name.
Specifically, a malicious domain name model is built into the malicious domain name blacklist; the model is invoked, the matching degree value between the domain name and the model is calculated, and if the matching degree reaches the preset value the domain name is judged to be a suspected malicious domain name.
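As an added example, not the patent's own code, the following Python snippet implements one possible matching degree calculation for the blacklist step. Each blacklist entry acts as a domain name model in three ways: an exact match, a zone match (any subdomain of a blacklisted zone), and a lookalike match computed as a similarity ratio after mapping commonly confused characters (0 for o, 1 for l, rn for m, and so on); the highest degree over the blacklist is then compared with the preset matching degree value. The blacklist entries, the threshold of 0.85 and the confusable-character table are assumptions made for the example.

```python
from difflib import SequenceMatcher

# Constructed blacklist (the malicious domain name models); a real feed would be far larger.
MALICIOUS_BLACKLIST = ["c2.badactor.example", "secure-bank-login.example"]
PRESET_MATCH_DEGREE = 0.85

# Assumed confusable-character table for lookalike (typosquat / homoglyph) detection.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(name: str) -> str:
    """Canonical form: trimmed, no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()


def skeleton(name: str) -> str:
    """Collapse confusable characters so that 'l0gin' and 'login' compare equal."""
    for src, dst in _CONFUSABLES:
        name = name.replace(src, dst)
    return name


def match_degree(domain: str, entry: str) -> float:
    """Matching degree in [0, 1] between an observed domain and one blacklist entry."""
    d, e = normalize(domain), normalize(entry)
    if d == e or d.endswith("." + e):          # exact hit, or a name inside a blacklisted zone
        return 1.0
    raw = SequenceMatcher(None, d, e).ratio()
    return max(raw, SequenceMatcher(None, skeleton(d), skeleton(e)).ratio())


def analyze_domains(domains, blacklist=MALICIOUS_BLACKLIST, preset=PRESET_MATCH_DEGREE) -> dict:
    """Domain name analysis result: per domain, whether it is a suspected malicious domain name."""
    result = {}
    for domain in domains:
        degree, matched = max(((match_degree(domain, e), e) for e in blacklist), default=(0.0, None))
        suspected = degree > preset               # degree <= preset: not suspected, move on
        result[domain] = {"suspected": suspected, "degree": round(degree, 3),
                          "matched": matched if suspected else None}
    return result


if __name__ == "__main__":
    sample = ["beacon.c2.badactor.example", "secure-bank-l0gin.example", "cdn.images.example"]
    for name, verdict in analyze_domains(sample).items():
        print(name, verdict)
```

The zone rule is what catches a fresh subdomain of a known bad zone that a plain string comparison would miss, and the skeleton comparison catches the impersonation case the background section calls out (a fake banking site); the similarity threshold should be tuned on real traffic, since short names produce high ratios by chance.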
As shown in FIG. 6, in an embodiment of the present application, analyzing the access behavior corresponding to each domain name in the domain name record set against the malicious behavior model library to obtain an access behavior analysis result specifically comprises: acquiring the access behavior corresponding to each domain name and extracting the characteristic information of that access behavior; performing entropy quantization on the characteristic information, and inputting the resulting entropy vector into a classifier to obtain the behavior type of the access behavior; judging from the behavior type whether the access behavior is an abnormal access behavior; if it is not, proceeding to the access behavior of the next domain name; if it is, recording the abnormal access behavior in the access behavior analysis result.
Specifically, each domain name has a corresponding access behavior. The characteristic information of that access behavior is extracted and entropy-quantized, the resulting entropy vector is input into a classifier, and the classifier outputs the behavior type of the access behavior. The behavior type is the marker used to decide whether the access behavior is abnormal; if it is, the abnormal access behavior is recorded in the access behavior analysis result.
In an embodiment of the present application, judging from the behavior type whether the access behavior is an abnormal access behavior specifically comprises: invoking a malicious behavior model in the malicious behavior model library and matching the access behavior against it, so as to judge whether the access behavior is abnormal.
Specifically, a malicious behavior model is built into the malicious behavior model library; the model is invoked, the matching degree value between the access behavior and the model is calculated, and if the matching degree reaches the preset value the access behavior is judged to be abnormal.
As shown in FIG. 7, in an embodiment of the present application, making the comprehensive judgment from the domain name analysis result and the access behavior analysis result, determining the malicious domain names in the domain name record set and marking them with a warning specifically comprises: assigning a first weight value to the domain name analysis result and a second weight value to the access behavior analysis result according to the importance of each result; adding the first weight value and the second weight value to obtain a malicious value; if the malicious value does not exceed a preset malicious value, the domain name in the domain name record set is not a malicious domain name; if the malicious value exceeds the preset malicious value, the domain name is a malicious domain name and is marked with a color-coded warning.
Specifically, a first weight value and a second weight value are assigned to the domain name analysis result and the access behavior analysis result, the two weight values are added to obtain a malicious value, the domain name is judged to be malicious or not by comparing the malicious value with the preset malicious value, and a malicious domain name is marked with a color-coded warning.
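As an added example, not the patent's own code, the following Python script carries the behavior analysis and the final weighted judgment through on constructed DNS query records. It turns each domain name's access records into an entropy vector (character entropy of the queried subdomain labels, entropy of the inter-query intervals, entropy of the querying hosts, and the NXDOMAIN ratio), classifies that vector by nearest centroid against a small constructed behavior model library, then combines the domain name analysis result and the behavior result with the first and second weight values and compares the malicious value with the preset value, rendering the verdict with a terminal color code. The feature set, the centroids, the weights (0.7 and 0.5), the preset malicious value (0.6), the sample records and the sample domain name analysis result are all assumptions; each weight is counted only when its analysis flagged the domain, which is one reading of the weighted sum described above.

```python
import math
from collections import Counter

# Constructed behavior model library: one centroid per behavior type, over the entropy vector
# [subdomain-label character entropy, inter-query interval entropy, querying-host entropy, NXDOMAIN ratio].
BEHAVIOR_MODELS = {
    "benign": [3.0, 1.5, 1.5, 0.0],   # varied labels, irregular timing, many hosts
    "beacon": [0.3, 0.2, 0.2, 0.0],   # bare domain, fixed interval, single host (C2 callback)
    "tunnel": [3.8, 1.0, 0.3, 0.1],   # high-entropy labels carrying encoded data (DNS tunnelling)
}
ABNORMAL_TYPES = {"beacon", "tunnel"}
FIRST_WEIGHT, SECOND_WEIGHT, PRESET_MALICIOUS_VALUE = 0.7, 0.5, 0.6   # assumed tuning


def shannon_entropy(items) -> float:
    """Shannon entropy (bits) of the empirical distribution of `items`."""
    counts = Counter(items)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def entropy_vector(domain: str, records) -> list:
    """Entropy quantization of one domain's access behavior. records: dicts with ts, src_ip, qname, rcode."""
    subs = [r["qname"][:-(len(domain) + 1)] for r in records if r["qname"].endswith("." + domain)]
    ts = sorted(r["ts"] for r in records)
    gaps = [round(b - a, 1) for a, b in zip(ts, ts[1:])]          # bucket intervals to 0.1 s
    return [
        shannon_entropy("".join(subs)),
        shannon_entropy(gaps),
        shannon_entropy(r["src_ip"] for r in records),
        sum(r["rcode"] == 3 for r in records) / len(records),
    ]


def classify(vec, models=BEHAVIOR_MODELS) -> str:
    """Nearest-centroid classifier over the behavior model library."""
    return min(models, key=lambda t: math.dist(vec, models[t]))


def analyze_behavior(domain: str, records) -> dict:
    """Access behavior analysis result for one domain name."""
    btype = classify(entropy_vector(domain, records))
    return {"type": btype, "abnormal": btype in ABNORMAL_TYPES}


def fuse_and_warn(domain, domain_result, behavior_result,
                  w1=FIRST_WEIGHT, w2=SECOND_WEIGHT, preset=PRESET_MALICIOUS_VALUE) -> dict:
    """Weighted fusion: each weight counts when its analysis flagged the domain; threshold on the sum."""
    value = w1 * domain_result["suspected"] + w2 * behavior_result["abnormal"]
    malicious = value > preset
    color = "\033[31m" if malicious else ("\033[33m" if value > 0 else "\033[32m")   # red / amber / green
    return {"domain": domain, "malicious_value": round(value, 2), "malicious": malicious,
            "warning": f"{color}{domain} [{behavior_result['type']}] malicious_value={value:.2f}\033[0m"}


def _recs(domain, rows):
    """Build constructed query records from (host, subdomain, timestamp) rows."""
    return [{"ts": t, "src_ip": h, "qname": (s + "." if s else "") + domain, "rcode": 0} for h, s, t in rows]


# Constructed domain name record set: a beaconing C2 host, a DNS-tunnel domain and a normal CDN zone.
SAMPLE_RECORDS = {
    "c2.badactor.example": _recs("c2.badactor.example", [("10.0.0.5", "", 60.0 * i) for i in range(8)]),
    "tun.example": _recs("tun.example", list(zip(
        ["10.0.0.9"] * 6,
        ["3fa9c10e7b2d", "8d41e6f0a9c3", "b7e2059cd1f4", "6c0f83ab2e97", "d19e47c5b0a6", "f42b6d08e3c1"],
        [0.0, 0.4, 0.9, 1.1, 1.3, 1.8]))),
    "cdn.example": _recs("cdn.example", [("10.0.0.5", "img", 0.0), ("10.0.0.5", "static", 3.0),
                                         ("10.0.0.6", "api", 10.0), ("10.0.0.7", "www", 11.0)]),
}
# Constructed domain name analysis result (output of the blacklist step) for the same domains.
SAMPLE_DOMAIN_RESULTS = {"c2.badactor.example": {"suspected": True},
                         "tun.example": {"suspected": False}, "cdn.example": {"suspected": False}}


def run(records=SAMPLE_RECORDS, domain_results=SAMPLE_DOMAIN_RESULTS) -> dict:
    """Comprehensive judgment for every domain in the record set."""
    return {d: fuse_and_warn(d, domain_results[d], analyze_behavior(d, recs)) for d, recs in records.items()}


if __name__ == "__main__":
    for verdict in run().values():
        print(verdict["warning"])
```

With these weights a blacklist hit alone (0.7) exceeds the preset value, while an abnormal behavior alone (0.5) is reported in amber but not declared malicious until corroborated; the tunnel domain in the sample shows that case. Raising the second weight or lowering the preset value trades that conservatism for earlier detection of domains not yet in any feed.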
In summary, the embodiment of the invention provides a malicious domain name access analysis and determination method comprising the following steps: collecting malicious domain names and malicious behaviors, and establishing a malicious domain name blacklist and a malicious behavior model library respectively; acquiring all traffic packets captured by the network card and extracting the DNS packets from them; parsing the DNS packets to obtain a domain name record set; analyzing each domain name in the domain name record set against the malicious domain name blacklist to obtain a domain name analysis result, and analyzing the access behavior corresponding to each domain name against the malicious behavior model library to obtain an access behavior analysis result; and making a comprehensive judgment from the two results, determining the malicious domain names in the domain name record set, and marking them with a warning. By combining analysis of the domain name with analysis of its associated access behavior, the method improves the accuracy with which malicious domain names are confirmed, reduces the chance that a malicious domain name evades detection, and marks malicious domain names with a warning so that they are found in time.
Finally, it should be noted that: it will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
The foregoing is merely an example of the present invention and is not intended to limit the scope of the present invention, and all changes made in the structure according to the present invention should be considered as falling within the scope of the present invention without departing from the gist of the present invention. It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above and the related description may refer to the corresponding process in the foregoing method embodiment, which is not repeated here.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus/apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus/apparatus.
Thus far, the technical solution of the present invention has been described in connection with the further embodiments shown in the drawings, but it is readily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will fall within the scope of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the present invention.

Claims (9)

1. A malicious domain name access analysis and determination method, comprising:
collecting malicious domain names and malicious behaviors, and respectively establishing a malicious domain name blacklist and a malicious behavior model library;
acquiring all traffic data packets captured by a network card, and extracting the DNS traffic data packets from the traffic data packets;
parsing the DNS traffic data packets to obtain a domain name record set;
analyzing each domain name in the domain name record set according to the malicious domain name blacklist to obtain a domain name analysis result, and analyzing access behaviors corresponding to each domain name in the domain name record set according to the malicious behavior model library to obtain an access behavior analysis result;
and comprehensively judging according to the domain name analysis result and the access behavior analysis result, determining a malicious domain name in the domain name record set, and carrying out warning identification on the malicious domain name.
2. The method for analyzing and determining malicious domain name access according to claim 1, wherein collecting malicious domain names and malicious behaviors and respectively establishing a malicious domain name blacklist and a malicious behavior model library specifically comprises:
collecting and promptly updating public threat intelligence sources using big data mining technology, and analyzing and processing the domain names and behaviors in the collected threat intelligence using big data;
judging whether a domain name in the collected threat intelligence is a malicious domain name, and judging whether a behavior in the collected threat intelligence is a malicious behavior;
if a domain name in the threat intelligence is a malicious domain name, extracting the malicious domain name from the threat intelligence and establishing the malicious domain name blacklist;
if a behavior in the threat intelligence is a malicious behavior, extracting the malicious behavior from the threat intelligence and establishing the malicious behavior model library.
3. The method for analyzing and determining malicious domain name access according to claim 1, wherein acquiring all traffic data packets captured by a network card and extracting the DNS traffic data packets from the traffic data packets specifically comprises:
mirroring all traffic data packets captured by the network card into memory;
identifying the DNS traffic data packets among all traffic data packets captured by the network card;
and separating the DNS traffic data packets from all traffic data packets captured by the network card.
4. The method for analyzing and determining malicious domain name access according to claim 1, wherein parsing the DNS traffic data packets to obtain a domain name record set specifically comprises:
parsing the DNS traffic data packets to obtain DNS parsing data;
cleaning the DNS parsing data by removing the fields that have no effect on the system and retaining the fields that do affect the system;
extracting all domain names from the retained fields and collecting them to obtain the domain name record set.
5. The method for analyzing and determining access to malicious domain names according to claim 1, wherein the analyzing each domain name in the domain name record set according to the malicious domain name blacklist to obtain a domain name analysis result specifically includes:
obtaining each domain name and matching it against the domain names in the malicious domain name blacklist to obtain a matching degree value;
judging whether the domain name is a suspected malicious domain name according to the matching degree value and a preset matching degree value;
if the matching degree value is less than or equal to the preset matching degree value, the domain name is not a suspected malicious domain name, and judgment proceeds to the next domain name;
and if the matching degree value exceeds the preset matching degree value, the domain name is recorded in the domain name analysis result as a suspected malicious domain name.
6. The method for analyzing and determining malicious domain name access according to claim 1, wherein judging whether the domain name is a suspected malicious domain name according to the matching degree value and a preset matching degree value specifically comprises:
invoking a malicious domain name model in the malicious domain name blacklist, and calculating a matching degree value of the domain name and the malicious domain name model to judge whether the domain name is a suspected malicious domain name.
7. The method for analyzing and determining access to malicious domain names according to claim 1, wherein the analyzing access behaviors corresponding to each domain name in the domain name record set according to the malicious behavior model library to obtain an access behavior analysis result specifically comprises:
acquiring access behaviors corresponding to each domain name, and extracting characteristic information of the access behaviors;
performing entropy quantization on the characteristic information, and inputting an entropy vector obtained after quantization into a classifier to obtain a behavior type corresponding to the access behavior;
judging whether the access behavior is abnormal access behavior according to the behavior type;
if the access behavior is not the abnormal access behavior, continuing to judge the access behavior corresponding to the next domain name;
and if the access behavior is an abnormal access behavior, recording the access behavior as an abnormal access behavior in the access behavior analysis result.
8. The method for analyzing and determining access to a malicious domain name according to claim 7, wherein the determining whether the access behavior is an abnormal access behavior according to the behavior type specifically includes:
invoking a malicious behavior model in the malicious behavior model library, and matching the access behavior with the malicious behavior model to judge whether the access behavior is an abnormal access behavior.
9. The method for analyzing and determining malicious domain name access according to claim 1, wherein comprehensively judging according to the domain name analysis result and the access behavior analysis result, determining the malicious domain name in the domain name record set, and marking the malicious domain name with a warning specifically comprises:
according to the importance of the domain name analysis result and the access behavior analysis result, a first weight value is allocated to the domain name analysis result, and a second weight value is allocated to the access behavior analysis result;
adding the first weight value and the second weight value to obtain a malicious value;
if the malicious value does not exceed the preset malicious value, the domain name in the domain name record set is not a malicious domain name;
if the malicious value exceeds the preset malicious value, the domain name in the domain name record set is a malicious domain name, and the malicious domain name is marked with a warning by color identification.
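As an added worked example, not code from the patent or its applicants, the following Python sketch runs the pipeline of claims 1 to 9 (and of the summary above) end to end on constructed traffic: raw DNS query packets are parsed to a domain name record set, each name is matched against a blacklist to obtain a matching degree, each name's access behavior is quantized into an entropy vector and classified, and the two results are combined with weights and a threshold into a malicious value that drives a colour-coded warning. Everything specific is an assumption chosen for illustration: the blacklist, the definition of matching degree (exact or subdomain hit, otherwise difflib string similarity), the entropy features, the beaconing rule that stands in for the trained classifier, the weights and preset thresholds, and all sample packets and timestamps.

```python
import math
import struct
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed blacklist and assumed preset values; none of these come from the patent.
BLACKLIST = {"evil-c2.example", "malware-drop.test"}
MATCH_THRESHOLD = 0.7             # preset matching-degree value (claim 5)
W_DOMAIN, W_BEHAVIOR = 0.6, 0.4   # first and second weight values (claim 9)
MALICIOUS_THRESHOLD = 0.5         # preset malicious value (claim 9)

def build_dns_query(name, txid=0x1234):
    """Test helper: encode a plain RFC 1035 A query for `name` (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(packet):
    """Claim 4: question name of a DNS message, or None if it is not a well-formed query."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] == 0:
        return None                     # too short to be DNS, or no question section
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None                 # truncated name
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0 or pos + 1 + length > len(packet):
            return None                 # compression/extended label or label overrun
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower()

def domain_match_degree(domain, blacklist=BLACKLIST):
    """Claim 5: 1.0 for an exact or subdomain hit, otherwise the best string
    similarity to any listed name (assumed definition of 'matching degree')."""
    best = 0.0
    for bad in blacklist:
        if domain == bad or domain.endswith("." + bad):
            return 1.0
        best = max(best, SequenceMatcher(None, domain, bad).ratio())
    return best

def shannon_entropy(items):
    n = len(items)
    return -sum(c / n * math.log2(c / n) for c in Counter(items).values()) if n else 0.0

def behavior_entropy_vector(events):
    """Claim 7: quantise one domain's access behaviour, given as (timestamp_s, client_ip)
    pairs, into [interval entropy, client entropy, log2(query count)] (assumed features)."""
    times = sorted(t for t, _ in events)
    intervals = [round(b - a) for a, b in zip(times, times[1:])]
    return [shannon_entropy(intervals), shannon_entropy([c for _, c in events]),
            math.log2(len(events)) if events else 0.0]

def classify_behavior(vec):
    """Stand-in for the trained classifier of claim 7 (assumed rule): 1.0 = abnormal, i.e.
    >= 8 queries at a near-constant interval from a near-constant client set (beaconing)."""
    interval_h, client_h, log_count = vec
    return 1.0 if log_count >= 3 and interval_h < 1.0 and client_h < 1.0 else 0.0

def malicious_value(domain, events):
    """Claim 9: weighted combination of both analyses -> (value, is_malicious)."""
    degree = domain_match_degree(domain)
    domain_score = degree if degree > MATCH_THRESHOLD else 0.0   # claim 5 gate
    behavior_score = classify_behavior(behavior_entropy_vector(events))
    value = W_DOMAIN * domain_score + W_BEHAVIOR * behavior_score
    return value, value > MALICIOUS_THRESHOLD

def analyse_capture(capture):
    """Claims 1-3: `capture` is an iterable of (timestamp, client_ip, raw_packet) from a
    mirrored interface; non-DNS packets are dropped. Returns {domain: (value, is_malicious)}."""
    events = defaultdict(list)
    for ts, client, pkt in capture:
        name = parse_qname(pkt)
        if name:
            events[name].append((ts, client))
    return {d: malicious_value(d, ev) for d, ev in events.items()}

def warning_label(domain, is_malicious):
    """Colour identification of the verdict: red terminal text for a malicious domain."""
    return f"\x1b[31mMALICIOUS {domain}\x1b[0m" if is_malicious else f"ok        {domain}"

def sample_capture():
    """Constructed traffic: a blacklisted C2 beacon, a look-alike beacon not on the list,
    a benign internal NTP poller, and irregular browsing."""
    cap = [(5, "10.0.0.5", b"\x00\x01")]          # not DNS: skipped by parse_qname
    for i in range(10):                           # three 60 s pollers, one client each
        cap.append((i * 60, "10.0.0.5", build_dns_query("evil-c2.example")))
        cap.append((i * 60 + 7, "10.0.0.9", build_dns_query("evil-c2-example.test")))
        cap.append((i * 60 + 2, "10.0.0.7", build_dns_query("ntp.corp.test")))
    for i, t in enumerate([0, 7, 30, 31, 95, 140, 142, 200, 260, 333]):
        cap.append((t, f"10.0.1.{i % 3}", build_dns_query("www.example.org")))
    return cap

if __name__ == "__main__":
    for domain, (value, bad) in sorted(analyse_capture(sample_capture()).items()):
        print(f"{value:.2f}  {warning_label(domain, bad)}")
```

The sample illustrates why claim 9 combines the two results instead of using either alone: the look-alike evil-c2-example.test is not on the blacklist and its matching degree of 0.8 gives a malicious value of only 0.48 by itself, below the preset 0.5, so blacklist matching alone would let it escape; its beaconing behavior adds 0.4 and the combined 0.88 flags it. The benign NTP poller shows the same beaconing pattern but no blacklist resemblance and stays at 0.4, so behavior alone does not trigger a warning, while the listed evil-c2.example scores 1.0. Parsing rejects compression pointers and truncated names, which a production DNS parser must also do because the "DNS" payloads on a mirrored port include non-DNS and malformed traffic.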

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310342943.1A CN116455620A (en) 2023-03-31 2023-03-31 Malicious domain name access analysis and determination method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310342943.1A CN116455620A (en) 2023-03-31 2023-03-31 Malicious domain name access analysis and determination method

Publications (1)

Publication Number Publication Date
CN116455620A true CN116455620A (en) 2023-07-18

Family

ID=87129569

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310342943.1A Pending CN116455620A (en) 2023-03-31 2023-03-31 Malicious domain name access analysis and determination method

Country Status (1)

Country Link
CN (1) CN116455620A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116886414A (en) * 2023-08-09 2023-10-13 华能信息技术有限公司 DGA domain name detection method, system and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105024969A (en) * 2014-04-17 2015-11-04 北京启明星辰信息安全技术有限公司 Method and device for realizing malicious domain name identification
CN105915555A (en) * 2016-06-29 2016-08-31 北京奇虎科技有限公司 Method and system for detecting network anomalous behavior
CN109450886A (en) * 2018-10-30 2019-03-08 杭州安恒信息技术股份有限公司 A kind of domain name recognition methods, system and electronic equipment and storage medium
CN112929326A (en) * 2019-12-05 2021-06-08 华为技术有限公司 Malicious domain name access detection method and device and computer readable storage medium
CN113691540A (en) * 2021-08-25 2021-11-23 杭州安恒信息技术股份有限公司 Abnormal domain name detection method, system and related components
CN114050912A (en) * 2021-09-30 2022-02-15 中国科学院信息工程研究所 Malicious domain name detection method and device based on deep reinforcement learning

Similar Documents

Publication Publication Date Title
US11399288B2 (en) Method for HTTP-based access point fingerprint and classification using machine learning
EP3125147B1 (en) System and method for identifying a phishing website
WO2007089943A2 (en) Detecting online abuse in images
EP3101580B1 (en) Website information extraction device, system, website information extraction method, and website information extraction program
CN112491864A (en) Method, device, equipment and medium for detecting phishing deep victim user
CN109450690B (en) Method and device for quickly locking lost host in networking
CN116455620A (en) Malicious domain name access analysis and determination method
CN111478892A (en) Attacker portrait multi-dimensional analysis method based on browser fingerprints
CN111147490A (en) Directional fishing attack event discovery method and device
CN113328990A (en) Internet route hijacking detection method based on multiple filtering and electronic equipment
CN111756874A (en) Method and device for identifying type of DNS tunnel upper layer protocol
CN112685255A (en) Interface monitoring method and device, electronic equipment and storage medium
CN115314271B (en) Access request detection method, system and computer storage medium
CN115987687A (en) Network attack evidence obtaining method, device, equipment and storage medium
JP5639535B2 (en) Benign domain name exclusion device, benign domain name exclusion method, and program
CN111314326A (en) Method, device, equipment and medium for confirming HTTP vulnerability scanning host
CN113726826B (en) Threat information generation method and device
CN113364780B (en) Network attack victim determination method, equipment, storage medium and device
CN115913634A (en) Network security abnormity detection method and system based on deep learning
CN115883258B (en) IP information processing method, device, electronic equipment and storage medium
CN113132340B (en) Phishing website identification method based on vision and host characteristics and electronic device
CN109391626B (en) Method and related device for judging whether network attack result is unsuccessful
KR100687725B1 (en) Method and apparatus for secure authentication of fingerprint data
EP2114050A1 (en) Method and system for allocating resources of a Web-server based on classified usage behavior also for identifying and blocking bot generated HTTP-GET attacks
US20220109688A1 (en) Method for assessing the quality of network-related indicators of compromise

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination