CN117857224B - DNS authorization dependency security assessment method based on multiple POVs - Google Patents


Publication number
CN117857224B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410261261.2A
Other languages
Chinese (zh)
Other versions
CN117857224A (en)
Inventor
刘东杰
延志伟
耿光刚
张银炎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jinan University
Original Assignee
Jinan University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a DNS authorization dependency security assessment method based on multiple POVs, and relates to the field of network security. The method comprises the following steps: acquiring a DNS authorization dependency sample comprising authorization dependency elements of multiple POVs; evaluating and labeling the DNS authorization dependency sample by using expert experience to construct a security risk assessment dataset; selecting a multi-POV feature subset from the security risk assessment dataset based on a feature selection method; training a machine learning model on the multi-POV feature subset to obtain a DNS authorization security assessment model; and acquiring DNS authorization information to be evaluated and outputting a DNS authorization dependency security assessment result by using the DNS authorization security assessment model. Compared with the prior art, the method has high calculation speed, high assessment accuracy and strong interpretability, and the constructed DNS authorization security assessment model is efficient and robust.

Description

DNS authorization dependency security assessment method based on multiple POVs
Technical Field
The invention relates to the technical field of network security, in particular to a DNS authorization dependent security assessment method based on multiple POVs.
Background
The DNS (Domain Name System) is one of the most important infrastructures of the Internet, and improving the security, stability and operating efficiency of the domain name system is important for maintaining the overall security, stability and efficiency of the Internet.
Based on its hierarchical authorization model, the DNS ensures the uniqueness and scalability of the namespace. As upper-layer Internet applications continue to develop and network management functions continue to evolve, the DNS has grown rapidly in both namespace scale and functionality. The current global domain namespace already includes nearly 1600 top-level domain names and nearly 4 billion second-level domain names, and there are about 20 million name resolution service systems. Among the many basic Internet protocol standards established by the Internet Engineering Task Force (IETF), DNS-related protocols account for the largest share, with about 10 working groups and over 300 core standards.
The original DNS associates parent and child domains through an authorization mechanism, supporting scalable, hierarchical management of the namespace. As the DNS protocols have evolved, authorization has taken on a broader functional meaning: resolution associations can be established between different names through authorization. For example, a CNAME resource record can map a name into another zone for resolution, isolating the name management domain from the service domain. DNS extension protocols also require a complete data chain to be established through authorization; for example, the Domain Name System Security Extensions (DNSSEC) establish top-down authorization trust through DS/DNSKEY resource records. The complexity of managing DNS authorization data poses a great challenge to daily DNS operation and maintenance and to the security of data resolution, and has long been a major concern of industry and academia.
Domain name resolution is multi-source, dispersed and random, and authorization dependencies take many forms and are highly complex. Efficiently and accurately evaluating the potential security risk of DNS authorization would improve DNS operation management and security capability, but no corresponding solution is currently available.
Disclosure of Invention
The invention provides a DNS authorization dependency security assessment method based on multiple POVs for solving the problem of how to efficiently and accurately assess the potential security risk of DNS authorization.
In order to solve the technical problems, the technical scheme of the invention is as follows:
In a first aspect, a DNS authorization dependency security assessment method based on multiple POVs includes:
acquiring a DNS authorization dependency sample comprising authorization dependency elements of multiple POVs;
evaluating and labeling the DNS authorization dependency sample using expert experience to construct a security risk assessment dataset;
selecting a multi-POV feature subset from the security risk assessment dataset based on a feature selection method;
training a machine learning model on the multi-POV feature subset to obtain a DNS authorization security assessment model;
and acquiring DNS authorization information to be evaluated, and outputting a DNS authorization dependency security assessment result by using the DNS authorization security assessment model.
In a second aspect, a DNS authorization dependency security assessment system based on multiple POVs, configured to implement the method of the first aspect, includes:
a sample acquisition module, a data acquisition module and a data processing module, wherein the sample acquisition module is used for acquiring a DNS authorization dependency sample comprising authorization dependency elements of multiple POVs;
an evaluation labeling module for assisting in evaluating and labeling the DNS authorization dependency sample using expert experience to construct a security risk assessment dataset;
a feature selection module for selecting a multi-POV feature subset from the security risk assessment dataset based on a feature selection method;
a model training module for establishing a machine learning model and training it on the multi-POV feature subset to obtain a DNS authorization security assessment model;
an online evaluation module for hosting the DNS authorization security assessment model, and further for acquiring DNS authorization information to be evaluated and outputting a DNS authorization dependency security assessment result by using the DNS authorization security assessment model.
In a third aspect, a computer readable storage medium has stored thereon at least one instruction, at least one program, code set, or instruction set that is loaded and executed by a processor to implement the method of the first aspect.
In a fourth aspect, a computer program product comprising a computer program or computer-executable instructions which, when executed by a processor, implement the method of the first aspect.
Compared with the prior art, the technical scheme of the invention has the beneficial effects that:
The invention provides a DNS authorization dependency security assessment method based on multiple POVs, which constructs an end-to-end solution for DNS authorization dependency security risk assessment. The collective judgment of an expert group is used to construct the security risk assessment dataset, which reduces personal bias and uncertainty; a feature selection method is then used to select a multi-POV feature subset with high discriminative power, which is used to train a plurality of machine learning models, thereby obtaining a DNS authorization security assessment model for DNS authorization dependency security assessment. Compared with the prior art, the method has high calculation speed, high assessment accuracy and strong interpretability, and the constructed DNS authorization security assessment model is efficient and robust.
Drawings
Fig. 1 is a flow chart of a DNS authorization dependency security assessment method based on multiple POVs in embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of a DNS authorization dependency security assessment system based on multiple POVs in embodiment 2 of the present invention;
Fig. 3 is a schematic diagram of a hardware entity of an electronic device in embodiment 3 of the present invention.
Detailed Description
The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and are merely illustrative of the manner in which embodiments of the application have been described in connection with the description of the objects having the same attributes. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The drawings are for illustrative purposes only and are not to be construed as limiting the present patent;
For the purpose of better illustrating the embodiments, certain elements of the drawings may be omitted, enlarged or reduced and do not represent the actual product dimensions;
it will be appreciated by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
The technical scheme of the invention is further described below with reference to the accompanying drawings and examples.
Example 1
The present embodiment provides a DNS authorization dependency security assessment method based on multiple POVs (Points of View), referring to Fig. 1, including:
acquiring a DNS authorization dependency sample comprising authorization dependency elements of multiple POVs;
evaluating and labeling the DNS authorization dependency sample using expert experience to construct a security risk assessment dataset;
selecting a multi-POV feature subset from the security risk assessment dataset based on a feature selection method;
training a machine learning model on the multi-POV feature subset to obtain a DNS authorization security assessment model;
and acquiring DNS authorization information to be evaluated, and outputting a DNS authorization dependency security assessment result by using the DNS authorization security assessment model.
To address the inherent complexity caused by multi-source domain name authorization dependency paths, the global nature of the service, data dispersion, the randomness of a single resolution and the like, this embodiment provides an end-to-end solution for DNS authorization dependency security risk assessment. It applies the collective judgment of an expert group to the construction of the security risk assessment dataset, which greatly reduces personal bias and uncertainty. A feature selection method is then used to select a multi-POV feature subset with high discriminative power, which is used to train a plurality of machine learning models and obtain a DNS authorization security assessment model for DNS authorization dependency security assessment. Compared with the prior art, the DNS authorization security assessment model constructed in this embodiment has high calculation speed, high assessment accuracy and strong interpretability, and is efficient and robust.
It should be emphasized that, in this embodiment, by adopting the feature selection method, a feature subset that is more conducive to evaluation can be selected, so as to greatly improve the practicability of the DNS authorization security evaluation model.
In some preferred embodiments, the authorization dependency elements include DNS authorization dependency relationship information, DNS authorization dependency facility performance information, DNS authorization dependency facility attribution information, and/or DNS authorization dependency host attribute information.
In some examples, the DNS authorization dependency relationship information includes, but is not limited to, one or more of NS (Name Server), CNAME (Canonical Name), DNAME, DNS glue, parent-child dependencies, and the like.
In some examples, the DNS authorization dependency facility performance information refers to performance information of the physical facilities that the resolution path depends on, including, but not limited to, one or more of response time, packet loss rate, and the like.
In some examples, the DNS authorization dependency facility attribution information includes, but is not limited to, one or more of the attributes of the authorization-dependent resources, cross-domain, cross-operator, cross-AS, and the like.
In some preferred embodiments, the constructing a security risk assessment dataset includes:
using the Delphi method, an expert group anonymously performs multiple rounds of evaluation labeling on the DNS authorization dependency sample according to the authorization dependency elements; the domain name authorization dependency security risk level labeling results obtained in each round are summarized and returned to the expert group for further evaluation labeling, until the opinions converge and the evaluation ends;
and the DNS authorization dependency sample and the corresponding final domain name authorization dependency security risk level labeling result are combined into the security risk assessment dataset.
It should be noted that, in this preferred embodiment, the Delphi method draws fully on the collective experience of DNS experts and progressively reduces personal bias and uncertainty to a great extent, so that an objective and reasonable understanding of the various dependencies is formed and a labeled dataset with relatively comprehensive coverage (namely the security risk assessment dataset) is obtained.
In some examples, a DNS expert group is selected, and the experts are then asked anonymously for multiple rounds of authorization security risk assessment labels. After each round, the expert labels are summarized and collated and the result is returned to each expert for analysis and judgment, and the experts label again on the basis of that round's result. These steps are repeated several times so that the assessment opinions gradually converge, yielding a consistent and highly reliable authorization security risk assessment labeling result.
In some alternative embodiments, the subset of multi-POV features is selected from the security risk assessment dataset using an information gain method.
It should be noted that, the above embodiment combines the expert consultation method, the information theory feature selection method and the mode judgment method, so that efficient and accurate DNS authorization dependent security assessment can be realized.
Further, the information gain method includes:
Computing the security risk assessment dataset Information entropy/>The formula is as follows:
In the method, in the process of the invention, The representation belongs to the/>A DNS authority dependent sample of class domain authority dependent security risk level;
Constructing a plurality of dependent feature sets by taking the authorization dependent elements as indexes;
Calculating the conditional entropy of each dependency feature set on the security risk assessment dataset The formula is as follows:
wherein a represents the multi-scale set of dependent features; Represents the/> Individual dependency feature set/>Belongs to the category/>DNS grant dependent sample set;
according to the information entropy And the conditional entropy/>Calculating the information gain/>, of each of the dependent feature setsThe calculation formula is as follows:
And sorting according to the information gains, and selecting at least two dependence feature sets to be combined into the multi-POV feature subset.
In some examples, according to a preset gain threshold, several dependent feature sets with information gain exceeding the preset gain threshold are selected from the information gain sorting result to be combined into the multi-POV feature subset.
In a specific implementation, a dependency feature set constructed from CNAME, a dependency feature set constructed from DNAME and a dependency feature set constructed from packet loss rate are selected, and the three dependency feature sets are combined into the multi-POV feature subset. It will be appreciated by those skilled in the art that the multi-POV feature subset includes the union of the DNS authorization dependency samples in the three dependency feature sets, each DNS authorization dependency sample being labeled with its corresponding domain name authorization dependency security risk level and with at least one of the authorization dependency elements CNAME, DNAME and packet loss rate.
It should be noted that an efficient and robust assessment model requires fully mining the data of the various associated elements in order to select highly discriminative features for authorization dependency security assessment. In the above embodiment, the information gain method is used to measure the importance of the feature elements of each POV to the security risk assessment. Each feature obtains a value, and the higher the value, the greater the contribution of that feature to the assessment result. The most discriminative features are thereby selected from the many related authorization dependency elements, yielding the most discriminative multi-POV feature labeling dataset (i.e. the multi-POV feature subset).
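The information-gain ranking and threshold selection described above, as an added example that is not part of the patent text. The formulas on this page did not survive extraction, so the code uses the standard definitions of entropy, conditional entropy and information gain; the sample records, field names, the 5% packet-loss cutoff and the fallback to the top two feature sets are assumptions.

```python
"""Rank DNS authorization dependency elements by information gain (added example)."""
import math
from collections import Counter, defaultdict

# Constructed, expert-labelled samples. Field names, values and risk labels
# are illustrative assumptions, not data from the patent.
SAMPLES = [
    {"cname": "external", "dname": True,  "loss": 0.080, "cross_as": True,  "risk": "high"},
    {"cname": "external", "dname": False, "loss": 0.060, "cross_as": False, "risk": "high"},
    {"cname": "external", "dname": True,  "loss": 0.070, "cross_as": True,  "risk": "high"},
    {"cname": "external", "dname": False, "loss": 0.002, "cross_as": False, "risk": "high"},
    {"cname": "in_zone",  "dname": False, "loss": 0.001, "cross_as": True,  "risk": "low"},
    {"cname": "in_zone",  "dname": False, "loss": 0.003, "cross_as": False, "risk": "low"},
    {"cname": "external", "dname": False, "loss": 0.090, "cross_as": True,  "risk": "low"},
    {"cname": "in_zone",  "dname": False, "loss": 0.004, "cross_as": False, "risk": "low"},
]


def loss_bucket(rate, cutoff=0.05):
    """Discretise a packet-loss rate; the 5% cutoff is an assumption."""
    return "high" if rate >= cutoff else "low"


# One extractor per authorization dependency element (one POV each).
FEATURES = {
    "cname": lambda s: s["cname"],
    "dname": lambda s: s["dname"],
    "packet_loss": lambda s: loss_bucket(s["loss"]),
    "cross_as": lambda s: s["cross_as"],
}


def entropy(labels):
    """Shannon entropy (bits) of a list of risk-level labels."""
    total = len(labels)
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in Counter(labels).values())


def conditional_entropy(samples, extract, label_key="risk"):
    """Entropy of the labels after partitioning samples by one feature's value."""
    groups = defaultdict(list)
    for s in samples:
        groups[extract(s)].append(s[label_key])
    total = len(samples)
    return sum(len(g) / total * entropy(g) for g in groups.values())


def information_gain(samples, extract, label_key="risk"):
    """Reduction in label entropy obtained by knowing the feature value."""
    labels = [s[label_key] for s in samples]
    return entropy(labels) - conditional_entropy(samples, extract, label_key)


def rank_features(samples, features=FEATURES):
    """Return (feature name, gain) pairs sorted from most to least informative."""
    gains = {name: information_gain(samples, fn) for name, fn in features.items()}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)


def select_multi_pov_subset(samples, threshold, min_features=2, features=FEATURES):
    """Keep features whose gain exceeds the threshold, but never fewer than
    min_features, since the method combines at least two feature sets."""
    ranked = rank_features(samples, features)
    chosen = [name for name, gain in ranked if gain > threshold]
    if len(chosen) < min_features:
        chosen = [name for name, _ in ranked[:min_features]]
    return chosen


if __name__ == "__main__":
    for name, gain in rank_features(SAMPLES):
        print(f"{name:12s} {gain:.4f}")
    print(select_multi_pov_subset(SAMPLES, threshold=0.15))
```

Continuous elements such as response time or packet loss rate have to be discretised before this calculation, and the choice of cutoff changes the ranking, so the bucketing should be reviewed alongside the gain threshold.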
In some preferred embodiments, the training a machine learning model using the subset of multi-POV features comprises:
Establishing at least two machine learning models and initializing the machine learning models;
Training the machine learning model on the multi-POV feature subset, comparing performance on the security risk assessment data set, and selecting the machine learning model with optimal performance as the DNS authorization security assessment model.
It should be understood by those skilled in the art that the initialization settings include settings for training parameters and weight parameters of the machine learning model; in addition, a person skilled in the art may select a machine learning model with optimal performance as the DNS authorization security assessment model based on one or more of model performance indexes such as Accuracy (Accuracy), precision (Precision), recall (Recall), F1 score, ROC curve, AUC curve, and the like.
It should be noted that the preferred embodiment employs a supervised machine learning model.
In some alternative embodiments, the machine learning model includes a random forest model, an XGBoost model, and/or an AdaBoost model.
In some examples, two types of machine learning models, namely a random forest model and an XGBoost model, are initialized, and after both are trained on the multi-POV feature subset, the machine learning model with the optimal performance is selected.
This preferred embodiment takes full advantage of the fast training, limited parameter tuning, good interpretability and strong performance on complex classification and assessment tasks of models such as random forest, XGBoost and AdaBoost, thereby achieving accurate and efficient assessment in the DNS authorization dependency scenario, where the features analyzed are discrete.
It should be further noted that, besides the random forest model, XGBoost model and AdaBoost model, those skilled in the art may also train other supervised machine learning models on the multi-POV feature subset, and finally select the machine learning model with the optimal performance as the DNS authorization security assessment model.
In a specific implementation, the DNS authorization security assessment model constructed by the method of this embodiment demonstrated the ability to assess the authorization dependency security risk of millions of important domain names and millions of subdomain names within 4 hours.
Example 2
The present embodiment provides a DNS authorization dependency security assessment system based on multiple POVs, configured to implement the method described in embodiment 1, referring to Fig. 2, including:
a sample acquisition module, a data acquisition module and a data processing module, wherein the sample acquisition module is used for acquiring a DNS authorization dependency sample comprising authorization dependency elements of multiple POVs;
an evaluation labeling module for assisting in evaluating and labeling the DNS authorization dependency sample using expert experience to construct a security risk assessment dataset;
a feature selection module for selecting a multi-POV feature subset from the security risk assessment dataset based on a feature selection method;
a model training module for establishing a machine learning model and training it on the multi-POV feature subset to obtain a DNS authorization security assessment model;
an online evaluation module for hosting the DNS authorization security assessment model, and further for acquiring DNS authorization information to be evaluated and outputting a DNS authorization dependency security assessment result by using the DNS authorization security assessment model.
It should be noted that, the system described in this embodiment may implement online learning.
It will be appreciated that the apparatus/system of this embodiment corresponds to the method of embodiment 1, and the alternatives in embodiment 1 are equally applicable to this embodiment, so the description will not be repeated here, and reference will be made to the description of embodiment 1 where relevant.
Example 3
The present embodiment provides a computer-readable storage medium having stored thereon at least one instruction, at least one program, a set of codes, or a set of instructions, which are loaded and executed by a processor of an electronic device, so that the processor performs some or all of the steps of the method provided in embodiment 1 of the present application.
It will be appreciated that the storage medium may be transitory or non-transitory. Illustratively, the storage medium includes, but is not limited to, a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a solid state disk (SSD), a magnetic disk, an optical disk, and other media capable of storing program code.
The processor may be, for example, a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP), a field programmable gate array (FPGA), or the like.
In some examples a computer program product is provided, which may be embodied in hardware, software, or a combination thereof. As a non-limiting example, the computer program product may be embodied as the storage medium, but also as a software product, such as an SDK (Software Development Kit), or the like.
By way of non-limiting example, a computer program product is provided that includes a computer program or computer-executable instructions stored in a computer-readable storage medium. The processor of the electronic device reads the computer program or computer-executable instructions from the computer-readable storage medium, and the processor executes the computer-executable instructions to cause the electronic device to perform some or all of the steps of the methods described in embodiments of the present application.
In some examples, a computer program is provided comprising computer readable code which, when run in a computer device, causes a processor in the computer device to perform some or all of the steps for carrying out the method.
The present embodiment also proposes an electronic device comprising a memory storing at least one instruction, at least one program, a set of codes or a set of instructions, and a processor implementing part or all of the steps of the method as described in embodiment 1 when the processor executes the at least one instruction, at least one program, set of codes or set of instructions.
In some examples, a hardware entity of the electronic device is provided, referring to Fig. 3, including: a processor, a memory, and a communication interface; wherein the processor generally controls the overall operation of the electronic device; the communication interface is used for enabling the electronic device to communicate with other terminals or servers through a network; the memory is configured to store instructions and applications executable by the processor, and may also cache data to be processed or already processed by the processor and by the various modules in the electronic device, including but not limited to image data, audio data, voice communication data, and video communication data; the memory may be implemented by flash memory (FLASH) or random access memory (RAM).
Further, data transfer between the processor, the communication interface, and the memory may be via a bus, which may include any number of interconnected buses and bridges, which connect various circuits of the one or more processors and the memory together.
It will be appreciated that the alternatives in embodiment 1 described above are equally applicable to this embodiment and will not be repeated here.
The same or similar reference numerals correspond to the same or similar components;
The terms describing the positional relationship in the drawings are merely illustrative, and are not to be construed as limiting the application;
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other.
It is to be understood that the above examples of the present application are provided for clarity of illustration only and are not intended to limit the embodiments of the present application. It will be apparent to those skilled in the art from this disclosure that various changes and modifications can be made, and the functional modules or units can be integrated together to form a single unit, or the modules can reside individually or two or more modules can be integrated to form a single unit. It is not necessary here nor is it exhaustive of all embodiments. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are desired to be protected by the following claims.

Claims (6)

1. A DNS authorization-dependent security assessment method based on multi-POVs, comprising:
Acquiring a DNS authorization dependency sample comprising authorization dependency elements of multiple POVs; the authorization dependent elements comprise DNS authorization dependent relationship information, DNS authorization dependent facility performance information, DNS authorization dependent facility attribution information and/or DNS authorization dependent host attribute information;
evaluating and labeling the DNS authorization dependency sample using expert experience to construct a security risk assessment dataset; wherein said constructing a security risk assessment dataset comprises: using the Delphi method, an expert group anonymously performs multiple rounds of evaluation labeling on the DNS authorization dependency sample according to the authorization dependency elements; the domain name authorization dependency security risk level labeling results obtained in each round are summarized and returned to the expert group for further evaluation labeling, until the opinions converge and the evaluation ends; and the DNS authorization dependency sample and the corresponding final domain name authorization dependency security risk level labeling result are combined into the security risk assessment dataset;
Selecting a multi-POV feature subset from the security risk assessment dataset based on a feature selection method; wherein selecting the subset of multi-POV features from the security risk assessment dataset using an information gain method comprises:
Computing the security risk assessment dataset Information entropy/>The formula is as follows:
In the method, in the process of the invention, The representation belongs to the/>A DNS authority dependent sample of class domain authority dependent security risk level;
Constructing a plurality of dependent feature sets by taking the authorization dependent elements as indexes;
Calculating the conditional entropy of each dependency feature set on the security risk assessment dataset The formula is as follows:
wherein a represents the multi-scale set of dependent features; Represents the/> Individual dependency feature set/>Belongs to the category/>Is a set of DNS grant dependent samples;
according to the information entropy And the conditional entropy/>Calculating the information gain/>, of each of the dependent feature setsThe calculation formula is as follows:
Sorting according to the information gains, and selecting at least two dependency feature sets to be combined into the multi-POV feature subset;
training a machine learning model by utilizing the multi-POV feature subset to obtain a DNS authorization security assessment model;
and acquiring DNS authorization information to be evaluated, and outputting a DNS authorization dependent security evaluation result by using the DNS authorization security evaluation model.
2. The multi-POV based DNS authorization-dependent security assessment method of claim 1, wherein the training a machine learning model with the subset of multi-POV features includes:
Establishing at least two machine learning models and initializing the machine learning models;
Training the machine learning model on the multi-POV feature subset, comparing performance on the security risk assessment data set, and selecting the machine learning model with optimal performance as the DNS authorization security assessment model.
3. The multi-POV based DNS authorization-dependent security assessment method of claim 2, wherein the machine learning model comprises a random forest model, an XGBoost model and/or an AdaBoost model.
4. A multi-POV based DNS authorization-dependent security assessment system for implementing the method of any of claims 1-3, comprising:
The system comprises a sample acquisition module, a data acquisition module and a data processing module, wherein the sample acquisition module is used for acquiring a DNS authorization dependent sample comprising authorization dependent elements of multiple POVs; the authorization dependent elements comprise DNS authorization dependent relationship information, DNS authorization dependent facility performance information, DNS authorization dependent facility attribution information and/or DNS authorization dependent host attribute information;
The evaluation labeling module is used for assisting in evaluating and labeling the DNS authorization dependent sample by using expert experience, and constructing a security risk evaluation data set; wherein said constructing a security risk assessment dataset comprises: adopting a Delphi method, carrying out multiple rounds of evaluation labeling on the DNS authorization dependency sample by an expert group in an anonymous mode according to the authorization dependency element, summarizing the evaluation labeling results of the domain authorization dependency security risk level obtained in each round, and submitting the summarized evaluation labeling results to the expert group for further evaluation labeling until the evaluation is finished so as to enable the opinions to be consistent; combining the DNS authorization dependent sample and the corresponding final domain name authorization dependent security risk level assessment labeling result into the security risk assessment data set;
A feature selection module for selecting a multi-POV feature subset from the security risk assessment dataset based on a feature selection method; wherein selecting the subset of multi-POV features from the security risk assessment dataset using an information gain method comprises:
Computing the security risk assessment dataset Information entropy/>The formula is as follows:
In the method, in the process of the invention, The representation belongs to the/>A DNS authority dependent sample of class domain authority dependent security risk level;
Constructing a plurality of dependent feature sets by taking the authorization dependent elements as indexes;
Calculating the conditional entropy of each dependency feature set on the security risk assessment dataset The formula is as follows:
wherein a represents the multi-scale set of dependent features; Represents the/> Individual dependency feature set/>Belongs to the category/>Is a set of DNS grant dependent samples;
according to the information entropy And the conditional entropy/>Calculating the information gain/>, of each of the dependent feature setsThe calculation formula is as follows:
Sorting according to the information gains, and selecting at least two dependency feature sets to be combined into the multi-POV feature subset;
the model training module is used for establishing a machine learning model, and training the machine learning model by utilizing the multi-POV feature subsets to obtain a DNS authorization security assessment model;
The on-line evaluation module is used for carrying the DNS authorization security evaluation model; and the DNS authorization security assessment module is also used for acquiring DNS authorization information to be assessed and outputting a DNS authorization dependent security assessment result by utilizing the DNS authorization security assessment model.
5. A computer readable storage medium having stored thereon at least one instruction, at least one program, code set or instruction set, the at least one instruction, at least one program, code set or instruction set being loaded and executed by a processor to implement the method of any of claims 1-3.
6. A computer program product comprising a computer program or computer-executable instructions which, when executed by a processor, implement the method of any one of claims 1-3.
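The information-gain feature selection step recited in claims 1 and 4, as an added example that is not code from the patent. It assumes the standard Shannon-entropy definition of information gain (the formulas themselves are not legible in this text), treats each hypothetical feature as a dependency feature set of one, and uses constructed samples and feature names.

```python
import math
from collections import Counter, defaultdict

# Constructed samples (not from the patent). One hypothetical feature per kind of
# authorization dependency element: relationship, attribution, performance, host.
FEATURES = ("ns_count", "single_asn", "ns_latency", "host_eol")
ROWS = [  # ns_count, single_asn, ns_latency, host_eol, expert risk label
    ("1",  "yes", "high", "yes", "high"),
    ("1",  "yes", "low",  "yes", "high"),
    ("1",  "yes", "high", "no",  "high"),
    ("2+", "yes", "low",  "no",  "high"),
    ("1",  "no",  "high", "no",  "low"),
    ("2+", "no",  "low",  "no",  "low"),
    ("2+", "no",  "high", "no",  "low"),
    ("2+", "no",  "low",  "no",  "low"),
]
SAMPLES = [dict(zip(FEATURES + ("risk",), row)) for row in ROWS]


def entropy(labels):
    """Shannon entropy (bits) of a list of risk-level labels."""
    total = len(labels)
    return -sum(n / total * math.log2(n / total) for n in Counter(labels).values())


def conditional_entropy(samples, feature, label="risk"):
    """Entropy of the label after partitioning the samples by one feature's value."""
    groups = defaultdict(list)
    for s in samples:
        groups[s[feature]].append(s[label])
    return sum(len(g) / len(samples) * entropy(g) for g in groups.values())


def information_gain(samples, feature, label="risk"):
    return entropy([s[label] for s in samples]) - conditional_entropy(samples, feature, label)


def select_features(samples, features, k=2, label="risk"):
    """Rank features by information gain and keep the top k (the claim requires k >= 2)."""
    if not 2 <= k <= len(features):
        raise ValueError("k must be between 2 and the number of candidate features")
    gains = {f: information_gain(samples, f, label) for f in features}
    return sorted(features, key=gains.get, reverse=True)[:k]


if __name__ == "__main__":
    for f in FEATURES:
        print(f"{f:12s} gain = {information_gain(SAMPLES, f):.4f}")
    print("selected:", select_features(SAMPLES, FEATURES))
```

In this constructed data the attribution feature separates the two risk levels completely, while latency is split evenly across them and carries no information, so it is ranked last.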
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410261261.2A CN117857224B (en) 2024-03-07 2024-03-07 DNS authorization dependency security assessment method based on multiple POVs

Publications (2)

Publication Number Publication Date
CN117857224A (en) 2024-04-09
CN117857224B (en) 2024-06-25

Family

ID=90548291

Country Status (1)

Country Link
CN (1) CN117857224B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111181950A (en) * 2019-12-26 2020-05-19 下一代互联网关键技术和评测北京市工程研究中心有限公司 Authoritative DNS server authorization method and system
CN113259399A (en) * 2021-07-08 2021-08-13 中国人民解放军国防科技大学 Domain name server security threat analysis method and device based on heterogeneous information network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160255012A1 (en) * 2015-02-26 2016-09-01 Check Point Software Technologies Ltd. Method for mitigation of unauthorized data transfer over domain name service (dns)
US9705851B2 (en) * 2015-07-06 2017-07-11 Verisign, Inc. Extending DNSSEC trust chains to objects outside the DNS
CN114430382B (en) * 2021-11-30 2024-06-04 中国科学院信息工程研究所 Authoritative domain name server redundancy reduction detection method and device based on passive DNS traffic

Also Published As

Publication number Publication date
CN117857224A (en) 2024-04-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant