[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN106713312A - Method and device for detecting illegal domain name - Google Patents

Method and device for detecting illegal domain name Download PDF

Info

Publication number
CN106713312A
CN106713312A CN201611195849.4A CN201611195849A CN106713312A CN 106713312 A CN106713312 A CN 106713312A CN 201611195849 A CN201611195849 A CN 201611195849A CN 106713312 A CN106713312 A CN 106713312A
Authority
CN
China
Prior art keywords
domain name
randomness
characteristic value
illegal
degree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611195849.4A
Other languages
Chinese (zh)
Inventor
邓永
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Shenxinfu Electronic Technology Co Ltd
Original Assignee
Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Shenxinfu Electronic Technology Co Ltd filed Critical Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority to CN201611195849.4A priority Critical patent/CN106713312A/en
Publication of CN106713312A publication Critical patent/CN106713312A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144Detection or countermeasures against botnets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and device for detecting an illegal domain name. The method includes the following steps that: a domain name to be detected is obtained, character composition in the domain name is analyzed, so that the feature value of the domain name can be obtained, and the degree of randomness of the domain name is obtained according to the feature value; and if the degree of randomness of the domain name is larger than a preset threshold value, it is determined that the domain name is an illegal domain name. The present invention also provides a device for detecting an illegal domain name. With the method and device for detecting the illegal domain name of the invention adopted, the technical problem that an existing botnet monitoring technology cannot detect newly-emerging illegal domain names can be solved, and the accuracy rate of the detection of illegal domain names can be improved.

Description

Detect the method and device of illegal domain name
Technical field
The present invention relates to technical field of network security, more particularly to a kind of method and device for detecting illegal domain name.
Background technology
Botnet virus is one of current important viral species, and Botnet can initiate DDoS (Distributed Denial of Service, distributed denial of service) malicious act such as attack, fishing mail, download and transmitted virus software. By Botnet virus control main frame need and Botnet control server to be communicated, with obtain new attack target, Download new virus, obtain new attack instruction, upper transmitting file etc., meat machine is referred to as by the main frame that Botnet is controlled.
Meat machine and C&C servers are communicated, and just must be known by C&C servers (Command and Control Server, remote command and control server) IP address, early stage Botnet virus the IP address of C&C servers is direct In write-in Virus, but directly communicated using IP address and be easily employed fire wall detection.
Most current Botnet program does not use IP address direct communication, will not be led to using fixed domain name yet Letter, because if fixed domain name is encoded in Botnet Virus, professional can obtain C&C by conversed analysis The domain name of server.Therefore, Botnet but control server generates a large amount of DGA (Domain Generated Algorithm, domain name generating algorithm) domain name, select to register one of them or several domain names.Meat machine equally sends a large amount of DGA The DNS request of domain name, one of them or several servers can return to IP address, IP address and C&C that meat machine is responded by DNS Server communication.Meat machine can hide WAF and detect and specialty to a certain extent using DGA domain names and C&C control server communications Personnel's conversed analysis, the domain name that C&C servers are generated using DGA algorithms can also quick-replaceable domain name and IP so that application fire prevention Wall is more difficult from for the detection of Botnet.
The mode of existing detection Botnet is mainly, and is filtered using the blacklist of domain name or IP address, by Domain expert obtains IP address or domain name that Botnet controls server by analyzing Botnet virus, pre-builds black List, application firewall is detected when main frame communicates with corresponding blacklist and prevented.This method not only put into manpower it is many, into This height;And it is merely able to detect existing Botnet virus, it is impossible to detect emerging Botnet, i.e., cannot detect new The illegal domain name of appearance, causes the Detection accuracy of illegal domain name low.
The content of the invention
The present invention provides a kind of method and device for detecting illegal domain name, and its main purpose is to solve existing corpse net The technical problem of emerging illegal domain name cannot be detected in network monitoring technology, the accuracy rate of detection illegal domain name is improved.
To achieve the above object, the present invention provides a kind of method for detecting illegal domain name, the method for the detection illegal domain name Including:
Domain name to be detected is obtained, the character composition in domain name is analyzed to obtain the characteristic value of domain name, root The degree of randomness of domain name is obtained according to the characteristic value;
If the degree of randomness of domain name is more than predetermined threshold value, judge that domain name is illegal domain name.
Alternatively, it is described to obtain domain name to be detected, the character composition in domain name is analyzed to obtain domain name Characteristic value, according to the characteristic value obtain domain name degree of randomness the step of include:
Domain name in crawl DNS daily records is used as domain name to be detected;
Character composition is analyzed based on the randomness detected rule for pre-setting, generation is examined with the randomness Gauge then corresponding characteristic value;
Degree of randomness of the characteristic value that will be generated as domain name.
Alternatively, when the characteristic value has multiple, acquisition domain name to be detected, to the character group in domain name Include into being analyzed to obtain the characteristic value of domain name, the step of obtain the degree of randomness of domain name according to the characteristic value:
Domain name in crawl DNS daily records is used as domain name to be detected;
Character composition is analyzed based on the randomness detected rule for pre-setting, generation is examined with the randomness Gauge then corresponding multiple characteristic values;
The multiple characteristic value normalization is processed according to disaggregated model, obtains the degree of randomness, wherein, based on it is described with Machine detected rule and predetermined threshold value training grader generate the disaggregated model, and include in the disaggregated model Respectively with the one-to-one multiple characteristic coefficient of the multiple characteristic value.
Alternatively, when the randomness detected rule includes 1 dimension to N-dimensional transition probability matrix, based on described 1 dimension to N Dimension transition probability matrix includes N number of characteristic coefficient in generating N number of characteristic value, and the disaggregated model of generation;
It is described to be processed the multiple characteristic value normalization according to disaggregated model, include the step of obtain the degree of randomness:
N number of characteristic value is multiplied with corresponding characteristic coefficient respectively, using the sum of products as the random of domain name Degree.
Alternatively, it is described the step of judge domain name as illegal domain name before, the method for the detection illegal domain name is also Including:
If the degree of randomness of domain name is more than predetermined threshold value, judge whether the equipment in current network in predetermined period The number of times for accessing domain name is more than in preset times, and the network number of devices for accessing domain name more than present count Amount;
If so, then judging that domain name is illegal domain name, and domain name is added to domain name blacklist;
If it is not, then judging that domain name is legitimate domain name.
Alternatively, the equipment judged whether in current network accesses the number of times of domain name in predetermined period and is more than Before the step of number of devices that domain name is accessed in preset times, and the network is more than predetermined number, the detection is non- The method of method domain name also includes:
If the degree of randomness of domain name is more than predetermined threshold value, judge whether domain name meets preset character combination rule Then;
If not meeting, execution judges whether that the equipment in current network accesses the number of times of domain name in predetermined period The step of being more than predetermined number more than the number of devices that domain name is accessed in preset times, and the network;
If meeting, judge that domain name is legitimate domain name.
Alternatively, the step of character composition in domain name is analyzed the characteristic value to obtain domain name it Before, the method for the detection illegal domain name includes:
After domain name to be detected is got, detection domain name is with the presence or absence of white in domain name blacklist or domain name In list;
If it is not, then perform the character composition in domain name to be analyzed to obtain the step of the characteristic value of domain name Suddenly.
Additionally, to achieve the above object, the present invention also provides a kind of device for detecting illegal domain name, the detection illegal domain name Device include:
Degree of randomness acquisition module, for obtaining domain name to be detected, in domain name character composition be analyzed with The characteristic value of domain name is obtained, the degree of randomness of domain name is obtained according to the characteristic value;
Domain name judge module, if being more than predetermined threshold value for the degree of randomness of domain name, judges domain name as illegal Domain name.
Alternatively, when the characteristic value has multiple, the degree of randomness acquisition module includes:
Domain Name acquisition unit, for capturing the domain name in DNS daily records as domain name to be detected;
Characteristic value acquiring unit, for being divided character composition based on the randomness detected rule for pre-setting Analysis, generates multiple characteristic values corresponding with the randomness detected rule;
Normalization unit, for processing the multiple characteristic value normalization according to disaggregated model, obtains the degree of randomness, Wherein, the disaggregated model is generated based on the randomness detected rule and predetermined threshold value training grader, and it is described Include multiple characteristic coefficients one-to-one with the multiple characteristic value respectively in disaggregated model.
Alternatively, the device of the detection illegal domain name also includes access detection module and list management module;
The access detection module is used for:If the degree of randomness of domain name is more than predetermined threshold value, judge whether current net Equipment in network accesses the number of times of domain name more than access domain name in preset times, and the network in predetermined period Number of devices be more than predetermined number;
Domain name judge module is additionally operable to:Equipment in preceding network accesses the number of times of domain name in predetermined period When the number of devices that domain name is accessed more than preset times, and in the network is more than predetermined number, judge domain name as Illegal domain name, otherwise, it is determined that domain name is legitimate domain name;
The list management module is used for:The domain name that domain name judge module is judged to illegal domain name is added to the black name of domain name It is single.
The method and device of detection illegal domain name proposed by the present invention, obtains domain name to be detected, to the word in the domain name Symbol composition is analyzed to obtain the characteristic value of domain name, the degree of randomness of domain name is obtained according to the characteristic value for getting, in degree of randomness During more than predetermined threshold value, the entitled illegal domain name of decision space, by the solution of the present invention, can not only detect existing non-legal order Name, even if occurring in that new Botnet and generating new illegal domain name, it is also possible to domain name character in itself is constituted into Row analysis, detects the illegal domain name, to solve and cannot detect emerging non-legal order in existing Botnet monitoring technology The technical problem of name, improves the accuracy rate of detection illegal domain name.
Brief description of the drawings
Fig. 1 is the flow chart of the method first embodiment of present invention detection illegal domain name;
Fig. 2 is the refinement procedure Procedure of degree of randomness obtaining step in the method first embodiment for detecting illegal domain name of the invention Figure;
Fig. 3 is the flow chart of the method second embodiment of present invention detection illegal domain name;
Fig. 4 is the high-level schematic functional block diagram of the device first embodiment of present invention detection illegal domain name;
Fig. 5 is the refinement functional module of degree of randomness acquisition module in the device first embodiment for detecting illegal domain name of the invention Schematic diagram;
Fig. 6 is the high-level schematic functional block diagram of the device second embodiment of present invention detection illegal domain name.
The realization of the object of the invention, functional characteristics and advantage will be described further referring to the drawings in conjunction with the embodiments.
Specific embodiment
It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not intended to limit the present invention.
The present invention provides a kind of method for detecting illegal domain name.It is the side of present invention detection illegal domain name shown in reference picture 1 The flow chart of method first embodiment.
In the present embodiment, the method for the detection illegal domain name includes:
Step S10, obtains domain name to be detected, and the character composition in domain name is analyzed to obtain the spy of domain name Value indicative, the degree of randomness of domain name is obtained according to the characteristic value.
Step S20, if the degree of randomness of domain name is more than predetermined threshold value, judges that domain name is illegal domain name.
The method of the detection illegal domain name that the embodiment of the present invention is proposed can apply to various gateway devices, for example, exchanging Machine, router, firewall box etc..Illustrated by taking LAN as an example, the main frame in the corresponding LAN of gateway device is accessed The domain name crossed can be recorded in DNS daily records.Domain name can be captured from the new DNS daily records for producing at interval of prefixed time interval, Domain name to grabbing detects, determines whether illegal domain name, and then judge whether the main frame for accessing the domain name infects Corpse virus, wherein, illegal domain name can be DGA domain names;Or, in other examples, it is also possible to obtained from other channels Take the domain name that main frame in LAN is accessed, the domain name that will be got is used as domain name to be detected.
Because the domain name generated based on DGA is typically to randomly choose some characters compositions, such as bdqjkxk.cn, Stxhyxvyiws.ws etc.;And legitimate domain name, such as bookstore.com, stackoverflow.com, for convenience user note Recall, its character composition typically has certain meaning or rule.Therefore, in the present embodiment, the character in domain name is constituted into Row is analyzed to obtain the characteristic value of domain name, and characteristic value is the index for measuring domain name randomness, can reflect the domain name Random degree, the random degree of domain name is higher, then the domain name for the possibility of DGA domain names it is higher, due to normal legitimate domains Character composition in name typically has certain meaning or rule, therefore random degree than relatively low.
In this embodiment, being analyzed the characteristic value for getting to the character composition in domain name to be detected can have one Individual or multiple.
One), when the characteristic value only one of which for getting, step S10 can include following refinement step:Crawl DNS days Domain name in will is used as domain name to be detected;Character composition is divided based on the randomness detected rule for pre-setting Analysis, generates characteristic value corresponding with the randomness detected rule;The characteristic value that will be generated is used as the random of domain name Degree.
Wherein, above-mentioned randomness detected rule can be the computation rule of any random degree that can reflect domain name, example Such as a gram language model, comentropy.The characteristic value of the domain name can be calculated according to a gram language model, it is assumed that wrapped in the domain name Containing m character, then the probability of each character appearance is obtained respectively, the value that the m probable value that will be got is obtained after being multiplied, then M powers are opened, then obtains the characteristic value that the domain name is based on a gram language model, wherein, the probability that each character occurs in domain name Can be learnt by the data set to legitimate domain name, all probable value sums that possibly be present at the character in domain name It is 1.Characteristic value is lower, and the random degree of the domain name is higher, then the domain name for illegal domain name possibility it is higher.Or, calculate The comentropy of the domain name, using comentropy as the domain name characteristic value, comentropy reflects the uncertainty degree of the domain name, comentropy Value it is bigger, then the uncertainty degree of the domain name is higher, the domain name for illegal domain name possibility it is also higher.
In this embodiment, the characteristic value that will can be calculated as domain name degree of randomness, and it is possible to set in advance A threshold value is put as judgment standard, i.e. predetermined threshold value, when the characteristic value being calculated is less than the predetermined threshold value, then it is assumed that the domain Entitled illegal domain name, otherwise, it is determined that domain name is legitimate domain name.
Two), as another embodiment, when the characteristic value for getting has multiple, according to the multiple features for getting Value obtains the degree of randomness of domain name.Randomness detected rule is pre-set, domain name can be obtained according to the randomness detected rule Multiple characteristic values.Two kinds of randomness detected rules are exemplified below to illustrate.
1), randomness detected rule includes 1 dimension to N-dimensional transition probability matrix, one in N >=2, i.e. the randomness detected rule Include altogether from 1 dimension to N-dimensional multiple transition probability matrix, wherein, N-dimensional transition probability matrix corresponds to many gram language models, one As two gram language models be referred to as single order Markov Chain, corresponding to two-dimentional transition probability matrix;Three gram language models are referred to as two Rank Markov Chain, corresponding to three-dimensional transition probability matrix;Four gram language models are referred to as three rank Markov Chains, corresponding to the four-dimension Transition probability matrix, by that analogy.
Below so that the multiple letters during the character string of domain name is by a to z this 26 English alphabets are constituted as an example, illustrate that multidimensional turns The composition of probable value in probability matrix is moved, the first dimension of the multidimensional transition probability matrix reflects this 26 English words mother stocks of a to z Do not appear in the probable value in character string, have 26 probable values, itself and be 1;The reflection of second dimension is when upper character difference During for a to z, character late adjacent thereto is respectively the probable value of a to z, has 676 probable values, itself and be 1;3rd Dimension reflection is respectively aa to zz (aa, ab, ac ... ba, bb, bc ... za, zb, zc ... zz) when two adjacent characters When, character late adjacent thereto is respectively the probable value of a to z, has 17567 probable values, itself and be 1;By that analogy. The dimension of transition probability matrix is higher, and the accuracy finally for the judgement of the random degree of domain name is higher, in addition, it is desirable to meter Calculation amount is also bigger.In this embodiment, it is preferred that, randomness detected rule is set to 1 dimension to 4 dimension transition probability matrixs.
It should be noted that randomness detected rule includes that 1 dimension is somebody's turn to do to during N-dimensional transition probability matrix, it is necessary to calculate respectively Domain name is from 1 dimension to the corresponding characteristic value of N-dimensional transition probability matrix, that is to say, that the characteristic value of the domain name for obtaining has N number of, wherein, The characteristic value that the corresponding characteristic value of 1 dimension transition probability matrix is namely calculated according to a gram language model.Additionally, multidimensional turns The probable value moved in probability matrix can be by the word to commonly using, English name, place name, phonetic, abbreviation and legal domain name The data set of composition is learnt.
Below so that the multiple letters during the character string of domain name is by a to z this 26 English alphabets are constituted as an example, the domain name is illustrated Characteristic value in the second dimension of N-dimensional transition probability matrix.
1st row:When a upper character is a in the character string of domain name, character late adjacent thereto is respectively a-z Probable value, has 26 probable values.
2nd row:When a upper character is b in the character string of domain name, character late adjacent thereto is respectively a-z Probable value, has 26 probable values.
By that analogy, the 26th row:When a upper character is z in the character string of domain name, character late adjacent thereto is Not Wei a-z probable value, have 26 probable values.
The side of characteristic value of the calculating domain name in the second dimension of N-dimensional transition probability matrix is illustrated by taking google.com as an example Formula, obtains next adjacent with o of probability that the character late adjacent with g is o from above-mentioned two-dimentional transition probability matrix respectively Individual character is for the probability of the o character late adjacent with o for the probability of the g character late adjacent with g is the probability and l of l Adjacent character late is the probability of e, and above-mentioned 5 probable values that will be got open 5 powers after being multiplied, and the numerical value for obtaining is Characteristic value of the domain name in the second dimension of N-dimensional transition probability matrix.From said process as can be seen that calculating characteristic value When, the probability number and the number of times of evolution that are got from transition probability matrix are equal to the quantity of the character in domain name.
It is understood that above-mentioned probable value and letter are for example, in actual applications, constituting the word of domain name Symbol is not limited to above-mentioned 26 English alphabets, can also be the combination of other characters or English alphabet and other types character Deng such as numeral.
2), randomness detected rule includes rule is calculated as below:Calculate the word in comentropy, the domain name of domain name Digital accounting in female accounting, domain name;Comentropy, alphabetical accounting and the numeral of domain name are obtained according to above-mentioned computation rule Accounting, using comentropy, alphabetical accounting and digital accounting as domain name characteristic value, in other examples, can be with The computation rule of more character combination probable values is added, for example, calculating vowel accounting, calculating consonant accounting etc..
In this embodiment, the characteristic value that will be calculated in itself as degree of randomness, and according in advance be each with Whether the predetermined threshold value that machine degree is set, be all higher than predetermined threshold value, if so, then decision space is entitled in the multiple characteristic values for judging domain name Illegal domain name.
Further, when characteristic value has multiple, in order to more accurately judge whether domain name is illegal domain name, using returning One change algorithm by multiple characteristic value normalizations be one value, using the value as domain name degree of randomness.For example, using weighting algorithm, Or, processed multiple characteristic value normalizations using the disaggregated model of grader etc..
Below by taking grader as an example, shown in reference picture 2, step S10 can include following refinement step:
Step S11, the domain name in crawl DNS daily records is used as domain name to be detected;
Step S12, based on the randomness detected rule for pre-setting to the character composition be analyzed, generation with it is described The corresponding multiple characteristic values of randomness detected rule;
Step S13, is processed the multiple characteristic value normalization according to disaggregated model, obtains the degree of randomness, wherein, base The disaggregated model, and the disaggregated model are generated in the randomness detected rule and predetermined threshold value training grader In include multiple characteristic coefficients one-to-one with the multiple characteristic value respectively.
Using known illegal domain name as positive sample, known legitimate domain name as negative sample, examined according to the randomness Gauge then extracts the characteristic value of the positive sample and negative sample respectively, the characteristic value based on the positive sample and negative sample, and Predetermined threshold value is trained grader and generates characteristic coefficient, and the characteristic coefficient constitutes the disaggregated model, and in disaggregated model The number of characteristic coefficient is equal with the number of the characteristic value obtained according to randomness detected rule.Obtain multiple characteristic values it Afterwards, the disaggregated model according to the grader processes multiple characteristic value normalizations, obtains the degree of randomness of domain name, is sentenced according to degree of randomness Whether disconnected domain name is illegal domain name, and the characteristic coefficient in the disaggregated model of training grader generation is matched with predetermined threshold value.
It is general to N-dimensional transfer based on described 1 dimension when the randomness detected rule includes 1 dimension to N-dimensional transition probability matrix Rate matrix includes N number of characteristic coefficient in generating N number of characteristic value, and the disaggregated model of generation;The step S13 includes: By N number of characteristic value respectively with corresponding characteristic coefficient be multiplied, using the sum of products as domain name degree of randomness.
By taking four-dimensional transition probability matrix as an example, the characteristic value of domain name is calculated according to four-dimensional transition probability matrix, four can be obtained Individual characteristic value, respectively P1, P2, P3, P4, are that grader sets four characteristic coefficients, respectively A1, A2, A3, A4, according to Lower formula calculates the degree of randomness E of domain name:
E=P1 × A1+P2 × A2+P3 × A3+P3 × A3
Feature extraction is carried out to positive sample and negative sample according to four-dimensional transition probability matrix respectively, and will be used as judgment standard Predetermined threshold value be set to 0, with " E > 0 are illegal domain name, E≤0 for legitimate domain name " and the spy of positive and negative samples for extracting Value indicative trains grader, obtains the value of A1, A2, A3, A4, the value composition and classification model of four for obtaining characteristic coefficient.
Further, as a kind of implementation method, after the entitled illegal domain name of decision space, the domain name is added to and is built in advance In vertical domain name blacklist, and intercept process is made in the access of main frame in local area network to domain name in domain name blacklist;If domain name Degree of randomness less or greater than predetermined threshold value, then the entitled legitimate domain name of decision space.
Further, as a kind of implementation method, domain name blacklist and domain name white list are pre-build, will be known illegal Domain name is added to domain name blacklist, and known legitimate domain name is added into domain name white list, after domain name to be detected is got, First detection domain name whether there is in domain name blacklist or domain name white list, tentatively to judge whether domain name closes Method, when domain name to be detected is neither in domain name blacklist, when also not in domain name white list, performs step S10, if domain name In domain name white list, then legitimate domain name is determined that it is, do not make intercept process, if domain name is in domain name blacklist, decision space Entitled illegal domain name, intercepts access of the main frame for the domain name.
The probable value in multidimensional transition probability matrix is entered it is possible to further renewal regularly according to domain name white list Row updates;Or, grader is trained according to the domain name white list and domain name blacklist that update, to update disaggregated model, The accuracy rate for detecting illegal domain name is improved with further.
The method of the detection illegal domain name that the present embodiment is proposed, obtains domain name to be detected, to the character group in the domain name Into being analyzed to obtain the characteristic value of domain name, the degree of randomness of domain name is obtained according to the characteristic value for getting, be more than in degree of randomness During predetermined threshold value, the entitled illegal domain name of decision space, by the solution of the present invention, can not only detect existing illegal domain name, i.e., Make to occur in that new Botnet and generate new illegal domain name, it is also possible to which domain name character composition in itself is divided Analysis, detects the illegal domain name, to solve and cannot detect emerging illegal domain name in existing Botnet monitoring technology Technical problem, improves the accuracy rate of detection illegal domain name.
The second embodiment of the method for present invention detection illegal domain name is proposed based on first embodiment.Shown in reference picture 3, In the present embodiment, before step S20, the method for the detection illegal domain name also includes:
If the degree of randomness of domain name is more than predetermined threshold value, judge whether the equipment in current network in predetermined period The number of times for accessing domain name is more than in preset times, and the network number of devices for accessing domain name more than present count Amount;
Step S20, if so, then judging that domain name is illegal domain name;
Step S40, domain name blacklist is added to by domain name;
Step S50, if it is not, then judging that domain name is legitimate domain name.
In this embodiment, in order to reduce the erroneous judgement to illegal domain name, the accuracy rate that illegal domain name judges further is improved, After the degree of randomness for detecting domain name is more than predetermined threshold value, one is entered for the access situation of the domain name according to the main frame in LAN Step judges whether domain name is illegal domain name, for example, work as separate unit main frame in LAN accesses the domain name at a certain time interval Number of times exceeded preset times;The host number of the access domain name in the LAN has exceeded predetermined number, when occurring in that Any one in above-mentioned two situations, then judge that the domain name is illegal domain name.Additionally, judging the access domain in LAN When the host number of name has exceeded predetermined number, can also judge that these access whether above-mentioned domain host has DNS request to return Return, if so, while decision space entitled illegal domain name, judge that the IP address for returning controls the IP of server as Botnet, The IP of return is added in the IP blacklists that pre-build, access that subsequently can be with the main frame in local area network to the IP address Make intercept process.
Further, as a kind of implementation method, in order to further reduce the erroneous judgement to illegal domain name, in step Before S30, the method also includes:
If the degree of randomness of domain name is more than predetermined threshold value, judge whether domain name meets preset character combination rule Then;
If not meeting, execution judges whether that the equipment in current network accesses the number of times of domain name in predetermined period The step of being more than predetermined number more than the number of devices that domain name is accessed in preset times, and the network;
If meeting, judge that domain name is legitimate domain name.
Because domain name may have various different types of character combinations to form, such as by the alphabetical, digital etc. of different language Combine, but different language it is alphabetical, digital between transition probability it is relatively low, therefore, in this embodiment, in order to subtract Few erroneous judgement to illegal domain name, after the degree of randomness for detecting domain name is more than predetermined threshold value, whether detection domain name meets preset Character combination rule, for example, character combination rule can include:Domain name is formed by combining by common word, phonetic, numeral. When detecting domain name and meeting preset character combination rule, the entitled legitimate domain name of decision space, otherwise, it is determined that domain name is non-legal order Name, or, step S30 is further performed, judge whether domain name is non-for the access of the domain name according to main frame in LAN Method domain name.
The present invention also proposes a kind of device for detecting illegal domain name.
It is the high-level schematic functional block diagram of the device first embodiment of present invention detection illegal domain name shown in reference picture 4.
In this embodiment, the device of the detection illegal domain name includes:
Degree of randomness acquisition module 10, for obtaining domain name to be detected, is analyzed to the character composition in domain name To obtain the characteristic value of domain name, the degree of randomness of domain name is obtained according to the characteristic value;
Domain name judge module 20, if being more than predetermined threshold value for the degree of randomness of domain name, judges domain name as non- Method domain name.
The device of the detection illegal domain name that the embodiment of the present invention is proposed can apply to various gateway devices, for example, exchanging Machine, router, firewall box etc..Illustrated by taking LAN as an example, the main frame in the corresponding LAN of gateway device is accessed The domain name crossed can be recorded in DNS daily records.Domain name can be captured from the new DNS daily records for producing at interval of prefixed time interval, Domain name to grabbing detects, determines whether illegal domain name, and then judge whether the main frame for accessing the domain name infects Corpse virus, wherein, illegal domain name can be DGA domain names;Or, in other examples, it is also possible to obtained from other channels Take the domain name that main frame in LAN is accessed, the domain name that will be got is used as domain name to be detected.
Because the domain name generated based on DGA is typically to randomly choose some characters compositions, such as bdqjkxk.cn, Stxhyxvyiws.ws etc.;And legitimate domain name, such as bookstore.com, stackoverflow.com, for convenience user note Recall, its character composition typically has certain meaning or rule.Therefore, in the present embodiment, the character in domain name is constituted into Row is analyzed to obtain the characteristic value of domain name, and characteristic value is the index for measuring domain name randomness, can reflect the domain name Random degree, the random degree of domain name is higher, then the domain name for the possibility of DGA domain names it is higher, due to normal legitimate domains Character composition in name typically has certain meaning or rule, therefore random degree than relatively low.
In this embodiment, being analyzed the characteristic value for getting to the character composition in domain name to be detected can have one Individual or multiple.
One), when the characteristic value only one of which for getting, degree of randomness acquisition module 10 is additionally operable to:In crawl DNS daily records Domain name is used as domain name to be detected;Character composition is analyzed based on the randomness detected rule for pre-setting, is generated Characteristic value corresponding with the randomness detected rule;Degree of randomness of the characteristic value that will be generated as domain name.
Wherein, above-mentioned randomness detected rule can be the computation rule of any random degree that can reflect domain name, example Such as a gram language model, comentropy.The characteristic value of the domain name can be calculated according to a gram language model, it is assumed that wrapped in the domain name Containing m character, then the probability of each character appearance is obtained respectively, the value that the m probable value that will be got is obtained after being multiplied, then M powers are opened, then obtains the characteristic value that the domain name is based on a gram language model, wherein, the probability that each character occurs in domain name Can be learnt by the data set to legitimate domain name, all probable value sums that possibly be present at the character in domain name It is 1.Characteristic value is lower, and the random degree of the domain name is higher, then the domain name for illegal domain name possibility it is higher.Or, calculate The comentropy of the domain name, using comentropy as the domain name characteristic value, comentropy reflects the uncertainty degree of the domain name, comentropy Value it is bigger, then the uncertainty degree of the domain name is higher, the domain name for illegal domain name possibility it is also higher.
In this embodiment, the characteristic value that will can be calculated as domain name degree of randomness, and it is possible to set in advance A threshold value is put as judgment standard, i.e. predetermined threshold value, when the characteristic value being calculated is less than the predetermined threshold value, then it is assumed that the domain Entitled illegal domain name, otherwise, it is determined that domain name is legitimate domain name.
Two), as another embodiment, when the characteristic value for getting has multiple, according to the multiple features for getting Value obtains the degree of randomness of domain name.Randomness detected rule is pre-set, domain name can be obtained according to the randomness detected rule Multiple characteristic values.Two kinds of randomness detected rules are exemplified below to illustrate.
1), randomness detected rule includes 1 dimension to N-dimensional transition probability matrix, one in N >=2, i.e. the randomness detected rule Include altogether from 1 dimension to N-dimensional multiple transition probability matrix, wherein, N-dimensional transition probability matrix corresponds to many gram language models, one As two gram language models be referred to as single order Markov Chain, corresponding to two-dimentional transition probability matrix;Three gram language models are referred to as two Rank Markov Chain, corresponding to three-dimensional transition probability matrix;Four gram language models are referred to as three rank Markov Chains, corresponding to the four-dimension Transition probability matrix, by that analogy.
Below so that the multiple letters during the character string of domain name is by a to z this 26 English alphabets are constituted as an example, illustrate that multidimensional turns The composition of probable value in probability matrix is moved, the first dimension of the multidimensional transition probability matrix reflects this 26 English words mother stocks of a to z Do not appear in the probable value in character string, have 26 probable values, itself and be 1;The reflection of second dimension is when upper character difference During for a to z, character late adjacent thereto is respectively the probable value of a to z, has 676 probable values, itself and be 1;3rd Dimension reflection is respectively aa to zz (aa, ab, ac ... ba, bb, bc ... za, zb, zc ... zz) when two adjacent characters When, character late adjacent thereto is respectively the probable value of a to z, has 17567 probable values, itself and be 1;By that analogy. The dimension of transition probability matrix is higher, and the accuracy finally for the judgement of the random degree of domain name is higher, in addition, it is desirable to meter Calculation amount is also bigger.In this embodiment, it is preferred that, randomness detected rule is set to 1 dimension to 4 dimension transition probability matrixs.
It should be noted that randomness detected rule includes that 1 dimension is somebody's turn to do to during N-dimensional transition probability matrix, it is necessary to calculate respectively Domain name is from 1 dimension to the corresponding characteristic value of N-dimensional transition probability matrix, that is to say, that the characteristic value of the domain name for obtaining has N number of, wherein 1 The characteristic value that the corresponding characteristic value of dimension transition probability matrix is namely calculated according to a gram language model.Additionally, multidimensional turns The probable value moved in probability matrix can be by the word to commonly using, English name, place name, phonetic, abbreviation and legal domain name The data set of composition is learnt.
Below so that the multiple letters during the character string of domain name is by a to z this 26 English alphabets are constituted as an example, the domain name is illustrated Characteristic value in the second dimension of N-dimensional transition probability matrix.
1st row:When a upper character is a in the character string of domain name, character late adjacent thereto is respectively a-z Probable value, has 26 probable values.
2nd row:When a upper character is b in the character string of domain name, character late adjacent thereto is respectively a-z Probable value, has 26 probable values.
By that analogy, the 26th row:When a upper character is z in the character string of domain name, character late adjacent thereto is Not Wei a-z probable value, have 26 probable values.
The side of characteristic value of the calculating domain name in the second dimension of N-dimensional transition probability matrix is illustrated by taking google.com as an example Formula, obtains next adjacent with o of probability that the character late adjacent with g is o from above-mentioned two-dimentional transition probability matrix respectively Individual character is for the probability of the o character late adjacent with o for the probability of the g character late adjacent with g is the probability and l of l Adjacent character late is the probability of e, and above-mentioned 5 probable values that will be got open 5 powers after being multiplied, and the numerical value for obtaining is Characteristic value of the domain name in the second dimension of N-dimensional transition probability matrix.From said process as can be seen that calculating characteristic value When, the probability number and the number of times of evolution that are got from transition probability matrix are equal to the quantity of the character in domain name.
It is understood that above-mentioned probable value and letter are for example, in actual applications, constituting the word of domain name Symbol is not limited to above-mentioned 26 English alphabets, can also be the combination of other characters or English alphabet and other types character Deng such as numeral.
2), randomness detected rule includes rule is calculated as below:Calculate the word in comentropy, the domain name of domain name Digital accounting in female accounting, domain name;Comentropy, alphabetical accounting and the numeral of domain name are obtained according to above-mentioned computation rule Accounting, using comentropy, alphabetical accounting and digital accounting as domain name characteristic value, in other examples, can be with The computation rule of more character combination probable values is added, for example, calculating vowel accounting, calculating consonant accounting etc..
In this embodiment, degree of randomness acquisition module 10 is additionally operable to the characteristic value that will be calculated in itself as at random Degree, domain name judge module 20 is due to according to being in advance the predetermined threshold value that each degree of randomness is set, judging multiple features of domain name Whether predetermined threshold value is all higher than in value, if so, the then entitled illegal domain name of decision space.
Further, when characteristic value has multiple, in order to more accurately judge whether domain name is illegal domain name, using returning One change algorithm by multiple characteristic value normalizations be one value, using the value as domain name degree of randomness.For example, using weighting algorithm, Or, processed multiple characteristic value normalizations using the disaggregated model of grader etc..
Below by taking grader as an example, shown in reference picture 5, degree of randomness acquisition module 10 is included with lower unit:
Domain Name acquisition unit 11, for capturing the domain name in DNS daily records as domain name to be detected;
Characteristic value acquiring unit 12, for being divided character composition based on the randomness detected rule for pre-setting Analysis, generates multiple characteristic values corresponding with the randomness detected rule;
Normalization unit 13, for processing the multiple characteristic value normalization according to disaggregated model, obtains described random Degree, wherein, the disaggregated model, and institute are generated based on the randomness detected rule and predetermined threshold value training grader State include in disaggregated model respectively with the one-to-one multiple characteristic coefficients of the multiple characteristic value.
Using known illegal domain name as positive sample, known legitimate domain name as negative sample, examined according to the randomness Gauge then extracts the characteristic value of the positive sample and negative sample respectively, the characteristic value based on the positive sample and negative sample, and Predetermined threshold value is trained grader and generates characteristic coefficient, and the characteristic coefficient constitutes the disaggregated model, and in disaggregated model The number of characteristic coefficient is equal with the number of the characteristic value obtained according to randomness detected rule.Obtain multiple characteristic values it Afterwards, the disaggregated model according to the grader processes multiple characteristic value normalizations, obtains the degree of randomness of domain name, is sentenced according to degree of randomness Whether disconnected domain name is illegal domain name, and the characteristic coefficient in the disaggregated model of training grader generation is matched with predetermined threshold value.
It is general to N-dimensional transfer based on described 1 dimension when the randomness detected rule includes 1 dimension to N-dimensional transition probability matrix Rate matrix includes N number of characteristic coefficient in generating N number of characteristic value, and the disaggregated model of generation;Normalization unit 13 is also used In:By N number of characteristic value respectively with corresponding characteristic coefficient be multiplied, using the sum of products as domain name degree of randomness.
By taking four-dimensional transition probability matrix as an example, the characteristic value of domain name is calculated according to four-dimensional transition probability matrix, four can be obtained Individual characteristic value, respectively P1, P2, P3, P4, are that grader sets four characteristic coefficients, respectively A1, A2, A3, A4, according to Lower formula calculates the degree of randomness E of domain name:
E=P1 × A1+P2 × A2+P3 × A3+P3 × A3
Feature extraction is carried out to positive sample and negative sample according to four-dimensional transition probability matrix respectively, and will be used as judgment standard Predetermined threshold value be set to 0, with " E > 0 are illegal domain name, E≤0 for legitimate domain name " and the spy of positive and negative samples for extracting Value indicative trains grader, obtains the value of A1, A2, A3, A4, the value composition and classification model of four for obtaining characteristic coefficient.
Further, as a kind of implementation method, be added to for the domain name after the entitled illegal domain name of decision space by the device In the domain name blacklist for pre-building, and intercept process is made in the access of main frame in local area network to domain name in domain name blacklist; If the degree of randomness of domain name is less or greater than predetermined threshold value, the entitled legitimate domain name of decision space.
Further, as a kind of implementation method, domain name blacklist and domain name white list are pre-build, will be known illegal Domain name is added to domain name blacklist, and known legitimate domain name is added into domain name white list, and the device also includes list filter module Block, for after domain name to be detected is got, detection domain name to be with the presence or absence of white in domain name blacklist or domain name It is also not white in domain name when domain name to be detected is neither in domain name blacklist tentatively to judge whether domain name is legal in list When in list, degree of randomness acquisition module 10 is analyzed to obtain the characteristic value of domain name, root to the character composition in domain name The degree of randomness of domain name is obtained according to the characteristic value, if domain name is in domain name white list, domain name judge module 20 judges it It is legitimate domain name, does not make intercept process, if domain name is in domain name blacklist, the entitled non-legal order of the decision space of domain name judge module 20 Name, intercepts access of the main frame for the domain name.
It is possible to further regularly be entered to the probable value in multidimensional transition probability matrix according to the domain name white list for updating Row updates;Or, grader is trained according to the domain name white list and domain name blacklist that update, to update disaggregated model, The accuracy rate for detecting illegal domain name is improved with further.
The device of the detection illegal domain name that the present embodiment is proposed, obtains domain name to be detected, to the character group in the domain name Into being analyzed to obtain the characteristic value of domain name, the degree of randomness of domain name is obtained according to the characteristic value for getting, be more than in degree of randomness During predetermined threshold value, the entitled illegal domain name of decision space, by the solution of the present invention, can not only detect existing illegal domain name, i.e., Make to occur in that new Botnet and generate new illegal domain name, it is also possible to which domain name character composition in itself is divided Analysis, detects the illegal domain name, to solve and cannot detect emerging illegal domain name in existing Botnet monitoring technology Technical problem, improves the accuracy rate of detection illegal domain name.
The second embodiment of the device of present invention detection illegal domain name is proposed based on first embodiment.Shown in reference picture 6, In the present embodiment, the device of the detection illegal domain name also includes access detection module 30 and list management module 40, wherein,
Access detection module 30 is used for:If the degree of randomness of domain name is more than predetermined threshold value, judge whether current network Interior equipment accesses the number of times of domain name more than access domain name in preset times, and the network in predetermined period Number of devices is more than predetermined number;
Domain name judge module 20 is additionally operable to:The number of times that equipment in preceding network accesses domain name in predetermined period is big When the number of devices that domain name is accessed in preset times, and the network is more than predetermined number, judge domain name as non- Method domain name, otherwise, it is determined that domain name is legitimate domain name;
List management module 40 is used for:The domain name that domain name judge module 20 is judged to illegal domain name is added to the black name of domain name It is single.
In this embodiment, in order to reduce the erroneous judgement to illegal domain name, the accuracy rate that illegal domain name judges further is improved, After the degree of randomness for detecting domain name is more than predetermined threshold value, one is entered for the access situation of the domain name according to the main frame in LAN Step judges whether domain name is illegal domain name, for example, work as separate unit main frame in LAN accesses the domain name at a certain time interval Number of times exceeded preset times;The host number of the access domain name in the LAN has exceeded predetermined number, when occurring in that Any one in above-mentioned two situations, then judge that the domain name is illegal domain name.Additionally, judging the access domain in LAN When the host number of name has exceeded predetermined number, can also judge that these access whether above-mentioned domain host has DNS request to return Return, if so, while decision space entitled illegal domain name, judge that the IP address for returning controls the IP of server as Botnet, The IP of return is added in the IP blacklists that pre-build, access that subsequently can be with the main frame in local area network to the IP address Make intercept process.
Further, as a kind of implementation method, in order to further reduce the erroneous judgement to illegal domain name, the device is also Including:
Rule judgment module, if being more than predetermined threshold value for the degree of randomness of domain name, judges whether domain name accords with Close preset character combination rule;
Access detection module 30 is additionally operable to:If not meeting, judge whether the equipment in current network in predetermined period The number of times for accessing domain name is more than in preset times, and the network number of devices for accessing domain name more than present count Amount;
Domain name judge module 20 is additionally operable to:When judging that domain name meets preset character combination rule, the entitled conjunction of decision space Method domain name.
Because domain name may have various different types of character combinations to form, such as by the alphabetical, digital etc. of different language Combine, but different language it is alphabetical, digital between transition probability it is relatively low, therefore, in this embodiment, in order to subtract Few erroneous judgement to illegal domain name, after the degree of randomness for detecting domain name is more than predetermined threshold value, whether detection domain name meets preset Character combination rule, for example, character combination rule can include:Domain name is formed by combining by common word, phonetic, numeral. When detecting domain name and meeting preset character combination rule, the entitled legitimate domain name of decision space, otherwise, it is determined that domain name is non-legal order Name, or, further by access detection module 30 according to main frame in LAN for the access of the domain name judge domain name whether be Illegal domain name.
The preferred embodiments of the present invention are these are only, the scope of the claims of the invention is not thereby limited, it is every to utilize this hair Equivalent structure or equivalent flow conversion that bright specification and accompanying drawing content are made, or directly or indirectly it is used in other related skills Art field, is included within the scope of the present invention.

Claims (10)

1. it is a kind of detect illegal domain name method, it is characterised in that the method for the detection illegal domain name includes:
Domain name to be detected is obtained, the character composition in domain name is analyzed to obtain the characteristic value of domain name, according to institute State the degree of randomness that characteristic value obtains domain name;
If the degree of randomness of domain name is more than predetermined threshold value, judge that domain name is illegal domain name.
2. it is according to claim 1 detection illegal domain name method, it is characterised in that acquisition domain name to be detected, Character composition in domain name is analyzed to obtain the characteristic value of domain name, domain name is obtained according to the characteristic value The step of degree of randomness, includes:
Domain name in crawl domain name system DNS daily record is used as domain name to be detected;
Character composition is analyzed based on the randomness detected rule for pre-setting, generation is detected with the randomness and advised Then corresponding characteristic value;
Degree of randomness of the characteristic value that will be generated as domain name.
3. it is according to claim 1 detection illegal domain name method, it is characterised in that when the characteristic value has multiple, It is described to obtain domain name to be detected, the character composition in domain name is analyzed to obtain the characteristic value of domain name, according to institute Stating the step of characteristic value obtains the degree of randomness of domain name includes:
Domain name in crawl DNS daily records is used as domain name to be detected;
Character composition is analyzed based on the randomness detected rule for pre-setting, generation is detected with the randomness and advised Then corresponding multiple characteristic values;
The multiple characteristic value normalization is processed according to disaggregated model, obtains the degree of randomness, wherein, based on the randomness Detected rule and predetermined threshold value training grader generate the disaggregated model, and include difference in the disaggregated model With the one-to-one multiple characteristic coefficient of the multiple characteristic value.
4. it is according to claim 3 detection illegal domain name method, it is characterised in that when the randomness detected rule bag When including 1 dimension to N-dimensional transition probability matrix, N number of characteristic value, and the institute for generating are generated based on described 1 dimension to N-dimensional transition probability matrix State and include N number of characteristic coefficient in disaggregated model;
It is described to be processed the multiple characteristic value normalization according to disaggregated model, include the step of obtain the degree of randomness:
By N number of characteristic value respectively with corresponding characteristic coefficient be multiplied, using the sum of products as domain name degree of randomness.
5. it is according to any one of claim 1 to 4 detection illegal domain name method, it is characterised in that the judgement institute Before the step of domain name is stated for illegal domain name, the method for the detection illegal domain name also includes:
If the degree of randomness of domain name is more than predetermined threshold value, judge whether that the equipment in current network is accessed in predetermined period The number of times of domain name is more than in preset times, and the network number of devices for accessing domain name more than predetermined number;
If so, then judging that domain name is illegal domain name, and domain name is added to domain name blacklist;
If it is not, then judging that domain name is legitimate domain name.
6. it is according to claim 5 detection illegal domain name method, it is characterised in that it is described to judge whether in current network Equipment the number of times of domain name is accessed in predetermined period more than accessing setting for domain name in preset times, and the network Before the step of standby quantity is more than predetermined number, the method for the detection illegal domain name also includes:
If the degree of randomness of domain name is more than predetermined threshold value, judge whether domain name meets preset character combination rule;
If not meeting, the number of times that the equipment that execution judges whether in current network accesses domain name in predetermined period is more than The step of number of devices that domain name is accessed in preset times, and the network is more than predetermined number;
If meeting, judge that domain name is legitimate domain name.
7. it is according to claim 6 detection illegal domain name method, it is characterised in that the character in domain name Before the step of composition is analyzed the characteristic value to obtain domain name, the method for the detection illegal domain name includes:
After domain name to be detected is got, detection domain name whether there is in domain name blacklist or domain name white list In;
If it is not, then performing the character in domain name constitutes the step of being analyzed the characteristic value to obtain domain name.
8. it is a kind of detect illegal domain name device, it is characterised in that the device of the detection illegal domain name includes:
Degree of randomness acquisition module, for obtaining domain name to be detected, is analyzed to obtain to the character composition in domain name The characteristic value of domain name, the degree of randomness of domain name is obtained according to the characteristic value;
Domain name judge module, if being more than predetermined threshold value for the degree of randomness of domain name, judges that domain name is illegal domain name.
9. it is according to claim 8 detection illegal domain name device, it is characterised in that when the characteristic value has multiple, The degree of randomness acquisition module includes:
Domain Name acquisition unit, for capturing the domain name in DNS daily records as domain name to be detected;
Characteristic value acquiring unit, it is raw for being analyzed to character composition based on the randomness detected rule for pre-setting Into multiple characteristic values corresponding with the randomness detected rule;
Normalization unit, for processing the multiple characteristic value normalization according to disaggregated model, obtains the degree of randomness, its In, the disaggregated model, and described point are generated based on the randomness detected rule and predetermined threshold value training grader Include multiple characteristic coefficients one-to-one with the multiple characteristic value respectively in class model.
10. according to claim 8 or claim 9 detection illegal domain name device, it is characterised in that the detection illegal domain name Device also includes access detection module and list management module;
The access detection module is used for:If the degree of randomness of domain name is more than predetermined threshold value, judge whether in current network Equipment the number of times of domain name is accessed in predetermined period more than accessing setting for domain name in preset times, and the network Standby quantity is more than predetermined number;
Domain name judge module is additionally operable to:The number of times that equipment in preceding network accesses domain name in predetermined period is more than When the number of devices that domain name is accessed in preset times, and the network is more than predetermined number, judge domain name as illegal Domain name, otherwise, it is determined that domain name is legitimate domain name;
The list management module is used for:The domain name that domain name judge module is judged to illegal domain name is added to domain name blacklist.
CN201611195849.4A 2016-12-21 2016-12-21 Method and device for detecting illegal domain name Pending CN106713312A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611195849.4A CN106713312A (en) 2016-12-21 2016-12-21 Method and device for detecting illegal domain name

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611195849.4A CN106713312A (en) 2016-12-21 2016-12-21 Method and device for detecting illegal domain name

Publications (1)

Publication Number Publication Date
CN106713312A true CN106713312A (en) 2017-05-24

Family

ID=58938746

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611195849.4A Pending CN106713312A (en) 2016-12-21 2016-12-21 Method and device for detecting illegal domain name

Country Status (1)

Country Link
CN (1) CN106713312A (en)

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107645503A (en) * 2017-09-20 2018-01-30 杭州安恒信息技术有限公司 A kind of detection method of the affiliated DGA families of rule-based malice domain name
CN107682348A (en) * 2017-10-19 2018-02-09 杭州安恒信息技术有限公司 DGA domain name Quick method and devices based on machine learning
CN108337259A (en) * 2018-02-01 2018-07-27 南京邮电大学 A kind of suspicious web page identification method based on HTTP request Host information
CN108449349A (en) * 2018-03-23 2018-08-24 新华三大数据技术有限公司 The method and device for preventing malice domain name from attacking
CN109246074A (en) * 2018-07-23 2019-01-18 北京奇虎科技有限公司 Identify method, apparatus, server and the readable storage medium storing program for executing of suspicious domain name
CN109391599A (en) * 2017-08-10 2019-02-26 蓝盾信息安全技术股份有限公司 A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis
CN109391602A (en) * 2017-08-11 2019-02-26 北京金睛云华科技有限公司 A kind of zombie host detection method
CN109889616A (en) * 2018-05-21 2019-06-14 新华三信息安全技术有限公司 A kind of method and device identifying domain name
CN109936560A (en) * 2018-12-27 2019-06-25 上海银行股份有限公司 Malware means of defence and device
CN110233830A (en) * 2019-05-20 2019-09-13 中国银行股份有限公司 Domain name identification and domain name identification model generation method, device and storage medium
CN110392064A (en) * 2019-09-04 2019-10-29 中国工商银行股份有限公司 Risk Identification Method, calculates equipment and computer readable storage medium at device
CN110401632A (en) * 2019-06-20 2019-11-01 国网辽宁省电力有限公司信息通信分公司 A kind of malice domain name infection host source tracing method
US10581880B2 (en) 2016-09-19 2020-03-03 Group-Ib Tds Ltd. System and method for generating rules for attack detection feedback system
CN111078860A (en) * 2019-11-27 2020-04-28 北京小米移动软件有限公司 Text screening method, text screening device and electronic equipment
CN111181937A (en) * 2019-12-20 2020-05-19 北京丁牛科技有限公司 Domain name detection method, device, equipment and system
US10721271B2 (en) 2016-12-29 2020-07-21 Trust Ltd. System and method for detecting phishing web pages
US10721251B2 (en) 2016-08-03 2020-07-21 Group Ib, Ltd Method and system for detecting remote access during activity on the pages of a web resource
US10762352B2 (en) 2018-01-17 2020-09-01 Group Ib, Ltd Method and system for the automatic identification of fuzzy copies of video content
CN111654504A (en) * 2020-06-10 2020-09-11 北京天融信网络安全技术有限公司 DGA domain name detection method and device
US10778719B2 (en) 2016-12-29 2020-09-15 Trust Ltd. System and method for gathering information to detect phishing activity
CN111935097A (en) * 2020-07-16 2020-11-13 上海斗象信息科技有限公司 Method for detecting DGA domain name
US10958684B2 (en) 2018-01-17 2021-03-23 Group Ib, Ltd Method and computer device for identifying malicious web resources
CN112771523A (en) * 2018-08-14 2021-05-07 北京嘀嘀无限科技发展有限公司 System and method for detecting a generated domain
US11005779B2 (en) 2018-02-13 2021-05-11 Trust Ltd. Method of and server for detecting associated web resources
CN112929370A (en) * 2021-02-08 2021-06-08 丁牛信息安全科技(江苏)有限公司 Domain name system hidden channel detection method and device
CN113098989A (en) * 2020-01-09 2021-07-09 深信服科技股份有限公司 Dictionary generation method, domain name detection method, device, equipment and medium
CN113329035A (en) * 2021-06-29 2021-08-31 深信服科技股份有限公司 Method and device for detecting attack domain name, electronic equipment and storage medium
US11122061B2 (en) 2018-01-17 2021-09-14 Group IB TDS, Ltd Method and server for determining malicious files in network traffic
US11153351B2 (en) 2018-12-17 2021-10-19 Trust Ltd. Method and computing device for identifying suspicious users in message exchange systems
US11151581B2 (en) 2020-03-04 2021-10-19 Group-Ib Global Private Limited System and method for brand protection based on search results
US11250129B2 (en) 2019-12-05 2022-02-15 Group IB TDS, Ltd Method and system for determining affiliation of software to software families
CN114285627A (en) * 2021-12-21 2022-04-05 安天科技集团股份有限公司 Flow detection method and device, electronic equipment and computer readable storage medium
CN114363060A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Domain name detection method, system, equipment and computer readable storage medium
US11356470B2 (en) 2019-12-19 2022-06-07 Group IB TDS, Ltd Method and system for determining network vulnerabilities
US11431749B2 (en) 2018-12-28 2022-08-30 Trust Ltd. Method and computing device for generating indication of malicious web resources
US11451580B2 (en) 2018-01-17 2022-09-20 Trust Ltd. Method and system of decentralized malware identification
US11503044B2 (en) 2018-01-17 2022-11-15 Group IB TDS, Ltd Method computing device for detecting malicious domain names in network traffic
US11526608B2 (en) 2019-12-05 2022-12-13 Group IB TDS, Ltd Method and system for determining affiliation of software to software families
CN116599861A (en) * 2023-07-18 2023-08-15 海马云(天津)信息技术有限公司 Method for detecting cloud service abnormality, server device and storage medium
US11755700B2 (en) 2017-11-21 2023-09-12 Group Ib, Ltd Method for classifying user action sequence
US11847223B2 (en) 2020-08-06 2023-12-19 Group IB TDS, Ltd Method and system for generating a list of indicators of compromise
US11934498B2 (en) 2019-02-27 2024-03-19 Group Ib, Ltd Method and system of user identification
US11947572B2 (en) 2021-03-29 2024-04-02 Group IB TDS, Ltd Method and system for clustering executable files
US11985147B2 (en) 2021-06-01 2024-05-14 Trust Ltd. System and method for detecting a cyberattack
US12088606B2 (en) 2021-06-10 2024-09-10 F.A.C.C.T. Network Security Llc System and method for detection of malicious network resources
US12135786B2 (en) 2020-03-10 2024-11-05 F.A.C.C.T. Network Security Llc Method and system for identifying malware

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101702660A (en) * 2009-11-12 2010-05-05 中国科学院计算技术研究所 Abnormal domain name detection method and system
US20130232574A1 (en) * 2012-03-02 2013-09-05 Cox Communications, Inc. Systems and Methods of DNS Grey Listing
CN105577660A (en) * 2015-12-22 2016-05-11 国家电网公司 DGA domain name detection method based on random forest
CN105827594A (en) * 2016-03-08 2016-08-03 北京航空航天大学 Suspicion detection method based on domain name readability and domain name analysis behavior

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101702660A (en) * 2009-11-12 2010-05-05 中国科学院计算技术研究所 Abnormal domain name detection method and system
US20130232574A1 (en) * 2012-03-02 2013-09-05 Cox Communications, Inc. Systems and Methods of DNS Grey Listing
CN105577660A (en) * 2015-12-22 2016-05-11 国家电网公司 DGA domain name detection method based on random forest
CN105827594A (en) * 2016-03-08 2016-08-03 北京航空航天大学 Suspicion detection method based on domain name readability and domain name analysis behavior

Cited By (58)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10721251B2 (en) 2016-08-03 2020-07-21 Group Ib, Ltd Method and system for detecting remote access during activity on the pages of a web resource
US10581880B2 (en) 2016-09-19 2020-03-03 Group-Ib Tds Ltd. System and method for generating rules for attack detection feedback system
US10778719B2 (en) 2016-12-29 2020-09-15 Trust Ltd. System and method for gathering information to detect phishing activity
US10721271B2 (en) 2016-12-29 2020-07-21 Trust Ltd. System and method for detecting phishing web pages
CN109391599A (en) * 2017-08-10 2019-02-26 蓝盾信息安全技术股份有限公司 A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis
CN109391602B (en) * 2017-08-11 2021-04-09 北京金睛云华科技有限公司 Zombie host detection method
CN109391602A (en) * 2017-08-11 2019-02-26 北京金睛云华科技有限公司 A kind of zombie host detection method
CN107645503B (en) * 2017-09-20 2020-01-24 杭州安恒信息技术股份有限公司 Rule-based method for detecting DGA family to which malicious domain name belongs
CN107645503A (en) * 2017-09-20 2018-01-30 杭州安恒信息技术有限公司 A kind of detection method of the affiliated DGA families of rule-based malice domain name
CN107682348A (en) * 2017-10-19 2018-02-09 杭州安恒信息技术有限公司 DGA domain name Quick method and devices based on machine learning
US11755700B2 (en) 2017-11-21 2023-09-12 Group Ib, Ltd Method for classifying user action sequence
US10762352B2 (en) 2018-01-17 2020-09-01 Group Ib, Ltd Method and system for the automatic identification of fuzzy copies of video content
US11503044B2 (en) 2018-01-17 2022-11-15 Group IB TDS, Ltd Method computing device for detecting malicious domain names in network traffic
US11122061B2 (en) 2018-01-17 2021-09-14 Group IB TDS, Ltd Method and server for determining malicious files in network traffic
US11451580B2 (en) 2018-01-17 2022-09-20 Trust Ltd. Method and system of decentralized malware identification
US11475670B2 (en) 2018-01-17 2022-10-18 Group Ib, Ltd Method of creating a template of original video content
US10958684B2 (en) 2018-01-17 2021-03-23 Group Ib, Ltd Method and computer device for identifying malicious web resources
CN108337259A (en) * 2018-02-01 2018-07-27 南京邮电大学 A kind of suspicious web page identification method based on HTTP request Host information
US11005779B2 (en) 2018-02-13 2021-05-11 Trust Ltd. Method of and server for detecting associated web resources
CN108449349B (en) * 2018-03-23 2021-01-26 新华三大数据技术有限公司 Method and device for preventing malicious domain name attack
CN108449349A (en) * 2018-03-23 2018-08-24 新华三大数据技术有限公司 The method and device for preventing malice domain name from attacking
CN109889616A (en) * 2018-05-21 2019-06-14 新华三信息安全技术有限公司 A kind of method and device identifying domain name
CN109246074A (en) * 2018-07-23 2019-01-18 北京奇虎科技有限公司 Identify method, apparatus, server and the readable storage medium storing program for executing of suspicious domain name
CN112771523A (en) * 2018-08-14 2021-05-07 北京嘀嘀无限科技发展有限公司 System and method for detecting a generated domain
US11153351B2 (en) 2018-12-17 2021-10-19 Trust Ltd. Method and computing device for identifying suspicious users in message exchange systems
CN109936560A (en) * 2018-12-27 2019-06-25 上海银行股份有限公司 Malware means of defence and device
US11431749B2 (en) 2018-12-28 2022-08-30 Trust Ltd. Method and computing device for generating indication of malicious web resources
US11934498B2 (en) 2019-02-27 2024-03-19 Group Ib, Ltd Method and system of user identification
CN110233830A (en) * 2019-05-20 2019-09-13 中国银行股份有限公司 Domain name identification and domain name identification model generation method, device and storage medium
CN110401632A (en) * 2019-06-20 2019-11-01 国网辽宁省电力有限公司信息通信分公司 A kind of malice domain name infection host source tracing method
CN110401632B (en) * 2019-06-20 2022-02-15 国网辽宁省电力有限公司信息通信分公司 Malicious domain name infected host tracing method
CN110392064A (en) * 2019-09-04 2019-10-29 中国工商银行股份有限公司 Risk Identification Method, calculates equipment and computer readable storage medium at device
CN110392064B (en) * 2019-09-04 2022-03-15 中国工商银行股份有限公司 Risk identification method and device, computing equipment and computer readable storage medium
CN111078860A (en) * 2019-11-27 2020-04-28 北京小米移动软件有限公司 Text screening method, text screening device and electronic equipment
CN111078860B (en) * 2019-11-27 2023-04-11 北京小米移动软件有限公司 Text screening method, text screening device and electronic equipment
US11526608B2 (en) 2019-12-05 2022-12-13 Group IB TDS, Ltd Method and system for determining affiliation of software to software families
US11250129B2 (en) 2019-12-05 2022-02-15 Group IB TDS, Ltd Method and system for determining affiliation of software to software families
US11356470B2 (en) 2019-12-19 2022-06-07 Group IB TDS, Ltd Method and system for determining network vulnerabilities
CN111181937A (en) * 2019-12-20 2020-05-19 北京丁牛科技有限公司 Domain name detection method, device, equipment and system
CN113098989B (en) * 2020-01-09 2023-02-03 深信服科技股份有限公司 Dictionary generation method, domain name detection method, device, equipment and medium
CN113098989A (en) * 2020-01-09 2021-07-09 深信服科技股份有限公司 Dictionary generation method, domain name detection method, device, equipment and medium
US11151581B2 (en) 2020-03-04 2021-10-19 Group-Ib Global Private Limited System and method for brand protection based on search results
US12135786B2 (en) 2020-03-10 2024-11-05 F.A.C.C.T. Network Security Llc Method and system for identifying malware
CN111654504A (en) * 2020-06-10 2020-09-11 北京天融信网络安全技术有限公司 DGA domain name detection method and device
CN111935097A (en) * 2020-07-16 2020-11-13 上海斗象信息科技有限公司 Method for detecting DGA domain name
CN111935097B (en) * 2020-07-16 2022-07-19 上海斗象信息科技有限公司 Method for detecting DGA domain name
US11847223B2 (en) 2020-08-06 2023-12-19 Group IB TDS, Ltd Method and system for generating a list of indicators of compromise
CN112929370A (en) * 2021-02-08 2021-06-08 丁牛信息安全科技(江苏)有限公司 Domain name system hidden channel detection method and device
CN112929370B (en) * 2021-02-08 2022-10-18 丁牛信息安全科技(江苏)有限公司 Domain name system hidden channel detection method and device
US11947572B2 (en) 2021-03-29 2024-04-02 Group IB TDS, Ltd Method and system for clustering executable files
US11985147B2 (en) 2021-06-01 2024-05-14 Trust Ltd. System and method for detecting a cyberattack
US12088606B2 (en) 2021-06-10 2024-09-10 F.A.C.C.T. Network Security Llc System and method for detection of malicious network resources
CN113329035A (en) * 2021-06-29 2021-08-31 深信服科技股份有限公司 Method and device for detecting attack domain name, electronic equipment and storage medium
CN114285627B (en) * 2021-12-21 2023-12-22 安天科技集团股份有限公司 Flow detection method and device, electronic equipment and computer readable storage medium
CN114285627A (en) * 2021-12-21 2022-04-05 安天科技集团股份有限公司 Flow detection method and device, electronic equipment and computer readable storage medium
CN114363060B (en) * 2021-12-31 2024-08-20 深信服科技股份有限公司 Domain name detection method, system, equipment and computer readable storage medium
CN114363060A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Domain name detection method, system, equipment and computer readable storage medium
CN116599861A (en) * 2023-07-18 2023-08-15 海马云(天津)信息技术有限公司 Method for detecting cloud service abnormality, server device and storage medium

Similar Documents

Publication Publication Date Title
CN106713312A (en) Method and device for detecting illegal domain name
CN111428231B (en) Safety processing method, device and equipment based on user behaviors
CN106790019B (en) Encryption method for recognizing flux and device based on feature self study
CN105827594B (en) A kind of dubiety detection method based on domain name readability and domain name mapping behavior
CN107579956B (en) User behavior detection method and device
CN111262722A (en) Safety monitoring method for industrial control system network
CN112019651B (en) DGA domain name detection method using depth residual error network and character-level sliding window
CN106790023A (en) Network security Alliance Defense method and apparatus
CN110830490B (en) Malicious domain name detection method and system based on area confrontation training deep network
CN107360145B (en) Multi-node honeypot system and data analysis method thereof
CN106961419A (en) WebShell detection methods, apparatus and system
CN109005145A (en) A kind of malice URL detection system and its method extracted based on automated characterization
CN105072214B (en) C&C domain name recognition methods based on domain name feature
CN104615760A (en) Phishing website recognizing method and phishing website recognizing system
CN110149266A (en) Spam filtering method and device
CN112073550B (en) DGA domain name detection method fusing character-level sliding window and depth residual error network
CN113905016A (en) DGA domain name detection method, detection device and computer storage medium
CN112073551A (en) DGA domain name detection system based on character-level sliding window and depth residual error network
CN110365636B (en) Method and device for judging attack data source of industrial control honeypot
CN115021997B (en) Network intrusion detection system based on machine learning
CN114553523A (en) Attack detection method and device based on attack detection model, medium and equipment
CN117478433B (en) Network and information security dynamic early warning system
CN111224941A (en) Threat type identification method and device
Harbola et al. Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set
CN110855716B (en) Self-adaptive security threat analysis method and system for counterfeit domain names

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170524

RJ01 Rejection of invention patent application after publication