CN114363060A - Domain name detection method, system, equipment and computer readable storage medium - Google Patents
Publication number: CN114363060A (application CN202111679384.0A)
Authority: CN (China)
Prior art keywords: target, domain name, file, determining, section
Legal status: Granted (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
Abstract
The application discloses a domain name detection method, system, device and computer-readable storage medium. The method obtains a target PE file on a target device, parses the target domain name carried in the target PE file, and detects the target domain name to obtain a corresponding detection result. Because the target domain name is parsed directly from the PE file on the target device and then detected, domain names can be detected on the basis of PE files, which extends the available detection approaches and can improve detection accuracy. The domain name detection system, electronic device and computer-readable storage medium provided by the application solve the corresponding technical problems in the same way.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, a system, a device, and a computer-readable storage medium for domain name detection.
Background
During the operation of a device such as a server, an attacker may attack the device, for example through a botnet: a large number of hosts are infected with bot programs by one or more propagation means, so that a one-to-many controllable network is formed between the controller and the infected hosts. To secure the device it is therefore necessary to detect botnet domain names and the like, so that protection can be applied on the basis of those domain names.
For example, malicious domain names can be extracted by analyzing the abnormal traffic a sample emits in a sandbox, but this is limited by the sandbox environment and by the sample's anti-analysis measures, such as packing, code obfuscation and execution-chain checks, so the sandbox cannot reliably observe the traffic the file sample would emit, and the domain names cannot be accurately detected.
In summary, how to improve the accuracy of domain name detection is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a domain name detection method that can, to a certain extent, solve the technical problem of improving the accuracy of domain name detection. The application also provides a domain name detection system, an electronic device and a computer-readable storage medium.
In order to achieve the above purpose, the present application provides the following technical solutions:
a domain name detection method, comprising:
acquiring a target PE file in target equipment;
analyzing a target domain name carried in the target PE file;
and detecting the target domain name to obtain a corresponding detection result.
Preferably, parsing the target domain name carried in the target PE file includes:
determining a target section table that records domain name information in the target PE file;
reading the target data stored in the storage space referenced by the target section table;
and screening the target domain name out of the target data.
Preferably, determining the target section table that records domain name information in the target PE file includes:
determining the header address of the target PE file;
determining each section table in the target PE file based on the header address;
and determining the section table whose section name carries the target character string as the target section table;
where the target character string includes the data character string.
Preferably, determining each section table in the target PE file based on the header address includes:
determining the starting position of the section tables in the target PE file based on the header address;
determining the number of section tables in the target PE file based on the header address;
and determining each section table based on the starting position of the section tables, the size value of a section table and the number of section tables.
Preferably, reading the target data stored in the storage space referenced by the target section table includes:
determining, from the target section table, the section starting position in the storage space of the target section corresponding to the target section table;
determining, from the target section table, the byte value of the target section and the initialized data size value of the target section in the storage space;
determining the maximum of the byte value and the data size value as the length value of the target data;
and determining, in the storage space, the data of the length value beginning at the section starting position as the target data.
Preferably, detecting the target domain name to obtain a corresponding detection result includes:
if the target domain name contains no word and/or pinyin, obtaining a detection result representing that the target domain name is a botnet domain name.
Preferably, detecting the target domain name to obtain a corresponding detection result includes:
aggregating the target domain names to obtain groups of aggregated domain names;
and if the grammatical patterns of the target domain names within an aggregated group are the same, obtaining a detection result representing that the target domain names in that group are botnet domain names.
Preferably, detecting the target domain name to obtain a corresponding detection result includes:
if the occurrence frequency of the target domain name across different target PE files is greater than a preset frequency, obtaining a detection result representing that the target domain name is a botnet domain name.
Preferably, after detecting the target domain name and obtaining the corresponding detection result, the method further includes:
performing false-alarm reduction on the target domain name based on a preset white domain name library;
where the white domain name library is a domain name library storing safe domain names.
A domain name detection system, comprising:
the PE file acquisition module is used for acquiring a target PE file in target equipment;
the domain name analyzing module is used for analyzing a target domain name carried in the target PE file;
and the domain name detection module is used for detecting the target domain name to obtain a corresponding detection result.
An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the domain name detection method as described in any one of the above when executing the computer program.
A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the domain name detection method according to any one of the preceding claims.
According to the domain name detection method provided by the application, a target PE file on a target device is obtained, the target domain name carried in the target PE file is parsed, and the target domain name is detected to obtain a corresponding detection result. Because the target domain name is parsed from the PE file on the target device and then detected, domain names can be detected on the basis of PE files, which extends the available detection approaches and can improve detection accuracy. The domain name detection system, the electronic device and the computer-readable storage medium provided by the application solve the corresponding technical problems in the same way.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a first flowchart of a domain name detection method according to an embodiment of the present disclosure;
fig. 2 is a second flowchart of a domain name detection method according to an embodiment of the present disclosure;
fig. 3 is a third flowchart of a domain name detection method according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a domain name detection system according to an embodiment of the present application;
fig. 5 is a schematic diagram of a hardware component structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a first flowchart of a domain name detection method according to an embodiment of the present disclosure.
The domain name detection method provided by the embodiment of the application can comprise the following steps:
Step S101: acquire a target PE file on the target device.
In practice, the target PE file on the target device may be obtained first, for example by collecting the PE files on the target device in real time. It should be noted that the format of the PE (Portable Executable) file in the present application may be chosen according to the specific application scenario; for example, the PE file may be an EXE, DLL, OCX, SYS or COM file.
Step S102: parse the target domain name carried in the target PE file.
Step S103: detect the target domain name to obtain a corresponding detection result.
In practice, after the target PE file on the target device has been obtained, the target domain name carried in the target PE file can be parsed, and the target domain name detected to obtain a corresponding detection result.
It can be understood that the way the target domain name is detected may be chosen according to the specific application scenario. For example:
- It may be checked directly whether the target domain name contains a word and/or pinyin. If it does not, the target domain name is considered to consist of random characters, and a detection result representing that the target domain name is a botnet domain name may be generated.
- Several target domain names may be aggregated into groups of aggregated domain names and the grammatical pattern of the target domain names in each group analyzed. If the grammatical patterns of the target domain names in a group are the same, a detection result representing that those target domain names are botnet domain names may be generated. For example, if the target domain names in one group are abc123.com, bcd456.com and qwe147.com, each being 3 letters followed by 3 digits, the three domain names may be considered botnet domain names.
- The target domain name may also be detected according to its occurrence frequency; for example, a target domain name whose number of occurrences across different target PE files exceeds a preset frequency is marked as a botnet domain name.
These are examples only; the detection method is not specifically limited here.
In a specific application scenario, after the target domain name has been detected and the corresponding detection result obtained, false-alarm reduction may be applied to the target domain name on the basis of a preset white domain name library, in order to further ensure the accuracy of the detected botnet domain names. The white domain name library stores safe domain names, such as domain names with ICP registration records, domain names that have a main website, and common functional domain names, where common functional domain names may be NTP domain names, "what is my IP" query domain names, Microsoft domain names and the like. That is, if a target domain name whose detection result is "botnet domain name" appears in the white domain name library, its detection result may be adjusted to "non-botnet domain name" or the like.
According to the domain name detection method provided by the application, a target PE file on a target device is obtained, the target domain name carried in the target PE file is parsed, and the target domain name is detected to obtain a corresponding detection result. Because the target domain name is parsed from the PE file on the target device and then detected, domain names can be detected on the basis of PE files, which extends the available detection approaches and can improve detection accuracy.
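The three detection rules and the white-list step described above, as an added Python example that is not the patent's own code: it takes the domains extracted from several PE files, flags labels with no dictionary word or pinyin syllable, clusters labels by their letter/digit grammar pattern, counts in how many files each domain occurs, and finally suppresses anything in the white domain name library. The dictionary, the white list, the thresholds and the sample domains are constructed here for illustration.

```python
import re
from collections import Counter, defaultdict
from itertools import groupby
from typing import Dict, Iterable, List, Set

# Constructed mini-dictionary: a few English words plus a few pinyin syllables.
# A real deployment loads a full word list and the complete pinyin syllable table.
DICTIONARY: Set[str] = {
    "update", "mail", "cloud", "time", "news", "shop",
    "bai", "du", "tao", "bao", "wang", "xin", "hao",
}

# Constructed stand-in for the "white domain name library" (NTP hosts, vendor update hosts, ...).
WHITE_DOMAINS: Set[str] = {"time.windows.com", "pool.ntp.org", "update.example-vendor.com"}


def registrable_label(domain: str) -> str:
    """Label left of the suffix: 'abc123' for 'abc123.com'.
    Simplification: the last label is taken as the suffix; a real parser uses the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def contains_word(label: str, dictionary: Set[str] = DICTIONARY) -> bool:
    """Rule 1 input: does any dictionary word or pinyin syllable occur inside the label?"""
    return any(word in label for word in dictionary)


def grammar_pattern(label: str) -> str:
    """Rule 2 input: run-length class pattern of the label, e.g. 'abc123' -> 'L3D3', 'a-b' -> 'L1S1L1'."""
    classes = "".join("L" if c.isalpha() else "D" if c.isdigit() else "S" for c in label)
    return "".join(f"{cls}{len(list(run))}" for cls, run in groupby(classes))


def detect(domains_by_file: Dict[str, Iterable[str]],
           min_cluster: int = 3, max_files: int = 2) -> Dict[str, List[str]]:
    """Apply the three rules to the domains extracted per PE file, then suppress white-listed names.

    Returns {domain: [reasons]} for every domain flagged as a botnet domain.
    min_cluster and max_files are assumed thresholds; the patent leaves them to the deployment.
    """
    occurrences: Counter = Counter()
    for domains in domains_by_file.values():
        occurrences.update({d.lower() for d in domains})   # count each domain once per file

    reasons: Dict[str, List[str]] = defaultdict(list)

    # Rule 1: no word and no pinyin inside the label -> treated as random characters.
    for domain in occurrences:
        if not contains_word(registrable_label(domain)):
            reasons[domain].append("no word or pinyin")

    # Rule 2: aggregate by grammar pattern; a large enough cluster sharing one pattern is flagged.
    # Assumption: single-run patterns such as 'L6' match every plain word, so only mixed patterns count.
    clusters: Dict[str, List[str]] = defaultdict(list)
    for domain in occurrences:
        pattern = grammar_pattern(registrable_label(domain))
        if len({c for c in pattern if c.isalpha()}) > 1:
            clusters[pattern].append(domain)
    for pattern, members in clusters.items():
        if len(members) >= min_cluster:
            for domain in members:
                reasons[domain].append(f"shared grammar pattern {pattern}")

    # Rule 3: the same domain carried by more than max_files distinct PE files.
    for domain, count in occurrences.items():
        if count > max_files:
            reasons[domain].append(f"appears in {count} PE files")

    # False-alarm reduction: anything in the white domain name library is not reported.
    return {d: why for d, why in reasons.items() if d not in WHITE_DOMAINS}


# Constructed sample: domains as they would come out of the PE-parsing step, per file.
SAMPLE: Dict[str, List[str]] = {
    "sample_a.exe": ["abc123.com", "time.windows.com", "xkqzvp.net", "news12.net"],
    "sample_b.exe": ["bcd456.com", "xkqzvp.net", "pool.ntp.org", "shop34.net"],
    "sample_c.exe": ["qwe147.com", "xkqzvp.net", "taobao.com", "mail56.net"],
}

if __name__ == "__main__":
    for domain, why in sorted(detect(SAMPLE).items()):
        print(f"{domain:28s} botnet: {'; '.join(why)}")
```

Note that rule 2 on its own also clusters news12.net, shop34.net and mail56.net, which pass the word check; that is the patent's rule as stated, and the white list is the only corrective the method provides.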
Referring to fig. 2, fig. 2 is a second flowchart of a domain name detection method according to an embodiment of the present application.
The domain name detection method provided by the embodiment of the application can comprise the following steps:
Step S201: acquire a target PE file on the target device.
Step S202: determine a target section table that records the domain name information in the target PE file.
Step S203: read the target data stored in the storage space referenced by the target section table.
Step S204: screen the target domain name out of the target data.
In a practical application scenario, the real content of a PE file is divided into blocks called sections, and the target domain name is recorded in the storage space corresponding to the relevant section. Therefore, when parsing the target domain name carried in the target PE file, the target section table that records domain name information in the target PE file may be determined first; then the target data stored in the storage space referenced by the target section table is read; and finally the target domain name is screened out of the target data, so that the target domain name can be found quickly.
It should be noted that, because in every PE file the section name of the section table that records domain names carries the data character string, the target section table can be determined as follows: the header address of the target PE file is determined; each section table in the target PE file is determined based on the header address; and the section table whose section name carries the target character string is determined as the target section table, where the target character string includes the data character string.
Step S205: detect the target domain name to obtain a corresponding detection result.
Referring to fig. 3, fig. 3 is a third flowchart of a domain name detection method according to an embodiment of the present application.
The domain name detection method provided by the embodiment of the application can comprise the following steps:
Step S301: acquire a target PE file on the target device.
Step S302: determine the header address of the target PE file.
In practice, the header address of the target PE file is determined by taking the data in the 37th, 38th, 39th and 40th bytes counted from the beginning of the target PE file (i.e., the DOS header) and arranging them in reverse order. Assuming those four bytes hold 01, 02, 03 and 04, the header address of the target PE file is 04030201.
Step S303: determine the starting position of the section tables in the target PE file based on the header address.
Step S304: determine the number of section tables in the target PE file based on the header address.
Step S305: determine each section table based on the starting position of the section tables, the size value of a section table and the number of section tables.
In practice, each section table in the target PE file is determined from the header address as follows: the starting position of the section tables in the target PE file is determined from the header address; the number of section tables in the target PE file is determined from the header address; and each section table is then determined from the starting position of the section tables, the size value of a section table and the number of section tables.
Specifically, to determine the starting position of the section tables from the header address, the file header is located from the header address and the size value of the file header, and the data in the 17th and 18th bytes after the file header are concatenated to obtain the starting position of the section tables in the target PE file.
Specifically, to determine the number of section tables from the header address, the data in the 3rd and 4th bytes after the file header are concatenated to obtain the number of section tables in the target PE file.
Specifically, to determine each section table from the starting position, the size value and the number of section tables: since the starting position of the section tables is the starting position of the first section table and the size value of a section table is known, that many bytes are read from the starting position, giving the data of the first section table; the same number of bytes are then read from the end of the first section table, giving the data of the second section table; and so on, until every section table has been obtained.
Step S306: determine the section table whose section name carries the target character string as the target section table; the target character string includes the data character string.
Step S307: determine, from the target section table, the section starting position in the storage space of the target section corresponding to the target section table.
Step S308: determine, from the target section table, the byte value of the target section and the initialized data size value of the target section in the storage space.
Step S309: determine the maximum of the byte value and the data size value as the length value of the target data.
Step S310: in the storage space, determine the data of the length value following the section starting position as the target data.
In practice, the target data stored in the storage space referenced by the target section table is read as follows: the section starting position in the storage space of the target section corresponding to the target section table is determined from the target section table; the byte value of the target section and the initialized data size value of the target section in the storage space are determined from the target section table; the maximum of the byte value and the data size value is taken as the length value of the target data; and, in the storage space, the data of the length value following the section starting position is taken as the target data.
Specifically, to determine the section starting position of the target section in the storage space, the data in bytes 21, 22, 23 and 24 of the target section table are concatenated to obtain the section starting position.
Specifically, to determine the byte value of the target section and the initialized data size value of the target section in the storage space, the data in the 9th, 10th, 11th and 12th bytes of the target section table are concatenated to obtain the byte value of the target section, and the data in the 17th, 18th, 19th and 20th bytes of the target section table are concatenated to obtain the initialized data size value of the target section in the storage space.
Step S311: screen the target domain name out of the target data.
In practice, when screening the target domain name out of the target data, the data in the target data that have the form of the Host part of a URL (Uniform Resource Locator) and end in a domain-name suffix (generic, country-code, etc.) may be filtered and retained, while common file suffixes are removed, so that the target domain name is obtained. In addition, domain names may be filtered against the Root Zone Database published by IANA (Internet Assigned Numbers Authority), which records all top-level domain suffixes; this is not specifically limited here.
Step S312: detect the target domain name to obtain a corresponding detection result.
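The header walk of steps S302 to S311, as an added Python example that is not the patent's code. It locates the section table using the standard PE field offsets (e_lfanew at offset 0x3C, NumberOfSections and SizeOfOptionalHeader in the COFF header, VirtualSize, SizeOfRawData and PointerToRawData in each 40-byte section header), reads max(VirtualSize, SizeOfRawData) bytes of every section whose name carries "data", and keeps host-shaped strings whose suffix is in a TLD list while dropping file names. The TLD set, the file-suffix list and the minimal PE image it parses are constructed here.

```python
import re
import struct
from typing import Dict, List, NamedTuple, Set

# Constructed stand-in for the IANA Root Zone Database; real code loads the full TLD list.
TLDS: Set[str] = {"com", "net", "org", "cn", "io"}
# Common file suffixes that would otherwise look like a domain ending (kernel32.dll, gate.php, ...).
FILE_SUFFIXES: Set[str] = {"dll", "exe", "sys", "ocx", "php", "txt", "dat"}

DOS_HEADER_SIZE = 64        # IMAGE_DOS_HEADER
E_LFANEW_OFFSET = 0x3C      # e_lfanew: file offset of the PE signature (the "header address")
COFF_HEADER_SIZE = 20       # IMAGE_FILE_HEADER, follows the 4-byte "PE\0\0" signature
SECTION_HEADER_SIZE = 40    # IMAGE_SECTION_HEADER


class SectionHeader(NamedTuple):
    name: str
    virtual_size: int   # VirtualSize, section header bytes 9-12
    raw_size: int       # SizeOfRawData, bytes 17-20
    raw_ptr: int        # PointerToRawData, bytes 21-24


def parse_section_headers(pe: bytes) -> List[SectionHeader]:
    """Walk header address -> COFF header -> section table, one 40-byte entry per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_header = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)[0]   # little-endian DWORD
    if pe[pe_header:pe_header + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_header + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections, bytes 3-4
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]          # SizeOfOptionalHeader, bytes 17-18
    table_start = coff + COFF_HEADER_SIZE + opt_size
    if table_start + num_sections * SECTION_HEADER_SIZE > len(pe):
        raise ValueError("section table runs past the end of the file")
    headers: List[SectionHeader] = []
    for i in range(num_sections):
        off = table_start + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virtual_size, _virtual_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        headers.append(SectionHeader(name, virtual_size, raw_size, raw_ptr))
    return headers


def read_section_data(pe: bytes, hdr: SectionHeader) -> bytes:
    """Read max(VirtualSize, SizeOfRawData) bytes at PointerToRawData, as the method specifies.
    Caveat: if VirtualSize exceeds SizeOfRawData the slice runs on into whatever follows on disk."""
    length = max(hdr.virtual_size, hdr.raw_size)
    return pe[hdr.raw_ptr:hdr.raw_ptr + length]


# Host-shaped ASCII token: dotted labels ending in an alphabetic top-level label.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.IGNORECASE)


def extract_domains(data: bytes) -> List[str]:
    """Keep tokens whose suffix is a known TLD and drop file names (ASCII strings only)."""
    found: List[str] = []
    for match in DOMAIN_RE.finditer(data):
        candidate = match.group(0).decode("ascii").lower()
        suffix = candidate.rsplit(".", 1)[1]
        if suffix in FILE_SUFFIXES or suffix not in TLDS:
            continue
        if candidate not in found:
            found.append(candidate)
    return found


def domains_from_pe(pe: bytes, marker: str = "data") -> List[str]:
    """Select the sections whose name carries 'data' (.data, .rdata, ...) and extract domains."""
    out: List[str] = []
    for hdr in parse_section_headers(pe):
        if marker not in hdr.name.lower():
            continue
        for domain in extract_domains(read_section_data(pe, hdr)):
            if domain not in out:
                out.append(domain)
    return out


def build_sample_pe(sections: Dict[str, bytes]) -> bytes:
    """Assemble a minimal PE-shaped image (no optional header, not executable) to exercise the parser."""
    count = len(sections)
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", DOS_HEADER_SIZE)
    coff = struct.pack("<HHIIIHH", 0x14C, count, 0, 0, 0, 0, 0x0102)   # i386, SizeOfOptionalHeader 0
    raw_ptr = DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + count * SECTION_HEADER_SIZE
    table, payload = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIII", name.encode("ascii"), len(data), 0x1000, len(data), raw_ptr)
        table += b"\0" * 16          # relocation / line-number / characteristics fields unused here
        payload += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + payload


# Constructed sample image: the domain in .text is never scanned; .data yields the candidates.
SAMPLE_PE = build_sample_pe({
    ".text": b"\x55\x8b\xec\x90\xc3http://abc123.com/x\0",
    ".data": b"kernel32.dll\0http://c2.xkqzvp.net/gate.php\0update.example-vendor.com\0pool.ntp.org\0v1.2.3\0",
})

if __name__ == "__main__":
    print(domains_from_pe(SAMPLE_PE))
```

Wide (UTF-16) strings, which Windows binaries commonly carry, are not covered by the ASCII regex and need a second pass.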
Referring to fig. 4, fig. 4 is a schematic structural diagram of a domain name detection system according to an embodiment of the present disclosure.
The domain name detection system provided by the embodiment of the application can include:
a PE file obtaining module 101, configured to obtain a target PE file on a target device;
a domain name parsing module 102, configured to parse the target domain name carried in the target PE file;
and a domain name detection module 103, configured to detect the target domain name to obtain a corresponding detection result.
In the domain name detection system provided in the embodiment of the present application, the domain name parsing module may be specifically configured to: determine a target section table that records domain name information in the target PE file; read the target data stored in the storage space referenced by the target section table; and screen the target domain name out of the target data.
In the domain name detection system provided in the embodiment of the present application, the domain name parsing module may be specifically configured to: determine the header address of the target PE file; determine each section table in the target PE file based on the header address; and determine the section table whose section name carries the target character string as the target section table, the target character string including the data character string.
In the domain name detection system provided in the embodiment of the present application, the domain name parsing module may be specifically configured to: determine the starting position of the section tables in the target PE file based on the header address; determine the number of section tables in the target PE file based on the header address; and determine each section table based on the starting position of the section tables, the size value of a section table and the number of section tables.
In the domain name detection system provided in the embodiment of the present application, the domain name parsing module may be specifically configured to: determine, from the target section table, the section starting position in the storage space of the target section corresponding to the target section table; determine, from the target section table, the byte value of the target section and the initialized data size value of the target section in the storage space; determine the maximum of the byte value and the data size value as the length value of the target data; and, in the storage space, determine the data of the length value following the section starting position as the target data.
In the domain name detection system provided in the embodiment of the present application, the domain name detection module may be specifically configured to: if the target domain name contains neither a word nor pinyin, obtain a detection result representing that the target domain name is a botnet domain name.
In the domain name detection system provided in the embodiment of the present application, the domain name detection module may be specifically configured to: aggregate several target domain names to obtain groups of aggregated domain names; and if the grammatical patterns of the target domain names within an aggregated group are the same, obtain a detection result representing that the target domain names in that group are botnet domain names.
In the domain name detection system provided in the embodiment of the present application, the domain name detection module may be specifically configured to: if the number of occurrences of the target domain name across different target PE files is greater than a preset number, obtain a detection result representing that the target domain name is a botnet domain name.
The domain name detection system provided by the embodiment of the application may further include a false-alarm reduction module, configured to perform false-alarm reduction on the target domain name based on a preset white domain name library after the domain name detection module has detected the target domain name and obtained the corresponding detection result; the white domain name library is a domain name library storing safe domain names.
Based on the hardware implementation of the above program modules, and in order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides an electronic device. Fig. 5 is a schematic diagram of the hardware composition of the electronic device according to the embodiment of the present invention; as shown in fig. 5, the electronic device includes:
a communication interface 1, capable of exchanging information with other devices such as network devices;
and a processor 2, connected to the communication interface 1 to exchange information with other devices, and configured, when running a computer program, to execute the method provided by one or more of the above technical solutions. The computer program is stored in the memory 3.
In practice, of course, the various components of the electronic device are coupled together by a bus system 4. It will be appreciated that the bus system 4 enables connection and communication between these components. Besides a data bus, the bus system 4 includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labeled bus system 4 in fig. 5.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be volatile memory or non-volatile memory, and may include both. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferroelectric Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk or tape storage. The volatile memory may be a Random Access Memory (RAM), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM) and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present invention is intended to include, without being limited to, these and any other suitable types of memory.
The method disclosed by the above embodiment of the present invention can be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present invention are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present invention further provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program, which is executable by a processor 2 to perform the steps of the aforementioned method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The above-described device embodiments are only illustrative, for example, the division of the unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments may be implemented by program instructions executed by the relevant hardware; the program may be stored in a computer readable storage medium and, when executed, performs the steps of the method embodiments. The aforementioned storage medium includes a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, if the integrated unit of the present invention is implemented in the form of a software functional module and sold or used as a separate product, it may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. The aforementioned storage medium includes a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
For a description of a relevant part in the domain name detection system, the electronic device, and the computer-readable storage medium provided in the embodiment of the present application, reference is made to detailed descriptions of a corresponding part in the domain name detection method provided in the embodiment of the present application, and details are not repeated here. In addition, parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of corresponding technical solutions in the prior art, are not described in detail so as to avoid redundant description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (12)
1. A domain name detection method is characterized by comprising the following steps:
acquiring a target PE file in target equipment;
parsing out a target domain name carried in the target PE file;
and detecting the target domain name to obtain a corresponding detection result.
2. The method according to claim 1, wherein parsing out the target domain name carried in the target PE file comprises:
determining a target section table that records domain name information in the target PE file;
reading target data stored by the target section table in a storage space;
and screening the target domain name from the target data.
3. The method according to claim 2, wherein determining the target section table that records domain name information in the target PE file comprises:
determining a header address of the target PE file;
determining each section table in the target PE file based on the header address;
determining the section table carrying the target character string in the section name as the target section table;
the target character string comprises a data character string.
4. The method according to claim 3, wherein determining each section table in the target PE file based on the header address comprises:
determining a starting position of the section tables in the target PE file based on the header address;
determining a size value and a number value of the section tables in the target PE file based on the header address;
and determining each section table based on the starting position of the section tables, the size value of the section tables and the number value.
5. The method according to claim 4, wherein reading the target data stored by the target section table in the storage space comprises:
determining, from the target section table, the section starting position in the storage space of the target section corresponding to the target section table;
determining, from the target section table, the byte value of the target section and the initialized data size value of the target section in the storage space;
determining the larger of the byte value and the data size value as the length value of the target data;
and determining the data of the length value, starting at the section starting position in the storage space, as the target data.
6. The method according to any one of claims 1 to 5, wherein the detecting the target domain name to obtain a corresponding detection result comprises:
and if the target domain name does not contain words and/or pinyin, obtaining the detection result representing that the target domain name is a botnet domain name.
7. The method according to any one of claims 1 to 5, wherein the detecting the target domain name to obtain a corresponding detection result comprises:
aggregating the target domain names to obtain each aggregated domain name;
and if the grammatical modes of the target domain names in an aggregated domain name are the same, obtaining the detection result representing that the target domain names in the aggregated domain name are botnet domain names.
8. The method according to any one of claims 1 to 5, wherein the detecting the target domain name to obtain a corresponding detection result comprises:
and if the frequency with which the target domain name occurs in different target PE files is greater than a preset frequency, obtaining the detection result representing that the target domain name is a botnet domain name.
9. The method according to claim 1, wherein after detecting the target domain name and obtaining a corresponding detection result, the method further comprises:
carrying out false alarm reduction processing on the target domain name based on a preset white domain name library;
the white domain name library is a domain name library for storing safe domain names.
10. A domain name detection system, comprising:
the PE file acquisition module is used for acquiring a target PE file in target equipment;
the domain name parsing module is used for parsing out a target domain name carried in the target PE file;
and the domain name detection module is used for detecting the target domain name to obtain a corresponding detection result.
11. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the domain name detection method according to any one of claims 1 to 9 when executing the computer program.
12. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the domain name detection method according to any one of claims 1 to 9.
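The procedure of claims 1 to 9, carried through end to end as an added worked example in Python. This is illustrative code written for this page, not the patent's or any applicant's implementation. It builds a few constructed minimal PE images in memory, walks the section table from e_lfanew (the "header address") to the entries whose names carry the target string "data", reads max(VirtualSize, SizeOfRawData) bytes at PointerToRawData (reading the claims' "byte value" as VirtualSize and "initialized data size value" as SizeOfRawData is an assumption), screens domain-like strings out of those bytes and applies the three botnet heuristics and the white-list filter. The word list, pinyin syllable list, white domain name library, the "grammatical mode" signature and the frequency threshold are constructed placeholders.

```python
import re
import struct
from collections import Counter, defaultdict

SECTION_HEADER_SIZE = 40  # size value of one section table entry (IMAGE_SECTION_HEADER)

# Constructed placeholder lists; a real deployment would load proper dictionaries.
WORDS = {"update", "mail", "cloud", "example", "service", "news"}
PINYIN = {"bai", "du", "wang", "yi", "teng", "xun", "tao", "bao"}
WHITE_DOMAINS = {"update.example.com"}            # preset white domain name library (constructed)
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,10}")


def build_sample_pe(section_name: bytes, payload: bytes) -> bytes:
    """Constructed minimal PE image: DOS header with e_lfanew, PE signature, COFF
    header, empty optional header and a single section that holds the payload."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    raw_ptr = e_lfanew + 4 + 20 + SECTION_HEADER_SIZE          # SizeOfOptionalHeader is 0 here
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # Machine, NumberOfSections, ...
    section = struct.pack("<8sIIIIIIHHI", section_name, len(payload), 0x1000,
                          len(payload), raw_ptr, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + section + payload


def parse_sections(pe: bytes) -> list:
    """Claims 3-4: header address (e_lfanew) -> start of the section table ->
    NumberOfSections entries of SECTION_HEADER_SIZE bytes each.
    Returns (name, VirtualSize, SizeOfRawData, PointerToRawData) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table_start = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table_start + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(pe):       # truncated table: stop, do not crash
            break
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size, raw_ptr))
    return sections


def read_target_data(pe: bytes, target_string: str = "data") -> bytes:
    """Claims 2, 3 and 5: sections whose name carries the target string are the target
    section tables; read max(VirtualSize, SizeOfRawData) bytes at PointerToRawData."""
    data = b""
    for name, vsize, raw_size, raw_ptr in parse_sections(pe):
        if target_string in name:
            data += pe[raw_ptr:raw_ptr + max(vsize, raw_size)]
    return data


def extract_domains(data: bytes) -> list:
    """Screen domain-like strings out of the raw section bytes (claim 2)."""
    return sorted({m.decode() for m in DOMAIN_RE.findall(data.lower())})


def has_word_or_pinyin(domain: str) -> bool:
    labels = domain.split(".")[:-1]                    # the TLD itself is not judged
    return any(tok in label for label in labels for tok in WORDS | PINYIN)


def pattern_signature(domain: str) -> str:
    """The 'grammatical mode' of claim 7, taken here as the shape of the name:
    letters -> a, digits -> 9, dots and hyphens kept (assumption)."""
    return re.sub(r"[a-z]", "a", re.sub(r"[0-9]", "9", domain))


def detect(domains_per_file: dict, freq_threshold: int = 2) -> dict:
    """Claims 6-9 over {file_id: [domains]}. Returns {domain: reason} for hits;
    white-listed domains are dropped first (false alarm reduction, claim 9)."""
    counts = Counter(d for ds in domains_per_file.values() for d in set(ds))
    groups = defaultdict(set)
    for d in counts:
        groups[pattern_signature(d)].add(d)
    verdict = {}
    for d in counts:
        if d in WHITE_DOMAINS:
            continue
        if not has_word_or_pinyin(d):
            verdict[d] = "no word or pinyin"
        elif len(groups[pattern_signature(d)]) > 1:
            verdict[d] = "shared pattern"
        elif counts[d] > freq_threshold:
            verdict[d] = "frequent across files"
    return verdict


def demo() -> tuple:
    """Four constructed PE images; only sections whose names contain 'data' are read."""
    samples = {
        "a": build_sample_pe(b".data", b"\0cfg=update.example.com\0xk7q9zv2lm.net\0"
                             b"news7.xyzq.com\0cloudsync.example.org\0"),
        "b": build_sample_pe(b".rdata", b"xk7q9zv2lm.net\0mail4.qwer.com\0cloudsync.example.org\0"),
        "c": build_sample_pe(b".idata", b"cloudsync.example.org\0xunteng.cn\0"),
        "d": build_sample_pe(b".text", b"zz9q1k.com\0"),  # not a data section: ignored
    }
    per_file = {k: extract_domains(read_target_data(v)) for k, v in samples.items()}
    return per_file, detect(per_file)


if __name__ == "__main__":
    for domain, reason in demo()[1].items():
        print(f"{domain:24s} {reason}")
```

Running the demo flags xk7q9zv2lm.net (no dictionary word or pinyin syllable), news7.xyzq.com and mail4.qwer.com (same shape, claim 7) and cloudsync.example.org (seen in three files, above the threshold of two), while update.example.com is dropped by the white list and xunteng.cn passes on its pinyin syllables. Note that the shape rule fires on any two names of the same length and letter/digit layout, so on real corpora the white domain name library and the frequency threshold are what keep the false-positive rate in check; the parser also only reads what the section headers point at, so a file with a corrupt or truncated section table yields no data rather than an exception.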
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111679384.0A CN114363060B (en) | 2021-12-31 | 2021-12-31 | Domain name detection method, system, equipment and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114363060A true CN114363060A (en) | 2022-04-15 |
CN114363060B CN114363060B (en) | 2024-08-20 |
Family
ID=81105837
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111679384.0A Active CN114363060B (en) | 2021-12-31 | 2021-12-31 | Domain name detection method, system, equipment and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114363060B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100620313B1 (en) * | 2005-06-15 | 2006-09-06 | (주)이월리서치 | The system for detecting malicious code using the structural features of microsoft portable executable and its using method |
CN106713312A (en) * | 2016-12-21 | 2017-05-24 | 深圳市深信服电子科技有限公司 | Method and device for detecting illegal domain name |
CN107392023A (en) * | 2017-07-28 | 2017-11-24 | 浙江九州量子信息技术股份有限公司 | A method for uploading PE files in penetration testing based on evading antivirus software |
US10181035B1 (en) * | 2016-06-16 | 2019-01-15 | Symantec Corporation | System and method for .Net PE file malware detection |
CN110135153A (en) * | 2018-11-01 | 2019-08-16 | 哈尔滨安天科技股份有限公司 | Trusted detection method and device for software |
CN110336789A (en) * | 2019-05-28 | 2019-10-15 | 北京邮电大学 | Domain-flux Botnet detection method based on blended learning |
CN112597494A (en) * | 2020-12-21 | 2021-04-02 | 成都安思科技有限公司 | Behavior white list automatic collection method for malicious program detection |
US20210194879A1 (en) * | 2019-12-20 | 2021-06-24 | Barclays Execution Services Limited | Domain name security in cloud computing environment |
CN113449301A (en) * | 2021-06-22 | 2021-09-28 | 深信服科技股份有限公司 | Sample detection method, device, equipment and computer readable storage medium |
Non-Patent Citations (1)
Title |
---|
杨广翔 (Yang Guangxiang): "Code embedding technology for ELF-format executable programs" (ELF格式可执行程序的代码嵌入技术), 程序员 (Programmer), no. 03, 1 March 2008 (2008-03-01), pages 104-106 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115051861A (en) * | 2022-06-17 | 2022-09-13 | 北京天融信网络安全技术有限公司 | Domain name detection method, device, system and medium |
CN115051861B (en) * | 2022-06-17 | 2024-01-23 | 北京天融信网络安全技术有限公司 | Domain name detection method, device, system and medium |
Also Published As
Publication number | Publication date |
---|---|
CN114363060B (en) | 2024-08-20 |
Similar Documents
Publication | Title |
---|---|
JP2010182019A (en) | Abnormality detector and program |
CN112769775B (en) | Threat information association analysis method, system, equipment and computer medium |
CN112818307B (en) | User operation processing method, system, equipment and computer readable storage medium |
CN111800490B (en) | Method, device and terminal equipment for acquiring network behavior data |
CN107395650B (en) | Method and device for identifying Trojan back connection based on sandbox detection file |
CN114363062B (en) | Domain name detection method, system, equipment and computer readable storage medium |
JPWO2014021190A1 (en) | Program execution device and program analysis device |
JP2008167099A (en) | Device and method for managing security, and program |
CN109783316B (en) | Method and device for identifying tampering behavior of system security log, storage medium and computer equipment |
CN114189390B (en) | Domain name detection method, system, equipment and computer readable storage medium |
CN114363060A (en) | Domain name detection method, system, equipment and computer readable storage medium |
US10275595B2 (en) | System and method for characterizing malware |
JP2018200641A (en) | Abnormality detection program, abnormality detection method, and information processing apparatus |
KR20190070583A (en) | Apparatus and method for generating integrated representation specification data for cyber threat information |
CN109218284B (en) | XSS vulnerability detection method and device, computer equipment and readable medium |
CN113360902A (en) | Detection method and device of shellcode, computer equipment and computer storage medium |
US20150302211A1 (en) | Removable storage medium security system and method thereof |
CN115118464B (en) | Method and device for detecting collapse host, electronic equipment and storage medium |
CN107766196B (en) | Method and device for starting check of computing device |
CN114254331B (en) | Security protection method and device for terminal equipment, electronic equipment and storage medium |
JP2018198000A (en) | Monitoring program, monitoring method and information processing device |
WO2023175954A1 (en) | Information processing device, information processing method, and computer-readable recording medium |
CN115987530A (en) | Log detection method, system, equipment and computer readable storage medium |
CN111353155B (en) | Detection method, device, equipment and medium for process injection |
CN113556308B (en) | Method, system, equipment and computer storage medium for detecting flow security |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |