CN114363060B - Domain name detection method, system, equipment and computer readable storage medium - Google Patents
Domain name detection method, system, equipment and computer readable storage medium Download PDFInfo
- Publication number
- CN114363060B CN114363060B CN202111679384.0A CN202111679384A CN114363060B CN 114363060 B CN114363060 B CN 114363060B CN 202111679384 A CN202111679384 A CN 202111679384A CN 114363060 B CN114363060 B CN 114363060B
- Authority
- CN
- China
- Prior art keywords
- target
- domain name
- file
- byte
- section table
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 96
- 238000000034 method Methods 0.000 claims description 38
- 238000004590 computer program Methods 0.000 claims description 11
- 238000012216 screening Methods 0.000 claims description 8
- 238000012545 processing Methods 0.000 claims description 6
- 230000004931 aggregating effect Effects 0.000 claims description 4
- 230000009467 reduction Effects 0.000 claims description 3
- 238000012163 sequencing technique Methods 0.000 claims 2
- 230000008569 process Effects 0.000 description 15
- 230000001360 synchronised effect Effects 0.000 description 9
- 230000005291 magnetic effect Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 230000003068 static effect Effects 0.000 description 4
- 244000035744 Hura crepitans Species 0.000 description 3
- 230000009471 action Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 230000003993 interaction Effects 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000005856 abnormality Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000005294 ferromagnetic effect Effects 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application discloses a domain name detection method, a domain name detection system, domain name detection equipment and a computer readable storage medium, wherein a target PE file in target equipment is obtained; analyzing a target domain name carried in the target PE file; and detecting the target domain name to obtain a corresponding detection result. In the application, the target domain name can be resolved from the target PE file in the target equipment, and the target domain name can be detected to obtain the corresponding detection result, so that the function of detecting the domain name based on the PE file is realized, the detection mode of the domain name is expanded, and the accuracy of domain name detection can be improved. The domain name detection system, the electronic equipment and the computer readable storage medium provided by the application also solve the corresponding technical problems.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a domain name detection method, system, device, and computer readable storage medium.
Background
In the running process of devices such as a server, an attacker attacks the devices, for example, through a botnet, which refers to a network formed between a controller and an infected host and capable of one-to-many control by adopting one or more propagation means to infect a large number of hosts with bot program (bot program) viruses. Therefore, in order to protect the security of the device, it is necessary to detect domain names of botnets and the like in order to secure based on the corresponding domain names.
For example, malicious domain names can be extracted by analyzing abnormality of the flow released by the sandbox, but the method is limited by the sandbox environment and countermeasures of the sample itself, such as shelling, code confusion, and execution link inspection, so that the flow release condition of the sandbox on the file sample is inaccurate, and the domain names cannot be detected accurately.
In summary, how to improve the accuracy of domain name detection is a problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a domain name detection method which can solve the technical problem of how to improve the accuracy of domain name detection to a certain extent. The application also provides a domain name detection system, electronic equipment and a computer readable storage medium.
In order to achieve the above object, the present application provides the following technical solutions:
a domain name detection method, comprising:
acquiring a target PE file in target equipment;
Analyzing a target domain name carried in the target PE file;
and detecting the target domain name to obtain a corresponding detection result.
Preferably, the analyzing the target domain name carried in the target PE file includes:
determining a target section table for recording domain name information in the target PE file;
reading target data stored in a storage space of the target section table;
And screening the target domain name from the target data.
Preferably, the determining the target section table for recording domain name information in the target PE file includes:
Determining the head address of the target PE file;
determining each section table in the target PE file based on the header address;
determining the section table carrying the target character string in the section name as the target section table;
the target character string comprises a data character string.
Preferably, the determining each section table in the target PE file based on the header address includes:
determining a node table starting position in the target PE file based on the head address;
Determining a numerical value of a section table in the target PE file based on the header address;
And determining each section table based on the section table starting position, the section table size value and the numerical value.
Preferably, the reading the target data stored in the storage space of the target node table includes:
Determining a node starting position of a target node corresponding to the target node table in the storage space in the target node table;
determining byte values of the target section and initialized data size values of the target section in the storage space in the target section table;
Determining the maximum value of the byte value and the data size value as a length value of the target data;
and in the storage space, determining the data corresponding to the length value from the beginning and after the section starting position as the target data.
Preferably, the detecting the target domain name to obtain a corresponding detection result includes:
And if the target domain name does not contain words and/or pinyin, obtaining the detection result representing that the target domain name is the botnet domain name.
Preferably, the detecting the target domain name to obtain a corresponding detection result includes:
aggregating a plurality of target domain names to obtain various aggregated domain names;
And if the grammar patterns of the target domain names in the aggregated domain names are the same, obtaining the detection result representing that the target domain names in the aggregated domain names are botnet domain names.
Preferably, the detecting the target domain name to obtain a corresponding detection result includes:
And if the occurrence times of the target domain name in different target PE files are larger than the preset times, obtaining the detection result representing that the target domain name is the botnet domain name.
Preferably, after detecting the target domain name and obtaining a corresponding detection result, the method further includes:
performing false alarm reduction processing on the target domain name based on a preset white domain name library;
the white domain name library is a domain name library for storing safe domain names.
A domain name detection system, comprising:
the PE file acquisition module is used for acquiring a target PE file in target equipment;
the domain name resolution module is used for resolving a target domain name carried in the target PE file;
and the domain name detection module is used for detecting the target domain name to obtain a corresponding detection result.
An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of any of the domain name detection methods described above when executing the computer program.
A computer readable storage medium having stored therein a computer program which when executed by a processor performs the steps of any of the domain name detection methods described above.
The application provides a domain name detection method, which is used for acquiring a target PE file in target equipment; analyzing a target domain name carried in the target PE file; and detecting the target domain name to obtain a corresponding detection result. In the application, the target domain name can be resolved from the target PE file in the target equipment, and the target domain name can be detected to obtain the corresponding detection result, so that the function of detecting the domain name based on the PE file is realized, the detection mode of the domain name is expanded, and the accuracy of domain name detection can be improved. The domain name detection system, the electronic equipment and the computer readable storage medium provided by the application also solve the corresponding technical problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a first flowchart of a domain name detection method according to an embodiment of the present application;
FIG. 2 is a second flowchart of a domain name detection method according to an embodiment of the present application;
FIG. 3 is a third flowchart of a domain name detection method according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a domain name detection system according to an embodiment of the present application;
fig. 5 is a schematic diagram of a hardware composition structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a first flowchart of a domain name detection method according to an embodiment of the present application.
The domain name detection method provided by the embodiment of the application can comprise the following steps:
step S101: and obtaining a target PE file in the target equipment.
In practical application, the target PE file in the target device may be acquired first, for example, the PE file in the target device may be acquired in real time to obtain the target PE file, etc. It should be noted that, in the present application, the format of the PE file (Portable Executable, portable executable file) may be determined according to a specific application scenario, for example, the format of the PE file may be EXE, DLL, OCX, SYS, COM or the like.
Step S102: and analyzing the target domain name carried in the target PE file.
Step S103: and detecting the target domain name to obtain a corresponding detection result.
In practical application, after the target PE file in the target device is obtained, the target domain name carried in the target PE file can be resolved, and the target domain name is detected, so that a corresponding detection result is obtained.
It can be understood that the detection manner of the target domain name can be determined according to a specific application scenario, for example, whether the target domain name contains words and/or pinyin can be directly detected, if the target domain name does not contain words and/or pinyin, the target domain name is considered to be composed of random characters, and at this time, a detection result representing that the target domain name is a botnet domain name can be generated; the method comprises the steps of obtaining a plurality of target domain names, aggregating the target domain names to obtain various aggregated domain names, analyzing grammar patterns of the target domain names in the aggregated domain names, generating detection results representing that the target domain names in the aggregated domain names are botnet domain names if the grammar patterns of the target domain names in the aggregated domain names are the same, for example, each target domain name in one type of aggregated domain names is abc123.Com, bcd456.Com, qwe147.Com, which are patterns of 3 letters and 3 numbers, and considering that all the three domain names are botnet domain names; the target domain name may also be detected according to the number of occurrences of the target domain name, for example, the target domain name whose number of occurrences in different target PE files is greater than a preset number of occurrences is marked as a botnet domain name, which is not specifically limited herein.
In a specific application scene, after detecting the target domain name and obtaining a corresponding detection result, in order to further ensure the accuracy of the detected botnet domain name, the target domain name can be subjected to false alarm reduction processing based on a preset white domain name library; the white domain name library is a domain name library for storing safe domain names, such as a domain name stored with an ICP record, a domain name with a master station network, a common functional domain name, and the like, wherein the common functional domain name can be an NTP type, a query self IP type, a microsoft type, and the like. That is, if the detection result is that the target domain name of the botnet domain name appears in the white domain name library, the detection result of the target domain name may be adjusted to be the non-botnet domain name or the like.
The application provides a domain name detection method, which is used for acquiring a target PE file in target equipment; analyzing a target domain name carried in the target PE file; and detecting the target domain name to obtain a corresponding detection result. In the application, the target domain name can be resolved from the target PE file in the target equipment, and the target domain name can be detected to obtain the corresponding detection result, so that the function of detecting the domain name based on the PE file is realized, the detection mode of the domain name is expanded, and the accuracy of domain name detection can be improved.
Referring to fig. 2, fig. 2 is a second flowchart of a domain name detection method according to an embodiment of the present application.
The domain name detection method provided by the embodiment of the application can comprise the following steps:
Step S201: and obtaining a target PE file in the target equipment.
Step S202: and determining a target section table for recording domain name information in the target PE file.
Step S203: and reading target data stored in the storage space by the target section table.
Step S204: and screening out the target domain name from the target data.
In the actual application scene, considering that the real content of the PE file is divided into blocks, which are called sections, the target domain name is recorded in the storage space corresponding to the corresponding section, so that in the process of resolving the target domain name carried in the target PE file, the target section table for recording the domain name information in the target PE file can be determined first; reading target data stored in the storage space of the target section table; and finally, screening the target domain name from the target data so as to rapidly screen the target domain name.
It should be noted that, because the section names of the section tables recording the domain names in the PE files all carry the data character string, the header address of the target PE file can be determined in the process of determining the target section table recording the domain name information in the target PE file; determining each section table in the target PE file based on the header address; determining a section table carrying a target character string in the section name as a target section table; the target string includes a data string.
Step S205: and detecting the target domain name to obtain a corresponding detection result.
Referring to fig. 3, fig. 3 is a third flowchart of a domain name detection method according to an embodiment of the present application.
The domain name detection method provided by the embodiment of the application can comprise the following steps:
Step S301: and obtaining a target PE file in the target equipment.
Step S302: and determining the head address of the target PE file.
In practical application, in the process of determining the header address of the target PE file, the header address of the target PE file may be obtained by sorting the data corresponding to the 37 th, 38 th, 39 th and 40 th bytes in reverse order from the beginning position (i.e., DOS header) of the target PE file, and assuming that the data corresponding to the 37 th, 38 th, 39 th and 40 th bytes is 01, 02, 03 and 04, the header address of the target PE file is 04030201.
Step S303: and determining the starting position of the section table in the target PE file based on the head address.
Step S304: the numerical value of the section table in the target PE file is determined based on the header address.
Step S305: each section table is determined based on the section table start position, the section table size value and the numerical value.
In practical application, in the process of determining each section table in the target PE file based on the header address, the starting position of the section table in the target PE file can be determined based on the header address; determining the numerical value of a section table in the target PE file based on the head address; each section table is determined based on the section table start position, the section table size value and the numerical value.
Specifically, in the process of determining the starting position of the section table in the target PE file based on the header address, the header may be determined based on the header address and the header size value, and then the data corresponding to the 17 th byte and the 18 th byte after the header may be concatenated to obtain the starting position of the section table in the target PE file.
Specifically, in the process of determining the numerical value of the section table in the target PE file based on the header address, the data corresponding to the 3 rd byte and the 4 th byte after the header of the file may be concatenated to obtain the numerical value of the section table in the target PE file.
Specifically, in the process of determining each section table based on the section table starting position, the section table size value and the numerical value, since the section table starting position is the starting position of the first section table and the section table size value is also known, the data corresponding to the bytes of the section table size value can be read from the section table starting position, and the data information of the first section table is obtained; then, starting from the end of the first section table, reading the data corresponding to the bytes of the size value of the section table, namely the data information of the second section table; and so on, each section table can be obtained.
Step S306: determining a section table carrying a target character string in the section name as a target section table; the target string includes a data string.
Step S307: and determining the node starting position of the target node corresponding to the target node table in the storage space in the target node table.
Step S308: in the target section table, the byte value of the target section and the initialized data size value of the target section in the storage space are determined.
Step S309: the maximum value of the byte value and the data size value is determined as the length value of the target data.
Step S310: in the storage space, data corresponding to the length values after and at the beginning of the section start position are determined as target data.
In practical application, in the process of reading the target data stored in the storage space of the target section table, the section starting position of the target section corresponding to the target section table in the storage space can be determined in the target section table; in the target section table, determining the byte value of the target section and the initialized data size value of the target section in the storage space; determining the maximum value of the byte value and the data size value as the length value of the target data; in the storage space, data corresponding to the length values after and at the beginning of the section start position are determined as target data.
Specifically, in the process of determining the node starting position of the target node corresponding to the target node table in the storage space in the target node table, the data corresponding to the 21 st, 22 nd, 23 nd and 24 th bytes in the target node table can be connected in series, so as to obtain the node starting position.
Specifically, in the process of determining the byte value of the target section and the initialized data size value of the target section in the storage space in the target section table, the data corresponding to the 9 th, 10 th, 11 th and 12 th bytes in the target section table can be connected in series to obtain the byte value of the target section; and connecting the data corresponding to the 17 th, 18 th, 19 th and 20 th bytes in the target section table in series to obtain the initialized data size value of the target section in the storage space.
Step S311: and screening out the target domain name from the target data.
In practical application, in the process of screening out the target domain name from the target data, the data with the Host as the domain name in the suffix (general/country, etc.) and the URL (Uniform Resource Locator ) belonging to the domain name in the target data can be filtered and reserved, and the common file suffix is removed, so that the target domain name can be obtained. In addition, domain name filtering may be performed based on Root Zone Database given by IANA (INTERNET ASSIGNED Numbers Authority), which is not specifically limited herein, wherein Root Zone Database records all top-level domain name suffixes recorded.
Step S312: and detecting the target domain name to obtain a corresponding detection result.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a domain name detection system according to an embodiment of the present application.
The domain name detection system provided by the embodiment of the application can comprise:
the PE file acquisition module 101 is configured to acquire a target PE file in a target device;
the domain name resolution module 102 is configured to resolve a target domain name carried in the target PE file;
the domain name detection module 103 is configured to detect a target domain name, and obtain a corresponding detection result.
The domain name detection system provided by the embodiment of the application, the domain name resolution module can be specifically used for: determining a target section table for recording domain name information in a target PE file; reading target data stored in a storage space of a target section table; and screening out the target domain name from the target data.
The domain name detection system provided by the embodiment of the application, the domain name resolution module can be specifically used for: determining the head address of a target PE file; determining each section table in the target PE file based on the header address; determining a section table carrying a target character string in the section name as a target section table; the target string includes a data string.
The domain name detection system provided by the embodiment of the application, the domain name resolution module can be specifically used for: determining the starting position of a section table in the target PE file based on the head address; determining the numerical value of a section table in the target PE file based on the head address; each section table is determined based on the section table start position, the section table size value and the numerical value.
The domain name detection system provided by the embodiment of the application, the domain name resolution module can be specifically used for: determining a node starting position of a target node corresponding to a target node table in a storage space in the target node table; in the target section table, determining the byte value of the target section and the initialized data size value of the target section in the storage space; determining the maximum value of the byte value and the data size value as the length value of the target data; in the storage space, data corresponding to the length values after and at the beginning of the section start position are determined as target data.
The domain name detection system provided by the embodiment of the application, the domain name detection module can be specifically used for: and if the target domain name does not contain words and pinyin, obtaining a detection result representing that the target domain name is the botnet domain name.
The domain name detection system provided by the embodiment of the application, the domain name detection module can be specifically used for: aggregating the plurality of target domain names to obtain various aggregated domain names; and if the grammar patterns of the target domain names in the aggregated domain names are the same, obtaining a detection result indicating that the target domain names in the aggregated domain names are botnet domain names.
The domain name detection system provided by the embodiment of the application, the domain name detection module can be specifically used for: and if the occurrence times of the target domain name in different target PE files are greater than the preset times, obtaining a detection result representing that the target domain name is the botnet domain name.
The domain name detection system provided by the embodiment of the application can also comprise a false alarm reducing module, which is used for detecting the target domain name by the domain name detection module, and performing false alarm reducing processing on the target domain name based on a preset white domain name library after a corresponding detection result is obtained; the white domain name library is a domain name library for storing safe domain names.
Based on the hardware implementation of the program module, and in order to implement the method of the embodiment of the present invention, the embodiment of the present invention further provides an electronic device, and fig. 5 is a schematic diagram of a hardware composition structure of the electronic device of the embodiment of the present invention, as shown in fig. 5, where the electronic device includes:
a communication interface 1 capable of information interaction with other devices such as network devices and the like;
And the processor 2 is connected with the communication interface 1 to realize information interaction with other devices and is used for executing the user operation processing method provided by one or more technical schemes when running the computer program. And the computer program is stored on the memory 3.
Of course, in practice, the various components in the electronic device are coupled together by a bus system 4. It will be appreciated that the bus system 4 is used to enable connected communications between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. But for clarity of illustration the various buses are labeled as bus system 4 in fig. 5.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The non-volatile Memory may be, among other things, a Read Only Memory (ROM), a programmable Read Only Memory (PROM, programmable Read-Only Memory), erasable programmable Read-Only Memory (EPROM, erasable Programmable Read-Only Memory), electrically erasable programmable Read-Only Memory (EEPROM, ELECTRICALLY ERASABLE PROGRAMMABLE READ-Only Memory), Magnetic random access Memory (FRAM, ferromagnetic random access Memory), flash Memory (Flash Memory), magnetic surface Memory, optical disk, or compact disk-Only (CD-ROM, compact Disc Read-Only Memory); The magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be random access memory (RAM, random Access Memory) which acts as external cache memory. by way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM, static Random Access Memory), synchronous static random access memory (SSRAM, synchronous Static Random Access Memory), dynamic random access memory (DRAM, dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, synchronous Dynamic Random Access Memory), and, double data rate synchronous dynamic random access memory (DDRSDRAM, double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, syncLink Dynamic RandomAccess Memory), direct memory bus random access memory (DRRAM, direct Rambus Random Access Memory). The memory 3 described in the embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiment of the present invention may be applied to the processor 2 or implemented by the processor 2. The processor 2 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 2 or by instructions in the form of software. The processor 2 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the invention can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 3 and the processor 2 reads the program in the memory 3 to perform the steps of the method described above in connection with its hardware.
The corresponding flow in each method of the embodiments of the present invention is implemented when the processor 2 executes the program, and for brevity, will not be described in detail herein.
In an exemplary embodiment, the present invention also provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program executable by the processor 2 for performing the steps of the method described above. The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The above described device embodiments are only illustrative, e.g. the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.
The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
Or the above-described integrated units of the invention may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in essence or a part contributing to the prior art in the form of a software product stored in a storage medium, including several instructions for causing an electronic device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
The description of the related parts in the domain name detection system, the electronic device and the computer readable storage medium provided in the embodiments of the present application refers to the detailed description of the corresponding parts in the domain name detection method provided in the embodiments of the present application, and will not be repeated here. In addition, the parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of the corresponding technical solutions in the prior art, are not described in detail, so that redundant descriptions are avoided.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (9)
1. A domain name detection method, comprising:
acquiring a target PE file in target equipment;
Analyzing a target domain name carried in the target PE file;
detecting the target domain name to obtain a corresponding detection result;
the analyzing the target domain name carried in the target PE file includes:
From the beginning position of the target PE file, carrying out reverse order sequencing on data corresponding to the 37 th byte, the 38 th byte, the 39 th byte and the 40 th byte to obtain the head address of the target PE file;
determining a file header based on the header address and the file header size value, and concatenating data corresponding to the 17 th byte and the 18 th byte after the file header to obtain a section table starting position in the target PE file;
the data corresponding to the 3 rd byte and the 4 th byte after the file header are connected in series to obtain a numerical value of a section table in the target PE file;
Determining each section table in the target PE file based on the section table starting position, the section table size value and the number value;
determining the section table carrying a target character string in a section name as a target section table recording domain name information in the target PE file, wherein the target character string comprises a data character string;
reading target data stored in a storage space of the target section table;
And screening the target domain name from the target data.
2. The method of claim 1, wherein the reading the target data stored in the storage space of the target section table comprises:
Determining a node starting position of a target node corresponding to the target node table in the storage space in the target node table;
determining byte values of the target section and initialized data size values of the target section in the storage space in the target section table;
Determining the maximum value of the byte value and the data size value as a length value of the target data;
and in the storage space, determining the data corresponding to the length value from the beginning and after the section starting position as the target data.
3. The method according to any one of claims 1 to 2, wherein the detecting the target domain name to obtain a corresponding detection result includes:
And if the target domain name does not contain words and/or pinyin, obtaining the detection result representing that the target domain name is the botnet domain name.
4. The method according to any one of claims 1 to 2, wherein the detecting the target domain name to obtain a corresponding detection result includes:
aggregating a plurality of target domain names to obtain various aggregated domain names;
And if the grammar patterns of the target domain names in the aggregated domain names are the same, obtaining the detection result representing that the target domain names in the aggregated domain names are botnet domain names.
5. The method according to any one of claims 1 to 2, wherein the detecting the target domain name to obtain a corresponding detection result includes:
And if the occurrence times of the target domain name in different target PE files are larger than the preset times, obtaining the detection result representing that the target domain name is the botnet domain name.
6. The method according to claim 1, wherein after detecting the target domain name to obtain a corresponding detection result, further comprising:
performing false alarm reduction processing on the target domain name based on a preset white domain name library;
the white domain name library is a domain name library for storing safe domain names.
7. A domain name detection system, comprising:
the PE file acquisition module is used for acquiring a target PE file in target equipment;
the domain name resolution module is used for resolving a target domain name carried in the target PE file;
the domain name detection module is used for detecting the target domain name to obtain a corresponding detection result;
The domain name resolution module is specifically configured to: from the beginning position of the target PE file, carrying out reverse order sequencing on data corresponding to the 37 th byte, the 38 th byte, the 39 th byte and the 40 th byte to obtain the head address of the target PE file; determining a file header based on the header address and the file header size value, and concatenating data corresponding to the 17 th byte and the 18 th byte after the file header to obtain a section table starting position in the target PE file; the data corresponding to the 3 rd byte and the 4 th byte after the file header are connected in series to obtain a numerical value of a section table in the target PE file; determining each section table in the target PE file based on the section table starting position, the section table size value and the number value; determining the section table carrying a target character string in a section name as a target section table recording domain name information in the target PE file, wherein the target character string comprises a data character string; reading target data stored in a storage space of the target section table; and screening the target domain name from the target data.
8. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the domain name detection method according to any one of claims 1 to 6 when executing said computer program.
9. A computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, which computer program, when being executed by a processor, implements the steps of the domain name detection method according to any of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111679384.0A CN114363060B (en) | 2021-12-31 | 2021-12-31 | Domain name detection method, system, equipment and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111679384.0A CN114363060B (en) | 2021-12-31 | 2021-12-31 | Domain name detection method, system, equipment and computer readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114363060A CN114363060A (en) | 2022-04-15 |
| CN114363060B true CN114363060B (en) | 2024-08-20 |
Family
ID=81105837
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111679384.0A Active CN114363060B (en) | 2021-12-31 | 2021-12-31 | Domain name detection method, system, equipment and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114363060B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115051861B (en) * | 2022-06-17 | 2024-01-23 | 北京天融信网络安全技术有限公司 | Domain name detection method, device, system and medium |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106713312A (en) * | 2016-12-21 | 2017-05-24 | 深圳市深信服电子科技有限公司 | Method and device for detecting illegal domain name |
| CN110135153A (en) * | 2018-11-01 | 2019-08-16 | 哈尔滨安天科技股份有限公司 | The credible detection method and device of software |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100620313B1 (en) * | 2005-06-15 | 2006-09-06 | (주)이월리서치 | The system for detecting malicious code using the structural features of microsoft portable executable and its using method |
| US10181035B1 (en) * | 2016-06-16 | 2019-01-15 | Symantec Corporation | System and method for .Net PE file malware detection |
| CN107392023A (en) * | 2017-07-28 | 2017-11-24 | 浙江九州量子信息技术股份有限公司 | It is a kind of based on evade in penetration testing antivirus software upload PE files method |
| CN110336789A (en) * | 2019-05-28 | 2019-10-15 | 北京邮电大学 | Domain-flux Botnet detection method based on blended learning |
| EP3840338A1 (en) * | 2019-12-20 | 2021-06-23 | Barclays Execution Services Limited | Domain name security in cloud computing environment |
| CN112597494A (en) * | 2020-12-21 | 2021-04-02 | 成都安思科技有限公司 | Behavior white list automatic collection method for malicious program detection |
| CN113449301A (en) * | 2021-06-22 | 2021-09-28 | 深信服科技股份有限公司 | Sample detection method, device, equipment and computer readable storage medium |
-
2021
- 2021-12-31 CN CN202111679384.0A patent/CN114363060B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106713312A (en) * | 2016-12-21 | 2017-05-24 | 深圳市深信服电子科技有限公司 | Method and device for detecting illegal domain name |
| CN110135153A (en) * | 2018-11-01 | 2019-08-16 | 哈尔滨安天科技股份有限公司 | The credible detection method and device of software |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114363060A (en) | 2022-04-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11973799B2 (en) | Domain name processing systems and methods | |
| CN112818307B (en) | User operation processing method, system, equipment and computer readable storage medium | |
| CN111800490B (en) | Method, device and terminal equipment for acquiring network behavior data | |
| CN112769775B (en) | Threat information association analysis method, system, equipment and computer medium | |
| CN114363062B (en) | Domain name detection method, system, equipment and computer readable storage medium | |
| JP5863973B2 (en) | Program execution device and program analysis device | |
| US20110283358A1 (en) | Method and system to detect malware that removes anti-virus file system filter driver from a device stack | |
| KR20090090685A (en) | Method and system for determining vulnerability of web application | |
| US20200314135A1 (en) | Method for determining duplication of security vulnerability and analysis apparatus using same | |
| CN114363060B (en) | Domain name detection method, system, equipment and computer readable storage medium | |
| US20200342095A1 (en) | Rule generaton apparatus and computer readable medium | |
| CN114189390B (en) | Domain name detection method, system, equipment and computer readable storage medium | |
| CN107135199B (en) | Method and device for detecting webpage backdoor | |
| CN106911635B (en) | Method and device for detecting whether backdoor program exists in website | |
| CN106911636B (en) | Method and device for detecting whether backdoor program exists in website | |
| US11729246B2 (en) | Apparatus and method for determining types of uniform resource locator | |
| CN106446687B (en) | Malicious sample detection method and device | |
| KR20190070583A (en) | Apparatus and method for generating integrated representation specification data for cyber threat information | |
| CN109088859B (en) | Method, device, server and readable storage medium for identifying suspicious target object | |
| CN116451189B (en) | Code feature hiding method and device | |
| CN115987530A (en) | Log detection method, system, equipment and computer readable storage medium | |
| CN115118464B (en) | Method and device for detecting collapse host, electronic equipment and storage medium | |
| CN116166205B (en) | File system storage and mounting method, device, equipment and storage medium | |
| CN112118260B (en) | OPCDA message processing method, device, electronic equipment and storage medium | |
| CN115134164B (en) | Uploading behavior detection method, system, equipment and computer storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |