
CN112929370A - Domain name system hidden channel detection method and device - Google Patents


Info

Publication number: CN112929370A
Authority: CN (China)
Prior art keywords: domain name, name system, detected, flow, sub
Prior art date:
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110171658.9A
Other languages: Chinese (zh)
Other versions: CN112929370B (en)
Inventors: 刁嘉文, 王忠儒, 崔翔, 冯林, 王田, 阮强
Current assignee: Dingniu Information Security Technology Jiangsu Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Dingniu Information Security Technology Jiangsu Co ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:
Legal events: application filed by Dingniu Information Security Technology Jiangsu Co ltd; priority to CN202110171658.9A; publication of CN112929370A; application granted; publication of CN112929370B; current legal status: Active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for detecting a covert channel in the domain name system (DNS). The method acquires the DNS traffic to be inspected; checks whether the subdomains in that traffic show structural features, where a structural feature is the fixed structure that domain names take when DNS is used for data exfiltration; if structural features are present, checks whether the subdomains show randomness features, where a randomness feature is the randomness of the encoded field when a DNS subdomain carries exfiltrated data; if both are present, outputs a detection result of DNS anomaly; and if the subdomains show no structural feature, or show structure but no randomness, outputs a detection result of DNS normal. Because detection is driven by the attack characteristics of DNS data exfiltration itself, detection accuracy is improved.

Description

Domain name system hidden channel detection method and device
Technical Field
The invention relates to the technical field of domain name detection, and in particular to a method and device for detecting a covert channel in the domain name system.
Background
The Domain Name System (DNS) is a core internet service. It acts as a distributed database that maps between domain names and IP addresses, letting people reach internet hosts by name rather than by address. DNS is also abused to exfiltrate data in many settings, and DNS-based data exfiltration remains an active concern in the security field.
Existing research on detecting DNS exfiltration has mainly advanced along three lines: detection features, data sets and algorithms. Of these, feature extraction is the key part of the detection pipeline. The features proposed so far fall into single-domain-name and multi-domain-name features, but they are generally chosen from a few properties of ordinary malicious domain names rather than analysed and extracted from real DNS covert channel attacks; as a result the false alarm rate is high and detection performance is poor.
Disclosure of Invention
In view of these problems, the invention provides a DNS covert channel detection method and device that improve the accuracy of DNS covert channel detection.
To that end, the invention provides the following technical scheme:
A DNS covert channel detection method comprising the following steps:
acquiring the DNS traffic to be inspected;
detecting whether the subdomains in the DNS traffic to be inspected have structural features, where a structural feature is the fixed structure that domain names take when DNS is used for data exfiltration;
if structural features are present, detecting whether the subdomains in the DNS traffic to be inspected have randomness features, where a randomness feature is the randomness of the encoded field when a DNS subdomain carries exfiltrated data;
if so, generating a detection result of DNS anomaly;
and if the subdomains in the DNS traffic to be inspected have no structural features, or have no randomness features, generating a detection result of DNS normal.
Optionally, acquiring the DNS traffic to be inspected comprises:
acquiring DNS traffic;
filtering the DNS traffic to obtain filtered traffic;
segmenting the filtered traffic into analysis units to obtain the DNS traffic to be inspected.
Optionally, detecting whether the subdomains in the DNS traffic to be inspected have structural features comprises:
performing structure detection on the subdomains in the DNS traffic to be inspected to obtain a first detection result;
and if the first detection result satisfies a first target condition, determining that the subdomains in the DNS traffic to be inspected have structural features, where the first target condition is that the subdomains share a common substring and/or that the subdomains contain an incrementing substring.
Optionally, detecting whether the subdomains in the DNS traffic to be inspected have randomness features comprises:
detecting whether random character strings are present in the subdomains of the DNS traffic to be inspected;
if so, determining that the subdomains in the DNS traffic to be inspected have randomness features.
Optionally, segmenting the filtered traffic to obtain the DNS traffic to be inspected comprises:
segmenting the filtered traffic with a target analysis unit to obtain the DNS traffic to be inspected;
and, once a detection result has been produced for the current DNS traffic to be inspected, obtaining the next DNS traffic to be inspected from the next target analysis unit so that it, in turn, is checked for anomalies.
A DNS covert channel detection device comprising:
an acquisition unit for acquiring the DNS traffic to be inspected;
a first detection unit for detecting whether the subdomains in the DNS traffic to be inspected have structural features, where a structural feature is the fixed structure that domain names take when DNS is used for data exfiltration;
a second detection unit for detecting, if structural features are present, whether the subdomains in the DNS traffic to be inspected have randomness features, where a randomness feature is the randomness of the encoded field when a DNS subdomain carries exfiltrated data;
a first generation unit for generating a detection result of DNS anomaly if both features are present;
and a second generation unit for generating a detection result of DNS normal if the subdomains in the DNS traffic to be inspected have no structural features or have no randomness features.
Optionally, the acquisition unit comprises:
an acquisition subunit for acquiring DNS traffic;
a filtering subunit for filtering the DNS traffic to obtain filtered traffic;
and a segmentation subunit for segmenting the filtered traffic into analysis units to obtain the DNS traffic to be inspected.
Optionally, the first detection unit is specifically configured to:
perform structure detection on the subdomains in the DNS traffic to be inspected to obtain a first detection result;
and, if the first detection result satisfies a first target condition, determine that the subdomains in the DNS traffic to be inspected have structural features, where the first target condition is that the subdomains share a common substring and/or that the subdomains contain an incrementing substring.
Optionally, the second detection unit is specifically configured to:
detect whether random character strings are present in the subdomains of the DNS traffic to be inspected;
and, if so, determine that the subdomains in the DNS traffic to be inspected have randomness features.
Optionally, the segmentation subunit is specifically configured to:
segment the filtered traffic with a target analysis unit to obtain the DNS traffic to be inspected;
and, once a detection result has been produced for the current DNS traffic to be inspected, obtain the next DNS traffic to be inspected from the next target analysis unit so that it, in turn, is checked for anomalies.
Compared with the prior art, the DNS covert channel detection method and device provided by the invention acquire the DNS traffic to be inspected, check its subdomains for the structural features of exfiltration domain names and, where structure is found, for the randomness of the encoded field; a DNS anomaly is reported only when both features are present, and a normal result otherwise. Because detection is driven by the attack characteristics of DNS data exfiltration itself, detection accuracy is improved.
Drawings
To illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings used in describing them are briefly introduced below. The drawings show only embodiments of the invention; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a hidden channel detection method of a domain name system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a DNS query request domain name of APT34 according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a hidden channel detection apparatus of a domain name system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first" and "second" and the like in the description, claims and drawings are used to distinguish between different objects, not to describe a particular order. The terms "comprising" and "having", and any variations of them, are intended to cover non-exclusive inclusion: a process, method, system, article or apparatus that comprises a list of steps or elements is not limited to the listed steps or elements but may include steps or elements that are not listed.
An embodiment of the invention provides a method for detecting a covert channel in the domain name system. Referring to fig. 1, the method may include the following steps:
S101, acquiring the DNS traffic to be inspected.
Stable operation of DNS is a precondition for normal internet service. Because a DNS server provides external name resolution by answering the DNS queries it receives, the DNS query traffic directly reflects the whole course of the server's external service. Inspecting DNS traffic therefore gives an effective picture of the server's service state and, further, enables detection of abnormal DNS behaviour, that is, whether DNS is being used to exfiltrate data.
So, to detect DNS anomalies, the DNS traffic to be inspected is acquired first; DNS traffic captured by real-time monitoring can serve as the traffic to be inspected. For example, domain names already judged to carry no risk may be filtered out, or the traffic may be cut into segments of fixed size and each segment inspected in turn.
S102, detecting whether the subdomains in the DNS traffic to be inspected have structural features; if so, go to S103, otherwise go to S105;
S103, detecting whether the subdomains in the DNS traffic to be inspected have randomness features; if so, go to S104, otherwise go to S105;
S104, generating a detection result of DNS anomaly;
S105, generating a detection result of DNS normal.
A structural feature is the fixed structure that domain names take during DNS data exfiltration; a randomness feature is the randomness of the encoded field when a DNS subdomain carries exfiltrated data. Together they may be called the domain name structure-and-randomness features, i.e. the features of the subdomains used for DNS exfiltration, which comprise a structural part and a random part. Structure means that, within one attack, the batch of domain names used for exfiltration share a similar layout, for example the same common substring and incrementing marker digits; randomness means that, because the exfiltrated information is encoded into the domain name, the field holding the encoded file content looks random.
Fig. 2 shows DNS query names of APT34 according to an embodiment of the invention. The names share a similar structure: the same functional string "5624b81f" (rectangular box), incrementing numeric strings "001" and "002", and the same file-name string "33333210100a" (oval box). These properties differ from those of ordinary malicious domain names such as DGA domains and from normal domain names; they are the structural features. The middle boxed part of fig. 2 is the encoded content of the transferred file; after encoding it appears random rather than as everyday readable text, which is the randomness feature.
The two features play different roles: structure supports the transfer, randomness is the actual information being carried. The embodiment checks the subdomains of the DNS traffic to be inspected for both; if both are present, the traffic matches the signature of DNS data exfiltration and is judged anomalous, otherwise it is judged normal. DNS exfiltration anomalies can thus be found accurately and promptly. Note that the traffic is judged normal as soon as either feature is absent.
Because the detection is driven by the attack characteristics of DNS data exfiltration, it is more targeted and more accurate; because the judgement is made by analysing the subdomains, it is more efficient; and the same approach can be applied to exfiltration over other application-layer protocols and to data leakage detection generally.
The following describes a specific process that can implement the above detection in the embodiment of the present invention.
Acquiring the DNS traffic to be inspected comprises the following steps:
acquiring DNS traffic;
filtering the DNS traffic to obtain filtered traffic;
segmenting the filtered traffic into analysis units to obtain the DNS traffic to be inspected.
A DNS probe filters the network traffic down to DNS traffic, and an allowlist filter may be applied at the same time; the result is the filtered DNS traffic, which may be live or offline (captured) traffic. The filtered traffic is then cut into target analysis units to obtain the DNS traffic to be inspected: once a detection result has been produced for the current unit, the next unit supplies the next traffic to be inspected, which is checked for anomalies in turn. For example, a window of suitable size is set at the analysis unit; as traffic arrives it flows through the window, which holds a number of queries, and each cut-out window is one analysis unit. Later analysis units are processed in the same way, so the next unit is judged as the traffic advances.
Specifically, detecting whether the subdomains in the DNS traffic to be inspected have structural features comprises: performing structure detection on the subdomains to obtain a first detection result; and, if the first detection result satisfies a first target condition, determining that the subdomains have structural features, where the first target condition is that the subdomains share a common substring and/or that the subdomains contain an incrementing substring.
Detecting whether the subdomains in the DNS traffic to be inspected have randomness features comprises: detecting whether random character strings are present in the subdomains; and, if so, determining that the subdomains have randomness features.
Taking an analysis unit as the DNS traffic to be inspected, the subdomains of the queries in the unit are extracted and compared to decide whether the traffic has structure. If the subdomains in the unit share a common substring, contain an incrementing string, or both, they have structure; if they have neither, they are judged unstructured and the unit is output directly as normal. A common substring means, for example, that two domain names contain the same substring, as in the first rectangle of fig. 2; an incrementing string is a string that guarantees no packet is lost when the information is transmitted piece by piece and lets the receiver reassemble the pieces in order, as in the second rectangular box of fig. 2 (the longest box in the first row).
Whether the subdomains of the traffic contain random character strings may be judged with an n-gram character frequency analysis; the embodiment does not restrict the specific method. Continuing the example, if the analysis unit has structure, the subdomain randomness judgement follows: the part of the domain name other than the common substring is tested for random strings. n-gram character frequency analysis is applied to that remaining part: natural language follows Zipf's law, whereas a random string has a much flatter character frequency distribution, and this difference decides whether the string is random. If it is, the output is anomalous; otherwise normal.
If the subdomains in the analysis unit have both structure and randomness, the domain names are judged to be suspected exfiltration domain names and an alert and a log are output; otherwise they are normal domain names and only a log is output.
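The following is an added example, not the patent's own code (the page carries none), that implements the pipeline described above in Python: allowlist filtering, fixed-size analysis windows, the common-substring and incrementing-counter structure checks, and a simplified stand-in for the n-gram frequency analysis that scores how many character bigrams of the residual field never occur in a constructed benign reference. The allowlist, window size, thresholds, benign word list, the two-label zone-splitting rule and the sample query stream (laid out like the fig. 2 names) are all assumptions; grouping each window's queries by zone before comparing subdomains is an addition the patent text does not describe.

```python
# Added example, not the patent's code: sliding-window DNS covert channel
# detector following the two-stage test above. All constants are assumptions.
import re
from collections import defaultdict

ALLOWLIST = {"example.com"}   # assumed: zones never inspected
WINDOW, MIN_COMMON_LEN, RANDOM_THRESHOLD = 8, 6, 0.5   # assumed sizes/thresholds
# Assumed benign reference: character bigrams of ordinary hostname labels.
BENIGN_WORDS = ("update static login mail api content cdn images secure portal download "
                "service client server host data cloud support store admin office account "
                "news video search email web mobile app edge media files auth status prod "
                "test dev internal").split()
BENIGN_BIGRAMS = {w[i:i + 2] for w in BENIGN_WORDS for i in range(len(w) - 1)}

def split_name(qname):
    # (subdomain, zone); assumes a two-label registrable zone, real code uses the PSL.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def longest_common_substring(a, b):
    # Dynamic-programming longest common substring of two strings.
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def common_substring(subs):
    # Substring shared by every subdomain (greedy reduction: always a true
    # common substring, not necessarily the longest one), or None if too short.
    common = subs[0]
    for s in subs[1:]:
        common = longest_common_substring(common, s)
        if len(common) < MIN_COMMON_LEN:
            return None
    return common

def has_incremental_substring(subs):
    # True if a digit run at a fixed label/run position grows by exactly one
    # from each query to the next: the sequence marker used for reassembly.
    if len(subs) < 3:
        return False
    rows = [s.split(".") for s in subs]
    for k in range(min(len(r) for r in rows)):
        runs = [re.findall(r"\d+", r[k]) for r in rows]
        for j in range(min(len(r) for r in runs)):
            col = [int(r[j]) for r in runs]
            if all(b == a + 1 for a, b in zip(col, col[1:])):
                return True
    return False

def residual_text(subs):
    # Drop labels identical across the group (the common structure) and
    # all-digit labels (sequence markers); what remains is the encoded field.
    rows = [s.split(".") for s in subs]
    keep = [k for k in range(min(len(r) for r in rows))
            if len({r[k] for r in rows}) > 1
            and not all(r[k].isdigit() for r in rows)]
    return "".join(r[k] for r in rows for k in keep)

def unseen_bigram_share(text):
    # Share of character bigrams absent from the benign reference: natural
    # language reuses a few bigrams heavily (Zipf), encoded data spreads
    # evenly over the alphabet, so most of its bigrams are unseen.
    bigrams = [text[i:i + 2] for i in range(len(text) - 1)]
    return sum(b not in BENIGN_BIGRAMS for b in bigrams) / len(bigrams) if bigrams else 0.0

def classify_group(subs):
    # Steps S102-S105 for the subdomains of one zone within one analysis unit.
    verdict = {"structured": False, "random": False, "anomalous": False}
    if len(subs) < 3:
        return verdict
    verdict["structured"] = (common_substring(subs) is not None
                             or has_incremental_substring(subs))
    if verdict["structured"]:   # randomness is only tested once structure is found
        verdict["random"] = unseen_bigram_share(residual_text(subs)) >= RANDOM_THRESHOLD
    verdict["anomalous"] = verdict["structured"] and verdict["random"]
    return verdict

def detect(qnames):
    # S101: allowlist filter, cut into windows, group each window by zone so
    # unrelated zones in the same window are not compared with each other.
    kept = [q for q in qnames if split_name(q)[0] and split_name(q)[1] not in ALLOWLIST]
    results = []
    for start in range(0, len(kept), WINDOW):
        groups = defaultdict(list)
        for q in kept[start:start + WINDOW]:
            sub, zone = split_name(q)
            groups[zone].append(sub)
        results.extend((zone, classify_group(subs)) for zone, subs in groups.items())
    return results

# Constructed sample: ordinary hostnames plus a burst laid out like the fig. 2
# queries (sequence label, session tag, encoded chunk, file tag).
CHUNKS = ["9f3c7a1e4b8d", "e1b07c2d5a9f", "4d8e0c17bf26"]
SAMPLE = ["mail.corp-example.org", "static.corp-example.org", "api.corp-example.org",
          "login.corp-example.org", "update.corp-example.org", "a.example.com"] + [
    f"{i:03d}.5624b81f.{chunk}.33333210100a.c2-example.net"
    for i, chunk in enumerate(CHUNKS, start=1)]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Running the block classifies the corp-example.org group as normal (no shared substring of useful length, no counter) and the c2-example.net group as anomalous: the counter label 001/002/003 and the shared labels give structure, and the hex chunks that remain once the shared and counter labels are removed consist almost entirely of bigrams unseen in the benign reference. In production the benign bigram set should be learned from the organisation's own resolver logs rather than a word list, the zone split should use the Public Suffix List, and windows should be keyed by source client as well as zone so that an attacker cannot dilute a group by interleaving unrelated queries.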
In summary, the DNS covert channel detection method provided by the invention acquires the DNS traffic to be inspected; checks whether its subdomains have structural features, i.e. the fixed structure that domain names take during DNS data exfiltration; if so, checks whether the subdomains have randomness features, i.e. the randomness of the encoded field when a DNS subdomain carries exfiltrated data; if both are present, generates a detection result of DNS anomaly; and if the subdomains have no structural features, or no randomness features, generates a detection result of DNS normal. Because detection is driven by the attack characteristics of DNS data exfiltration itself, detection accuracy is improved.
Referring to fig. 3, an embodiment of the invention provides a DNS covert channel detection apparatus comprising:
an acquisition unit 10 for acquiring the DNS traffic to be inspected;
a first detection unit 20 for detecting whether the subdomains in the DNS traffic to be inspected have structural features, where a structural feature is the fixed structure that domain names take when DNS is used for data exfiltration;
a second detection unit 30 for detecting, if structural features are present, whether the subdomains in the DNS traffic to be inspected have randomness features, where a randomness feature is the randomness of the encoded field when a DNS subdomain carries exfiltrated data;
a first generation unit 40 for generating a detection result of DNS anomaly if both features are present;
a second generation unit 50 for generating a detection result of DNS normal if the subdomains in the DNS traffic to be inspected have no structural features or have no randomness features.
On the basis of the above embodiment, the acquisition unit comprises:
an acquisition subunit for acquiring DNS traffic;
a filtering subunit for filtering the DNS traffic to obtain filtered traffic;
and a segmentation subunit for segmenting the filtered traffic into analysis units to obtain the DNS traffic to be inspected.
Optionally, the first detection unit is specifically configured to:
perform structure detection on the subdomains in the DNS traffic to be inspected to obtain a first detection result;
and, if the first detection result satisfies a first target condition, determine that the subdomains have structural features, where the first target condition is that the subdomains share a common substring and/or that the subdomains contain an incrementing substring.
Optionally, the second detection unit is specifically configured to:
detect whether random character strings are present in the subdomains of the DNS traffic to be inspected;
and, if so, determine that the subdomains have randomness features.
Optionally, the segmentation subunit is specifically configured to:
segment the filtered traffic with a target analysis unit to obtain the DNS traffic to be inspected;
and, once a detection result has been produced for the current DNS traffic to be inspected, obtain the next DNS traffic to be inspected from the next target analysis unit so that it, in turn, is checked for anomalies.
In the DNS covert channel detection device provided by the invention, the acquisition unit acquires the DNS traffic to be inspected; the first detection unit checks whether its subdomains have structural features, i.e. the fixed structure that domain names take during DNS data exfiltration; the second detection unit, if structure is found, checks whether the subdomains have randomness features, i.e. the randomness of the encoded field when a DNS subdomain carries exfiltrated data; the first generation unit generates a detection result of DNS anomaly when both are present; and the second generation unit generates a detection result of DNS normal when the subdomains have no structural features or no randomness features. Because detection is driven by the attack characteristics of DNS data exfiltration itself, detection accuracy is improved.
Based on the foregoing embodiments, embodiments of the present application provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the steps of a domain name system covert channel detection method as in any one of the above.
The embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and is characterized in that the processor executes the program to implement the steps of the method for detecting the hidden channel in the domain name system. Specifically, the processor may implement:
acquiring the domain name system flow to be detected;
detecting whether the sub-domain names of the domain name system flow to be detected have structural characteristics, wherein the structural characteristics represent the target structure adopted by domain names used for domain name system data leakage;
if the structural characteristics exist, detecting whether the sub-domain names of the domain name system flow to be detected have randomness characteristics, wherein the randomness characteristics represent the random nature of the coding field when a domain name system sub-domain name is used for data leakage;
if so, generating an abnormal detection result for the domain name system;
and if the sub-domain name of the to-be-detected domain name system flow does not have structural characteristics or the sub-domain name does not have random characteristics, generating a normal detection result of the domain name system.
Further, the acquiring the domain name system flow to be detected includes:
acquiring domain name system flow;
filtering the domain name system flow to obtain filtered flow;
intercepting the filtered flow to obtain the flow of the domain name system to be detected.
Further, the detecting whether the sub domain name of the domain name system flow to be detected has structural features includes:
performing structural detection on the sub domain name of the domain name system flow to be detected to obtain a first detection result;
and if the first detection result meets a first target condition, detecting that the sub-domain name of the to-be-detected domain name system flow has structural characteristics, wherein the first target condition comprises that the sub-domain name has a common substring and/or the sub-domain name has an incremental substring.
Further, the detecting whether the sub domain name of the domain name system flow to be detected has the randomness characteristic includes:
detecting whether random word strings exist in the sub domain names of the domain name system flow to be detected;
if so, judging that the sub domain name of the domain name system flow to be detected has randomness characteristics.
Further, intercepting the filtered flow to obtain the flow of the domain name system to be detected includes:
intercepting the filtered flow by using a target intercepting and analyzing unit to obtain the flow of the domain name system to be detected;
and in response to a detection result being obtained for the current flow of the domain name system to be detected, acquiring the next flow of the domain name system to be detected from the next target intercepting and analyzing unit, so as to perform abnormal detection on that flow.
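The method steps above (and the corresponding claims 1 to 5 and 6 to 10) describe a pipeline: filter the DNS traffic, take it up window by window, test the sub-domain names of each registered domain for structural characteristics (a common substring and/or an incrementing substring), and only where structure is found test the remaining encoded field for randomness. The following is an added reference implementation written for this page; it is not code from the patent or its assignee. The thresholds (`MIN_QUERIES`, `MIN_COMMON_LEN`, `RANDOM_MIN_LEN`, `RANDOM_MIN_ENTROPY`), the simplified "last two labels" registered-domain rule, the Shannon-entropy randomness test and the sample traffic (including the SHA-256-derived stand-in for encoded data chunks) are all assumptions of the example, not statements of the patent.

```python
# Added example, not code from the patent or its assignee: a compact reference
# implementation of the two-stage DNS covert-channel check described above.
# Sample traffic is constructed; thresholds are assumptions, not the patent's.
import hashlib
import math
import re
from collections import Counter, defaultdict

MIN_QUERIES = 3           # assumption: need a few queries per domain to judge structure
MIN_COMMON_LEN = 4        # assumption: shortest shared substring that counts as structure
RANDOM_MIN_LEN = 16       # assumption: labels shorter than this are never called random
RANDOM_MIN_ENTROPY = 3.0  # assumption: bits per character; hex/base32 payload sits well above

DIGIT_RUN = re.compile(r"\d+")


def registered_domain(qname):
    """Simplified: the last two labels are the registered domain (a real
    deployment would consult the public suffix list; assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    """Everything left of the registered domain, dot-joined ('' if none)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def filter_traffic(qnames, allowlist):
    """Filtering stage: drop allow-listed domains and queries with no sub-domain."""
    return [q for q in qnames
            if registered_domain(q) not in allowlist and subdomain_part(q)]


def group_by_domain(qnames):
    """Sub-domain strings per registered domain, kept in traffic order."""
    groups = defaultdict(list)
    for q in qnames:
        groups[registered_domain(q)].append(subdomain_part(q))
    return groups


def longest_common_substring(strings):
    """Longest substring present in every string (brute force on the shortest)."""
    shortest = min(strings, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in s for s in strings):
                return cand
    return ""


def has_incremental_substring(subdomains):
    """True if the i-th digit run (same i in every query) strictly increases."""
    runs = [DIGIT_RUN.findall(s) for s in subdomains]
    for i in range(min(len(r) for r in runs)):
        values = [int(r[i]) for r in runs]
        if all(a < b for a, b in zip(values, values[1:])):
            return True
    return False


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def label_looks_random(label):
    return len(label) >= RANDOM_MIN_LEN and shannon_entropy(label) >= RANDOM_MIN_ENTROPY


def has_randomness_feature(subdomains, common):
    """Randomness stage: strip the structural parts (shared substring, counters)
    and ask whether the residual encoded field looks random in most queries."""
    hits = 0
    for s in subdomains:
        residual = s.replace(common, ".") if common else s
        labels = [l for l in residual.split(".") if l and not l.isdigit()]
        if any(label_looks_random(l) for l in labels):
            hits += 1
    return hits * 2 >= len(subdomains)


def detect(subdomains):
    """Structure first, randomness second, for one registered domain."""
    if len(subdomains) < MIN_QUERIES:
        return {"result": "insufficient", "structural": None, "randomness": None, "common_substring": ""}
    common = longest_common_substring(subdomains)
    if len(common) < MIN_COMMON_LEN:
        common = ""
    structural = bool(common) or has_incremental_substring(subdomains)
    if not structural:
        return {"result": "normal", "structural": False, "randomness": None, "common_substring": common}
    randomness = has_randomness_feature(subdomains, common)
    return {"result": "abnormal" if randomness else "normal",
            "structural": True, "randomness": randomness, "common_substring": common}


def analyze_windows(qnames, allowlist=frozenset(), window_size=7):
    """Each window plays the role of one intercepting-and-analyzing unit: once
    its verdicts are produced, the next window of filtered traffic is taken up."""
    kept = filter_traffic(qnames, allowlist)
    verdicts = []
    for w, start in enumerate(range(0, len(kept), window_size)):
        for domain, subs in group_by_domain(kept[start:start + window_size]).items():
            verdicts.append({"window": w, "domain": domain, **detect(subs)})
    return verdicts


def _chunk(i):
    # Constructed stand-in for an encoded data chunk: 32 deterministic hex chars.
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]


# Constructed sample traffic: ordinary hosts, a CDN-style counter that has
# structure but no randomness, and a counter + chunk + session-id pattern.
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.com", "api.example.com"]
CDN_LIKE = [f"a{i}.cdn.example.org" for i in range(1, 5)]
EXFIL = [f"{i:03d}.{_chunk(i)}.sess9f.tunnel.example.net" for i in range(6)]
SAMPLE_TRAFFIC = BENIGN + CDN_LIKE + EXFIL

if __name__ == "__main__":
    for v in analyze_windows(SAMPLE_TRAFFIC):
        print(v)
```

The CDN-style names show why the second stage matters: `a1.cdn`, `a2.cdn`, ... share a substring and carry an incrementing counter, so they pass the structural test, but the residual label is short and low-entropy, so the verdict stays normal. Only the names that combine structure with a long high-entropy field are reported as abnormal.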
The Processor or the CPU may be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Central Processing Unit (CPU), a controller, a microcontroller, and a microprocessor. It is understood that the electronic device implementing the above-mentioned processor function may be other electronic devices, and the embodiments of the present application are not particularly limited.
The computer storage medium/Memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic Random Access Memory (FRAM), a Flash Memory (Flash Memory), a magnetic surface Memory, an optical Disc, or a Compact Disc Read-Only Memory (CD-ROM); but may also be various terminals such as mobile phones, computers, tablet devices, personal digital assistants, etc., that include one or any combination of the above-mentioned memories.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of a unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing module, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit. Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media capable of storing program codes, such as a removable Memory device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, and an optical disk.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to obtain new method embodiments.
Features disclosed in several of the product embodiments provided in the present application may be combined in any combination to yield new product embodiments without conflict.
The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for detecting a hidden channel of a domain name system is characterized by comprising the following steps:
acquiring the domain name system flow to be detected;
detecting whether the sub-domain names of the domain name system flow to be detected have structural characteristics, wherein the structural characteristics represent the target structure adopted by domain names used for domain name system data leakage;
if the structural characteristics exist, detecting whether the sub-domain names of the domain name system flow to be detected have randomness characteristics, wherein the randomness characteristics represent the random nature of the coding field when a domain name system sub-domain name is used for data leakage;
if so, generating an abnormal detection result for the domain name system;
and if the sub-domain name of the to-be-detected domain name system flow does not have structural characteristics or the sub-domain name does not have random characteristics, generating a normal detection result of the domain name system.
2. The method according to claim 1, wherein the acquiring domain name system traffic to be detected comprises:
acquiring domain name system flow;
filtering the domain name system flow to obtain filtered flow;
intercepting the filtered flow to obtain the flow of the domain name system to be detected.
3. The method according to claim 1, wherein the detecting whether the sub domain name of the domain name system traffic to be detected has structural features comprises:
performing structural detection on the sub domain name of the domain name system flow to be detected to obtain a first detection result;
and if the first detection result meets a first target condition, detecting that the sub-domain name of the to-be-detected domain name system flow has structural characteristics, wherein the first target condition comprises that the sub-domain name has a common substring and/or the sub-domain name has an incremental substring.
4. The method according to claim 1, wherein the detecting whether the sub domain name of the domain name system traffic to be detected has the randomness characteristic comprises:
detecting whether random word strings exist in the sub domain names of the domain name system flow to be detected;
if so, judging that the sub domain name of the domain name system flow to be detected has randomness characteristics.
5. The method according to claim 2, wherein the intercepting the filtered traffic to obtain the traffic of the domain name system to be detected comprises:
intercepting the filtered flow by using a target intercepting and analyzing unit to obtain the flow of the domain name system to be detected;
and in response to a detection result being obtained for the current flow of the domain name system to be detected, acquiring the next flow of the domain name system to be detected from the next target intercepting and analyzing unit, so as to perform abnormal detection on that flow.
6. A hidden channel detection device for a domain name system, comprising:
the acquisition unit is used for acquiring the domain name system flow to be detected;
the first detection unit is used for detecting whether the sub-domain names of the domain name system flow to be detected have structural characteristics, and the structural characteristics represent the target structure adopted by domain names used for domain name system data leakage;
the second detection unit is used for detecting, if the structural characteristics exist, whether the sub-domain names of the domain name system flow to be detected have randomness characteristics, and the randomness characteristics represent the random nature of the coding field when a domain name system sub-domain name is used for data leakage;
the first generating unit is used for generating an abnormal detection result for the domain name system if the randomness characteristics exist;
and the second generating unit is used for generating a normal detection result of the domain name system if the sub-domain name of the to-be-detected domain name system flow does not have structural characteristics or the sub-domain name does not have random characteristics.
7. The apparatus of claim 6, wherein the obtaining unit comprises:
the acquisition subunit is used for acquiring the domain name system flow;
the filtering subunit is used for filtering the domain name system flow to obtain a filtered flow;
and the intercepting subunit is used for intercepting the filtered flow to obtain the flow of the domain name system to be detected.
8. The apparatus of claim 6, wherein the first detection unit is specifically configured to:
performing structural detection on the sub domain name of the domain name system flow to be detected to obtain a first detection result;
and if the first detection result meets a first target condition, detecting that the sub-domain name of the to-be-detected domain name system flow has structural characteristics, wherein the first target condition comprises that the sub-domain name has a common substring and/or the sub-domain name has an incremental substring.
9. The apparatus of claim 6, wherein the second detection unit is specifically configured to:
detecting whether random word strings exist in the sub domain names of the domain name system flow to be detected;
if so, judging that the sub domain name of the domain name system flow to be detected has randomness characteristics.
10. The apparatus of claim 7, wherein the intercepting subunit is specifically configured to:
intercepting the filtered flow by using a target intercepting and analyzing unit to obtain the flow of the domain name system to be detected;
and in response to a detection result being obtained for the current flow of the domain name system to be detected, acquiring the next flow of the domain name system to be detected from the next target intercepting and analyzing unit, so as to perform abnormal detection on that flow.
CN202110171658.9A 2021-02-08 2021-02-08 Domain name system hidden channel detection method and device Active CN112929370B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110171658.9A CN112929370B (en) 2021-02-08 2021-02-08 Domain name system hidden channel detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110171658.9A CN112929370B (en) 2021-02-08 2021-02-08 Domain name system hidden channel detection method and device

Publications (2)

Publication Number Publication Date
CN112929370A true CN112929370A (en) 2021-06-08
CN112929370B CN112929370B (en) 2022-10-18

Family

ID=76171171

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110171658.9A Active CN112929370B (en) 2021-02-08 2021-02-08 Domain name system hidden channel detection method and device

Country Status (1)

Country Link
CN (1) CN112929370B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113489709A (en) * 2021-06-30 2021-10-08 北京丁牛科技有限公司 Flow detection method and device
CN114070581A (en) * 2021-10-09 2022-02-18 北京邮电大学 Method and device for detecting hidden channel of domain name system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610830A (en) * 2015-12-30 2016-05-25 山石网科通信技术有限公司 Method and device for detecting domain name
CN106713312A (en) * 2016-12-21 2017-05-24 深圳市深信服电子科技有限公司 Method and device for detecting illegal domain name
CN107786575A (en) * 2017-11-11 2018-03-09 北京信息科技大学 A kind of adaptive malice domain name detection method based on DNS flows
CN110740117A (en) * 2018-10-31 2020-01-31 哈尔滨安天科技集团股份有限公司 Counterfeit domain name detection method and device, electronic equipment and storage medium
CN111953673A (en) * 2020-08-10 2020-11-17 深圳市联软科技股份有限公司 DNS hidden tunnel detection method and system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113489709A (en) * 2021-06-30 2021-10-08 北京丁牛科技有限公司 Flow detection method and device
CN113489709B (en) * 2021-06-30 2023-06-20 丁牛信息安全科技(江苏)有限公司 Flow detection method and device
CN114070581A (en) * 2021-10-09 2022-02-18 北京邮电大学 Method and device for detecting hidden channel of domain name system
CN114070581B (en) * 2021-10-09 2023-03-14 北京邮电大学 Method and device for detecting hidden channel of domain name system

Also Published As

Publication number Publication date
CN112929370B (en) 2022-10-18

Similar Documents

Publication Publication Date Title
CN111355697B (en) Detection method, device, equipment and storage medium for botnet domain name family
CN111949803B (en) Knowledge graph-based network abnormal user detection method, device and equipment
CN110351280A (en) A kind of method, system, equipment and readable storage medium storing program for executing for threatening information to extract
CN113162953B (en) Network threat message detection and source tracing evidence obtaining method and device
CN111131260B (en) Mass network malicious domain name identification and classification method and system
WO2012089005A1 (en) Method and apparatus for phishing web page detection
CN112804210B (en) Data association method and device, electronic equipment and computer-readable storage medium
CN105376217B (en) A kind of malice jumps and the automatic judging method of malice nested class objectionable website
CN112929370B (en) Domain name system hidden channel detection method and device
CN109495521B (en) Abnormal flow detection method and device
EP3913888A1 (en) Detection method for malicious domain name in domain name system and detection device
CN106850511B (en) Method and device for identifying access attack
CN113114618A (en) Internet of things equipment intrusion detection method based on traffic classification recognition
CN110135162A (en) The recognition methods of the back door WEBSHELL, device, equipment and storage medium
CN112822223A (en) DNS hidden tunnel event automatic detection method and device and electronic equipment
CN112532624A (en) Black chain detection method and device, electronic equipment and readable storage medium
CN109005181B (en) Detection method, system and related components for DNS amplification attack
CN112272175A (en) Trojan horse virus detection method based on DNS
CN112583827B (en) Data leakage detection method and device
CN107332856B (en) Address information detection method and device, storage medium and electronic device
TWI777766B (en) System and method of malicious domain query behavior detection
CN114172707B (en) Fast-Flux botnet detection method, device, equipment and storage medium
CN117354024A (en) DNS malicious domain name detection system and method based on big data
CN113965392B (en) Malicious server detection method, system, readable medium and electronic equipment
CN113792291B (en) Host recognition method and device infected by domain generation algorithm malicious software

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant