Abnormal domain name detection method and system

An abnormal domain name detection technology, applied in the field of network security, that addresses the problems of existing methods (high false positive rate, inability to discover unknown abnormal domain names, unsatisfactory results) and reduces the false positive rate.

Inactive Publication Date: 2011-12-14
INST OF COMPUTING TECH CHINESE ACAD OF SCI +1
AI Technical Summary

Problems solved by technology

[0005] The method based on the number of query requests is described in Botnet Detection and Response, The Network is the Infection, OARC Workshop, 2005, available at http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf. It uses an abnormal number of query requests and the temporary concentration of query requests to determine that the requested domain name is abnormal. However, the experimental evaluation in Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic, in Proceedings of the 5th IEEE Consumer Communications and Networking Conference, 2008: 476-481, points out that the false alarm rate of this method is relatively high and that its results are not ideal.
[0006] The document The Domain Name Service as an IDS, Master's Project, University of Amsterdam, Netherlands, Feb. 2006, available at http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf, discloses a method based on the number of repeated query requests for non-existent domain names (NXDOMAIN). This method has a low false positive rate, but it can only find domain names that match this situation and cannot detect a large number of abnormal domain names.
[0007] The document Botnet Detection by Monitoring Group Activities in DNS Traffic, in Proceedings of the 7th IEEE International Conference on Computer and Information Technology, 2007: 715-720, discloses a method based on the distribution of the IP addresses that initiate query requests. It mainly uses the similarity of the requesting IP addresses and the similarity of the size of the IP address list over consecutive time periods to determine whether a domain name is abnormal. However, domain name requests with forged source IP addresses seriously degrade the detection performance of this method.
[0008] The document Bayesian bot detection based on DNS traffic similarity, in Proceedings of the 2009 ACM Symposium on Applied Computing (SAC), Hawaii, USA, 2009: 2035-2041, discloses a method based on the DNS request traffic of known bots, but this method cannot discover unknown abnormal domain names.

Embodiment Construction

[0055] The present invention will be described in further detail below in conjunction with the accompanying drawings.

[0056] The method flow of the present invention is shown in Figure 1.

[0057] Step S100: receive and parse DNS response messages, compute statistics using the preset statistical time interval as the statistical period, and generate a DNS resolution statistical vector set containing the DNS response message information and the count of messages within the statistical period.

[0058] The specific implementation manner of step S100 is as follows.

[0059] Step S110, initialize relevant detection parameters.

[0060] In the embodiment, the timer T is set to 0, the statistical time interval is Ts seconds, and the detection time interval is set to T0=n×Ts seconds, where n is a positive integer. In this embodiment, Ts=300, T0=6×300=1800. Set the length of the latest change time list of the resolved address, expressed as Lt, a...
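
The windowing described in steps S100 and S110, as an added example that is not taken from the patent: it buckets parsed DNS responses into Ts = 300 s statistical periods and folds n = 6 of them into one vector per domain per detection period. The record layout and the features shown (per-period counts, distinct resolved addresses, address changes, NXDOMAIN count) are assumptions, because the page does not list the patent's detection features.

```python
from collections import defaultdict

TS = 300        # statistical interval Ts in seconds (value from the embodiment)
N = 6           # detection interval T0 = N * TS = 1800 s (value from the embodiment)

# Constructed sample of already-parsed DNS responses:
# (seconds since timer start, queried name, response code, resolved addresses)
SAMPLE = [
    (10,   "www.example.com.",  "NOERROR",  ["192.0.2.10"]),
    (320,  "WWW.example.com.",  "NOERROR",  ["192.0.2.10"]),
    (40,   "dyn.example.net.",  "NOERROR",  ["198.51.100.1"]),
    (350,  "dyn.example.net.",  "NOERROR",  ["198.51.100.2"]),
    (700,  "dyn.example.net.",  "NOERROR",  ["203.0.113.7"]),
    (710,  "dyn.example.net.",  "NOERROR",  ["203.0.113.7"]),
    (1500, "gone.example.org.", "NXDOMAIN", []),
    (1900, "www.example.com.",  "NOERROR",  ["192.0.2.10"]),
]

def stat_vectors(responses, ts=TS):
    """Step 1: one statistical vector per (statistical period, domain)."""
    acc = defaultdict(lambda: {"count": 0, "nxdomain": 0, "addrs": set()})
    for t, qname, rcode, addrs in responses:
        # DNS names are case-insensitive; normalise before using them as keys.
        v = acc[(int(t // ts), qname.lower().rstrip("."))]
        v["count"] += 1
        v["nxdomain"] += rcode == "NXDOMAIN"
        v["addrs"].update(addrs)
    return dict(acc)

def feature_vectors(stats, n=N):
    """Step 2: fold each domain's n statistical vectors into one feature vector."""
    slots = defaultdict(dict)
    for (period, domain), v in stats.items():
        slots[(period // n, domain)][period % n] = v
    out = {}
    for key, by_slot in slots.items():
        ordered = [by_slot.get(i) for i in range(n)]
        # Periods without an answer section are skipped when comparing addresses.
        addr_sets = [s["addrs"] for s in ordered if s and s["addrs"]]
        out[key] = {  # assumed features, not the patent's list
            "counts": [s["count"] if s else 0 for s in ordered],
            "distinct_addrs": len(set().union(*addr_sets)),
            "addr_changes": sum(a != b for a, b in zip(addr_sets, addr_sets[1:])),
            "nxdomain": sum(s["nxdomain"] for s in ordered if s),
        }
    return out

if __name__ == "__main__":
    for key, fv in sorted(feature_vectors(stat_vectors(SAMPLE)).items()):
        print(key, fv)
```

Each key is (detection period index, domain), so the output of step 2 is one vector per domain per T0 window, ready for whatever detector step 3 applies.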

Abstract

The present invention relates to a method and system for detecting abnormal domain names. The method includes: step 1, receiving and parsing DNS response messages, performing statistics with a preset statistical time interval as the statistical period, and generating a DNS resolution statistical vector set containing the DNS response message information and the count of messages within the statistical period; step 2, detecting with a preset detection time interval as the detection period, and, according to preset detection features, performing detection feature statistics on the DNS resolution statistical vectors in the DNS resolution statistical vector set generated within the detection period, so as to generate a detection feature vector set, each detection feature vector in the detection feature vector set corresponding to the same domain name; step 3, examining the detection feature vectors in the detection feature vector set to identify abnormal domain names. The invention can detect unknown abnormal domain names.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a method and system for detecting abnormal domain names.

Background technique

[0002] With the development of network technology, domain name (DNS, Domain Name System) technology has been widely used, and security incidents related to domain names are also increasing, such as botnets (BotNet), domain name amplification distributed denial of service attacks (DNS Amplification DDoS Attack), websites implanted with Trojans, and so on.

[0003] Taking botnets as an example: to avoid detection and blocking, botnets often use dynamic domain names (DDNS, Dynamic DNS) to specify the IP address of the control server (C&C, Command-and-Control server), thereby concealing and migrating the control server address. The bot (Bot) dynamically obtains the address of the control server by resolving these domain names, so as to obtain the informat...

Application Information

Patent Type & Authority Patents(China)
IPC IPC(8): H04L12/26, H04L29/12
Inventor 张永铮, 周勇林, 王明华, 袁春阳, 云晓春, 郭莉, 李世淙, 由林麟
Owner INST OF COMPUTING TECH CHINESE ACAD OF SCI