Method and device for detecting anomaly of domain name system
What is Al technical title?
Al technical title is built by PatSnap Al team. It summarizes the technical point description of the patent document.
A domain name system and abnormal technology, applied in the field of computer networks, can solve the problems of high missed detection rate and DNS lag in detection, and achieve the effect of low missed detection rate and reduced loss.
Active Publication Date: 2010-10-06
CHINA INTERNET NETWORK INFORMATION CENTER
View PDF3 Cites 15 Cited by
Summary
Abstract
Description
Claims
Application Information
AI Technical Summary
This helps you quickly interpret patents by identifying the three key elements:
Problems solved by technology
Method used
Benefits of technology
Problems solved by technology
[0006] The present invention provides a method and device for detecting DNS anomalies to solve the problems in the prior art that the detection of DNS anomalies is lagging behind and the rate of missed detection is high
Method used
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more
Image
Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
Click on the blue label to locate the original text in one second.
Reading with bidirectional positioning of images and text.
Smart Image
Examples
Experimental program
Comparison scheme
Effect test
Embodiment 1
[0032] figure 1 It is a schematic flow chart of an embodiment of the method for detecting DNS anomalies in the present invention, such as figure 1 As shown, the method includes:
[0033] Step 101: dividing the DNS query data flow into multiple data blocks;
[0034] It should be noted that: the larger the divided data block, that is to say, the more query data each data block contains, the more gentle the change of the entropy value of the data block, which can effectively reduce the occurrence of false detection, but at the same time It also reduces the sensitivity to abnormal traffic, and the missed detection rate increases; on the contrary, the smaller the data block, that is to say, the smaller the amount of query data included in each data block, the higher the sensitivity of detecting DNS anomalies, but the accuracy is lower. will decrease accordingly.
[0035] In practical applications, the DNS query data flow can be divided into multiple data blocks according to a sp...
Embodiment 2
[0070] Figure 5 It is a schematic diagram of an embodiment of a device for detecting DNS anomalies in the present invention, such as Figure 5 As shown, the device includes: a division module 201, a calculation module 202 and a judgment module 203;
[0071] Wherein, the division module 201 is used to divide the DNS query data flow into a plurality of data blocks;
[0072] Specifically, the division module 201 is configured to divide the DNS query data flow into multiple data blocks according to a specified time and / or according to a specified query volume.
[0073] A calculation module 202, configured to calculate entropy values of multiple data blocks divided by the division module 201 according to preset query attributes, and obtain corresponding multiple entropy values;
[0074] Wherein, the calculation module 202 includes a first calculation unit and a second calculation unit;
[0075] The first calculation unit is used to calculate the probability that each element ...
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more
PUM
Login to view more
Abstract
The invention provides a method and device for detecting the anomaly of a domain name system, belonging to the technical field of computer network. The method comprises the following steps: dividing the inquiry data stream of the domain name system into a plurality of data blocks; calculating the entropy values of the data blocks according to the preset inquiry attribute to obtain the corresponding entropy values; judging whether preset quantity of entropy values in the obtained entropy values are more than a preset threshold; and if so, determining that the domain name system is abnormal. The device of the invention comprises a dividing module, a calculating module and a judging module. The device of the invention calculates the entropy values of a plurality of data blocks in the inquirydata stream of the domain name system and determines that the domain name system is abnormal when preset quantity of entropy values in the obtained entropy values are more than the preset threshold; the device of the invention can perform early warning to the anomaly of the domain name system, thus reducing loss after the anomaly of domain name system appears; and compared with the prior art, themethod of the invention has high detection accuracy degree and low omission ratio.
Description
technical field [0001] The invention relates to computer network security technology, in particular to a method and device for detecting domain name system anomalies, and belongs to the technical field of computer networks. Background technique [0002] The Domain Name System (DNS for short) is a distributed database system, which is used to convert domain names into IP addresses that can be recognized by the network. Since the DNS is the foundation of the Internet, if the DNS is abnormal, it will have a serious impact on the entire network, so it is very important to detect the DNS anomaly. [0003] The methods for detecting DNS anomalies in the prior art mainly include determining whether the DNS is abnormal based on changes in query traffic or values of query attributes. Determining whether the DNS is abnormal based on the change of the query traffic refers to: when the query traffic is extremely large or extremely small, it is considered that the DNS is abnormal. [...
Claims
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more
Application Information
Patent Timeline
Application Date:The date an application was filed.
Publication Date:The date a patent or application was officially published.
First Publication Date:The earliest publication date of a patent with the same application number.
Issue Date:Publication date of the patent grant document.
PCT Entry Date:The Entry date of PCT National Phase.
Estimated Expiry Date:The statutory expiry date of a patent right according to the Patent Law, and it is the longest term of protection that the patent right can achieve without the termination of the patent right due to other reasons(Term extension factor has been taken into account ).
Invalid Date:Actual expiry date is based on effective date or publication date of legal transaction data of invalid patent.
Login to view more 
Login to view more