Method for detecting quick-changing attack domain name based on host group characteristics

A technology for detecting fast-changing attack domain names, applied to digital transmission systems, electrical components, transmission systems, etc. It addresses the difficulty of discovering and controlling fast-changing attack network domain names in time, long detection cycles, and large errors in results, and achieves a short detection cycle, a large data set, and accurate results.

Inactive Publication Date: 2013-06-12
INST OF INFORMATION ENG CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

These methods can detect whether a specific domain name belongs to a fast-changing attack network, but they do not solve the problem of discovering in time whether a host in a large local area network is infected by a botnet.
In addition, the detection method based on network availability has a large error in its results and is easily affected by real-time changes in network status. The detection method based on the update frequency of web page content has a long detection cycle, which makes it difficult to detect and control fast-changing attack network domain names in time.

Examples

Embodiment 2

[0060] Embodiment 2 is based on the technical solution described in Embodiment 1. Its training data set comes from the fast-changing attack domain names and normal domain names published by major websites, and its test data set comes from DNS messages of the entire LAN, mirrored from the gateway of a certain research institute, with about 50,000 records per working day. From the tuples recorded in the IN messages returned by DNS, the method calculates the degree of dispersion of the host group IPs corresponding to each domain name, probes and calculates the service availability of the host group corresponding to the domain name, and uses these two indicators to classify the domain name. The timing diagram of the online rate of the host group corresponding to the fast-changing attack domain name detected in Embodiment 2 is shown in Figure 3, where the vertical axis represents the online rate and the horizontal axis represents the...

Abstract

The invention relates to a method for detecting quick-changing attack domain names based on host group characteristics, which mainly comprises the following steps: 1, capturing network data packets and extracting DNS (Domain Name System) message characteristics; 2, detecting the quick-changing attack domain name; and 3, performing misjudgment detection. Detection of the quick-changing attack domain name, which is the core of the invention, comprises computing the IP dispersion of the host group corresponding to the domain name, assessing service availability, and detecting network fluctuation. Misjudgment detection removes normal large-scale network domain names found during detection of quick-changing attack domain names, and removes online-rate detection results obtained while the local network is in poor condition. According to the invention, the set of DNS messages in a local area network is analyzed; relying on the IP dispersion and the online rate of the host group corresponding to the domain name avoids the accuracy problem of analyzing a single DNS message; and the scale of the host group corresponding to the domain name is taken into account when the IP distance is computed, so that large-scale benign quick-changing networks are not misjudged.
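As an added illustration (not code from the patent), the sketch below runs the abstract's three steps over constructed DNS answer tuples and constructed probe results. The prefix-based IP distance, both thresholds, the allowlist and every name are assumptions, since the page does not give the patent's formulas.

```python
from collections import defaultdict
from ipaddress import IPv4Address
from itertools import combinations

# Constructed sample input: (domain, A-record IP) tuples pulled from LAN DNS answers.
DNS_ANSWERS = [
    ("flux.example", "192.0.2.10"), ("flux.example", "198.51.100.20"),
    ("flux.example", "203.0.113.30"),
    ("intranet.example", "192.0.2.50"), ("intranet.example", "192.0.2.51"),
    ("cdn.example", "198.51.100.7"), ("cdn.example", "203.0.113.7"),
]
# Constructed probe history: True means the host answered that probe round.
PROBES = {
    "192.0.2.10": [True, False, False], "198.51.100.20": [False, False, True],
    "203.0.113.30": [False, True, False],
    "192.0.2.50": [True, True, True], "192.0.2.51": [True, True, True],
    "198.51.100.7": [True, True, True], "203.0.113.7": [True, True, True],
}

def prefix_distance(a, b):
    """Assumed IP distance: 32 minus the length of the shared leading prefix."""
    return (int(IPv4Address(a)) ^ int(IPv4Address(b))).bit_length()

def dispersion(ips):
    """Mean pairwise distance scaled to 0..1, so group size alone adds nothing."""
    pairs = list(combinations(sorted(ips), 2))
    if not pairs:
        return 0.0
    return sum(prefix_distance(a, b) for a, b in pairs) / (32 * len(pairs))

def online_rate(ips, probes):
    """Fraction of probe rounds answered across the whole host group."""
    results = [ok for ip in ips for ok in probes.get(ip, [])]
    return sum(results) / len(results) if results else 0.0

def classify(answers, probes, allowlist=frozenset(), network_ok=True,
             disp_thr=0.75, online_thr=0.6):
    """Misjudgment filters (step 3) gate the dispersion + availability test (step 2)."""
    groups = defaultdict(set)
    for domain, ip in answers:          # step 1: group answers by domain
        groups[domain].add(ip)
    verdicts = {}
    for domain, ips in groups.items():
        if domain in allowlist:         # known large legitimate network
            verdicts[domain] = "allowlisted"
        elif not network_ok:            # local network degraded: online rate unreliable
            verdicts[domain] = "deferred"
        elif dispersion(ips) >= disp_thr and online_rate(ips, probes) < online_thr:
            verdicts[domain] = "suspect"
        else:
            verdicts[domain] = "normal"
    return verdicts
```

In this constructed data, `cdn.example` is as dispersed as `flux.example` but its hosts answer every probe, so the online rate alone keeps it from being flagged even without the allowlist.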

Description

Technical field

[0001] The invention relates to the field of network anomaly detection, and is a method for detecting fast-changing attack domain names based on the characteristics of the host group corresponding to the domain name.

Background

[0002] In recent years, with the rapid development of the Internet, network security has also faced enormous challenges. The emergence of botnets has undoubtedly made the network security situation worse.

[0003] The botnet parent (control server) needs to communicate with the infected bots in order to update the bots' client module in time, or to take control of newly infected bots; this is the so-called C&C (Command & Control) communication. To protect the botnet parent, the botnet often adopts domain name fast-changing technology, so that the domain name accessed by the botnet corresponds to different, currently online proxy hosts, and the proxy host is responsible for communicating with the botnet parent as an int...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L29/06
Inventor: 时金桥, 陈小军, 张浩亮, 祁成, 谭庆丰, 徐菲, 胡兰兰
Owner: INST OF INFORMATION ENG CHINESE ACAD OF SCI