A malware domain name detection method and system based on periodic detection
A malware domain name detection technique based on periodic detection, applied in the field of network security, addresses the problem that existing methods cannot find the malicious domain names used by such software.
Active Publication Date: 2019-07-16
INST OF INFORMATION ENG CHINESE ACAD OF SCI +1
Problems solved by technology
Existing research has little effect on highly concealed malware domain names. Such domain names are very similar to normal domain names in many characteristics, so these malicious domain names cannot be found by existing detection methods.
Embodiment 1
[0055] In Embodiment 1, the input data is DNS log data; one of its log records is as follows:
[0056] 1469728799.867867 CcR4Mx1S79oPL1RDdk 192.168.89.1 43755 114.114.114.114 53 udp 30407 a.b.c.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 10.10.99.200 F000 500.
[0057] Extract the following fields:
[0058]
[0059] As shown in Figure 1, which represents the training stage of the scheme of the present invention, a classifier is generated when this stage ends, and that classifier is used in the detection stage to distinguish domain names. Figure 2 represents the detection stage of the scheme of the present invention; this stage uses the classifier obtained in the training stage, and when it ends a set of malicious domain names is produced.
[0060] The processing flow of the filtering module, periodic detection module, and feature acquisition module in the detection phase and the training phase are basically the same, and the diff...
Embodiment 2
[0088] In Embodiment 2, the input data is HTTP log data; one of its log records is as follows:
[0089] 1469722499.521614 CrswjI3seBj0Mb0mKe 192.168.115.155 22029 10.10.231.1 80 1 GET o.p.q.com /ka.js http://o.p.q.com/ciba/test/ Mozilla/5.0 (Tridible; MSIE 10.0; Windows 4W / 74.1WO) Not Modified - - - (empty) - - - - - - -
[0090] Extract the following fields:
[0091]
Field:   request time      | request domain name | source IP       | domain name resolution response IP
Example: 1444410000.416519 | o.p.q.com           | 192.168.115.155 | 10.10.231.1
[0092] The processing of this embodiment is basically the same as for Bro DNS data. The only difference is in the source data fields: Bro HTTP data has no destination IP field, so the 11th and 12th features cannot be used in the feature acquisition module; the rest of the processing flow is basically the same.
[0093] According to statistics, compared with the domain name detection method in the prior art, the detection efficien...
Abstract
The present invention proposes a malware domain name detection method based on periodic detection, which includes the following steps: 1) filtering the input data to obtain a rare domain name set; 2) extracting <request host, rare domain name> pairs from the rare domain name set; 3) obtaining the feature vector of each periodic domain name in the periodic domain name set; 4) manually labelling the periodic domain names in the periodic domain name set and, according to the feature vectors, training a classifier with the labelled legitimate and malicious domain names; 5) feeding new unlabelled domain names into the classifier trained in step 4) for detection, the output being malware domain names. The method is able to detect periodically recurring malware domain names used in covert communication. A system based on the above method is also proposed.
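To make steps 1) and 2) of the abstract concrete alongside the Bro dns.log record shown in Embodiment 1, here is an added example (not code from the patent or its applicants). It parses records in the classic 23-field Bro dns.log column order, keeps "rare" domains, groups requests into <request host, rare domain name> pairs and flags pairs whose inter-request intervals are nearly constant. Two definitions are assumptions of this example, not the patent's: a domain is "rare" when at most `max_hosts` distinct source hosts query it, and a pair is "periodic" when the coefficient of variation of its intervals is below `max_cv`. All log lines are constructed; the threshold values and the names `SAMPLE_LOG`, `find_rare_domains`, `extract_pairs`, `periodicity` and `detect_periodic_domains` are this example's own.

```python
"""Periodicity-based detection over Bro-style dns.log records (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Column order of the classic 23-field Bro dns.log (matches the embodiment's record).
DNS_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected",
]

def make_line(ts, host, query, answer="10.10.99.200"):
    """Build one constructed dns.log record; uid, ports and resolver are fixed dummies."""
    return (f"{ts:.6f} CcR4Mx1S79oPL1RDdk {host} 43755 114.114.114.114 53 udp 30407 "
            f"{query} 1 C_INTERNET 1 A 0 NOERROR F F T T 0 {answer} 600.000000 F")

BASE_TS = 1469728799.867867
SAMPLE_LOG = (
    # Constructed beaconing host: the same rare domain every 600 s.
    [make_line(BASE_TS + 600 * i, "192.168.89.1", "a.b.c.com") for i in range(6)]
    # Constructed rare domain requested at irregular, human-like intervals.
    + [make_line(BASE_TS + t, "192.168.89.2", "rare-site.example", "10.10.7.7")
       for t in (0, 7, 1907, 1952, 5252, 5264)]
    # Constructed popular domain seen from many hosts: filtered out as not rare.
    + [make_line(BASE_TS + 600 * i, f"192.168.89.{10 + i}", "cdn.example.com", "10.10.1.1")
       for i in range(5)]
)

def parse_dns_line(line):
    """Split one record into a dict; return None for header/comment or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(DNS_FIELDS):
        return None
    rec = dict(zip(DNS_FIELDS, parts))
    rec["ts"] = float(rec["ts"])
    return rec

def find_rare_domains(records, max_hosts=2):
    """Step 1 (filtering), assumed definition: domains queried by <= max_hosts distinct hosts."""
    hosts_per_domain = defaultdict(set)
    for r in records:
        hosts_per_domain[r["query"]].add(r["id.orig_h"])
    return {d for d, hosts in hosts_per_domain.items() if len(hosts) <= max_hosts}

def extract_pairs(records, rare_domains):
    """Step 2: <request host, rare domain name> pairs with their sorted request timestamps."""
    pairs = defaultdict(list)
    for r in records:
        if r["query"] in rare_domains:
            pairs[(r["id.orig_h"], r["query"])].append(r["ts"])
    return {k: sorted(v) for k, v in pairs.items()}

def periodicity(timestamps, min_requests=4):
    """Return (mean interval, coefficient of variation) or None if there are too few requests."""
    if len(timestamps) < min_requests:
        return None
    intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
    period = mean(intervals)
    cv = pstdev(intervals) / period if period > 0 else float("inf")
    return period, cv

def detect_periodic_domains(lines, max_hosts=2, min_requests=4, max_cv=0.2):
    """Filter rare domains, build pairs and flag those with near-constant request intervals."""
    records = [r for r in map(parse_dns_line, lines) if r]
    rare = find_rare_domains(records, max_hosts)
    flagged = {}
    for pair, ts_list in extract_pairs(records, rare).items():
        result = periodicity(ts_list, min_requests)
        if result and result[1] <= max_cv:
            flagged[pair] = {"period": result[0], "cv": result[1]}
    return flagged

if __name__ == "__main__":
    for (host, domain), info in detect_periodic_domains(SAMPLE_LOG).items():
        print(f"{host} -> {domain}: period {info['period']:.1f}s, cv {info['cv']:.3f}")
```

On the constructed log only the `192.168.89.1 -> a.b.c.com` pair is flagged: `cdn.example.com` never reaches the periodicity check because five hosts query it, and `rare-site.example` is rare but its intervals (7, 1900, 45, 3300, 12 seconds) give a coefficient of variation above 1. The flagged pairs are the "periodic domain name set" that steps 3) to 5) of the abstract would then featurise and classify; on real data the thresholds need tuning against the site's own DNS volume.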
Description
Technical field
[0001] The invention relates to a method and system for detecting malware domain names based on periodic detection, and belongs to the field of network security.
Background technique
[0002] DNS (Domain Name System) is a key infrastructure of the Internet; its main function is to map between domain names and IP addresses. However, much malware exploits DNS to locate remote command and control (C&C) servers for a range of malicious activities. In recent years, network security research has developed rapidly, but many attackers evade existing security strategies by developing special malware. The communication between malware and C&C servers is very covert and difficult to discover: a small number of malicious domain name requests are mixed into a large amount of DNS data, making the malicious domain names hard to find.
[0003] Existing research and practice have shown that the life cycle followed by many different malware is...