Botnet detection method based on Netflow and DNS logs

A botnet detection technique based on Netflow and DNS query analysis. It addresses the problems that existing approaches cannot find the control domain name of an FFSN network, have a high misjudgment rate, and cannot accurately locate FFSN dynamic malicious domain names; the method improves positioning accuracy and timeliness and reduces the false positive rate.

Active Publication Date: 2017-05-10
广州赛讯信息技术有限公司

AI Technical Summary

Problems solved by technology

[0003] With the continuous evolution of the FFSN botnet, the increasing concealment of DNS-based attack traffic and the emergence of new attack forms, existing Netflow traffic analysis solutions can only detect the source IP addresses, target IP addresses and attack characteristics of DDoS (Distributed Denial of Service) attacks launched by the FFSN network; they cannot find the control domain name that commands the FFSN network. Existing DNS log analysis solutions use DGA detection algorithms to find abnormal domain names, but this method has a high misjudgment rate and cannot accurately locate FFSN dynamic malicious domain names.




Embodiment Construction

[0020] Existing botnet detection methods usually rely on a single dimension of detection, so the recognition accuracy of FFSN dynamic malicious domain names is low and the positioning effect is poor. The present invention is aimed at the large number of DDoS attacks generated by FFSN networks such as Botnets and Fast-Flux attacks, and provides a botnet detection method based on Netflow and DNS logs. It uses multi-dimensional fusion detection (source IP address, source port, destination IP address, destination port and protocol type) that can automatically detect FFSN dynamic malicious domain names, greatly improves the positioning accuracy and timeliness of FFSN dynamic malicious domain names, restrains the spread of the FFSN network at its source, reduces bandwidth congestion and the duration and probability of denial of service on the basic network facilities of operators and users, and guarantees the security of the Internet's basic network ...


Abstract

The invention discloses a Botnet detection method based on Netflow and DNS logs. The method includes the following steps: conducting quintuple correlation analysis on acquired Netflow data through an abnormal flow monitoring technique, and analyzing the IP addresses of infected hosts in a service provider network, the IP addresses of the attack targets that those infected hosts attack, and the attack characteristics; and, on a DNS server, acquiring DNS query request logs, conducting correlation analysis on the domain name requests initiated by the infected host IP addresses while they attack the service provider network, searching for common domain name access records, eliminating normal common domain names, and obtaining the FFSN dynamic malicious domain names. According to the method, FFSN dynamic malicious domain names can be located quickly, the locating precision and timeliness of FFSN dynamic malicious domain names are greatly improved, and misjudgement rates are reduced.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a botnet detection method based on Netflow and DNS logs.

Background technique

[0002] Fast-Flux assigns multiple (hundreds or even thousands of) IP addresses to a legitimate domain name (such as flux.example.com). These IP addresses change very quickly: a rotating pool of IP addresses and A-record resolution mappings with a short lifetime are set up for a specific DNS domain name resource. Website domains can be assigned new IP addresses every three minutes, so browsers connecting to the same website may actually be connecting to different infected hosts.

[0003] With the continuous evolution of the FFSN botnet, the increasing concealment of DNS-based attack traffic and the emergence of new attack forms, existing Netflow traffic analysis solutions can only detect DDoS (Distributed Denial of Service) attacks initiated by the FFSN ne...
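As an added illustration (not code from the patent or its applicant), the following Python script models the two-step correlation described in the Abstract above and the fast-flux behaviour described in the Background section: step one groups constructed NetFlow records by quintuple to pick out hosts flooding a single target, step two keeps only the DNS queries those hosts made shortly before or during their attack window, intersects the queried names across hosts, drops an allowlist of normal common domains, and reports the survivors together with the distinct-IP count and minimum TTL as fast-flux evidence. The record layouts, thresholds, allowlist, domain names and addresses are all constructed assumptions, not values from the patent.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow record: the quintuple plus packet/byte counters and a start time (seconds)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int
    ts: int


@dataclass(frozen=True)
class DnsQuery:
    """One DNS query-log entry: when, which client asked, for what name, and the answer set with its TTL."""
    ts: int
    client_ip: str
    qname: str
    ttl: int
    answers: tuple


# Constructed allowlist standing in for the operator's list of 'normal common domain names'.
NORMAL_DOMAINS = {"www.example.com", "time.example.net", "updates.example.org"}


def find_infected_hosts(flows, min_flows=50, min_src_ports=20, max_bytes_per_packet=80):
    """Step 1: quintuple correlation on NetFlow.
    Flows are grouped by (src_ip, dst_ip, dst_port, proto). A source that opens many tiny flows
    from many ephemeral ports towards one target is treated as an infected host taking part in a
    flood; the target, port, protocol and time window are kept as the attack characteristics.
    Thresholds are illustrative assumptions, not values from the patent."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src_ip, f.dst_ip, f.dst_port, f.proto)].append(f)
    infected = defaultdict(list)
    for (src, dst, dport, proto), fs in groups.items():
        if len(fs) < min_flows:
            continue
        avg_pkt = sum(f.bytes for f in fs) / sum(f.packets for f in fs)
        if len({f.src_port for f in fs}) >= min_src_ports and avg_pkt <= max_bytes_per_packet:
            infected[src].append({"target": dst, "dst_port": dport, "proto": proto, "flows": len(fs),
                                  "start": min(f.ts for f in fs), "end": max(f.ts for f in fs)})
    return dict(infected)


def find_flux_domains(queries, infected, lookback=300, min_share=0.5, flux_min_ips=5, flux_max_ttl=300):
    """Step 2: DNS-log correlation.
    Only queries issued by infected hosts within `lookback` seconds before, or during, their attack
    window are kept. Names queried by at least `min_share` of the infected hosts are the 'common
    domain name access records'; allowlisted names are removed and the rest are reported with
    fast-flux evidence (many distinct answer IPs, short TTL) as described in the Background."""
    per_host = defaultdict(set)
    answer_ips = defaultdict(set)
    ttls = defaultdict(list)
    for q in queries:
        windows = infected.get(q.client_ip, [])
        if any(w["start"] - lookback <= q.ts <= w["end"] for w in windows):
            per_host[q.client_ip].add(q.qname)
            answer_ips[q.qname].update(q.answers)
            ttls[q.qname].append(q.ttl)
    n_hosts = len(infected)
    shared = Counter(name for names in per_host.values() for name in names)
    results = []
    for name, hosts in shared.items():
        if hosts / n_hosts < min_share or name in NORMAL_DOMAINS:
            continue
        ips, min_ttl = len(answer_ips[name]), min(ttls[name])
        results.append({"domain": name, "hosts": hosts, "distinct_ips": ips, "min_ttl": min_ttl,
                        "fast_flux": ips >= flux_min_ips and min_ttl <= flux_max_ttl})
    return sorted(results, key=lambda r: (-r["hosts"], r["domain"]))


def sample_flows():
    """Constructed NetFlow: three hosts flood 203.0.113.10:80 with 60 single-packet flows each
    (ts 1000-1059); one host makes a handful of ordinary HTTPS connections."""
    flows = []
    for bot in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        for k in range(60):
            flows.append(Flow(bot, 40000 + k, "203.0.113.10", 80, "tcp", 1, 60, 1000 + k))
    for k in range(5):
        flows.append(Flow("10.0.0.8", 50000 + k, "198.51.100.20", 443, "tcp", 40, 30000, 1000 + 10 * k))
    return flows


def sample_queries():
    """Constructed DNS query log around the attack window; all names and addresses are made up."""
    bots = ("10.0.0.5", "10.0.0.6", "10.0.0.7")
    pool = ["192.0.2.%d" % (10 + j) for j in range(12)]  # rotating flux pool, 4 addresses per answer
    q = []
    for i, bot in enumerate(bots):
        q.append(DnsQuery(900 + i, bot, "www.example.com", 3600, ("198.51.100.1",)))       # allowlisted
        q.append(DnsQuery(950 + i, bot, "sync.flux-pool.test", 60, tuple(pool[4 * i:4 * i + 4])))
    q.append(DnsQuery(960, "10.0.0.5", "news.example.org", 300, ("198.51.100.2",)))       # one bot only
    q.append(DnsQuery(10, "10.0.0.6", "old.flux-pool.test", 60, ("192.0.2.99",)))          # outside window
    q.append(DnsQuery(955, "10.0.0.8", "sync.flux-pool.test", 60, ("192.0.2.10",)))        # not infected
    return q


if __name__ == "__main__":
    hosts = find_infected_hosts(sample_flows())
    for row in find_flux_domains(sample_queries(), hosts):
        print(row)
```

On the constructed data only `sync.flux-pool.test` survives: it is queried by all three flooding hosts inside the window, is not allowlisted, and resolves to twelve distinct addresses with a 60-second TTL. The allowlisted name, the name queried by a single host, the query made long before the attack and the query from the uninfected host are all discarded, which is where the false-positive reduction claimed by the abstract comes from.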


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/12
CPC: H04L63/1425, H04L2463/144, H04L61/4511
Inventor 刘洋
Owner 广州赛讯信息技术有限公司