
A botnet detection method based on netflow and dns logs

A botnet detection method using NetFlow records and DNS query logs, classified under transmission systems and electrical components. It addresses the problems that existing schemes cannot find the control domain name of an FFSN (fast-flux service network), have a high misjudgment rate and cannot accurately locate FFSN dynamic malicious domain names; its claimed effect is a reduced false positive rate.

Active Publication Date: 2019-12-13
广州赛讯信息技术有限公司

AI Technical Summary

Problems solved by technology

[0003] With the continued evolution of FFSN botnets, the increasing stealth of DNS-based attacks and the emergence of new attack forms, existing NetFlow traffic analysis can only detect the DDoS (Distributed Denial of Service) attacks launched by the FFSN network, that is, the source IP addresses, target IP addresses and attack characteristics of the attack, but cannot find the control domain name that commands the FFSN network. Existing DNS log analysis uses DGA (domain generation algorithm) detection to find abnormal domain names, but this method has a high misjudgment rate and cannot accurately locate FFSN dynamic malicious domain names.



Embodiment Construction

[0020] Existing botnet detection methods usually rely on a single dimension of detection, so their recognition accuracy for FFSN dynamic malicious domain names is low and their localization is poor. Aimed at the large volume of DDoS traffic generated by FFSN networks such as botnets and Fast-Flux attacks, the present invention provides a botnet detection method based on NetFlow and DNS logs that uses multi-dimensional fusion detection (source IP address, source port, destination IP address, destination port and protocol type) to automatically detect FFSN dynamic malicious domain names. This greatly improves the accuracy and effectiveness of locating FFSN dynamic malicious domain names, curbs the spread of the FFSN network at its source, reduces bandwidth congestion and the duration and probability of denial of service for the basic network infrastructure of operators and users, and improves the security of the Internet's basic network ...


Abstract

The invention discloses a botnet detection method based on NetFlow and DNS logs. It comprises: performing five-tuple association analysis on the collected NetFlow data with abnormal-traffic monitoring, and deriving the IP addresses of the infected hosts in the operator network together with the IP addresses and attack characteristics of the targets those infected hosts attack; collecting DNS query request logs on the DNS server, and performing association analysis on the domain name requests issued by the IP addresses of the multiple infected hosts during the attack on the operator network, finding the domain name access records they have in common and excluding normal common domain names, to obtain the FFSN dynamic malicious domain name. The invention can quickly locate the FFSN dynamic malicious domain name, greatly improves the accuracy and effectiveness of that localization, and reduces the misjudgment rate.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a botnet detection method based on NetFlow and DNS logs.

Background technique

[0002] Fast-Flux assigns multiple (hundreds or even thousands of) IP addresses to a legitimately registered domain name (such as flux.example.com), and these IP addresses change very quickly: a rotating pool of IP addresses is combined with A-record mappings of very short lifetime set for a specific DNS domain name. A website domain can be given a new IP address every three minutes, so browsers connecting to the same website may actually be connecting to different infected hosts.

[0003] With the continued evolution of FFSN botnets, the increasing stealth of DNS-based attacks and the emergence of new attack forms, existing NetFlow traffic analysis can only detect the DDoS (Distributed Denial of Service) attacks launched by the FFSN ne...
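The two-stage correlation described in paragraph [0020] and the abstract, with the fast-flux resolution pattern from [0002] as a corroborating check, written out as an added illustration that is not code from the patent or its owner. It runs over constructed NetFlow-style five-tuple records and DNS query log entries embedded below; the controller name `upd.flux.test`, the whitelist of "normal common domain names", the thresholds (`min_sources`, `min_flows`, `lookback`, `min_share`) and all addresses (RFC 5737 documentation ranges) are assumptions chosen for the example, not values from the patent.

```python
"""Two-stage NetFlow/DNS correlation as described in the abstract, run over
constructed sample records.  Added illustration, not code from the patent."""
import math
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int        # epoch seconds of the flow record
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str     # "tcp", "udp", "icmp"


class DnsQuery(NamedTuple):
    ts: int
    client_ip: str
    qname: str
    answer_ip: str  # A record returned to the client
    ttl: int


# Constructed NetFlow export: three bots flood one web server with many short
# connections while a benign host browses normally.
BOTS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
FLOWS = [Flow(1000 + i, bot, 40000 + 1000 * b + i, "203.0.113.10", 80, "tcp")
         for b, bot in enumerate(BOTS) for i in range(50)]
FLOWS += [Flow(1005, "10.0.0.9", 50123, "198.51.100.20", 443, "tcp"),
          Flow(1020, "10.0.0.9", 50124, "198.51.100.21", 443, "tcp")]

# Constructed DNS query log.  Every bot resolves the hypothetical controller
# name upd.flux.test before and during the flood, each time getting a different
# address from the flux pool with a short TTL; hosts also resolve ordinary names.
QUERIES = []
for b, bot in enumerate(BOTS):
    QUERIES += [DnsQuery(900 + 10 * b, bot, "upd.flux.test", "192.0.2.%d" % (10 + b), 180),
                DnsQuery(1030, bot, "upd.flux.test", "192.0.2.%d" % (20 + b), 180),
                DnsQuery(950, bot, "www.example.com", "198.51.100.5", 86400)]
QUERIES += [DnsQuery(1005, "10.0.0.5", "news.example.org", "198.51.100.6", 3600),  # one bot only
            DnsQuery(1010, "10.0.0.9", "mail.example.org", "198.51.100.7", 3600),  # benign host
            DnsQuery(100, "10.0.0.6", "old.flux.test", "192.0.2.99", 60)]          # before window

# "Normal common domain names" to exclude (constructed whitelist).
WHITELIST = {"www.example.com", "time.example.net"}


def find_attacks(flows, min_sources=3, min_flows=100):
    """Stage 1: five-tuple association on NetFlow.  Flows are grouped by target
    (dst_ip, dst_port, proto); a target hit by many distinct sources with many
    flows is treated as a DDoS victim and those sources as infected hosts.
    Returns [{target, sources, start, end}]."""
    by_target = defaultdict(list)
    for f in flows:
        by_target[(f.dst_ip, f.dst_port, f.proto)].append(f)
    attacks = []
    for target, fs in by_target.items():
        sources = {f.src_ip for f in fs}
        if len(sources) >= min_sources and len(fs) >= min_flows:
            attacks.append({"target": target, "sources": sources,
                            "start": min(f.ts for f in fs), "end": max(f.ts for f in fs)})
    return attacks


def correlate_dns(attack, queries, lookback=300, min_share=0.8, whitelist=WHITELIST):
    """Stage 2: DNS log association.  Keep the queries the infected hosts issued
    from `lookback` seconds before the attack until it ends, count how many
    distinct bots asked for each name, drop whitelisted names, and report names
    shared by at least `min_share` of the bots (and by at least two of them)."""
    bots, lo, hi = attack["sources"], attack["start"] - lookback, attack["end"]
    askers = defaultdict(set)
    for q in queries:
        if q.client_ip in bots and lo <= q.ts <= hi:
            askers[q.qname].add(q.client_ip)
    need = max(2, math.ceil(len(bots) * min_share))
    return sorted(n for n, ips in askers.items() if len(ips) >= need and n not in whitelist)


def flux_profile(qname, queries):
    """Corroborating fast-flux signal from [0002]: a flux name resolves to many
    different addresses with short TTLs."""
    hits = [q for q in queries if q.qname == qname]
    return {"distinct_ips": len({q.answer_ip for q in hits}),
            "max_ttl": max(q.ttl for q in hits) if hits else None}


def detect(flows=FLOWS, queries=QUERIES):
    """Run both stages; returns {"dst:port/proto": {bots, domains, flux}}."""
    report = {}
    for atk in find_attacks(flows):
        domains = correlate_dns(atk, queries)
        report["%s:%d/%s" % atk["target"]] = {
            "bots": sorted(atk["sources"]),
            "domains": domains,
            "flux": {d: flux_profile(d, queries) for d in domains}}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(detect(), indent=2))
```

The point the abstract makes about the false positive rate shows up in stage 2: `www.example.com` is queried by every bot during the window, so the co-occurrence count alone would flag it, and only the exclusion of normal common domain names removes it; `news.example.org` is queried by a single bot and never reaches the share threshold, and `old.flux.test` falls outside the attack window. In a real deployment the whitelist would be a popularity list rather than two literals, and the thresholds would be tuned to the operator's flow volume.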


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L29/12
CPC: H04L63/1425, H04L2463/144, H04L61/4511
Inventor 刘洋
Owner 广州赛讯信息技术有限公司