Suspicious domain name detection method and system

A suspicious domain name detection technology, applied in transmission systems, electrical components, etc., that addresses high computer resource consumption, the difficulty of automatically updating suspicious domain names and intercepting suspicious domain names, and the inability to audit and monitor DNS messages, and achieves the effect of double verification.

Active Publication Date: 2020-04-10
CHINA UNITED NETWORK COMM GRP CO LTD

AI Technical Summary

Problems solved by technology

In sniffing technology, tools such as the network packet analysis software Wireshark, Winpcap, and SRSniffer all have powerful protocol analysis functions, but they serve only as network packet analysis software and cannot audit and monitor DNS packets. Moreover, these sniffing tools usually analyze each protocol field in the DNS message one by one, which easily consumes a large amount of computer resources, and in a large network environment packet loss or crashes may also occur. Analysis and restoration technology only audits the DNS data and cannot control illegal activities on the network in a timely and effective manner.
[0005] Suspicious domain name interception systems in the prior art, for example those based on domain name redirection, process the DNS domain name request packets flowing through the network, forge the response packet, and redirect the DNS domain name to the destination IP addresses so as to block certain domain names, but such a system cannot automatically update suspicious domain names in real time.
[0006] Therefore, the existing monitoring and blocking technologies for suspicious domain names use relatively simple methods to analyze DNS domain names, and it is difficult for them to automatically update suspicious domain names in real time and to block suspicious domain names in a timely manner.



Examples


Embodiment Construction

[0047] In order to enable those skilled in the art to better understand the technical solution of the present invention, the suspicious domain name detection method and system provided by the present invention will be described in detail below in conjunction with the accompanying drawings.

[0048] Figure 1 is a flowchart of a suspicious domain name detection method provided by Embodiment 1 of the present invention. As shown in the figure, the suspicious domain name detection method includes:

[0049] Step 101. Obtain a first DNS data packet, where the first DNS data packet includes user identification information, a domain name, and a first resolution result corresponding to the domain name.

[0050] Step 102. Generate the support degree of the domain name according to the domain name and the user identification information.

[0051] Step 103. Judge whether the support degree is less than the first set value; if yes, execute step 104; if not, end the process.

[0052] ...


Abstract

The invention discloses a suspicious domain name detection method and system. The suspicious domain name detection method includes: obtaining a first DNS data message, where the first DNS data message includes user identification information, a domain name and a first resolution result corresponding to the domain name; generating the support degree of the domain name according to the domain name and the user identification information; judging whether the support degree is less than the first set value; if the support degree is less than the first set value, determining the domain name as a first suspicious domain name; if the domain name is determined to be a first suspicious domain name, generating the instability of the first resolution result according to the first resolution result corresponding to the first suspicious domain name; judging whether the instability is greater than the second set value; and if the instability is greater than the second set value, determining the first suspicious domain name as a second suspicious domain name. The invention realizes double verification of the domain name, real-time automatic updating of suspicious domain names and timely interception of suspicious domain names.
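
The two-stage check described in the abstract, as an added Python example (not code from the patent). The text on this page does not define how the support degree or the instability is computed, so both formulas, the two set values, the helper names and the sample records are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (user_id, queried domain, resolved IP) per DNS response.
RECORDS = [
    ("u1", "intranet.example", "192.0.2.10"),
    ("u2", "intranet.example", "192.0.2.10"),
    ("u3", "intranet.example", "192.0.2.10"),
    ("u4", "Intranet.example.", "192.0.2.10"),
    ("u1", "rare-but-stable.example", "198.51.100.7"),
    ("u1", "rare-but-stable.example", "198.51.100.7"),
    ("u2", "flux.example", "203.0.113.1"),
    ("u2", "flux.example", "203.0.113.2"),
    ("u2", "FLUX.example.", "203.0.113.3"),
    ("u2", "flux.example", "203.0.113.4"),
    ("u3", "once.example", "198.51.100.99"),
]

FIRST_SET_VALUE = 0.5   # assumed support threshold
SECOND_SET_VALUE = 0.5  # assumed instability threshold


def norm(domain):
    """Case-fold and drop the trailing root dot so one name has one key."""
    return domain.lower().rstrip(".")


def support(records):
    """Assumed definition: share of all observed users that queried each domain."""
    all_users = {user for user, _, _ in records}
    users_by_domain = defaultdict(set)
    for user, domain, _ in records:
        users_by_domain[norm(domain)].add(user)
    return {d: len(u) / len(all_users) for d, u in users_by_domain.items()}


def instability(records, domain):
    """Assumed definition: share of consecutive responses whose IP changed."""
    ips = [ip for _, d, ip in records if norm(d) == domain]
    if len(ips) < 2:  # a single response gives no evidence of change
        return 0.0
    changes = sum(a != b for a, b in zip(ips, ips[1:]))
    return changes / (len(ips) - 1)


def detect(records, first_set_value=FIRST_SET_VALUE, second_set_value=SECOND_SET_VALUE):
    """Stage 1: support < first value. Stage 2: instability > second value."""
    sup = support(records)
    first = sorted(d for d, s in sup.items() if s < first_set_value)
    second = [d for d in first if instability(records, d) > second_set_value]
    return first, second
```

Only domains that fail the first check reach the second, so a widely queried name is never scored for instability, and a rarely queried name with a stable answer stays at the first level.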

Description

Technical field

[0001] The invention relates to the technical field of domain name resolution, in particular to a suspicious domain name detection method and system.

Background technique

[0002] At present, most of the viruses on the enterprise network enter the enterprise internal network through email or web browsing. Spam and various malicious links often easily cause congestion and paralysis of the enterprise network, and even cause system crashes, resulting in huge and irreparable loss. Therefore, the security of the enterprise Internet is extremely important to the enterprise.

[0003] The Domain Name System (DNS for short) is a set of mapping mechanisms that provide the correspondence between network domain names and IP addresses in the network. The client usually realizes the query from the domain name to the IP address by exchanging DNS query messages and response messages with the server, and most web services also obtain IP addresses through domain name resolutio...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L29/12
CPC: H04L63/1466, H04L61/4511
Inventor: 任思颖
Owner: CHINA UNITED NETWORK COMM GRP CO LTD