Suspicious domain name detection method and device

A suspicious domain name detection technique, applied in the field of network security, that addresses the misclassification of normal domain names, the difficulty of finding accurate sets of normal and abnormal domain name samples, and the resulting inability to accurately identify abnormal domain names.

Active Publication Date: 2018-02-06
CHINA UNITED NETWORK COMM GRP CO LTD

AI Technical Summary

Problems solved by technology

[0004] Based on the above, the inventors of the present application have found that when the prior art uses existing rules for normal and abnormal domain names to identify domain names, it is often difficult to find comprehensive and accurate sample sets of normal and abnormal domain names for training. That is, the normal sample set may contain undiscovered malicious domain names, so the normal and malicious sample sets are wrongly classified and abnormal domain names cannot be accurately identified.


Embodiment Construction

[0021] Embodiments of the present application are described below in conjunction with the accompanying drawings.

[0022] The embodiments of the present application are applied in the scenario of detecting the IP address corresponding to the suspicious domain name.

[0023] First, the technical background used in the embodiments of this application is described as follows:

[0024] At present, botnets and malicious software widely use domain name switching based on a DGA algorithm to keep communication between the controlled-end program and the control-end site in sync. Specifically, the controlled end and the botnet control end adopt the same domain name generation strategy and constantly register and use new domain names (for example, switching to new domain names every day) to evade detection, and the controller pre-registers these maliciously generated domain names in advance.

[0025] These domain names based on domai...


Abstract

A suspicious domain name detection method and device, relating to the field of network security. Embodiments of the application use a zombie Trojan system detection log and a DNS log to detect the IP addresses of suspicious domain names. The method comprises the following steps: obtaining the IP addresses of active zombie Trojan control ends from the zombie Trojan system detection log; obtaining the correspondence between IP addresses and domain names within a detection period from the DNS log; obtaining the IP addresses whose number of corresponding domain names is greater than a second threshold; extracting the key domain name string of each domain name corresponding to such an IP address and calculating the frequency with which each character appears within a preset scope, where the preset scope comprises the key domain name strings of all domain names corresponding to the IP address; clustering the IP addresses with a clustering algorithm; determining suspicious point clusters according to the number of active zombie Trojan points contained in each point cluster; and determining the IP addresses included in a suspicious point cluster to be the IP addresses corresponding to suspicious domain names. The method and device are used for detecting suspicious domain names.
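The steps of the abstract as an added Python example (not code from the patent or its applicant). The page does not define the key string, the clustering algorithm or the suspicious-cluster rule, so the choices here are assumptions: the key string is the label left of the TLD, clustering is single-linkage with distance `eps`, a cluster is suspicious when it holds at least `min_c2` known control-end IPs, and all log entries are constructed sample data.

```python
import math
from collections import Counter, defaultdict
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def key_string(domain):
    # Assumption: the "key domain name string" is the label left of the TLD.
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) > 1 else labels[0]

def char_frequencies(domains):
    # Character frequency over all key strings of one IP (the "preset scope").
    counts = Counter(c for d in domains for c in key_string(d) if c in ALPHABET)
    total = sum(counts.values()) or 1
    return [counts[c] / total for c in ALPHABET]

def cluster(points, eps):
    # Assumption: single-linkage grouping; points closer than eps share a cluster.
    clusters = []
    for ip in sorted(points):
        near = [c for c in clusters
                if any(math.dist(points[ip], points[o]) < eps for o in c)]
        merged = {ip}.union(*near)
        clusters = [c for c in clusters if c not in near] + [merged]
    return clusters

def suspicious_ips(dns_log, active_c2_ips, second_threshold=2, eps=0.2, min_c2=1):
    domains_by_ip = defaultdict(set)
    for domain, ip in dns_log:
        domains_by_ip[ip].add(domain)
    points = {ip: char_frequencies(ds) for ip, ds in domains_by_ip.items()
              if len(ds) > second_threshold}  # only IPs with many domains
    flagged = set()
    for group in cluster(points, eps):
        # Assumption: a cluster is suspicious if it holds >= min_c2 known C2 IPs.
        if len(group & set(active_c2_ips)) >= min_c2:
            flagged |= group
    return sorted(flagged)

ACTIVE_C2 = {"203.0.113.10"}  # constructed: from the zombie Trojan detection log
DNS_LOG = [(d, ip) for ip, names in {  # constructed DNS log entries
    "203.0.113.10": ["qzxkvw.example", "xkqzwv.example", "vwzqkx.example"],
    "203.0.113.11": ["qxkzvwj.example", "wzvkqx.example", "xvqwkz.example"],
    "198.51.100.20": ["seaside.example", "eastsea.example", "teatime.example"],
    "198.51.100.30": ["mail.example", "www.mail.example"],
}.items() for d in names]
```

On the sample data, `suspicious_ips(DNS_LOG, ACTIVE_C2)` flags `203.0.113.11` even though only `203.0.113.10` appears in the detection log, because both IPs serve domains with nearly identical character distributions.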

Description

Technical field

[0001] The present application relates to the field of network security, in particular to a suspicious domain name detection method and device.

Background technique

[0002] With the development of social informatization, the Internet has penetrated into all aspects of social life. As a result, problems such as botnets and malicious software in the network pose a great threat to network security. At the same time, the controllers of security threats such as botnets and malware often use a DGA (Domain Generation Algorithm) to generate multiple domain names, and then evade the defender's monitoring and security blocking by constantly changing the domain names and IP addresses used for domain name resolution, which makes network security defense more difficult.

[0003] Currently, classification-based algorithms are mainly used in the prior art, and domain name classification rules are obtained by using known normal domain name sample ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/12
CPC: H04L63/1425, H04L63/145, H04L2463/144, H04L61/4511
Inventor: 朱安南姜楠马铮
Owner: CHINA UNITED NETWORK COMM GRP CO LTD