Cyber theft behavior detection method based on DNS traffic analysis and device
A traffic analysis and network technology (classified under electrical components, transmission systems, etc.) that addresses the problem that firewalls cannot completely prevent malware infection and data leakage, and that achieves relatively low detection cost, a simple specification, and the small traffic volume of the DNS protocol.
Example
[0026] First embodiment
[0027] Please refer to Figure 2, which is a flowchart of a method for detecting network theft behavior based on DNS traffic analysis according to the first embodiment of the present invention; the method is applied to a detection device. The process illustrated in Figure 2 is elaborated below, and the method includes:
[0028] Step S110: The detection device obtains network traffic data in real time.
[0029] The detection device can collect the data directly from the network card, or it can directly receive network traffic data sent by other systems.
[0030] Step S120: The detection device analyzes the network traffic data and determines whether the analysis is successful.
[0031] The detection device can parse the network traffic data according to the relevant RFC protocol specifications and reconstruct the operator's original network behavior information. Further, the protocol analysis module can parse out the information of the communicating ...
Example Embodiment
[0039] As one implementation manner, the detection device may obtain in advance the IP address and domain name of the C&C (Command and Control) server accessed by the target malware, use that IP address and domain name as a domain name blacklist, and save it in the blacklist library.
[0040] The preset condition may be: the IP address and domain name accessed by the data to be analyzed are the IP address and domain name of a C&C server in the blacklist library.
[0041] As another implementation manner, before step S110 the detection device may also obtain multiple items of normal domain name data accessed by the target network device during daily work within a preset time, where the domain name data includes a domain name and a subdomain name.
[0042] The preset time may be one week or half a month. It is worth pointing out that during this period of time, the target network device (computer device in the internal network of the unit) must be in a daily working state, so that th...
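The two preset conditions described in this embodiment, as an added Python example that is not part of the patent: a query matching the C&C blacklist, and, as the truncated second condition is read here, a query whose domain/subdomain pair falls outside the baseline learned during the preset time. The indicator values, the record format and the two-label domain split are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed C&C indicators standing in for the blacklist library (placeholders, not real IoCs).
CC_IPS = {"203.0.113.7"}
CC_DOMAINS = {"cc.example-bad.test"}


@dataclass
class DnsRecord:
    """One parsed DNS query/answer pair (the 'data to be analyzed')."""
    src_ip: str
    qname: str
    answer_ip: Optional[str] = None


def split_domain(qname: str) -> Tuple[str, str]:
    """Split a query name into (domain, subdomain); assumes the domain is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def build_baseline(learning_records: List[DnsRecord]) -> Set[Tuple[str, str]]:
    """Learn the normal (domain, subdomain) pairs seen while the device is in daily working state."""
    return {split_domain(r.qname) for r in learning_records}


def check_record(record: DnsRecord, baseline: Set[Tuple[str, str]]) -> Optional[str]:
    """Return the warning reason if the record meets a preset condition, else None."""
    domain, sub = split_domain(record.qname)
    # Blacklist checks run first, so a C&C name never passes just because it was seen during learning.
    if record.qname.rstrip(".").lower() in CC_DOMAINS or domain in CC_DOMAINS:
        return "C&C domain in blacklist"
    if record.answer_ip in CC_IPS:
        return "C&C IP address in blacklist"
    if (domain, sub) not in baseline:
        return "domain/subdomain outside learned baseline"
    return None


def detect(records: List[DnsRecord], baseline: Set[Tuple[str, str]]) -> List[Tuple[DnsRecord, str]]:
    """Save each matching record with its warning text for later risk analysis."""
    saved = []
    for r in records:
        reason = check_record(r, baseline)
        if reason is not None:
            saved.append((r, f"{r.src_ip} queried {r.qname}: {reason}"))
    return saved


# Constructed learning-period traffic (the preset time) and constructed traffic to analyze.
LEARNING_RECORDS = [DnsRecord("10.0.0.5", "www.example.test", "192.0.2.10"),
                    DnsRecord("10.0.0.5", "mail.example.test", "192.0.2.11")]
BASELINE = build_baseline(LEARNING_RECORDS)
TEST_RECORDS = [DnsRecord("10.0.0.5", "www.example.test", "192.0.2.10"),
                DnsRecord("10.0.0.5", "cc.example-bad.test", "198.51.100.9"),
                DnsRecord("10.0.0.6", "update.example.test", "203.0.113.7"),
                DnsRecord("10.0.0.7", "exfil.example.test", "192.0.2.12")]
```

Note that a name blacklisted during the learning window is still flagged, because the blacklist is consulted before the baseline; the baseline only governs names the blacklist does not cover.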
Example
[0071] Second embodiment
[0072] Please refer to Figure 3, which is a structural block diagram of a device 400 for detecting network theft behavior based on DNS traffic analysis according to the second embodiment of the present invention. The block diagram shown in Figure 3 is described below, and the device shown includes:
[0073] The first obtaining module 410 is configured to obtain network traffic data in real time;
[0074] The first judgment module 420 is configured to analyze the network traffic data, and obtain the data to be analyzed when the analysis is successful;
[0075] The second judgment module 430 is configured to judge, based on the pre-saved data index, whether the data to be analyzed meets the preset condition, and if so, to save the data to be analyzed and generate warning information so that the detection device can perform risk analysis on the data to be analyzed and the warning information.
[0076] As an implementation, please see ...