Cyber theft behavior detection method based on DNS traffic analysis and device

A traffic analysis and network technology, applied in the direction of electrical components, transmission systems, etc., that addresses the problem that firewalls cannot completely control malware infection and data leakage, and achieves the effect of relatively low detection cost, a simple specification, and a small volume of DNS protocol traffic to inspect.

Active Publication Date: 2018-03-23
上海安恒智慧城市安全技术有限公司



Example

[0026] First embodiment

[0027] Please refer to figure 2, which is a flowchart of a method for detecting network theft behavior based on DNS traffic analysis according to the first embodiment of the present invention; the method is applied to a detection device. The process illustrated in figure 2 is elaborated below, and the method includes:

[0028] Step S110: The detection device obtains network traffic data in real time.

[0029] The detection equipment can directly collect data from the network card, and can also directly receive network traffic data sent by other systems.

[0030] Step S120: The detection device analyzes the network traffic data and determines whether the analysis is successful.

[0031] The detection device can parse network traffic data based on the RFC protocol specification, and restore the original network behavior information of the operator. Further, the protocol analysis module can parse out the information of the communicating ...

Example Embodiment

[0039] As an implementation manner, the detection device may obtain in advance the IP address and domain name of the C&C (Command and Control) server accessed by the target malware, and save the IP address and domain name of the C&C server as a domain name blacklist in the blacklist library.

[0040] The preset condition may be: the IP address and domain name accessed by the data to be analyzed are the IP address and domain name of the C&C server in the blacklist database.

[0041] As another implementation manner, before step S110, the detection device may also obtain multiple normal domain name data accessed by the target network device in daily work within a preset time, and the domain name data includes a domain name and a subdomain name.

[0042] The preset time may be one week or half a month. It is worth pointing out that during this period of time, the target network device (computer device in the internal network of the unit) must be in a daily working state, so that th...
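The two preset conditions described above (a C&C blacklist match, or a domain never seen in the baseline collected during the learning window) as a small worked check. This is an added example, not code from the patent or its owner; the record layout, the domain and IP values, and the simplified parent-domain rule are all constructed assumptions.

```python
"""Blacklist + baseline check over DNS query records, in the style of [0039]-[0042]."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# A query record is (client_ip, queried_domain, resolved_ip). All values constructed.
Record = Tuple[str, str, str]

# Queries the target device made during the learning window (e.g. one week).
BASELINE_WINDOW = [
    ("10.0.0.5", "mail.example.com", "93.184.216.34"),
    ("10.0.0.5", "www.example.com", "93.184.216.34"),
    ("10.0.0.5", "updates.example.org", "198.51.100.7"),
]

# Constructed placeholder C&C domain / IP; not real indicators.
CC_BLACKLIST = {"c2.bad-example.test", "203.0.113.66"}

LIVE_TRAFFIC = [
    ("10.0.0.5", "www.example.com", "93.184.216.34"),       # seen in baseline
    ("10.0.0.5", "c2.bad-example.test", "203.0.113.66"),    # blacklisted
    ("10.0.0.5", "x7f3a.exfil-example.test", "192.0.2.9"),  # never seen before
]

@dataclass
class Alert:
    client_ip: str
    domain: str
    resolved_ip: str
    reason: str

def parent_domain(name: str) -> str:
    """Last two labels of a name ('a.b.example.com' -> 'example.com').
    Simplified assumption: ignores public-suffix rules such as 'co.uk'."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def build_baseline(records: Iterable[Record]) -> Set[str]:
    """Store each queried name and its parent domain, as [0041] keeps both."""
    baseline: Set[str] = set()
    for _client, domain, _ip in records:
        baseline.add(domain.lower())
        baseline.add(parent_domain(domain))
    return baseline

def check_query(rec: Record, baseline: Set[str], blacklist: Set[str]) -> Optional[Alert]:
    client, domain, ip = rec
    if domain.lower() in blacklist or ip in blacklist:
        return Alert(client, domain, ip, "blacklisted C&C domain or IP")
    if domain.lower() not in baseline and parent_domain(domain) not in baseline:
        return Alert(client, domain, ip, "domain never seen in baseline window")
    return None  # normal traffic, nothing to save

def analyze(records: Iterable[Record], baseline: Set[str], blacklist: Set[str]) -> list:
    """Return the records that met a preset condition, with their warning reason."""
    return [a for a in (check_query(r, baseline, blacklist) for r in records) if a]
```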

Example

[0071] Second embodiment

[0072] Please refer to image 3, which is a structural block diagram of a device 400 for detecting network theft behavior based on DNS traffic analysis according to the second embodiment of the present invention. The block diagram shown in image 3 is explained below, and the device shown includes:

[0073] The first obtaining module 410 is configured to obtain network traffic data in real time;

[0074] The first judgment module 420 is configured to analyze the network traffic data, and obtain the data to be analyzed when the analysis is successful;

[0075] The second judgment module 430 is configured to judge whether the data to be analyzed meets the preset condition based on the pre-saved data index, and if so, save the data to be analyzed and generate warning information, so that the detection device can perform risk analysis on the data to be analyzed and the warning information.

[0076] As an implementation, please see ...


Abstract

The invention provides a cyber theft behavior detection method based on DNS traffic analysis and a device. The method comprises the following steps: detection equipment acquires network traffic data in real time; the detection equipment analyzes the network traffic data, and obtains to-be-analyzed data after judging that the analysis is successful; the detection equipment judges whether the to-be-analyzed data satisfies a preset condition based on the pre-stored data index; if the to-be-analyzed data satisfies the preset condition, the to-be-analyzed data is saved to generate alarm information, thereby facilitating the detection equipment to perform risk analysis on the to-be-analyzed data and the alarm information. Through the method provided by the invention, the disadvantage of the existing firewall technology can be overcome, and the possible behavior of transmitting the sensitive data is identified.

Description

Technical field

[0001] The invention relates to the field of network security detection, in particular to a method and device for detecting network theft behavior based on DNS traffic analysis.

Background technique

[0002] The Domain Name System (DNS), one of the important pieces of Internet infrastructure, is a distributed database that maps domain names and IP addresses to each other, so that users can connect to and access the Internet without having to remember the string of IP address numbers that a machine reads directly. At present, most Internet applications need to use the domain name system to convert a domain name to an IP address before carrying out a specific service.

[0003] The firewall is an important tool in a network security system. It continuously checks the data packets entering and leaving the protected network. Data packets that threaten the protected network will be intercepted b...


Application Information

IPC(8): H04L29/06, H04L29/12
CPC: H04L61/10, H04L63/1416, H04L63/145, H04L63/1466, H04L63/0236, H04L61/4511
Inventors: 程华才, 范渊, 李凯
Owner: 上海安恒智慧城市安全技术有限公司