Controlled host detection method and device based on knowledge graph

A knowledge-graph-based detection technology, applied in the field of controlled host detection, that reduces cost, improves detection capability and improves processing efficiency.

Active Publication Date: 2020-12-18
Applicant: 北京金睛云华科技有限公司 +1

AI Technical Summary

Problems solved by technology

[0006] In order to solve the above technical problems, the present invention provides a controlled host detection method and device based on a knowledge graph. It solves the performance, precision and engineering problems that the prior art has in detecting word-list splicing DGA domain names, enables more accurate discovery of controlled hosts, and reduces the risk to user assets.


Embodiment Construction

[0060] The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

[0061] Many malware families need to communicate with command and control (C&C) servers in order to receive instructions, transmit gathered intelligence, or carry out other malicious activities. Because a hard-coded domain name is easily recovered by reverse engineering, C&C communication through it fails. For this reason, malware often uses a Domain Generation Algorithm (DGA) to generate a large number of pseudo-random domain names and attempts to connect to them in turn. Such b...


Abstract

The invention provides a controlled host detection method and device based on a knowledge graph. The method comprises the steps of: extracting feature data from the DNS traffic whose response state is NXDOMAIN and filtering it; describing the data with a knowledge graph construction framework and building an NXDOMAIN-IP knowledge graph; and finally analysing the knowledge graph with a community discovery algorithm and a community judgment algorithm to obtain a list of controlled hosts and mark the suspected malicious code family. Based on a distributed data stream processing framework, real-time DNS request traffic is analysed at scale, and analysis efficiency is greatly improved by a multi-stage data preprocessing process. Through NXDOMAIN-IP knowledge graph construction, community discovery and community judgment, word-list splicing DGA domain names are detected, controlled hosts and the related malicious code families are determined, and victims are reminded in time to upgrade antivirus software, run a full-disk scan on the hosts and reinforce host vulnerabilities.
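As an added illustration (not the patent's own code), the pipeline the abstract describes reduced to three stages over constructed DNS records: keep only NXDOMAIN responses and link each client IP to the labels it failed to resolve, find communities of hosts that share failed names, then judge a community by how many of its names split cleanly into dictionary words. The word list, thresholds and sample records are all assumptions.

```python
from collections import defaultdict
# Constructed sample DNS records "client_ip qname rcode" (not the patent's data).
DNS_LOG = """10.0.0.5 quietriver.example NXDOMAIN
10.0.0.5 greenmountain.example NXDOMAIN
10.0.0.7 quietriver.example NXDOMAIN
10.0.0.7 silentforest.example NXDOMAIN
10.0.0.7 darkvalley.example NXDOMAIN
10.0.0.9 gogle.example NXDOMAIN
10.0.0.11 darkvalley.example NOERROR"""
WORDS = {"quiet", "river", "green", "mountain", "silent", "forest", "dark", "valley"}  # toy dictionary (assumption)

def segmentable(label, words=WORDS):
    """True if label splits entirely into dictionary words (the word-splice DGA test)."""
    return label == "" or any(label.startswith(w) and segmentable(label[len(w):], words) for w in words)

def build_graph(log):
    """Stage 1: keep only NXDOMAIN answers; link client IPs and the labels they failed to resolve."""
    host_names, name_hosts = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        ip, qname, rcode = line.split()
        if rcode == "NXDOMAIN":  # successful lookups never enter the graph
            label = qname.split(".")[0].lower()
            host_names[ip].add(label)
            name_hosts[label].add(ip)
    return host_names, name_hosts

def communities(host_names, name_hosts):
    """Stage 2: connected components of the bipartite graph, as sets of client IPs."""
    comms = []
    for start in host_names:
        if not any(start in c for c in comms):
            members, stack = set(), [start]
            while stack:
                ip = stack.pop()
                if ip not in members:
                    members.add(ip)
                    stack += [h for n in host_names[ip] for h in name_hosts[n]]
            comms.append(members)
    return comms

def judge(log, min_hosts=2, min_ratio=0.8):
    """Stage 3: flag communities of >= min_hosts whose NXDOMAIN labels are mostly word splices."""
    host_names, name_hosts = build_graph(log)
    flagged = []
    for members in communities(host_names, name_hosts):
        names = set().union(*(host_names[ip] for ip in members))
        if len(members) >= min_hosts and sum(map(segmentable, names)) / len(names) >= min_ratio:
            flagged.append(sorted(members))
    return flagged
```

The lone typo host (10.0.0.9) and the host whose only dictionary-looking name resolved successfully (10.0.0.11) are not flagged; only the pair sharing unresolvable word-spliced names is.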

Description

Technical field

[0001] The invention belongs to the technical field of controlled host detection, and in particular relates to a controlled host detection method and device based on a knowledge graph.

Background technique

[0002] In highly sophisticated cyberattacks, the command and control (C&C) server routinely uses a Domain Generation Algorithm (DGA) to dynamically generate many candidate domain names rather than relying on static IP addresses or a hard-coded list of domain names. Distinguishing DGA-generated domain names from legitimate ones is crucial for discovering controlled hosts and for further locating hidden attackers. Compared with traditional character-based DGA domain names, the word-based DGA domain names disclosed in recent cyber attack incidents show significantly stronger stealth and adversarial resistance. In word-based DGA domain names, two or more words are randomly selected from one or more specific dictionaries and concatenated to form dynamic domain names, ...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): H04L29/06, H04L29/12, G06F16/36, G06F21/57
CPC: H04L63/101, H04L63/1416, H04L63/1433, H04L63/145, H04L63/20, G06F16/367, G06F21/577, H04L61/4511
Inventor: 曲武
Owner: 北京金睛云华科技有限公司