Method and device for detecting domain name record hijacking with large-scale resolver orientation

By combining baseline detection and differential detection, along with multi-level data acquisition and multi-step screening, the accuracy and false alarm rate issues of domain name hijacking detection in large-scale resolvers are resolved, achieving a hijacking detection effect with high efficiency and low false alarm rate.

CN120546902BActive Publication Date: 2026-06-26TSINGHUA UNIVERSITY +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
TSINGHUA UNIVERSITY
Filing Date
2025-04-17
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

Existing technologies are difficult to effectively detect domain hijacking in large-scale scenarios, especially due to the high false alarm rate caused by data collection limitations and changes in domain name services, making them unsuitable for targeted domain hijacking detection using large-scale resolvers.

Method used

By combining baseline detection algorithms and differential detection algorithms, and through multi-level data acquisition and multi-step screening, including multi-level anomaly screening by parsing IP addresses, certificates, and page content, and by using relational and non-relational databases to store data, hijacked domains are gradually identified.

Benefits of technology

It improves detection accuracy and reduces false alarm rate, and can effectively identify hijacking behavior in large-scale deployment scenarios of content delivery networks, with high accuracy and low false alarm rate.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN120546902B_ABST
    Figure CN120546902B_ABST
Patent Text Reader

Abstract

The application provides a large-scale resolver-oriented directional domain name record hijacking detection method and device, wherein the method comprises the following steps: resolving each domain name in a monitoring list, and sequentially obtaining multi-level data corresponding to the domain name through a set priority; detecting the domain name resolution result by using a baseline detection algorithm and a differential detection algorithm to output an abnormal domain name set in the current detection, wherein if both algorithms determine that the domain name is abnormal, it is determined that the domain name is abnormal; and iteratively detecting the abnormal domain name set, sequentially performing multi-level abnormal screening through certificates and pages, and regarding the domain name with abnormalities in multiple levels as a hijacked domain name. The application firstly determines whether the resolver has a hijacking behavior by fusing the baseline detection and the differential detection, and then iteratively determines the hijacking detection result in multiple levels, so that the problem of high false positive rate and low detection efficiency of the prior art in a large-scale scene can be solved.
Need to check novelty before this filing date? Find Prior Art