A method, device, equipment and system for tracing a domain name generation algorithm virus
By adding audit rules to the Domain Name System server and using security detection and response programs and extended detection and response devices to analyze and trace the source logs, the problem of being unable to locate the process of domain name generation algorithm viruses in existing technologies has been solved, achieving accurate source tracing of domain name generation algorithm viruses and improving network security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SANGFOR TECH INC
- Filing Date
- 2024-12-04
- Publication Date
- 2026-06-05
AI Technical Summary
Existing technologies cannot effectively locate the process of domain name generation algorithm viruses, especially in large-scale cloud-native containerized deployment environments, making it difficult for security operations personnel to further analyze and track the process of malware.
By adding audit rules to the Domain Name System server, analyzing source tracing logs using security detection and response programs and extended detection and response devices, and combining warning times and host information, the process and program of the domain name generation algorithm virus can be automatically located.
It enables precise tracing of domain name generation algorithm viruses, improves network security protection levels, optimizes security resource allocation, and enhances the security and accuracy of network ecosystem analysis.
Smart Images

Figure CN122160076A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to a method, apparatus, device, and system for tracing the origin of a domain name generation algorithm virus. Background Technology
[0002] Domain Generation Algorithm (DGA) is a method of generating domain names using random characters, time, dictionaries, hard-coding, and other algorithms. Domain names generated by DGA have a high degree of randomness and are often used in centralized botnets to connect to C&C servers (remote control software used by network hackers) in order to evade domain blacklist detection.
[0003] Currently, DGA malicious domain identification and detection usually relies on domain name rules to make matching judgments to identify whether a host is infected with malware. However, in some large-scale cloud-native containerized deployment environments, simply locating the host is often not enough. Security operations personnel usually need to conduct further analysis to continuously locate the process or program. However, since the DGA domain name is unknown on the terminal, the target address cannot be determined. Using full packet capture is not only resource-intensive and highly dependent on manual analysis, but also makes it difficult to locate the process.
[0004] Therefore, there is a technical problem that it is impossible to locate the process where the domain name generation algorithm virus is located. Summary of the Invention
[0005] In view of this, the purpose of the present invention is to provide a method, apparatus, device and system for tracing the source of domain name generation algorithm viruses, which solves the technical problem in the prior art that it is impossible to locate the process where the domain name generation algorithm virus is located.
[0006] To address the aforementioned technical problems, this invention provides a method for tracing the origin of domain name generation algorithm viruses, comprising:
[0007] Use the security detection response program to obtain the Domain Name System server corresponding to the domain name generation algorithm risk request;
[0008] The security detection and response program is used to add audit rules to the Domain Name System server corresponding to the domain name generation algorithm risk request; wherein, the audit rules are rules for determining the process connecting to the Domain Name System server of the risk request;
[0009] When a virus alert is triggered by the domain name generation algorithm, the extended detection and response equipment is used to analyze the source tracing logs corresponding to the audit rules to determine the risk process and / or risk procedure.
[0010] Optionally, the step of analyzing the source logs corresponding to the audit rules using extended detection and response devices to determine risk processes and / or risk procedures includes:
[0011] The extended detection and response equipment is used to automatically correlate and analyze the source tracing logs, and the risk process and / or risk procedure are determined by combining the warning time and the audit rules.
[0012] Optionally, the step of using a security detection response program to obtain the Domain Name System server corresponding to the domain name generation algorithm risk request includes:
[0013] The security detection response program is used to obtain the Domain Name System server and event ID corresponding to the domain name generation algorithm risk request, and the event ID is used for event tracking.
[0014] Optionally, the audit rules are rules that include Domain Name System server information, host information, and execution results.
[0015] Optionally, before obtaining the Domain Name System server corresponding to the domain name generation algorithm risk request using the security detection response program, the method further includes:
[0016] Using the extended detection and response device, situational awareness is used to identify servers that pose a risk of connecting to external domain name generation algorithm viruses, thus obtaining the Domain Name System server.
[0017] Optionally, when the domain name generation algorithm triggers a virus warning, the extended detection and response device is used to analyze the source tracing logs corresponding to the audit rules to determine the risk process and / or risk procedure, including:
[0018] When the host corresponding to the domain name generation algorithm risk request triggers a domain name generation algorithm virus warning, the extended detection and response device is used to analyze the source tracing logs corresponding to the audit rules to determine the risk process and / or the risk procedure.
[0019] This application also provides a source tracing system for domain name generation algorithm viruses, including:
[0020] A security detection and response program is used to execute the steps of obtaining the Domain Name System (DNS) server corresponding to the domain name generation algorithm risk request; and adding audit rules to the DNS server of the risk request.
[0021] An extended detection and response device is used to perform the steps described above, which involve analyzing the source logs corresponding to the audit rules using the extended detection and response device to determine risk processes and / or risk procedures.
[0022] This application also provides a device for tracing the origin of a domain name generation algorithm virus, comprising:
[0023] The risk server determination module is used to obtain the Domain Name System server corresponding to the risk request of the domain name generation algorithm using the security detection response program;
[0024] An audit rule adding module is used to add audit rules to the Domain Name System server corresponding to the domain name generation algorithm risk request using the security detection response program; wherein, the audit rule is a rule for determining the process connecting to the Domain Name System server of the risk request;
[0025] The source tracing module is used to analyze the source tracing logs corresponding to the audit rules using extended detection and response devices when a virus warning is triggered by the domain name generation algorithm, in order to determine the risk process and / or risk procedure.
[0026] This application also provides a device for tracing the origin of a domain name generation algorithm virus, including:
[0027] Memory, used to store computer programs;
[0028] A processor is used to implement the steps of the method for tracing the origin of a virus, such as the domain name generation algorithm described above, when executing the computer program.
[0029] This application also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the above-described method for tracing the origin of a domain name generation algorithm virus.
[0030] As can be seen, this invention obtains the Domain Name System (DNS) server corresponding to the domain name generation algorithm risk request using a security detection and response program; it adds audit rules to the DNS server corresponding to the risk request using the security detection and response program; wherein, the audit rules are rules for determining the process connecting to the DNS server of the risk request; when the domain name generation algorithm virus warning is triggered, the extended detection and response device analyzes the source tracing logs corresponding to the audit rules to determine the risky process and / or risky program. Compared with the current matching judgment based on domain name rules, which can only trace back to the host, this application, by adding audit rules to the DNS server, enables the precise location of the specific process where the domain name generation algorithm virus is located when a risk exists, thereby achieving a deeper level of source tracing.
[0031] In addition, the present invention also provides a source tracing device, equipment, system and storage medium for domain name generation algorithm viruses, which also have the above-mentioned beneficial effects. Attached Figure Description
[0032] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.
[0033] Figure 1 A flowchart illustrating a method for tracing the origin of a domain name generation algorithm virus, provided in an embodiment of the present invention;
[0034] Figure 2 A flowchart illustrating a method for tracing the origin of a domain name generation algorithm virus, provided in an embodiment of the present invention;
[0035] Figure 3 This is a schematic diagram of the structure of a domain name generation algorithm virus tracing system provided in an embodiment of the present invention;
[0036] Figure 4 This is a schematic diagram of a device for tracing the origin of a domain name generation algorithm virus, provided in an embodiment of the present invention.
[0037] Figure 5 This is a schematic diagram of the structure of a domain name generation algorithm virus tracing device provided in an embodiment of the present invention;
[0038] Figure 6 This is a schematic diagram of the structure of a domain name generation algorithm virus tracing system provided in an embodiment of the present invention. Detailed Implementation
[0039] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0040] Some terms that appear in the description of the embodiments of this application are subject to the following interpretation:
[0041] Domain Generation Algorithm (DGA): A DGA is a method of generating domain names using random characters, time, dictionaries, hard-coding, and other algorithms. DGA-generated domains are highly random and are often used in centralized botnets to connect to C&C servers (remote control software used by hackers), thereby evading domain blacklist detection. Most DGA domains are inaccessible on the internet; malicious attackers cannot register all of them. However, malware writers will use the same seed and algorithm to generate a list of domains identical to the malware, selecting a few to use as control servers. The malware will continuously resolve these domains until it finds a usable server address. This method makes blocking malware difficult.
[0042] EDR: Endpoint Detection and Response, endpoint protection tools, typically include modules for virus protection and intrusion detection;
[0043] EDR Agent: A security detection and response program that runs on the terminal host;
[0044] NGFW: Next-Generation Firewall, Application Firewall;
[0045] Auditd: An auditing process in Linux systems. Auditd can audit and record host outbound requests and corresponding processes.
[0046] XDR: Extended Detection and Response, is a platform that integrates, correlates, and contextualizes data and alerts from multiple security defense, detection, and response components.
[0047] Please refer to Figure 1 , Figure 1 This is a flowchart illustrating a method for tracing the origin of a domain name generation algorithm virus, provided in an embodiment of the present invention. The method may include:
[0048] S101, use the security detection response program to obtain the Domain Name System server corresponding to the domain name generation algorithm risk request.
[0049] The execution subject in this embodiment is an electronic device. This electronic device can be a computer, tablet, etc. The security detection and response program (EDR Agent) in this embodiment is a security detection and response program running on the terminal host. The request corresponding to the Domain Name Generation Algorithm (DGA) in this embodiment is considered a risk request.
[0050] It should be further explained that, to improve the accuracy of determining the Domain Name System (DNS) server corresponding to the domain name generation algorithm (DGA) risk request, before obtaining the DNS server corresponding to the DGA risk request using the aforementioned security detection and response program, the process can further include: using extended detection and response (XDR) devices for situational awareness to identify servers with outgoing DGA connection risks, thereby obtaining the DNS server. It is understood that situational awareness technology can analyze network activity in real time, promptly detect potential risks and threats, and analyze server network communication patterns, especially their DNS request behavior, to identify DGA activities that do not conform to normal business logic. Therefore, using XDR devices (extended detection and response devices) in conjunction with situational awareness technology can not only effectively identify and handle connection risks caused by DGA viruses, but also deepen the understanding of network security status, optimize security resource allocation, and improve the overall level of network security protection.
[0051] It should be further explained that, to improve the efficiency of tracking different events, the aforementioned method of obtaining the Domain Name System (DNS) server corresponding to the domain name generation algorithm risk request using the security detection response program can include: obtaining the DNS server and event ID corresponding to the domain name generation algorithm risk request using the security detection response program, so as to use the event ID for event tracking. It is understood that, using the event ID, a timeline of events can be constructed to understand the various stages and key turning points of the attack. As a unique identifier, the event ID can establish correlations between different security events, thereby revealing complex attack patterns and strategies. This embodiment improves the efficiency of tracking different events and establishes correlations between events through event tracking using time IDs, thus enhancing the security of the entire network ecosystem.
[0052] S102, using the security detection response program to add audit rules to the Domain Name System server corresponding to the domain name generation algorithm risk request; wherein, the audit rules are rules for determining the process of the Domain Name System server that made the connection risk request.
[0053] This embodiment does not limit the specific audit rules; any audit rule can be used to trace the relevant servers. For example, the audit rule in this embodiment could be `auditctl -a always,exit -F arch=b64 -S connect -F a0=DNSServer1 / 53 -k dns_audit_rule`; or it could be `auditctl -a always,exit -F arch=b64 -S connect -F a0=DNSServer2 / 53 -k dns_audit_rule`. It is understood that the audit rule in this embodiment can audit access to DNS (Domain Name System) servers and determine which processes connect to the DNS server.
[0054] It should be further explained that, to improve the comprehensiveness of the tracking, the above audit rules include rules for Domain Name System (DNS) server information, host information, and execution results. Understandably, DNS server information: This part of the audit rules focuses on DNS queries and responses, monitoring abnormal DNS resolution requests or unauthorized external communication attempts, which helps prevent domain hijacking or malicious domain communication. Host information: This includes the device's IP address, MAC address (Media Access Control address), operating system type and version, etc. Monitoring this information helps track the device's status and activity history, thereby discovering potential security behaviors. Execution results: This focuses on the execution results of programs or operations, such as success, failure, or cancellation. By analyzing these results, one can understand the application's performance and potential errors, and also reveal possible security vulnerabilities or malicious activities. This embodiment improves the comprehensiveness of the tracking by establishing audit rules from three aspects: DNS server information, host information, and execution results.
[0055] S103, When a virus warning is triggered by the domain name generation algorithm, the extended detection and response equipment is used to analyze the source tracing logs corresponding to the audit rules to determine the risk process and / or risk procedure.
[0056] This embodiment does not limit the specific method of triggering the warning. For example, this embodiment can automatically issue a warning based on the identification of suspected domain name generation algorithm viruses; or this embodiment can also issue a warning by having a user click on a relevant button as needed. In this embodiment, risky processes generally refer to active processes that behave abnormally or unexpectedly, while risky programs refer to programs that may contain malicious code or logic.
[0057] It should be further explained that, in order to improve the efficiency of source tracing, the aforementioned analysis of the source tracing logs corresponding to the audit rules using extended detection and response equipment to determine the risk process and / or risk procedure may include: automatically correlating and analyzing the source tracing logs using extended detection and response equipment, and determining the risk process and / or risk procedure by combining the warning time and audit rules. This embodiment, by combining the warning time, can obtain only the source tracing logs before and after the warning time period, thereby achieving the location of the source tracing logs and quickly determining the risk process and / or risk procedure from a portion of the source tracing logs.
[0058] It should be further explained that, to improve the accuracy of the early warning, when the domain name generation algorithm virus warning is triggered, the aforementioned analysis of the source tracing logs corresponding to the audit rules using extended detection and response devices to determine the risk process and / or risk procedure may include: when the host corresponding to the domain name generation algorithm risk request triggers the domain name generation algorithm virus warning, the extended detection and response devices analyze the source tracing logs corresponding to the audit rules to determine the risk process and / or risk procedure. This embodiment only performs source tracing when it is determined that the host corresponding to the domain name generation algorithm risk request has triggered the domain name generation algorithm virus warning. This ensures that only hosts previously bound to this source tracing method will trigger the warning, preventing hosts with source tracing logs from not triggering the warning and thus preventing incorrect analysis and improving the accuracy of the analysis.
[0059] This invention provides a method for tracing the origin of a domain name generation algorithm virus, which may include: S101, using a security detection and response program to obtain the Domain Name System (DNS) server corresponding to the domain name generation algorithm risk request; S102, using the security detection and response program to add audit rules to the DNS server corresponding to the risk request; wherein, the audit rules are rules for determining the process connecting to the DNS server of the risk request; S103, when a domain name generation algorithm virus warning is triggered, using an extended detection and response device to analyze the tracing logs corresponding to the audit rules to determine the risk process and / or risk program. Compared with the current method of making matching judgments based on domain name rules, which can only trace back to the host, this application, by adding audit rules to the DNS server, enables the precise location of the specific process where the domain name generation algorithm virus is located when a risk exists, thereby achieving a deeper level of tracing. Furthermore, by utilizing XDR (Extended Detection and Response) devices combined with situational awareness technology, this approach can effectively identify and address connection risks caused by domain name generation algorithm viruses. It also deepens the understanding of network security status, optimizes security resource allocation, and enhances the overall level of network security protection. Additionally, this embodiment improves the efficiency of tracking different events and establishes correlations between events through time ID-based event tracking, thus strengthening the security of the entire network ecosystem. Moreover, this embodiment enhances the comprehensiveness of tracking by establishing audit rules from three aspects: Domain Name System server information, host information, and operational results. Furthermore, by combining the warning time, this embodiment can obtain source tracing logs only before and after the warning time period, thereby enabling the location of source tracing logs and quickly identifying risk processes and / or risk procedures from a portion of the source tracing logs. Finally, this embodiment only performs source tracing when the host corresponding to the domain name generation algorithm risk request triggers the domain name generation algorithm virus warning, ensuring that only hosts previously bound to this source tracing method will trigger the warning, preventing hosts with source tracing logs from being triggered and thus preventing incorrect analysis and improving the accuracy of the analysis.
[0060] For a clearer understanding of this invention, please refer to the following details. Figure 2 , Figure 2 A flowchart illustrating a method for tracing the origin of a domain name generation algorithm virus, provided in an embodiment of the present invention, may specifically include:
[0061] In cloud-native environments, tracing the source of potentially infected processes using individual DGA alert logs is difficult. This paper proposes an XDR (Extended Detection and Response) linked EDR (Endpoint Detection and Response) mechanism, combined with the Linux system's audit daemon auditing mechanism, to achieve automatic DGA process tracing.
[0062] The S201 XDR platform, by analyzing device logs such as AF / (Next Generation Firewall) situational awareness, identified that Server1 had a risk of sending outbound DGA connections and alerted security operations personnel.
[0063] The structural diagram corresponding to this embodiment is as follows: Figure 3 As shown, Figure 3 This is a schematic diagram of a domain name generation algorithm virus tracing system provided in an embodiment of the present invention. In this embodiment, when the XDR platform analyzes the logs of devices such as AF / (Next Generation Firewall) situational awareness devices, it identifies that server Server1 has a risk of sending outbound DGA connections and alerts security operations personnel.
[0064] S202, the XDR platform adds an automatic DGA tracing function. After clicking "Automatic Tracing" in the DGA warning bar, the XDR platform will send the target DNS server DNSServer1 and event ID in the DGA warning message to the EDR endpoint protection device.
[0065] In this embodiment, the XDR platform adds an automatic DGA tracing function: After the operator clicks "Automatic Tracing" in the DGA warning bar, the XDR platform will send the target DNS server DNSServer1 and the event ID eventID1 from the DGA warning message to the EDR terminal protection device; the event ID is used for event tracking.
[0066] S203, Add audit rule to EDR Agent device: uditctl -a always,exit -F arch=b64 -Sconnect -F a0=DNSServer1 / 53 -k dns_audit_rule.
[0067] In this example, the EDR Agent device adds an audit rule: `auditctl -a always,exit -F arch=b64 -S connect -F a0=DNSServer1 / 53 -k dns_audit_rule`. This is a command used to create an audit rule to monitor DNS server connections. Specifically: `auditctl` is a Linux command used to manage audit rules. `-a always,exit`: indicates that all exit events of all processes are audited. `-F arch=b64`: indicates that only processes on 64-bit architectures are audited. `-S connect`: indicates that only the `connect` system call is audited. `-F a0=DNSServer1 / 53`: indicates that only processes connecting to port 53 of DNSServer1 are audited. `-k dns_audit_rule`: indicates that this rule is marked as "dns_audit_rule" for easy identification when viewing audit logs.
[0068] S204, the EDR Agent continuously reports the dns_audit_rule associated with the event ID as a source log to the XDR platform.
[0069] In this embodiment, the EDR Agent continuously reports the corresponding dns_audit_rule as a source log (with an associated identifier: eventID1) to the XDR platform.
[0070] S205, the XDR platform continuously tracks and, once the host triggers a DGA alert, the XDR platform automatically analyzes the auditd source logs based on the event ID, and combines the alert time with the external DNS processes audited by auditd to automatically identify programs that may be infected with the DGA.
[0071] In this embodiment, the DR platform continuously tracks the system. Once a DGA warning for the host is triggered again, the XDR platform automatically analyzes the auditd log (associated with eventID1), combines the warning time with the external DNS process audited by auditd, and automatically identifies programs that may be infected with the DGA.
[0072] This invention identifies DGA risks through traffic analysis; it sends the host and DNS server of the DGA risk request as source tracing input to the host; the host enables the Auditd auditing mechanism to audit connection requests to the specified DNS server, thereby associating all DNS requests and application processes, and reports the audit logs for this stage; subsequently, if the XDR / border security device detects the DGA risk of the host again, it combines the Auditd audit logs and automatically associates it with the suspicious process. This achieves automatic tracking and association with minimal impact on business operations, ultimately accurately identifying the problematic program, realizing automatic source tracing, and improving security operation efficiency.
[0073] The following describes the source tracing device for the domain name generation algorithm virus provided in the embodiments of the present invention. The source tracing device for the domain name generation algorithm virus described below and the source tracing method for the domain name generation algorithm virus described above can be referred to in correspondence with each other.
[0074] Please refer to the details. Figure 4 , Figure 4 A schematic diagram of a domain name generation algorithm virus tracing device provided in an embodiment of the present invention may include:
[0075] The risk server determination module 100 is used to obtain the domain name system server corresponding to the domain name generation algorithm risk request using the security detection response program;
[0076] The audit rule adding module 200 is used to add audit rules to the Domain Name System server corresponding to the domain name generation algorithm risk request using the security detection response program; wherein, the audit rule is a rule for determining the process connecting to the Domain Name System server of the risk request;
[0077] The tracing module 300 is used to analyze the tracing logs corresponding to the audit rules using extended detection and response devices when the domain name generation algorithm virus warning is triggered, in order to determine the risk process and / or risk procedure.
[0078] Furthermore, based on the above embodiments, the traceability module 300 may include:
[0079] Based on the early warning time tracing unit, it is used to automatically correlate and analyze the tracing log using the extended detection and response equipment, and determine the risk process and / or risk procedure by combining the early warning time and the audit rules.
[0080] Furthermore, based on any of the above embodiments, the risk server determination module 100 may include:
[0081] The event ID and risk server determination unit is used to obtain the domain name system server and event ID corresponding to the domain name generation algorithm risk request using the security detection response program, so as to use the event ID for event tracking.
[0082] Furthermore, based on any of the above embodiments, the audit rules are rules that include Domain Name System server information, host information, and execution results.
[0083] Furthermore, based on any of the above embodiments, the source tracing device for the domain name generation algorithm virus may further include:
[0084] The Domain Name System (DNS) server identification module is used to identify servers that have a risk of connecting to outgoing domain name generation algorithm viruses by using the extended detection and response equipment for situational awareness, and thus obtain the DNS server.
[0085] Furthermore, based on any of the above embodiments, the traceability module 300 may include:
[0086] Based on the host tracing unit, when the host corresponding to the domain name generation algorithm risk request triggers a domain name generation algorithm virus warning, the extended detection and response device analyzes the tracing logs corresponding to the audit rules to determine the risk process and / or the risk procedure.
[0087] It should be noted that the order of the modules and units in the aforementioned domain name generation algorithm virus tracing device can be changed without affecting the logic.
[0088] This invention provides a source tracing device for domain name generation algorithm viruses, which may include: a risk server determination module 100, used to obtain the Domain Name System (DNS) server corresponding to the domain name generation algorithm risk request using a security detection and response program; an audit rule adding module 200, used to add audit rules to the DNS server corresponding to the domain name generation algorithm risk request using the security detection and response program; wherein the audit rules are rules for determining the process connecting to the DNS server of the risk request; and a source tracing module 300, used to analyze the source tracing logs corresponding to the audit rules using extended detection and response equipment when a domain name generation algorithm virus warning is triggered, to determine the risk process and / or risk program. Compared with the current matching judgment based on domain name rules, which can only trace back to the host, this application, by adding audit rules to the DNS server, enables the precise location of the specific process where the domain name generation algorithm virus is located when a risk exists, thereby achieving a deeper level of source tracing. Furthermore, by utilizing XDR (Extended Detection and Response) devices combined with situational awareness technology, this approach can effectively identify and address connection risks caused by domain name generation algorithm viruses. It also deepens the understanding of network security status, optimizes security resource allocation, and enhances the overall level of network security protection. Additionally, this embodiment improves the efficiency of tracking different events and establishes correlations between events through time ID-based event tracking, thus strengthening the security of the entire network ecosystem. Moreover, this embodiment enhances the comprehensiveness of tracking by establishing audit rules from three aspects: Domain Name System server information, host information, and operational results. Furthermore, by combining the warning time, this embodiment can obtain source tracing logs only before and after the warning time period, thereby enabling the location of source tracing logs and quickly identifying risk processes and / or risk procedures from a portion of the source tracing logs. Finally, this embodiment only performs source tracing when the host corresponding to the domain name generation algorithm risk request triggers the domain name generation algorithm virus warning, ensuring that only hosts previously bound to this source tracing method will trigger the warning, preventing hosts with source tracing logs from being triggered and thus preventing incorrect analysis and improving the accuracy of the analysis.
[0089] The following describes a source tracing device for a domain name generation algorithm virus provided by an embodiment of the present invention. The source tracing device for the domain name generation algorithm virus described below and the source tracing method for the domain name generation algorithm virus described above can be referred to in correspondence.
[0090] Please refer to Figure 5 , Figure 5 A schematic diagram of a domain name generation algorithm virus tracing device provided in an embodiment of the present invention may include:
[0091] Memory 10 is used to store computer programs;
[0092] Processor 20 is used to execute computer programs to implement the aforementioned domain name generation algorithm virus tracing method.
[0093] The memory 10, processor 20, and communication interface 30 all communicate with each other through the communication bus 40.
[0094] In this embodiment of the invention, the memory 10 is used to store one or more programs. The programs may include program code, which includes computer operation instructions. In this embodiment of the invention, the memory 10 may store programs for implementing the following functions:
[0095] Use the security detection response program to obtain the Domain Name System server corresponding to the domain name generation algorithm risk request;
[0096] The security detection and response program adds audit rules to the Domain Name System (DNS) server corresponding to the risky requests in the domain name generation algorithm; the audit rules are rules for determining the process of connecting to the DNS server of the risky request.
[0097] When a virus alert is triggered by the domain name generation algorithm, the extended detection and response equipment is used to analyze the source tracing logs corresponding to the audit rules to determine the risk process and / or risk procedure.
[0098] In one possible implementation, the memory 10 may include a program storage area and a data storage area, wherein the program storage area may store the operating system and applications required for at least one function; and the data storage area may store data created during use.
[0099] Furthermore, memory 10 may include read-only memory and random access memory, providing instructions and data to the processor. A portion of the memory may also include NVRAM. The memory stores operating systems and operating instructions, executable modules, or data structures, or subsets thereof, or extended sets thereof, wherein the operating instructions may include various operating instructions for implementing various operations. The operating system may include various system programs for implementing various basic tasks and handling hardware-based tasks.
[0100] Processor 20 can be a central processing unit (CPU), an application-specific integrated circuit, a digital signal processor, a field-programmable gate array, or other programmable logic device. Processor 20 can be a microprocessor or any conventional processor. Processor 20 can call programs stored in memory 10.
[0101] The communication interface 30 can be an interface for the communication module, used to connect with other devices or systems.
[0102] Of course, it should be noted that, Figure 5 The structure shown does not constitute a limitation on the source tracing device for the domain name generation algorithm virus in this embodiment of the invention. In practical applications, the source tracing device for the domain name generation algorithm virus may include... Figure 5 More or fewer components as shown, or combinations of certain components.
[0103] The following describes a source tracing system for a domain name generation algorithm virus provided by an embodiment of the present invention. The source tracing system for the domain name generation algorithm virus described below can be referred to in correspondence with the source tracing method for the domain name generation algorithm virus described above.
[0104] Please refer to Figure 6 , Figure 6 A schematic diagram of the structure of a domain name generation algorithm virus tracing system provided in an embodiment of the present invention may include:
[0105] Security detection response program 400 is used to perform the steps of obtaining the domain name system server corresponding to the domain name generation algorithm risk request; and adding audit rules to the domain name system server of the risk request.
[0106] The extended detection and response device 500 is used to perform the steps described above, which involve analyzing the source logs corresponding to the audit rules using the extended detection and response device to determine risk processes and / or risk procedures.
[0107] The following describes the computer-readable storage medium provided in the embodiments of the present invention. The computer-readable storage medium described below can be referred to in correspondence with the source tracing method of the domain name generation algorithm virus described above.
[0108] The present invention also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the above-described method for tracing the origin of a domain name generation algorithm virus.
[0109] The computer-readable storage medium may include various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0110] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the method section.
[0111] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.
[0112] Finally, it should be noted that in this document, relationships such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0113] The foregoing has provided a detailed description of the method, apparatus, device, and system for tracing the source of a domain name generation algorithm virus. Specific examples have been used to illustrate the principles and implementation methods of the present invention. The descriptions of the above embodiments are only for the purpose of helping to understand the method and core ideas of the present invention. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of the present invention. Therefore, the content of this specification should not be construed as a limitation of the present invention.
Claims
1. A method for tracing the origin of a domain name generation algorithm virus, characterized in that, include: Use the security detection response program to obtain the Domain Name System server corresponding to the domain name generation algorithm risk request; The security detection and response program is used to add audit rules to the Domain Name System server corresponding to the domain name generation algorithm risk request; wherein, the audit rules are rules for determining the process connecting to the Domain Name System server of the risk request; When a virus alert is triggered by the domain name generation algorithm, the extended detection and response equipment is used to analyze the source tracing logs corresponding to the audit rules to determine the risk process and / or risk procedure.
2. The method for tracing the origin of a domain name generation algorithm virus according to claim 1, characterized in that, The step of analyzing the source logs corresponding to the audit rules using extended detection and response equipment to determine risk processes and / or risk procedures includes: The extended detection and response equipment is used to automatically correlate and analyze the source tracing logs, and the risk process and / or risk procedure are determined by combining the warning time and the audit rules.
3. The method for tracing the origin of a domain name generation algorithm virus according to claim 1, characterized in that, The process of obtaining the Domain Name System server corresponding to the domain name generation algorithm risk request using the security detection response program includes: The security detection response program is used to obtain the Domain Name System server and event ID corresponding to the domain name generation algorithm risk request, and the event ID is used for event tracking.
4. The method for tracing the origin of a domain name generation algorithm virus according to any one of claims 1 to 3, characterized in that, The audit rules include rules that cover Domain Name System server information, host information, and execution results.
5. The method for tracing the origin of a domain name generation algorithm virus according to claim 1, characterized in that, Before obtaining the Domain Name System server corresponding to the domain name generation algorithm risk request using the security detection response program, the method further includes: Using the extended detection and response device, situational awareness is used to identify servers that pose a risk of connecting to external domain name generation algorithm viruses, thus obtaining the Domain Name System server.
6. The method for tracing the origin of a domain name generation algorithm virus according to claim 1, characterized in that, When the domain name generation algorithm triggers a virus warning, the extended detection and response device analyzes the source tracing logs corresponding to the audit rules to determine the risk process and / or risk procedure, including: When the host corresponding to the domain name generation algorithm risk request triggers a domain name generation algorithm virus warning, the extended detection and response device is used to analyze the source tracing logs corresponding to the audit rules to determine the risk process and / or the risk procedure.
7. A source tracing system for a domain name generation algorithm virus, characterized in that, include: The security detection response program is used to execute the Domain Name System server corresponding to the above-mentioned request to obtain the domain name generation algorithm risk. The steps to add audit rules to the Domain Name System server for the risky request; An extended detection and response device is used to perform the steps described above, which involve analyzing the source logs corresponding to the audit rules using the extended detection and response device to determine risk processes and / or risk procedures.
8. A device for tracing the origin of a domain name generation algorithm virus, characterized in that, include: The risk server determination module is used to obtain the Domain Name System server corresponding to the risk request of the domain name generation algorithm using the security detection response program; An audit rule adding module is used to add audit rules to the Domain Name System server corresponding to the domain name generation algorithm risk request using the security detection response program; wherein, the audit rule is a rule for determining the process connecting to the Domain Name System server of the risk request; The source tracing module is used to analyze the source tracing logs corresponding to the audit rules using extended detection and response devices when a virus warning is triggered by the domain name generation algorithm, in order to determine the risk process and / or risk procedure.
9. A device for tracing the origin of a domain name generation algorithm virus, characterized in that, include: Memory, used to store computer programs; A processor, configured to implement the steps of the method for tracing the origin of a domain name generation algorithm virus as described in any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the method for tracing the origin of a domain name generation algorithm virus as described in any one of claims 1 to 6.