
CN101854404B - Method and device for detecting anomaly of domain name system - Google Patents


Info

Publication number
CN101854404B
Authority
CN (China)
Prior art keywords
entropy, domain name, name system, data block, data
Legal status
Active
Application number
CN201010198228.8A
Other languages
Chinese (zh)
Other versions
CN101854404A
Inventors
毛伟, 李晓东, 丁森林, 王欣, 吴军, 金键
Current Assignee
China Internet Network Information Center
Original Assignee
Computer Network Information Center of CAS
Application filed by Computer Network Information Center of CAS
Priority to CN201010198228.8A
Priority to PCT/CN2010/074577 (WO2011150579A1)
Publication of CN101854404A
Application granted
Publication of CN101854404B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and device for detecting domain name system (DNS) anomalies, in the technical field of computer networks. The method comprises: dividing the DNS query data stream into a plurality of data blocks; calculating the entropy of each of the data blocks according to a preset query attribute, obtaining a plurality of corresponding entropy values; and judging whether a preset number of the obtained entropy values exceed a preset threshold, and if so, determining that an anomaly has occurred in the DNS. The device comprises a dividing module, a calculating module and a judging module. By calculating the entropy of the data blocks in the DNS query data stream and determining that the DNS is anomalous when a preset number of the corresponding entropy values exceed the preset threshold, the invention can give early warning of DNS anomalies and so reduce the losses incurred once an anomaly occurs; compared with the prior art, its detection accuracy is high and its missed-detection rate is low.

Description

Method and apparatus for detecting domain name system anomalies
Technical field
The present invention relates to computer network security technology, and in particular to a method and apparatus for detecting domain name system anomalies, in the technical field of computer networks.
Background technology
The Domain Name System (hereinafter DNS) is a distributed database system that converts domain names into IP addresses that the network can identify. Because DNS is the foundation of the Internet, a DNS anomaly seriously affects the whole network, so detecting DNS anomalies is very important.
Prior-art methods of detecting DNS anomalies mainly determine whether an anomaly has occurred from changes in query traffic or from changes in query attribute values. Determining an anomaly from changes in query traffic means regarding the DNS as anomalous when query traffic is especially large or especially small.
In the course of realizing the present invention, the inventors found at least the following problems in the prior art:
Determining whether a DNS anomaly has occurred from changes in query traffic lags behind the anomaly: by the time it is detected, query traffic has often already accumulated to a degree that has caused more serious consequences, so the method cannot give early warning. Moreover, an anomaly does not necessarily affect DNS query traffic, so determining anomalies from changes in query traffic has a very high missed-detection rate.
Summary of the invention
The invention provides a method and apparatus for detecting DNS anomalies, to solve the problems of the prior art that DNS anomaly detection lags behind the anomaly and has a high missed-detection rate.
The method for detecting DNS anomalies provided by the invention comprises:
dividing the domain name system query data stream into a plurality of data blocks;
calculating the entropy of each of the data blocks according to a preset query attribute, obtaining a plurality of corresponding entropy values;
judging whether a preset number of the obtained entropy values exceed a preset threshold, and if so, determining that an anomaly has occurred in the domain name system.
The apparatus for detecting DNS anomalies provided by the invention comprises:
a dividing module, for dividing the domain name system query data stream into a plurality of data blocks;
a calculating module, for calculating the entropy of each of the data blocks according to a preset query attribute, obtaining a plurality of corresponding entropy values;
a judging module, for judging whether a preset number of the obtained entropy values exceed a preset threshold, and if so, outputting information indicating that an anomaly has occurred in the domain name system.
By calculating the entropy of a plurality of data blocks in the DNS query data stream and determining that the DNS is anomalous when a preset number of the corresponding entropy values exceed the preset threshold, the invention can give early warning of DNS anomalies, thereby reducing the losses after an anomaly occurs, and its missed-detection rate is low.
Description of drawings
To illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below.
Fig. 1 is a schematic flow chart of an embodiment of the method for detecting DNS anomalies according to the present invention;
Fig. 2 is a schematic diagram of dividing data blocks by a fixed time;
Fig. 3 is the entropy curve obtained with a data block size of 10000;
Fig. 4 is the DNS query rate curve;
Fig. 5 is a schematic structural diagram of an embodiment of the apparatus for detecting DNS anomalies according to the present invention.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The present invention applies the theory of entropy to DNS anomaly detection for the first time, so entropy is introduced first. In information theory, entropy is defined as follows: suppose a system S has an event set E = {E1, E2, ..., En}, where E1, E2, ..., En are the events in E, and the events have the probability distribution P = {P1, P2, ..., Pn}, where P1, P2, ..., Pn are the probabilities with which the events occur. The information amount $I_r$ of an individual event r is given by formula (1):
$I_r = -\log_2 P_r$ (1)
In formula (1), r = 1, 2, ..., n.
For example, English has 26 letters; if every letter occurs equally often in an article, the information amount of each letter is $I = -\log_2(1/26) = 4.7$.
There are 2500 commonly used Chinese characters; if every character occurs equally often in an article, the information amount of each character is $I = -\log_2(1/2500) = 11.3$.
Entropy is the average information amount of the whole system S. Writing the entropy as $H_s$, it is calculated by formula (2):
$H_s = \sum_{r=1}^{n} p_r I_r = -\sum_{r=1}^{n} p_r \log_2 p_r$ (2)
In the field of information and communication, entropy represents the uncertainty of information. A system with a high degree of information has lower entropy, indicating that it is relatively stable; a system with a low degree of information has higher entropy, indicating that it is unstable and that anomalies occur easily. DNS anomalies can therefore be detected by means of entropy.
Embodiment 1
Fig. 1 is a schematic flow chart of an embodiment of the method for detecting DNS anomalies according to the present invention. As shown in Fig. 1, the method comprises:
Step 101: dividing the DNS query data stream into a plurality of data blocks.
It should be noted that the larger the data blocks, that is, the more query data each data block contains, the smoother the variation of the entropy of the blocks, which effectively reduces false detections but at the same time reduces sensitivity to abnormal traffic, so the missed-detection rate rises. Conversely, the smaller the data blocks, that is, the less query data each block contains, the higher the sensitivity to DNS anomalies, but the accuracy falls correspondingly.
In practice, the DNS query data stream can be divided into data blocks by a fixed time and/or by a fixed query amount. For example, the queries of each minute of the stream can form one data block, or every 1000 query records can form one data block. Division can also be by fixed time and fixed query amount together, for example forming a data block when the fixed time is reached even though the fixed query amount has not been, or when the fixed query amount is reached even though the fixed time has not been. Division can also follow a function of the time of day: for example, between 8:30 and 12:00 in the morning data blocks can be divided at shorter intervals, such as one data block every 20-30 seconds, while between 12:00 noon and 1:00 in the afternoon they can be divided at longer intervals, such as one data block every 2-3 minutes. The division can be adjusted by technicians according to actual conditions, or data blocks can be divided according to experience and the size of the query data volume.
Step 102: calculating the entropy of each of the data blocks according to a preset query attribute, obtaining a plurality of corresponding entropy values.
The preset query attribute includes the query type, the error type occurring in the query, the query source IP occurring in the query, or the queried domain name, but is not limited to these; any query attribute by which queries can be divided into categories may be used.
The query types include at least: the IP address record corresponding to a domain name (Address, abbreviated A), the IPv6 host address record (AAAA), the reverse record (Pointer, abbreviated PTR), the mail exchanger record (Mail exchanger, abbreviated MX), the name server record (Name Server, abbreviated NS) and the start of authority record (Start Of Authority, abbreviated SOA).
The error type occurring in a query refers to an illegal field contained in the DNS query request that is sent. The main error types include: the query source address is a private address, the query type does not exist, the queried top-level domain does not exist, the queried name contains illegal characters, the queried name is malformed, the query is a repeated query, and the normal query class. A normal query is one without errors; when the preset query attribute is the error type, error-free queries are placed in the normal query class so that every query record can be assigned to exactly one type.
Calculating the entropy of the data blocks according to the preset query attribute is specifically:
calculating the probability with which each element of the preset query attribute occurs in each data block;
calculating the entropy of each data block according to the probabilities with which the elements of the preset query attribute occur in that data block.
When the divided data blocks overlap: for example, Fig. 2 is a schematic diagram of dividing data blocks by a fixed time. As shown in Fig. 2, the queries between 8:00 and 8:10 form one data block and the queries between 8:03 and 8:13 form another; that is, a data block is formed every 10 minutes with a 3-minute overlap arrangement between adjacent blocks, so that the query data stream is divided into a plurality of overlapping data blocks. The present embodiment is described in detail taking the case in which each divided data block contains a fixed query amount as an example.
Suppose the fixed query amount of each data block is 10 query records, the current data block is the i-th data block, the previous data block adjacent to the current one is the (i-1)-th data block, and the next data block adjacent to the current one is the (i+1)-th data block. If the (i-1)-th data block contains the 1st to the 10th query records, then the i-th data block contains the 2nd to the 11th query records and the (i+1)-th data block contains the 3rd to the 12th query records. The overlapping part of the (i-1)-th and i-th data blocks is the 2nd to the 10th query records, and the overlapping part of the i-th and (i+1)-th data blocks is the 3rd to the 11th query records.
When the divided data blocks overlap, calculating the entropy of the data blocks according to the preset query attribute may comprise:
calculating the entropy $H_1$ of the previous data block adjacent to the current data block;
calculating the entropy $H_2$ of the current data block according to the entropy $H_1$ of the previous data block adjacent to the current data block.
Calculating the entropy $H_2$ of the current data block from the entropy $H_1$ of the previous data block is specifically:
calculating, in the (i-1)-th data block, the weighted information amounts $T_f$ and $T_l$ of the first fixed query amount and the second fixed query amount respectively, where the first fixed query amount is the non-overlapping part preceding the overlap of the i-th and (i-1)-th data blocks, and the second fixed query amount is the non-overlapping part following the overlap of the i-th and (i+1)-th data blocks;
continuing the above example, the first fixed query amount is the 1st query record and the second fixed query amount is the 12th query record;
if the probability with which the query type of the 1st query record occurs in the (i-1)-th data block is $P_f$, then $T_f = -P_f \log_2 P_f$;
if the probability with which the query type of the 12th query record occurs in the (i-1)-th data block is $P_l$, then $T_l = -P_l \log_2 P_l$;
calculating, in the i-th data block, the weighted information amounts of the second fixed query amount and the third fixed query amount respectively (formulas given as images in the original and not reproduced here), where the third fixed query amount is the non-overlapping part preceding the overlap of the i-th and (i+1)-th data blocks;
continuing the above example, the probability with which the query type of the 12th query record occurs in the i-th data block, and its weighted information amount, are given by the original's formula images; the third fixed query amount is the 2nd query record, and the probability with which the query type of the 2nd query record occurs in the i-th data block, and its weighted information amount, are likewise given by the original's formula images;
calculating the entropy $H_2$ of the i-th data block from the entropy $H_1$ of the (i-1)-th data block, $T_f$, $T_l$ and the two weighted information amounts computed in the i-th data block (formula given as an image in the original and not reproduced here).
When i is 2, that is, when the previous data block adjacent to the current data block is the first divided data block, the probability with which each element of the preset query attribute occurs in the first data block is calculated;
the entropy $H_1$ of the first data block is calculated from these probabilities.
For example, if the preset query attribute is the query type, the elements of the query type are the concrete query types such as A, AAAA, PTR, MX, NS and SOA above, and each query record belongs to exactly one query type. The probability with which the query type of each query record in the data block occurs in that block can be calculated, and the entropy of the block is then calculated from these probabilities by formula (3):
$H_k = \sum_{j=1}^{n} p_j I_j = -\sum_{j=1}^{n} p_j \log_2 p_j$ (3)
In formula (3), $H_k$ is the entropy of the data block, j denotes the j-th query record in the data block, n is the number of query records in the data block, and $p_j$ is the probability with which the query type of the j-th query record occurs in the data block.
When the preset query attribute is the query source IP, the elements of the query source IP are the IP addresses from which the query records come. Since each query record in a data block comes from exactly one IP address, the probability with which the IP address of each query record occurs in the data block can be calculated, and the entropy of the block is then calculated from these probabilities.
It should be noted that two or more preset query attributes can be used at the same time. For example, when the preset query attributes are the query type and the query source IP, the entropy of each data block can be calculated separately according to each of the two attributes, and the two entropy values are then combined in a weighted sum, the result of which is taken as the final entropy of the data block.
Step 103: judging whether a preset number of the obtained entropy values exceed a preset threshold, and if so, determining that an anomaly has occurred in the DNS.
If the preset number is set to 5 and 5 of the entropy values obtained in step 102 exceed the preset threshold, it is determined that the DNS is anomalous. The preset number can also be set to 1, 2 or another number. The preset number affects the precision of the detection result: the larger the preset number, the higher the detection accuracy but the higher the missed-detection rate; the smaller the preset number, the lower the detection accuracy but the lower the missed-detection rate. The preset number is chosen according to actual network conditions and experience.
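Steps 101 to 103 above, as an added worked example in Python (not code from the patent or its assignee): the stream is divided into overlapping fixed-count blocks, the block entropy over the preset attribute is computed with formula (2) and carried from block to block by adjusting the attribute histogram for the records that leave and enter (a count-based update assumed here, since the patent's own formula for obtaining the current block's entropy from the previous one is not reproduced on the page), two attributes are combined as a weighted sum, and an anomaly is reported once a preset number of blocks exceed the threshold. The sample traffic, the attribute weights, the block size of 100 with step 20, the threshold of 4.0 and the preset number 5 are all constructed for this example.

```python
"""Entropy-based DNS anomaly detection following Steps 101-103: divide the query
stream into (overlapping) data blocks, compute each block's entropy over a preset
query attribute with formula (2), and report an anomaly when at least a preset
number of block entropies exceed a preset threshold. Example code, not the patent's."""
import random
from collections import Counter
from dataclasses import dataclass
from math import log2
from operator import attrgetter
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Query:
    """One DNS query record, reduced to the attributes this example uses."""
    ts: float     # seconds since the start of the capture
    src_ip: str   # query source IP, one of the preset attributes named in the text
    qtype: str    # query type: A, AAAA, PTR, MX, NS, SOA, ...
    qname: str    # queried domain name


def entropy(counts: Counter) -> float:
    """Formula (2): H = -sum_r p_r log2 p_r over the value distribution of one attribute."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values() if c > 0)


def block_entropy(block: Sequence[Query], attr: str) -> float:
    """Entropy of a single data block, computed directly from its attribute histogram."""
    return entropy(Counter(attrgetter(attr)(q) for q in block))


def sliding_entropies(queries: Sequence[Query], attr: str, size: int, step: int) -> List[float]:
    """Entropy of every block of `size` records, a new block starting every `step` records
    (step < size gives overlapping blocks as in Fig. 2). The histogram of the previous block
    is reused and adjusted only for the records that leave and enter; this count-based
    update is an assumption of this example, not the patent's own H2-from-H1 formula."""
    if not 0 < step <= size <= len(queries):
        raise ValueError("need 0 < step <= size <= number of records")
    key = attrgetter(attr)
    counts = Counter(key(q) for q in queries[:size])
    result = [entropy(counts)]
    for start in range(step, len(queries) - size + 1, step):
        for q in queries[start - step:start]:                # records that left the block
            counts[key(q)] -= 1
        for q in queries[start + size - step:start + size]:  # records that entered it
            counts[key(q)] += 1
        result.append(entropy(counts))
    return result


def weighted_entropies(queries: Sequence[Query], weights: Dict[str, float],
                       size: int, step: int) -> List[float]:
    """Two or more preset attributes at once: weighted sum of per-attribute block entropies."""
    per_attr = [[w * h for h in sliding_entropies(queries, attr, size, step)]
                for attr, w in weights.items()]
    return [sum(column) for column in zip(*per_attr)]


def detect_anomaly(entropies: Sequence[float], threshold: float,
                   preset_number: int) -> Tuple[bool, List[int]]:
    """Step 103: which blocks exceed the threshold, and whether at least `preset_number` do."""
    exceeding = [i for i, h in enumerate(entropies) if h > threshold]
    return len(exceeding) >= preset_number, exceeding


def make_sample_stream(seed: int = 7) -> List[Query]:
    """Constructed sample, not captured traffic: 600 ordinary queries spread over eight
    recursive resolvers, then 300 queries in which every record carries a different source
    address. Addresses come from the RFC 5737 documentation ranges."""
    rng = random.Random(seed)
    resolvers = [f"198.51.100.{i}" for i in range(1, 9)]
    qtypes = ["A", "AAAA", "MX", "NS", "PTR", "SOA"]
    stream, t = [], 0.0
    for _ in range(600):
        t += 0.1
        stream.append(Query(t, rng.choice(resolvers), rng.choice(qtypes),
                            f"host{rng.randrange(50)}.example"))
    for k in range(300):
        t += 0.02
        stream.append(Query(t, f"203.0.113.{k % 254 + 1}", "A", f"www{k}.example"))
    return stream


def run_demo(size: int = 100, step: int = 20, threshold: float = 4.0,
             preset_number: int = 5) -> Tuple[List[float], bool, List[int]]:
    """Block size, step, threshold, preset number and attribute weights are this example's
    choices; the patent leaves them to the operator's experience and network conditions."""
    stream = make_sample_stream()
    ent = weighted_entropies(stream, {"src_ip": 0.7, "qtype": 0.3}, size, step)
    anomalous, blocks = detect_anomaly(ent, threshold, preset_number)
    return ent, anomalous, blocks


if __name__ == "__main__":
    ent, anomalous, blocks = run_demo()
    for i, h in enumerate(ent):
        flag = "  <-- exceeds threshold" if i in blocks else ""
        print(f"block {i:2d}: H = {h:.3f}{flag}")
    print("DNS anomaly detected" if anomalous else "no anomaly")
```

In the constructed stream the source-IP entropy of a fully anomalous block is log2(100), while a block drawn from eight resolvers can never exceed log2(8) = 3, so the threshold of 4.0 separates the two regimes; over the query-type attribute alone the same burst would lower the entropy, which is why the attribute choice matters.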
In the present embodiment the DNS query data may be historical DNS query data or real-time DNS query data. With historical data, the method of the present embodiment can be used to analyze DNS usage, and the results can be used for DNS optimization. The present embodiment is more often applied to real-time detection, where the DNS query data is real-time data and the method is used to discover DNS anomalies in time and avoid serious losses.
To show the effect of the present invention better, the large-area Internet outage in China on May 19, 2009 is taken as an example. The cause of the outage was an attack on the DNS system. The query records collected on the DNS authoritative server of a certain top-level node from China (CN) between 9:00 and 24:00 on May 19, 2009 were analyzed concretely: the records were divided into data blocks of size 10000, that is, each data block contains 10000 query records; the entropy of each data block was calculated, and the resulting entropy values were plotted as an entropy curve. Fig. 3 is the entropy curve obtained with a data block size of 10000, and Fig. 4 is the DNS query rate curve, where the query rate is the number of queries per minute. As can be seen from Fig. 3, the entropy curve fluctuates sharply around 16:00, that is, several entropy values exceed the preset threshold, showing that a large amount of abnormal DNS traffic had begun to enter the network at that time, i.e. a DNS anomaly had occurred; whereas in the query rate curve of Fig. 4 the query traffic only becomes clearly abnormal around 18:30, by which time the large-area outage had already begun. It is therefore evident that the prior-art detection scheme based on query traffic lags behind and has a very high missed-detection rate, while the DNS anomaly detection method provided by the invention detects the DNS anomaly in advance and in time, giving early warning.
The present invention divides the DNS query data stream into data blocks, calculates the entropy of the blocks according to a preset query attribute to obtain corresponding entropy values, and determines that a DNS anomaly has occurred when a preset number of these entropy values exceed the preset threshold. Because entropy measures the randomness of the distribution of the query attribute of the DNS query data, when a DNS anomaly occurs, for example when the DNS is attacked, the distribution of the query attribute changes and the entropy changes with it, so the anomaly can be recognized from the change in entropy. The prior-art traffic-based detection method, by contrast, sees no clear change in DNS query traffic while the anomaly is not yet pronounced and so cannot detect it; only when the anomaly is very severe, for example a large-area network paralysis that prevents many users from using the network, does the traffic-based method detect the DNS traffic anomaly and hence the DNS anomaly, so it lags behind markedly. The present invention can detect the DNS anomaly before such severe conditions as a large-area network failure arise and so gives early warning, allowing users to prepare before the anomaly becomes serious, avoiding the losses a serious DNS anomaly would bring, lowering the missed-detection rate and improving the user experience. Furthermore, because DNS is an extremely complex system, the prior-art method of determining anomalies from changes in query attribute values ignores the complex changes of state inside the DNS system, so its detection accuracy is not high; in a further embodiment of the present invention, when the divided data blocks overlap, the obtained entropy values also reflect the changes of the DNS system's internal state, greatly improving detection accuracy.
Embodiment 2
Fig. 5 is a schematic diagram of an embodiment of the apparatus for detecting DNS anomalies according to the present invention. As shown in Fig. 5, the apparatus comprises a dividing module 201, a calculating module 202 and a judging module 203.
The dividing module 201 is for dividing the DNS query data stream into a plurality of data blocks.
Specifically, the dividing module 201 divides the DNS query data stream into data blocks by a fixed time and/or by a fixed query amount.
The calculating module 202 is for calculating the entropy of the data blocks divided by the dividing module 201 according to a preset query attribute, obtaining a plurality of corresponding entropy values.
The calculating module 202 comprises a first calculating unit and a second calculating unit.
The first calculating unit is for calculating the probability with which each element of the preset query attribute occurs in each data block.
The second calculating unit is for calculating the entropy of the data blocks divided by the dividing module 201 according to the probabilities obtained by the first calculating unit, obtaining a plurality of corresponding entropy values.
When the data blocks divided by the dividing module 201 overlap, the calculating module 202 comprises:
a third calculating unit, for calculating the entropy $H_1$ of the previous data block adjacent to the current data block;
a fourth calculating unit, for calculating the entropy $H_2$ of the current data block according to the $H_1$ calculated by the third calculating unit.
The third calculating unit comprises:
a first calculating subunit, for calculating the probability with which each element of the preset query attribute occurs in the first data block when the previous data block adjacent to the current data block is the first divided data block;
a second calculating subunit, for calculating the entropy $H_1$ of the first data block according to the probabilities with which the elements of the preset query attribute occur in the first data block.
The judging module 203 is for judging whether a preset number of the entropy values obtained by the calculating module 202 exceed a preset threshold, and if so, outputting information indicating that a DNS anomaly has occurred.
It should be noted that, since this embodiment of the apparatus for detecting DNS anomalies corresponds substantially to the method embodiment, the relevant parts can be understood by reference to the description of the method embodiment.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical disks.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that modifications can still be made to the technical solutions recorded in the foregoing embodiments, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for detecting a domain name system anomaly, characterized in that the method comprises:
dividing a domain name system query data stream into a plurality of data blocks;
calculating the entropy of the plurality of data blocks according to a preset query attribute to obtain a corresponding plurality of entropies; wherein, when the plurality of data blocks overlap one another, calculating the entropy of the plurality of data blocks according to the preset query attribute comprises: calculating the entropy of the previous data block adjacent to the current data block; and calculating the entropy of the current data block according to the entropy of the previous data block adjacent to the current data block;
judging whether a preset number of the obtained plurality of entropies exceed a predetermined threshold, and if so, determining that a domain name system anomaly has occurred.
2. The method for detecting a domain name system anomaly according to claim 1, characterized in that dividing the domain name system query data stream into a plurality of data blocks comprises:
dividing the domain name system query data stream into a plurality of data blocks according to a fixed time interval and/or a fixed number of queries.
3. The method for detecting a domain name system anomaly according to claim 1, characterized in that, when the previous data block adjacent to the current data block is the first divided data block, the probability of occurrence of each element of the preset query attribute in the first data block is calculated;
and the entropy of the first data block is calculated according to the probabilities.
4. The method for detecting a domain name system anomaly according to claim 1, characterized in that the preset query attribute comprises: query type, error type, query source IP address and/or queried domain name.
5. The method for detecting a domain name system anomaly according to claim 4, characterized in that, when the preset query attribute comprises at least two query attributes, the entropy is the weighted sum of the at least two entropies obtained respectively according to the at least two query attributes.
6. A device for detecting a domain name system anomaly, characterized in that the device comprises:
a dividing module, configured to divide a domain name system query data stream into a plurality of data blocks;
a calculating module, configured to calculate the entropy of the plurality of data blocks according to a preset query attribute to obtain a corresponding plurality of entropies; wherein, when the plurality of data blocks overlap one another, the calculating module comprises: a third calculating unit, configured to calculate the entropy of the previous data block adjacent to the current data block; and a fourth calculating unit, configured to calculate the entropy of the current data block according to the entropy of the previous data block adjacent to the current data block calculated by the third calculating unit;
a judging module, configured to judge whether a preset number of the obtained plurality of entropies exceed a predetermined threshold, and if so, to output information indicating that a domain name system anomaly has occurred.
7. The device for detecting a domain name system anomaly according to claim 6, characterized in that the dividing module is specifically configured to divide the domain name system query data stream into a plurality of data blocks according to a fixed time interval and/or a fixed number of queries.
8. The device for detecting a domain name system anomaly according to claim 6, characterized in that the third calculating unit comprises:
a first calculating subunit, configured to, when the previous data block adjacent to the current data block is the first divided data block, calculate the probability of occurrence of each element of the preset query attribute in the first data block;
a second calculating subunit, configured to calculate the entropy of the first data block according to the probabilities.
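The block-wise entropy detection of the description and of claims 1 to 5, as an added worked example in Python that is not part of the patent: a block slides over a constructed query stream with overlap, the current block's entropy is derived from running sums carried over from the previous block instead of a full recount, several query attributes are combined by a weighted sum, and an anomaly is declared when a preset number of block entropies exceed the threshold. The record layout, the weights, block size, step, threshold and the sample records are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed record layout: (query type, error code, source IP, queried name)
ATTRS = {"qtype": 0, "rcode": 1, "src_ip": 2, "qname": 3}

class BlockEntropy:
    """Entropy of one attribute over the sliding block, updated incrementally."""
    def __init__(self):
        self.counts = Counter()   # element -> occurrences in the block
        self.n = 0                # records in the block
        self.s = 0.0              # running sum of c*log2(c) over elements

    def shift(self, element, delta):   # delta = +1 (enter) or -1 (leave)
        c = self.counts[element]
        self.s -= c * math.log2(c) if c else 0.0
        c += delta
        self.s += c * math.log2(c) if c else 0.0
        self.counts[element] = c
        self.n += delta

    def entropy(self):   # H = -sum(p*log2 p) = log2(N) - sum(c*log2 c) / N
        return 0.0 if self.n == 0 else math.log2(self.n) - self.s / self.n

def block_entropies(records, block, step, weights):
    """Per block of `block` records sliding by `step` (overlap = block - step),
    the weighted sum of per-attribute entropies; the first block starts empty."""
    trackers = {a: BlockEntropy() for a in weights}
    out = []
    for i, rec in enumerate(records):
        for a, t in trackers.items():
            t.shift(rec[ATTRS[a]], +1)
            if i >= block:                  # drop the record leaving the block
                t.shift(records[i - block][ATTRS[a]], -1)
        if i + 1 >= block and (i + 1 - block) % step == 0:
            out.append(sum(w * trackers[a].entropy() for a, w in weights.items()))
    return out

def dns_anomaly(records, block, step, weights, threshold, min_hits):
    """Anomaly when at least `min_hits` block entropies exceed `threshold`."""
    return sum(h > threshold for h in block_entropies(records, block, step, weights)) >= min_hits

# Constructed sample: steady lookups of two names from three resolvers, then a
# burst of distinct pseudo-random labels from many sources (NXDOMAIN answers).
BENIGN = [("A" if i % 2 else "AAAA", "NOERROR", "10.0.0.%d" % (i % 3),
           "www.example.com" if i % 2 else "mail.example.com") for i in range(40)]
BURST = [("A", "NXDOMAIN", "10.1.%d.%d" % (i // 7, i % 7), "r%05d.example.com" % i)
         for i in range(40)]
WEIGHTS = {"qname": 0.5, "src_ip": 0.3, "rcode": 0.2}   # constructed weights
```

With these parameters the benign blocks stay near a weighted entropy of 1 bit while the burst blocks rise above 3 bits, so `dns_anomaly(BENIGN + BURST, 20, 10, WEIGHTS, 2.0, 2)` fires and the benign stream alone does not; the threshold and the number of required hits are tuning parameters that a deployment would calibrate on its own baseline traffic.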

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010198228.8A CN101854404B (en) 2010-06-04 2010-06-04 Method and device for detecting anomaly of domain name system
PCT/CN2010/074577 WO2011150579A1 (en) 2010-06-04 2010-06-28 Method and device for detecting domain name system (dns) anomaly

Publications (2)

Publication Number Publication Date
CN101854404A CN101854404A (en) 2010-10-06
CN101854404B true CN101854404B (en) 2013-08-07

Family

ID=42805666

Also Published As

Publication number Publication date
CN101854404A (en) 2010-10-06
WO2011150579A1 (en) 2011-12-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information
Inventor after: Mao Wei; Li Xiaodong; Ding Senlin; Wang Xin; Wu Jun; Jin Jian
Inventor before: Mao Wei; Li Xiaodong; Ding Senlin; Wang Xin; Wu Jun; Jin Jian; Lu Wenzhe
COR Change of bibliographic data
Free format text: CORRECT: INVENTOR; FROM: MAO WEI LI XIAODONG DING SENLIN WANG XIN WU JUN JIN JIAN LU WENZHE TO: MAO WEI LI XIAODONG DING SENLIN WANG XIN WU JUN JIN JIAN
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20210207
Address after: 100190 room 506, building 2, courtyard 4, South 4th Street, Zhongguancun, Haidian District, Beijing
Patentee after: CHINA INTERNET NETWORK INFORMATION CENTER
Address before: 100190 No. four, four South Street, Haidian District, Beijing, Zhongguancun
Patentee before: Computer Network Information Center, Chinese Academy of Sciences