
TWI524207B - Method of detecting suspicious botnet relay station domain name - Google Patents


Info

Publication number: TWI524207B (granted patent); earlier version TW201701182A (application)
Authority: TW (Taiwan)
Application number: TW104119695A
Original language: Chinese (zh)
Prior art keywords: domain, domain name, information, module, search
Inventors: Kai-Feng Hong, Jian-Zhi Chen, Jian-Quan Pan, Shun-De Liu, Guo-Sen Zhou
Original assignee: Chunghwa Telecom Co Ltd
Priority date and filing date: 2015-06-18
Publication date: 2016-03-01


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Description

Method for detecting suspicious botnet relay station domain names

The present invention relates to a method for detecting network domain names, and in particular to a method for detecting the domain names of suspicious botnet relay stations (the command-and-control hosts that bots report to).

Most crime on the Internet relies on botnets. By building a botnet, an attacker can steal confidential data, or control and attack the infected machines, without the users' knowledge. To protect themselves, attackers avoid tying a fixed IP address to a particular host and physical location, so botnet operators mostly have their bots reach the relay station through a domain name rather than a hard-coded IP address.

For enterprises that hold large amounts of personal data and sensitive business data, a way to detect suspicious botnet relay station domains effectively, and so stop attackers from using a botnet to exfiltrate sensitive or confidential data before it happens, is an urgently needed technology.

Existing techniques monitor the traffic of DNS (Domain Name System) servers, analyse domain traffic that shows botnet-like behaviour such as reconnaissance, and then use known malicious-domain information, such as a comparison of ASN (autonomous system number) data or the results of an Internet search engine, as the basis for a verdict. In the prior patent concerned, the results returned by the search engine are compared against malware-analysis websites: if the results contain a link to a malware-analysis site, or if the search returns nothing at all, the analysed domain is judged suspicious or malicious.

The present invention is a method for detecting suspicious botnet relay station domain names that uses an Internet search engine. The underlying observation is that ordinary legitimate domains are mostly registered in the name of well-known companies, and well-known companies usually register domains for several products, so a search engine finds many hits on the product or company web pages. Relay station domains, in contrast, are mostly registered with private accounts, and the relay station itself is neither published on any web page nor linked from anywhere, so a search engine can hardly find it. The invention therefore uses the number of results a search engine returns to judge how likely a domain name is to be a botnet relay station.

The method also uses WHOIS queries (https://who.is/), because a WHOIS query returns the registration data for a domain name, including the e-mail address of its registrant; the WHOIS database can then be searched in reverse by that e-mail address to obtain every domain registered with it. The information from these WHOIS lookups yields the set of domain names associated with the domain under examination.

The method also queries Domain Name System (DNS) records, because they reveal further related domains: the record for a domain name holds the addresses of its name servers (NS), and a domain may also have its own name servers registered beneath it. The information from these DNS lookups likewise contributes to the set of domain names associated with the domain under examination.

The object of the invention is to detect suspicious botnet relay station domain names. Given a suspect domain name, its first-tier and second-tier domain names are submitted to an Internet search engine; when the numbers of results returned are below a first-tier threshold and a second-tier threshold respectively, the name is a suspicious domain worth further consideration. The values the result counts are compared against, the first-tier threshold and the second-tier threshold, must be defined beforehand, because they affect the accuracy of the method. Next, a WHOIS query yields the registrant's e-mail address for the domain name and the domain of that e-mail address, and the method checks whether the domain of the e-mail address is the same as the e-mail domain of the registrant of that mail domain (that is, whether the mail domain is registered under itself rather than by a separate provider). If the two are the same, that domain is included for consideration; otherwise it is not.

The name server (NS) and start of authority (SOA) information obtained by DNS (Domain Name System) query also belongs to domains associated with the suspect domain name, so it is added to the set of domains under consideration as well. Next, the web content of every domain in the set associated with the suspect domain name is analysed, and all domains belonging to domain name service providers are removed. The WHOIS database is then searched in reverse by the registrant's e-mail address to obtain every domain registered with that address, and these are all added to the set of domains associated with the suspect domain name. Finally, every domain in the set is submitted to the search engine, and the verdict follows from the numbers of results returned for the related domains: when the result counts of all related domains in the set are below a fixed value (the second-tier threshold), the suspect domain is judged suspicious; otherwise it is judged legitimate. This is how the invention detects whether a name is a suspicious botnet relay station domain from the prominence of its related domains.

The invention uses an Internet search engine to rule out legitimate domains and single out suspicious relay stations. For domains with very few or no search results it collects domain data: it actively queries the domain's DNS records, including the domains of the SOA and NS records and of the registrant's e-mail address, and analyses the WHOIS database to find other related domains with the same registrant e-mail. It thereby finds the company domain behind the name and the related domains registered with it. From these derived domains and company information it decides whether the domain was registered by a well-known company, and excludes domains registered under well-known companies, which raises the accuracy.

The prior art collects passive DNS query information, builds a model of the features of known malicious domains and of legitimate domains, and then uses the model to judge whether a new domain is legitimate or illegitimate. The quality of the model's training data directly affects the accuracy of the verdict on a new domain, so large amounts of training data must be obtained regularly to update the model, and maintaining and filtering that data incurs substantial extra cost.

The present invention instead offers a real-time approach: it judges and detects a new domain from the results a search engine returns at that moment, according to the current state of the web. No model has to be built in advance, so no large body of training data has to be collected and maintained.

Compared with the prior art, the invention has the following effects:

1. The invention can determine how well known a domain name is. Given a domain name, the process steps of the invention produce the hierarchy of related domains and the number of search results returned for each, from which the prominence of the domain name can be judged.

2. The invention can derive the set of other domains associated with a domain name and identify that set of related domains; through its process steps, the relationships between domain names can be recognised.

3. The invention can detect suspicious botnet relay station domain names. It does not need connection packet data in advance: even when no botnet exchange messages can be captured, the process steps of the invention derive the related-domain relationships from the domain name alone and detect suspicious botnet relay station domains.

S101 to S117: process steps (Fig. 1)

S201 to S215: process steps (Fig. 2)

Fig. 1 is a flow chart of the steps of the method for detecting suspicious botnet relay station domain names according to the invention.

Fig. 2 is a flow chart of the execution of an embodiment of the method for detecting suspicious botnet relay station domain names according to the invention.

The invention is described below with reference to the drawings. As shown in Fig. 1, the object of the invention is to detect suspicious botnet relay station domain names. Given a suspect domain d, step S101 searches for d, i.e. the first-tier domain name, in an Internet search engine. Decision step S102 then checks whether the number of search results for d is below the first-tier threshold N1. If it is, step S103 searches the Internet for the second-tier domain name of d; if not, step S117 judges d to be a legitimate domain.

After step S103 has searched the Internet for the second-tier domain name of d, decision step S104 checks whether the number of search results for the second-tier domain name is below the second-tier threshold N2. If it is, step S105 looks up the registrant e-mail domain of d in WHOIS, giving mail result w1; if not, step S117 judges d to be a legitimate domain. Step S105 is followed by step S106, which looks up the registrant e-mail domain of w1 in WHOIS, giving mail result w2. Decision step S107 checks whether w1 and w2 are equal. If they are, step S108 adds w1 to the data pool; if not, the flow skips to step S109, which adds the DNS, NS and SOA lookup results for the second-tier domain name of d to the data pool. The name server (NS) and start of authority (SOA) information obtained by DNS query belongs to domains associated with the suspect domain name, so it must be included in the set of domains under consideration.

Step S110 fetches the web page of each entry in the data pool. The web content of every domain added to the set associated with the suspect domain name is analysed, and every domain belonging to a domain name service provider is removed: in step S111, if an entry's web page shows it to be a domain service provider, that entry is deleted. The WHOIS database is then searched in reverse by the registrant's e-mail address; this is step S112, a reverse search over all data in the pool, which yields every domain registered with that address. These are all added to the set associated with the suspect domain name, which is step S113 in the figure: the domains found by reverse lookup to be registered with the e-mail address are added to the data pool.

Step S114 searches every entry in the data pool with the Internet search engine: the domains in the domain set built above are submitted to the search engine, and the further verdict follows from the numbers of results returned for the related domains. The final decision step S115 checks whether the search results are below the second-tier threshold N2: when the result counts of all related domains in the set are below N2, step S116 judges the suspect domain d to be suspicious; otherwise step S117 judges d to be a legitimate domain. This is the flow by which the invention detects, from the prominence of related domains, whether a name is a suspicious botnet relay station domain.

Referring now to Fig. 2, which illustrates a preferred embodiment of the invention, suppose the domain name tosis.tecpolicy.com is to be tested for being a suspicious botnet relay station domain. Following the method, step S201 searches for the domain name tosis.tecpolicy.com in an Internet search engine, i.e. the first-tier domain name (the label tosis) is first used as a keyword search. Decision step S202 checks whether the number of results is below the first-tier threshold N1; it is indeed below N1, so step S203 searches the Internet for the second-tier domain name www.tecpolicy.com, and decision step S204 checks whether the number of results for the second-tier domain name is below the second-tier threshold N2. The number of results is below N2, so the method proceeds to the WHOIS lookup of the domain name: step S205 looks up the registrant e-mail domain in WHOIS and obtains qq.com. The first-tier threshold N1 is slightly greater than zero; both N1 and N2 must be defined in the system beforehand, and their values affect the accuracy of the verdicts this method produces.

To find the domains related to tosis.tecpolicy.com, the WHOIS query yields the e-mail address of the domain's registrant. In this embodiment the registrant's e-mail address is 68972312@qq.com, so the e-mail domain is qq.com. Having obtained the registrant's e-mail domain qq.com in step S205, step S206 looks up the registrant e-mail domain of qq.com in WHOIS and obtains tencent.com, because the WHOIS data show that the registrant e-mail address of qq.com is dns@tencent.com, whose domain is tencent.com. Decision step S207 then checks whether qq.com and tencent.com are equal: the registrant's e-mail domain qq.com is compared with the e-mail domain tencent.com of the registrant of qq.com, and they differ, so according to the method the registrant's e-mail domain qq.com is not added to the set of domains associated with tosis.tecpolicy.com.

The method next queries the name server records (DNS records) of the second-tier domain, which in this embodiment is tecpolicy.com, and obtains the domain to which its name server (NS) and start of authority (SOA) records belong, namely hichina.com (the direct query returns dns29.hichina.com and dns30.hichina.com). These domains (tecpolicy.com and hichina.com) are added to the set of domains associated with tosis.tecpolicy.com; this is step S208, adding the DNS, NS and SOA lookup result hichina.com for the second-tier domain to the data pool.

Step S209 fetches the web page of the data pool entry hichina.com in order to exclude domains of domain name service providers: web content analysis is applied to every domain in the set associated with tosis.tecpolicy.com. In this embodiment the web content of www.hichina.com is found to be that of a domain name service provider, so by the rule step S210 deletes that entry because hichina.com is a domain service provider, i.e. hichina.com is removed from the data pool of domains associated with tosis.tecpolicy.com.

Step S211 runs a reverse search over all data in the pool. Using the registrant e-mail address of the tecpolicy.com domain found by the WHOIS search above, 68972312@qq.com, the WHOIS database is searched in reverse to obtain the set of all domains registered by that e-mail address, comqap.com and erickstar.com, and these domains are also added to the set of domains associated with tosis.tecpolicy.com; this is step S212, adding the domains comqap.com and erickstar.com, found by reverse lookup to be registered with the e-mail address, to the data pool.

The data pool now holds every domain name under consideration in the set associated with tosis.tecpolicy.com. Step S213 searches every entry in the pool with the Internet search engine and judges by the numbers of results obtained: decision step S214 checks whether the search results are below the second-tier threshold N2. If the search results for the domain names under consideration contain only a very small number of hits, i.e. fewer than the defined second-tier threshold N2, the method executes step S215 and judges tosis.tecpolicy.com suspicious, because in this embodiment this step finds that the search engine result counts of all associated domains, including comqap.com and erickstar.com, are below N2.

In summary, for every domain name considered in the set associated with tosis.tecpolicy.com, the method for detecting suspicious botnet relay station domain names finds fewer search results than the second-tier threshold N2, and therefore judges tosis.tecpolicy.com to be a suspicious botnet relay station domain.
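The flow of Fig. 1 (S101 to S117) and the Fig. 2 embodiment above, carried through in code as an added example; this is not the patent's or Chunghwa Telecom's implementation. Every external lookup (search engine hit count, WHOIS registrant e-mail, reverse WHOIS, NS/SOA records, web page classification) is an injected callable, and the defaults are in-memory stubs constructed from the names the embodiment gives (tosis.tecpolicy.com, 68972312@qq.com, dns@tencent.com, dns29/dns30.hichina.com, comqap.com, erickstar.com). The hit counts, the *.example domains and the thresholds N1=3, N2=10 are invented for the demonstration, and the second-tier name is taken as the last two labels, so the example runs offline and also exercises the two legitimate branches (a well-known first-tier name, and an obscure host whose registrant's other domain is well known):

```python
"""Relay-domain check modelled on the S101-S117 flow of TWI524207B.

Added example, not the patent's own code.  All lookups are injected so
the logic can be run against stub data offline (as below) or wired to
real search, WHOIS, reverse-WHOIS and DNS clients.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Lookups:
    """Data sources the method depends on (assumed interfaces)."""
    search_count: Callable[[str], int]                # search-engine hits for a name
    registrant_email: Callable[[str], Optional[str]]  # WHOIS registrant e-mail of a domain
    reverse_whois: Callable[[str], List[str]]         # domains registered with that e-mail
    ns_soa_hosts: Callable[[str], List[str]]          # NS and SOA MNAME hosts of a domain
    is_dns_provider: Callable[[str], bool]            # page-content rule (S110/S111)


@dataclass
class Verdict:
    label: str                                             # "suspicious" or "legitimate"
    related: Dict[str, int] = field(default_factory=dict)  # pool domain -> hit count
    trace: List[str] = field(default_factory=list)


def registrable_domain(name: str) -> str:
    """Second-tier name as the patent uses it: the last two labels.
    Assumption: no public-suffix handling; names under com.tw, co.uk
    etc. need the public suffix list in a real deployment."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def classify(suspect: str, lk: Lookups, n1: int, n2: int) -> Verdict:
    v = Verdict("legitimate")
    c1 = lk.search_count(suspect)                      # S101/S102: first-tier name
    v.trace.append(f"S101 {suspect}: {c1} hits (N1={n1})")
    if c1 >= n1:
        return v
    second = registrable_domain(suspect)               # S103/S104: second-tier name
    c2 = lk.search_count(second)
    v.trace.append(f"S103 {second}: {c2} hits (N2={n2})")
    if c2 >= n2:
        return v
    pool = {second}
    # S105-S108: registrant mail domain w1 joins the pool only if it is
    # registered under itself (w1 == w2), i.e. the owner's own domain
    # rather than a public mail provider such as qq.com.
    reg = lk.registrant_email(second)
    if reg:
        w1 = email_domain(reg)
        reg2 = lk.registrant_email(w1)
        w2 = email_domain(reg2) if reg2 else None
        v.trace.append(f"S105-S107 registrant {reg}: w1={w1} w2={w2}")
        if w1 == w2:
            pool.add(w1)
    for host in lk.ns_soa_hosts(second):               # S109: NS/SOA domains
        pool.add(registrable_domain(host))
    pool = {d for d in pool if not lk.is_dns_provider(d)}   # S110/S111
    if reg:                                            # S112/S113: reverse WHOIS
        pool.update(d.lower() for d in lk.reverse_whois(reg))
    v.related = {d: lk.search_count(d) for d in sorted(pool)}  # S114
    v.trace.append(f"S114 pool hits: {v.related}")
    if all(c < n2 for c in v.related.values()):       # S115: all below N2
        v.label = "suspicious"
    return v


# --- Constructed stub data: names from the Fig. 2 embodiment, *.example
# names and every hit count are invented to exercise each branch. ---
HITS = {
    "tosis.tecpolicy.com": 0, "tecpolicy.com": 3, "comqap.com": 1, "erickstar.com": 0,
    "qq.com": 50_000_000, "tencent.com": 30_000_000, "hichina.com": 2_000_000,
    "mail.example.com": 1_000_000,                        # well known: stops at S102
    "beta.acme-labs.example": 0, "acme-labs.example": 2,  # obscure host of a company
    "acme-tools.example": 500_000,                        # whose sibling domain is well known
}
REGISTRANT = {
    "tecpolicy.com": "68972312@qq.com",
    "qq.com": "dns@tencent.com",                          # public provider: w1 != w2
    "acme-labs.example": "hostmaster@acme-labs.example",  # self-registered: w1 == w2
}
REVERSE_WHOIS = {
    "68972312@qq.com": ["comqap.com", "erickstar.com"],
    "hostmaster@acme-labs.example": ["acme-labs.example", "acme-tools.example"],
}
NS_SOA = {
    "tecpolicy.com": ["dns29.hichina.com", "dns30.hichina.com"],
    "acme-labs.example": ["ns1.acme-labs.example"],
}
DNS_PROVIDERS = {"hichina.com"}   # what S110's page analysis would flag

DEMO = Lookups(
    search_count=lambda n: HITS.get(n.lower(), 0),
    registrant_email=lambda d: REGISTRANT.get(d.lower()),
    reverse_whois=lambda e: REVERSE_WHOIS.get(e.lower(), []),
    ns_soa_hosts=lambda d: NS_SOA.get(d.lower(), []),
    is_dns_provider=lambda d: d.lower() in DNS_PROVIDERS,
)

if __name__ == "__main__":
    for name in ("tosis.tecpolicy.com", "mail.example.com", "beta.acme-labs.example"):
        r = classify(name, DEMO, n1=3, n2=10)
        print(name, "->", r.label)
        for line in r.trace:
            print("   ", line)
```

Run stand-alone it prints the verdict and the S101 to S115 trace for each name: tosis.tecpolicy.com ends up suspicious with the pool {tecpolicy.com, comqap.com, erickstar.com} (qq.com excluded at S107, hichina.com removed at S111), while beta.acme-labs.example is rescued at S115 because its registrant's other domain has many hits. Two caveats before using this as more than an enrichment score: registrant e-mail addresses are redacted in most WHOIS output since 2018 and reverse WHOIS needs a historical data set, so S105 to S113 often yield an empty pool; and search engine hit counts are estimates that fluctuate and are also near zero for brand-new legitimate domains and internal hostnames, so N1 and N2 need tuning against known-good and known-bad sets rather than a single fixed value.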

The detailed description above gives a specific account of a preferred embodiment of the invention, but that embodiment is not intended to limit the scope of the patent; any equivalent implementation or modification that does not depart from the spirit of the invention shall fall within the scope of this patent.

In summary, the present case is technically innovative and has several effects the prior art lacks; it fully meets the statutory requirements of novelty and inventive step for an invention patent, and a patent application is hereby filed in accordance with the law, with the request that the Office grant this invention patent application to encourage invention.


Claims (3)

1. A method for detecting suspicious botnet relay station domain names, comprising the steps of: providing a search engine module in a suspect network search system, the search engine module holding a first-tier threshold; providing an association search module in the suspect network search system, connecting the association search module to the search engine module, the association search module holding a second-tier threshold; providing an analysis module in the suspect network search system and connecting the analysis module to the search engine module and the association search module; the search engine module searching for a suspect domain name through an Internet search engine and, if the number of matching results is below the first-tier threshold, producing first-tier screening information and transmitting it to the analysis module and the association search module; the association search module producing a second-tier suspect domain name from the first-tier screening information and searching for the second-tier suspect domain name and, if the number of matching results is below the second-tier threshold held in the association search module, producing association screening information by an association decision rule and transmitting it to the analysis module; and the analysis module analysing the first-tier screening information and the association screening information and producing a verdict.
2. The method for detecting suspicious botnet relay station domain names of claim 1, wherein the association decision rule comprises the steps of: the association search module obtaining by WHOIS query the domain of the registrant e-mail address of the second-tier suspect domain name, and the domain of the registrant of the domain to which that registrant e-mail address belongs; the association search module querying by WHOIS the domain of the registrant of the domain to which the registrant e-mail address belongs and, if that domain is the same as the domain of the registrant e-mail address, producing mail address domain result information from the domain of the registrant e-mail address; and the association search module querying the DNS (Domain Name System) records of the second-tier suspect domain name to obtain the name server and start of authority record information, and combining it with the mail address domain result information to produce the association screening information.
3. The method for detecting suspicious botnet relay station domain names of claim 2, wherein the analysis module analysing the first-tier screening information and the association screening information and producing the verdict further comprises the steps of: the analysis module comprising a data pool for receiving the association screening information; the analysis module performing web page analysis on the first-tier screening information and the association screening information, filtering out the domain names belonging to domain name service providers and adding the remaining information to the data pool; the analysis module performing, through the association search module, a reverse lookup on the mail address domain result information in the association screening information and adding every domain registered with that e-mail address to the data pool; and the analysis module searching all information in the data pool on the Internet through the search engine module and, if the number of matching results is below the second-tier threshold, judging the suspect domain name suspicious, and if the number of matching results is not below the second-tier threshold, judging the suspect domain name legitimate.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW104119695A TWI524207B (en) 2015-06-18 2015-06-18 Method of detecting suspicious botnet relay station domain name

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW104119695A TWI524207B (en) 2015-06-18 2015-06-18 Method of detecting suspicious botnet relay station domain name

Publications (2)

Publication Number Publication Date
TWI524207B true TWI524207B (en) 2016-03-01
TW201701182A TW201701182A (en) 2017-01-01

Family

ID=56085381

Family Applications (1)

Application Number Title Priority Date Filing Date
TW104119695A TWI524207B (en) 2015-06-18 2015-06-18 Method of detecting suspicious botnet relay station domain name

Country Status (1)

Country Link
TW (1) TWI524207B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI764618B (en) * 2020-10-19 2022-05-11 新加坡商賽博創新新加坡股份有限公司 Cyber security protection system and related proactive suspicious domain alert system
US11558352B2 (en) 2020-10-19 2023-01-17 Cycraft Singapore Pte. Ltd. Cyber security protection system and related proactive suspicious domain alert system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI666568B (en) * 2018-04-30 2019-07-21 國立成功大學 Method of Netflow-Based Session Detection for P2P Botnet
TWI677803B (en) * 2018-05-09 2019-11-21 中華電信股份有限公司 Suspicious domain detecting method, gateway apparatus and non-transitory computer readable medium apparatus

Also Published As

Publication number Publication date
TW201701182A (en) 2017-01-01

Similar Documents

Publication Publication Date Title
Pearce et al. Global measurement of DNS manipulation
Hao et al. Monitoring the initial DNS behavior of malicious domains
Marchal et al. PhishStorm: Detecting phishing with streaming analytics
De Silva et al. Compromised or Attacker-Owned: A large scale classification and study of hosting domains of malicious URLs
Kührer et al. Paint it black: Evaluating the effectiveness of malware blacklists
Messabi et al. Malware detection using dns records and domain name features
CN102647422B (en) Phishing website detection method and device
CN102891826B (en) The control method of web page access, equipment and system
Chiba et al. DomainProfiler: Discovering domain names abused in future
WO2018163464A1 (en) Attack countermeasure determination device, attack countermeasure determination method, and attack countermeasure determination program
TWI524207B (en) Method of detecting suspicious botnet relay station domain name
CN107800686A (en) A kind of fishing website recognition methods and device
Xia et al. Identifying and characterizing COVID-19 themed malicious domain campaigns
Mishsky et al. A topology based flow model for computing domain reputation
TW201902174A (en) Malicious domain detection method combining network information and network traffic
Son et al. Cyber-attack group analysis method based on association of cyber-attack information.
Korczynski et al. Statistical analysis of DNS abuse in gTLDs final report
TWI634769B (en) Method for detecting domain name transformation botnet through proxy server log
CN118784329A (en) A CDN domain name abuse automatic detection method and system based on domain name hosting status
CN106157214A (en) The method and device of tracking of information
JP7686667B2 (en) Malicious domain hosting type classification system and method
CN117614931A (en) A quick discovery method and analysis method and device for black and gray domain names based on domain name pool
Ito et al. Money talks: detection of disposable phishing websites by analyzing its building costs
Dolberg et al. Multi-dimensional aggregation for dns monitoring
TWI636371B (en) Associated sentiment cluster method

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees