WO2011113239A1 - Flow detection method for domain name system and domain name server thereof - Google Patents

Abstract

A flow detection method for a domain name system (DNS) and a domain name server thereof are provided in the present invention. The method includes the following steps: acquiring the number of domain name inquiry requests and the actual value of the type of a measurement index, which are received during a detection period (11); acquiring a predicted value of the type of the measurement index, according to the mapping relationship between the domain name inquiry request and the measurement index and the number of the domain name inquiry requests (12); determining the first difference value between the actual value and the predicted value of the type of the measurement index (13); and outputting alarm information indicating the abnormality of the DNS flow when the fact that the first difference value is larger than the threshold obtained in advance is confirmed (14). The domain name server can be used for executing the flow detection method for a DNS. By applying the flow detection method and the domain name server for a DNS provided in the present invention, the rate of false alarm for the judgment about the abnormality of the DNS flow can be reduced, and the accuracy of the detection about the abnormality of the DNS flow is improved.

Description

 Domain Name System Traffic Detection Method and Domain Name Server

Technical field

 The present invention relates to the field of communications technologies, and in particular, to a domain name system traffic detection method and a domain name server. Background technique

 The Domain Name System (DNS) is one of the important infrastructures of the Internet. It is responsible for providing mapping and resolution between domain names and Internet Protocol (IP) addresses. It is web browsing and email. Wait for key links in almost all Internet applications. Therefore, the stable operation of the domain name system is a prerequisite for the normal service of the Internet. However, the recent cyber attacks against the domain name system have become increasingly rampant, and the abuse of the domain name system has emerged one after another. Coupled with the inherent limitations of the DNS protocol, the security of the domain name system is facing a severe test. Therefore, how to quickly and effectively detect the domain name system Abnormal behavior and avoiding catastrophic events have become an important issue for today's domain name systems and the entire Internet.

 Since the DNS server implements the external domain name resolution service by responding to the DNS query request it receives, the DNS query data flow directly reflects the entire process of the DNS server's external service. Therefore, the prior art usually detects the DNS traffic. Efficiently evaluate the service status of the DNS server to detect abnormal behavior of the domain name system.

 A commonly used method for detecting DNS traffic anomalies in the prior art is one or more measurement indicators (for example, a domain name query request, a source IP address, a query domain name, a port number, etc.) in a DNS query request data stream sent to a DNS server. The quantity is detected in real time. Once the number of certain measurement indicators exceeds the specified threshold at a certain time, a DNS traffic abnormal alarm is generated, indicating that the domain name system behaves abnormally.

The reason for the abnormal DNS traffic is multi-faceted. The prior art only determines whether the DNS traffic is abnormal by instantaneously measuring an independent measurement index. This method is one-sided. The false alarm rate is high, and the detection of abnormal DNS traffic cannot be accurately and effectively implemented. Summary of the invention

 The object of the present invention is to provide a domain name system traffic detection method and a domain name server, which are used to improve the accuracy of DNS traffic anomaly detection.

 The present invention provides a domain name system traffic detection method, including:

 Obtaining the number of domain name query requests received during the detection period and the actual value of the measurement indicator type;

 Obtaining a predicted value of the type of the measurement indicator according to a mapping relationship between the domain name query request and the measurement indicator and the number of the domain name query request;

 Determining a first difference between the actual value of the type of measurement indicator and the predicted value of the type of measurement indicator;

 When it is determined that the first difference is greater than a pre-acquired threshold, the domain name system traffic abnormality alarm information is output.

 The invention provides a domain name server, comprising:

 An actual value obtaining module, configured to acquire the number of domain name query requests received during the detection period and the actual value of the type of the measurement indicator;

 a prediction value obtaining module, configured to acquire a predicted value of the type of the measurement indicator according to a mapping relationship between the domain name query request and the measurement indicator and the number of the domain name query request;

 a first difference determining module, configured to determine a first difference between the actual value of the measurement indicator type and the predicted value of the measurement indicator type;

 The determining output module is configured to output the domain name system traffic abnormality alarm information when determining that the first difference is greater than a pre-acquired threshold.

The domain name system traffic detection method and the domain name server of the present invention detect the DNS traffic according to the actual value of the measurement index type, the number of domain name query requests, and the mapping relationship between the domain name query request and the measurement index. Compared with technology, it reduces the judgment of DNS flow. The false positive rate when the quantity is abnormal increases the accuracy of detecting abnormal DNS traffic. DRAWINGS

 In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, a brief description of the drawings used in the embodiments or the prior art description will be briefly described below. Obviously, the drawings in the following description It is a certain embodiment of the present invention, and other drawings can be obtained from those skilled in the art without any inventive labor.

 1 is a flowchart of a method for detecting a traffic of a domain name system according to Embodiment 1 of the present invention; FIG. 2 is a flowchart of a method for acquiring parameters and thresholds according to Embodiment 1 of the present invention; FIG. 3 is a domain name provided by Embodiment 2 of the present invention; FIG. 4 is a flow chart of a double logarithmic transformation of a query domain name and a domain name query request in multiple test cycles according to Embodiment 2 of the present invention; FIG.

 5 is a fitting curve of a double logarithmic transformation of a source IP address and a domain name query request in multiple test cycles according to Embodiment 2 of the present invention;

 6 is a schematic diagram showing the distribution of the number of domain name query requests and the number of query domain names over time in an experiment process according to an embodiment of the present invention;

 7 is a schematic diagram of changes in calculation cost and measurement index in a test process according to an embodiment of the present invention; FIG. 8 is a schematic structural diagram of a domain name server according to Embodiment 3 of the present invention;

 FIG. 9 is a schematic structural diagram of a domain name server according to Embodiment 4 of the present invention. detailed description

The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is a partial embodiment of the invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without departing from the inventive scope are the scope of the present invention. Before introducing the technical solution of the present invention, the following briefly introduces the law of accumulation: The Heap's Law originated in computational linguistics and is used to describe the relationship between the total number of words contained in a document collection and the number of different words. Suppose a document collection contains N words, where the number of different words is called the size of the dictionary is V, then: V = KN ^P , where K and β are the mapping between the total number of words 字典 and the dictionary size V The parameter of the relationship, which is a constant and 0 < β < 1. A large number of English documents have been statistically verified to verify the correctness of the law, and the range of parameters Κ and β is obtained, usually 0 < Κ < 100, 0.4 ≤ β ≤ 0.6. The law states: As the number of texts increases, the number of different words involved accounts for a sudden increase in the proportion of words in the text, and then the growth slows, but is always increasing, that is, with the observed text More and more, new words are always appearing, but the probability of new words appearing is decreasing.

 The technical solution of the present invention is based on the above stacking law, that is, under the normal network, the stacking law is followed between the number of DNS query requests received by the DNS server and the measurement indicators included in the query request within a certain period of time.

 Embodiment 1

 FIG. 1 is a flowchart of a method for detecting a traffic of a domain name system according to Embodiment 1 of the present invention. The execution entity of this embodiment is a domain name server. As shown in FIG. 1 , the detection method in this embodiment includes:

 Step 11: Obtain the number of domain name query requests received during the detection period and the actual value of the measurement indicator type;

 In this embodiment, the working state of the DNS server is detected according to the status of the DNS query request received by the DNS server in a period of time. In this embodiment, the "period" is a detection period, that is, the result of detecting the DNS server traffic at the end of the detection period. The detection period may be a time interval for detecting the DNS server traffic according to an actual application, and may be time-divided, for example, one hour is a detection period, or may be divided according to the query quantity, for example, every ten million query requests are received. For a detection cycle.

Specifically, the DNS server receives the DNS query request, and collects the number of DNS query requests in the detection period, and simultaneously calculates the actual value of the measurement indicator type. Where the measurement indicator is requested from the query The source IP address: 192.168.200.1 and the source IP address are used to distinguish different measurement indicators, for example, when the source IP address is used as a measurement indicator, for example, Source IP address: 192.168.200.2 belongs to different types of measurement indicators, and the actual value of the corresponding measurement indicator type is 2.

 The process of calculating the actual value of the measurement indicator type is as follows: When the DNS server receives any DNS query request, obtains the measurement index in any DNS query request; and determines the measurement index in any DNS query request obtained. Type, whether it is the same as the type of the measurement indicator included in the other domain name query request; if the judgment result is different, the DNS server increases the actual value of the corresponding measurement indicator type by 1, and obtains the measurement index at the end of the detection period. The actual value of the type.

 Step 12: Obtain a predicted value of the type of the measurement indicator according to the mapping relationship between the domain name query request and the measurement indicator and the number of the domain name query request;

 Specifically, in the normal network state, the stacking law is followed between the number of DNS query requests and the measurement indicators. Among them, the number of DNS query requests is equivalent to the total number of words in the stacking law, and the number of measurement index types is equivalent to the dictionary size, that is, the number of different words. Then, the DNS query request and the measurement indicator type satisfy the formula (1) quantitatively, that is, the mapping relationship between the DNS query request and the measurement indicator type, and the formula (1) is as follows:

 Log^^ - ^log^) + ^ ( 1 )

 It can be seen from the above that if any one of the number of DNS query requests and the number of measurement index types is known, another one can be obtained according to formula (1); specifically, the number and formula of the query according to the known DNS query will be obtained. (1) The calculated number of measurement index types is called the predicted value of the measurement index type; wherein, the meaning of each variable or parameter in formula (1) is as follows:

 N, the number of domain name query requests within the detection period;

 The predicted value of the type of measurement indicator in the detection period calculated according to the number of domain name query requests in the normal network state;

β, pre-acquired, indicating the number of domain name query requests and the type of measurement indicator The parameter of the mapping relationship between values, the parameter range is 0~1, and the parameter range is 0-100. The specific parameters and the acquisition process will be described in detail later.

 Further, it is known from the stacking law that as the number of DNS query requests increases, the number of measurement metric types suddenly increases, and then the growth rate slows down, but it always increases. Under normal network conditions, the predicted value of the type of measurement indicator is calculated according to the number of DNS query requests and the formula (1), which should be the same or similar to the actual value of the measurement indicator type.

 Step 13: determining a first difference between the actual value of the measurement indicator type and the predicted value of the measurement indicator type;

 Specifically, the actual value of the actually measured type of the measurement index is compared with the predicted value of the type of the measurement index calculated according to the formula (1), and the difference is taken as an absolute value to obtain the first difference.

 According to the mapping relationship between the DNS query request and the measurement index type, that is, the stacking law, if the network is normal, the actual value of the measurement index type and the prediction value of the measurement index type should be the same or similar, therefore, the size of the first difference may be The proximity of the actual value of the type of measurement indicator to the predicted value of the type of measurement indicator, which in turn indicates the status of the domain name system traffic.

 Step 14. When it is determined that the first difference is greater than the pre-acquired threshold, the domain name system traffic abnormal alarm information is output.

 After obtaining the first difference, the DNS server compares the first difference with the pre-acquired threshold. When comparing the first difference with the pre-acquired threshold, the actual value of the measurement indicator type and the type of the measurement indicator are The predicted values differ greatly, which indicates that the DNS server traffic is abnormal at this time, and the traffic abnormal alarm information should be output.

In this embodiment, the threshold value is not limited, and the threshold may be an empirical value obtained in an actual application, or may be a range value of the allowed fluctuation according to the application scenario. Preferably, in the normal network state, the second difference between the actual value of the measurement index type and the predicted value of the measurement index type of multiple test periods is obtained, and the largest second difference is taken as the current step. The threshold in 14. It is worth noting that the threshold is acquired before performing this step, but it is not limited to enter the detection period after acquiring the threshold. The domain name system traffic detection method in this embodiment obtains the predicted value of the measurement index type according to the mapping relationship between the domain name query request and the measurement index type, and compares the actual value of the measurement index type with the predicted value according to the two The range of the difference is used to determine whether the DNS server traffic is abnormal. The stacking law combines the domain name query request with the measurement index to detect the DNS traffic. Compared with the prior art, the false alarm rate when determining the abnormal DNS traffic can be reduced. The accuracy of the abnormality of the DNS traffic is detected. At the same time, the technical solution of the present invention detects the traffic of the DNS server based on the domain name query request in the detection period, and does not make the judgment instantaneously as in the prior art, thereby further improving the abnormality of detecting the DNS traffic. Accuracy and effectiveness.

 Generally, the DNS server performs the external domain name resolution service by responding to the domain name query request received by the DNS server. The typical domain name query request includes a timestamp, a source IP address, a port number, a query domain name, and a resource type. Therefore, in this embodiment, the measurement indicator obtained from the query request refers to each field value in the domain name query request, that is, the measurement indicator may be a timestamp, a source IP address, a port number, a query domain name, a resource type, and the like.

 Further, the obtaining threshold value and the implementation manner of the parameter in the formula (1) provided by the embodiment are as follows:

 In the normal network state, multiple test cycles are set, as shown in FIG. 2, the implementation process specifically includes the following steps:

 Step 111: Obtain the number of domain name query requests received during each test period and the actual value of the measurement indicator type;

 The test period is similar to the detection period. The difference is that the test period is before the detection period to provide various parameters and information required for the detection period, and the test period is generally selected during a period in which the network performance is relatively stable, that is, in a normal network state. Next, test it.

 Specifically, the process of obtaining the actual value of the measurement indicator type in this step 111 is the same as that in step 11, and will not be discussed in detail.

Step 112: linearly fitting the number of domain name query requests and the actual value of the measurement index type in the obtained multiple test periods, and obtaining the parameter β and the parameter according to the fitting result; Wherein, the linear fitting may be a least square method, an equal-partition three-group averaging method or a piecewise optimal slope averaging method, and this embodiment is preferably a least square method, that is, determining the number and measurement of the domain name query request by the least squares method. The linear relationship between the actual values of the indicator types, as well as the linear coefficients, ie parameters and parameters.

 Step 113: Calculate a predicted value of the type of the measurement indicator for each test period according to the mapping relationship between the domain name query request and the measurement indicator;

 Specifically, the predicted value of the type of the measurement index for each test period is calculated according to the formula (2), wherein the formula (2) is as follows:

Log(F ₂ ') - ^log(N ₂ ) + ^ ( 2 )

Where N ₂ is the number of domain name query requests for each test period; I is the predicted value of the type of measurement indicator for each test period; β, Κ is the parameter obtained according to step 111 and step 112 above, where the value of the parameter The range is 0~1, and the parameter range is 0~100.

 Step 114: Determine a second difference between the actual value of the measurement indicator type of each test period and the predicted value of the measurement indicator type;

 Specifically, the actual value of the measurement index type of each test period and the predicted value of the measurement index type are made a difference and the result of taking the absolute value is used as the second difference.

 Step 115: Obtain a second largest difference among the second differences of the multiple test periods as a threshold for detecting domain name system traffic.

 It should be noted that the method provided in this embodiment can acquire parameters and thresholds at the same time, that is, after obtaining the parameters and parameters, the subsequent operations are directly performed to obtain the threshold, that is, the acquisition parameters and the thresholds use the same test period, but in practical applications. The process of obtaining parameters and thresholds may be independent, that is, different test periods may be set for acquiring parameters and thresholds respectively. This embodiment provides a preferred embodiment, and the efficiency is high.

The parameters and thresholds in this embodiment are obtained by testing the normal network. The test process is similar to the actual detection process. Therefore, the DNS traffic is detected based on the parameters and thresholds provided in this embodiment, and the detection accuracy and effectiveness are high. In addition, this embodiment does not count the number of test cycles and test cycles. The amount is limited. Generally, the more the number of test cycles, the closer the threshold is to the actual situation, and the better the detection effect is when the DNS traffic is detected based on the threshold.

 There are many ways to attack a network. For example, in order to reduce the local DNS cache hit rate and improve the attack effect, the attacker will randomly generate any domain name and send it to the attack object. Or the attacker can control the hyperscale by improving his hiddenness. The botnet, even forging a large number of source IP addresses to achieve attacks, therefore, the reasons for the abnormality of the domain name system traffic are also diverse. Based on this, the measurement index in this embodiment may be not only a single measurement parameter obtained from a domain name query request, such as a source IP address or a query domain name, but also a set of multiple measurement parameters, for example, including a source IP address and Query requests, etc. to deal with a variety of situations. The measurement parameter refers to the source IP address, query domain name or port number obtained from the domain name query request.

 When the measurement indicator includes multiple measurement parameters, the domain name system traffic detection method provided in this embodiment needs to obtain the actual value of each measurement parameter type and the prediction value of each measurement parameter type separately; and determine the actual value of each measurement parameter type respectively. And a first difference value of the predicted values of the measured parameter types; and when any of the first differences is greater than a first threshold corresponding to any of the first differences, the domain name system traffic abnormality alarm information is output. The first threshold corresponding to each first difference may be the same or different, and the acquiring process of each first threshold is the same as the foregoing step 111 to step 115.

 The domain name system traffic detection method provided in this embodiment detects the domain name system traffic according to multiple measurement parameters, and the adaptability thereof is stronger.

 Further, in the following embodiments of the present invention, the source IP address and the query domain name are taken as an example for description.

 Embodiment 2

 FIG. 3 is a flowchart of a method for detecting a domain name system traffic according to Embodiment 2 of the present invention. This embodiment will be implemented based on the above embodiments. The specific embodiment of the present invention will further explain the technical solution of the present invention in combination with practical applications.

Taking the CN domain name as an example, as of the end of 2009, the number of CN domain name registrations reached 13.456 million, and the total number of DNS query requests received by CN domain name servers from around the world was nearly 1.5 billion times. The peak of queries received per second is close to 60,000 times. Once the CN domain name server is abnormal, it will endanger the security of its tens of millions of second-level domain names. Therefore, this embodiment implements the technical solution provided by the present invention on the CN domain name server, that is, detects the traffic of the CN domain name server according to the method provided by the present invention. The specific embodiment is a test period of half an hour, and the total test time is 24 hours. The two measurement indicators of the domain name and the source IP address are taken as an example. As shown in FIG. 3, the method in this embodiment includes:

Step 31: Record the actual quantity value of the query domain name as V _name , the actual quantity value of the source IP address as V _{ip ,} and the number of DNS domain name query requests as N, and initialize V _name , V _ip , N respectively to 0;

Step 32, receiving a DNS domain name query request, and updating V _name , V _ip and N;

Specifically, the information in the domain name query request is obtained, where the information includes the query domain name and the source IP address; determining whether the query domain name is a newly appearing domain name, and if yes, adding V _name to 1 to implement V _nam update; V _name remains unchanged; for the same reason, it is judged whether the source IP address is the newly-created source IP address, and if so, V _{ip is} incremented by 1 to implement the update of V _ip ; otherwise, V _ip remains unchanged. For example, the source IP address in the current domain name query request is 192.168.200.1, and is compared with the source IP address that has been received by other domain name query requests to determine whether the source IP address already exists: 192.168.200.1, if present , then V _ip remains unchanged; if not, V _{ip is} incremented by 1.

 Step 33: Determine whether the test period has arrived;

 This step determines whether the domain name query request has been received from the beginning for half an hour, and if so, step 34 is performed; otherwise, step 32 is performed;

Step 34, recording V _name , V _ip and N of the current test period;

That is, the actual value V _name of the query domain _name , the actual value V _{ip of the} source IP address, and the number N of the domain name query request are accumulated for each test period, and are stored for subsequent processing.

 Step 35, determining whether the test time has expired;

In this embodiment, it refers to whether it has reached 24 hours from the beginning to the time, for example, it can be timed. The device records the test period and the test time; if yes, step 36 is performed; otherwise, step 31 is performed; step 36, parameters β _η „ K _name and parameters β _ιρ , Κ _ιρ are respectively calculated;

N进行线性拟合， 双对数变换后的拟合结果如图 4所示， 其中虚线为 拟合结果， 并根据拟合结果得到参数 β_η,=0.4937, K_name=6.7017; 同理， 本 步骤根据记录的多个测试周期内的 V_ip和 N进行线性拟合， 双对数变换后的 拟合结果如图 5 所述， 其中虚线为拟合结果， 并根据拟合结果得到参数 β_ίρ=0.3759, K_ip=6.5222„ Specifically, this step is based on multiple test cycles (specifically 48 test cycles) recorded.

N is linearly fitted, and the fitting result after double logarithmic transformation is shown in Fig. 4. The dotted line is the fitting result, and the parameter β _{η is} obtained according to the fitting result, = 0.4937, K _name = 6.7017; similarly, this The steps are linearly fitted according to V _ip and N in the recorded test cycles. The fitting result after double logarithmic transformation is as shown in Fig. 5, wherein the dotted line is the fitting result, and the parameter β _{ίρ is} obtained according to the fitting result. =0.3759, K _ip =6.5222„

 The abscissa of FIG. 4 and FIG. 5 is the cumulative total number of domain name query requests, and the ordinate is the cumulative total of the query domain name and the cumulative total number of source IP addresses respectively. The above results are analyzed in combination with FIG. 4 and FIG. 5, and the normal network state is known. Next, the cumulative total number of query domain names, the cumulative total number of source IP addresses, and the total number of DNS domain name query requests have a linear relationship after the double logarithmic transformation, that is, the stacking law is met.

Step 37: Calculate a threshold value Y _name corresponding to the query domain _name and a threshold value Υ _ιρ corresponding to the source IP address. Specifically, in this step, the predicted value of the query domain name for each test period is calculated as V, _name , and the predicted value of the source IP address. For V, _ip , taking the i-th (l≤i≤48) test period as an example, the calculation process is as follows: According to the parameter β _η „ K _name calculated in step 36, calculate V _name by using formula (3); log (V' _name )i =β _e log(Ni)+K _n 3 )

 Where (ν'η^Α is the predicted value of the query domain name for the i-th test period; the number of DNS domain name query requests for the i-th test period;

Calculate the actual value of the query domain name of the i-th test period according to formula (4) (V^A and the predicted value of the query domain name (absolute error V ₁ between V'^o^ _;

( 4 )

(4)

Calculate the absolute error of each test cycle according to the above method, and use the maximum absolute error as the threshold Y _name , ie

In this embodiment, i is greater than or equal to 1 and less than or equal to 48, that is, the number of test cycles for testing is 48, and the number of the test period is determined according to the length of the test period and the test time, but is not limited thereto, and different test periods and test times can be selected according to the specific application environment.

Similarly, calculate Υ _ιρ according to formula (6) and formula (7).

logCV^, =β _ιρ 1ο _§ (Ν ₁ )+Κ _ιρ ( 6 )

 Y^maxdlogCV'^-logCV^I} (7).

 After calculating the above various parameters and thresholds, the traffic of the CN domain name server is detected through step 38 and subsequent steps, and the detection period is also half an hour;

Step 38, the detection cycle begins, and V _name , V _{ip ,} and N are initialized to 0;

Step 39, receiving a domain name query request, and updating V _name , V _ip and N; specifically, the step is the same as step 32;

 Step 40: Determine whether the detection period ends;

 That is, it is judged whether the time of the preset detection period has been reached from the start of the test to the current time (for example, 30 minutes), and if so, step 41 is performed; otherwise, step 39 is performed;

Step 41: Record the V _name , V _ip, and N of the current detection period, and calculate V, _name , V, and _ip . Specifically, obtain the number of CN domain name query requests, the actual value of the query domain name, and the source IP address in the current detection period. After the actual value of the address, V, _{name is} calculated according to the formula (3) and the parameters p _name and K _name calculated by the above steps; V is calculated according to the formula (6) and the parameters β _ιρ , Κ _ιρ calculated by the above steps, _1P ;

Step 42: Calculate the absolute difference between V _name and V' _name , V' _ip and V _ip of the detection period; that is, calculate |log ( V' _name ) -log ( V _name ) I and |log ( V' _name ) - Log ( V _name ) |;

 Step 43: Compare the magnitude relationship between the absolute difference and the corresponding threshold, and perform an abnormality alarm of the CN domain name server when the absolute difference is greater than the threshold.

Specifically, the absolute difference |log ( V' _name ) -log ( V _name ) I and the threshold Y _name are respectively compared, and the absolute difference |log ( V' _name ) -log ( V _name ) I and the threshold Y _ip The size of |log ( V' _name ) -log ( V _name ) I is greater than Y _name , or I log ( V, _ip ) -log ( V _ip ) I is greater than Y _ip , or |log ( V' _name ) - When log ( V _name ) I is greater than Y _name and I log ( V, _ip ) -log ( V _ip ) I is greater than Y _ip , the traffic is sent. Abnormal alarm; otherwise, the CN domain name server traffic is normal. If the CN domain name server is working well, go to step 38 to start a new detection cycle.

 In this embodiment, the query domain name and the source IP address are taken as an example for description, but it should be noted that the two processes are independent, and are two processes implemented in parallel, that is, as described in step 43, as long as the query One of the domain name and the source IP address has a corresponding absolute difference greater than the corresponding threshold, that is, a traffic abnormality alarm is issued.

Specifically, if an attacker conducts a network attack through a domain name, it can be judged by querying the change of the domain name data volume. If the attacker spoofs the source IP address for network attack, the traffic abnormality caused by the attacker cannot be reflected in the V. The difference between _name and V, _name , at this time can observe the abnormal changes of V _ip , to achieve the purpose of traffic anomaly detection.

 In this embodiment, the technical solution of the present invention is described in detail based on the CN domain name server. The domain name system traffic detection method in this embodiment is based on the mapping relationship between the number of DNS domain name query requests and the number of query domain names and the DNS domain name query. The mapping between the number of requests and the number of source IP addresses can detect the traffic of the CN domain name server from different angles, which can further improve the accuracy of detection and reduce the false alarm rate. Meanwhile, the technical solution of the present invention calculates the amount of calculation. Relatively small, low deployment costs, suitable for use on large DNS servers.

 Further, in this embodiment, multiple detection cycles are detected on the CN domain name server, and the detection results after the double logarithm transformation shown in the circles in FIG. 4 and FIG. 5 are obtained, which can be seen from the figure and after the double logarithmic transformation. The results of the fitting are basically the same, indicating that the CN domain name server is working normally.

 Further, the inventor performs an experiment of distributing a Denial of Denial of Service (DDOS) attack by simulating a large number of non-existing domain name query requests to the DNS server in a C++ language environment, and the technical solution of the present invention The performance was tested.

Specifically: In the C++ language environment, the standard association container set in the STL (Standard Template Library) is used to record the set of the actual value V _name of the query domain _name and the actual value V _ip of the source IP address, and perform in memory. Maintenance, each time a DNS query request is inserted into the two sets; the length of the test cycle and the number of test cycles are set to 30 in this experiment. Minutes and 48, through the test phase, p _name = 0.4937, K _name = 6.7017, and the resulting threshold Y _name = 0.03. And the DDOS attack is implemented from the 50th cycle. At this time, the DNS query request received by the DNS server is abnormally increased. FIG. 6 is a distribution of the number of domain name query requests and the number of query domain names in the experiment process according to the embodiment of the present invention. Schematic, you can see that the V _name observed at the end of the cycle is abnormally increased, and the position of the data point deviates significantly from the fitted straight line. After calculating |log ( V, _name ) -log ( V _name ) I is 0.09 Exceeded the obtained threshold Y _name = 0.03. At this time, the traffic of the domain name system is abnormal due to the traffic abnormality alarm message. In addition, the technical solution provided by the present invention can also effectively detect that the actual value V _{name of the} query domain _{name is} abnormally too small, the actual value of the source IP address V _{ip is} abnormally increased, or the increment is abnormally too small. The principle is similar, so it is no longer - discussion.

Since the set container encapsulates a very efficient balanced search binary tree: Red-Black Tree, the time complexity of binary search and insertion of set sets is 0 (log ₂ V), where V is ^ ^ or V _ip . As shown in Fig. 7, when the V size is 10 ⁴ , the time required to search for it is t, then the time required to find V when it rises to 10 ⁸ is only 2t, and it can be seen that the increase of V is for the search and The growth of the computational cost of insertion is limited. Therefore, the technical solution of the present invention has a relatively small amount of calculation and a low deployment cost, and is suitable for use on a large-scale DNS server.

 Embodiment 3

 FIG. 8 is a schematic structural diagram of a domain name server according to Embodiment 3 of the present invention. As shown in FIG. 8, the domain name server of this embodiment includes: an actual value obtaining module 81, a predicted value obtaining module 82, a first difference determining module 83, and The output module 84 is judged.

The actual value obtaining block 81 is configured to acquire the number of the domain name query request and the actual value of the measurement index type received during the detection period when the domain name query request is received; the predicted value obtaining module 82 is connected to the actual value obtaining module 81. The method is used to obtain a predicted value of a measurement indicator type according to a mapping relationship between a domain name query request and a measurement index, and a number of domain name query requests; wherein the mapping relationship refers to a stacking law that satisfies the number of domain name query requests and the number of measurement index types. As shown in formula (1). The first difference determining module 83 is connected to the actual value obtaining module 81 and the predicted value obtaining module 82, and is configured to calculate the actual value and the predicted value of the measured index type after acquiring the actual value of the measured index type and the predicted value of the measured index type. The difference value, and taking the absolute value to determine the first difference, and providing the first difference to the judgment output module 84; the judgment output module 84 compares the first difference with the pre-acquired threshold, and determines the first difference and The size of the threshold, and when it is determined that the first difference is greater than the threshold, the domain name server traffic abnormal alarm information is output; if it is determined that the first difference is less than the threshold, the domain name server traffic abnormal alarm information is not output, and the next detection is continued. The cycle is judged.

 The domain name server of this embodiment may be used to perform the domain name system traffic detection method provided by the embodiment of the present invention. The actual value obtaining module acquires the number of domain name query requests and the actual value of the measurement index type in the detection period, and the predicted value acquisition module According to the mapping relationship between the domain name query request and the measurement index type, that is, the stacking law obtains the predicted value of the measurement index type, and combines the predicted value and the actual value of the measurement index type to detect the traffic of the domain name server, on the one hand based on the detection period The statistical result of the domain name query request performs traffic detection on the domain name server instead of detecting it in real time, which can reduce the false positive rate when the domain name server traffic is abnormal. On the other hand, the actual value of the measurement index type and the mapping relationship are calculated. The predicted values of the types of measurement indicators are compared, and whether the abnormality of the domain name server traffic is abnormal according to the comparison result is compared, and the accuracy and effectiveness of detecting the DNS traffic are improved compared with the judgment based on the change of the actual value.

 The measurement indicator in this embodiment may be each field value in the data packet of the domain name query request, such as a source IP address, a port number, a query domain name, and the like.

 Further, the actual value obtaining module 81 of this embodiment includes: a first obtaining submodule 811 and a second obtaining submodule 812.

 The first obtaining sub-module 811 is configured to increase the number of domain name query requests by one when receiving any domain name query request in the detection period, to obtain the number of domain name query requests for the detection period.

The second obtaining sub-module 812 is configured to obtain an actual value of the type of the measurement indicator in the detection period, and specifically includes: a measurement index obtaining unit 8121 and a determining value-adding unit 8122. The measurement index obtaining unit 8121 is configured to obtain any domain name query request packet when receiving any domain name query request within the detection period. The measurement indicator includes, for example, a source IP address, a query domain name, a port number, and the like. The judgment value-adding unit 8122 is configured to perform the measurement indicator type acquired by the measurement index obtaining unit 8121 and the type of the measurement indicator included in the other domain name query request. Judging, and determining that the type of the measurement index acquired by the measurement index obtaining unit 8121 is different from the type of the measurement index included in the other domain name query request that has been received, increasing the actual value of the measurement indicator type by one to obtain the detection period The actual value of the type of measurement within.

 Further, the predicted value obtaining module 82 in the embodiment pre-stores the mapping relationship between the domain name query request and the measurement index, and the mapping relationship is specifically the relationship shown in the formula (1), that is, the stacking law. Description of the corresponding part of the system traffic detection method embodiment.

 Since the measurement index and the domain name query request conform to the stacking law, the predicted value of the measured index of the network under normal conditions can be accurately calculated according to the deformed deposition law, and the stacking law is logarithmically processed, one is to simplify The calculation process, the second is to more intuitively display the relationship between measurement indicators and domain name query requests.

 Embodiment 4

 FIG. 9 is a schematic structural diagram of a domain name server according to Embodiment 4 of the present invention. The embodiment is implemented based on Embodiment 3. As shown in FIG. 9, the domain name server in this embodiment further includes: a parameter obtaining module 85 and a threshold acquiring module 86.

 The parameter acquisition block 85 includes a first actual value acquisition unit 851 and a first parameter acquisition unit 852. The first actual value obtaining unit 851 is configured to obtain the number of the domain name query request and the actual value of the measurement index type received in the plurality of test periods, and provide the obtained result to the first parameter obtaining unit 852; The unit 852 linearly fits the number of domain name query requests and the actual values of the measurement index types of the plurality of test periods provided by the first actual value acquisition unit 851, and obtains parameters and parameters according to the fitting result and provides the obtained parameters to the parameters. Predicted value acquisition module 82.

The threshold acquisition module 86 includes a second actual value acquisition unit 861, a second parameter acquisition unit 862, a predicted value acquisition unit 863, a second difference determination unit 864, and a threshold acquisition unit 865. The threshold acquisition module 86 works as follows:

 The second actual value obtaining unit 861 is configured to obtain the actual number of the domain name query request and the measured index type received in the plurality of test periods, and provide the obtained result to the second parameter obtaining unit 862; The unit 862 linearly fits the number of domain name query requests of the plurality of test periods provided by the second actual value obtaining unit 861 and the actual value of the measurement index type, and obtains parameters and parameters according to the fitting result, and obtains the parameter values. Provided to the predicted value obtaining unit 863; the predicted value obtaining unit 863 brings the parameter provided by the second parameter acquiring unit 862 into the formula (2), and calculates the predicted value of the type of the measured index for each test period; the second difference determining unit The 864 is connected to the second actual value obtaining unit 861 and the predicted value obtaining unit 863, and is configured to: after acquiring the actual value of the measurement index type and the predicted value of the measurement index type for each test period, the actual value and the measurement type of the measurement index type. The predicted value of the indicator type is poor and takes an absolute value to obtain the second difference, and the second difference obtained Provided to the threshold acquisition unit 865; the threshold acquisition unit 865 is configured to compare the plurality of second differences, obtain the largest second difference therein as a threshold, and provide the maximum second difference to the determination output module 84.

 The domain name server of the present embodiment provides an implementation manner for obtaining the parameters and thresholds required by the technical solution of the present invention by using the foregoing modules. The test is obtained by testing the normal network, and the test process is similar to the actual detection process. The threshold value provided by the embodiment detects the traffic of the domain name server, and the detection accuracy and the validity thereof are high.

 It should be noted that the second actual value obtaining unit in the domain name server provided by the embodiment has the same function as the first actual value obtaining unit, the second parameter obtaining unit, and the first parameter obtaining unit, and can be used as an actual implementation. A functional module is implemented, and may also be a separate functional module. This embodiment does not limit this.

 Further, the domain name server of this embodiment may be used to perform the domain name system traffic detection method provided by the embodiment of the present invention. For a detailed working principle and process, refer to the description of the domain name system traffic detection method part provided by the embodiment of the present invention.

Specifically, when the measurement indicator includes multiple measurement parameters, the domain name server of the implementation may have There are a plurality of corresponding function modules for detecting the traffic of the domain name server according to different measurement parameters, and the same set of function modules and different softwares are used to detect the traffic of the domain name server according to multiple measurement parameters, this embodiment This is not a limitation.

 In summary, the embodiment of the present invention reduces the normal growth of the domain name server traffic caused by the increase in the number of domain name query requests, according to the technical solution for performing traffic detection on the statistics result of the domain name query request in a period of time. The false positive rate of the situation improves the accuracy of the detection; in addition, the predicted value of the type of the measurement index is calculated according to the stacking law satisfied by the measurement index and the domain name query request, and the flow rate is performed based on the comparison result between the predicted value and the actual value of the type of the measurement index Detection further improves the accuracy of domain name server traffic detection.

 A person skilled in the art can understand that all or part of the steps of implementing the above method embodiments may be completed by using hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, and the program is executed when executed. The foregoing steps include the steps of the foregoing method embodiments; and the foregoing storage medium includes: a medium that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk.

 It should be noted that the above embodiments are only for explaining the technical solutions of the present invention, and are not intended to be limiting; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that: The technical solutions described in the foregoing embodiments are modified, or some of the technical features are equivalently replaced. The modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

Rights request A method for detecting a domain name system traffic, which is characterized by comprising:  Obtaining the number of domain name query requests received during the detection period and the actual value of the measurement indicator type;  Obtaining a predicted value of the type of the measurement indicator according to a mapping relationship between the domain name query request and the measurement indicator and the number of the domain name query request;  Determining a first difference between the actual value of the type of measurement indicator and the predicted value of the type of measurement indicator;  When it is determined that the first difference is greater than a pre-acquired threshold, the domain name system traffic abnormality alarm information is output.  The method for detecting a domain name system traffic according to claim 1, wherein the obtaining the actual value of the type of the measurement indicator comprises:  When receiving any domain name query request, obtaining a measurement indicator included in the any domain name query request, a type of the measurement indicator included in the any domain name query request, and a measurement indicator included in the other domain name query request received When the types are different, the actual value of the type of measurement is increased by one.  The domain name system traffic detection method according to claim 1, wherein the mapping relationship between the domain name query request and the measurement index is specifically:  The number of the domain name query request and the predicted value of the type of the measurement indicator satisfy the formula log^ ^ - ^log^ + ^ ;  Where N is the number of domain name query requests in the detection period;  ^ ' is the predicted value of the type of measurement indicator within the detection period;  、, is a pre-acquired parameter indicating a mapping relationship between the number of the domain name query request and the predicted value of the measurement index type, and the parameter ranges from ο to i, and the parameter ranges from 0 to chaos.  The method for detecting a domain name system traffic according to claim 3, wherein the process of obtaining the parameter ^, comprises: Obtain the number of domain name query requests received during multiple test cycles and the actual value of the measurement indicator type; The number of the domain name query requests of the plurality of test periods and the actual value of the measurement index type are linearly fitted, and the parameters β and parameters are obtained according to the fitting result.  The method for detecting the domain name system traffic according to claim 1, wherein the process of obtaining the threshold value comprises:  Obtain the number of domain name query requests received during multiple test cycles and the actual value of the type of measurement indicator;  Linearly fitting the number of domain name query requests and the actual values of the measurement index types of the plurality of test cycles, and obtaining parameters β and parameters according to the fitting result; According to formula 1. _§ (^ ₂ ') = 1^(^) + , calculate the predicted value of the type of measurement index for each test cycle;  Determining a second difference between the actual value of the type of measurement indicator for each test cycle and the predicted value of the type of measurement indicator;  Obtaining a second largest difference among the second differences of the plurality of test periods as the threshold for detecting domain name system traffic; Where N ₂ is the number of domain name query requests for each test period;  a predicted value for the type of measurement indicator for each test cycle;  And a parameter indicating a mapping relationship between the number of the domain name query request and the predicted value of the measurement index type, the parameter ranges from 0 to 1, and the parameter ranges from 0 to 100.  The method for detecting a domain name system traffic according to any one of claims 1-5, wherein the measurement indicator is a query domain name or a source IP address.  The method for detecting a domain name system traffic according to any one of claims 1 to 5, wherein when the measurement index includes a plurality of measurement parameters, respectively acquiring actual values and respective locations of each of the measurement parameter types. Predicting the type of measurement parameter;  Determining, respectively, a first difference between an actual value of each of the measured parameter types and a predicted value of each of the measured parameter types;  The domain name system traffic abnormality alarm information is output when any of the first differences is greater than the first threshold corresponding to any of the first differences.  8. A domain name server, comprising: An actual value obtaining module, configured to acquire the number of domain name query requests received during the detection period Measuring the actual value of the indicator type;  a prediction value obtaining module, configured to acquire a predicted value of the type of the measurement indicator according to a mapping relationship between the domain name query request and the measurement indicator and the number of the domain name query request;  a first difference determining module, configured to determine a first difference between the actual value of the measurement indicator type and the predicted value of the measurement indicator type;  The determining output module is configured to output the domain name server traffic abnormality alarm information when determining that the first difference is greater than a pre-acquired threshold.  The domain name server according to claim 8, wherein the actual value acquisition module comprises: a first acquisition submodule and a second acquisition submodule;  The first obtaining submodule is configured to increase the number of the domain name query request by one when receiving any domain name query request;  The second obtaining submodule includes:  a measurement index obtaining unit, configured to acquire, when receiving the any domain name query request, a measurement indicator included in the domain name query request;  The determining value adding unit is configured to: when determining that the type of the measurement indicator included in the any domain name query request is different from the type of the measurement indicator included in the other domain name query request, increase the actual value of the measurement indicator type by one. .  The domain name server according to claim 8, wherein the mapping relationship between the domain name query request and the measurement index is specifically:  The number of the domain name query request and the predicted value of the type of the measurement indicator satisfy the formula log^ ^ - ^log^ + ^ ;  Where N is the number of domain name query requests in the detection period;  ^ ' is the predicted value of the type of measurement indicator within the detection period;  、, is a pre-acquired parameter indicating a mapping relationship between the number of the domain name query request and the predicted value of the measurement index type, and the parameter ranges from ο to i, and the parameter ranges from 0 to chaos.  The domain name server according to claim 10, further comprising: a parameter acquisition module; The first actual value obtaining unit is configured to obtain a domain name query request received in multiple test periods The number and the actual value of the type of measurement indicator;  The first parameter obtaining unit is configured to linearly fit the number of domain name lookup requests of the plurality of test periods and the actual value of the measurement index type, and obtain parameters and parameters according to the fitting result.  The domain name server according to claim 8, further comprising: a threshold acquisition module; the threshold acquisition module includes:  a second actual value obtaining unit, configured to acquire the number of domain name query requests received during a plurality of test periods and the actual value of the type of the measurement indicator; a second parameter obtaining unit linearly fitting the number of domain name lookup requests of the plurality of test periods and the actual value of the measurement index type, and obtaining parameters and parameters according to the fitting result; the predicted value obtaining unit, configured according to the formula Log(I ) = ^og(W ₂ ) + , calculating the predicted value of the type of measurement index for each test period;  a second difference determining unit, configured to determine a second difference between the actual value of the measurement indicator type of each test period and the predicted value of the measurement indicator type;  a threshold acquiring unit, configured to obtain a second largest difference among the second differences of the plurality of test periods as the threshold; Where N ₂ is the number of domain name query requests for each test period;  a predicted value for the type of measurement indicator for each test cycle;  And a parameter indicating a mapping relationship between the number of the domain name query request and the predicted value of the measurement index type, the parameter ranges from 0 to 1, and the parameter ranges from 0 to 100.  The domain name server according to any one of claims 8 to 12, wherein the measurement indicator is a query domain name or a source IP address.