Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Method and device for detecting anomaly of domain name system

A domain name system and abnormal technology, applied in the field of computer networks, can solve the problems of high missed detection rate and DNS lag in detection, and achieve the effect of low missed detection rate and reduced loss.

Active Publication Date: 2010-10-06
CHINA INTERNET NETWORK INFORMATION CENTER
View PDF3 Cites 15 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0006] The present invention provides a method and device for detecting DNS anomalies to solve the problems in the prior art that the detection of DNS anomalies is lagging behind and the rate of missed detection is high

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Method and device for detecting anomaly of domain name system
  • Method and device for detecting anomaly of domain name system
  • Method and device for detecting anomaly of domain name system

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0032] figure 1 It is a schematic flow chart of an embodiment of the method for detecting DNS anomalies in the present invention, such as figure 1 As shown, the method includes:

[0033] Step 101: dividing the DNS query data flow into multiple data blocks;

[0034] It should be noted that: the larger the divided data block, that is to say, the more query data each data block contains, the more gentle the change of the entropy value of the data block, which can effectively reduce the occurrence of false detection, but at the same time It also reduces the sensitivity to abnormal traffic, and the missed detection rate increases; on the contrary, the smaller the data block, that is to say, the smaller the amount of query data included in each data block, the higher the sensitivity of detecting DNS anomalies, but the accuracy is lower. will decrease accordingly.

[0035] In practical applications, the DNS query data flow can be divided into multiple data blocks according to a sp...

Embodiment 2

[0070] Figure 5 It is a schematic diagram of an embodiment of a device for detecting DNS anomalies in the present invention, such as Figure 5 As shown, the device includes: a division module 201, a calculation module 202 and a judgment module 203;

[0071] Wherein, the division module 201 is used to divide the DNS query data flow into a plurality of data blocks;

[0072] Specifically, the division module 201 is configured to divide the DNS query data flow into multiple data blocks according to a specified time and / or according to a specified query volume.

[0073] A calculation module 202, configured to calculate entropy values ​​of multiple data blocks divided by the division module 201 according to preset query attributes, and obtain corresponding multiple entropy values;

[0074] Wherein, the calculation module 202 includes a first calculation unit and a second calculation unit;

[0075] The first calculation unit is used to calculate the probability that each element ...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides a method and device for detecting the anomaly of a domain name system, belonging to the technical field of computer network. The method comprises the following steps: dividing the inquiry data stream of the domain name system into a plurality of data blocks; calculating the entropy values of the data blocks according to the preset inquiry attribute to obtain the corresponding entropy values; judging whether preset quantity of entropy values in the obtained entropy values are more than a preset threshold; and if so, determining that the domain name system is abnormal. The device of the invention comprises a dividing module, a calculating module and a judging module. The device of the invention calculates the entropy values of a plurality of data blocks in the inquirydata stream of the domain name system and determines that the domain name system is abnormal when preset quantity of entropy values in the obtained entropy values are more than the preset threshold; the device of the invention can perform early warning to the anomaly of the domain name system, thus reducing loss after the anomaly of domain name system appears; and compared with the prior art, themethod of the invention has high detection accuracy degree and low omission ratio.

Description

technical field [0001] The invention relates to computer network security technology, in particular to a method and device for detecting domain name system anomalies, and belongs to the technical field of computer networks. Background technique [0002] The Domain Name System (DNS for short) is a distributed database system, which is used to convert domain names into IP addresses that can be recognized by the network. Since the DNS is the foundation of the Internet, if the DNS is abnormal, it will have a serious impact on the entire network, so it is very important to detect the DNS anomaly. [0003] The methods for detecting DNS anomalies in the prior art mainly include determining whether the DNS is abnormal based on changes in query traffic or values ​​of query attributes. Determining whether the DNS is abnormal based on the change of the query traffic refers to: when the query traffic is extremely large or extremely small, it is considered that the DNS is abnormal. [...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/12G06F17/30
CPCH04L61/1511H04L29/12066H04L61/4511
Inventor 毛伟李晓东丁森林王欣吴军金键卢文哲
Owner CHINA INTERNET NETWORK INFORMATION CENTER
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com