
Self-adaptive malicious domain name detection method based on DNS (Domain Name Server) flow

A domain name and traffic detection technology, applied in the field of network security, which solves the problems of poor reliability, poor accuracy and scarce malicious labels, and achieves a low false alarm rate, a high accuracy rate and low delay.

Inactive Publication Date: 2018-03-09
BEIJING INFORMATION SCI & TECH UNIV
Cites: 6 | Cited by: 71

AI Technical Summary

Problems solved by technology

[0008] 1) Existing lightweight malicious domain name detection methods use an over-simplified feature model, have poor accuracy in the face of massive data, and make unreasonable trade-offs in computation time and space overhead.
[0009] 2) They cannot close the detection blind spots of multi-type malicious domain names, especially advanced DGA domain names (word combinations, pinyin, initial abbreviations, etc.). At the same time, they rely excessively on malicious domain name samples provided by third-party platforms, which suffer from defects such as few malicious labels and poor reliability.
[0010] 3) At present, no solution has been proposed that realizes adaptive, dynamic detection of malicious domain names starting from a limited set of training samples and a model baseline.



Embodiment 1

[0061] In the embodiment of the present invention, the adaptive malicious domain name detection method based on DNS traffic first completes the initialization of the structure detection engine and the traffic detection engine according to the training logic of malicious domain name detection shown in figure 1 (steps 1-4). On this basis, the adaptive malicious domain name detection mechanism is realized according to figure 2 (steps 5-6). The method can be divided into the following steps:

[0062] Step 1: Collect the blacklist and whitelist sample set provided by the third-party platform, use this sample set as the baseline of the training set according to the domain name structure feature list, and select a random forest classifier to train the domain name structure detection model.

[0063] The initialization whitelist is selected from legal domain names provided by Alexa, Webmaster’s Home and other organizations. Th...


Abstract

The invention discloses a self-adaptive malicious domain name detection method based on DNS (Domain Name Server) flow. The method comprises the following steps: collecting a blacklist and whitelist sample set provided by a third-party platform, and selecting a random forest classifier to train a domain name structure detection model, using the blacklist and whitelist sample set as the training set baseline according to a domain name structure characteristic list; performing a Whois query and tracking verification on each domain name judged to be malicious; training a flow detection model; performing data preprocessing on the domain name to be detected and the DNS flow data, inputting them into the loaded domain name structure detection engine and flow detection engine, and acquiring the prediction results; updating the training set blacklist of the domain name structure detection engine from the set of domain names judged malicious by the flow detection engine, thereby establishing self-adaptive malicious domain name detection. By adopting the method, suspicious domain names can be rapidly detected while a relatively low time delay and an acceptable accuracy rate are maintained, and multiple types of malicious domain names can be detected in a massive amount of data while a relatively high accuracy rate and a relatively low false alarm rate are maintained.
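The detection loop the abstract describes, as an added example that is not part of the patent or of any implementation by its owner: a domain name structure feature extractor, a classifier trained from the black/white sample set, and a feedback step that appends the flow engine's malicious verdicts to the training blacklist and retrains the structure model. The five structure features, the class names, the constructed sample lists and the flow-engine verdict are assumptions; the classifier is a small Gaussian naive Bayes written here as a stand-in for the patent's random forest so that the block runs with no external libraries.

```python
import math
from collections import Counter

# Constructed sample sets, labelled by hand for this example (the patent takes its
# black/white lists from third-party platforms such as Alexa).
WHITELIST = ["google", "facebook", "wikipedia", "amazon",
             "youtube", "github", "microsoft", "netflix"]
BLACKLIST = ["xk3f9qz2lp", "q7wv1nz0kd", "zpq9x4vnkr", "mx7r2tq8wl",
             "bq4zk9vr1n", "nxq2p7zkw4", "t9kzq3xvnp", "vq8nx2kzr7"]

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Character entropy in bits; random DGA labels score near log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Length of the longest run of consonant letters (digits break a run)."""
    best = cur = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def structure_features(label):
    """Structure feature vector for one second-level label (TLD already stripped).
    These five features are an assumed, illustrative feature list."""
    label = label.lower()
    n = len(label)
    return [
        float(n),
        shannon_entropy(label),
        sum(ch.isdigit() for ch in label) / n,
        sum(ch in VOWELS for ch in label) / n,
        float(longest_consonant_run(label)),
    ]


class GaussianNB:
    """Minimal Gaussian naive Bayes; stand-in for the patent's random forest."""

    def fit(self, X, y):
        self.classes = sorted(set(y))
        self.prior, self.stats = {}, {}
        for c in self.classes:
            rows = [x for x, lab in zip(X, y) if lab == c]
            self.prior[c] = len(rows) / len(X)
            cols = list(zip(*rows))
            means = [sum(col) / len(col) for col in cols]
            # variance floor keeps a constant feature from producing log(0)
            variances = [max(sum((v - m) ** 2 for v in col) / len(col), 1e-3)
                         for col, m in zip(cols, means)]
            self.stats[c] = (means, variances)
        return self

    def predict(self, x):
        best, best_ll = None, -math.inf
        for c in self.classes:
            means, variances = self.stats[c]
            ll = math.log(self.prior[c])
            for v, m, var in zip(x, means, variances):
                ll += -0.5 * math.log(2 * math.pi * var) - (v - m) ** 2 / (2 * var)
            if ll > best_ll:
                best, best_ll = c, ll
        return best


class AdaptiveDetector:
    """Structure detection engine whose training blacklist grows from flow-engine verdicts."""

    def __init__(self, whitelist, blacklist):
        self.whitelist, self.blacklist = list(whitelist), list(blacklist)
        self._retrain()

    def _retrain(self):
        X = [structure_features(d) for d in self.whitelist + self.blacklist]
        y = ["benign"] * len(self.whitelist) + ["malicious"] * len(self.blacklist)
        self.model = GaussianNB().fit(X, y)

    def predict(self, label):
        return self.model.predict(structure_features(label))

    def feed_back(self, flow_flagged):
        """Append domains the flow engine judged malicious to the training blacklist
        and retrain; returns how many new samples were added."""
        new = [d.lower() for d in flow_flagged if d.lower() not in self.blacklist]
        if new:
            self.blacklist.extend(new)
            self._retrain()
        return len(new)


if __name__ == "__main__":
    det = AdaptiveDetector(WHITELIST, BLACKLIST)
    for name in ["wikipedia", "zq7kx3pnvw"]:
        print(name, "->", det.predict(name))
    # constructed flow-engine verdict fed back to the structure engine
    print("added", det.feed_back(["kq2zv9xtrp"]), "sample(s) from the flow engine")
```

The feedback step is what makes the loop self-adaptive: a domain that slips past the structure model but is caught by the flow model becomes a training sample, so the structure model's blind spots shrink without waiting for a third-party blacklist update. Retraining on every verdict is fine at this size; a production engine would batch the updates and keep the Whois verification the abstract mentions in front of the blacklist append, so that a noisy flow verdict cannot poison the training set.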

Description

Technical field

[0001] The invention relates to the field of network security, in particular to an adaptive malicious domain name detection method based on DNS flow.

Background technique

[0002] At present, the rapid development of Internet technology has made security threats from the network more prominent. Attackers increasingly use domain names generated with Domain Generation Algorithm (DGA) technology to control a botnet, that is, a network of puppet machines compromised by malware, and then send commands from the command and control (C&C) server to each node of the botnet to launch attacks such as DDoS, click fraud and spam.

[0003] In order to control the botnet effectively and hide itself, the C&C server controller adopts technical means such as fast-changing domain names and DGA to evade detection by security software. Among them, DGA technology is the mainstream active in malwar...


Application Information

IPC(8): H04L29/06, H04L29/12
CPC: H04L63/1416, H04L63/145, H04L2463/144, H04L61/4511
Inventor 孟坤徐硕李淑琴丁濛罗江
Owner BEIJING INFORMATION SCI & TECH UNIV