Cyber theft behavior detection method based on DNS traffic analysis and device

A flow analysis and network technology, applied in the direction of electrical components, transmission systems, etc., can solve the problems that firewalls cannot completely control malware infection and data leakage, and achieve the effect of relatively low detection cost, simple specification, and small DNS protocol traffic

Active Publication Date: 2018-03-23
上海安恒智慧城市安全技术有限公司
View PDF4 Cites 18 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

But Firewalls Can't Fully Control Malware Infections and Data Breaches

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Cyber theft behavior detection method based on DNS traffic analysis and device
  • Cyber theft behavior detection method based on DNS traffic analysis and device
  • Cyber theft behavior detection method based on DNS traffic analysis and device

Examples

Experimental program
Comparison scheme
Effect test

no. 1 example

[0027] Please refer to figure 2 , figure 2 It is a flow chart of a method for detecting network stealing behavior based on DNS traffic analysis provided by the first embodiment of the present invention, and the method is applied to a detection device. The following will be figure 2 The process shown is described in detail, and the method includes:

[0028] Step S110: The detection device acquires network traffic data in real time.

[0029] The detection equipment can directly collect data from the network card, and can also directly receive network traffic data sent by other systems.

[0030] Step S120: the detection device analyzes the network traffic data, and judges whether the analysis is successful.

[0031] The detection device can analyze the network flow data based on the RFC protocol specification, and restore the operator's original network behavior information. Further, the protocol analysis module can analyze the information of both communication parties f...

Embodiment approach

[0039] As an implementation, the detection device may pre-acquire the IP address and the domain name of the C&C (Command and Control) server accessed by the target malware, and use the IP address and the domain name of the C&C server as a domain name blacklist Save to the blacklist library.

[0040] The preset condition may be: the IP address and domain name accessed by the data to be analyzed are the IP address and domain name of the C&C server in the blacklist database.

[0041] As another implementation manner, before step S110, the detection device may also acquire a plurality of normal domain name data accessed by the target network device during daily work within a preset time, and the domain name data includes a domain name and a subdomain name.

[0042] The preset time may be one week or half a month. It is worth pointing out that during this period of time, the target network equipment (computer equipment in the internal network of the unit) must be in a daily workin...

no. 2 example

[0072] Please refer to image 3 , image 3 It is a structural block diagram of an apparatus 400 for network stealing behavior detection based on DNS traffic analysis provided by the second embodiment of the present invention. The following will be image 3 The structure block diagram shown is described, and the shown device includes:

[0073] The first acquisition module 410 is configured to acquire network traffic data in real time;

[0074] The first judging module 420 is configured to analyze the network traffic data, and obtain the data to be analyzed when judging that the parsing is successful;

[0075] The second judging module 430 is used to judge whether the data to be analyzed satisfies the preset condition based on the pre-saved data indicators, and if yes, save the data to be analyzed and generate a warning message, so that the detection device can Perform risk analysis on the data to be analyzed and the warning message.

[0076] As an implementation, see Fig...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention provides a cyber theft behavior detection method based on DNS traffic analysis and a device. The method comprises the following steps: detection equipment acquires network traffic data in real time; the detection equipment analyzes the network traffic data, and obtains to-be-analyzed data after judging that the analysis is successful; the detection equipment judges whether the to-be-analyzed data satisfies a preset condition based on the pre-stored data index; if the to-be-analyzed data satisfies the preset condition, the to-be-analyzed data is saved to generate alarm information, thereby facilitating the detection equipment to perform risk analysis on the to-be-analyzed data and the alarm information. Through the method provided by the invention, the disadvantage of the existing firewall technology can be overcome, and the possible behavior of transmitting the sensitive data is identified.

Description

technical field [0001] The invention relates to the field of network security detection, in particular to a method and device for detecting network stealing behavior based on DNS flow analysis. Background technique [0002] Domain Name System (Domain Name System, DNS), one of the important infrastructures of Internet business, is a distributed database that maps domain names and IP addresses to each other, making it easier for users to connect and access the Internet without having to remember that it can be accessed by a machine. A string of IP address numbers to read directly. At present, most Internet applications need to use the domain name system to complete address conversion from domain name to IP address before carrying out specific services. [0003] The firewall is an important tool in the network security system. It always checks the data packets entering and leaving the protected network. The data packets that threaten the protected network will be intercepted b...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
IPC IPC(8): H04L29/06H04L29/12
CPCH04L61/10H04L63/1416H04L63/145H04L63/1466H04L63/0236H04L61/4511
Inventor 程华才范渊李凯
Owner 上海安恒智慧城市安全技术有限公司
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap