CN-121217622-B - Method and system for identifying specific CDN traffic based on domain name CNAME record

Abstract

The invention discloses a method and a system for identifying specific CDN traffic based on a domain name CNAME record, belonging to the technical field of traffic monitoring. The method comprises the steps of: identifying DNS traffic in internet traffic by using a traffic analysis engine and outputting DNS CNAME type resource records; obtaining a CNAME domain name record according to the output DNS CNAME type resource record, and matching the CNAME domain name record with preset platform domain name characteristics and specific service characteristics to obtain specific service structure data; transmitting the specific service structure data to a CDN domain name tracking state table and updating the CDN domain name tracking state table; issuing an IP instruction according to the updated CDN domain name tracking state table; and matching the IP address in the IP instruction with specific service flow in target internet flow to obtain the CDN domain name specific internet flow. The invention can identify the service flow of a specific CDN platform, so as to support further monitoring and analysis of the specific CDN flow.

Inventors

  • ZHAO CHUNGUANG
  • REN XINYUAN
  • HAN JUNWEI
  • LI JUNQIANG
  • WANG ZHENHUI

Assignees

  • 北京九栖科技有限责任公司

Dates

Publication Date
20260508
Application Date
20251128

Claims (6)

  1. A method for identifying specific CDN traffic based on a domain name CNAME record, comprising the steps of:
     S1, analyzing DNS traffic in target internet traffic, filtering and screening DNS recursion request response traffic with CNAME records as effective traffic, analyzing the effective traffic, and outputting DNS CNAME type resource records;
     S2, obtaining a CNAME domain name record according to the output DNS CNAME type resource record, matching it with preset platform domain name characteristics and specific service characteristics, obtaining specific service structure data, and transmitting the specific service structure data to a CDN domain name tracking state table;
     S3, updating CNAME alias domain name state information and state information of a flow matching engine in the CDN domain name tracking state table according to the identified specific service structure data, which specifically comprises the following steps:
       S31, searching the CDN domain name tracking state table for a CNAME alias domain name table entry: if the CNAME alias domain name table entry is found in the CDN domain name tracking state table, comparing the associated IP address record in the specific service structure data with the associated IP address record in the CNAME alias domain name table entry, and executing step S32; if the CNAME alias domain name table entry is not found in the CDN domain name tracking state table, executing step S33;
       S32, if the associated IP address record in the specific service structure data is the same as the associated IP address in the table entry, updating the TTL survival time of the corresponding IP address in the corresponding table entry of the tracking state table, and simultaneously issuing an IP time update instruction to the flow matching engine; if the associated IP address record in the CNAME record structure data is different from the associated IP address in the CNAME alias domain name table entry, adding the IP address record to the corresponding table entry of the CDN domain name tracking state table, and simultaneously issuing an IP add instruction to the flow matching engine;
       S33, adding to the CDN domain name tracking state table a new table entry indexed by the key CNAME alias domain name, filling in the key CNAME alias domain name, the associated IP address record and the TTL survival time field, and simultaneously issuing IP add instructions corresponding to all the associated IP address records to the flow matching engine;
       S34, traversing the CDN domain name tracking state table on a timer and reducing the TTL survival time corresponding to each table entry in the CDN domain name tracking state table by the timer period; if the TTL survival time is less than 0, the table entry is aged out as timed out, an IP delete instruction is generated from the IP address record in the table entry and issued to the flow matching engine, and the table entry is deleted;
     S4, issuing an IP instruction according to the updated CDN domain name tracking state table, and matching the IP address in the IP instruction with a specific service flow in the target internet flow, so as to obtain the CDN domain name specific internet flow, wherein the specific service flow comprises HTTP service flow or HTTPS service flow.
  2. The method of claim 1, wherein in S1, the DNS CNAME type resource record includes a request domain name, a CNAME domain name record, an associated IP address record, and TTL life cycle information; the CNAME domain name records comprise at least one CNAME alias domain name record.
  3. The method for identifying specific CDN traffic based on a domain name CNAME record of claim 1, wherein S2 specifically includes:
     S21, CNAME domain name record arrangement: obtaining a CNAME domain name record from the DNS CNAME type resource record; sequentially performing duplication removal and word segmentation on the obtained CNAME domain name record to obtain a corresponding domain name data set and a corresponding service data set;
     S22, traversing the secondary domain name records of the domain name data set and matching them in turn against a preset platform domain name feature library; if a secondary domain name in the domain name data set matches a secondary domain name in the platform domain name feature library, going to step S23; if no secondary domain name matches, proceeding to the analysis of the next DNS request response;
     S23, traversing the word segmentation records of the service data set and performing multimode matching in turn against a preset service feature library; if a word sequence after word segmentation in the service data set matches a word sequence in the service feature library, generating a specific CDN identification ID, generating specific service structure data by combining it with the associated DNS CNAME type resource record data, and then going to step S24; otherwise, matching the next word segmentation record;
     S24, transmitting the specific service structure data to the CDN domain name tracking state table, wherein the specific service structure data comprises a key CNAME alias domain name, a specific CDN identification ID, a CNAME domain name record, an associated IP address record and TTL life cycle information, and the key CNAME alias domain name is the last CNAME alias domain name in the CNAME domain name record.
  4. The method for identifying specific CDN traffic based on the domain name CNAME record according to claim 3, wherein in step S21, sequentially performing duplication removal and word segmentation on the obtained CNAME domain name record to obtain a corresponding domain name data set and a corresponding service data set specifically comprises:
     for the first CNAME domain name record, removing the repeated request domain name character string;
     intercepting a CNAME secondary domain name from the data remaining after the request domain name character string is removed, and storing the CNAME secondary domain name in the domain name data set structure;
     segmenting the character string remaining after the CNAME secondary domain name is intercepted at dots and hyphens, and storing the resulting word sequences in order in the service data set structure;
     for each non-first CNAME domain name record, intercepting the secondary domain name in turn and storing it in the domain name data set structure;
     segmenting the character string remaining after the secondary domain name is intercepted from the non-first CNAME domain name record at dots and hyphens, and storing the resulting word sequences in the service data set structure;
     and obtaining, through this arrangement, the domain name data set and the service data set of the CNAME domain name record.
  5. The method for identifying specific CDN traffic based on the domain name CNAME record of claim 3, wherein in step S23, the matching hit between the word sequence after word segmentation in the service data set and the word sequence in the service feature library specifically comprises: comparing the word sequence after word segmentation in the service data set with the word sequence in the service feature library; if any one of the three features (the front general feature, the rear general feature and the accurate matching feature) is successfully matched, the service data is successfully identified, that is, the match is a hit.
  6. The method for identifying specific CDN traffic based on the domain name CNAME record of claim 1, wherein in S4, matching the specific service flow in the target internet flow with the IP address in the IP instruction to obtain the CDN domain name specific internet flow specifically comprises:
     the flow matching engine receives, in real time, the IP instruction issued by the CDN domain name tracking state table;
     if the IP instruction issued by the CDN domain name tracking state table is an IP delete instruction, the corresponding IP rule in the flow matching engine is deleted;
     if the IP instruction issued by the CDN domain name tracking state table is an IP update instruction or an IP add instruction, the IP address in the IP update instruction or the IP add instruction is matched with the IP address of the specific service flow in the target internet flow, and if the matching is successful, the specific service flow in the target internet flow is the CDN domain name specific internet flow.
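Steps S31 to S34 of claim 1 and the instruction handling of claim 6, shown as an added Python example (not code from the patent). The class and method names, the per-IP TTL with entry removal once no IP remains, the dict standing in for the flow matching engine, and ports 80/443 as the HTTP/HTTPS test are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    cdn_id: str
    ips: dict = field(default_factory=dict)  # associated IP -> remaining TTL (s)

class CdnTrackingTable:
    """Tracking state table indexed by the key CNAME alias (steps S31-S34)."""

    def __init__(self):
        self.entries = {}   # key CNAME alias -> Entry
        self.ip_rules = {}  # stand-in for the flow matching engine: IP -> CDN ID

    def _issue(self, op, ip, cdn_id=None):
        # Claim 6: a delete removes the IP rule; add/update keep it matchable.
        if op == "delete":
            self.ip_rules.pop(ip, None)
        else:
            self.ip_rules[ip] = cdn_id
        return (op, ip)

    def observe(self, alias, cdn_id, ips, ttl):
        """Apply one item of specific service structure data (S31-S33)."""
        entry = self.entries.setdefault(alias, Entry(cdn_id))  # S33 if absent
        issued = []
        for ip in ips:
            op = "update" if ip in entry.ips else "add"  # S32: refresh or add
            entry.ips[ip] = ttl
            issued.append(self._issue(op, ip, cdn_id))
        return issued

    def age(self, period):
        """Timed sweep (S34): subtract the period, expire TTLs below 0."""
        issued = []
        for alias, entry in list(self.entries.items()):
            for ip in list(entry.ips):
                entry.ips[ip] -= period
                if entry.ips[ip] < 0:
                    del entry.ips[ip]
                    issued.append(self._issue("delete", ip))
            if not entry.ips:  # assumption: drop the entry once no IP is left
                del self.entries[alias]
        return issued

    def match_flow(self, dst_ip, dst_port):
        """S4: label an HTTP/HTTPS flow by server IP (ports 80/443 assumed)."""
        return self.ip_rules.get(dst_ip) if dst_port in (80, 443) else None
```

CDN edge addresses are commonly shared by many customers and services, so an IP rule labels every HTTP/HTTPS flow to that address; with one rule per IP, as in this example, an expiry under one alias also removes a rule that another alias may still rely on.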

Description

Method and system for identifying specific CDN traffic based on domain name CNAME record

Technical Field

The invention relates to the technical field of internet traffic monitoring, in particular to a method and a system for identifying specific CDN traffic based on domain name CNAME records.

Background

Internet traffic monitoring and analysis generally relies on static rules for filtering and screening traffic. Identifying, analyzing and filtering internet traffic for specific services or scenarios, however, faces the problem that either no obvious static features exist, or some features exist but their coverage is incomplete. For identifying and filtering the traffic of CDN platform services in particular, static features become markedly less effective under the broad trend toward traffic encryption. How to identify the traffic of a specific CDN platform is therefore a problem that needs to be solved in the art.

Disclosure of Invention

In view of the above, the present invention provides a method and system for identifying specific CDN traffic based on a domain name CNAME record.
In order to achieve the above purpose, the present invention adopts the following technical scheme:

The invention firstly discloses a method for identifying specific CDN traffic based on domain name CNAME records, which comprises the following steps:

S1, analyzing DNS traffic in target internet traffic, filtering and screening DNS recursion request response traffic with CNAME records as effective traffic, analyzing the effective traffic, and outputting DNS CNAME type resource records;

S2, obtaining a CNAME domain name record according to the output DNS CNAME type resource record, matching with preset platform domain name characteristics and specific service characteristics, obtaining specific service structure data and transmitting the specific service structure data to a CDN domain name tracking state table;

S3, updating CNAME alias domain name state information in a CDN domain name tracking state table and state information of a flow matching engine according to the identified specific service structure data;

S4, according to the updated CDN domain name tracking state table, an IP instruction is issued, and the IP address in the IP instruction is matched with a specific service flow in the target internet flow, so that the CDN domain name specific internet flow is obtained, wherein the specific service flow comprises HTTP service flow or HTTPS service flow.

Further, in S1, the DNS CNAME type resource record includes a request domain name, a CNAME domain name record, an associated IP address record, and TTL life cycle information; the CNAME domain name records comprise at least one CNAME alias domain name record.
Further, S2 specifically includes:

S21, CNAME domain name record arrangement: obtaining a CNAME domain name record from the DNS CNAME type resource record; sequentially performing duplication removal and word segmentation on the obtained CNAME domain name record to obtain a corresponding domain name data set and a corresponding service data set;

S22, traversing the secondary domain name records of the domain name data set and matching them in turn against a preset platform domain name feature library; if a secondary domain name in the domain name data set matches a secondary domain name in the platform domain name feature library, going to step S23; if no secondary domain name matches, proceeding to the analysis of the next DNS request response;

S23, traversing the word segmentation records of the service data set and performing multimode matching in turn against a preset service feature library; if a word sequence after word segmentation in the service data set matches a word sequence in the service feature library, generating a specific CDN identification ID, generating specific service structure data by combining it with the associated DNS CNAME type resource record data, and then going to step S24; otherwise, matching the next word segmentation record;

S24, transmitting the specific service structure data to the CDN domain name tracking state table, wherein the specific service structure data comprises a key CNAME alias domain name, a specific CDN identification ID, a CNAME domain name record, an associated IP address record and TTL life cycle information, and the key CNAME alias domain name is the last CNAME alias domain name in the CNAME domain name record.
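Steps S21 to S24 above, with the segmentation and the three match kinds that claims 4 and 5 detail, as an added Python example (not code from the patent). The feature libraries, domain names and IDs are constructed; reading "secondary domain name" as the last two labels, and the front general, rear general and accurate matching features as prefix, suffix and exact matches on the word sequence, are assumptions.

```python
import re

PLATFORM_FEATURES = {"cdnplatform.example"}  # constructed platform feature library
# Constructed service feature library: (match kind, word sequence, CDN ID)
SERVICE_FEATURES = [
    ("prefix", ("video", "live"), "CDN-LIVE"),
    ("suffix", ("dl",), "CDN-DOWNLOAD"),
    ("exact", ("img", "static"), "CDN-IMAGE"),
]

def split_record(request, cnames):
    """S21: build the domain name data set and the service data set."""
    domains, words = [], []
    for i, cname in enumerate(cnames):
        name = cname.rstrip(".").lower()
        if i == 0:  # first record: drop the repeated request domain string
            name = name.replace(request.rstrip(".").lower(), "")
        sld = ".".join(name.split(".")[-2:])  # naive: no public-suffix handling
        domains.append(sld)
        rest = name[: len(name) - len(sld)]
        words.append(tuple(w for w in re.split(r"[.-]", rest) if w))
    return domains, words

def hit(kind, feature, seq):
    """Claim 5: any one of the three feature kinds counts as a match."""
    n = len(feature)
    if kind == "prefix":
        return seq[:n] == feature
    if kind == "suffix":
        return seq[-n:] == feature
    return seq == feature

def classify(request, cnames, ips, ttl):
    """S22-S24: return specific service structure data, or None."""
    domains, words = split_record(request, cnames)
    if not any(d in PLATFORM_FEATURES for d in domains):  # S22: platform check
        return None
    for seq in words:                                     # S23: service check
        for kind, feature, cdn_id in SERVICE_FEATURES:
            if hit(kind, feature, seq):
                return {"key_alias": cnames[-1], "cdn_id": cdn_id,
                        "cnames": cnames, "ips": ips, "ttl": ttl}
    return None

# Constructed sample DNS answer: request name, CNAME chain, A records, TTL.
SAMPLE = classify("www.shop.example",
                  ["www.shop.example.video-live.cdnplatform.example",
                   "edge7.cdnplatform.example"], ["192.0.2.10"], 60)
```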
Further, in step S21, sequentially performing duplication removal and word segmentation on the obtained CNAME domain name record to obtain a corresponding domain name data set and a service data set specifically includes: for the first CNAME domain name record, removing the repeated request domain name character string; intercepting a CNAME secondary domain name from the data after the request domai