| CPC H04L 63/1433 (2013.01) [G06N 20/00 (2019.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1475 (2013.01)] | 6 Claims |

|
1. An information leakage detection method, comprising:
obtaining network connection data of an electronic device;
extracting log data related to a domain name system from the network connection data;
analyzing a domain name system request in the log data to obtain a plurality of character distribution feature values according to an analysis result, wherein the character distribution feature values reflect a character distribution status of a domain name in the domain name system request under different classification rules; and
determining whether the domain name system request is a malicious domain name system request by a machine learning model according to the character distribution feature values, wherein the malicious domain name system request is used to carry leaked data to a remote host,
wherein the character distribution feature values comprise a first type feature value and a second type feature value,
wherein the first type feature value reflects a first character distribution status of the domain name under a first classification rule, the second type feature value reflects a second character distribution status of the domain name under a second classification rule, and the first classification rule is different from the second classification rule,
wherein the step of analyzing the domain name system request in the log data to obtain the character distribution feature values according to the analysis result comprises:
analyzing the domain name system request to obtain a plurality of evaluation parameters; and
obtaining the character distribution feature values according to the evaluation parameters,
wherein the evaluation parameters reflect a total number of characters comprised in a string in the domain name, a total number of all characters in the domain name, a total number of numerals in the domain name, a total number of non-repeated characters in a third-level domain name in the domain name, a total number of all characters except a first-level domain name and a second-level domain name in the domain name, a number of appearances of a character appearing most in the third-level domain name in the domain name, a number of occurrences of numerals being adjacent to letters in the third-level domain name in the domain name, a total number of characters meeting a specific condition in the third-level domain name in the domain name, and an entropy value of the third-level domain name in the domain name.
|
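The evaluation parameters listed in claim 1 can be computed directly from a logged DNS query name. The following Python sketch is an added illustration, not code from the patent: the function name `evaluation_parameters`, the dictionary keys, and the sample names are hypothetical. It assumes the last label is the first-level domain and the one before it the second-level domain (no public suffix list), reads "a string in the domain name" as the longest label, reads "non-repeated characters" as distinct characters, and uses "not a letter or digit" as a placeholder for the unspecified "specific condition"; it stops at the parameters and does not derive feature values or train a model.

```python
import math
from collections import Counter

def evaluation_parameters(qname, condition=lambda c: not c.isalnum()):
    """Compute the evaluation parameters of claim 1 for one DNS query name.

    `condition` stands in for the claim's unspecified "specific condition".
    """
    labels = qname.rstrip(".").lower().split(".")
    # Assumption: labels[-1] is first-level, labels[-2] second-level.
    third = labels[-3] if len(labels) >= 3 else ""
    sub = "".join(labels[:-2])  # everything left of the second-level domain, dots excluded
    counts = Counter(third)
    n = len(third)
    # Shannon entropy (bits per character) of the third-level label.
    entropy = -sum(k / n * math.log2(k / n) for k in counts.values()) if n else 0.0
    # Positions where a numeral sits next to a letter in the third-level label.
    adjacent = sum(1 for a, b in zip(third, third[1:])
                   if (a.isdigit() and b.isalpha()) or (a.isalpha() and b.isdigit()))
    return {
        "longest_label_len": max(len(l) for l in labels),
        "total_chars": sum(len(l) for l in labels),
        "total_digits": sum(c.isdigit() for c in qname),
        "third_distinct_chars": len(counts),
        "subdomain_chars": len(sub),
        "third_max_char_count": max(counts.values(), default=0),
        "third_digit_letter_adjacent": adjacent,
        "third_condition_chars": sum(1 for c in third if condition(c)),
        "third_entropy": entropy,
    }

# Constructed sample names (not real log data): an ordinary lookup and a
# query whose third-level label is hex-encoded text.
SAMPLES = ["www.example.com", "4a6f686e3a70617373.example.com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, evaluation_parameters(name))
```

On the two constructed names, the encoded label stands apart on length, numeral count, letter/numeral adjacency and entropy, which is the kind of separation a classifier trained on such values would rely on.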