1. School of Cyber Science and Engineering, Southeast University, Nanjing 211189, Jiangsu, China
2. Jiangsu Provincial Key Laboratory of Computer Networks, Southeast University, Nanjing 211189, Jiangsu, China
3. Key Laboratory of Computer Network and Information Integration, Ministry of Education, Southeast University, Nanjing 211189, Jiangsu, China
Xiaodong ZANG (born 1985), male, from Jining, Shandong; Ph.D. candidate at Southeast University; main research interests: network security and network management.
Jian GONG (born 1957), male, from Shanghai; Ph.D., professor and doctoral supervisor at Southeast University; main research interests: network security and network management.
Xiaoyan HU (born 1985), female, from Jinxi, Jiangxi; Ph.D., lecturer at Southeast University; main research interests: network architecture and network security.
Online publication date: 2018-07
Print publication date: 2018-07-25
Xiaodong ZANG, Jian GONG, Xiaoyan HU. Detecting malicious domain names based on AGD[J]. Journal on Communications, 2018, 39(7): 15-25. DOI: 10.11959/j.issn.1000-436x.2018116.
A malicious domain name detection approach that combines clustering and classification is proposed. First, cluster correlation is used to identify the domain names generated by the same domain generation algorithm (DGA) or one of its variants. Then, for the algorithmically generated domains (AGD) in each cluster, the following features are extracted: their TTL, the distribution and attribution (ownership) of their resolved IP addresses, the update time and completeness of their whois records, and their activity history. An SVM classifier then filters the malicious domain names out of each cluster. Experiments show that the algorithm achieves an accuracy of 98.4% with a false positive rate of 0.9% without requiring any client query records.