1. College of Computer Science, Nankai University, Tianjin 300071
2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
3. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049
Chunyu HAN (1990- ), male, born in Hegang, Heilongjiang; Ph.D. candidate at Nankai University; main research interests: network and information security.
Yongzheng ZHANG (1978- ), male, born in Harbin, Heilongjiang; Ph.D., professor and Ph.D. supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; main research interest: network security situation awareness.
Yu ZHANG (1981- ), male, born in Huzhou, Zhejiang; associate professor and master's supervisor at Nankai University; main research interests: network security, data security, data mining, etc.
Online publication date: 2020-05
Print publication date: 2020-05-25
Chunyu HAN, Yongzheng ZHANG, Yu ZHANG. Fast-flucos: malicious domain name detection method for Fast-flux based on DNS traffic [J]. Journal on Communications, 2020, 41(5): 37-47. DOI: 10.11959/j.issn.1000-436x.2020094. (Chinese title: Fast-flucos:基于DNS流量的Fast-flux恶意域名检测方法)
Existing Fast-flux domain name detection methods have three weaknesses: in stability, in targeting, and in applicability to common real-world DNS traffic. To address them, a detection method based on DNS traffic, called Fast-flucos, is proposed. First, traffic anomaly filtering and association matching algorithms are used to improve detection stability. Second, quantified geographic breadth, country vector table and time vector table features are introduced to target Fast-flux domains more specifically. Lastly, more suitable positive and negative samples and several machine learning algorithms, including deep learning, are used to determine the best classifier and the optimal feature combination, so that the method adapts as far as possible to common real-world DNS traffic. Experiments on real-world DNS traffic show that Fast-flucos reaches a recall of 0.9986, a precision of 0.9767 and an ROC_AUC of 0.9929, all better than the current mainstream approaches EXPOSURE, GRADE and AAGD.
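As an added illustration (not code from the paper), the block below derives per-domain features of the kind the abstract names, geographic breadth, a country vector and a time-of-day vector, from constructed passive-DNS records, and applies a simple threshold rule to show why geographic spread separates a Fast-flux domain from a single-country CDN. The record set, the IP-to-country map, the feature formulas and the thresholds are all assumptions for illustration; the paper's own feature definitions and trained classifiers are not reproduced.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed passive-DNS style records (domain, answer IP, TTL seconds, timestamp)
# and a constructed IP-to-country map; a real deployment would use a GeoIP database.
RECORDS = [
    ("flux.example", "203.0.113.10", 300, "2020-03-01T00:05:00"),
    ("flux.example", "198.51.100.7", 300, "2020-03-01T06:10:00"),
    ("flux.example", "192.0.2.33", 300, "2020-03-01T12:15:00"),
    ("flux.example", "203.0.113.77", 300, "2020-03-01T18:20:00"),
    ("flux.example", "198.51.100.90", 300, "2020-03-01T23:25:00"),
    ("cdn.example", "192.0.2.1", 60, "2020-03-01T09:00:00"),
    ("cdn.example", "192.0.2.2", 60, "2020-03-01T09:30:00"),
    ("cdn.example", "192.0.2.3", 60, "2020-03-01T10:00:00"),
    ("static.example", "198.51.100.1", 86400, "2020-03-01T08:00:00"),
]
IP_COUNTRY = {"203.0.113.10": "CN", "203.0.113.77": "CN", "198.51.100.7": "US",
              "192.0.2.33": "DE", "198.51.100.90": "RU", "192.0.2.1": "US",
              "192.0.2.2": "US", "192.0.2.3": "US", "198.51.100.1": "US"}
COUNTRIES = ["CN", "US", "DE", "BR", "RU"]  # fixed order for the country vector

def extract_features(records, ip_country, countries):
    """Per-domain features. geo_breadth, country_vec and hour_vec are this example's
    own formulations of the abstract's feature names, not the paper's definitions."""
    by_domain = defaultdict(list)
    for dom, ip, ttl, ts in records:
        by_domain[dom].append((ip, ttl, datetime.fromisoformat(ts)))
    feats = {}
    for dom, rows in by_domain.items():
        ips = {ip for ip, _, _ in rows}
        per_country = Counter(ip_country.get(ip, "??") for ip in ips)
        hour_vec = [0] * 24  # resolutions seen per hour of day
        for _, _, when in rows:
            hour_vec[when.hour] += 1
        feats[dom] = {
            "n_ip": len(ips),
            "mean_ttl": sum(ttl for _, ttl, _ in rows) / len(rows),
            # fraction of the tracked countries hosting at least one answer IP
            "geo_breadth": sum(1 for c in countries if per_country[c]) / len(countries),
            "country_vec": [per_country[c] for c in countries],
            "hour_vec": hour_vec,
        }
    return feats

def flag_fast_flux(f, max_ttl=600, min_ips=3, min_geo=0.4):
    """Illustrative threshold rule (the paper trains classifiers instead)."""
    return f["mean_ttl"] <= max_ttl and f["n_ip"] >= min_ips and f["geo_breadth"] >= min_geo

def classify(records, ip_country, countries):
    return {d: flag_fast_flux(f) for d, f in extract_features(records, ip_country, countries).items()}
```

The CDN-like domain has a short TTL and several IPs but only one country, so the geographic breadth feature is what keeps it from being flagged.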
ZHAUNIAROVICH Y, KHALIL I, YU T, et al. A survey on malicious domains detection through DNS data analysis [J]. ACM Computing Surveys, 2018, 51(4): 67.
ALMOMANI A. Fast-flux hunter: a system for filtering online fast-flux botnet [J]. Neural Computing and Applications, 2018, 29(7): 483-493.
ZHOU C V, LECKIE C, KARUNASEKERA S. Collaborative detection of fast flux phishing domains [J]. Journal of Networks, 2009, 4(1): 75-84.
ZHOU C V, LECKIE C, KARUNASEKERA S, et al. A self-healing, self-protecting collaborative intrusion detection architecture to trace-back Fast-flux phishing domains [C] // IEEE Network Operations and Management Symposium Workshop. Piscataway: IEEE Press, 2008: 321-327.
AL-DUWAIRI B N, AL-HAMMOURI A T. Fast flux watch: a mechanism for online detection of fast flux networks [J]. Journal of Advanced Research, 2014, 1(3): 1-7.
MARTINEZ-BEA S, CASTILLO-PEREZ S, GARCIA-ALFARO J. Real-time malicious fast-flux detection using DNS and bot related features [C] // 2013 Eleventh Annual International Conference on Privacy, Security and Trust. Piscataway: IEEE Press, 2013: 369-372.
CAGLAYAN A, TOOTHAKER M, DRAPEAU D, et al. Real-time detection of fast flux service networks [C] // Proceedings of the Cybersecurity Applications & Technology Conference for Homeland Security. 2009: 285-292.
NAZARIO J, HOLZ T. As the net churns: fast-flux botnet observations [C] // Proceedings of the 3rd International Conference on Malicious and Unwanted Software (MALWARE). 2008: 24-31.
CAGLAYAN A, TOOTHAKER M, DRAPEAU D, et al. Behavioral patterns of fast flux service networks [C] // Proceedings of the 43rd Hawaii International Conference on System Sciences (HICSS). Piscataway: IEEE Press, 2010: 1-9.
HU X, KNYSZ M, SHIN K G. Measurement and analysis of global IP-usage patterns of fast-flux botnets [C] // Proceedings of IEEE INFOCOM. Piscataway: IEEE Press, 2011: 15.
PASSERINI E, PALEARI R, MARTIGNONI L, et al. FluXOR: detecting and monitoring Fast-flux service networks [C] // Proceedings of the 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA). Berlin: Springer, 2008: 186-206.
PERDISCI R, CORONA I, DAGON D, et al. Detecting malicious Flux service networks through passive analysis of recursive DNS traces [C] // Twenty-Fifth Annual Computer Security Applications Conference. Los Alamitos: IEEE Computer Society, 2009: 311-320.
LIN H T, LIN Y Y, CHIANG J W. Genetic-based real-time fast-flux service networks detection [J]. Computer Networks, 2013, 57: 501-513.
HUANG S Y, MAO C H, LEE H M. Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection [C] // Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security. New York: ACM Press, 2010: 101-111.
HOLZ T, GORECKI C, RIECK K, et al. Measuring and detecting Fast-flux service networks [C] // Symposium on Network and Distributed System Security. 2008: 1-12.
KNYSZ M, HU X, SHIN K G. Good guys vs. bot guise: mimicry attacks against fast-flux detection systems [C] // Proceedings of IEEE INFOCOM. Piscataway: IEEE Press, 2011: 1844-1852.
HSU F H, WANG C S, HSU C H, et al. Detect Fast-flux domains through response time differences [J]. IEEE Journal on Selected Areas in Communications, 2014, 32(10): 1947-1956.
BILGE L, KIRDA E, KRUEGEL C, et al. EXPOSURE: finding malicious domains using passive DNS analysis [C] // Proceedings of the Network and Distributed System Security Symposium. 2011: 1-17.
ZANG X D, GONG J, HU X Y. Detecting malicious domains based on AGD [J]. Journal on Communications, 2018, 39(7): 15-25. (in Chinese)
FAKERI-TABRIZI A, NGUYEN T, LIU H L, et al. Analyzing DNS requests for anomaly detection: US 20160065611A1 [P]. (2016-03-03) [2019-10-31].
LEI K, FU Q, NI J, et al. Detecting malicious domains with behavioral modeling and graph embedding [C] // 2019 IEEE 39th International Conference on Distributed Computing Systems. Piscataway: IEEE Press, 2019: 601-611.
SUN X, TONG M, YANG J, et al. HinDom: a robust malicious domain detection system based on heterogeneous information network with transductive classification [C] // 22nd International Symposium on Research in Attacks, Intrusions and Defenses. Berkeley: USENIX Association, 2019: 399-412.
SHI Y, CHEN G, LI J. Malicious domain name detection based on extreme machine learning [J]. Neural Processing Letters, 2018, 48(3): 1347-1357.
ZHOU C L, CHEN K, GONG X X, et al. Detection of Fast-flux domains based on passive DNS analysis [J]. Acta Scientiarum Naturalium Universitatis Pekinensis, 2016, 52(3): 396-402. (in Chinese)