Detecting malicious domain names based on AGD

Xiaodong ZANG; Jian GONG; Xiaoyan HU

doi:10.11959/j.issn.1000-436x.2018116

您当前的位置：

首页 >

文章列表页 >

Detecting malicious domain names based on AGD

Papers | 更新时间：2024-06-05

- Detecting malicious domain names based on AGD
- Journal on Communications Vol. 39, Issue 7, Pages: 15-25(2018)
- 作者机构：
  
  1. 东南大学网络空间安全学院，江苏南京 211189
  2. 东南大学江苏省计算机网络重点实验室，江苏南京 211189
  3. 东南大学教育部计算机网络和信息集成重点实验室，江苏南京 211189
- 作者简介：
- 基金信息：
  
  The National Natural Science Foundation of China(61602114)
- DOI：10.11959/j.issn.1000-436x.2018116
  CLC： TP393
- Online First：2018-07，
  
  Published：25 July 2018
- 稿件说明：
移动端阅览
Xiaodong ZANG, Jian GONG, Xiaoyan HU. Detecting malicious domain names based on AGD[J]. Journal on Communications, 2018, 39(7): 15-25.
DOI：

Xiaodong ZANG, Jian GONG, Xiaoyan HU. Detecting malicious domain names based on AGD[J]. Journal on Communications, 2018, 39(7): 15-25. DOI： 10.11959/j.issn.1000-436x.2018116.

摘要

提出了一种聚类和分类算法相结合的恶意域名检测思路，首先通过聚类关联，辨识出同一域名生成算法（DGA

domain generation algorithm）或其变体生成的域名，然后分别提取每一个聚类集合中算法生成域名（AGD

algorithmically generated domain）的TTL、解析IP分布、归属、whois的更新、完整性及域名的活动历史特征等，利用 SVM 分类器过滤出其中的恶意域名。实验表明，该算法在不需要客户端查询记录信息的情况下即可实现准确率为 98.4%、假阳性为0.9%的恶意域名检测。

Abstract

A new malicious domain name detection algorithm was proposed.More specifically

the domain names in a cluster belonging to a DGA (domain generation algorithm) or its variants was identified firstly by using cluster correlation.Then

these AGD (algorithmically generated domain) names’ TTL

the distribution and attribution of their resolved IP addresses

their whois features and their historical information were extracted and further applied SVM algorithm to identify the malicious domain names.Experimental results demonstrate that it achieves an accuracy rate of 98.4% and the false positive of 0.9% without any client query records.

关键词

Keywords

references

江健 , 诸葛建伟 , 段海新 , 等 . 僵尸网络机理与防御技术 [J ] . 软件学报 , 2012 , 23 ( 1 ): 82 - 96 .

JIANG J , ZHUGE J W , DUAN H X , et al . Research on botnet mechanisms and defenses [J ] . Journal of Software , 2012 , 23 ( 1 ): 82 - 96 .

YADAV S , REDDY A , REDDY A , et al . Detecting algorithmically generated malicious domain names [C ] // The 10th ACM SIGCOMM Conference on Internet Measurement . 2010 : 48 - 61 .

STONE G B , COVA M , CAVALLARO L . Your botnet is mybotnet:analysis of a botnet takeover [C ] // ACM Conference on Computerand Communications Security (CCS) . 2009 : 635 - 647 .

DANIEL P , KHALED Y , MICHAEL K , et al . A comprehensive measurement study of domain generating mal-ware [C ] // The 25th USENIX Security Symposium . 2016 : 263 - 278 .

WANG T S , LIN H T , CHENG W T , et al . DBod:clustering and detecting dga-based botnets using DNS traffic analysis [J ] . Computers＆ Security , 2017 , 64 : 1 - 15 .

BILGE L , KIRDA E , KRUEGEL C , et al . Exposure:finding malicious domains using passive DNS analysis [C ] // NDSS . 2011 : 1 - 17 .

ANTONAKAKIS M , PERDISCI R , NADJI Y . From throw-away traffic to bots:detecting the rise of DGA-Basedmalware [C ] // Usenix Conference on Security Symposium . 2012 : 24 - 40 .

SHARIFNYA R , ABADI M . DFBotKiller:domain-flux botnet detection based on the history of group activities and failures in DNS traffic [J ] . Digital Investigation , 2015 , 12 ( 12 ): 15 - 26 .

KHEIR N , TRAN F , CARON P , et al . Mentor:positive DNS reputation to skim-off benign domains in botnet c＆c blacklists [C ] // IFIP International Information Security Conference . 2014 : 1 - 14 .

MANOS A , ROBERTO P , DAVID D , et al . Building a dynamic reputation system for DNS [C ] // The 19th USENIX Security Symposium (USENIX Security’10) . 2010 : 273 - 290 .

ANTONAKAKIS M , PERDISCI R , LEE W , et al . Kopis:detecting malware domains at the upper DNS hierarchy [C ] // Usenix Conference on Security . 2011 .

张维维 , 龚俭 , 刘尚东 , 等 . 面向主干网的 DNS 流量监测研究 [J ] . 软件学报 , 2017 , 28 ( 9 ): 2370 - 2387 .

ZHANG W W , GONG J , LIU S D , et al . DNS surveillance on backbone [J ] . Journal of Software , 2017 , 28 ( 9 ): 2370 - 2387 .

THOMAS M , MOHAISEN A . Kindred domains:detecting and clustering botnet domains using DNS traffic [C ] // Companion Publication of the International Conference on World Wide Web Companion . 2014 : 707 - 712 .

STEFANO S , FEDERICO M , LORENZO C , et al . Phoenix:DGA-based botnet tracking and intelligence [C ] // International Conference on Detection of Intrusions＆ Malware . 2014 : 192 - 211 .

CELIK Z B , OKTUG S . Detection of fast-flux networks using various DNS feature sets [J ] . Computers＆Communications , 2013 : 868 - 873 .

HUANG S Y , MAO C H , LEE H M . Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection [C ] // 5th International Symposium on ACM Symposium on Information,Computer and Communications Security . 2010 : 101 - 111 .

ALMOMANI A . Fast-flux hunter:a system for filtering online fast-flux botnet [J ] . Neural Computing＆ Applications , 2016 : 1 - 11 .

袁福祥 , 刘粉林 , 芦斌 , 等 . 基于历史数据的异常域名检测算法 [J ] . 通信学报 , 2016 , 37 ( 10 ): 172 - 180 .

YUAN F X , LIU F L , LU B , et al . Anomaly domains detection algorithm based on historical data [J ] . Journal on Communications , 2016 , 37 ( 10 ): 172 - 180 .

WANGA K C , HUANGB C Y , LIN S J , et al . Fuzzy pattern-based filtering algorithm for botnet detection [J ] . Computer Networks , 2011 , 55 ( 15 ): 3275 - 3286 .

WANG K , HUANG C Y , LIN S J , et al . A fuzzy pattern-based filtering algorithm for botnet detection [J ] . Computer Networks the International Journal of Computer ＆ Telecommunications Networking , 2011 , 55 ( 15 ): 3275 - 3286 .

张维维 , 龚俭 , 刘茜 , 等 . 基于词素特征的轻量级域名检测算法 [J ] . 软件学报 , 2016 , 27 ( 9 ): 2348 - 2364 .

ZHANG W W , GONG J , LIU Q , et al . A Lightweight domain name detection algorithm based on morpheme features [J ] . Journal of Software , 2016 , 27 ( 9 ): 2348 - 2364 .

LIN H T , LIN Y Y , CHIANG J W . Genetic-based real-time fast-flux service networks detection [J ] . Computer Networks , 2013 , 57 ( 2 ): 501 - 513 .

BILGE L , SEN S , BALZAROTTI D . Exposure:a passive DNS analysis service to detect and report malicious domains [J ] . ACM Transactions on Information and System Security (TISSEC) , 2014 , 16 ( 4 ): 14 - 41 .

SHI Y , CHEN G , LI J T . Malicious domain name detection based on extreme machine learning [J ] . Neural Process Letters , 2017 : 1 - 11 .

LI B D , SPRINGER J , BEBIS G , et al . A survey of network flow applications [J ] . Journal of Network and Computer Applications , 2013 , 36 ( 2 ): 567 - 581 .

Views

2070

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

CPDGA: foresee future DGA using proactive conformal propagation

DGA malicious domain name identification based on XGBoost and particle swarm optimization algorithm

Related Author

LIU Shuangshuang

WANG Zhi

DONG Yimeng

LI Wanpeng

CHEN Zesheng

ZHOU Min

FENG Lichun

CHEN Weijie

Related Institution

College of Cryptology and Cyber Science, Nankai University

College of Computer Science, University of Liverpool, Liverpool BX

Information Technology Center, Guangzhou Academy of Fine Arts

AI问答

⁰