Abstract: Botnets now widely use domain-flux techniques to evade domain blacklists. To address this, a malicious-domain detection method based on group behaviour characteristics is proposed. In each detection period, the method clusters the set of new domains and the set of failed domains requested by hosts on the network, and takes the set of hosts that request the same group of new domains as the detection object. By analysing whether the hosts in that set exhibit group behaviour in their requests for failed domains and new domains, it extracts the set of infected hosts on the network and the set of IP addresses used by the C&C servers. Monitoring results from one ISP's DNS server show that the method accurately extracts infected hosts and C&C server IP addresses.
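As an added illustration (not code from the paper), the following Python sketch applies the abstract's group-behaviour criterion to a constructed passive-DNS log: it builds the per-period new-domain and failed-domain sets, groups hosts by the set of new domains they request, and flags a group whose members also share failed lookups, reporting those hosts as infected and the IPs their new domains resolved to as candidate C&C addresses. The thresholds, the use of NXDOMAIN as the failure signal, the baseline set, and all hosts, domains and IPs are assumptions.

```python
from collections import defaultdict

MIN_GROUP = 3          # hosts that must share the behaviour (assumed threshold)
MIN_SHARED_FAILS = 2   # failed domains common to the whole group (assumed)

# Constructed baseline: domains already seen in earlier detection periods.
BASELINE = {"example.com", "update.example.org"}

# Constructed passive-DNS log for one period: (host, domain, rcode, answer).
LOG = [
    ("10.0.0.5", "example.com", "NOERROR", "93.184.216.34"),
    ("10.0.0.5", "qzkd8f2.dga.test", "NXDOMAIN", None),
    ("10.0.0.5", "ph3kxw.dga.test", "NXDOMAIN", None),
    ("10.0.0.5", "a7tr2m.dga.test", "NOERROR", "203.0.113.7"),
    ("10.0.0.6", "qzkd8f2.dga.test", "NXDOMAIN", None),
    ("10.0.0.6", "ph3kxw.dga.test", "NXDOMAIN", None),
    ("10.0.0.6", "a7tr2m.dga.test", "NOERROR", "203.0.113.7"),
    ("10.0.0.7", "qzkd8f2.dga.test", "NXDOMAIN", None),
    ("10.0.0.7", "ph3kxw.dga.test", "NXDOMAIN", None),
    ("10.0.0.7", "a7tr2m.dga.test", "NOERROR", "203.0.113.7"),
    ("10.0.0.9", "newsite.example.info", "NOERROR", "198.51.100.9"),  # lone new domain
    ("10.0.0.10", "typo-exampel.com", "NXDOMAIN", None),              # one-off typo
]

def detect(log, baseline, min_group=MIN_GROUP, min_fails=MIN_SHARED_FAILS):
    """Return (infected_hosts, cc_ips) using the group-behaviour criterion."""
    new_by_host = defaultdict(set)   # host -> new domains it resolved
    fail_by_host = defaultdict(set)  # host -> domains that came back NXDOMAIN
    ip_of = defaultdict(set)         # new domain -> IPs it resolved to
    for host, dom, rcode, ans in log:
        if rcode == "NXDOMAIN":
            fail_by_host[host].add(dom)           # failed-domain set
        elif dom not in baseline:
            new_by_host[host].add(dom)            # new-domain set
            ip_of[dom].add(ans)
    # Hosts requesting the same set of new domains form one detection object.
    groups = defaultdict(set)
    for host, doms in new_by_host.items():
        groups[frozenset(doms)].add(host)
    infected, cc_ips = set(), set()
    for doms, hosts in groups.items():
        if len(hosts) < min_group:
            continue                              # too small to show group behaviour
        # Group behaviour on failures: NXDOMAINs common to every member.
        shared_fails = set.intersection(*(fail_by_host[h] for h in hosts))
        if len(shared_fails) >= min_fails:
            infected |= hosts
            cc_ips.update(ip for d in doms for ip in ip_of[d])
    return infected, cc_ips
```

Calling `detect(LOG, BASELINE)` on the sample flags the three hosts sharing the same new domain and the same failed lookups, while the lone new domain and the isolated typo are ignored.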