基于组行为特征的恶意域名检测

计算机科学 ›› 2013, Vol. 40 ›› Issue (8): 146-148.

基于组行为特征的恶意域名检测

张永斌,陆寅,张艳宁

西北工业大学计算机学院西安710129;西北工业大学计算机学院西安710129;西北工业大学计算机学院西安710129

出版日期:2018-11-16 发布日期:2018-11-16
基金资助:
本文受国家自然科学基金(60903126,60872145)资助

Malware Domains Detection by Monitoring Group Activities

ZHANG Yong-bin,LU Yin and ZHANG Yan-ning

Online:2018-11-16 Published:2018-11-16

摘要/Abstract

摘要： 目前,僵尸网络广泛采用域名变换技术,以避免域名黑名单的封堵,为此提出一种基于组行为特征的恶意域名检测方法。该方法对每个检测周期内网络中主机请求的新域名集合、失效域名集合进行聚类分析,并将请求同一组新域名的主机集合作为检测对象,通过分析集合内主机在请求失效域名、新域名行为上是否具有组特性,提取出网络中的感染主机集合、C&C服务器使用的IP地址集合。对一ISP域名服务器监测的结果表明,该方法可准确提取出感染主机、C&C服务器IP地址。

关键词: 网络安全,僵尸网络,域名生成算法,域名变换

Abstract: At present,many botnets adopt Domain Flux techniques to avoid the block of domain blacklists．A new technique was proposed to detect malicious domain by analyzing group-behavior of compromised hosts on DNS queries．The method clusters new domains and Non-Existent domains queried by hosts in each epoch,groups these hosts by new domain names,and identifies that if the hosts within the same set have group activities when querying Non-Existent domains,to detect compromised hosts and IP addresses of C&C servers．The monitoring results for an ISP DNS show that compromised hosts and IP addresses of C&C servers are detected accurately.

Key words: Network security,Botnet,Domain name generation algorithms(DGA),Domain flux

张永斌,陆寅,张艳宁. 基于组行为特征的恶意域名检测[J]. 计算机科学, 2013, 40(8): 146-148. https://doi.org/

ZHANG Yong-bin,LU Yin and ZHANG Yan-ning. Malware Domains Detection by Monitoring Group Activities[J]. Computer Science, 2013, 40(8): 146-148. https://doi.org/

参考文献

[1] Leder W．Know Your Enemy:Containing Conficker [R]．The Honeynet Project & Research Alliance,University of Bonn,Germany,2009
[2] Royal P．On the kraken and bobax botnets[R/OL]．http://www.damballa.com/downloads/r_pubs/Kraken_Response.pdf,2009
[3] Stone-Gross B,Cova M,Vigna G．Your Botnet is My Botnet:Analysis of A Botnet Takeover [C]∥ACM Conference on Computer and Communications Security(CCS)．2009:635-647
[4] Yadav S,Reddy A,Ranjan S．Detecting Algorithmically Generated Malicious Domain Names [A]∥10th Annual ACM Conference on Internet Measurement [C]．New York,USA,2010:48-61
[5] Stalmans E,Irwin B．A Framework for DNS Based Detectionand Mitigation of Malware Infections on a Network [A]∥Information Security South Africa(ISSA)[C]．2011:76-83
[6] Jiang N,Zhang Z．Identifying Suspicious Activities through DNS Failure Graph Analysis [A]∥Network Protocols(ICNP),the 18th IEEE International Conference [C]．2010:144-153
[7] Yadav S,Reddy A N．Winning with DNS Failures:Strategies forFaster Botnet Detection [A]∥7th International ICST Confe-rence on Security and Privacy in Communication Networks [C]．2011:133-145
[8] Hao S,Feamster N,Pandrangi．An Internet Wide View intoDNS Lookup Patterns[R/OL]．http://labs.verisigninc.com/projects/malicious-domain-names.html,2010
[9] Antonakakis M,Perdisci R,Dagon D,et al.Building A Dynamic Reputation System for DNS [A]∥the Proceedings of 19th USENIX Security Symposium(USENIX Security’10)[C]．2010:273-289
[10] Antonakakis M,Lee R,Dagon D．Detecting Malware Domains at the Upper DNS Hierarchy [A]∥the Proceedings of 20th USENIX Security Symposium(USENIX Security ’11)[C]．2011:23-46
[11] Bilge L,Kirda E,Kruegel C,et al．Exposure:Finding Malicious Domains using Passive DNS Analysis [A]∥Proceedings of NDSS [C]．2011:1-17
[12] 黄彪,成淑萍,欧阳晨星,等．无尺度网络下具有双因素的僵尸网络传播模型[J].计算机科学,2012,9(10):78-81
[13] 冯丽萍,韩琦,王鸿斌.具有变化感染率的僵尸网络传播模型[J].计算机科学,2012,9(11):51-53

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed