Computer Science (计算机科学) ›› 2020, Vol. 47 ›› Issue (11A): 396-401. doi: 10.11896/jsjkx.200100060

• Information Security •

Analysis of Kaminsky Attack and Its Abnormal Behavior (Kaminsky攻击及其异常行为分析)

CHEN Xi (陈曦), FENG Mei (冯梅), JIANG Bo (江波)

  1. Institute of Computing Technology, Research Institute of Petroleum Exploration and Development, Beijing 100083, China
  • Online: 2020-11-15  Published: 2020-11-17
  • Corresponding author: CHEN Xi (304533929@qq.com)
  • About author: CHEN Xi, born in 1994, postgraduate. Her main research interests include network security, anomaly detection and behavior analysis.

Abstract: The Kaminsky attack is a remote DNS cache poisoning attack. Once it succeeds, requests to resolve any subdomain of the poisoned domain are directed to a forged authoritative name server, which makes it highly damaging. Based on simulated attack experiments and an analysis of the attack's characteristics, this article proposes a new abnormal-behavior analysis method for detecting the Kaminsky attack. First, the time, IP address, DNS Flags and DNS Transaction ID are extracted from each DNS packet. Then a sliding window is applied to de-duplicate the Transaction IDs, and the conditional entropy of the Transaction ID given the same IP address is calculated. Finally, an improved CUSUM algorithm is applied to the conditional-entropy time series to detect the time of the attack. In addition, using the data within the detected attack time, the conditional entropy of the Transaction ID given the same IP address can be traced back to the IP address of the authoritative name server targeted by the poisoning. The analysis sample consists of attack traffic mixed with normal traffic, and different attack patterns are simulated by adjusting the parameters of the attack code. The results show that the method not only has low time complexity but also has a low false-positive rate, a low false-negative rate and a high detection rate, making it an effective means of detection and analysis.

Key words: Behavior analysis, Conditional entropy, CUSUM algorithm, Domain Name System, Kaminsky attack, Traceback (追溯)
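The pipeline the abstract describes (feature extraction, sliding-window de-duplication, conditional entropy H(TXID | IP), CUSUM change detection on the entropy series, and traceback to the impersonated authoritative server) as an added worked example in Python. It is not the authors' code. Everything beyond the abstract is assumed: the constructed capture, the documentation-range addresses, the window size and CUSUM parameters, the reading of de-duplication as one count per distinct (IP, Transaction ID) pair per window, and the plain one-sided CUSUM standing in for the paper's improved variant.

```python
"""Conditional-entropy + CUSUM detection of a Kaminsky-style DNS poisoning flood.

Added worked example, not the paper's implementation. Assumed: the constructed
capture, documentation-range addresses, window/CUSUM parameters, the
de-duplication rule (one count per distinct (IP, TXID) pair per window) and
the plain one-sided CUSUM in place of the paper's improved version.
"""
from __future__ import annotations

import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

AUTH_IP = "198.51.100.53"  # authoritative server the attacker impersonates (assumed)
QR = 0x8000                # DNS Flags bit: 1 = response


@dataclass(frozen=True)
class DnsRecord:
    """The four fields the abstract extracts from each DNS packet."""
    time: float  # capture timestamp, seconds
    ip: str      # source IP of the packet
    flags: int   # 16-bit DNS Flags field
    txid: int    # 16-bit Transaction ID


def conditional_entropy(window: list[DnsRecord]) -> tuple[float, dict[str, float]]:
    """H(TXID | IP) in bits over the responses in one window.

    Distinct (ip, txid) pairs count once, so a normal query/response exchange is
    one sample while a forged flood yields one sample per guessed TXID. Returns
    the entropy and each IP's share p(ip) * H(TXID | ip) for the traceback step.
    """
    pairs = {(r.ip, r.txid) for r in window if r.flags & QR}
    if not pairs:
        return 0.0, {}
    per_ip: dict[str, set[int]] = defaultdict(set)
    for ip, txid in pairs:
        per_ip[ip].add(txid)
    share = {}
    for ip, txids in per_ip.items():
        # after de-duplication every TXID under an IP is equiprobable,
        # so H(TXID | ip) = log2(number of distinct TXIDs)
        share[ip] = len(txids) / len(pairs) * math.log2(len(txids))
    return sum(share.values()), share


def entropy_series(records, window=2.0, step=1.0):
    """Slide a window over the capture: one (start, entropy, shares) per step."""
    records = sorted(records, key=lambda r: r.time)
    series, start = [], float(math.floor(records[0].time))
    while start <= records[-1].time:
        chunk = [r for r in records if start <= r.time < start + window]
        h, share = conditional_entropy(chunk)
        series.append((start, h, share))
        start += step
    return series


def cusum_alarms(values, baseline=10, k=0.5, h=3.0):
    """One-sided CUSUM: S_n = max(0, S_{n-1} + x_n - mu - k), alarm when S_n > h.

    mu is the mean of the first `baseline` windows (assumed attack-free); the
    statistic resets after an alarm so each attack window is reported on its own.
    """
    n = max(1, min(baseline, len(values)))
    mu = sum(values[:n]) / n
    s, alarms = 0.0, []
    for i, x in enumerate(values):
        s = max(0.0, s + x - mu - k)
        if s > h:
            alarms.append(i)
            s = 0.0
    return alarms


def detect(records):
    """Run the pipeline; return the entropy series, alarmed window starts and
    the IP that carries most of the entropy in those windows (the traceback)."""
    series = entropy_series(records)
    entropy = [h for _, h, _ in series]
    alarms = cusum_alarms(entropy)
    share = Counter()
    for i in alarms:
        share.update(series[i][2])
    target = share.most_common(1)[0][0] if share else None
    return {"entropy": entropy,
            "alarm_starts": [series[i][0] for i in alarms],
            "target_ip": target}


def build_sample_capture(seed=7):
    """Constructed 60 s resolver-side capture (not real traffic): 3-6 normal
    query/response pairs per second to eight upstream servers, plus for
    t in [30, 40) 200 responses/s forged from AUTH_IP with fresh random TXIDs,
    which is what a Kaminsky flood looks like at the resolver."""
    rng = random.Random(seed)
    resolver, upstreams = "192.0.2.10", [f"203.0.113.{i}" for i in range(1, 9)]
    recs = []
    for sec in range(60):
        for _ in range(rng.randint(3, 6)):
            t, txid = sec + rng.random() * 0.9, rng.randrange(1 << 16)
            recs.append(DnsRecord(t, resolver, 0x0100, txid))                       # query (RD)
            recs.append(DnsRecord(t + 0.01, rng.choice(upstreams), 0x8180, txid))   # its response
        if 30 <= sec < 40:
            for _ in range(200):
                recs.append(DnsRecord(sec + rng.random(), AUTH_IP, 0x8400, rng.randrange(1 << 16)))
    return recs


if __name__ == "__main__":
    r = detect(build_sample_capture())
    print("alarmed windows start at:", r["alarm_starts"])
    print("traced impersonated authoritative server:", r["target_ip"])
```

The spike the detector keys on follows from how the attack works: the attacker answers the resolver's query for a random subdomain with a flood of responses whose source address is forged as the authoritative server's, each carrying a different guessed Transaction ID, so within the attack windows one IP suddenly accounts for hundreds of distinct TXIDs. That is why the per-IP share of the conditional entropy points back at the impersonated server rather than at the attacker's real address, which never appears in the packets.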

CLC number: TP393