Journal on Communications (通信学报) ›› 2018, Vol. 39 ›› Issue (7): 15-25. doi: 10.11959/j.issn.1000-436x.2018116

• Academic Paper •

Detecting malicious domain names based on AGD (基于AGD的恶意域名检测)

Xiaodong ZANG (臧小东) 1,2,3, Jian GONG (龚俭) 1,2,3, Xiaoyan HU (胡晓艳) 1,2,3

  1 School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China
  2 Jiangsu Provincial Key Laboratory of Computer Network Technology, Southeast University, Nanjing 211189, China
  3 Key Laboratory of Computer Network and Information Integration of Ministry of Education, Southeast University, Nanjing 211189, China
  • Revised: 2018-06-21  Online: 2018-07-01  Published: 2018-08-08
  • About the authors: Xiaodong ZANG (1985-), male, born in Jining, Shandong; Ph.D. candidate at Southeast University; research interests: network security and network management. | Jian GONG (1957-), male, born in Shanghai; Ph.D.; professor and doctoral supervisor at Southeast University; research interests: network security and network management. | Xiaoyan HU (1985-), female, born in Jinxi, Jiangxi; Ph.D.; lecturer at Southeast University; research interests: network architecture and network security.
  • Supported by: The National Natural Science Foundation of China (61602114)

Abstract:

A malicious domain name detection method that combines clustering and classification is proposed. First, cluster correlation is used to identify the domain names generated by the same domain generation algorithm (DGA) or one of its variants. Then, for the algorithmically generated domains (AGD) in each cluster, the following features are extracted: the TTL, the distribution and attribution of the resolved IP addresses, the update time and completeness of the whois record, and the domain's activity history. An SVM classifier is applied to these features to filter out the malicious domain names. Experimental results show that the method achieves an accuracy of 98.4% and a false-positive rate of 0.9% without requiring any client query records.

Key words: network security monitoring, domain generation algorithm, command and control server, algorithmically generated domain
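The feature-extraction and SVM stage described in the abstract, as an added illustration that is not the paper's code: the clustering step is not reproduced here, the domain records, ASN attributions, whois fields, scaling constants (3600 s, 365 d) and the TEST-NET addresses are all constructed for the example, and the classifier is a plain hinge-loss subgradient trainer rather than the authors' SVM implementation. It shows how the five feature families named in the abstract (TTL, resolved-IP spread and attribution, whois update recency, whois completeness, activity history) become a vector that a linear SVM can separate.

```python
from dataclasses import dataclass
from datetime import date

OBS_DATE = date(2018, 6, 1)                      # constructed observation day
WHOIS_KEYS = ("registrant", "email", "org", "phone")


@dataclass
class DomainRecord:
    """Per-domain evidence gathered from DNS answers and whois (constructed)."""
    name: str
    ttls: list           # TTLs seen on A-record answers
    ips: list            # resolved IPv4 addresses
    asn_of_ip: dict      # IP -> ASN attribution (hypothetical lookup result)
    whois_updated: date  # last whois "updated" timestamp
    whois_fields: dict   # registrant fields; None/empty when missing
    first_seen: date     # first day the name was observed
    active_days: int     # days with resolutions since first_seen


def extract_features(rec, obs=OBS_DATE):
    """Map a record to the abstract's feature families, each scaled to [0, 1].

    The scaling constants (3600 s for TTL, 365 d for ages) are this example's
    assumptions, not values taken from the paper.
    """
    f_ttl = 1.0 - min(min(rec.ttls), 3600) / 3600.0                    # short TTL -> 1
    asns = {rec.asn_of_ip[ip] for ip in rec.ips}
    f_spread = len(asns) / len(rec.ips)                                 # IPs spread over many ASNs -> 1
    f_update = 1.0 - min((obs - rec.whois_updated).days, 365) / 365.0  # recent whois update -> 1
    missing = sum(1 for k in WHOIS_KEYS if not rec.whois_fields.get(k))
    f_incomplete = missing / len(WHOIS_KEYS)                            # sparse whois -> 1
    window = (obs - rec.first_seen).days + 1
    f_young = 1.0 - min(window, 365) / 365.0                            # newly seen -> 1
    f_sparse = 1.0 - min(rec.active_days, window) / window              # bursty activity -> 1
    return [f_ttl, f_spread, f_update, f_incomplete, f_young, f_sparse]


def train_svm(X, y, lam=1e-3, eta=0.1, epochs=300):
    """Linear SVM trained by subgradient descent on the L2-regularised hinge loss.

    The bias is folded in as a constant feature, so regularisation scales the
    whole decision function uniformly. Sample order is fixed: deterministic result.
    """
    Xb = [list(x) + [1.0] for x in X]
    w = [0.0] * len(Xb[0])
    for _ in range(epochs):
        for x, label in zip(Xb, y):
            margin = label * sum(wi * xi for wi, xi in zip(w, x))
            if margin < 1.0:
                w = [wi - eta * (lam * wi - label * xi) for wi, xi in zip(w, x)]
            else:
                w = [wi * (1.0 - eta * lam) for wi in w]
    return w


def predict(w, features):
    """+1 = malicious AGD, -1 = benign."""
    score = sum(wi * xi for wi, xi in zip(w, list(features) + [1.0]))
    return 1 if score >= 0 else -1


def _record(name, min_ttl, n_ip, n_asn, updated, missing, first_seen, active_days):
    """Build a constructed record; IPs are taken from the 192.0.2.0/24 TEST-NET block."""
    ips = ["192.0.2.%d" % i for i in range(1, n_ip + 1)]
    asn_of_ip = {ip: 64496 + (i % n_asn) for i, ip in enumerate(ips)}   # private-use ASNs
    fields = {k: (None if i < missing else "present") for i, k in enumerate(WHOIS_KEYS)}
    return DomainRecord(name, [min_ttl], ips, asn_of_ip, updated, fields, first_seen, active_days)


# Constructed training set: +1 for AGD names confirmed malicious, -1 for benign names.
TRAINING = [
    (_record("xk3qz9vwplm.example", 60, 3, 3, date(2018, 5, 25), 3, date(2018, 5, 20), 3), 1),
    (_record("qpw7lr2tyva.example", 120, 4, 4, date(2018, 5, 18), 4, date(2018, 5, 10), 5), 1),
    (_record("zmn4hg8ckdo.example", 300, 2, 2, date(2018, 4, 30), 2, date(2018, 4, 25), 6), 1),
    (_record("ltr9sb5ewqx.example", 30, 5, 4, date(2018, 5, 29), 3, date(2018, 5, 28), 2), 1),
    (_record("news-portal.example", 3600, 2, 1, date(2016, 3, 1), 0, date(2015, 1, 10), 1200), -1),
    (_record("shop.example", 7200, 4, 1, date(2017, 2, 14), 0, date(2013, 6, 1), 1700), -1),
    (_record("university.example", 86400, 1, 1, date(2015, 9, 9), 1, date(2010, 3, 3), 2900), -1),
    (_record("mail.example", 1800, 2, 1, date(2017, 11, 2), 0, date(2016, 4, 4), 700), -1),
]


def build_model():
    X = [extract_features(rec) for rec, _ in TRAINING]
    y = [label for _, label in TRAINING]
    return train_svm(X, y)


def training_accuracy(w):
    hits = sum(predict(w, extract_features(r)) == lab for r, lab in TRAINING)
    return hits / len(TRAINING)


if __name__ == "__main__":
    model = build_model()
    print("training accuracy:", training_accuracy(model))
    for rec, _ in TRAINING:
        print(rec.name, predict(model, extract_features(rec)))
```

In a real deployment the records would be filled from passive-DNS observations and whois lookups rather than constructed, and the clustering stage would first group candidate names by DGA family so that the classifier runs per cluster, as the abstract describes; the feature scaling here is chosen only so that the constructed set is cleanly separable.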

CLC number (中图分类号):

  • TP393