基于AGD的恶意域名检测

doi:10.11959/j.issn.1000-436x.2018116

通信学报 ›› 2018, Vol. 39 ›› Issue (7): 15-25.doi: 10.11959/j.issn.1000-436x.2018116

基于AGD的恶意域名检测

臧小东^1,^2,³,龚俭^1,^2,³,胡晓艳^1,^2,³

¹ 东南大学网络空间安全学院，江苏南京 211189
² 东南大学江苏省计算机网络重点实验室，江苏南京 211189
³ 东南大学教育部计算机网络和信息集成重点实验室，江苏南京 211189

修回日期:2018-06-21 出版日期:2018-07-01 发布日期:2018-08-08
作者简介:臧小东（1985-），男，山东济宁人，东南大学博士生，主要研究方向为网络安全、网络管理。|龚俭（1957-），男，上海人，博士，东南大学教授、博士生导师，主要研究方向为网络安全、网络管理。|胡晓艳（1985-），女，江西金溪人，博士，东南大学讲师，主要研究方向为网络体系结构、网络安全。
基金资助:
国家自然科学基金资助项目(61602114)

Detecting malicious domain names based on AGD

Xiaodong ZANG^1,^2,³,Jian GONG^1,^2,³,Xiaoyan HU^1,^2,³

¹ School of Cyber Science and Engineering,Southeast University,Nanjing 211189,China
² Jiangsu Provincial Key Laboratory of Computer Network Technology,Southeast University,Nanjing 211189,China
³ Key Laboratory of Computer Network and Information Integration of Ministry of Education,Southeast University,Nanjing 211189,China

Revised:2018-06-21 Online:2018-07-01 Published:2018-08-08
Supported by:
The National Natural Science Foundation of China(61602114)

摘要/Abstract

摘要：

提出了一种聚类和分类算法相结合的恶意域名检测思路，首先通过聚类关联，辨识出同一域名生成算法（DGA,domain generation algorithm）或其变体生成的域名，然后分别提取每一个聚类集合中算法生成域名（AGD,algorithmically generated domain）的TTL、解析IP分布、归属、whois的更新、完整性及域名的活动历史特征等，利用 SVM 分类器过滤出其中的恶意域名。实验表明，该算法在不需要客户端查询记录信息的情况下即可实现准确率为 98.4%、假阳性为0.9%的恶意域名检测。

关键词: 网络安全监测, 域名生成算法, 命令与控制服务器, 算法生成域名

Abstract:

A new malicious domain name detection algorithm was proposed.More specifically,the domain names in a cluster belonging to a DGA (domain generation algorithm) or its variants was identified firstly by using cluster correlation.Then,these AGD (algorithmically generated domain) names’ TTL,the distribution and attribution of their resolved IP addresses,their whois features and their historical information were extracted and further applied SVM algorithm to identify the malicious domain names.Experimental results demonstrate that it achieves an accuracy rate of 98.4% and the false positive of 0.9% without any client query records.

Key words: network security monitoring, domain generation algorithm, command and control server, algorithmically generated domain

中图分类号:

TP393

臧小东,龚俭,胡晓艳. 基于AGD的恶意域名检测[J]. 通信学报, 2018, 39(7): 15-25.

Xiaodong ZANG,Jian GONG,Xiaoyan HU. Detecting malicious domain names based on AGD[J]. Journal on Communications, 2018, 39(7): 15-25.

图/表 13

图1

图2

图3

表1

图4

图5

图6

图7

图8

图9

图10

图11

表2

参考文献 25

[1]	江健, 诸葛建伟, 段海新 ,等. 僵尸网络机理与防御技术[J]. 软件学报, 2012,23(1): 82-96.
	JIANG J , ZHUGE J W , DUAN H X ,et al. Research on botnet mechanisms and defenses[J]. Journal of Software, 2012,23(1): 82-96.
[2]	YADAV S , REDDY A , REDDY A ,et al. Detecting algorithmically generated malicious domain names[C]// The 10th ACM SIGCOMM Conference on Internet Measurement. 2010: 48-61.
[3]	STONE G B , COVA M , CAVALLARO L . Your botnet is mybotnet:analysis of a botnet takeover[C]// ACM Conference on Computerand Communications Security (CCS). 2009: 635-647.
[4]	DANIEL P , KHALED Y , MICHAEL K ,et al. A comprehensive measurement study of domain generating mal-ware[C]// The 25th USENIX Security Symposium. 2016: 263-278.
[5]	WANG T S , LIN H T , CHENG W T ,et al. DBod:clustering and detecting dga-based botnets using DNS traffic analysis[J]. Computers＆ Security, 2017,64: 1-15.
[6]	BILGE L , KIRDA E , KRUEGEL C ,et al. Exposure:finding malicious domains using passive DNS analysis[C]// NDSS. 2011: 1-17.
[7]	ANTONAKAKIS M , PERDISCI R , NADJI Y . From throw-away traffic to bots:detecting the rise of DGA-Basedmalware[C]// Usenix Conference on Security Symposium. 2012: 24-40.
[8]	SHARIFNYA R , ABADI M . DFBotKiller:domain-flux botnet detection based on the history of group activities and failures in DNS traffic[J]. Digital Investigation, 2015,12(12): 15-26.
[9]	KHEIR N , TRAN F , CARON P ,et al. Mentor:positive DNS reputation to skim-off benign domains in botnet c＆c blacklists[C]// IFIP International Information Security Conference. 2014: 1-14.
[10]	MANOS A , ROBERTO P , DAVID D ,et al. Building a dynamic reputation system for DNS[C]// The 19th USENIX Security Symposium (USENIX Security’10). 2010: 273-290.
[11]	ANTONAKAKIS M , PERDISCI R , LEE W ,et al. Kopis:detecting malware domains at the upper DNS hierarchy[C]// Usenix Conference on Security. 2011.
[12]	张维维, 龚俭, 刘尚东 ,等. 面向主干网的 DNS 流量监测研究[J]. 软件学报, 2017,28(9): 2370-2387.
	ZHANG W W , GONG J , LIU S D ,et al. DNS surveillance on backbone[J]. Journal of Software , 2017,28(9): 2370-2387.
[13]	THOMAS M , MOHAISEN A . Kindred domains:detecting and clustering botnet domains using DNS traffic[C]// Companion Publication of the International Conference on World Wide Web Companion. 2014: 707-712.
[14]	STEFANO S , FEDERICO M , LORENZO C ,et al. Phoenix:DGA-based botnet tracking and intelligence[C]// International Conference on Detection of Intrusions＆ Malware. 2014: 192-211.
[15]	CELIK Z B , OKTUG S . Detection of fast-flux networks using various DNS feature sets[J]. Computers＆Communications, 2013: 868-873.
[16]	HUANG S Y , MAO C H , LEE H M . Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection[C]// 5th International Symposium on ACM Symposium on Information,Computer and Communications Security . 2010: 101-111.
[17]	ALMOMANI A . Fast-flux hunter:a system for filtering online fast-flux botnet[J]. Neural Computing＆ Applications, 2016: 1-11.
[18]	袁福祥, 刘粉林, 芦斌 ,等. 基于历史数据的异常域名检测算法[J]. 通信学报, 2016,37(10): 172-180.
	YUAN F X , LIU F L , LU B ,et al. Anomaly domains detection algorithm based on historical data[J]. Journal on Communications, 2016,37(10): 172-180.
[19]	WANGA K C , HUANGB C Y , LIN S J ,et al. Fuzzy pattern-based filtering algorithm for botnet detection[J]. Computer Networks, 2011,55(15): 3275-3286.
[20]	WANG K , HUANG C Y , LIN S J ,et al. A fuzzy pattern-based filtering algorithm for botnet detection[J]. Computer Networks the International Journal of Computer ＆ Telecommunications Networking, 2011,55(15): 3275-3286.
[21]	张维维, 龚俭, 刘茜 ,等. 基于词素特征的轻量级域名检测算法[J]. 软件学报, 2016,27(9): 2348-2364.
	ZHANG W W , GONG J , LIU Q ,et al. A Lightweight domain name detection algorithm based on morpheme features[J]. Journal of Software, 2016,27(9): 2348-2364.
[22]	LIN H T , LIN Y Y , CHIANG J W . Genetic-based real-time fast-flux service networks detection[J]. Computer Networks, 2013,57(2): 501-513.
[23]	BILGE L , SEN S , BALZAROTTI D . Exposure:a passive DNS analysis service to detect and report malicious domains[J]. ACM Transactions on Information and System Security (TISSEC), 2014,16(4): 14-41.
[24]	SHI Y , CHEN G , LI J T . Malicious domain name detection based on extreme machine learning[J]. Neural Process Letters, 2017: 1-11.
[25]	LI B D , SPRINGER J , BEBIS G ,et al. A survey of network flow applications[J]. Journal of Network and Computer Applications, 2013,36(2): 567-581.

域名whois信息项	含义
Registrant	注册人信息（姓名、单位、电话、E-mail、通信地址）
Administrative Contact	管理员信息（姓名、单位、电话、E-mail、通信地址）
Technical Contact	技术人员信息（姓名、单位、电话、E-mail、通信地址）
Registrar Name	注册商信息
Created Time	创建时间
Updated Time	最近更新时间
Expire Time	截止时间
Domain Server	域名服务器列表
Status	状态信息

算法	内存开销/MB	计算时间/s
A₃	临时内存80.56，常驻2.57	202.2
A₁	临时内存80.14，常驻2.64	205.1
A₂	临时内存80.74，常驻2.71	208.5
A₄	临时内存80.76，常驻2.71	208.6
A₅	临时内存83.92，常驻2.91	210.8

基于AGD的恶意域名检测

Detecting malicious domain names based on AGD

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 25

相关文章 15

Metrics

推荐阅读 0

[1]	李竟博, 马礼, 李阳, 傅颖勋, 马东超. 感传算协同工业互联网优化设计[J]. 通信学报, 2023, 44(6): 12-22.
[2]	赵仕祺, 黄小红, 钟志港. 基于信誉的域间路由选择机制的研究与实现[J]. 通信学报, 2023, 44(6): 47-56.
[3]	陈真, 陈文辉, 刘啸威, 尤殿龙, 刘林林, 申利民. 功能互补关系增强的云API推荐方法[J]. 通信学报, 2023, 44(6): 125-137.
[4]	魏德宾, 潘成胜, 杨力, 颜佐任. 基于网络流量水平等级预测的自适应随机早期检测算法[J]. 通信学报, 2023, 44(6): 154-166.
[5]	李元诚, 秦永泰. 基于深度强化学习的软件定义安全中台QoS实时优化算法[J]. 通信学报, 2023, 44(5): 181-192.
[6]	夏莹杰, 朱思雨, 刘雪娇. 区块链架构下具有条件隐私的车辆编队跨信任域高效群组认证研究[J]. 通信学报, 2023, 44(4): 111-123.
[7]	谢人超, 文雯, 唐琴琴, 刘云龙, 谢高畅, 黄韬. 轨道交通移动边缘计算网络安全综述[J]. 通信学报, 2023, 44(4): 201-215.
[8]	罗智勇, 张玉, 王青, 宋伟伟. 基于贝叶斯攻击图的SDN入侵意图识别算法的研究[J]. 通信学报, 2023, 44(4): 216-225.
[9]	王一丰, 郭渊博, 陈庆礼, 方晨, 林韧昊, 周永良, 马佳利. 基于对比增量学习的细粒度恶意流量分类方法[J]. 通信学报, 2023, 44(3): 1-11.
[10]	张进, 葛强, 徐伟海, 江逸茗, 马海龙, 于洪涛. 拟态路由器BGP代理的设计实现与形式化验证[J]. 通信学报, 2023, 44(3): 33-44.
[11]	经普杰, 王良民, 董学文, 张玉书, 王骞, Muhammad Sohail. 分层跨链结构：一种面向区块链系统监管的可行架构[J]. 通信学报, 2023, 44(3): 93-104.
[12]	舒坚, 史佳伟, 刘琳岚, Manar Al-Kali. 基于时空卷积的机会网络拓扑预测[J]. 通信学报, 2023, 44(3): 145-156.
[13]	王东滨, 吴东哲, 智慧, 郭昆, 张勖, 时金桥, 张宇, 陆月明. 软件定义网络抗拒绝服务攻击的流表溢出防护[J]. 通信学报, 2023, 44(2): 1-11.
[14]	康海燕, 龙墨澜. 基于吸收马尔可夫链攻击图的网络攻击分析方法研究[J]. 通信学报, 2023, 44(2): 122-135.
[15]	张云涛, 方滨兴, 杜春来, 王忠儒, 崔志坚, 宋首友. 基于异构观测链的容器逃逸检测方法[J]. 通信学报, 2023, 44(1): 49-63.