Fast-flucos：基于DNS流量的Fast-flux恶意域名检测方法

doi:10.11959/j.issn.1000-436x.2020094

通信学报 ›› 2020, Vol. 41 ›› Issue (5): 37-47.doi: 10.11959/j.issn.1000-436x.2020094

Fast-flucos：基于DNS流量的Fast-flux恶意域名检测方法

韩春雨^1,²,张永铮^2,³,张玉¹

¹ 南开大学计算机学院，天津 300071
² 中国科学院信息工程研究所，北京 100093
³ 中国科学院大学网络空间安全学院，北京 100049

修回日期:2020-04-22 出版日期:2020-05-25 发布日期:2020-05-30
作者简介:韩春雨（1990- ），男，黑龙江鹤岗人，南开大学博士生，主要研究方向为网络与信息安全|张永铮（1978- ），男，黑龙江哈尔滨人，博士，中国科学院信息工程研究所研究员、博士生导师，主要研究方向为网络安全态势感知|张玉（1981- ），男，浙江湖州人，南开大学副教授、硕士生导师，主要研究方向为网络安全、数据安全、数据挖掘等
基金资助:
国家自然科学基金资助项目(U1736218);北京市科学技术委员会基金资助项目(Z191100007119005)

Fast-flucos:malicious domain name detection method for Fast-flux based on DNS traffic

Chunyu HAN^1,²,Yongzheng ZHANG^2,³,Yu ZHANG¹

¹ College of Computer Science,Nankai University,Tianjin 300071,China
² Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China
³ School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China

Revised:2020-04-22 Online:2020-05-25 Published:2020-05-30
Supported by:
The National Natural Science Foundation of China(U1736218);Beijing Municipal Science ＆ Technology Commission Project(Z191100007119005)

摘要/Abstract

摘要：

现有的Fast-flux域名检测方法在稳定性、针对性和流量普适性方面存在一些不足，为此提出一种基于DNS流量的检测方法Fast-flucos。首先，采用流量异常过滤和关联匹配算法，以提高检测的稳定性；然后，引入量化的地理广度、国家向量表和时间向量表特征，以加强对Fast-flux域名检测的针对性；最后，采用更合理的正负样本和包括深度学习在内的多种机器学习方法确定最佳分类器和最优特征组合，以尽量确保对真实DNS流量的普适性。基于真实DNS流量的实验表明，Fast-flucos的召回率、精确率和ROC_AUC分别达到了0.998 6、0.976 7和0.992 9，均优于当前主流的EXPOSURE、GRADE和AAGD等检测方法。

关键词: Fast-flux, 域名系统, 域名检测, 机器学习, 深度学习

Abstract:

There are three weaknesses in previous Fast-flux domain name detection method on the aspects of stability,targeting,and applicability to common real-world DNS traffic environment.For this,a method based on DNS traffic,called Fast-flucos was proposed.Firstly,the traffic anomaly filtering and association matching algorithms were used for improving detection stability.Secondly,the features,quantified geographical width,country list,and time list,were applied for better targeting Fast-flux domains.Lastly,the feature extraction were finished by the more suitable samples for trying to adapt to common real-world DNS traffic.Several machine learning algorithms including deep learning are tried for determining the best classifier and feature combination.The experimental result based on real-world DNS traffic shows that Fast-flucos’ recall rate is 0.998 6,precision is 0.976 7,and ROC_AUC is 0.992 9,which are all better than the current main stream approaches,such as EXPOSURE,GRADE and AAGD.

Key words: Fast-flux, domain name system, domain name detection, machine learning, deep learning

中图分类号:

TP393

韩春雨,张永铮,张玉. Fast-flucos：基于DNS流量的Fast-flux恶意域名检测方法[J]. 通信学报, 2020, 41(5): 37-47.

Chunyu HAN,Yongzheng ZHANG,Yu ZHANG. Fast-flucos:malicious domain name detection method for Fast-flux based on DNS traffic[J]. Journal on Communications, 2020, 41(5): 37-47.

图/表 15

图1

图2

图3

表1

图5

图4

图6

图7

图8

图9

图10

表2

图11

图12

表3

参考文献 24

[1]	ZHAUNIAROVICH Y , KHALIL I , YU T ,et al. A survey on malicious domains detection through DNS data analysis[J]. ACM Computing Surveys, 2018,51(4):67.
[2]	ALMOMANI A . Fast-flux hunter:a system for filtering online fast-flux botnet[J]. Neural Computing and Applications, 2018,29(7): 483-493.
[3]	ZHOU C V , LECKIE C , KARUNASEKERA S . Collaborative detection of fast flux phishing domains[J]. Journal of Networks, 2009,4(1): 75-84.
[4]	ZHOU C V , LECKIE C , KARUNASEKERA S ,et al. A self-healing,self-protecting collaborative intrusion detection architecture to trace-back Fast-flux phishing domains[C]// IEEE Network Operations and Management Symposium Workshop. Piscataway:IEEE Press, 2008: 321-327.
[5]	AL-DUWAIRI B N , AL-HAMMOURI A T . Fast flux watch:a mechanism for online detection of fast flux networks[J]. Journal of Advanced Research, 2014,1(3): 1-7.
[6]	MARTINEZ-BEA S , CASTILLO-PEREZ S , GARCIA-ALFARO J , . Real-time malicious fast-flux detection using DNS and bot related features[C]// 2013 Eleventh Annual International Conference on Privacy,Security and Trust. Piscataway:IEEE Press, 2013: 369-372.
[7]	CAGLAYAN A , TOOTHAKER M , DRAPEAU D ,et al. Real-time detection of fast flux service networks[C]// Proceedings of the Cybersecurity Applications ＆ Technology Conference for Homeland Security. 2009: 285-292.
[8]	NAZARIO J , HOLZ T . As the net churns:fast-flux botnet observations[C]// Proceeding of 3rd International Conference on Malicious and Unwanted Software (MALWARE). 2008: 24-31.
[9]	CAGLAYAN A , TOOTHAKER M , DRAPAEAU D ,et al. Behavioral patterns of fast flux service networks[C]// Proceeding of the 43rd Hawii International Conference on System Sciences (HICSS). Piscataway:IEEE Press, 2010: 1-9.
[10]	HU X , KNYSZ M , SHIN K G . Measurement and analysis of global IP-usage patterns of fast-flux botnets[C]// Proceeding of IEEE INFORCOM. Piscataway:IEEE Press, 2011:15.
[11]	PASSERINI E , PALEARI R , MARTIGNONI L ,et al. FluXOR:detecting and monitoring Fast-flux service networks[C]// Proceeding of the 5th Conference on Detection of Intrusion and Malware ＆ Vulnerability Assessment(DIMVA). Berlin:Springer, 2008: 186-206.
[12]	PERDISCI R , CORONA I , DAGON D ,et al. Detecting malicious Flux service networks through passive analysis of recursive DNS traces[C]// Twenty-Fifth Annual Computer Security Applications Conference. Los Alamitos:IEEE Computer Society, 2009: 311-320.
[13]	LIN H T , LIN Y Y , CHIANG J W . Genetic-based real-time fast-flux service networks detection[J]. Computer Networks, 2013(57): 501-513.
[14]	HUANG S Y , MAO C H , LEE H M . Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection[C]// Proceedings of the 5th ACM Symposium on Information,Computer and Communications Security. New York:ACM Press, 2010: 101-111.
[15]	HOLZ T , GORECKI C , RIECK K ,et al. Measuring and detecting Fast-flux service networks[C]// In Symposium on Network and Distributed System Security. 2008: 1-12.
[16]	KNYSZ M , HU X , SHIN K G . Good guys vs.bot guise:mimicry attacks against fast-flux detection systems[C]// Proceeding of IEEE INFORCOM. Piscataway:IEEE Press, 2011: 1844-1852.
[17]	HSU F H , WANG C S , HSU C H ,et al. Detect Fast-flux domains through response time differences[J]. IEEE Journal on Selected Areas in Communications, 2014,32(10): 1947-1956.
[18]	BILGE L , KIRDA E , KRUEGEL C ,et al. EXPOSURE:finding malicious domains using passive DNS analysis[C]// Proceedings of the Network and Distributed System Security Symposium. 2011: 1-17.
[19]	臧小东, 龚俭, 胡晓艳 . 基于 AGD 的恶意域名检测[J]. 通信学报, 2018,39(7): 15-25.
	ZANG X D , GONG J , HU X Y . Detecting malicious domains based on AGD[J]. Journal on Communications, 2018,39(7): 15-25.
[20]	FAKERI-TABRIZI A , NGUYEN T , LIU H L , .et al Analyzing DNS requests for anomaly detection:US 20160065611A1[P].(2016-03-03)[2019-10-31].
[21]	LEI K , FU Q , NI J ,et al. Detecting malicious domains with behavioral modeling and graph embedding[C]// 2019 IEEE 39th International Conference on Distributed Computing Systems. Piscataway:IEEE Press, 2019: 601-611.
[22]	SUN X , TONG M , YANG J ,et al. HinDom:a robust malicious domain detection system based on heterogeneous information network with transductive classification[C]// 22nd International Symposium on Research in Attacks,Intrusions and Defenses. Berkeley:USENIX Association, 2019: 399-412.
[23]	SHI Y , CHEN G , LI J . Malicious domain name detection based on extreme machine learning[J]. Neural Processing Letters, 2018,48(3): 1347-1357.
[24]	周昌令, 陈恺, 公绪晓 ,等. 基于Passive DNS的速变域名检测[J]. 北京大学学报(自然科学版), 2016,52(3): 396-402.
	ZHOU C L , CHEN K , GONG X X ,et al. Detection of Fast-flux domains based on passive DNS analysis[J]. Acta Scientiarum Naturalium Universitatis Pekinensis, 2016,52(3): 396-402.

T/min	Fast-flux域名AX值范围	88%的非Fast-flux域名AX值范围
30	2.82~4.36	1.70~6.40
20	4.24~5.67	1.76~5.38
15	3.76~6.08	1.88~4.80
10	5.08~5.61	2.11~6.62
5	6.78~11.22	2.46~7.38

10折组号	召回率	精确率	ROC_AUC
1	0.996 0	0.981 0	0.992 6
2	1.000 0	0.983 0	0.993 7
3	1.000 0	0.975 0	0.992 3
4	1.000 0	0.977 0	0.994 7
5	0.99 8	0.974 0	0.993 2
6	0.99 8	0.971 0	0.992 5
7	1.000 0	0.971 0	0.993 0
8	0.99 6	0.980 0	0.992 2
9	0.99 8	0.972 0	0.990 1
10	1.000 0	0.983 0	0.994 2
平均	0.998 6	0.976 7	0.992 9

方法	常驻内存峰值/MB	运行时间/s	时间开销相对值
Fast-flucos	212.6	55.3	1
EXPOSURE	196.7	7.0	0.126
GRADE	194.5	30.7	0.555
AAGD	419.1	364.4	6.596

Fast-flucos：基于DNS流量的Fast-flux恶意域名检测方法

Fast-flucos:malicious domain name detection method for Fast-flux based on DNS traffic

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 15

参考文献 24

相关文章 15

Metrics

推荐阅读 0

[1]	陈东昱, 陈华, 范丽敏, 付一方, 王舰. 基于深度学习的随机性检验策略研究[J]. 通信学报, 2023, 44(6): 23-33.
[2]	李荣鹏, 汪丙炎, 张宏纲, 赵志峰. 知识增强的语义通信接收端设计[J]. 通信学报, 2023, 44(6): 70-76.
[3]	马帅, 裴科, 祁华艳, 李航, 曹雯, 王洪梅, 熊海良, 李世银. 基于生成模型的地磁室内高精度定位算法研究[J]. 通信学报, 2023, 44(6): 211-222.
[4]	戴千一, 张斌, 郭松, 徐开勇. 基于多分类器集成的区块链网络层异常流量检测方法[J]. 通信学报, 2023, 44(3): 66-80.
[5]	杨洁, 董标, 付雪, 王禹, 桂冠. 基于轻量化分布式学习的自动调制分类方法[J]. 通信学报, 2022, 43(7): 134-142.
[6]	杨秀璋, 彭国军, 李子川, 吕杨琦, 刘思德, 李晨光. 基于Bert和BiLSTM-CRF的APT攻击实体识别及对齐研究[J]. 通信学报, 2022, 43(6): 58-70.
[7]	廖勇, 王世义. 高速移动环境下基于RM-Net的大规模MIMO CSI反馈算法[J]. 通信学报, 2022, 43(5): 166-176.
[8]	廖育荣, 王海宁, 林存宝, 李阳, 方宇强, 倪淑燕. 基于深度学习的光学遥感图像目标检测研究进展[J]. 通信学报, 2022, 43(5): 190-203.
[9]	赵增华, 童跃凡, 崔佳洋. 基于域自适应的Wi-Fi指纹设备无关室内定位模型[J]. 通信学报, 2022, 43(4): 143-153.
[10]	何高峰, 魏千峰, 肖咸财, 朱海婷, 徐丙凤. 支持数据隐私保护的恶意加密流量检测确认方法[J]. 通信学报, 2022, 43(2): 156-170.
[11]	廖勇, 程港, 李玉杰. 基于深度展开的大规模MIMO系统CSI反馈算法[J]. 通信学报, 2022, 43(12): 77-88.
[12]	段雪源, 付钰, 王坤, 李彬. 基于简单统计特征的LDoS攻击检测方法[J]. 通信学报, 2022, 43(11): 53-64.
[13]	霍俊彦, 邱瑞鹏, 马彦卓, 杨付正. 基于最邻近帧质量增强的视频编码参考帧列表优化算法[J]. 通信学报, 2022, 43(11): 136-147.
[14]	冯智斌, 徐煜华, 杜智勇, 刘鑫, 李文, 韩昊, 张晓博. 对抗智能干扰的主动防御技术[J]. 通信学报, 2022, 43(10): 42-54.
[15]	康海燕, 冀源蕊. 基于本地化差分隐私的联邦学习方法研究[J]. 通信学报, 2022, 43(10): 94-105.