通信学报 ›› 2016, Vol. 37 ›› Issue (10): 172-180.doi: 10.11959/j.issn.1000-436x.2016208

• 学术通信 • 上一篇    下一篇

基于历史数据的异常域名检测算法

袁福祥1,2,刘粉林1,2,芦斌1,2,巩道福1,2   

  1. 1 解放军信息工程大学网络空间安全学院,河南 郑州 450001
    2 数学工程与先进计算国家重点实验室,河南 郑州 450001
  • 出版日期:2016-10-25 发布日期:2016-10-25
  • 基金资助:
    国家自然科学基金资助项目;国家自然科学基金资助项目;国家自然科学基金资助项目;国家自然科学基金资助项目;河南省杰出青年基金资助项目

Anomaly domains detection algorithm based on historical data

Fu-xiang YUAN1,2,Fen-lin LIU1,2,Bin LU1,2,Dao-fu GONG1,2   

  1. 1 School of Cyberspace Security,PLA Information Engineering University,Zhengzhou 450001,China
    2 State Key Laboratory of Mathematical Engineering and Advanced Computing,Zhengzhou 450001,China
  • Online:2016-10-25 Published:2016-10-25
  • Supported by:
    The National Natural Science Foundation of China;The National Natural Science Foundation of China;The National Natural Science Foundation of China;The National Natural Science Foundation of China;The Excellent Youth Foundation of Henan Province of China

摘要:

提出一种基于域名历史数据的异常域名检测算法。该算法基于合法域名与恶意域名历史数据的统计差异,将域名已生存时间、whois信息变更、whois信息完整度、域名IP变更、同IP地址域名和域名TTL值等作为主要参量,给出了具体的分类特征表示;在此基础上,构建了用于异常域名检测的 SVM 分类器。特征分析和实验结果表明,算法对未知域名具有较高的检测正确率,尤其适合对生存时间较长的恶意域名进行检测。

关键词: 异常域名, 域名历史数据, 特征, 检测

Abstract:

An anomaly domains detection algorithm was proposed based on domains’ historical data.Based on statistical differences in historical data of legitimate domains and malicious domains,the proposed algorithm used domains’ lifetime,changes of whois information,whois information integrity,IP changes,domains that share same IP,TTL value,etc,as main parameters and concrete representations of features for classification were given.And on this basis the proposed algorithm constructed SVM classifier for detecting anomaly domains.Features analysis and experimental results show that the algorithm obtains high detection accuracy to unknown domains,especially suitable for detecting long lived malicious domains.

Key words: anomaly domain, domain historical data, feature, detection

No Suggested Reading articles found!