基于历史数据的异常域名检测算法

doi:10.11959/j.issn.1000-436x.2016208

Abstract

Abstract:

An anomaly domains detection algorithm was proposed based on domains’ historical data.Based on statistical differences in historical data of legitimate domains and malicious domains,the proposed algorithm used domains’ lifetime,changes of whois information,whois information integrity,IP changes,domains that share same IP,TTL value,etc,as main parameters and concrete representations of features for classification were given.And on this basis the proposed algorithm constructed SVM classifier for detecting anomaly domains.Features analysis and experimental results show that the algorithm obtains high detection accuracy to unknown domains,especially suitable for detecting long lived malicious domains.

Key words: anomaly domain, domain historical data, feature, detection

Fu-xiang YUAN,Fen-lin LIU,Bin LU,Dao-fu GONG. Anomaly domains detection algorithm based on historical data[J]. Journal on Communications, 2016, 37(10): 172-180.

Figures/Tables 15

实验序号	训练集构成及样本数量			测试集构成及样本数量
实验序号	训练集构成	合法样本/个	恶意样本/个	测试集构成	合法样本/个	恶意样本/个
1	$S_{1} (\frac{3}{4})$	562	447	$S_{1} (\frac{1}{4})$ 、S₂、S₃、S₄、S₅	4 211	1 871
2				S₂、S₃、S₄、S₅	4 024	1 723
3	$S_{2} (\frac{3}{4})$	745	522	$S_{2} (\frac{1}{4})$ 、S₃、S₄、S₅	3 279	1 201
4				S₃、S₄、S₅	3 031	1 028
5	$S_{3} (\frac{3}{4})$	809	393	$S_{3} (\frac{1}{4})$ 、S₄、S₅	2 222	635
6				S₄、S₅	1 953	505
7	$S_{4} (\frac{3}{4})$	1 074	276	$S_{4} (\frac{1}{4})$ 、S₅	879	229
8				S₅	522	138

References 17

[1]	ROSSOW C , DIETRICH C , BOS H . Detection of intrusions and malware,and vulnerability assessment[M]. Berlin: SpringerPress, 2013.
[2]	MAHMOUD M , NIR M , MATRAWY A . A survey on botnet architectures,detection and defences[J]. International Journal of Network Security, 2015,17(3): 272-289.
[3]	PU Y , CHEN X , CUI X ,et al. Data stolen trojan detection based on network behaviors[J]. Procedia Computer Science, 2013,17: 828-835.
[4]	NIRMAL K , JANET B , KUMAR R . Phishing-the threat that still exists[C]// International Conference on Computing and Communications Technologies(ICCCT). IEEE, 2015: 139-143.
[5]	CHEN C M , CHENG S T , CHOU J H . Detection of fast-flux domains[J]. Journal of Advances in Computer Networks, 2013,1(2): 148-152.
[6]	VANIA J , MENIYA A , JETHVA H B . A review on botnet and detection technique[J]. International Journal of Computer Trends and Technology, 2013,4(1): 23-29.
[7]	KHATTAK S , RAMAY N R , KHAN K R ,et al. A taxonomy of botnet behavior,detection and defense[J]. Communications Surveys ＆ Tutorials,IEEE, 2014,16(2): 898-924.
[8]	GARCíA S , UHLí? V , REHAK M . Identifying and modeling botnet C＆C behaviors[C]// The 1st International Workshop on Agents and CyberSecurity. ACM, 2014.
[9]	YADAV S , REDDY A K K , REDDY A L ,et al. Detecting algorithmically generated malicious domain names[C]// The 10th ACM SIGCOMM Conference on Internet Measurement. Melbourne,Australia, 2010: 48-61.
[10]	FELEGYHAZI M , KREIBICH C , PAXSON V . On the potential of proactive domain blacklisting[C]// The 3rd USENIX Conference on Large-Scale Exploits and Emergent Threats:Botnets,Spyware,Worms,and More. San Jose,CA,USA, 2010.
[11]	刘爱江, 黄长慧, 胡光俊 . 基于改进神经网络算法的木马控制域名检测方法[J]. 电信科学, 2014,30(7): 39-42. LIU A J , HUANG C H , HU G J . Detection method of trojan's control domain based on improved neural network algorithm[J]. Telecommunications Science, 2014,30(7): 39-42.
[12]	ANTONAKAKIS M , PERDISCI R , DAGON D ,et al. Building a dynamic reputation system for DNS[C]// USENIX Security Symposium. Washington,DC,USA, 2010: 273-290.
[13]	ANTONAKAKIS M , PERDISCI R , LEE W ,et al. Detecting malware domains at the upper DNS hierarchy[C]// USENIX Security Symposium. San Francisco,CA,USA, 2011: 23-46.
[14]	BILGE L , SEN S , BALZAROTTI D ,et al. Exposure:a passive DNS analysis service to detect and report malicious domains[J]. ACM Transactions on Information and System Security (TISSEC), 2014,16(4): 14-41.
[15]	周勇林, 由林麟, 张永铮 . 基于命名及解析行为特征的异常域名检测方法[J]. 计算机工程与应用, 2011,47(20): 50-52. ZHOU Y L , YOU L L , ZHANG Y Z . Anomaly domain name detection method based on characteristics of name and resolution behavior[J]. Computer Engineering and Applications, 2011,47(20): 50-52.
[16]	LENG Y , XU X , QI G . Combining active learning and semi-supervised learning to construct SVM classifier[J]. Knowledge-Based Systems, 2013,44: 121-131.
[17]	YU B , SMITH L , THREEFOOT M . Machine learning and data mining in pattern recognition[M]. Berlin: SpringerPress, 2014.

Metrics

Recommended 0

No Suggested Reading articles found!

whois信息数/条	合法域名	恶意域名
≤10	1.76%	79.28%
11~20	1.99%	11.57%
21~30	3.78%	4.75%
31~40	5.42%	3.11%
≥41	87.05%	1.29%

whois信息项	含义
registrar	域名注册机构
registrant name	注册人姓名
registrant city	注册人所在城市
registrant postal code	注册人所在城市邮政编码
registrant country	注册人所在国家
admin name	域名管理人姓名
admin city	域名管理人所在城市
admin country	域名管理人所在国家
name server	域名服务器

信息	合法域名	恶意域名	是否与域名已生存时间相关
whois信息更新次数	明显增长	变化较小	是
whois信息完整度	几乎不变	几乎不变	否
IP变更个数	数量较少	明显增长	是
IP变更次数	增长较缓	明显增长	是
同IP地址域名数量	数量较少	数量较多	否
域名TTL值	较大	较小	否

特征序号	特征名称
F₁	域名whois信息更新次数
F₂	域名IP变更个数与次数之比
F₃	域名同IP域名数量与其whois信息完整度总和的比值
F₄	基于域名IP变更速率与TTL的二元函数值

实验序号	正确率	漏报数/个	漏报率	虚警数/个	虚警率
1	89.9%	297	15.9%	318	7.6%
2	91.6%	232	13.5%	251	6.2%
3	94.3%	119	9.9%	137	4.2%
4	95.8%	82	8.0%	89	2.9%
5	97.8%	37	5.8%	26	1.2%
6	98.9%	15	3.0%	13	0.7%
7	99.3%	4	1.7%	4	0.5%
8	99.5%	1	0.7%	2	0.4%

Anomaly domains detection algorithm based on historical data

RichHTML

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

Figures/Tables 15

References 17

Related Articles 15

Metrics

Recommended 0

	恶意样本中				合法样本中
实验序号	各类异常域名样本数量/个				各类异常域名样本数量/个
实验序号	A类	B类	C类	D类	A类	B类	C类	D类
1	47	120	79	51	57	138	65	58
2	31	107	53	41	42	88	70	51
3	25	41	29	24	25	44	41	27
4	19	12	31	20	21	25	25	18
5	8	9	12	8	6	5	8	7
6	4	3	6	2	4	1	5	3
7	1	0	2	1	0	0	3	1
8	0	0	0	1	0	0	1	1

实验序号	测试集构成及样本数量			分类正确率
实验序号	测试集构成	合法样本/个	恶意样本/个	本文方法	文献[11]方法	文献[14]方法
9	S₁'、S₂'、S₃'、S₄'、S₅'	2 000	2 000	89.8%	97.8%	99.5%
10	S₂'、S₃'、S₄'、S₅'	1 687	1 486	92.5%	97.8%	99.5%
11	S₂'、S₃'、S₄'、S₅'	1 687	1 486	95.7%	97.8%	99.5%
12	S₃'、S₄'、S₅'	1 271	885	96.9%	97.8%	99.5%
13	S₃'、S₄'、S₅'	1 271	885	98.1%	97.8%	99.5%
14	S₄'、S₅'	820	433	99.0%	97.8%	99.5%
15	S₄'、S₅'	820	433	99.6%	97.8%	99.5%
16	S₅'	220	116	99.8%	97.8%	99.5%

[1]	Yang GAO, Hongli ZHANG. Survey on community detection method based on random walk [J]. Journal on Communications, 2023, 44(6): 198-210.
[2]	Jinzhi ZHENG, Ruyi JI, Libo ZHANG, Chen ZHAO. End-to-end scene text detection and recognition algorithm based on Transformer decoders [J]. Journal on Communications, 2023, 44(5): 64-78.
[3]	Xin SUN, Guifu ZHANG, Hongyan XING, Wang Zenghui. Research on intrusion detection for maritime meteorological sensor network based on balancing generative adversarial network [J]. Journal on Communications, 2023, 44(4): 124-136.
[4]	Qianyi DAI, Bin ZHANG, Song GUO, Kaiyong XU. Blockchain network layer anomaly traffic detection method based on multiple classifier integration [J]. Journal on Communications, 2023, 44(3): 66-80.
[5]	Bingpeng ZHOU, Shanshan MA. Simultaneous vehicular location and velocity detection towards 6G integrated communication and sensing [J]. Journal on Communications, 2023, 44(3): 81-92.
[6]	Feibo JIANG, Yubo PENG, Li DONG. Deep image semantic communication model for 6G [J]. Journal on Communications, 2023, 44(3): 198-208.
[7]	Shuangyan YI, Yongsheng LIANG, Jingjing LU, Wei LIU, Tao HU, Zhenyu HE. Robust feature selection method via joint low-rank reconstruction and projection reconstruction [J]. Journal on Communications, 2023, 44(3): 209-219.
[8]	Helin SUN, Hongyuan GAO, Yanan DU, Jianhua CHENG, Yapeng LIU. Joint estimation method of target number and orientation parameters for FDA-MIMO radar [J]. Journal on Communications, 2023, 44(2): 41-51.
[9]	Weigang HUO, Rui LIANG, Yonghua LI. Anomaly detection model for multivariate time series based on stochastic Transformer [J]. Journal on Communications, 2023, 44(2): 94-103.
[10]	Guojun LI, Cuiling XIANG, Changrong YE, Zunli WANG. Fast link-establishment method of integrated of communication and detection based on short-wave digital channelization [J]. Journal on Communications, 2023, 44(1): 89-102.
[11]	Hongyu YANG, Haiyun YANG, Liang ZHANG, Xiang CHENG. Feature dependence graph based source code loophole detection method [J]. Journal on Communications, 2023, 44(1): 103-117.
[12]	Yanhua LIU, Jiaqi LI, Zhengui OU, Xiaoling GAO, Ximeng LIU, Weizhi MENG, Baoxu LIU. Adversarial training driven malicious code detection enhancement method [J]. Journal on Communications, 2022, 43(9): 169-180.
[13]	Chengsheng YUAN, Qiang GUO, Zhangjie FU. Copyright protection algorithm based on differential privacy deep fake fingerprint detection model [J]. Journal on Communications, 2022, 43(9): 181-193.
[14]	Rui JIANG, Jun LI, Youyun XU, Xiaoming WANG, Dapeng LI. Fault tolerant GPS-AOA-SINS integrated navigation algorithm based on federated Kalman filter [J]. Journal on Communications, 2022, 43(8): 78-89.
[15]	Weiyu CHEN, Junshan LUO, Fanggang WANG, Haiyang DING, Shilian WANG, Guojiang XIA. Survey of capacity limits and implementation techniques in wireless covert communication [J]. Journal on Communications, 2022, 43(8): 203-218.