信息安全研究 (Journal of Information Security Research), 2020, Vol. 6, Issue 5: 388-395.

• Academic Paper •

Fast-flux Botnet Domain Detection Method Based on Network Traffic

谷勇浩,郭振洋   

  1. School of Computer Science, Beijing University of Posts and Telecommunications
  • Received: 2020-04-29 Online: 2020-05-15 Published: 2020-04-29
  • Corresponding author: 谷勇浩
  • Author biographies: 谷勇浩, born 1980, PhD, master's supervisor, research interest: network security. guyonghao@bupt.edu.cn. 郭振洋, born 1992, master's student, research interest: network security. 583958562@qq.com

Fast-flux Botnet Domain Detection Method Based on Network Traffic


Abstract (Chinese version): APT attacks endanger network security and pose a major threat to enterprise data security. Before launching an APT attack, hackers and criminals may use botnets they have built themselves to prepare for the attack. At the same time, to improve the botnet's chances of generation, attackers often use Fast-flux techniques to hide the command-and-control host, so detecting APT attacks first requires detecting Fast-flux botnet domain names. This paper surveys the state of domestic and international research on Fast-flux botnet detection and finds that existing methods suffer from false positives on CDN domain names and low accuracy. To address this, the paper proposes two new features and, using DNS traffic, designs a detection method based on the AdaBoosting algorithm, which is then validated experimentally. Experiments show that the proposed features and method can effectively reduce the false-positive rate on CDN domain names when detecting Fast-flux domains and greatly improve overall detection performance.

Keywords (Chinese version): APT attacks, Fast-flux, ensemble learning, DNS, botnet

Abstract: APT attacks harm network security and pose a major threat to the security of enterprise data. Hackers and criminals may use their own botnets to prepare for attacks before an APT attack. Fast-flux is used by hackers and criminals to conceal themselves and improve the chances of botnet generation. To detect APT attacks, we therefore need to detect Fast-flux botnet domain names. There are many deficiencies in the existing detection methods, so it is urgent to study detection methods for Fast-flux botnets. We investigated the state of research at home and abroad and found that existing methods suffer from false positives on CDN domain names and low accuracy. This paper presents two new features and designs an AdaBoosting-based detection method using DNS traffic to solve these problems. The proposed method is then verified by experiments. Experiments show that the features and method proposed in this paper can effectively reduce false positives on CDN domain names and greatly improve overall performance in the detection of Fast-flux domain names.

Key words: APT attacks, Fast-flux, ensemble learning, DNS