基于网络流量的Fast-flux僵尸网络域名检测方法

信息安全研究 ›› 2020, Vol. 6 ›› Issue (5): 388-395.

基于网络流量的Fast-flux僵尸网络域名检测方法

谷勇浩,郭振洋

北京邮电大学计算机学院

收稿日期:2020-04-29 出版日期:2020-05-15 发布日期:2020-04-29
通讯作者: 谷勇浩
作者简介:谷勇浩 1980年生，博士，硕导，研究方向：网络安全。 guyonghao@bupt.edu.cn 郭振洋 1992年生，硕士研究生，研究方向：网络安全。 583958562@qq.com

Fast-flux Botnet Domain Detection Method Base On Network Traffic

Received:2020-04-29 Online:2020-05-15 Published:2020-04-29

摘要/Abstract

摘要： APT攻击危害着网络安全，对企业数据安全产生重大威胁，黑客和不法分子在APT攻击前可能会使用自己组建的僵尸网络为攻击做准备。同时为了提高僵尸网络的生成机会，攻击者常会使用Fast-flux技术隐藏主控机，因此要检测APT攻击需要先检测Fast-flux僵尸网络域名。本文调研了Fast-flux僵尸网络检测方法国内外研究现状，发现现有方法存在对CDN域名产生误报、准确率不高的问题。为此，本文提出两个新特征并且利用DNS流量设计了基于AdaBoosting算法的检测方法，然后对所提方法进行验证。实验表明，本文提出特征和方法在对Fast-flux域名检测时可以有效降低对CDN域名的误报率，大大提高整体检测性能。

关键词: APT攻击, Fast-flux, 集成学习, DNS 僵尸网络

Abstract: APT attacks harm the existing network security and pose a major threat to the security of enterprise data. Hackers and criminals may use the bot-nets to prepare for their own attacks before APT attacks. Fast-flux is used by hackers and criminals to conceal themselves and improve the chances of bot-net generation. To detect APT attacks, we need to detect fast-flux bot-net domain names. There are many deficiencies in the existing detection methods, so it is urgent to study the detection methods of fast-flux bot-net. We investigated the research status at home and abroad, and found that the existing methods have the problem of false positives and low accuracy for CDN domain names. This paper presents two new features and designs an AdaBoosting-based method using DNS traffic to solve the above problems. After that, the above detection methods are verified by experiments. Experiments show that the characteristics and methods proposed in this paper can effectively reduce the false positives of CDN domain names and greatly improve the overall detection performance in the detection of fast-flux domain names.

Key words: APT attacks, Fast-flux, ensemble learning, DNS

谷勇浩郭振洋. 基于网络流量的Fast-flux僵尸网络域名检测方法[J]. 信息安全研究, 2020, 6(5): 388-395.

参考文献

[1] 巫锡洪, 刘宝旭, 杨沛安. 基于域名的僵尸网络行为分析[J]. 信息网络安全, 2013(09):16-19. [2] 袁福祥,王琤,刘粉等.基于IP分布及请求响应时间的恶意fast-flux域名检测算法[J].信息工程大学学报,2017,18(5):93-98. [3] 康乐，李东，余翔湛.基于SVM的Fast-flux僵尸网络检测技术研究[J].智能计算机与应用,2011,1(1):24-27. [4] 刘资茂，李芝棠，李战春等.基于代理控制力的Fast-Flux 僵尸网络检测方法[J].广西大学学报：自然科学版,2011,36(增刊1):105-109. [5] Hsu C,Huang C,Chen K, Fast-flux bot detection in real time[C]//International Conference on Recent Advances in Intrusion Detection. Springer-Verlag, 2010:3-4. [6] Stalmans E , Hunter S O , Irwin B . Geo-spatial autocorrelation as a metric for the detection of Fast-Flux botnet domains[C]// Information Security for South Africa. IEEE, 2012. [7] Nazario J, Holz T. As the net churns: Fast-flux botnet observations[C]//2008 3rd International Conference on Malicious and Unwanted Software (MALWARE). IEEE, 2008: 24–31. [8] 左晓军,董立勉,曲武.基于域名系统流量的Fast—Flux僵尸网络检测方法[J].计算机工程,2017,43(9):185-193. [9] Paul T , Tyagi R , Manoj B S , et al. Fast-flux botnet detection from network traffic[C]// India Conference. IEEE, 2015. [10] Basheer Al-Duwairi, Ahmad Al-Hammouri, Monther Aldwairi, et al. GFlux: A Google-Based System for FastFlux Detection[C]//IEEE CNS.IEEE,2015:755-756. [11] Soltanaghaeie, Kharrazim. Detection of fast- flux botnets through DNS traffic analysis[J]. Scientia Iranica ,2015, 22(6):2389-2400. [12] Freund Y . Boosting a Weak Learning Algorithm By Majority[J]. Information and Computation, 1997, 121(2):20-23. [13] Freund Y , Schapire R E . A Decision-Theoretic Generalization of On-Line Learning and an Application to Boosting[J]. Journal of Computer & System Sciences, 1999, 55:119-139. [14] Freund Y. An Adaptive Version of the Boost by Majority Algorithm[J]. Machine Learning, 2001, 43(3):293-318. [15]Google.Fast-Fluxdatasets.[OL/DB]https://sites.google.com/site/huangpublication/datasets/-1-fast-flux-attaack-datasets,2018-10-25