Computer Engineering (计算机工程)

• Security Technology

Fast-Flux Botnet Detection Method Based on Domain Name System Traffic

ZUO Xiaojun 1, DONG Limian 1, QU Wu 2

  1. Electric Power Research Institute, State Grid Hebei Electric Power Company, Shijiazhuang 050021, China; 2. Core Research Institute, Beijing Venustech Cybervision Co., Ltd., Beijing 100193, China
  • Received: 2016-05-19 Online: 2017-09-15 Published: 2017-09-15
  • About the authors: ZUO Xiaojun (b. 1973), male, senior engineer, M.Sc.; main research interests: information security, network management, software engineering. DONG Limian, senior engineer. QU Wu, postdoctoral researcher, CCF member.

Abstract: In a botnet, to maintain the availability and invisibility of its servers, the IP addresses of the Flux-Agents associated with a domain name change constantly, so a blacklist policy is no longer effective in preventing Fast-Flux botnet attacks. To solve this problem, a new Fast-Flux botnet detection method based on the analysis and recognition of Domain Name System traffic is proposed. The method can detect botnets that use Fast-Flux technology on the Internet, and its analysis is not confined to suspicious domain names taken from spam e-mails, click fraud, or blacklists. Experimental results show that the method detects Fast-Flux botnets with high accuracy and helps to build a more complete blacklist.

Key words: botnet, Fast-Flux domain name, Domain Name System (DNS) traffic, hierarchical clustering, machine learning
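The abstract describes detection from DNS traffic followed by hierarchical clustering, but not the features used. The following added example (not the paper's code) shows the shape of such a pipeline with an assumed feature set: successive A-record answers per domain are turned into four features (distinct IPs, distinct /24 prefixes as a stand-in for the autonomous-system diversity a real system would use, mean fraction of addresses not present in the previous answer, log mean TTL), standardised, and grouped by average-linkage agglomerative clustering; the cluster whose members rotate addresses fastest is reported as the Fast-Flux candidate. The DNS answers, domain names and the churn-based selection rule are constructed for this illustration.

```python
"""Toy Fast-Flux triage over DNS answer logs (constructed data, assumed features)."""
from collections import defaultdict
from itertools import combinations
from math import log10, sqrt
from statistics import mean, pstdev

# Constructed DNS answers: (domain, query_time_s, ttl_s, A records).
# Addresses come from the RFC 5737 documentation ranges; the domains are invented.
SAMPLE_ANSWERS = [
    ("flux-a.example", 0, 300, ["203.0.113.5", "198.51.100.9", "192.0.2.44"]),
    ("flux-a.example", 300, 300, ["203.0.113.77", "198.51.100.120", "192.0.2.200"]),
    ("flux-a.example", 600, 300, ["198.51.100.33", "192.0.2.8", "203.0.113.150"]),
    ("flux-b.example", 0, 180, ["192.0.2.17", "203.0.113.66"]),
    ("flux-b.example", 180, 180, ["192.0.2.99", "198.51.100.7"]),
    ("flux-b.example", 360, 180, ["203.0.113.201", "198.51.100.250"]),
    ("flux-b.example", 540, 180, ["192.0.2.133", "203.0.113.18"]),
    ("cdn.example", 0, 60, ["192.0.2.10", "192.0.2.11"]),        # low TTL but stable pool
    ("cdn.example", 60, 60, ["192.0.2.10", "192.0.2.11"]),
    ("cdn.example", 120, 60, ["192.0.2.12", "192.0.2.10"]),
    ("static.example", 0, 86400, ["198.51.100.1"]),
    ("static.example", 86400, 86400, ["198.51.100.1"]),
    ("mail.example", 0, 3600, ["198.51.100.25", "203.0.113.25"]),
    ("mail.example", 3600, 3600, ["198.51.100.25", "203.0.113.25"]),
]

FEATURE_KEYS = ["n_ips", "n_prefixes", "churn", "log_ttl"]


def prefix24(ip):
    """/24 prefix of a dotted-quad address; a crude proxy for network diversity."""
    return ".".join(ip.split(".")[:3])


def domain_features(answers):
    """Per domain: distinct IPs, distinct /24s, mean fraction of IPs absent from
    the previous answer (address churn), and log10 of the mean TTL."""
    by_domain = defaultdict(list)
    for dom, t, ttl, ips in answers:
        by_domain[dom].append((t, ttl, ips))
    feats = {}
    for dom, rows in by_domain.items():
        rows.sort()  # order answers by query time before computing churn
        ips_all, prefixes, ttls, churn, prev = set(), set(), [], [], None
        for _, ttl, ips in rows:
            cur = set(ips)
            if prev is not None:
                churn.append(len(cur - prev) / len(cur))
            prev = cur
            ips_all |= cur
            prefixes |= {prefix24(ip) for ip in cur}
            ttls.append(ttl)
        feats[dom] = {"n_ips": len(ips_all), "n_prefixes": len(prefixes),
                      "churn": mean(churn) if churn else 0.0,
                      "log_ttl": log10(mean(ttls))}
    return feats


def zscore(feats):
    """Standardise each feature across domains so no single scale dominates."""
    names = sorted(feats)
    cols = {k: [feats[d][k] for d in names] for k in FEATURE_KEYS}
    stats = {k: (mean(v), pstdev(v) or 1.0) for k, v in cols.items()}
    return {d: [(feats[d][k] - stats[k][0]) / stats[k][1] for k in FEATURE_KEYS]
            for d in names}


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def hcluster(vecs, k):
    """Bottom-up average-linkage clustering until k clusters remain."""
    clusters = [[d] for d in vecs]
    while len(clusters) > k:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            d = mean(euclid(vecs[a], vecs[b]) for a in clusters[i] for b in clusters[j])
            if best is None or d < best[0]:
                best = (d, i, j)
        _, i, j = best
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]  # j > i, so index i stays valid
    return [sorted(c) for c in clusters]


def flag_fast_flux(answers, k=2):
    """Return the domains in the cluster with the highest mean address churn."""
    feats = domain_features(answers)
    clusters = hcluster(zscore(feats), k)
    suspect = max(clusters, key=lambda c: mean(feats[d]["churn"] for d in c))
    return set(suspect)


if __name__ == "__main__":
    for dom, f in sorted(domain_features(SAMPLE_ANSWERS).items()):
        print(dom, f)
    print("fast-flux candidates:", sorted(flag_fast_flux(SAMPLE_ANSWERS)))
```

The CDN entry is included deliberately: a low TTL alone looks flux-like, but its small, mostly stable address pool keeps it with the benign domains, which is why churn and address diversity carry the decision rather than TTL. A production system would replace the /24 proxy with ASN lookups and choose the number of clusters (or a merge-distance cut-off) from labelled data instead of fixing k=2.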

CLC number: