面向主干网的DNS流量监测

发布时间：2018-05-14 09:05

本文选题：DNS监测 + 域名检测　；参考：《软件学报》2017年09期

【摘要】：面对ISP主干网,为了检测威胁其管理域内用户安全的僵尸网络、钓鱼网站以及垃圾邮件等恶意活动,实时监测流经主干网边界的DNS交互报文,并从域名的依赖性和使用位置两个方面刻画DNS活动行为模式,而后,基于有监督的多分类器模型,提出面向ISP主干网的上层DNS活动监测算法DAOS(binary classifier for DNS activity observation system).其中,依赖性从用户角度观察域名的外在使用情况,而使用位置则关注区域文件中记录的域名内部资源配置.实验结果表明:该算法在不依赖先验知识的前提下,经过两小时的DNS活动观测,可以达到90.5%的检测准确率,以及2.9%的假阳性和6.6%的假阴性.若持续观察1周,准确率可以上升到93.9%,假阳性和假阴性也可以下降到1.3%和4.8%.
[Abstract]:In the face of ISP backbone network, in order to detect malicious activities such as botnet, phishing website, spam and other malicious activities that threaten the safety of users in its administrative domain, real-time monitoring of DNS interactive messages flowing through the boundary of the backbone network is carried out. Then, based on the supervised multi-classifier model, an upper-layer DNS activity monitoring algorithm DAOS(binary classifier for DNS activity observation system for ISP backbone network is proposed. The dependency observes the external usage of the domain name from the user's point of view, while the location pays attention to the internal resource allocation of the domain name recorded in the region file. The experimental results show that the algorithm can achieve 90.5% detection accuracy, 2.9% false positive and 6.6% false negative after two hours of DNS activity observation without prior knowledge. If observed for one week, the accuracy rate could rise to 93.9 and false positive and false negative could also decrease to 1.3% and 4.8%.
【作者单位】：东南大学计算机科学与工程学院;江苏省计算机网络重点实验室;计算机网络和信息集成教育部重点实验室(东南大学);
【基金】：国家科技支撑计划(2008BAH37B04) 国家基础研究发展计划(973)(2009CB320505) 国家自然科学基金(60973123)~~
【分类号】：TP393.06

【相似文献】