Domain Flux Detection Combining Domain Name Request Behaviour Features with Domain Name Composition Features
Published: 2018-12-17 04:38
[Abstract]: Botnets widely use domain flux (domain name variation) to evade domain name blacklist blocking. To address this, a botnet detection method that combines domain name request behaviour features with domain name composition features is proposed. The method uses a support vector machine (SVM) classifier to analyse the domain names that hosts in the network fail to resolve, and extracts the suspected infected hosts from them. It then performs cluster analysis on newly appearing domain names, takes the set of hosts that request the same group of new domain names as the detection object, and checks whether that requesting host set is made up of suspected infected hosts, thereby extracting the set of domain names the botnet is currently using and the set of IP addresses used by its Command and Control (CC) servers. Experimental results show that the trained SVM classifier reaches an accuracy above 98.5%, and that, when monitoring an ISP's domain name servers, the system accurately extracts the IP addresses of infected hosts and CC servers.
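The second stage of the method described above, as an added illustration that is not code from the paper: hosts flagged by the first stage are taken as suspects, successfully resolved new domains are grouped by the exact set of hosts requesting them, and a group whose requester set is mostly suspect hosts yields the botnet's current domain set and the CC IP addresses. The SVM of the first stage is replaced by a simple NXDOMAIN-count threshold (an assumption, so the example runs without a trained model), and the resolver log records are constructed sample data.

```python
from collections import defaultdict

# Constructed resolver log records: (client host, queried domain, rcode, answered IP or None).
# Hosts 10.0.0.5 and 10.0.0.6 play the infected hosts; every value here is made up.
LOG = [
    ("10.0.0.5", "kx7q2m9z.net", "NXDOMAIN", None),
    ("10.0.0.5", "p3v8rt1n.com", "NXDOMAIN", None),
    ("10.0.0.5", "a91qz.info", "NOERROR", "203.0.113.7"),
    ("10.0.0.5", "b2k3m.org", "NOERROR", "203.0.113.8"),
    ("10.0.0.6", "kx7q2m9z.net", "NXDOMAIN", None),
    ("10.0.0.6", "w4nd8c.biz", "NXDOMAIN", None),
    ("10.0.0.6", "a91qz.info", "NOERROR", "203.0.113.7"),
    ("10.0.0.6", "b2k3m.org", "NOERROR", "203.0.113.8"),
    ("10.0.0.7", "example.com", "NOERROR", "198.51.100.1"),
    ("10.0.0.7", "newsite.example", "NOERROR", "198.51.100.2"),
    ("10.0.0.9", "newsite.example", "NOERROR", "198.51.100.2"),
]
KNOWN = {"example.com"}  # domains already seen before the observation window

def suspect_hosts(log, min_failed=2):
    """Stage 1 stand-in: a host is suspect once it has >= min_failed distinct NXDOMAIN names.
    The paper feeds composition features of the failed names to an SVM; a count threshold
    is assumed here instead so the example runs without a trained model."""
    failed = defaultdict(set)
    for host, domain, rcode, _ in log:
        if rcode == "NXDOMAIN":
            failed[host].add(domain)
    return {h for h, names in failed.items() if len(names) >= min_failed}

def group_new_domains(log, known):
    """Stage 2: group successfully resolved new domains by the exact set of hosts requesting them."""
    requesters, answers = defaultdict(set), defaultdict(set)
    for host, domain, rcode, ip in log:
        if rcode == "NOERROR" and domain not in known:
            requesters[domain].add(host)
            answers[domain].add(ip)
    groups = defaultdict(set)
    for domain, hosts in requesters.items():
        groups[frozenset(hosts)].add(domain)
    return groups, answers

def detect(log, known, min_hosts=2, min_ratio=0.5):
    """Flag a domain group when its requesting host set is mostly suspect hosts;
    return the botnet's current domain set and the CC IPs those domains resolve to."""
    suspects = suspect_hosts(log)
    groups, answers = group_new_domains(log, known)
    domains, cc_ips = set(), set()
    for hosts, names in groups.items():
        if len(hosts) >= min_hosts and len(hosts & suspects) / len(hosts) >= min_ratio:
            domains |= names
            for name in names:
                cc_ips |= answers[name]
    return domains, cc_ips
```

The group requested only by 10.0.0.7 and 10.0.0.9 is left alone because neither host is a suspect, which is what keeps a popular new legitimate site from being flagged.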
[Author affiliation]: School of Computer Science, Northwestern Polytechnical University
[Funding]: National Natural Science Foundation of China projects (60903126, 60872145)
[CLC number]: TP393.08
Article ID: 2383668
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2383668.html