Research on Detection Methods for Fast-flux Service Networks
Published: 2019-04-24 03:07
[Abstract]: The rapid development of the Internet has brought great progress and prosperity to human society, but network security problems have also become increasingly serious. The Fast-flux Service Network (FFSN) is a carefully designed and still-evolving technique that is increasingly used in illegal activities such as phishing sites, malicious websites, and the sending of spam and advertisements.
An FFSN consists of a large number of controlled computers, which serve two main purposes: first, they provide a large pool of IP addresses from which the FFSN operator can select IPs to serve its domain name; second, they act as proxies that relay requests for the domain, hiding the operator behind them. The visible behavior of an FFSN is that the DNS records of its domain change continuously at a very high frequency. Because of these characteristics, it offers better concealment and survivability than other techniques commonly used in illegal activities, such as ordinary phishing or malicious websites.
The thesis focuses on analyzing the availability of FFSNs. The availability problem stems from the uncontrollability of the network's nodes. A model describing availability is built on the Poisson process, and the relationship between the availability of an FFSN and its size is analyzed.
To counter the FFSN threat, finding a way to detect it is essential. However, an FFSN behaves similarly to load-balancing techniques such as round-robin DNS and CDNs, so detection requires correctly distinguishing it from them. Based on an extracted feature 4-tuple that characterizes a domain (the number of distinct A records, the TTL value, the IP dispersion, and the domain creation time), an FFSN detection mechanism is proposed. It consists of two layers of classifiers, which detect FFSNs based on a single DNS query and on accumulated DNS queries for the domain, respectively.
A prototype system was implemented according to the proposed mechanism and tested, and a neural network and an SVM were compared. In the tests, the false negative rate was 0% for both, the false positive rate of the SVM was below 2%, and that of the neural network was below 4%. The experimental results show that the proposed detection mechanism identifies FFSNs very effectively.
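The feature 4-tuple and the single-query versus accumulated-query views described in the abstract, as an added example that is not code from the thesis. The dispersion formula (distinct /16 networks divided by distinct addresses), the function names, and the sample responses (constructed, using private 10.x addresses as stand-ins) are all assumptions.

```python
from datetime import date
from ipaddress import ip_address

def dispersion(ips):
    """Assumed definition: distinct /16 networks divided by distinct addresses."""
    ips = set(ips)
    if not ips:
        return 0.0
    nets = {int(ip_address(ip)) >> 16 for ip in ips}
    return len(nets) / len(ips)

def features(responses, created, today):
    """4-tuple (distinct A records, min TTL, IP dispersion, domain age in days).

    responses: list of (ttl_seconds, [A-record IPs]), one entry per DNS query.
    """
    ips = {ip for _, answer in responses for ip in answer}
    min_ttl = min(ttl for ttl, _ in responses)
    age_days = (today - created).days
    return (len(ips), min_ttl, round(dispersion(ips), 2), age_days)

def two_layer_features(responses, created, today):
    """Layer 1 sees only the first response; layer 2 sees every response so far."""
    return (features(responses[:1], created, today),
            features(responses, created, today))

TODAY = date(2009, 3, 11)

# Constructed sample: flux-like domain, new IPs from unrelated networks each query.
FLUX = [
    (180, ["10.1.5.9", "10.44.2.7", "10.93.8.1"]),
    (180, ["10.17.3.3", "10.44.2.7", "10.120.9.4"]),
    (180, ["10.201.1.2", "10.66.7.8", "10.1.5.9"]),
]
# Constructed sample: CDN-like domain, low TTL but a small pool in one network.
CDN = [
    (20, ["10.8.0.1", "10.8.0.2", "10.8.0.3"]),
    (20, ["10.8.0.2", "10.8.0.3", "10.8.0.4"]),
    (20, ["10.8.0.1", "10.8.0.4", "10.8.1.5"]),
]

if __name__ == "__main__":
    print("flux:", two_layer_features(FLUX, date(2009, 3, 1), TODAY))
    print("cdn: ", two_layer_features(CDN, date(2001, 1, 1), TODAY))
```

In the constructed data the CDN-like domain has the lower TTL, so TTL alone would misrank the two; the accumulated view separates them through the growing A-record count and the dispersion, and these vectors are what a trained classifier such as an SVM or neural network would consume.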
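[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2009
[Classification number]: TP393.08
Article ID: 2464053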
Article link: https://www.wllwen.com/wenyilunwen/guanggaoshejilunwen/2464053.html