检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
名 称:
注 释:
机构地区:[1]西安交通大学电子与信息工程学院,西安710049
出 处:《西安交通大学学报》2012年第4期7-12,共6页Journal of Xi'an Jiaotong University
基 金:国家自然科学基金资助项目(60970121);西安市科技计划资助项目(CXY1130①)
摘 要:针对局部行为特征信息偏少而使得僵尸网络行为难以全面追踪的问题,提出了一种基于域名共现行为的僵尸网络行为追踪方法.该方法通过域名共现评分算法计算待测域名与已知僵尸域名的域名共现行为来追踪其他僵尸域名,进而发现更多的僵尸主机;为提高域名评分准确性,还提出了过滤基于网络地址转换的主机域名访问、空间区分单个僵尸网络,以及基于观测时长共现行为统计3项改进措施.采集西安交通大学网络域名服务器的域名查询流量作为数据源进行了实验和测试,结果表明:基于改进的域名评分措施不仅将待测域名数量降为原来的1/4,且计算出的前10名域名共现评分更加合理,提高了追踪僵尸主机的准确性.Botnet activities can't be tracked entirely with traditional methods because of the deficiency of information in local behavioral feature.A novel approach on tracking Botnet activity is presented based on co-occurrence relation of domain name system(DNS) queries.An algorithm is utilized to calculate the co-occurrence between undetermined DNS and known Botnet DNS so as to find some other Botnet DNS.Three improved measures are proposed in order to increase the accuracy of evaluating co-occurrence.The three measures are filtering DNS access by network address translation,differentiating individual spatial Botnet and observation time based statistic of co-occurrence.Experiments are carried out with test data of DNS queries collected in the campus network of Xi′an Jiaotong University.The results show that some advantages are acquired obviously with the improved measures,such as the number of undetermined DNS can fall to a quarter of traditional method,the co-occurrence acquired is more suitable for the top ten DNS and the accuracy is improved in finding zombies.
关 键 词:域名共现行为 僵尸网络 网络行为追踪 网络地址转换
分 类 号:TP393[自动化与计算机技术—计算机应用技术]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.30