Domain Flux Detection Combining Domain-Name Query Behavior Features with Name Composition Features    Cited by: 1

Detecting Domain Flux Through Patterns of Domain Names' Alphanumeric Characters and Querying Behavior of Hosts


Authors: Zhang Yongbin (张永斌) [1], Lu Yin (陆寅) [1], Zhang Yanning (张艳宁) [1]

Affiliation: [1] School of Computer Science, Northwestern Polytechnical University, Xi'an 710029

Source: Journal of Xi'an Jiaotong University (西安交通大学学报), 2013, No. 8, pp. 54-60 (7 pages)

Funding: National Natural Science Foundation of China (60903126; 60872145)

Abstract: Botnets widely use domain flux to evade blocking by domain blacklists. This paper proposes a botnet detection method that combines features of hosts' domain-query behavior with features of domain-name composition. A support vector machine (SVM) classifier trained on the alphanumeric patterns of domain names analyzes the domains whose resolution failed for each host in the network and extracts a set of suspicious infected hosts. Newly appearing, successfully resolved domains are then clustered, the set of hosts that queried the same group of new domains is taken as the detection object, and that host set is checked for being composed of suspicious infected hosts; from the groups that pass this check the method extracts the domain set currently used by the botnet and the set of IP addresses of its command and control (C&C) servers. Experimental results show that the trained SVM classifier reaches an accuracy above 98.5%, and that when DNS traffic at an ISP domain name server is monitored the system accurately extracts the infected hosts and the IP addresses of the C&C servers.

Keywords: network security; botnet; domain name; domain flux

Classification: TP393 [Automation and Computer Technology: Computer Application Technology]
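The two stages the abstract describes (classify each host's failed lookups to find suspicious hosts, then cluster newly resolved domains by the set of hosts that queried them and keep only groups whose querying hosts are all suspicious) can be sketched end to end. The following Python is an added illustration, not code from the paper: the page gives neither the authors' feature set, SVM parameters nor thresholds, so the three name-composition features (vowel ratio, digit ratio, longest non-vowel run), the Pegasos-style hinge-loss trainer that stands in for the SVM, the "last two labels" approximation of the registered domain, the threshold of three DGA-like failures per host, and the requirement that every host in a group be suspicious are all assumptions. The training labels and the DNS log lines are constructed for the example.

```python
"""Domain-flux detection sketch: failed-query classification + host-set clustering.
Added example; features, trainer, thresholds and data are assumptions, not the paper's."""
from collections import defaultdict

VOWELS = set("aeiou")


def features(label: str):
    """Per-label features in [0,1]: vowel ratio, digit ratio, longest non-vowel run ratio."""
    s = label.lower()
    n = max(len(s), 1)
    vowels = sum(c in VOWELS for c in s)
    digits = sum(c.isdigit() for c in s)
    run = best = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return (vowels / n, digits / n, best / n)


# Constructed training labels (second-level labels only); not the paper's dataset.
BENIGN = ["google", "facebook", "wikipedia", "amazon", "microsoft", "youtube",
          "netflix", "github", "twitter", "linkedin", "yahoo", "reddit",
          "instagram", "dropbox", "baidu", "mozilla", "ubuntu", "debian"]
DGA = ["xk3f9qz2a", "qwpzrtvlm", "b7d2k9x4p1", "zxqvwpk", "hjk2lm8n", "rtvxz9k",
       "mnbvcxzq", "tgbyhnujm7", "vfrcdxsw", "kjhgfdsa3", "zqwxrtvb", "lkjhgf2d",
       "xzcvbnm0", "g8f3h7s2", "wqx4pz7tk", "cjmw9rxdf", "pzk5xwqt", "mxq2vbzr"]


def train_linear_svm(pos, neg, epochs=300, lr=0.05, lam=1e-4):
    """Primal hinge-loss subgradient descent (Pegasos-style, fixed step) on a linear SVM."""
    data = [(features(x), 1.0) for x in pos] + [(features(x), -1.0) for x in neg]
    # interleave the classes so the bias does not swing one way for half an epoch
    data = [d for pair in zip(data[:len(pos)], data[len(pos):]) for d in pair]
    w, b = [0.0, 0.0, 0.0], 0.0
    for _ in range(epochs):
        for x, y in data:
            margin = y * (sum(wi * xi for wi, xi in zip(w, x)) + b)
            if margin < 1.0:  # inside the margin: hinge subgradient step
                w = [wi - lr * (lam * wi - y * xi) for wi, xi in zip(w, x)]
                b += lr * y
            else:             # correctly classified with margin: only regularise
                w = [wi - lr * lam * wi for wi in w]
    return w, b


MODEL = train_linear_svm(DGA, BENIGN)


def is_dga_like(label: str) -> bool:
    """Positive side of the hyperplane = algorithmically generated looking."""
    w, b = MODEL
    return sum(wi * xi for wi, xi in zip(w, features(label))) + b > 0


def registered(qname: str) -> str:
    """Crude registered-domain extraction: last two labels (no public-suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def detect(log_lines, baseline, min_dga_failures=3):
    """Return (suspicious hosts, C&C domains, C&C IPs) from 'host qname rcode answer' lines."""
    failed = defaultdict(set)      # host -> DGA-like registered domains that failed
    queried_by = defaultdict(set)  # new successfully resolved domain -> hosts
    answers = defaultdict(set)     # new successfully resolved domain -> IPs
    for line in log_lines:
        host, qname, rcode, answer = line.split()
        dom = registered(qname)
        if rcode == "NXDOMAIN":
            if is_dga_like(dom.split(".")[0]):
                failed[host].add(dom)
        elif rcode == "NOERROR" and dom not in baseline:
            queried_by[dom].add(host)
            answers[dom].add(answer)
    # stage 1: hosts with enough DGA-looking failures are suspicious
    suspicious = {h for h, d in failed.items() if len(d) >= min_dga_failures}
    # stage 2: cluster new domains by the exact set of hosts that resolved them
    clusters = defaultdict(set)
    for dom, hosts in queried_by.items():
        clusters[frozenset(hosts)].add(dom)
    cc_domains, cc_ips = set(), set()
    for hosts, doms in clusters.items():
        if len(hosts) >= 2 and hosts <= suspicious:  # every querying host is suspicious
            cc_domains |= doms
            for d in doms:
                cc_ips |= answers[d]
    return suspicious, cc_domains, cc_ips


# Constructed DNS log: three infected hosts, one clean host with typo lookups.
LOG = """\
10.0.0.5 vpq7zxk.com NXDOMAIN -
10.0.0.5 tkw4rmzx.net NXDOMAIN -
10.0.0.5 jxq9pbvz.org NXDOMAIN -
10.0.0.5 k7vqz2xw.net NOERROR 198.51.100.23
10.0.0.5 rqpz9mxt.org NOERROR 198.51.100.23
10.0.0.5 cdn.newsite.io NOERROR 203.0.113.10
10.0.0.6 hfz3qwpm.com NXDOMAIN -
10.0.0.6 nmv8ktzx.net NXDOMAIN -
10.0.0.6 xwpq2lrz.org NXDOMAIN -
10.0.0.6 zkt7mvxq.com NXDOMAIN -
10.0.0.6 k7vqz2xw.net NOERROR 198.51.100.23
10.0.0.6 rqpz9mxt.org NOERROR 198.51.100.23
10.0.0.7 pwq3zjxh.net NXDOMAIN -
10.0.0.7 rvx9tkqm.org NXDOMAIN -
10.0.0.7 qzl4wpxv.com NXDOMAIN -
10.0.0.7 k7vqz2xw.net NOERROR 198.51.100.23
10.0.0.7 rqpz9mxt.org NOERROR 198.51.100.23
10.0.0.9 googel.com NXDOMAIN -
10.0.0.9 mail.oldhost.example NXDOMAIN -
10.0.0.9 www.github.com NOERROR 140.82.121.4
10.0.0.9 cdn.newsite.io NOERROR 203.0.113.10
""".splitlines()
BASELINE = {"google.com", "github.com"}  # previously seen domains, excluded as "not new"

if __name__ == "__main__":
    print(detect(LOG, BASELINE))
```

The point of the second stage is visible in the sample: `cdn.newsite.io` is new and is queried by an infected host, but its querying set also contains the clean host 10.0.0.9, so it is not reported, whereas the two flux domains are queried by exactly the suspicious hosts and their shared answer surfaces as the C&C address. In a real deployment the baseline would be the resolver's historical successful-domain set and the registered-domain step would use a public-suffix list.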
