Affiliations: [1] State Key Laboratory of Mathematical Engineering and Advanced Computing (数学工程与先进计算国家重点实验室), Zhengzhou, Henan 450001, China; [2] Xi'an Newspaper Media Group (西安报业传媒集团), Xi'an, Shaanxi 710002, China
Source: Journal of Zhejiang University (Engineering Science) (《浙江大学学报(工学版)》), 2017, No. 9, pp. 1780-1787 (8 pages)
Funding: National Key Research and Development Program of China (2016YFB0801505; 2016YFB0801601); National Natural Science Foundation of China (61271252)
Abstract: Traditional DNS tunneling detection methods based on payload analysis and traffic monitoring have a high false positive rate and cannot effectively cope with new DNS tunnel Trojans. A DNS tunnel Trojan detection method based on communication behavior analysis is therefore proposed. First, the differences between the communication behavior of DNS tunnel Trojans and normal DNS resolution behavior are analyzed from the perspective of DNS sessions. Second, seven attributes of DNS tunnel Trojan sessions are extracted and combined into a DNS session evaluation vector. A classifier over these vectors is then built with the random forest algorithm, yielding a DNS tunnel Trojan detection model based on communication behavior analysis. Experimental results on real cases show that the method has a small false positive rate and a low false negative rate, and that it also detects previously unknown DNS tunnel Trojans with high accuracy.
Keywords: DNS tunnel Trojan; DNS session; communication behavior analysis; random forest; Trojan detection
Classification code: TP393.08 [Automation and Computer Technology: Computer Application Technology]
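The abstract describes the approach only at a high level and does not name the seven session attributes. The Python below is an added illustration, not the paper's code: it parses a few constructed DNS query log lines, groups them into sessions keyed by (client IP, registered domain), which is an assumed session definition, and computes seven behavioural features of this example's own choosing (query rate, subdomain length and entropy, longest label, unique-name ratio, share of TXT/NULL queries, mean response size). These are not claimed to be the paper's seven attributes; they simply show what a session-level "behaviour" vector looks like as opposed to per-packet payload inspection. The vectors are the kind of input a random forest classifier would be trained on; the classifier itself is not included. The domains example.com and evil-cdn.net and all log lines are constructed.

```python
"""Session-level DNS feature extraction for tunnel detection (added example, stdlib only)."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: float          # epoch seconds of the query
    client: str        # source IP of the querying host
    qname: str         # queried name, lower-cased, no trailing dot
    qtype: str         # record type, e.g. A, AAAA, TXT
    rcode: str         # response code, e.g. NOERROR, NXDOMAIN
    resp_bytes: int    # size of the response packet


@dataclass(frozen=True)
class SessionVector:
    """Seven behavioural features of one session (this example's choice, not the paper's list)."""
    query_rate: float        # queries per second over the session span
    mean_sub_len: float      # mean length of the part of qname below the registered domain
    max_label_len: int       # longest single label below the registered domain (63 is the limit)
    mean_sub_entropy: float  # mean Shannon entropy (bits/char) of the subdomain part
    unique_ratio: float      # distinct qnames / total queries (tunnels rarely repeat a name)
    rare_qtype_ratio: float  # share of queries using types favoured by tunnelling tools
    mean_resp_bytes: float   # mean response size (tunnels carry data downstream in answers)


RARE_QTYPES = {"TXT", "NULL"}  # assumption: types commonly used by DNS tunnelling tools

# Constructed sample log: 'ts client qname qtype rcode resp_bytes'. Not real traffic.
SAMPLE_LOG = """
1700000000.0 10.0.0.5 www.example.com A NOERROR 60
1700000012.0 10.0.0.5 mail.example.com A NOERROR 60
1700000012.5 10.0.0.5 mail.example.com AAAA NOERROR 88
1700000030.0 10.0.0.5 www.example.com A NOERROR 60
1700000000.0 10.0.0.9 aebqcdfk3mhzp7srt9uw.t.evil-cdn.net TXT NOERROR 300
1700000000.5 10.0.0.9 bfcrdegl4niaq8sut0vx.t.evil-cdn.net TXT NOERROR 300
1700000001.0 10.0.0.9 cgdsefhm5ojbr9tvu1wy.t.evil-cdn.net TXT NOERROR 300
1700000001.5 10.0.0.9 dheyfgin6pkcs0uwv2xz.t.evil-cdn.net TXT NOERROR 300
1700000002.0 10.0.0.9 eifzghjo7qldt1vxw3ya.t.evil-cdn.net TXT NOERROR 300
1700000002.5 10.0.0.9 fjgahikp8rmeu2wyx4zb.t.evil-cdn.net TXT NOERROR 300
"""


def parse_log(text):
    """Parse whitespace-separated log lines into DnsRecord objects."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, rcode, size = line.split()
        records.append(DnsRecord(float(ts), client, qname.lower().rstrip("."),
                                 qtype.upper(), rcode.upper(), int(size)))
    return records


def registered_domain(qname):
    """Crude registered-domain heuristic: last two labels (a real system uses a public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def group_sessions(records):
    """A session is every query one client sends for one registered domain (assumed definition)."""
    sessions = defaultdict(list)
    for r in records:
        sessions[(r.client, registered_domain(r.qname))].append(r)
    return sessions


def session_vector(records):
    """Reduce one session's records to a SessionVector."""
    records = sorted(records, key=lambda r: r.ts)
    domain = registered_domain(records[0].qname)
    # Subdomain part: strip '.<registered domain>' from the end of each qname.
    subs = [r.qname[: -len(domain) - 1] if r.qname != domain else "" for r in records]
    labels = [lab for s in subs for lab in s.split(".") if lab]
    n = len(records)
    span = records[-1].ts - records[0].ts
    return SessionVector(
        query_rate=n / max(span, 1.0),          # clamp span so a burst in <1 s is still finite
        mean_sub_len=sum(len(s) for s in subs) / n,
        max_label_len=max((len(lab) for lab in labels), default=0),
        mean_sub_entropy=sum(shannon_entropy(s) for s in subs) / n,
        unique_ratio=len({r.qname for r in records}) / n,
        rare_qtype_ratio=sum(r.qtype in RARE_QTYPES for r in records) / n,
        mean_resp_bytes=sum(r.resp_bytes for r in records) / n,
    )


def session_vectors(text):
    """Parse a log and return {(client, registered_domain): SessionVector}."""
    return {key: session_vector(recs) for key, recs in group_sessions(parse_log(text)).items()}


if __name__ == "__main__":
    for key, vec in session_vectors(SAMPLE_LOG).items():
        print(key, vec)
```

Run stand-alone, the script prints one vector per session; the tunnelling client stands out on every feature (high query rate, 20-character high-entropy labels, no repeated names, all TXT, large answers) while the ordinary client repeats a handful of short, low-entropy names over A/AAAA. In a deployment these vectors, labelled from known-benign and known-tunnel captures, are the training set for the random forest; because the features describe behaviour rather than payload bytes, a tunnel tool that changes its encoding still produces the same session shape, which is the property the paper relies on for detecting unknown tunnels.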