Authors: Gu Yonghao [1][2]; Guo Zhenyang (谷勇浩, 郭振洋)
Affiliations: [1] School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876; [2] Beijing Key Laboratory of Intelligent Telecommunications Software and Multimedia, Beijing University of Posts and Telecommunications, Beijing 100876
Source: Journal of Information Security Research (《信息安全研究》), 2020, No. 5, pp. 388-395 (8 pages)
Funding: National Natural Science Foundation of China (61873040); Ministry of Industry and Information Technology Communication Soft Science Research Project (2015-R-29).
Abstract: APT attacks undermine network security and pose a major threat to enterprise data. Before launching an APT attack, hackers and other criminals may use a botnet they have built themselves to stage the attack. To improve the botnet's chances of surviving, attackers often use Fast-flux techniques to hide the botmaster (the command-and-control host), so detecting APT attacks first requires detecting Fast-flux botnet domain names. This paper surveys domestic and international research on Fast-flux botnet detection and finds that existing methods produce false positives on CDN domain names and have low accuracy. To address this, the paper proposes two new features and, using DNS traffic, designs a detection method based on the AdaBoost algorithm; the method is then validated experimentally. Experiments show that the proposed features and method effectively reduce the false-positive rate on CDN domain names when detecting Fast-flux domain names and substantially improve overall detection performance.
Keywords: APT attack; Fast-flux; ensemble learning; DNS; botnet
Classification: TP181 [Automation and Computer Technology / Control Theory and Control Engineering]
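The abstract does not spell out the paper's two new features or its AdaBoost model. The following added example (not the paper's code) shows the classic DNS-derived fast-flux features that such classifiers are typically built on, extracted from repeated lookups of a domain, and reproduces the false-positive problem the paper targets: a heuristic that keys only on "many A records with short TTLs" flags a CDN domain as fast-flux, while adding ASN diversity and IP turnover separates the two. All domains, IP addresses, TTLs and the IP-to-ASN map are constructed for the example; in practice the ASN map would come from a routing-data source, and the features would be fed to a trained classifier rather than fixed thresholds.

```python
"""Fast-flux DNS feature extraction and CDN false-positive illustration (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Lookup:
    """One DNS response for `domain`: the A records returned, as (ip, ttl) pairs."""
    domain: str
    a_records: tuple


# Hypothetical IP -> ASN map (constructed). A real pipeline would query BGP/WHOIS data.
IP_TO_ASN = {
    # CDN provider: all edge IPs in one provider-owned ASN
    "203.0.113.10": "AS64500", "203.0.113.11": "AS64500",
    "203.0.113.12": "AS64500", "203.0.113.13": "AS64500",
    # Fast-flux agents: compromised hosts scattered across many (residential) ASNs
    "198.51.100.5": "AS64501", "198.51.100.77": "AS64502", "192.0.2.33": "AS64503",
    "192.0.2.140": "AS64504", "198.51.100.201": "AS64505", "192.0.2.9": "AS64506",
    "203.0.113.200": "AS64507", "198.51.100.150": "AS64508", "192.0.2.250": "AS64509",
    # Ordinary single-host domain
    "192.0.2.1": "AS64510",
}

# Constructed lookups: three responses per domain, spaced over time.
LOOKUPS = [
    # fast-flux: every response carries a fresh set of IPs from different ASNs, short TTL
    Lookup("flux.example", (("198.51.100.5", 180), ("198.51.100.77", 180), ("192.0.2.33", 180))),
    Lookup("flux.example", (("192.0.2.140", 120), ("198.51.100.201", 120), ("192.0.2.9", 120))),
    Lookup("flux.example", (("203.0.113.200", 300), ("198.51.100.150", 300), ("192.0.2.250", 300))),
    # CDN: also many A records and short TTLs, but a small stable pool inside one ASN
    Lookup("cdn.example", (("203.0.113.10", 60), ("203.0.113.11", 60), ("203.0.113.12", 60))),
    Lookup("cdn.example", (("203.0.113.11", 60), ("203.0.113.12", 60), ("203.0.113.13", 60))),
    Lookup("cdn.example", (("203.0.113.10", 60), ("203.0.113.13", 60), ("203.0.113.12", 60))),
    # ordinary: one IP, long TTL
    Lookup("static.example", (("192.0.2.1", 3600),)),
    Lookup("static.example", (("192.0.2.1", 3600),)),
    Lookup("static.example", (("192.0.2.1", 3600),)),
]


def extract_features(lookups):
    """Per-domain features: distinct IPs, distinct ASNs, mean TTL, and IP turnover.

    ip_churn is the mean number of never-before-seen IPs per response after the first;
    a CDN rotates within a fixed pool (churn near 0), a flux network keeps introducing new hosts.
    """
    by_domain = defaultdict(list)
    for lk in lookups:
        by_domain[lk.domain].append(lk)

    features = {}
    for domain, responses in by_domain.items():
        ips, ttls, seen, new_per_response = set(), [], set(), []
        for resp in responses:
            current = {ip for ip, _ in resp.a_records}
            new_per_response.append(len(current - seen))
            seen |= current
            ips |= current
            ttls.extend(ttl for _, ttl in resp.a_records)
        features[domain] = {
            "n_ips": len(ips),
            "n_asns": len({IP_TO_ASN.get(ip, "unknown") for ip in ips}),
            "avg_ttl": mean(ttls),
            "ip_churn": mean(new_per_response[1:]) if len(new_per_response) > 1 else 0.0,
        }
    return features


def naive_is_flux(f):
    """Count-only heuristic: many A records with short TTL. Illustrative thresholds."""
    return f["n_ips"] >= 3 and f["avg_ttl"] <= 300


def refined_is_flux(f):
    """Adds ASN diversity and IP turnover, which a CDN pool does not exhibit. Illustrative thresholds."""
    return naive_is_flux(f) and f["n_asns"] >= 3 and f["ip_churn"] >= 1


def classify(lookups, rule):
    return {domain: rule(f) for domain, f in extract_features(lookups).items()}


if __name__ == "__main__":
    for name, rule in (("naive", naive_is_flux), ("refined", refined_is_flux)):
        print(name, classify(LOOKUPS, rule))
```

The naive rule labels cdn.example as fast-flux because it only looks at record count and TTL, which is exactly the CDN false positive the paper sets out to reduce; the refined rule clears it because the CDN's addresses all sit in one ASN and barely change between responses. Thresholds here are hand-picked for the constructed data; the paper instead learns the decision boundary with AdaBoost over features of this kind plus its two new ones.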