Detection of DNS tunnels based on log statistics feature (cited by: 7)


Authors: WANG Qi (王琪), XIE Kun (谢坤), MA Yan (马严), CONG Qun (丛群) (Information Network Center, Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China; Beijing Wrdtech Co. Ltd, Beijing 100876, China)

Affiliations: [1] Information Network Center, Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876; [2] Beijing Wrdtech Co. Ltd (北京网瑞达科技有限公司), Beijing 100876

Source: Journal of Zhejiang University: Engineering Science (浙江大学学报(工学版)), 2020, No. 9, pp. 1753-1760 (8 pages)

Funding: Fundamental Research Funds for the Central Universities (2019RC53); National CNGI Special Project (CNGI-12-03-001).

Abstract: The logs of a DNS server are used as the data source. Multi-dimensional statistical features are extracted for each second-level domain, such as the entropy of the domain, the number of subdomains and the cache hit rate, and the logs are thereby quantized into a feature vector set. With that set as training data, a random forest model is trained; its parameters are tuned by ten-fold cross-validation to optimize the model and improve overall detection accuracy. Comparative experiments are run with different classification algorithms, and the results are compared with existing research methods. The experimental results show that the proposed detection method achieves an accuracy rate of not less than 90% at a recall rate of 98.5%, an improvement in detection accuracy; the proposed algorithm can therefore effectively detect DNS tunnels.
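As an added illustration of the feature-extraction step described in the abstract (this is not the paper's code; the log format, field layout and sample lines below are constructed assumptions), the following Python script parses a few resolver log lines, groups queries by second-level domain and computes the statistics the abstract names: entropy, number of distinct subdomains and cache hit rate, plus the query count. The abstract does not state exactly which string the entropy is taken over; here it is the pooled characters of the subdomain labels seen under each second-level domain, which is an assumption. A tunnel encodes its payload in long, high-entropy, never-repeating subdomains that the resolver cannot answer from cache, so the three statistics separate the two constructed domains cleanly.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (assumption: not the paper's data or format).
# Fields: timestamp, client IP, queried name, cache result (HIT or MISS).
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2020-09-01T10:00:01 10.0.0.5 www.example.com HIT
2020-09-01T10:00:02 10.0.0.5 mail.example.com HIT
2020-09-01T10:00:03 10.0.0.7 www.example.com HIT
2020-09-01T10:00:04 10.0.0.7 cdn.example.com MISS
2020-09-01T10:00:05 10.0.0.9 a9f3k2m1x7.tunnel-xyz.net MISS
2020-09-01T10:00:06 10.0.0.9 q8z1p0c4v2.tunnel-xyz.net MISS
2020-09-01T10:00:07 10.0.0.9 b7n6m5l4k3.tunnel-xyz.net MISS
2020-09-01T10:00:08 10.0.0.9 z2y1x0w9v8.tunnel-xyz.net MISS
this line is malformed and is skipped
"""


def parse_log(text):
    """Return (qname, cache_hit) tuples; lines without four fields or an
    unknown cache status are skipped rather than aborting the whole batch."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("HIT", "MISS"):
            continue
        records.append((parts[2].rstrip(".").lower(), parts[3] == "HIT"))
    return records


def split_name(qname):
    """Split 'sub.labels.example.com' into ('sub.labels', 'example.com').
    Assumption: the second-level domain is the last two labels; a public
    suffix list would be needed to handle names such as 'x.example.co.uk'."""
    labels = qname.split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s (0.0 if empty)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(records):
    """Aggregate per second-level domain: query count, number of distinct
    subdomains, cache hit rate and entropy of the pooled subdomain characters."""
    groups = defaultdict(lambda: {"queries": 0, "hits": 0,
                                  "subdomains": set(), "chars": []})
    for qname, hit in records:
        sub, sld = split_name(qname)
        g = groups[sld]
        g["queries"] += 1
        g["hits"] += int(hit)
        if sub:
            g["subdomains"].add(sub)
            g["chars"].append(sub.replace(".", ""))
    features = {}
    for sld, g in groups.items():
        features[sld] = {
            "query_count": g["queries"],
            "subdomain_count": len(g["subdomains"]),
            "cache_hit_rate": g["hits"] / g["queries"],
            "subdomain_entropy": shannon_entropy("".join(g["chars"])),
        }
    return features


def feature_vectors(features):
    """Order the per-domain features into fixed-length vectors, the form a
    classifier such as a random forest would be trained on."""
    keys = ("query_count", "subdomain_count", "cache_hit_rate", "subdomain_entropy")
    return {sld: [f[k] for k in keys] for sld, f in features.items()}


if __name__ == "__main__":
    feats = extract_features(parse_log(SAMPLE_LOG))
    for sld, vec in sorted(feature_vectors(feats).items()):
        print(sld, vec)
```

In this constructed sample the benign domain ends up with three distinct subdomains, a 0.75 cache hit rate and roughly 2.5 bits of entropy, while the tunnel domain has one new subdomain per query, a hit rate of zero and entropy above 4 bits. Real labels (benign or tunnel) would be attached to each vector before training, and the detection threshold then comes from the classifier rather than from any single feature.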

Keywords: DNS tunnel; log analysis; DNS cache; random forest; malicious domain

Classification code: TP302 (Automation and Computer Technology: Computer System Architecture)
