Detection Method of Malicious Domain by DNS Graph Mining Based on Improved BP Algorithm
(Chinese title: 基于改进BP算法的DNS图挖掘恶意域名检测方法)  Cited by: 1

Authors: MA Xiao [1]; CAI Manchun [1]; LU Tianliang [1]

Affiliation: [1] School of Information and Cyber Security, People's Public Security University of China, Beijing 102600, China

Source: Journal of People's Public Security University of China (Science and Technology), 2021, No. 4, pp. 68-73 (6 pages)

Funding: "13th Five-Year Plan" national key project (MMJJ20180108); People's Public Security University of China 2019 Fundamental Research Funds major project (2019JKF108).

Abstract: A wide range of malicious activity relies on DNS to manage large distributed networks of infected machines. The dominant approach to malicious domain detection builds classifiers on local, DNS-derived features of individual domains, but this has drawbacks that are hard to overcome: an attacker can change characteristics such as naming patterns and temporal patterns without affecting attack capability, so the features these methods depend on are unstable. Attackers do, however, constantly recycle resources, frequently change domain-to-IP resolutions, and register new domains to avoid detection. This paper exploits that behaviour: starting from labelled domains, it traces back through the query history of all domains to verify and uncover the associations between them. A graph is the natural representation of such relationships, and many graph-based algorithms perform well. The authors build a DNS graph with domain names and host IPs as the data source, mine the intrinsic relationships between domains and host IPs, and, based on the idea of belief propagation (BP), propose an algorithm that computes a reputation score for every node in the graph; the higher a node's score, the higher its inferred probability of being malicious. To demonstrate the method's effectiveness, it is evaluated on a real dataset collected from a DNS data server.
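The abstract describes the core mechanism only in outline: a bipartite graph of domains and the IPs they resolve to, a few labelled seed domains, and belief propagation spreading a maliciousness score through shared infrastructure. The block below is an added illustration of that idea, not the paper's code or its "improved" BP variant (the page does not describe what the improvement is). It runs plain loopy belief propagation with a homophily edge potential, meaning two nodes joined by a resolution edge are assumed to share a label with probability `homophily`. The passive-DNS records, seed labels, the `homophily` and `seed_conf` parameters, and the function names are all constructed here for the example.

```python
"""Belief propagation over a domain/IP bipartite graph (added illustration)."""
from collections import defaultdict

# Constructed passive-DNS sample (domain, resolved IP); not the paper's dataset.
# evil-c2 and shady-update share 203.0.113.10; the benign cluster shares 198.51.100.x.
PDNS_RECORDS = [
    ("evil-c2.example", "203.0.113.10"),
    ("evil-c2.example", "203.0.113.11"),
    ("shady-update.example", "203.0.113.10"),
    ("shady-update.example", "203.0.113.12"),
    ("bank.example", "198.51.100.5"),
    ("news.example", "198.51.100.5"),
    ("news.example", "198.51.100.6"),
    ("cdn.example", "198.51.100.6"),
]

# Constructed seed labels: one known-bad and one known-good domain.
SEEDS = {"evil-c2.example": "malicious", "bank.example": "benign"}


def build_graph(records):
    """Undirected bipartite adjacency: ("domain", d) <-> ("ip", a)."""
    adj = defaultdict(set)
    for domain, ip in records:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    return adj


def prior(node, seeds, seed_conf=0.95):
    """Node prior as (P(benign), P(malicious)); unlabelled nodes are uniform."""
    kind, name = node
    if kind == "domain" and name in seeds:
        p_mal = seed_conf if seeds[name] == "malicious" else 1.0 - seed_conf
        return (1.0 - p_mal, p_mal)
    return (0.5, 0.5)


def belief_propagation(adj, seeds, homophily=0.9, iters=30, tol=1e-6):
    """Synchronous sum-product BP; returns P(malicious) for every node."""
    # psi[xi][xj]: compatibility of neighbour states (same label favoured).
    psi = [[homophily, 1.0 - homophily], [1.0 - homophily, homophily]]
    nodes = list(adj)
    priors = {n: prior(n, seeds) for n in nodes}
    # msgs[(i, j)] is the message from i to j, a distribution over j's state.
    msgs = {(i, j): (0.5, 0.5) for i in nodes for j in adj[i]}

    for _ in range(iters):
        new_msgs, delta = {}, 0.0
        for (i, j) in msgs:
            # Product of i's prior and all incoming messages except the one from j.
            prod = list(priors[i])
            for k in adj[i]:
                if k == j:
                    continue
                prod[0] *= msgs[(k, i)][0]
                prod[1] *= msgs[(k, i)][1]
            m = [sum(psi[xi][xj] * prod[xi] for xi in range(2)) for xj in range(2)]
            z = m[0] + m[1]
            m = (m[0] / z, m[1] / z)
            delta = max(delta, abs(m[1] - msgs[(i, j)][1]))
            new_msgs[(i, j)] = m
        msgs = new_msgs
        if delta < tol:  # converged (exact on trees, approximate with cycles)
            break

    beliefs = {}
    for n in nodes:
        b = list(priors[n])
        for k in adj[n]:
            b[0] *= msgs[(k, n)][0]
            b[1] *= msgs[(k, n)][1]
        beliefs[n] = b[1] / (b[0] + b[1])
    return beliefs


def score_domains(records=PDNS_RECORDS, seeds=SEEDS):
    """Maliciousness score per domain, following the paper's convention that a
    higher score means a higher inferred probability of being malicious."""
    beliefs = belief_propagation(build_graph(records), seeds)
    return {name: round(p, 4) for (kind, name), p in beliefs.items() if kind == "domain"}


if __name__ == "__main__":
    for domain, p in sorted(score_domains().items(), key=lambda kv: -kv[1]):
        print(f"{p:.3f}  {domain}")
```

On this input the unlabelled `shady-update.example` ends up near 0.79 purely because it shares an IP with the malicious seed, while `news.example` and `cdn.example` drift below 0.5 through the benign seed. Two caveats a practitioner should keep in mind: shared hosting and CDN IPs create hubs that let malice "leak" into benign tenants, so high-degree IP nodes usually need damping or pruning before propagation; and BP is only exact on trees, so on real resolution graphs with cycles the scores are approximations whose convergence should be checked rather than assumed.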

Keywords: malicious domain detection; belief propagation algorithm; graph mining; DNS; passive DNS data

Classification code: TP393.08 [Automation and Computer Technology / Computer Application Technology]
