DNS Surveillance on Backbone
Cite this article: ZHANG Wei-Wei, GONG Jian, LIU Shang-Dong, HU Xiao-Yan. DNS Surveillance on Backbone [J]. Journal of Software, 2017, 28(9): 2370-2387.
Authors: ZHANG Wei-Wei, GONG Jian, LIU Shang-Dong, HU Xiao-Yan
Affiliation (all authors): School of Computer Science and Engineering, Southeast University, Nanjing 210096; Jiangsu Provincial Key Laboratory of Computer Network Technology, Nanjing 210096; Key Laboratory of Computer Network and Information Integration, Ministry of Education, Nanjing 210096
Funding: the State Scientific and Technological Support Plan Project of China under Grant No. 2008BAH37B04 (National Key Technology R&D Program), the National Basic Research Program of China (973) under Grant No. 2009CB320505, and the National Natural Science Foundation of China under Grant No. 60973123
Abstract: To detect malicious activities such as botnets, phishing sites and spam that threaten the security of users within an ISP backbone's administrative domain, this paper monitors in real time the DNS interaction messages flowing across the backbone border and characterizes DNS activity behaviour patterns from two aspects of a domain name, its "dependency" and its "usage position". On this basis, using a supervised multi-classifier model, it proposes an upper-layer DNS activity monitoring algorithm for ISP backbones, DAOS (Binary Classifier for DNS Activity Observation System). "Dependency" observes the external use of a domain name from the user's perspective, while "usage position" focuses on the internal resource configuration of the domain name as recorded in the zone file. Experimental results show that, without relying on prior knowledge, the algorithm reaches a detection accuracy of 90.5%, with 2.9% false positives and 6.6% false negatives, after two hours of DNS activity observation. If observation continues for a week, accuracy rises to 93.9%, and the false positive and false negative rates fall to 1.3% and 4.8%.

Keywords: DNS security surveillance; domain name detection; upper-layer DNS traffic; DNS activity analysis; multi-classifier
Received: 2016/7/11
Revised: 2016/9/4

DNS Surveillance on Backbone
ZHANG Wei-Wei, GONG Jian, LIU Shang-Dong, HU Xiao-Yan. DNS Surveillance on Backbone [J]. Journal of Software, 2017, 28(9): 2370-2387.
Authors: ZHANG Wei-Wei, GONG Jian, LIU Shang-Dong, HU Xiao-Yan
Affiliation (all authors): School of Computer Science and Engineering, Southeast University, Nanjing 210096, China; Jiangsu Provincial Key Laboratory of Computer Network Technology, Nanjing 210096, China; Key Laboratory of Computer Network and Information Integration (Southeast University), Ministry of Education, Nanjing 210096, China
Abstract: To detect malicious activities such as botnets, phishing and spam that threaten user security within an ISP's administrative domain, this paper monitors the DNS interaction messages crossing the backbone border in real time and characterizes DNS behaviour patterns with two attributes, "dependency" and "position". It then proposes a supervised-classifier-based DNS activity detection algorithm, DAOS (Binary Classifier for DNS Activity Observation System). The dependency attribute describes the external use of a domain name from the perspective of DNS customers, and the position attribute describes the resource allocation of the records in the zone file. Experimental results show that, with a DNS data source covering 2 hours and without prior knowledge, the algorithm achieves 90.5% accuracy, 2.9% false positives and 6.6% false negatives. If observation continues for a week, accuracy rises to 93.9%, and the false positive and false negative rates fall to 1.3% and 4.8%.
Keywords: DNS surveillance; domain name detection; upper DNS traffic; DNS activity analysis; multi-classifier