
Tracking Botnet Activity Based on Co-Occurrence Relation of Domain Name System Queries
Cite this article: XIA Qin, WANG Zhiwen, LIU Lu. Tracking Botnet Activity Based on Co-Occurrence Relation of Domain Name System Queries [J]. Journal of Xi'an Jiaotong University, 2012, 46(4): 7-12.
Authors: XIA Qin  WANG Zhiwen  LIU Lu
Affiliation: School of Electronics and Information Engineering, Xi'an Jiaotong University, Xi'an 710049, China
Funding: National Natural Science Foundation of China (60970121); Xi'an Science and Technology Program (CXY1130①)
Abstract: Because local behavioral features carry too little information, botnet activity is hard to track comprehensively. To address this, a botnet activity tracking method based on domain-name co-occurrence behavior is proposed. The method uses a domain-name co-occurrence scoring algorithm to compute the co-occurrence behavior between domains under test and known botnet domains, and so tracks further botnet domains and in turn discovers more bot hosts. To improve scoring accuracy, three refinements are also proposed: filtering domain-name queries that come from hosts behind network address translation, spatially distinguishing individual botnets, and computing co-occurrence statistics over the observation duration. Experiments were carried out on DNS query traffic collected at the domain name servers of the Xi'an Jiaotong University campus network. The results show that the improved scoring measures reduce the number of domains under test to a quarter of the original, produce more reasonable co-occurrence scores for the top 10 domains, and improve the accuracy of tracking bot hosts.

Keywords: domain-name co-occurrence behavior  botnet  network activity tracking  network address translation

Tracking Botnet Activity Based on Co-Occurrence Relation of Domain Name System Queries
XIA Qin, WANG Zhiwen, LIU Lu. Tracking Botnet Activity Based on Co-Occurrence Relation of Domain Name System Queries [J]. Journal of Xi'an Jiaotong University, 2012, 46(4): 7-12.
Authors: XIA Qin  WANG Zhiwen  LIU Lu
Institution: School of Electronics and Information Engineering, Xi'an Jiaotong University, Xi'an 710049, China
Abstract: Botnet activity cannot be tracked completely with traditional methods because local behavioral features carry too little information. A novel approach to tracking botnet activity is presented, based on the co-occurrence relation of domain name system (DNS) queries. An algorithm computes the co-occurrence between undetermined domain names and known botnet domain names in order to find further botnet domain names. Three improved measures are proposed to increase the accuracy of the co-occurrence evaluation: filtering DNS queries issued through network address translation, differentiating individual botnets spatially, and computing co-occurrence statistics over the observation time. Experiments are carried out on DNS query data collected in the campus network of Xi'an Jiaotong University. The results show that the improved measures bring clear advantages: the number of undetermined domain names falls to a quarter of that of the traditional method, the co-occurrence scores obtained for the top ten domain names are more reasonable, and the accuracy of finding zombie hosts is improved.
Keywords: co-occurrence of domain names  botnet  tracking of network activity  network address translation
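The page gives only the abstract, so the following Python script is an added example, not the authors' code, that implements the scoring idea the abstract describes on a constructed DNS query log. Each domain is mapped to the set of (client host, time window) cells in which it was queried, a candidate domain is scored by the share of its cells in which a known C2 domain of the same botnet family was also queried, clients that query unusually many distinct domains are treated as NAT gateways and dropped, and each family is scored against its own seed list as a stand-in for the paper's spatial separation of botnets. The log format, the `.example` domain names, the seed lists, the NAT threshold, the window length and the scoring formula are all assumptions made for this example; the paper's own formula is not on this page.

```python
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "epoch_seconds client_ip domain".
# 10.0.0.5/6 are bots of one family, 10.0.0.20/21 of another, 10.0.0.9/10 are clean,
# and 10.0.0.1 is a NAT gateway whose queries mix many hosts together.
SAMPLE_LOG = """
1000 10.0.0.5 bot-c2-a.example
1001 10.0.0.5 cand-c2-b.example
1002 10.0.0.5 portal.example
1010 10.0.0.6 bot-c2-a.example
1011 10.0.0.6 cand-c2-b.example
1012 10.0.0.6 portal.example
5000 10.0.0.5 bot-c2-a.example
5001 10.0.0.5 cand-c2-b.example
5010 10.0.0.6 bot-c2-a.example
5011 10.0.0.6 cand-c2-b.example
1200 10.0.0.9 portal.example
1201 10.0.0.9 news.example
5100 10.0.0.9 portal.example
1300 10.0.0.10 news.example
1301 10.0.0.10 portal.example
2000 10.0.0.20 bot-c2-x.example
2001 10.0.0.20 cand-c2-y.example
2010 10.0.0.21 bot-c2-x.example
2011 10.0.0.21 cand-c2-y.example
1400 10.0.0.1 bot-c2-a.example
1401 10.0.0.1 cand-c2-b.example
1402 10.0.0.1 portal.example
1403 10.0.0.1 news.example
1404 10.0.0.1 shop1.example
1405 10.0.0.1 shop2.example
1406 10.0.0.1 shop3.example
1407 10.0.0.1 shop4.example
"""

# Hypothetical seed lists: known C2 domains kept per botnet family so each family is scored on its own.
BOTNETS = {"family-a": {"bot-c2-a.example"}, "family-x": {"bot-c2-x.example"}}
NAT_DISTINCT_DOMAINS = 6   # hypothetical threshold: more distinct domains than this -> treat client as NAT
WINDOW_SECONDS = 3600      # hypothetical observation window for the co-occurrence statistics


def parse_log(text):
    """Parse 'epoch_seconds client_ip domain' lines into (ts, host, domain) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, host, domain = line.split()
        records.append((int(ts), host, domain.lower().rstrip(".")))
    return records


def detect_nat_hosts(records, threshold=NAT_DISTINCT_DOMAINS):
    """Heuristic NAT filter: a client that queries unusually many distinct domains is
    assumed to front several hosts, and its mixed queries would blur co-occurrence."""
    distinct = defaultdict(set)
    for _, host, domain in records:
        distinct[host].add(domain)
    return {h for h, doms in distinct.items() if len(doms) > threshold}


def build_observations(records, excluded_hosts, window=WINDOW_SECONDS):
    """Map each domain to the set of (host, window) cells in which it was queried;
    co-occurrence is counted once per cell, not once per raw query."""
    obs = defaultdict(set)
    for ts, host, domain in records:
        if host not in excluded_hosts:
            obs[domain].add((host, ts // window))
    return obs


def cooccurrence_scores(obs, known_domains):
    """score(d) = |obs(d) & obs(known)| / |obs(d)|: share of the candidate's cells in
    which a known C2 domain of the same family was also queried (assumed formula)."""
    known_cells = set().union(*(obs.get(k, set()) for k in known_domains))
    return {d: len(cells & known_cells) / len(cells)
            for d, cells in obs.items() if d not in known_domains}


def rank_candidates(log_text, botnets, min_score=0.5, filter_nat=True):
    """Per botnet family, return (domain, score) pairs scoring >= min_score, best first."""
    records = parse_log(log_text)
    nat = detect_nat_hosts(records) if filter_nat else set()
    obs = build_observations(records, nat)
    ranked = {}
    for family, known in botnets.items():
        scores = cooccurrence_scores(obs, known)
        ranked[family] = sorted(((d, s) for d, s in scores.items() if s >= min_score),
                                key=lambda ds: -ds[1])
    return ranked, nat


def infected_hosts(log_text, domains, filter_nat=True):
    """Hosts (NAT gateways excluded) that queried any of the given domains."""
    records = parse_log(log_text)
    nat = detect_nat_hosts(records) if filter_nat else set()
    return sorted({h for _, h, d in records if d in domains and h not in nat})


if __name__ == "__main__":
    ranked, nat = rank_candidates(SAMPLE_LOG, BOTNETS)
    print("NAT gateways filtered:", nat)
    for family, cands in ranked.items():
        print(family, cands, "hosts:", infected_hosts(SAMPLE_LOG, {d for d, _ in cands}))
```

Running it with `filter_nat=False` shows why the NAT filter matters: the gateway 10.0.0.1 queries the known C2 domain alongside unrelated shop domains in the same window, so every domain it touches scores 1.0 for family-a and `portal.example` rises to 0.5; with the filter on, only `cand-c2-b.example` survives for family-a and only `cand-c2-y.example` for family-x, and the bots behind each are the hosts that queried those candidates.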
This article is indexed in CNKI, Wanfang Data and other databases.