北京大学学报(自然科学版) ›› 2016, Vol. 52 ›› Issue (3): 396-402.DOI: 10.13209/j.0479-8023.2016.064

上一篇    下一篇

基于Passive DNS的速变域名检测

周昌令1,2,3, 陈恺1,2, 公绪晓1, 陈萍1, 马皓1   

  1. 1. 北京大学计算中心, 北京 100871
    2. 北京大学信息科学技术学院, 北京 100871
    3. 北京大学计算机研究所, 北京 100871
  • 收稿日期:2015-06-01 修回日期:2015-07-07 出版日期:2016-05-20 发布日期:2016-05-20
  • 通讯作者: 周昌令, E-mail: zclfly(at)pku.edu.cn
  • 基金资助:
    国家2012 年下一代互联网技术研发、产业化和规模商用专项项目(CNGI-12-03-001)、国家发展改革委员会2011 年国家信息安全专项和863 计划(2015AA011403)资助

Detection of Fast-Flux Domains Based on Passive DNS Analysis

ZHOU Changling1,2,3, CHEN Kai1,2, GONG Xuxiao1, CHEN Ping1, MA Hao1   

  1. 1. Computer Center of Peking University, Beijing 100871
    2. School of Electronics Engineering and Computer Science, Peking University, Beijing 100871
    3. Institute of Computer Science & Technology of Peking University, Beijing 100871
  • Received:2015-06-01 Revised:2015-07-07 Online:2016-05-20 Published:2016-05-20
  • Contact: ZHOU Changling, E-mail: zclfly(at)pku.edu.cn

摘要:

利用Passive DNS采集校园网真实运行环境的域名访问记录, 从域名的多样性、时间性、增长性和相关性等方面构建18个特征集, 提出基于随机森林算法来识别速变域名的模型。交叉验证实验表明, 所构建的模型对域名分类的准确率超过90%。在所采集的数据集上, 所构建的模型比FluxBuster 能更有效地识别速变域名。

关键词: Passive DNS, 速变域名, 随机森林算法, DGA, CDN

Abstract:

The authors use Passive DNS to log domain name query history of real campus network environment, and construct eighteen feature sets grouping by diversity, time, growth, and relevance, and then propose a model detect Fast-Flux Domains using random forest algorithm. The result shows that the proposed model can classify domains with accuracy over 90% by cross validation experiments. The model can detect Fast-Flux domains in the datasets used in this study more effectively compared with Fluxbuster.

Key words: Passive DNS, fast-flux domain, random forest algorithm, DGA, CDN

中图分类号: