
Tracking Botnet Activity Based on Co-Occurrence Relation of Domain Name System Queries (cited by: 4)
Abstract: Because local behavioral features carry too little information, botnet activity is difficult to track comprehensively. To address this, a botnet tracking method based on domain name co-occurrence behavior is proposed. A domain co-occurrence scoring algorithm computes the co-occurrence between candidate domains and known botnet domains in order to track down other botnet domains, and from them to discover more bot hosts. To improve scoring accuracy, three improvements are also proposed: filtering out domain accesses from hosts behind network address translation (NAT), spatially distinguishing individual botnets, and computing co-occurrence statistics based on observation duration. Experiments and tests used domain name query traffic collected from the DNS servers of the Xi'an Jiaotong University network as the data source. The results show that the improved scoring measures not only reduce the number of candidate domains to 1/4 of the original, but also yield more reasonable co-occurrence scores for the top 10 domains, improving the accuracy of tracking bot hosts.
Source: Journal of Xi'an Jiaotong University (EI, CAS, CSCD, PKU Core), 2012, No. 4, pp. 7-12 (6 pages)
Funding: National Natural Science Foundation of China (60970121); Xi'an Science and Technology Program (CXY1130①)
Keywords: domain name co-occurrence behavior; botnet; network activity tracking; network address translation