CN110177123B - Botnet detection method based on DNS mapping association graph - Google Patents


Info

Publication number: CN110177123B
Authority: CN (China)
Application number: CN201910534665.3A
Other languages: Chinese (zh)
Other versions: CN110177123A (en)
Inventors: 张小松, 牛伟纳, 熊智鹏, 谢鑫, 蒋天宇, 葛洪麟
Assignee (current and original): University of Electronic Science and Technology of China
Legal status: Active
Prior art keywords: domain name, graph, flow, nodes, node

Classifications

    • H04L61/4511 Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
    • H04L63/1416 Event detection, e.g. attack signature detection (network security: detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L2463/144 Detection or countermeasures against botnets


Abstract

The invention relates to a botnet detection method based on a DNS mapping association graph, which comprises the following steps: A. filtering DNS traffic down to the response packets containing A records and preprocessing the filtered response packet traffic; B. extracting the association mapping relations from the preprocessed response packet traffic, using the full domain name and the IP respectively as keys, constructing bipartite graph component sets with the full domain name and the IP respectively as central nodes, and merging the graph components within each bipartite graph component set; C. analyzing the elements of the bipartite graph component sets and extracting graph feature vectors; D. taking published Fast-flux and Domain-flux botnet datasets as input, executing steps A to C, dividing the data into a training set and a test set according to the extracted graph feature vectors, and obtaining a classification model with the LightGBM algorithm; E. applying the classification model to complete botnet detection on the traffic to be inspected. The method detects Fast-flux and Domain-flux botnets simultaneously and has high detection accuracy.

Description

Botnet detection method based on DNS mapping association graph
Technical Field
The invention relates to a detection method of network security, in particular to a botnet detection method based on a DNS mapping association diagram.
Background
Botnets are comprehensive attack platforms that evolved from traditional malicious code such as computer viruses, trojan horses, network worms and spyware. In recent years, newer botnet programs have also applied technologies such as 0-day vulnerabilities, phishing and P2P to their propagation, so that traditional hosts, mobile devices, and even cloud equipment and routers are infected and become hosts controlled by the botnet, commonly called 'broilers' (zombie hosts). Botnets remain one of the major threats to the internet and continue to evolve, and their detection has become a significant challenge for security practitioners.
DNS (Domain Name System) is an important service of the internet: a distributed database that maps domain names to IP addresses, similar to a phone book, recording the correspondence between domain names and IP addresses.
Fast-flux refers to a technique in which the association between a domain name and its IP addresses changes constantly. A network deployed with Fast-flux is called an FFSN (Fast-flux Service Network); by constantly changing DNS records, an FFSN can assign many (even thousands of) IP addresses to a single legitimate domain name, guaranteeing high availability of that domain name.
Domain-flux refers to the botnet controller dynamically changing domain names to evade detection. Its key is the domain generation algorithm (DGA), which uses a seed to randomly generate a large number of domain names; the zombie hosts then issue DNS requests for them one by one to attempt a communication connection, and only a portion of the requests are answered. Because the communication endpoints between the attacker and the controlled hosts also change dynamically, detection is well evaded.
Disclosure of Invention
The invention provides a botnet detection method based on a DNS mapping association graph, which aims at the detection of Fast-flux and Domain-flux botnets and has higher detection accuracy.
The invention relates to a botnet detection method based on a DNS mapping association graph, which comprises the following steps:
A. DNS traffic filtering and preprocessing: from a traffic mirror of the equipment at the egress of the network under inspection, DNS traffic is filtered according to preset rules, the response packet traffic containing A records (an A (Address) record maps a specified host name or domain name to an IP address) is filtered out of it, and the filtered response packet traffic is then preprocessed;
B. Graph mapping association processing: from the preprocessed response packet traffic, using the full domain name (FQDN) and the IP respectively as keys according to the DNS query responses, the association mapping relations are extracted, bipartite graph component sets with the full domain name and the IP respectively as central nodes are constructed, and the graph components within each bipartite graph component set are merged;
C. Graph component feature analysis and extraction: the elements of the bipartite graph component sets are analyzed, and graph feature vectors are extracted in combination with the information obtained during preprocessing;
D. Graph component classification: taking published Fast-flux and Domain-flux botnet datasets as input, steps A to C are executed, the data is standardized according to the extracted graph feature vectors, the standardized data is divided into a training set and a test set, and a classification model is obtained with the LightGBM algorithm. LightGBM is a fast, high-performance, distributed gradient boosting framework open-sourced by Microsoft in 2017 that can be used for machine learning tasks such as ranking, classification and regression. It is based on decision trees, splits leaf nodes with a leaf-wise growth strategy, and, without reducing accuracy, is about 10 times faster than mainstream classification algorithms while using about 3 times less memory.
E. The information of the traffic to be inspected is input into the classification model, which computes whether the traffic is malicious and, if it is, which category of malicious traffic it belongs to (Fast-flux or Domain-flux botnet).
Through tests, the method can cover the detection of Fast-flux and Domain-flux two types of botnets simultaneously, and has higher detection accuracy.
Further, the preprocessing in step A includes secondary filtering of the A-record response packet traffic against a whitelist of full domain names and IPs, and extraction of several fields from each A record, using the timestamp of the traffic as the ID; the fields include the timestamp, source MAC address, destination MAC address, source IP, destination IP, TTL value, source port and destination port.
Furthermore, when the graph components in the bipartite graph component sets are merged in step B, the set centred on the full domain name and the set centred on the IP are each merged in their own corresponding manner.
Specifically, when graph components whose central nodes are full domain names are merged, the difference DD between similar domain names is first calculated from the hierarchical structure of full domain names, and then two similar graph components are merged with a k-means clustering algorithm, where the difference DD between similar domain names is calculated as follows:
Figure GDA0002500012170000021
Figure GDA0002500012170000022
Figure GDA0002500012170000023
Figure GDA0002500012170000024
where ω_λ is an intermediate value in the domain name difference calculation, λ is the level of the domain name hierarchy, X and Y are full domain names, X_λ is the λ-th level of the full domain name X and Y_λ the λ-th level of the full domain name Y (for example, for the full domain name www.baidu.com the first level is com), |X_λ| is the length of X_λ, |Y_λ| is the length of Y_λ, |X| is the number of levels of X, |Y| is the number of levels of Y, α is a preset parameter used as a balance weight and initialized to 2 (an empirical value that can be tuned afterwards), and dd_λ and Ω are intermediate values of the calculation.
Specifically, when graph components whose central node is an IP are merged, the condition is that IP addresses adjacent to the central node provide similar services; the similarity IS of the two IPs is calculated within a given time span, and similar graph components are merged when IS reaches a threshold. The time span is the data-processing interval of the actual deployment, usually 12 hours as the initial value. The similarity IS of two IPs is calculated as:
Figure GDA0002500012170000031
In the above formula, X is the IP address of the central node of the graph component and Y the adjacent IP address; X_m and Y_m are the numeric values of X and Y, and X_t and Y_t are their timestamps; α and β are preset parameters with initial values 1.8 and 0.2 respectively; λ is the class difference of the two IP addresses, for example the class difference between a class-A and a class-B address is 1, and between a class-A and a class-C address it is 2.
On this basis, the graph component feature analysis in step C comprises the following steps:
C1. Structural features of the graph component: count the nodes in the graph component, i.e. the full domain name nodes and IP nodes, and calculate the maximum degree and the average degree of all central nodes;
C2. Full domain name node features: using the information obtained after the traffic preprocessing of step A, derive the Whois information of the full domain name from the public data of the Whois database; Whois information is the public registration information of domain names and IPs, describing their basic attributes.
C3. IP node features: using the information obtained after the traffic preprocessing of step A, derive the Whois information of the IP node from the public data of the Whois database;
C4. Connecting edge features: the nodes in a graph component are connected by edges, one edge being one DNS query response; the TTL information of the edges (Time To Live, the IP header field giving the maximum number of hops an IP packet may traverse before a router discards it), including its mean and variance, is selected as the edge feature;
C5. Blacklist features: the blacklist consists of a full domain name blacklist and an IP blacklist. When the blacklist features of a graph component are analyzed, the following are calculated against the published blacklist library: the number of marked full domain names in the component, the number of marked second-level-domain + top-level-domain (2-LD + TLD) values, the maximum degree of the marked full domain name nodes, the number of marked IP nodes, the maximum degree of the marked IP nodes, and the ratio of marked nodes to total nodes.
Further, the Whois information of the full domain name in step C2 includes the creation time, the number of updates, the completeness, the maximum number of levels of the full domain name, the number of tie levels, the number of top-level domain (TLD) categories, the number of second-level domain (2-LD) categories, and the maximum length, average length, number of words and character repetition degree of the second-level domain (2-LD) string.
Further, the Whois information of the IP node in step C3 includes the status of the IP node, the update time, the country to which it belongs, the number of autonomous system numbers (ASN) of the IP node, and the ratio of the number of ASNs to the number of IPs.
The botnet detection method based on the DNS mapping association graph has the advantages that:
1. The method covers the detection of Fast-flux and Domain-flux botnets simultaneously.
2. Filtering DNS traffic down to the response packets that carry A records greatly reduces the data volume for subsequent processing.
3. Constructing bipartite graph sets with the full domain name and the IP as central nodes provides a new way of processing DNS traffic.
4. Merging with different algorithms for the full domain name and for the IP respectively greatly reduces the graph component dataset and better matches the technical characteristics of Fast-flux and Domain-flux.
5. Analyzing the features of the DNS mapping association graph greatly improves the accuracy of botnet detection, and the method is also suitable for processing the mass data of a high-speed network.
The present invention will be described in further detail with reference to the following examples. This should not be understood as limiting the scope of the above-described subject matter of the present invention to the following examples. Various substitutions and alterations according to the general knowledge and conventional practice in the art are intended to be included within the scope of the present invention without departing from the technical spirit of the present invention as described above.
Drawings
Fig. 1 is a flowchart of a botnet detection method based on a DNS mapping association map according to the present invention.
Detailed Description
This embodiment uses a Linux distribution, CentOS, version 7.6.1810.
As shown in fig. 1, the botnet detection method based on the DNS mapping association map of the present invention includes:
A. DNS traffic filtering and preprocessing: the equipment at the egress of the network under inspection includes switches, routers and the like. Traffic is directed to a specific server network port by configuring a mirror port, and PF_RING is installed on the server; if the data volume is large, traffic collection at the 10 Gbps level can be achieved with PF_RING + Zero Copy. DNS traffic is filtered according to BPF (Berkeley Packet Filter) rules, and the response packet traffic containing A records (an A (Address) record maps a specified host name or domain name to an IP address) is filtered out of it.
The filtered response packet traffic is then preprocessed: the A-record response packet traffic is filtered a second time against a whitelist of full domain names and IPs, and several fields of each A record are extracted with the timestamp of the traffic as the ID, including the timestamp, source MAC address, destination MAC address, source IP, destination IP, TTL value, source port and destination port.
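As an added illustration of step A (example code written for this page, not code from the patent or its inventors), the following Python parses constructed DNS response packets, keeps only responses that carry A answers, applies the full-domain-name and IP whitelist as a second filter, and stores the listed fields keyed by the capture timestamp. The frame metadata (MAC addresses, IP-header TTL, ports) is constructed as if it had been read from the mirrored packets; the whitelist contents, the helper names and the `build_dns_response` test builder are assumptions, not anything the patent specifies.

```python
import struct
import ipaddress


def encode_name(name):
    """DNS wire encoding of a dotted name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_dns_response(txid, qname, a_records, rr_ttl=60):
    """Constructed test packet: a DNS response with one question and N A answers."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(a_records), 0, 0)   # QR=1, RD/RA set
    question = encode_name(qname) + struct.pack(">HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c"                                    # compression pointer to the question name
        + struct.pack(">HHIH", 1, 1, rr_ttl, 4)        # TYPE=A, CLASS=IN, TTL, RDLENGTH
        + ipaddress.IPv4Address(ip).packed
        for ip in a_records)
    return header + question + answers


def read_name(buf, pos):
    """Decode a (possibly compressed) name; return (name, position after the name field)."""
    labels, end, jumped = [], None, False
    while True:
        n = buf[pos]
        if n & 0xC0 == 0xC0:                           # pointer: follow it, remember where we were
            if not jumped:
                end = pos + 2
            pos = struct.unpack(">H", buf[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if n == 0:
            break
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), (end if jumped else pos)


def parse_a_answers(buf):
    """Return (qname, [(ip, rr_ttl), ...]) for a DNS response with A answers, else None."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
    if not flags & 0x8000:                             # QR bit clear: a query, not a response
        return None
    pos, qname = 12, None
    for _ in range(qd):
        qname, pos = read_name(buf, pos)
        pos += 4                                       # skip QTYPE + QCLASS
    found = []
    for _ in range(an):
        _, pos = read_name(buf, pos)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", buf[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # only A / IN answers are kept
            found.append((str(ipaddress.IPv4Address(buf[pos:pos + 4])), ttl))
        pos += rdlen
    return (qname, found) if found else None


def in_whitelist(fqdn, allowed_domains):
    """A name is whitelisted if it equals, or is a subdomain of, an allowed domain."""
    return any(fqdn == d or fqdn.endswith("." + d) for d in allowed_domains)


def preprocess(packets, domain_allow, ip_allow):
    """Step A: keep A-record responses, drop whitelisted names/IPs, key the fields by timestamp."""
    records = {}
    for pkt in packets:
        parsed = parse_a_answers(pkt["udp_payload"])
        if parsed is None:
            continue
        fqdn, answers = parsed
        if in_whitelist(fqdn, domain_allow):
            continue
        answers = [(ip, ttl) for ip, ttl in answers if ip not in ip_allow]
        if not answers:
            continue
        records[pkt["ts"]] = {
            "fqdn": fqdn, "src_mac": pkt["src_mac"], "dst_mac": pkt["dst_mac"],
            "src_ip": pkt["src_ip"], "dst_ip": pkt["dst_ip"], "ip_ttl": pkt["ip_ttl"],
            "src_port": pkt["src_port"], "dst_port": pkt["dst_port"], "answers": answers,
        }
    return records


# Constructed whitelist and capture standing in for the mirror-port feed (assumed values).
DOMAIN_ALLOW = {"example.com"}
IP_ALLOW = {"198.51.100.77"}


def sample_capture():
    meta = dict(src_mac="00:11:22:33:44:55", dst_mac="66:77:88:99:aa:bb",
                src_ip="198.51.100.53", dst_ip="192.0.2.10", src_port=53, dst_port=40000)
    return [
        dict(meta, ts=1.0, ip_ttl=57, udp_payload=build_dns_response(1, "www.example.com", ["93.184.216.34"])),
        dict(meta, ts=2.0, ip_ttl=57, udp_payload=build_dns_response(
            2, "x7k2q.flux-test.invalid", ["203.0.113.7", "203.0.113.9", "198.51.100.77"])),
        # a plain query (QR=0) that a BPF rule for responses would already have dropped
        dict(meta, ts=3.0, ip_ttl=64, udp_payload=struct.pack(">HHHHHH", 3, 0x0100, 1, 0, 0, 0)
             + encode_name("x7k2q.flux-test.invalid") + struct.pack(">HH", 1, 1)),
    ]
```

Running `preprocess(sample_capture(), DOMAIN_ALLOW, IP_ALLOW)` keeps only the record at timestamp 2.0: the whitelisted `example.com` response and the query are dropped, and the whitelisted answer IP is removed from the remaining response while the two other answers survive with their RR TTL.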
B. Graph mapping association processing: for the preprocessed response packet traffic, the association mapping relations are extracted according to the DNS query responses, using the full domain name (FQDN) and the IP respectively as keys; bipartite graph component sets with the full domain name and the IP respectively as central nodes are constructed, and the graph components are merged, using a corresponding method for the set centred on the full domain name and for the set centred on the IP.
When graph components whose central nodes are domain names are merged, the difference DD between similar domain names is first calculated from the hierarchical structure of full domain names, and then two similar graph components are merged with a k-means clustering algorithm, where the difference DD between similar domain names is calculated as follows:
Figure GDA0002500012170000051
Figure GDA0002500012170000052
Figure GDA0002500012170000053
Figure GDA0002500012170000054
where ω_λ is an intermediate value in the domain name difference calculation, λ is the level of the domain name hierarchy, X and Y are full domain names, X_λ is the λ-th level of the full domain name X and Y_λ the λ-th level of the full domain name Y, |X_λ| is the length of X_λ, |Y_λ| is the length of Y_λ, |X| is the number of levels of X, |Y| is the number of levels of Y, α is a preset parameter used as a balance weight and initialized to 2 (an empirical value that can be tuned afterwards), and dd_λ and Ω are intermediate values of the calculation.
When graph components whose central node is an IP are merged, the condition is that IP addresses adjacent to the central node provide similar services; the similarity IS of the two IPs is calculated within a given time span, and similar graph components are merged when IS reaches a threshold. The time span is the data-processing interval of the actual deployment, usually 12 hours as the initial value. The similarity IS of two IPs is calculated as:
Figure GDA0002500012170000055
In the above formula, X is the IP address of the central node of the graph component and Y the adjacent IP address; X_m and Y_m are the numeric values of X and Y, and X_t and Y_t are their timestamps; α and β are preset parameters with initial values 1.8 and 0.2 respectively; λ is the class difference of the two IP addresses, for example the difference between a class-A and a class-B address is 1.
C. Graph component feature analysis and extraction: the elements of the bipartite graph component sets are analyzed and graph feature vectors are extracted in combination with the information obtained during preprocessing. The graph component feature analysis comprises:
C1. Structural features of the graph component: count the nodes in the graph component, i.e. the full domain name nodes and IP nodes, and calculate the maximum degree and the average degree of all central nodes;
C2. Full domain name node features: using the information obtained after the traffic preprocessing of step A, derive the Whois information of the full domain name from the public data of the Whois database, including the creation time, the number of updates, the completeness, the maximum number of levels of the full domain name, the number of tie levels, the number of TLD (top-level domain) categories, the number of 2-LD (second-level domain) categories, and the maximum length, average length, number of words and character repetition degree of the 2-LD (second-level domain) string;
C3. IP node features: using the information obtained after the traffic preprocessing of step A, derive the Whois information of the IP node from the public data of the Whois database, including the completeness of its status, the update time, the country, the individual, the region, the number of ASNs (autonomous system numbers) of the IP node, the ratio of the number of ASNs to the number of IPs, and so on;
C4. Connecting edge features: the nodes in a graph component are connected by edges, one edge being one DNS query response; the TTL information of the edges (Time To Live, the IP header field giving the maximum number of hops an IP packet may traverse before a router discards it), including its mean and variance, is selected as the edge feature;
C5. Blacklist features: the blacklist consists of a full domain name blacklist and an IP blacklist. When the blacklist features of a graph component are analyzed, the following are calculated against the published blacklist library: the number of marked full domain names in the component, the number of marked 2-LD + TLD (second-level domain + top-level domain) values, the maximum degree of the marked full domain name nodes, the number of marked IP nodes, the maximum degree of the marked IP nodes, and the ratio of marked nodes to total nodes.
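As an added example for steps B and C (written for this page, not code from the patent), the following Python builds the two bipartite component sets from constructed step-A output and computes, for one component, the structural features of C1, the name-derived part of C2, the TTL mean and variance of C4 and the blacklist counts of C5. The Whois-based features of C2/C3 need an external lookup and are omitted; the merging of components by DD and IS is not shown because the page gives only the symbols of those formulas, not the formulas themselves. The edge list, the blacklists and all function names are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Constructed step-A output: one (timestamp, fqdn, answered IP, IP-header TTL) per DNS response,
# i.e. one edge of the bipartite graph per query response. Addresses are documentation ranges.
SAMPLE_EDGES = [
    (1.0, "cdn.flux-test.invalid", "203.0.113.7", 57),
    (2.0, "cdn.flux-test.invalid", "203.0.113.9", 112),
    (3.0, "cdn.flux-test.invalid", "198.51.100.77", 64),
    (4.0, "x7k2q.dga-test.invalid", "203.0.113.9", 57),
    (5.0, "m9p1z.dga-test.invalid", "203.0.113.9", 57),
    (6.0, "ab.dga-test.invalid", "203.0.113.9", 58),
]
# Constructed stand-ins for the published blacklist library.
BLACK_FQDN = {"cdn.flux-test.invalid", "x7k2q.dga-test.invalid"}
BLACK_IP = {"203.0.113.9"}


def build_components(edges):
    """Step B: one bipartite component per centre node, once keyed by FQDN and once by IP."""
    by_fqdn, by_ip = defaultdict(list), defaultdict(list)
    for edge in edges:
        _, fqdn, ip, _ = edge
        by_fqdn[fqdn].append(edge)
        by_ip[ip].append(edge)
    return dict(by_fqdn), dict(by_ip)


def two_ld_plus_tld(fqdn):
    """'x7k2q.dga-test.invalid' -> 'dga-test.invalid' (the 2-LD + TLD of the page)."""
    return ".".join(fqdn.split(".")[-2:])


def component_features(edges, centre_is_fqdn, black_fqdn=BLACK_FQDN, black_ip=BLACK_IP):
    """Steps C1, C4, C5 and the name-derived part of C2 for one graph component."""
    fqdns = {e[1] for e in edges}
    ips = {e[2] for e in edges}
    deg = defaultdict(int)                      # degree = number of incident edges
    for _, fqdn, ip, _ in edges:
        deg[fqdn] += 1
        deg[ip] += 1
    centre_degrees = [deg[c] for c in (fqdns if centre_is_fqdn else ips)]
    ttls = [e[3] for e in edges]
    marked_fqdn, marked_ip = fqdns & black_fqdn, ips & black_ip
    return {
        # C1 structural features
        "n_fqdn": len(fqdns), "n_ip": len(ips),
        "max_degree": max(centre_degrees), "avg_degree": mean(centre_degrees),
        # C2, name-derived part only (Whois fields need an external lookup)
        "max_layers": max(f.count(".") + 1 for f in fqdns),
        "n_tld": len({f.rsplit(".", 1)[-1] for f in fqdns}),
        "n_2ld": len({two_ld_plus_tld(f) for f in fqdns}),
        "avg_2ld_len": mean(len(two_ld_plus_tld(f).split(".")[0]) for f in fqdns),
        # C4 edge features: IP-header TTL mean and (population) variance
        "ttl_mean": mean(ttls), "ttl_var": pvariance(ttls),
        # C5 blacklist features
        "n_marked_fqdn": len(marked_fqdn),
        "n_marked_2ld": len({two_ld_plus_tld(f) for f in marked_fqdn}),
        "max_deg_marked_fqdn": max((deg[f] for f in marked_fqdn), default=0),
        "n_marked_ip": len(marked_ip),
        "max_deg_marked_ip": max((deg[i] for i in marked_ip), default=0),
        "marked_ratio": (len(marked_fqdn) + len(marked_ip)) / (len(fqdns) + len(ips)),
    }


def feature_vectors(edges):
    """Feature dict per component of both bipartite component sets, keyed by (kind, centre)."""
    by_fqdn, by_ip = build_components(edges)
    out = {("fqdn", f): component_features(c, True) for f, c in by_fqdn.items()}
    out.update({("ip", i): component_features(c, False) for i, c in by_ip.items()})
    return out
```

In the constructed data the FQDN-centred component for `cdn.flux-test.invalid` shows one name spread over three addresses with widely scattered IP TTLs, the pattern the Background attributes to Fast-flux, while the IP-centred component for `203.0.113.9` shows several random-looking labels under one 2-LD resolving to a single address, the Domain-flux pattern; the two component sets are what lets one feature pipeline expose both.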
D. Graph component classification: the published Fast-flux and Domain-flux botnet datasets are used as input, and a mixed dataset containing real traffic is constructed by replaying the traffic with TCPReplay in a laboratory environment. The public Fast-flux dataset consists of the pure Fast-flux malicious traffic in CTU-13 and the sample traffic of the Storm, Waledac and Zeus botnets in ISOT; the public Domain-flux dataset is the ISOT HTTP Botnet dataset constructed by Alenazi A et al. Steps A to C are executed, the data is standardized according to the extracted graph feature vectors, the standardized data is divided into a training set and a test set, and a classification model is obtained with the LightGBM algorithm.
E. The information of the traffic to be inspected is input into the classification model, which computes whether the traffic is malicious and, if it is, which category of malicious traffic it belongs to, the category being Fast-flux or Domain-flux botnet.

Claims (7)

1. A botnet detection method based on a DNS mapping association graph, characterized by comprising the following steps:
A. DNS traffic filtering and preprocessing: from a traffic mirror of the equipment at the egress of the network under inspection, DNS traffic is filtered according to preset rules, the response packet traffic containing A records is then filtered out of it, and the filtered response packet traffic is preprocessed;
B. Graph mapping association processing: from the preprocessed response packet traffic, using the full domain name and the IP respectively as keys according to the DNS query responses, the association mapping relations are extracted, bipartite graph component sets with the full domain name and the IP respectively as central nodes are constructed, and the graph components within each bipartite graph component set are merged;
C. Graph component feature analysis and extraction: the elements of the bipartite graph component sets are analyzed, and graph feature vectors are extracted in combination with the information obtained during preprocessing; the analysis comprises the following steps:
C1. Structural features of the graph component: count the nodes in the graph component, i.e. the full domain name nodes and IP nodes, and calculate the maximum degree and the average degree of all central nodes;
C2. Full domain name node features: using the information obtained after the traffic preprocessing of step A, derive the Whois information of the full domain name from the public data of the Whois database;
C3. IP node features: using the information obtained after the traffic preprocessing of step A, derive the Whois information of the IP node from the public data of the Whois database;
C4. Connecting edge features: the nodes in a graph component are connected by edges, one edge being one DNS query response, and the TTL information of the edges, including its mean and variance, is selected as the edge feature;
C5. Blacklist features: the blacklist consists of a full domain name blacklist and an IP blacklist; when the blacklist features of a graph component are analyzed, the number of marked full domain names in the component, the number of marked second-level domain and top-level domain values, the maximum degree of the marked full domain name nodes, the number of marked IP nodes, the maximum degree of the marked IP nodes and the ratio of marked nodes to total nodes are calculated against the published blacklist library;
D. Graph component classification: taking published Fast-flux and Domain-flux botnet datasets as input, executing steps A to C, standardizing the data according to the extracted graph feature vectors, dividing it into a training set and a test set, and obtaining a classification model with the LightGBM algorithm;
E. Inputting the information of the traffic to be inspected into the classification model, computing with the classification model whether the traffic is malicious, and, if it is, computing with the classification model the category of the malicious traffic.
2. The botnet detection method based on a DNS mapping association graph according to claim 1, characterized in that: the preprocessing of step A comprises secondary filtering of the A-record response packet traffic of step A against a whitelist of full domain names and IPs, and extraction of several fields of each A record with the timestamp of the traffic as the ID.
3. The botnet detection method based on a DNS mapping association graph according to claim 1, characterized in that: when the graph components in the bipartite graph component sets are merged in step B, the set centred on the full domain name and the set centred on the IP are each merged in their own corresponding manner.
4. The botnet detection method based on a DNS mapping association graph according to claim 3, characterized in that: when graph components whose central nodes are full domain names are merged, the difference DD between similar domain names is first calculated from the hierarchical structure of full domain names, and then two similar graph components are merged with a k-means clustering algorithm, where the difference DD between similar domain names is calculated as follows:
Figure FDA0002500012160000021
Figure FDA0002500012160000022
Figure FDA0002500012160000023
Figure FDA0002500012160000024
where ω_λ is an intermediate value in the domain name difference calculation, λ is the level of the domain name hierarchy, X and Y are full domain names, X_λ is the λ-th level of the full domain name X and Y_λ the λ-th level of the full domain name Y, |X_λ| is the length of X_λ, |Y_λ| is the length of Y_λ, |X| is the number of levels of X, |Y| is the number of levels of Y, α is a preset parameter initialized to 2, and dd_λ and Ω are intermediate values of the calculation.
5. The botnet detection method based on a DNS mapping association graph according to claim 3, characterized in that: when graph components whose central node is an IP are merged, the condition is that IP addresses adjacent to the central node provide similar services; the similarity IS of the two IPs is calculated within a given time span, and similar graph components are merged when IS reaches a threshold; where the similarity IS of two IPs is calculated as:
Figure FDA0002500012160000025
In the above formula, $X$ is the IP address of the central node of the graph component, $Y$ is the adjacent IP address, $X_m$ is the value of $X$, $Y_m$ is the value of $Y$, $X_t$ is the timestamp of $X$, $Y_t$ is the timestamp of $Y$, $\alpha$ and $\beta$ are preset parameters, and $\lambda$ is the category difference value of the two IP addresses.
6. The botnet detection method based on DNS mapping association graph according to claim 1, characterized in that: the Whois information of the full domain name in step C2 includes the creation time, the number of updates, the integrity, the maximum number of layers, the number of tie layers, the number of top-level domain categories and the number of second-level domain categories of the full domain name, and the maximum length, the average length, the number of words and the character repetition degree of the second-level domain characters.
7. The botnet detection method based on DNS mapping association graph according to claim 1, characterized in that: the Whois information of the IP node in step C3 includes the state of the IP node, its update time, the country it belongs to, the number of autonomous system numbers of the node IP, and the ratio of the number of autonomous system numbers to the IP.
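As an added example (not the patent's code), the following Python computes the feature groups that claims 6 and 7 list from constructed Whois-style records. The feature names come from the claims; the record fields, the aggregation over one component, the hyphen-based word split and the definition of character repetition degree are my assumptions, and the "number of tie layers" feature is left out because the page does not say how it is computed. The `cdn-edge.badzone.co.uk` record is included to show the second-level-domain pitfall a practitioner hits without a public-suffix list.

```python
# Added example, not the patent's code: the Whois / lexical feature groups
# named in claims 6 and 7, computed over one component from constructed
# Whois-style records. Field names, component-level aggregation, the hyphen
# word split and the repetition-degree definition are ASSUMPTIONS.
from datetime import date

# Constructed Whois-style records for the full domain names of one component.
DOMAIN_WHOIS = {
    "xk3j2.badzone.org": {"created": date(2019, 5, 30), "updates": 4, "complete": False},
    "p9q1z.badzone.org": {"created": date(2019, 5, 30), "updates": 4, "complete": False},
    "fluxy.badzone.org": {"created": date(2019, 5, 30), "updates": 5, "complete": False},
    "cdn-edge.badzone.co.uk": {"created": date(2019, 5, 31), "updates": 1, "complete": True},
    "mirror.zzzfast-cdn.org": {"created": date(2019, 6, 1), "updates": 2, "complete": True},
}

# Constructed Whois-style records for the IP nodes of one component
# (AS64496-AS64498 are from the documentation ASN range).
IP_WHOIS = [
    {"ip": "192.0.2.77", "state": "allocated", "updated": date(2018, 1, 9), "country": "ZZ", "asn": 64496},
    {"ip": "192.0.2.78", "state": "allocated", "updated": date(2018, 1, 9), "country": "ZZ", "asn": 64496},
    {"ip": "192.0.2.79", "state": "allocated", "updated": date(2019, 2, 2), "country": "ZZ", "asn": 64497},
    {"ip": "198.51.100.5", "state": "assigned", "updated": date(2017, 7, 7), "country": "ZZ", "asn": 64498},
]

def labels(fqdn):
    """Labels left to right; the last one is the top-level domain."""
    return fqdn.lower().strip(".").split(".")

def second_level(fqdn):
    """Second label from the right. Without a public-suffix list this
    returns "co" for names under co.uk, which the features below expose."""
    return labels(fqdn)[-2]

def repetition_degree(s):
    """ASSUMED definition: fraction of characters that repeat an earlier one."""
    return 1 - len(set(s)) / len(s) if s else 0.0

def domain_features(whois):
    """Claim 6 feature group for a domain-centred component."""
    names = list(whois)
    slds = [second_level(n) for n in names]
    return {
        "earliest_creation": min(r["created"] for r in whois.values()),
        "total_updates": sum(r["updates"] for r in whois.values()),
        "integrity": sum(r["complete"] for r in whois.values()) / len(names),
        "max_layers": max(len(labels(n)) for n in names),
        "tld_categories": len({labels(n)[-1] for n in names}),
        "sld_categories": len(set(slds)),
        "sld_max_len": max(len(s) for s in slds),
        "sld_mean_len": sum(len(s) for s in slds) / len(slds),
        "sld_words": sum(len(s.split("-")) for s in slds),
        "sld_repetition": max(repetition_degree(s) for s in slds),
    }

def ip_features(records):
    """Claim 7 feature group for the IP nodes of a component."""
    asns = {r["asn"] for r in records}
    return {
        "states": sorted({r["state"] for r in records}),
        "latest_update": max(r["updated"] for r in records),
        "countries": sorted({r["country"] for r in records}),
        "asn_count": len(asns),
        "asn_to_ip_ratio": len(asns) / len(records),
    }
```

With these records the domain group reports three second-level categories rather than two, because `second_level` takes `co` from `cdn-edge.badzone.co.uk`; a feature pipeline that feeds a classifier should resolve registrable domains against a public-suffix list before counting categories or measuring label lengths, or the feature will be skewed by multi-label public suffixes.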
CN201910534665.3A 2019-06-20 2019-06-20 Botnet detection method based on DNS mapping association graph Active CN110177123B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910534665.3A CN110177123B (en) 2019-06-20 2019-06-20 Botnet detection method based on DNS mapping association graph

Publications (2)

Publication Number Publication Date
CN110177123A CN110177123A (en) 2019-08-27
CN110177123B true CN110177123B (en) 2020-09-18

Family

ID=67698615

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910534665.3A Active CN110177123B (en) 2019-06-20 2019-06-20 Botnet detection method based on DNS mapping association graph

Country Status (1)

Country Link
CN (1) CN110177123B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110598774B (en) * 2019-09-03 2023-04-07 中电长城网际安全技术研究院(北京)有限公司 Encrypted flow detection method and device, computer readable storage medium and electronic equipment
CN113381962B (en) * 2020-02-25 2023-02-03 深信服科技股份有限公司 Data processing method, device and storage medium
CN112468484B (en) * 2020-11-24 2022-09-20 山西三友和智慧信息技术股份有限公司 Internet of things equipment infection detection method based on abnormity and reputation
CN113449782B (en) * 2021-06-18 2022-05-24 中电积至(海南)信息技术有限公司 CDN (content delivery network) hosting node detection method based on graph semi-supervised classification
CN114244580A (en) * 2021-11-29 2022-03-25 北京华清信安科技有限公司 Graphic analysis and recognition method for internet botnet

Citations (3)

Publication number Priority date Publication date Assignee Title
CN102291268A (en) * 2011-09-23 2011-12-21 杜跃进 Safety domain name server and hostile domain name monitoring system and method based on same
EP3306900A1 (en) * 2016-10-07 2018-04-11 Secucloud GmbH Dns routing for improved network security
CN108494790A (en) * 2018-04-08 2018-09-04 南京大学 A method of detecting sustained network attack in distributed network

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN102045215B (en) * 2009-10-21 2013-04-24 成都市华为赛门铁克科技有限公司 Botnet detection method and device
CN102938769A (en) * 2012-11-22 2013-02-20 国家计算机网络与信息安全管理中心 Detection method of Domain flux botnet domain names
US9363269B2 (en) * 2014-07-30 2016-06-07 Zscaler, Inc. Zero day threat detection based on fast flux detection and aggregation
CN106230867A (en) * 2016-09-29 2016-12-14 北京知道创宇信息技术有限公司 Prediction domain name whether method, system and the model training method thereof of malice, system

Non-Patent Citations (2)

Title
Website Fingerprinting Attack on Anonymity Networks Based on Profile Hidden Markov Model; Zhongliu Zhuo; IEEE Transactions on Information Forensics and Security; IEEE; 20171013; Vol. 5 (No. 13); full text *
Fast-Flux botnet detection method based on agent control capability; Liu Zimao et al.; Journal of Guangxi University (Natural Science Edition); 20111030; full text *

Also Published As

Publication number Publication date
CN110177123A (en) 2019-08-27

Legal Events

Date Code Title Description
PB01 Publication
CB03 Change of inventor or designer information

Inventor after: Zhang Xiaosong, Niu Weina, Xiong Zhipeng, Xie Xin, Jiang Tianyu, Ge Honglin
Inventor before: Zhang Xiaosong, Niu Weina, Xiong Zhipeng, Xie Xin, Jiang Tianyu, Ge Honglin

SE01 Entry into force of request for substantive examination
GR01 Patent grant