CN102685145A

CN102685145A - Domain name server (DNS) data packet-based bot-net domain name discovery method

Info

Publication number: CN102685145A
Application number: CN2012101683406A
Authority: CN
Inventors: 王志文; 刘璐; 陶敬; 马小博; 周文瑜
Original assignee: Xian Jiaotong University
Current assignee: Xian Jiaotong University
Priority date: 2012-05-28
Filing date: 2012-05-28
Publication date: 2012-09-19

Abstract

The invention discloses a domain name server (DNS) data packet-based bot-net domain name discovery method. A DNS data packet is taken as a basic data source in a network layer, and a domain name co-occurrence scoring method is used for tracking and discovering a plurality of bot-net domain names under the condition that a part of bot-net domain names are known by utilizing the two key features of groupment and persistence of a bot-net. Known local features (manifesting as bot-net domain names) of the bot-net are updated or changed into unknown domain names along with time, the unknown domain names are discovered, and the dynamic variations of access behaviors of a specified bio-net are discovered, mastered and tracked, so that the shortcomings of the conventional bio-net detection method are overcome. According to the method, domain names are taken as features, so that the limitation caused by bio-net protocol diversity, information encryption and the like when feature codes are used for detection can be avoided; and an object is observed according to the co-occurrence behaviors of the domain names, so that the unknown bio-net domain names can be discovered by fully utilizing the features of groupment and persistence of the bio-net.

Description

Botnet domain name discovery method based on DNS data packet

Technical Field

The method relates to the field of computer network security, relates to a botnet domain name discovery method, and particularly relates to a botnet domain name discovery method based on a DNS (domain name system) data packet.

Background

Botnets are a group of zombie hosts (zoobie) infected by bots (bots) and having command and control relations, the bots are distributed in various occasions such as families, enterprises and government organizations, receive instructions from controllers (botmasters), execute various network attacks such as DDoS (distributed denial of service), information stealing, phishing, junk mails, advertisement abusing points, illegal voting and the like, and as a group large-scale network attack means, serious security threats are caused to civil internet, industrial production control systems, military networks and the like. One-to-many command and control (C & C) is the fundamental characteristic that botnets are different from traditional virus, trojan, backdoor and other attack technologies, and the botnets have typical characteristics of large scale, organization, high controllability, high concealment, long latency and the like.

At present, the traditional method for detecting the botnet is to discover a controlled botnet host by using feature codes, and the method for detecting the botnet by using non-feature codes mainly comprises the following steps: the method comprises the steps of collecting and classifying network characteristics, grading threats and relevance among hosts, mining malicious domain names in the domain names through semantic analysis of domain name lexical, and detecting botnets and the like through Fast-Flux phenomena of IP and the domain names. These methods face the following problems:

1) the characteristics of long-term latency of the botnet and the like determine that the interaction between a controller and a botnet host is a dynamic command and control process, so that the known characteristic information is updated quickly, a detection method based on the characteristic code cannot keep up with the steps of the characteristic information, and the detection failure rate is gradually improved along with time.

2) The network-based detection method has high requirements on data sources, and is difficult to apply to a large network due to complex data calculation.

3) The detection method based on literal semantic analysis and the detection method using the Fast-Flux phenomenon are very limited and cannot effectively detect a wide variety of botnets.

Disclosure of Invention

The method aims to provide a botnet domain name discovery method based on a DNS data packet, and by means of known local characteristics (expressed as the domain name of the botnet) of the botnet, an unknown domain name which is updated or changed along with time change is discovered, and dynamic changes of access behaviors of the given botnet are discovered, mastered and tracked, so that the defects of an existing botnet detection method are overcome. The method of the invention takes the domain name as the characteristic, and can avoid the limitations caused by the diversity of botnet protocols or information encryption and the like when the characteristic code is taken as the detection means; the object is observed by the co-occurrence behavior of the domain names, and the unknown botnet domain names can be found by fully utilizing the characteristics of the population and the persistence of the botnets. Experiments show that the method can effectively and reliably discover the unknown botnet domain name in the network scale of tens of thousands of hosts.

In order to achieve the purpose, the invention adopts the following technical scheme:

a botnet domain name discovery method based on DNS data packets comprises the following steps,

data preprocessing:

step 1.1: analyzing DNS query data from a data packet by taking given network outlet flow as a data source, and extracting a quadruplet r = (t, h, p, d) set containing DNS query characteristic information from the data packet, wherein t is request initiating time, h is a request initiating host, p is a requested resource record type, and d is a requested domain name;

step 1.2: filtering and reducing a quadruplet r = (t, h, p, d) set through a domain name white list, and removing the quadruplet containing a given domain name of the domain name white list from the quadruplet r = (t, h, p, d) set;

step 1.3: identifying an NAT (IP Network Address Translator/IP Network Address Translator) host, filtering an access record of the NAT host to a domain name in the NAT Network, and removing the access record from a quadruple set after the quadruple set r = (t, h, p, d) is removed from the quadruple set after the domain name is given by the domain name white list in the step 1.2; eliminating to obtain reduced quadruple set;

step 1.4: counting the time windows on the reduced quaternary set obtained in the step 3 by taking the domain name as a main body, counting the number of times of inquiring each domain name by each host in each time window, and defining the number as a quadruple s = (T)_i,h,d,n_all)；T_iRepresents from t_iTo t_i+1Time range of (t)_i+1=t_i+ T, h is the request initiating host, d is the domain name of the request, n_allThe number of times each domain name is queried by each host in a time window, wherein the time window is T in size;

preferably, the process of identifying the NAT host in step 1.3 includes the following steps:

step a: dividing time periods, and recording the observed value x of the number of the domain names accessed by each host i in each time period j_ij(ii) a j =1,2,3, … N, N being a natural number;

step b: calculating the average value of the number of domain names accessed by the host i in n time periods as

Step c: calculating a threshold M_kLet M stand_kIs a random variable X_ijUpper k quantile of (i.e., P { X)_ij>M_k} = k, k ∈ (0,1), where the random variable X_ijRepresenting the domain name query number of the host i in the time period j; experiments show that k is 0.05, so that the optimal effect is achieved;

step d: if it is judged that

The host is considered to be a NAT host.

Preferably, the botnet domain name discovery method based on the DNS packet further includes the step of domain name co-occurrence scoring:

step 2.1: for a given botnet, determining, from the set of domain names for the given botnet, that there is a quad s = (T =)_i,h,d,n_all) The domain name set to be detected; a host sending a DNS query request to a domain name in any known zombie network is a zombie host, and an unknown domain name in a data set accessed by all the zombie hosts is a domain name set to be tested;

step 2.2: time window divisionFor each time window T_iCalculating the co-occurrence score of each domain name in the domain name set to be detected and the given botnet domain name:

1) calculating a time window T_iAnd the similarity coefficient between the domain name to be detected and each domain name in the domain name set of the given botnet is as follows:

wherein, D (h, T)_i) For the time window T_iSet of domain names visited by the inner host h, d_iFor the domain name to be measured in the time window, d_jA given domain name in a domain name set of a given botnet within the time window;

2) calculating the time window T_iIn the method, the domain name d to be tested and the known domain name set Z in all given botnets_bSum of similarity coefficients of

3) Calculating the time window T_iIn the method, the correction coefficient W (d, T) of the domain name d to be measured_i) The correction factor is the number of zombie hosts visited the domain name divided by the number of all hosts visited the domain name, i.e. the correction factor is the number of zombie hosts visited the domain name

Wherein, H (d, T)_i) Is shown in a time window T_iA host set internally accessed by a domain name d;

4) calculating the time window T_iIn the method, the co-occurrence score S of the domain name to be detected and the given botnet domain name set_b(d,T_i)，

<math><mrow> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>=</mo> <mrow> <mo>(</mo> <msub> <mi>Σ</mi> <mrow> <msub> <mi>d</mi> <mi>b</mi> </msub> <mo>&Element;</mo> <msub> <mi>Z</mi> <mi>b</mi> </msub> </mrow> </msub> <mi>C</mi> <mrow> <mo>(</mo> <msub> <mi>d</mi> <mi>b</mi> </msub> <mo>,</mo> <msub> <mrow> <mi>d</mi> <mo>,</mo> <mi>T</mi> </mrow> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>*</mo> <mi>W</mi> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>;</mo> </mrow></math>

Step 2.3: calculating a domain name co-occurrence score S for multiple time windows_b(d)；

1) For x continuous time windows, calculating domain name d and botnet B_bAverage co-occurrence score of

<math><mrow> <msub> <mover> <mi>S</mi> <mo>&OverBar;</mo> </mover> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>=</mo> <mrow> <mo>(</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <mo>·</mo> <mo>·</mo> <mo>·</mo> <mo>+</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>x</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>/</mo> <mi>x</mi> <mo>;</mo> </mrow></math>

2) For x continuous time windows, calculating domain name d and botnet B_bMaximum co-occurrence score of S_bmax(d)=max(S_b(d,T_i))；

3) Normalization is carried out, and domain name co-occurrence score S of multiple time windows is calculated_b(d)：

<math><mrow> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mover> <mi>S</mi> <mo>&OverBar;</mo> </mover> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>/</mo> <mi>max</mi> <mrow> <mo>(</mo> <msub> <mover> <mi>S</mi> <mo>&OverBar;</mo> </mover> <mi>b</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>d</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>·</mo> <mi>α</mi> <mo>+</mo> <msub> <mi>S</mi> <mrow> <mi>b</mi> <mi>max</mi> </mrow> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>/</mo> <mi>max</mi> <mrow> <mo>(</mo> <msub> <mi>S</mi> <mrow> <mi>b</mi> <mi>max</mi> </mrow> </msub> <mrow> <mo>(</mo> <msub> <mi>d</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>·</mo> <mrow> <mo>(</mo> <mn>1</mn> <mo>-</mo> <mi>α</mi> <mo>)</mo> </mrow> <mo>,</mo> </mrow></math>

α∈(0,1)

Wherein,as botnet B_bMaximum value of average co-occurrence score, max (S), of all domain names to be tested_bmax(d_i) Is botnet B_bThe maximum value of the maximum co-occurrence scores of all the domain names to be detected, and alpha is a scale factor reflecting the ratio of the average value to the maximum value of the domain name co-occurrence scores in the network; experiments show that the result accuracy is highest when the value of alpha is 0.8.

Preferably, the botnet domain name discovery method based on the DNS packet further includes a botnet domain name screening step:

sorting domain name co-occurrence scores of all domain names to be detected of the given botnet, and screening the domain names to be detected with the score greater than 0.2; and judging the maliciousness of the domain name to be detected with the score of more than 0.2 by utilizing a domain name maliciousness judgment rule and recommending.

Preferably, the domain name maliciousness judgment rule satisfies any one or more of the following conditions:

(1) the safety manufacturer publishes the domain name as a malicious domain name or a malicious URL exists under the domain name;

(2) the domain name has the same secondary domain name as the known malicious domain name, and the secondary domain name is not a dynamic domain name provider;

(3) the same prefix as a known malicious domain name;

(4) it is found by the search engine that there is no information for the domain name at all, but it does exist, and the resolved IP address is the same as that resolved by a known malicious domain name.

Preferably, the domain name in the domain name white list in step 1.2 is one or more of a common domain name, a misconfigured domain name and a program frequently-sent domain name.

Compared with the prior art, the invention has the following beneficial effects: the method does not need the support of host layer data, takes a DNS data packet as a basic data source in a network layer, and uses a domain name co-occurrence scoring method to track and find more botnet domain names by utilizing two key characteristics of the group property and the persistence of the botnets under the condition of knowing partial botnet domain names. The method comprises three parts of data preprocessing, domain name co-occurrence score calculation and botnet domain name screening. The method eliminates the interference of the NAT host in the network at the data preprocessing part; performing score analysis from a space dimension and a time dimension in a domain name co-occurrence score calculation part, so that domain name co-occurrence behaviors shown by a botnet can be obviously different from domain name co-occurrence behaviors shown by other normal applications; and finally, sorting the domain name co-occurrence scores and screening the domain names with the highest degree of correlation with the known botnet domain names.

Drawings

Figure 1 is a schematic diagram of the cooccurrence behavior of botnets according to the method.

Fig. 2 is a detailed flow diagram of botnet domain name discovery according to the present method.

Detailed Description

For a more clear understanding of the present method, the present method is described in further detail below by way of specific embodiments in conjunction with the accompanying drawings.

Figure 1 is a schematic diagram of zombie network co-occurrence behavior.

Botnets, whether centralized or distributed, whether IRC or HTTP protocol, have the following commonalities: (1) population in space. Controlled by the same hacker or hacker organization, receiving the same or coordinated attack commands, and having the same network access rule; (2) the persistence over time. The zombie hosts continue to access relevant target servers (including control servers, update servers, etc.) over time, all the while remaining in contact with the zombie controller. Botnets typically use a number of different domain names in their command and control processes, and botnet hosts continue to access these specific domain names for the life of their hosts to maintain, receive commands and control of attackers, and to ensure their privacy and reliability. In a typical botnet control case, the access process of a bot host to various domain names is as follows: firstly, accessing a command control server domain name to complete the receiving of a control command; then accessing a related server domain name to execute control commands such as updating a bot program, downloading malicious codes, uploading stealing information and the like; and finally, accessing the domain name of the victim server to carry out network attack and the like. Access to the server domain name by zombie hosts in the same zombie network necessarily has the same or similar access behavior, as controlled by the same zombie controller.

Namely, domain name access of botnets has definite domain name co-occurrence behavior: the given set of domain names is served by a known zombie domain name, such as a command control domain name resulting from capture; the co-occurrence domain name set covers various unknown zombie domain names, such as related domain names and damaged domain names. Therefore, the method scores and finds unknown botnet domain names based on the domain name co-occurrence behavior of botnets.

Figure 2 is a detailed flow chart of the discovery of botnet domain names using the present method.

The data source of the method is the flow data of a given network, the flow mirror of a network outlet can be adopted, the inlet flow of a regional network DNS server can also be adopted, the data packet analysis is carried out through wincap, the quadruple containing DNS query characteristic information in the DNS query flow is extracted and is stored in a database as metadata. This step needs to be performed for a long time to acquire data for a long time. In the steps of white list filtering, NAT host filtering and data statistics, the operation data are all the metadata.

When the data preprocessing part is finished, the obtained domain name feature quadruple is filtered and the obtained statistical feature quadruple is counted to serve as the input of the domain name co-occurrence score calculating part, firstly, a co-occurrence domain name set to be detected is screened out according to the known domain name of a given botnet, and the host computer of the domain name to be detected which sends a DNS query request to the known domain name of any given botnet serves as a botnet host computer. Then dividing a time window, calculating the domain name co-occurrence score of each domain name to be detected in a single time window according to the steps in the invention content, and then calculating the domain name co-occurrence score of each domain name to be detected in a multi-time window according to the steps in the invention content.

And when the domain name co-occurrence score calculation part is finished, obtaining a list of domain name co-occurrence scores to be detected, sorting the domain name scores according to the scores, and screening the domain name with the highest degree of correlation with the known botnet domain name. And judging the maliciousness of the domain name with the score of more than 0.2 and recommending the domain name.

The method comprises three parts of data preprocessing, domain name co-occurrence score calculation and botnet domain name screening. Wherein each part comprises the following steps:

a data preprocessing part:

step 1: and analyzing DNS query data from a data packet by taking the given network outlet flow as a data source, extracting a quadruplet r = (t, h, p, d) (t is request initiating time, h is a request initiating host, p is a requested resource record type, and d is a requested domain name) set containing DNS query characteristic information, and preparing a series of data for subsequent steps.

Step 2: the quadruplets r = (t, h, p, d) set are reduced through domain name white list filtering, and the quadruplets containing the given domain name are removed from the quadruplet r = (t, h, p, d) set. The domain names in the white list are mainly of the following types: common domain names, misconfigured domain names, and program frequent domain names.

And step 3: and (3) identifying an NAT (IP Network Address converter/IP Network Address Translator) host, filtering an access record of the NAT host to the domain name in the NAT Network based on the access statistical property of the Network domain name without hardware support, and removing the reduced quadruple set from the quadruple set obtained in the step (2).

The identification steps of the NAT host are as follows:

1) dividing the time period, and recording the observed value x of the number of domain names accessed by each host i in each time period j (j =1,2,3, …)_ij。

2) Calculating the average value of the number of domain names accessed by the host i in n time periods as

3) Calculating a threshold M_kLet M stand_kIs a random variable X_ijUpper k quantile of (i.e., P { X)_ij>M_k} = k, k ∈ (0,1), where the random variable X_ijIndicating the number of domain name queries by host i during this time period j. Experiments show that k is 0.05, so that the optimal effect is achieved.

4) If it is judged thatThe host is considered to be a NAT host.

And 4, step 4: counting the time windows on the reduced quaternion set obtained in the step 3 by taking the domain name as a main body, counting the number of times of inquiring each domain name by each host in each time window (the time window is preferably 1 natural day), and defining the number as a quaternion s = (T)_i,h,d,n_all)（T_iRepresents from t_iTo t_i+1Time range of (t)_i+1＝t_i+ T, h is the request initiating host, d is the domain name of the request, n_allThe number of times each domain name is queried by each host in a time window, where the time window is of size T). Without loss of useful informationThe case highlights the statistical nature of the domain name and reduces the data set.

The domain name co-occurrence score calculating part:

step 1: for a given botnet, determining, from the set of domain names for the given botnet, that there is a quad s = (T =)_i,h,d,n_all) The domain name set to be tested. The host that issued the DNS query request to any domain name in any known botnet is the botnet host, and the four-tuple s = (T) that all botnet hosts have accessed_i,h,d,n_all) The unknown domain name in (i.e., the domain name other than the domain name set for the given botnet) is the set of domain names to be tested.

Step 2: dividing the time windows, for each time window T_iCalculating the co-occurrence score of each domain name in the domain name set to be detected and the given botnet domain name:

1) calculating a time window T_iAnd correcting the similarity coefficient between the domain name to be detected and each domain name in the domain name set of the given botnet based on the Jacobian similarity coefficient. D (h, T)_i) For the time window T_iSet of domain names visited by the inner host h, d_iFor the domain name to be measured in the time window, d_jFor a given domain name in the domain name set of a given botnet within the time window, the similarity coefficient is:

3) Calculating the time window T_iAnd the correction coefficient of the domain name d to be detected is the number of zombie hosts which visit the domain name to be detected divided by the number of all hosts which visit the domain name to be detected, namely

Wherein, H (d, T)_i) Is shown in a time window T_iThe set of hosts that have internally visited domain name d.

<math><mrow> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>=</mo> <mrow> <mo>(</mo> <msub> <mi>Σ</mi> <mrow> <msub> <mi>d</mi> <mi>b</mi> </msub> <mo>&Element;</mo> <msub> <mi>Z</mi> <mi>b</mi> </msub> </mrow> </msub> <mi>C</mi> <mrow> <mo>(</mo> <msub> <mi>d</mi> <mi>b</mi> </msub> <mo>,</mo> <msub> <mrow> <mi>d</mi> <mo>,</mo> <mi>T</mi> </mrow> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>*</mo> <mi>W</mi> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>.</mo> </mrow></math>

And step 3: calculating a domain name co-occurrence score S for multiple time windows_b(d)。

<math><mrow> <msub> <mover> <mi>S</mi> <mo>&OverBar;</mo> </mover> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>=</mo> <mrow> <mo>(</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <mo>·</mo> <mo>·</mo> <mo>·</mo> <mo>+</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>x</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>/</mo> <mi>x</mi> <mo>.</mo> </mrow></math>

2) For x continuous time windows, calculating domain name d and botnet B_bMaximum co-occurrence score of S_bmax(d)=max(S_b(d,T_i))。

α∈(0,1)

Wherein,

as botnet B_bMaximum value of average co-occurrence score, max (S), of all domain names to be tested_bmax(d_i) Is botnet B_bAnd the maximum value of the maximum co-occurrence scores of all the domain names to be detected, wherein alpha is a scale factor reflecting the ratio of the average value to the maximum value of the domain name co-occurrence scores in the network. Experiments show that the result accuracy is highest when the value of alpha is 0.8.

A botnet domain name screening part:

step 1: the domain name co-occurrence scores for all domain names to be tested for a given botnet are ranked.

Step 2: and screening the domain name to be detected with the score of more than 0.2 (the domain name to be detected with the score of more than 0.2 has high correlation degree with the domain name of the known zombie network).

And step 3: and judging the maliciousness of the domain name to be detected obtained by screening, wherein the judgment rule meets any one or more descriptions as follows:

1) the security manufacturer publishes the domain name as a malicious domain name or a malicious URL exists under the domain name.

2) And the known malicious domain name has the same secondary domain name, and the secondary domain name is not a dynamic domain name provider.

3) And known malicious domain names have the same prefix.

4) It is found by the search engine that there is no information for the domain name at all, but it does exist, and the resolved IP address is the same as that resolved by a known malicious domain name.

Claims

1. A botnet domain name discovery method based on DNS data packets is characterized by comprising the following data preprocessing steps:

step 1.3: identifying an NAT host, filtering access records of the NAT host to a domain name in an NAT network, and removing the access records from a quadruple set after a quadruple r = (t, h, p, d) set is removed and a domain name is given by a domain name white list in the step 1.2; eliminating to obtain reduced quadruple set;

step 1.4: counting according to time windows by taking the domain name as a main body on the reduced quaternary set obtained in the step 3, and counting each time window T_iThe number of times each domain name is queried by each host is defined as the quadruple s = (T)_i,h,d,n_all)；T_iRepresents from t_iTo t_i+1Time range of (t)_i+1=t_i+ T, h is the request initiating host, d is the domain name of the request, n_allThe number of times each domain name is queried by each host in a time window, where the time window is of size T.

2. The DNS packet-based botnet domain name discovery method according to claim 1, wherein the process of identifying the NAT host in step 1.3 includes the steps of:

Step c: calculating a threshold M_kLet M stand_kIs a random variable X_ijUpper k quantile of (i.e., P { X)_ij>M_k} = k, k ∈ (0,1), where the random variable X_ijRepresenting the domain name query number of the host i in the time period j; k = 0.05;

step d: if it is judged that

The host is considered to be a NAT host.

3. The DNS packet-based botnet domain name discovery method according to claim 1, wherein the DNS packet-based botnet domain name discovery method further comprises a step of domain name co-occurrence scoring:

step 2.2: dividing the time windows, for each time window T_iCalculating the co-occurrence score of each domain name in the domain name set to be detected and the given botnet domain name:

<math> <mrow> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>=</mo> <mrow> <mo>(</mo> <msub> <mi>Σ</mi> <mrow> <msub> <mi>d</mi> <mi>b</mi> </msub> <mo>&Element;</mo> <msub> <mi>Z</mi> <mi>b</mi> </msub> </mrow> </msub> <mi>C</mi> <mrow> <mo>(</mo> <msub> <mi>d</mi> <mi>b</mi> </msub> <mo>,</mo> <msub> <mrow> <mi>d</mi> <mo>,</mo> <mi>T</mi> </mrow> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>*</mo> <mi>W</mi> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>;</mo> </mrow> </math>

<math> <mrow> <msub> <mover> <mi>S</mi> <mo>&OverBar;</mo> </mover> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>=</mo> <mrow> <mo>(</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>1</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mo>+</mo> <mo>·</mo> <mo>·</mo> <mo>·</mo> <mo>+</mo> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>,</mo> <msub> <mi>T</mi> <mi>x</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>/</mo> <mi>x</mi> <mo>;</mo> </mrow> </math>

<math> <mrow> <msub> <mi>S</mi> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>=</mo> <msub> <mover> <mi>S</mi> <mo>&OverBar;</mo> </mover> <mi>b</mi> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>/</mo> <mi>max</mi> <mrow> <mo>(</mo> <msub> <mover> <mi>S</mi> <mo>&OverBar;</mo> </mover> <mi>b</mi> </msub> <mrow> <mo>(</mo> <msub> <mi>d</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>·</mo> <mi>α</mi> <mo>+</mo> <msub> <mi>S</mi> <mrow> <mi>b</mi> <mi>max</mi> </mrow> </msub> <mrow> <mo>(</mo> <mi>d</mi> <mo>)</mo> </mrow> <mo>/</mo> <mi>max</mi> <mrow> <mo>(</mo> <msub> <mi>S</mi> <mrow> <mi>b</mi> <mi>max</mi> </mrow> </msub> <mrow> <mo>(</mo> <msub> <mi>d</mi> <mi>i</mi> </msub> <mo>)</mo> </mrow> <mo>)</mo> </mrow> <mo>·</mo> <mrow> <mo>(</mo> <mn>1</mn> <mo>-</mo> <mi>α</mi> <mo>)</mo> </mrow> <mo>,</mo> <mi>α</mi> <mo>&Element;</mo> <mrow> <mo>(</mo> <mn>0,1</mn> <mo>)</mo> </mrow> </mrow> </math>

Wherein,

as botnet B_bMaximum value of average co-occurrence score, max (S), of all domain names to be tested_bmax(d_i) Is botnet B_bThe maximum value of the maximum co-occurrence scores of all the domain names to be detected, and alpha is a scale factor reflecting the ratio of the average value to the maximum value of the domain name co-occurrence scores in the network; α = 0.8.

4. The botnet domain name discovery method based on DNS packets according to claim 3, wherein the botnet domain name discovery method based on DNS packets further comprises a botnet domain name screening step:

5. The DNS packet-based botnet domain name discovery method according to claim 4, wherein the domain name maliciousness determination rule is that any one or more of the following are satisfied:

(3) the same prefix as a known malicious domain name;

6. The DNS packet-based zombie network domain name discovery method according to claim 1, wherein the domain name in the domain name white list in step 1.2 is one or more of a common domain name, a misconfigured domain name, and a programmed frequent domain name.