CN102938769A - Detection method of Domain flux botnet domain names - Google Patents


Info

Publication number
CN102938769A
Authority
CN
China
Prior art keywords
domain name
domain
name
botnet
flux
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 201210475596
Other languages
Chinese (zh)
Inventor
袁春阳
杜跃进
孙波
许俊峰
王明华
李青山
徐小琳
何跃鹰
严寒冰
王营康
郑礼雄
张胜利
李洪生
轩志朋
王永建
林绅文
杨鹏
王进
张伟
郭承青
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peking University
National Computer Network and Information Security Management Center
Original Assignee
Peking University
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-11-22
Filing date
2012-11-22
Publication date
2013-02-20
Application filed by Peking University and the National Computer Network and Information Security Management Center
Priority to CN 201210475596
Publication of CN102938769A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for detecting domain-flux botnet domain names based on how actively the domain names are used, addressing the problem of botnets locating and hiding their control infrastructure by means of the domain-flux technique. The detection method comprises the following steps: receiving and parsing DNS (Domain Name System) response messages and recording the IP (Internet Protocol) resolution content of domain names at a fixed time interval; grouping the domain names by second-level domain name and resolved IP so as to obtain a plurality of domain name sets, each of which contains one or more domain names; for each domain name in each set, computing the time interval between the first and the last time the domain name appears, which serves as the effective resolution duration of the domain name; computing the proportion of the set's domain names that each duration accounts for and taking the maximum; and outputting, according to a predefined threshold, a list of the domain names that use the domain-flux technique.

Description

A domain-flux botnet domain name detection method
Technical field
This detection method relates to the field of network security.
Background technology
The Domain Name System (DNS) is an important piece of Internet service infrastructure whose main task is translating domain names into IP addresses. Most current Internet applications must first use the domain name system to resolve a domain name to an IP address before carrying out their actual business.
Botnets are the main vehicle for much of the malicious activity on today's networks. Although some of them have adopted new techniques and protocols such as P2P, most botnets still rely on DNS for acquiring resources, locating their control servers, and so on. To improve their own survivability, hide better, remain flexible and obtain greater profit, these botnets have adopted techniques such as fast flux and domain flux. In the last two years, the use of domain flux by botnets has shown a sharply rising trend.
ICANN describes fast flux as the rapid and continual changing of a host's resource records, that is, behaviour in which the IPs a domain name resolves to change quickly. Domain flux is the opposite: it refers to the behaviour of continually changing and assigning many domain names to one or more IPs.
Both techniques can be used for locating a botnet's C&C. The best-known botnet, Storm, used the fast-flux method, and according to a report published by the RSA FraudAction team, the Rock Phish group also used this technique in its framework. Other botnets such as Conficker, Kraken and Torpig instead use domain names generated by the domain-flux method to make contact and receive control. Taking Conficker as an example, it generated 250 domain names every 3 hours and randomly chose 32 of them to resolve to IPs in an attempt to connect to the control end.
Because fast flux relies on a single domain name, a botnet using it has the weakness of an easy single point of failure, so many botnets use domain flux to remedy this problem. At the same time, the large number of generated domain names increases the analysis cost for security analysts and prolongs analysis time.
In terms of related research, early work on the use and study of fast flux was plentiful, while research on and attention to domain flux has grown rapidly only in the last two years.
Current detection of domain flux concentrates mainly on analysing the character features of domain names. Because domain generation algorithms differ greatly and are easy to modify and replace, the character features of the domain names they generate differ as well; since current detection methods target specific character features, a change in those features lets a botnet escape detection. Compared with character features, the usage features of domain-flux domain names are more stable, because domain name access follows stronger and more regular patterns. This method therefore targets the access activity of domain names generated by domain flux and proposes a way of detecting domain-flux botnet domain names.
Summary of the invention
For existing domain-flux botnets, a domain name detection method is provided that is based on the activity features of subdomain names.
The detection method described here is based on the following observation: when a botnet uses domain flux, its domain names differ markedly from legitimate domain names in the number of subdomain names, the appearance of new subdomain names, and the activity of the subdomain names.
In a botnet based on domain flux, each bot periodically generates a series of domain names for contacting the C&C server, so the number of its domain names keeps growing over time. Figure 1 shows the number of subdomain names generated by several such samples.
Owing to deployment constraints, capturing all resolution requests for a given domain name is very difficult. But even with the partial request data that can be obtained, the growth in the number of subdomain names over time can serve as a primary filtering condition for screening domain names out of large volumes of domain name data [2].
The large number of domain names generated by domain flux follows a particular generation algorithm and organisational form. To ensure that every bot can locate the same C&C within a given period, the algorithm often uses something such as the time or a hot topic as its seed. In terms of organisation, many botnets generate subdomain names under several second-level domains (or third-level domains). The generated domain names are mapped, as needed, to one or more IPs.
Each generated subdomain name exhibits certain features in its morphology, such as character distribution, string length and the number of dots. But beyond raising the analysis cost and hiding the domain names actually in use for the purpose of confusion, the main task of the automatically generated domain names is to serve as the channel for internal contact, and in the way they are requested during use they display features clearly different from the access pattern of legitimate domain names.
As shown in Figure 2, the left side of the figure shows the request pattern of an illegitimate domain name and the right side the request and resolution pattern of a legitimate domain name. The horizontal axis represents time, the vertical axis the IP corresponding to the domain name, and an asterisk indicates that at that time the domain name's IP was resolved at a client's request.
The contrast in Figure 2 shows that access to the legitimate domain name is more random and lasts longer over time, while the domain name used by the malicious sample is used only within a certain short period.
Figure 3 shows the access pattern of the subdomain names of a certain malicious domain name over a period of time:
As shown in Figure 3, although new subdomain names are continually requested and resolved as time passes, the active periods of the individual subdomain names differ from one another and do not overlap, while their active time spans are consistent.
It can be seen that, because of the way it is used, each subdomain name generated by domain flux is active for only one segment of the botnet's whole lifetime. Although the subdomain name can still be resolved to IP data afterwards, each bot discards it according to the protocol in use. Since every subdomain name is used in the same way, if domain names are grouped by their second- or third-level domain, the active time spans of the subdomain names in a set should in general be consistent; that is, the active time spans of all the subdomain names are highly concentrated.
Given a period of time T, the domain names in that time range are grouped by second- or third-level domain, giving for each such domain the set of its subdomain names D = {s_1, s_2, ..., s_n}. If subdomain name s_n is first requested and resolved at time T_1 and last requested and resolved at time T_2, then the active time of this domain name runs from T_1 to T_2 and its active time span is ΔT = T_2 − T_1. Let count(ΔT) denote the number of subdomain names whose active time span is ΔT; the distribution of the active time spans of the subdomain names in D is then:
$\{\mathrm{count}(\Delta T_1), \mathrm{count}(\Delta T_2), \ldots, \mathrm{count}(\Delta T_n)\}$
When count(ΔT) accounts for a larger proportion of the total number of subdomain names, the active time spans of this group of subdomain names are more concentrated.
Let Distribute(D) represent the distribution of active times in the set D, defined as:
$$\mathrm{Distribute}(D) = \frac{\max_i \mathrm{count}(\Delta T_i)}{\sum_{i=1}^{n} \mathrm{count}(\Delta T_i)}$$
The larger the value of Distribute(D), the more concentrated the distribution of the subdomain names' active time spans; note that Distribute(D) ≤ 1.
Most methods in prior related research collect a body of known data as a training set and use a classification algorithm to classify unknown data. Such methods are relatively mature and complete, but they depend on the availability of known data, and the classification result is affected by the training data. This paper instead computes Distribute(D) for each group of domain names, observes the Distribute(D) values of different domain names, filters the output domain names with a specified Distribute(D) threshold, and verifies the output with methods such as cross-validation. In many experiments, a threshold greater than 0.9 filtered out malicious domain names well.
Description of drawings
Fig. 1 Number of subdomain names generated by malicious samples
Fig. 2 Contrast of domain name activity
Fig. 3 Subdomain name access pattern of a malicious domain name
Fig. 4 Deployment architecture
Fig. 5 Detection process
Embodiment
To make the above purpose, features and advantages of the present invention clearer, the present invention is explained in further detail below with reference to the accompanying drawings.
The method of the invention is described below with reference to Fig. 4. The system flow is shown in Figure 5.
Step 1: capture DNS data. The data used come from traffic mirroring of the DNS server, specifically the caching server used by DNS clients. The mirrored traffic is directed to the network interface card of the collector.
Step 2: start the capture program on the collector and capture the data;
Step 3: start the parsing program. Parse the captured data according to the DNS RFC protocol and distinguish request packets from response packets. For response data, parse the content of each field according to the resource record format. Save all parsed content to files at a fixed time interval. Assuming the interval is 5 minutes, one text file is generated every 5 minutes, named by time so that the files can be distinguished.
Step 4: start the analysis and calculation program and read the output of the parsing program for a period of time, for example one day's output. Read the contents of all files into memory, group and calculate, and write the results to a database table.
Step 5: filter the domain names in the database table according to the threshold, then output and display them.
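The following is an added worked example, not code from the patent or its applicants. It implements the grouping, active-time-span and Distribute(D) computation defined in the summary above, and steps 4 and 5 of the embodiment (grouping by second-level domain and resolved IP, computing the consistency value, filtering by the 0.9 threshold). The input is assumed to be the already parsed A-record content that step 3 writes to its 5-minute files, here constructed inline as (timestamp, queried name, resolved IP) tuples; the record format, the `min_subdomains` guard and the quantisation of spans to the recording interval are this example's own assumptions.

```python
"""Distribute(D) consistency check over parsed DNS response records.

Added example; not the patent's own code. Records are assumed to be
(timestamp, queried name, resolved IP) tuples, i.e. the output of the
parsing stage (Step 3). The sample records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INTERVAL_SECONDS = 300  # the 5-minute recording interval from Step 3


def parent_domain(name: str, levels: int = 2) -> str:
    """Second-level domain used as the grouping key (third-level if levels=3).
    Simplification (assumption): keeps the last `levels` labels; public-suffix
    handling such as co.uk is out of scope for this example."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def group_records(records, levels=2):
    """Group records by (parent domain, resolved IP). Within each group, track
    the first (T1) and last (T2) time each subdomain name was seen."""
    groups = defaultdict(dict)
    for ts, name, ip in records:
        key = (parent_domain(name, levels), ip)
        first, last = groups[key].get(name, (ts, ts))
        groups[key][name] = (min(first, ts), max(last, ts))
    return groups


def active_spans(group, interval=INTERVAL_SECONDS):
    """Active time span dT = T2 - T1 per subdomain, quantised to whole recording
    intervals so that near-identical spans compare equal (assumption)."""
    spans = []
    for first, last in group.values():
        delta = (last - first).total_seconds()
        spans.append(int(round(delta / interval)))
    return spans


def distribute(spans):
    """Distribute(D) = max_i count(dT_i) / sum_i count(dT_i).
    1.0 means every subdomain in the set shares the same active span."""
    if not spans:
        return 0.0
    counts = Counter(spans)
    return max(counts.values()) / sum(counts.values())


def detect(records, threshold=0.9, min_subdomains=3, levels=2):
    """Return (parent, ip, Distribute, subdomain count) for groups above the
    threshold. min_subdomains is this example's own guard, not in the patent:
    a group of one or two names is trivially consistent and would always fire."""
    flagged = []
    for (parent, ip), group in group_records(records, levels).items():
        if len(group) < min_subdomains:
            continue
        value = distribute(active_spans(group))
        if value > threshold:
            flagged.append((parent, ip, round(value, 3), len(group)))
    return sorted(flagged)


def constructed_records():
    """Constructed sample input (not real traffic)."""
    t0 = datetime(2012, 11, 22, 0, 0)
    m = timedelta(minutes=1)
    recs = []
    # Flux-like zone: six subdomains, each seen in one 5-minute window
    # (two responses 5 minutes apart), one after another, all on one IP.
    for i in range(6):
        start = t0 + timedelta(hours=i)
        name = f"q{i}.dga-zone.example"
        recs += [(start, name, "192.0.2.10"), (start + 5 * m, name, "192.0.2.10")]
    # Legitimate-looking zone: four subdomains active for different lengths.
    legit = {"www": 6 * 60, "api": 4 * 60, "cdn": 2 * 60, "mail": 30}
    for label, minutes in legit.items():
        name = f"{label}.legit-site.example"
        recs += [(t0, name, "198.51.100.7"), (t0 + minutes * m, name, "198.51.100.7")]
    return recs


if __name__ == "__main__":
    for row in detect(constructed_records()):
        print(row)
```

On the constructed input the flux-like zone yields Distribute(D) = 1.0 (all six subdomains active for exactly one interval) and is flagged, while the legitimate-looking zone has four distinct spans and scores 0.25. The grouping on (parent domain, IP) follows claim 3; in practice the second-level grouping should be replaced by a public-suffix-aware parent lookup, and a short observation window (less than the span of a legitimate name's activity) will compress all spans toward the window length and inflate the score, so the window T should be chosen longer than the expected subdomain lifetime.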

Claims (6)

1. A domain-flux botnet domain name detection method, characterised in that it comprises:
recording the IP resolution content of domain names at a fixed time interval;
grouping the domain names by second-level domain and resolved IP;
computing a consistency value of the domain name access times of each group.
2. The domain-flux botnet domain name detection method according to claim 1, characterised in that the IP resolution content of domain names is recorded at a fixed time interval by the following steps:
mirroring the DNS data of the cache server to the network interface card of the data collector and capturing the DNS data;
parsing the resource records of responses according to the DNS protocol, with the content of each protocol field, and saving the parsed resource records at a fixed time interval.
3. The domain-flux botnet domain name detection method according to claim 1, characterised in that the domain names are grouped as follows:
grouping by domain name level, where each subdomain name belonging to a domain name is placed in one set;
grouping by the IP the domain name resolves to, where domain names resolving to the same IP are placed in one set.
4. The domain-flux botnet domain name detection method according to claim 1, characterised in that the domain name access time consistency value of a domain name group is computed by the following steps:
for each domain name, computing the difference between the record time of its first resolution and the time at which its last new resolution record appeared, as the active duration of the domain name;
from all the differences obtained for the set of domain names, computing the percentage of each difference and keeping the largest percentage as the access time consistency value of this set of domain names.
5. A system for detecting botnet domain name switching techniques, characterised in that it comprises:
a data capture engine, used to collect raw DNS data on the network interface;
a data parsing engine, used to parse the collected raw DNS data according to the protocol specification and to save the parsed DNS resource record content in the required format;
a domain name filtering and output engine, which groups the domain names, computes the domain name access time consistency value of each group, and outputs a domain name list according to the threshold requirement.
6. The system for detecting botnet domain name switching techniques according to claim 5, characterised in that the domain name filtering and output engine comprises:
a domain name grouping unit, used to group the recorded domain names by parent domain name and IP;
a consistency computing unit, which computes the domain name access consistency information;
a domain name filtering unit, which filters and outputs domain names according to the threshold;
a display unit, which shows for the output domain name list its access information: access time, returned resolution content, number of times, etc.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201210475596 CN102938769A (en) 2012-11-22 2012-11-22 Detection method of Domain flux botnet domain names

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201210475596 CN102938769A (en) 2012-11-22 2012-11-22 Detection method of Domain flux botnet domain names

Publications (1)

Publication Number Publication Date
CN102938769A true CN102938769A (en) 2013-02-20

Family

ID=47697637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201210475596 Pending CN102938769A (en) 2012-11-22 2012-11-22 Detection method of Domain flux botnet domain names

Country Status (1)

Country Link
CN (1) CN102938769A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103399912B (en) * 2013-07-30 2016-08-17 腾讯科技(深圳)有限公司 A kind of fishing webpage clustering method and device
WO2015014279A1 (en) * 2013-07-30 2015-02-05 Tencent Technology (Shenzhen) Company Limited Method and device for clustering phishing webpages
CN103399912A (en) * 2013-07-30 2013-11-20 腾讯科技(深圳)有限公司 Fishing web page clustering method and device
CN103685230A (en) * 2013-11-01 2014-03-26 上海交通大学 Distributed cooperation detection system and method for botnet malicious domain name
CN103685230B (en) * 2013-11-01 2016-11-30 上海交通大学 The distributed collaboration detecting system of Botnet malice domain name and method
CN104579773A (en) * 2014-12-31 2015-04-29 北京奇虎科技有限公司 Domain name system analysis method and device
CN104618354A (en) * 2015-01-19 2015-05-13 中国科学院信息工程研究所 Cache optimization method and system for resisting continuous variable-domain name prefix attack
CN104618354B (en) * 2015-01-19 2018-04-27 中国科学院信息工程研究所 A kind of cache optimization method and system resisted continuation and become the attack of domain name prefix
CN107547488A (en) * 2016-06-29 2018-01-05 华为技术有限公司 A kind of DNS tunnel detection methods and DNS tunnel detectors
CN106713371A (en) * 2016-12-08 2017-05-24 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS anomaly mining
CN106713371B (en) * 2016-12-08 2020-04-21 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS abnormal mining
CN107122987A (en) * 2017-06-20 2017-09-01 深圳安巽科技有限公司 A kind of early warning system and method for order for arrest swindle
CN110177123A (en) * 2019-06-20 2019-08-27 电子科技大学 Botnet detection method based on DNS mapping association figure
CN110266739A (en) * 2019-08-06 2019-09-20 杭州安恒信息技术股份有限公司 In conjunction with the detection method for the Fast-Flux Botnet for threatening information
CN114363062A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Domain name detection method, system, equipment and computer readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130220