
Design And Implementation Of Malicious Domain Detecting System On Domain Flux Botnet

Posted on: 2018-07-30
Degree: Master
Type: Thesis
Country: China
Candidate: L Xu
GTID: 2348330536481624
Subject: Software engineering
Abstract/Summary:
With the advance of the Internet, daily life has become more convenient through services such as SNS (Social Networking Services), Taobao, e-mail, online banking and e-commerce. At the same time, attackers steal important information from Internet users in many ways, threatening their security. Hackers carry out large numbers of malicious activities through botnets built from virus-infected hosts, and the security threat to the Internet is growing rapidly. Botnets have widely adopted Domain Flux technology: a Domain Generation Algorithm (DGA) regularly produces a large number of new domains in order to evade domain blacklists. Therefore, on the basis of collected DNS domain data, this paper analyses the features of DGA domains in order to detect them.

This paper presents a DGA detection system based on domain data, designed to study how to identify the malicious domains generated by a DGA. A DGA can generate a large number of domains in a short time, of which the hackers register only one or two as the C&C IP, and the characteristics of DGA domains differ from those of normal domains. This paper therefore argues that the malicious domains generated by a DGA can be detected under these conditions.

Firstly, the invalid domains (NXDomain) in the DNS data are clustered into groups; according to the one-to-many relationship between malicious active domains and IP, the system selects the IPs whose number of corresponding domains exceeds a certain threshold. A matrix is then formed from the IPs and the NXDomain clusters by two mappings, and k suspicious infected hosts are found with singular value decomposition (SVD). Secondly, the system collects the active domains accessed by the suspicious infected hosts and filters them against a whitelist to find the active C&C domains. Thirdly, the active domains are classified by an offline SVM classifier, which marks each domain as one of 45 kinds of DGA domains, and the system obtains the IP addresses of the C&C server. Finally, the system is evaluated with real domain data from Shanxi province in functional and performance tests; the results show that the system meets business needs and is suitable for practical use.
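The first stage of the pipeline described above (a per-host NXDomain threshold, a host-by-cluster matrix, and a rank-1 SVD to pick the k most suspicious hosts), as an added Python example that is not the thesis's own code; the constructed DNS log, the clustering key (TLD plus label length) and the threshold values are assumptions made for the illustration.

```python
from collections import defaultdict
# Constructed DNS response log (client_ip, domain, rcode); not real data.
SAMPLE_LOG = [
    ("10.0.0.5", "qzxkvjw.com", "NXDOMAIN"), ("10.0.0.5", "pmrtyqz.com", "NXDOMAIN"),
    ("10.0.0.5", "lkdjfhs.net", "NXDOMAIN"), ("10.0.0.5", "xqwpoiu.net", "NXDOMAIN"),
    ("10.0.0.7", "zmnbvcx.com", "NXDOMAIN"), ("10.0.0.7", "ytrewqa.com", "NXDOMAIN"),
    ("10.0.0.7", "hgfdsaq.net", "NXDOMAIN"), ("10.0.0.9", "typo-exampel.com", "NXDOMAIN"),
    ("10.0.0.9", "example.com", "NOERROR"), ("10.0.0.11", "example.org", "NOERROR"),
]

def cluster_key(domain):
    """Stand-in for the thesis's NXDomain clustering (assumption): group by
    TLD and second-level-label length, which one DGA family tends to share."""
    labels = domain.lower().split(".")
    return (labels[-1], len(labels[-2]))

def build_matrix(log, min_domains=2):
    """Rows: hosts with more than min_domains distinct NXDomains (the
    per-IP threshold); columns: NXDomain clusters; cells: query counts."""
    per_ip = defaultdict(set)
    for ip, domain, rcode in log:
        if rcode == "NXDOMAIN":
            per_ip[ip].add(domain)
    ips = sorted(ip for ip, doms in per_ip.items() if len(doms) > min_domains)
    clusters = sorted({cluster_key(d) for ip in ips for d in per_ip[ip]})
    matrix = [[sum(cluster_key(d) == c for d in per_ip[ip]) for c in clusters] for ip in ips]
    return ips, clusters, matrix

def top_left_singular_vector(matrix, iters=100):
    """Dominant left singular vector via power iteration on M*M^T
    (pure Python so the example runs without numpy)."""
    rows, cols = len(matrix), len(matrix[0])
    v = [1.0] * rows
    for _ in range(iters):
        mt_v = [sum(matrix[i][j] * v[i] for i in range(rows)) for j in range(cols)]
        v = [sum(matrix[i][j] * mt_v[j] for j in range(cols)) for i in range(rows)]
        norm = sum(x * x for x in v) ** 0.5
        v = [x / norm for x in v]
    return v

def suspicious_hosts(log, k=2, min_domains=2):
    """Rank hosts by their weight on the dominant singular direction and
    return the k highest, as the first stage of the abstract describes."""
    ips, _, matrix = build_matrix(log, min_domains)
    if not ips:  # nothing crossed the NXDomain threshold
        return []
    scores = top_left_singular_vector(matrix)
    ranked = sorted(zip(ips, scores), key=lambda t: -abs(t[1]))
    return [ip for ip, _ in ranked[:k]]
```

With the constructed log, `suspicious_hosts(SAMPLE_LOG)` returns the two hosts that issued many NXDomain lookups in the same clusters, while the host with a single typo lookup is dropped by the threshold before the SVD step.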
Keywords/Search Tags: clustering group, singular value dimensionality, active C&C domain, SVM classifier