
Research On Abnormal Domain Detection Based On DNS Log Data

Posted on: 2019-05-03
Degree: Master
Type: Thesis
Country: China
Candidate: J N Zhu
Full Text: PDF
GTID: 2348330569495785
Subject: Engineering

Abstract/Summary:
To evade malicious domain detection systems, current malware families are usually equipped with a Domain Generation Algorithm (DGA), which uses specific seeds to generate a large number of random domain names, a few of which the attackers select and register. Even if the DGA algorithm is reverse-engineered, it is impossible to block every DGA domain. How to detect the domains used by malicious programs in a real-time environment has therefore become a hot issue in the field of network security.

By analyzing existing malicious domain detection technology, this thesis applies machine learning algorithms and provides a high-speed network traffic capture technique, yielding an effective and efficient malicious domain detection solution with three parts:

1. A DGA domain detection method based on an LSTM (long short-term memory) neural network. A large number of DGA domain names are collected to train the LSTM model; in the experiments, the model achieves high detection accuracy for DGA domain names.

2. A malicious domain mining method based on historical data. This method collects global features of malicious domain names (i.e., DNS authorization, WHOIS update information, and passive DNS data). Passive DNS data is used to analyze the mapping relationship between domains and IP addresses and to build a malicious domain map; a graph association algorithm then relates an unknown domain to that map. Four further features describe the domain's history: i) domain WHOIS update information, ii) the ratio of the domain's IP change numbers and times, iii) the ratio of domains sharing an IP and their WHOIS completeness, and iv) a function of the domain's IP change rate and its TTL. An XGBoost model is trained on these features to detect malicious domains; the experiments achieve high detection efficiency and accuracy.

3. The design and implementation of a malicious domain detection system that works in a high-speed network environment, combining the two methods above. Finally, open malware data is used to evaluate the two algorithm models; the results show a malicious domain detection accuracy of over 95%. The thesis also tests traffic acquisition in a high-speed network environment, and the results show that the system can operate in such an environment.
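As an added illustration (not code from the thesis), the passive-DNS graph association and two of the history features described in part 2, in Python, run over a constructed set of passive-DNS records; the exact feature formulas are assumptions, since the abstract gives only their names.

```python
from collections import defaultdict

# Constructed passive-DNS records: (domain, ip, day_seen, ttl). Not real data.
PDNS = [
    ("known-bad-a.example", "198.51.100.5", 1, 300),
    ("known-bad-a.example", "198.51.100.9", 3, 300),
    ("known-bad-b.example", "198.51.100.9", 2, 120),
    ("unknown-1.example", "198.51.100.5", 4, 60),
    ("unknown-1.example", "198.51.100.9", 6, 60),
    ("unknown-1.example", "203.0.113.7", 9, 60),
    ("benign.example", "203.0.113.50", 1, 86400),
    ("benign.example", "203.0.113.50", 30, 86400),
]
KNOWN_MALICIOUS = {"known-bad-a.example", "known-bad-b.example"}  # seeds of the "malicious domain map"

def build_graph(records):
    """Bipartite domain <-> IP graph from passive-DNS mappings."""
    dom2ip, ip2dom = defaultdict(set), defaultdict(set)
    for dom, ip, _, _ in records:
        dom2ip[dom].add(ip)
        ip2dom[ip].add(dom)
    return dom2ip, ip2dom

def malicious_association(domain, dom2ip, ip2dom, bad):
    """Graph association: share of the domain's IPs that also resolve a known-malicious domain."""
    ips = dom2ip.get(domain, set())
    if not ips:
        return 0.0
    hits = sum(1 for ip in ips if (ip2dom[ip] - {domain}) & bad)
    return hits / len(ips)

def history_features(domain, records):
    """IP-change rate over the observation window and a TTL-scaled variant (assumed formulas)."""
    rows = sorted((day, ip, ttl) for dom, ip, day, ttl in records if dom == domain)
    if len(rows) < 2:
        return {"ip_changes": 0, "change_rate": 0.0, "ttl_score": 0.0}
    changes = sum(1 for a, b in zip(rows, rows[1:]) if a[1] != b[1])
    span_days = max(rows[-1][0] - rows[0][0], 1)
    change_rate = changes / span_days
    avg_ttl = sum(r[2] for r in rows) / len(rows)
    # Short TTLs combined with frequent re-pointing (fast-flux style) push ttl_score up.
    return {"ip_changes": changes, "change_rate": change_rate,
            "ttl_score": change_rate * 86400 / avg_ttl}

def score_domain(domain, records=PDNS, bad=KNOWN_MALICIOUS):
    """Feature vector an XGBoost-style classifier would consume for one domain."""
    dom2ip, ip2dom = build_graph(records)
    feats = history_features(domain, records)
    feats["association"] = malicious_association(domain, dom2ip, ip2dom, bad)
    return feats
```

For the constructed data, unknown-1.example shares two of its three IPs with known-malicious domains and re-points every few days on a 60-second TTL, while benign.example sits on one IP with a day-long TTL, which is the contrast the history features are meant to expose.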
Keywords/Search Tags: machine learning, malicious domain name, high-speed network, Domain Generation Algorithm