
Research On Domain Name System Security

Posted on: 2008-08-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Wang
Full Text: PDF
GTID: 1118360245996615
Subject: Computer system architecture
Abstract/Summary:
In recent years, infrastructures such as the Domain Name System (DNS) have frequently been paralyzed by malfunctions or malicious attacks, which dramatically affects network security. DNS security is hard to guarantee mainly because the Internet is essentially an open, complex giant system; its complex structure and the lack of necessary security protection leave DNS exposed to the exploitation of its vulnerabilities. Currently, DNS security has not received enough attention and the related research lags behind. Research has mainly focused on specific ways to passively defend against attacks, failing to remove the vulnerabilities thoroughly and unable to deal with attacks and malicious behaviours that are diverse, random, covert and propagating. Therefore, the key problems in protecting DNS are reducing the vulnerability in the system architecture design, improving system availability and controllability, and upgrading the system's active defense capability against intentional attacks and unintentional failures. This dissertation focuses on in-depth research into DNS availability, vulnerability, controllability and active defense ability.

Protocol design vulnerabilities violate data integrity and authenticity, and such faults are widespread in DNS. At the same time, redundancy is substantially reduced, which leads to prevalent single points of failure. As the system expands, management difficulties increase dramatically. Therefore, this dissertation classifies DNS security threats according to vulnerabilities in protocol design, implementation and operation, and reviews the related research work and improvements. Concurrently, the security status of authoritative name servers is studied roughly through vulnerability scanning and misconfiguration detection. Later, a measurement tool named DNSAuth is introduced to perform name server availability measurement and analysis, and the performance and availability of authoritative name servers are then quantitatively assessed. The experiments reveal that the security situation of current DNS is at risk.

To address the research deficiency in DNS vulnerability, this dissertation presents the concepts of atomic and composite vulnerability together with the corresponding classification, and describes the essence of DNS vulnerability. Based on the extended finite state machine, the dissertation outlines a DNS vulnerability analysis model, and the DNS resolution process is formalized with the vulnerability classification integrated. Based on reliability theory, a quantitative assessment method for DNS vulnerability is presented, and the vulnerability index of DNS is evaluated according to the vulnerability classification.

DNS traffic anomaly detection is a necessary approach to enhancing DNS controllability. This dissertation presents a detection method based on protocol feature association analysis, which tracks both traffic attributes and DNS payload features. Through query and response frequency anomalies, the abnormal behaviours of DNS servers and clients are effectively distinguished. Afterwards, based on an information entropy model, DNS traffic anomalies, especially those without an obvious disruption in traffic volume, are detected from the distribution of traffic features. Comparative analysis of the experimental results validates the efficiency of these two anomaly detection methods.

DNS security protection technology is the fundamental assurance for enhancing the overall ability of the defense system. To achieve DNS security enhancement, this dissertation presents a hierarchical DNS security enhancement model in which the vulnerability, availability, controllability and survivability of DNS are associated. Based on the complete life cycle of information security, a dynamic defense mechanism is established to implement a defense-in-depth system spanning warning, prevention, detection, response and recovery. Finally, based on the DNS security enhancement model, a DNS security protection system named DNSSOS is proposed that associates the vulnerability, availability, controllability and survivability of DNS, systematically combining DNS security protection means and building a multi-level, full-scale dynamic security defense system.
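The two detection ideas the abstract describes, query/response frequency association per client and the entropy of a traffic feature distribution per time window, in a small working form. This is an added example, not code from the dissertation or the DNSSOS system; the log records, window length, client addresses, host names and thresholds are all constructed for illustration, and the flagging rules (deviation from the median entropy, answered-fraction below a floor) are a simplification chosen here, not the dissertation's exact method.

```python
import math
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Tuple

# One record per DNS message: (timestamp_s, client_ip, direction "Q"/"R", qname)
Record = Tuple[int, str, str, str]

WINDOW_SECONDS = 60  # constructed window length for the example


def build_sample_log() -> List[Record]:
    """Constructed sample DNS records (not data from the dissertation).

    Windows 0-3: ten clients resolve eight names evenly and every query is answered.
    Window 4: the same background, plus one client (constructed address) sending
    160 queries for a single name, of which only 10 receive a response.
    """
    names = [f"host{i}.example.net" for i in range(8)]
    log: List[Record] = []
    for w in range(5):
        for i in range(40):
            t = w * WINDOW_SECONDS + (i * WINDOW_SECONDS) // 40
            client = f"192.0.2.{i % 10 + 1}"
            log.append((t, client, "Q", names[i % 8]))
            log.append((t, client, "R", names[i % 8]))
    for i in range(160):
        t = 4 * WINDOW_SECONDS + (i * WINDOW_SECONDS) // 160
        log.append((t, "203.0.113.9", "Q", "host0.example.net"))
        if i % 16 == 0:  # only 10 of the 160 queries are answered
            log.append((t, "203.0.113.9", "R", "host0.example.net"))
    return log


def shannon_entropy(counts: Counter) -> float:
    """Entropy in bits of the empirical distribution described by counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def qname_entropy_per_window(log: List[Record]) -> Dict[int, float]:
    """Entropy of the queried-name distribution for each window (queries only)."""
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for t, _client, direction, qname in log:
        if direction == "Q":
            per_window[t // WINDOW_SECONDS][qname] += 1
    return {w: shannon_entropy(c) for w, c in sorted(per_window.items())}


def entropy_anomalies(entropies: Dict[int, float],
                      max_deviation_bits: float = 1.0) -> List[int]:
    """Windows whose entropy deviates from the median by more than the threshold.

    A collapse toward a few names, or a spread over many never-seen names, both
    change the shape of the distribution without necessarily changing the packet
    rate, which is why a distribution-based view complements volume thresholds.
    """
    base = median(entropies.values())
    return [w for w, h in entropies.items() if abs(h - base) > max_deviation_bits]


def query_response_anomalies(log: List[Record], min_queries: int = 50,
                             min_answer_ratio: float = 0.5
                             ) -> List[Tuple[int, str, int, int]]:
    """Per (window, client), associate queries sent with responses received.

    Returns (window, client, queries, responses) for clients with a high query
    volume and a low answered fraction; the thresholds are constructed defaults.
    """
    counts: Dict[Tuple[int, str], List[int]] = defaultdict(lambda: [0, 0])
    for t, client, direction, _qname in log:
        counts[(t // WINDOW_SECONDS, client)][0 if direction == "Q" else 1] += 1
    flagged = []
    for (w, client), (q, r) in sorted(counts.items()):
        if q >= min_queries and r / q < min_answer_ratio:
            flagged.append((w, client, q, r))
    return flagged


if __name__ == "__main__":
    sample = build_sample_log()
    ent = qname_entropy_per_window(sample)
    for w, h in ent.items():
        print(f"window {w}: qname entropy {h:.2f} bits")
    print("entropy anomalies:", entropy_anomalies(ent))
    print("query/response anomalies:", query_response_anomalies(sample))
```

The baseline windows are uniform over eight names, so their entropy is exactly 3 bits; the fifth window concentrates 165 of 200 queries on one name and drops to about 1.16 bits, which the median-deviation rule flags even though a pure query-rate threshold tuned to the whole resolver might not. The query/response view independently isolates the one client whose answered fraction collapses, which is the kind of per-client separation the abstract attributes to the protocol feature association method.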
Keywords/Search Tags: network security, DNS, vulnerability, anomaly detection, active defense