
Malicious Services Detection And Threat Evaluation Based On DNS Activity Analysis

Posted on: 2018-05-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W W Zhang
GTID: 1368330545961178
Subject: Computer system architecture
Abstract/Summary:
As a core piece of Internet infrastructure, DNS is primarily responsible for the mapping between domain names and IP addresses and is closely tied to almost every network application. At the same time, domain name service has become a main tool for mounting a wide range of Internet security threats. For example, a botnet uses DNS to locate its C&C server while spreading and communicating, and phishing sites, malicious-code download sites and the like frequently change the IP addresses of their domain names and their NS records in order to hide the real servers. Compared with full-packet network traffic, DNS traffic is small and unencrypted, so the DNS traffic of a backbone can be monitored in real time. Moreover, because a DNS request typically precedes the actual attack, DNS traffic monitoring can detect and contain malicious activity at the earliest stage. Monitoring malicious services through their DNS activity is therefore a new direction in network security.

To address worsening network security problems and to keep the backbone of an ISP network running safely and reliably, this thesis studies methods for detecting and assessing the threat of botnets, phishing websites, spam and similar services on the basis of DGA domain name monitoring. The approach observes the literal features of the domain names visible in the monitored network, their DNS activity features and their communication features. The work covers six aspects:

1. To relieve the performance pressure of real-time traffic detection on an ISP backbone, the thesis designs a lightweight detection algorithm that extracts morpheme (literal) features from domain names and quickly identifies suspect names. The algorithm raises the detection precision of Yadav's classic algorithm, which is based on bigram ("two-tuple") frequency distributions, and remedies two weaknesses of earlier feature statistics: their inability to withstand attackers' evasion strategies, and their failure on names generated randomly from dictionaries or with the Kwyjibo tool.

2. To raise the precision of real-time DNS traffic detection on an ISP backbone, and in particular to address the fact that DNS caching hides end users' query requests from a detector placed at a lower layer, the thesis proposes a metric group called "Domain Name Dependency", built on the user-to-domain visit relationships recovered from flow record data. To solve the problem that Fast-Flux features cannot distinguish Fast-Flux service networks (FFSN) from CDNs and therefore raise frequent false alarms, it defines a metric group called "Domain-Name-Using Location", derived from the differences in underlying infrastructure between FFSN and CDN. A supervised multi-classifier model is then applied to balance the efficiency of parallel metric statistics against the precision of multi-result data fusion. Although the algorithm uses a minimal metric set, its detection precision is higher than that of the existing generic domain detection algorithms Notos [144], Exposure [146-147] and Kopis [141].

3. To add semantic processing of the attacks behind suspect domains, and to track their DNS activity and communication features, the thesis develops a method for recognising botnets, phishing websites, spam and other malicious services. Experiments show that combining DNS data with flow record data gives higher detection precision than relying on either data source alone.

4. To cope with the huge volume of domain alarms, the thesis develops an aggregation algorithm based on spatial attribute similarity and an association algorithm that mines domain-name access sequence patterns. The former reduces the alarm volume effectively by analysing shared resolved IP addresses and similar user IP addresses, but cannot expose causal links between alarms. The latter targets "domain-name access sequence correlation": it addresses the limitation of alarm correlation that considers only two adjacent domains, and applies the sequential pattern mining algorithm from data mining to alarm association. By finding frequent subsequences in the domain access sequences it recovers causal relations between domains and can reproduce the scene of an attack.

5. The thesis designs a hierarchical quantitative threat indicator system by analysing the relation among the number of attacks, the number of victim hosts and the attack duration, for the case where no information about network vulnerabilities is available. On top of a distributed system architecture it then builds a quantitative security threat evaluation model for backbone networks that balances the timeliness, globality and objectivity of threat evaluation. On the one hand, by watching the current security state and trend of both attacker and defender at the same time, the model reflects the global security situation of the backbone promptly and correctly: it can reveal periodic patterns in the network's security state and also flag security problems promptly through sudden jumps in the curve. On the other hand, since a single indicator cannot capture the richness of the security situation, the hierarchical indicator system lowers bottom-up computation cost for higher overall efficiency, and it lets the network security administrator trace a problem from the local to the global level when a security weakness is found.

6. Finally, the DAOS prototype system is designed and implemented by integrating all the algorithms above. Deployed at the backbone border of JSERNET (Jiangsu Education and Research Network), DAOS detects DGA domain names in DNS traffic promptly, identifies the malicious services behind them accurately, evaluates their effect on the managed network globally, and sends the final report to the emergency response system. DAOS is also steady and moderate in its CPU and memory consumption, and is capable of real-time DNS traffic monitoring on backbone nodes.
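The literal-feature stage described in aspect 1 can be illustrated with a small scorer. The code below is an added example, not code from the thesis or from DAOS: it combines a bigram statistic in the spirit of Yadav's "two-tuple frequency distribution" (here the cross-entropy of a label's bigrams against a benign reference, which is the KL divergence plus the label's own bigram entropy and is therefore stable across label lengths) with a dictionary-word segmentation feature that catches labels glued together from dictionary words, which the bigram statistic alone misses. The benign reference labels, the word list and the thresholds are constructed for illustration; a deployment would use a large top-sites list and a full dictionary.

```python
"""Literal-feature scoring of domain labels for lightweight DGA candidate
detection.  Added example, not code from the thesis or the DAOS system.
The reference labels, word list and thresholds are constructed."""
import math
from collections import Counter

# Constructed benign reference labels (stand-in for a real top-sites list).
BENIGN_LABELS = [
    "google", "facebook", "youtube", "wikipedia", "amazon", "twitter",
    "instagram", "linkedin", "netflix", "microsoft", "apple", "github",
    "stackoverflow", "reddit", "yahoo", "baidu", "taobao", "weibo",
    "university", "research", "network", "mail", "news", "cloud",
]

# Constructed word list for the morpheme (dictionary-word) features.
WORDLIST = {
    "cat", "dog", "house", "blue", "green", "river", "stone", "light", "rain",
    "cloud", "net", "work", "mail", "news", "book", "face", "you", "tube",
    "micro", "soft", "apple", "git", "hub", "stack", "over", "flow", "red",
    "wiki", "google", "amazon", "twitter", "university", "research",
}

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def bigrams(label):
    return [label[i:i + 2] for i in range(len(label) - 1)]


def bigram_distribution(labels, smoothing=0.5):
    """Smoothed probability of every possible bigram in the reference labels."""
    counts = Counter()
    for label in labels:
        counts.update(bigrams(label))
    total = sum(counts.values()) + smoothing * len(ALPHABET) ** 2
    return {a + b: (counts[a + b] + smoothing) / total
            for a in ALPHABET for b in ALPHABET}


BENIGN_BIGRAMS = bigram_distribution(BENIGN_LABELS)


def bigram_cross_entropy(label, reference=BENIGN_BIGRAMS):
    """Average -log p_benign(bigram) over the label's bigrams.  Random labels
    score near the smoothing floor; labels built from common bigrams score
    lower.  Unlike per-label KL divergence this does not shrink with length."""
    grams = [g for g in bigrams(label) if g in reference]
    if not grams:
        return 0.0
    return -sum(math.log(reference[g]) for g in grams) / len(grams)


def word_segmentation(label, words=WORDLIST):
    """Dynamic-programming segmentation of a label into dictionary words that
    maximises the number of covered characters.  Returns (covered, words)."""
    best = [(0, ())]                      # best[i]: best result for label[:i]
    for i in range(1, len(label) + 1):
        cand = best[i - 1]                # leave character i-1 uncovered
        for j in range(i):
            w = label[j:i]
            if w in words and best[j][0] + len(w) > cand[0]:
                cand = (best[j][0] + len(w), best[j][1] + (w,))
        best.append(cand)
    return best[-1]


def literal_features(label):
    covered, words = word_segmentation(label)
    return {
        "length": len(label),
        "cross_entropy": bigram_cross_entropy(label),
        "word_coverage": covered / len(label),
        "word_count": len(words),
    }


def classify_label(label, ce_threshold=7.0, min_words=3, min_coverage=0.9):
    """Return 'random-dga-candidate', 'dictionary-dga-candidate' or 'benign'.
    Thresholds are constructed for the small reference corpus above."""
    label = label.lower()
    if not label:
        return "benign"
    f = literal_features(label)
    # Dictionary-based DGAs glue several unrelated words together; their
    # bigrams look normal, so the bigram statistic alone misses them.
    if f["word_count"] >= min_words and f["word_coverage"] >= min_coverage:
        return "dictionary-dga-candidate"
    # Character-level DGAs produce bigrams rarely seen in benign names.
    if f["cross_entropy"] >= ce_threshold:
        return "random-dga-candidate"
    return "benign"


if __name__ == "__main__":
    for name in ["google", "example", "xjq7zkw9rl", "riverstonelight"]:
        print(name, classify_label(name), literal_features(name))
```

Note that a name such as "stackoverflow" segments into three dictionary words and is also reported as a dictionary candidate: literal features are cheap enough for backbone rates precisely because they only nominate suspects, and the DNS activity and communication features of aspects 2 and 3 do the confirmation.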
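The two alarm-handling algorithms of aspect 4 can be shown on a handful of records. The code below is an added example, not the thesis's own implementation: the alarm records are constructed, "spatial attribute similarity" is approximated by a shared resolved IP or a Jaccard similarity of the client-IP sets (the thesis's exact similarity measure is not given in the abstract), and the sequence miner is a plain Apriori-style search for contiguous domain subsequences supported by at least a minimum number of clients.

```python
"""Alarm aggregation by spatial-attribute similarity and frequent-subsequence
mining over per-client domain access sequences.  Added example, not code
from the thesis or DAOS; the alarm records are constructed."""
from collections import defaultdict
from itertools import combinations

# Constructed alarm records: (time, client_ip, domain, resolved_ip).
# Three clients contact the same DGA-looking names and then a drop site;
# a fourth client triggers an unrelated CDN alarm.
ALARMS = [
    (100, "10.1.1.5", "a7kq2.example", "198.51.100.7"),
    (105, "10.1.1.5", "zz91mx.example", "198.51.100.7"),
    (110, "10.1.1.5", "drop.example", "203.0.113.9"),
    (200, "10.1.2.8", "a7kq2.example", "198.51.100.7"),
    (205, "10.1.2.8", "zz91mx.example", "198.51.100.8"),
    (210, "10.1.2.8", "drop.example", "203.0.113.9"),
    (300, "10.1.3.2", "a7kq2.example", "198.51.100.7"),
    (305, "10.1.3.2", "zz91mx.example", "198.51.100.7"),
    (310, "10.1.3.2", "drop.example", "203.0.113.9"),
    (400, "10.1.9.9", "other-cdn.example", "192.0.2.1"),
]


def aggregate_alarms(alarms, min_client_similarity=0.5):
    """Cluster alarmed domains that share a resolved IP or whose client-IP
    sets are similar (Jaccard).  Returns sorted clusters of domain names."""
    resolved, clients = defaultdict(set), defaultdict(set)
    for _, client, domain, ip in alarms:
        resolved[domain].add(ip)
        clients[domain].add(client)
    domains = sorted(resolved)
    parent = {d: d for d in domains}          # union-find over domains

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    def jaccard(a, b):
        return len(a & b) / len(a | b)

    for d1, d2 in combinations(domains, 2):
        if (resolved[d1] & resolved[d2]
                or jaccard(clients[d1], clients[d2]) >= min_client_similarity):
            parent[find(d1)] = find(d2)
    groups = defaultdict(list)
    for d in domains:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


def client_sequences(alarms):
    """Time-ordered domain access sequence per client IP."""
    seqs = defaultdict(list)
    for _, client, domain, _ in sorted(alarms):
        seqs[client].append(domain)
    return dict(seqs)


def frequent_subsequences(sequences, min_support=2, max_len=4):
    """Apriori-style mining of contiguous domain subsequences.  A pattern is
    frequent if at least min_support distinct clients exhibit it; longer
    candidates are grown only from frequent shorter ones.  Returns
    {pattern_tuple: number_of_supporting_clients}."""
    support, frequent, length = {}, None, 1
    while length <= max_len:
        seen_by = defaultdict(set)
        for client, seq in sequences.items():
            for i in range(len(seq) - length + 1):
                pat = tuple(seq[i:i + length])
                if length == 1 or (pat[:-1] in frequent and pat[1:] in frequent):
                    seen_by[pat].add(client)
        frequent = {p for p, c in seen_by.items() if len(c) >= min_support}
        if not frequent:
            break
        for p in frequent:
            support[p] = len(seen_by[p])
        length += 1
    return support


def longest_chains(support):
    """The maximal-length frequent patterns, i.e. the reconstructed attack
    scenes, ordered by support."""
    if not support:
        return []
    n = max(len(p) for p in support)
    return sorted((p for p in support if len(p) == n), key=lambda p: -support[p])


if __name__ == "__main__":
    print(aggregate_alarms(ALARMS))
    chains = frequent_subsequences(client_sequences(ALARMS))
    print(longest_chains(chains))
```

On the constructed records the aggregation step collapses nine alarms into one cluster of three domains plus a singleton, while the sequence miner recovers the ordered chain a7kq2.example, zz91mx.example, drop.example with support 3, which the aggregation alone could not express.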
Keywords/Search Tags: network security situation awareness, literal feature, DNS activity, threat detection, threat evaluation