
Network Security Situation Awareness Based On The Analysis Of Domain Names' Behavior Characteristics

Posted on: 2021-03-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X D Zang
Full Text: PDF
GTID: 1488306557985229
Subject: Cyberspace security
Abstract/Summary:
Network security situation awareness is the cognitive process concerning the security state of a network system. It proceeds by gradually fusing the original measurement data, extracting the background state and activity semantics of the system, and identifying the various types of network activity as well as the intention behind anomalous activity, so as to reach an understanding of the network security situation and of how that situation influences the normal behavior of the network. In this thesis, DNS traffic and the corresponding flow records of the resolved IP addresses, collected on a backbone router, are used as the main data source for research on network security situation awareness. Domain names are taken as the observed objects, and the traffic behavior of the IP addresses they resolve to is studied. These IP addresses provide resources and services on the network; profiling their traffic behavior and classifying their service intention supports the realization of network security situation awareness. The thesis has four parts: the first two fall within the research scope of network security situation perception, while the last two fall within network security situation comprehension and network security situation projection, respectively. The studies are as follows.

The first part concerns the detection of malicious AGD (algorithmically generated domain) names. A malicious domain name detection method is proposed that combines a clustering algorithm with a classification algorithm to achieve efficient detection under limited system resources. First, several similarity metrics are defined and used to cluster the observed AGD names, and cluster correlation identifies domain names generated by the same domain generation algorithm or its variants. Second, the malicious domain names within these clusters are detected. Rather than the literal (lexical) features of the domain name, this work studies features that effectively distinguish maliciousness, such as TTL features, the distribution and attribution features of the resolved IP addresses, and whois features. Finally, an efficient classifier is applied to build a blacklist of AGD names.

The second part concerns identifying Fast-Flux domain names at the upper DNS hierarchy. A two-stage detection algorithm is designed to identify domain names with Fast-Flux characteristics, aiming to solve the problems of high detection delay and low detection accuracy. First, in the online detection stage, metrics that are available over a short term are constructed as the input of an extreme learning algorithm for efficient detection, so as to narrow the window in which such domains are detected or escape detection. For malicious FFSN and legitimate CDN domain names that features alone cannot separate effectively, filtering rules are designed to pick out the malicious Fast-Flux domain names. Finally, further metrics are explored using long-term data, and an offline monitoring algorithm is designed that addresses the high false positive rate caused by the online stage's excessive pursuit of earliness and timeliness, thereby achieving a trade-off between detection efficiency and detection accuracy.

The third part is a method for generalizing the traffic behavior of IP addresses in the backbone. A traffic behavior description model for IP addresses is designed to profile their traffic behavior, which effectively remedies the shortcomings of existing traffic description methods in description granularity and semantics. By analyzing the traffic of the resolved IP addresses in the CERNET backbone, nine single-attribute metrics and thirty-nine dual-attribute metrics are selected. These metrics depict the traffic behavior of IP addresses along the temporal, spatial, category and intensity dimensions. Based on these metrics, a method for composing the IP address traffic behavior characteristic spectrum is designed; through it, the behavior of an IP address in terms of rhythm, periodicity, stable access and service diversity can be described quantitatively, so that IP addresses can be classified by behavioral similarity. This behavior classification has the effect of generalizing the behavior of all observed IP addresses.

The fourth part is the identification of the service intention of domain names. Service intention refers to what service, or what kind of service, the servers provide. The former involves service classification, that is, classification by service type or service behavior, while the latter involves service content classification, such as online shopping or upload and download services. In this thesis, service intention is identified by perceiving the service influence of the resolved IP addresses, including their service scope, intensity, estimated service category and impact form (providing content or exercising control), rather than through traditional service classification. To this end, IP addresses with similar service behavior are discovered by observing their service scope, communication intensity, estimated service category and impact form. A method for interpreting their service intention is then given, for example inferring whether they serve a fixed user group or provide interactive services. Using this influence, important service classes can be tracked to support better decisions by decision makers, thereby achieving the purpose of situation projection.
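As an added illustration of the perception-stage features described in the first two parts (example code written here, not the thesis's own implementation), the following Python derives TTL and resolved-IP distribution features from constructed passive-DNS observations, groups names whose resolved-IP sets overlap as a simple stand-in for the cluster-correlation step, and applies a threshold rule as a constructed short-term Fast-Flux filter. The /16-prefix count standing in for address attribution, the Jaccard threshold and the flux thresholds are all assumptions, not values from the thesis.

```python
from collections import defaultdict
from ipaddress import ip_address
from itertools import combinations

# Constructed passive-DNS observations (domain, ttl_seconds, resolved_ip).
RECORDS = [
    ("kx7q2m.example", 60, "198.51.100.10"),
    ("kx7q2m.example", 60, "198.51.100.11"),
    ("kx7q2m.example", 60, "203.0.113.40"),
    ("p9zr4v.example", 60, "198.51.100.10"),
    ("p9zr4v.example", 60, "203.0.113.40"),
    ("p9zr4v.example", 60, "192.0.2.7"),
    ("shop.example", 3600, "192.0.2.50"),
    ("shop.example", 3600, "192.0.2.51"),
]

def domain_features(records):
    """Per-domain min TTL, distinct resolved IPs and distinct /16 prefixes (an
    assumed stand-in for address attribution; ASN data would be used in practice)."""
    ttls, ips = defaultdict(list), defaultdict(set)
    for name, ttl, ip in records:
        ttls[name].append(ttl)
        ips[name].add(ip)
    feats = {}
    for name, addrs in ips.items():
        feats[name] = {
            "min_ttl": min(ttls[name]),
            "n_ips": len(addrs),
            "n_prefixes": len({int(ip_address(a)) >> 16 for a in addrs}),
        }
    return feats, dict(ips)

def cluster_by_shared_ips(ips, threshold=0.4):
    """Union-find grouping of domains whose resolved-IP sets have Jaccard similarity
    >= threshold (assumed): shared addresses suggest the same generation algorithm."""
    parent = {n: n for n in ips}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(ips, 2):
        shared, total = len(ips[a] & ips[b]), len(ips[a] | ips[b])
        if total and shared / total >= threshold:
            parent[find(a)] = find(b)
    roots = {find(n) for n in ips}
    return sorted(({n for n in ips if find(n) == r} for r in roots), key=min)

def flux_candidate(f, max_ttl=300, min_ips=3, min_prefixes=2):
    # Assumed short-term rule: low TTL plus many addresses spread across prefixes.
    return f["min_ttl"] <= max_ttl and f["n_ips"] >= min_ips and f["n_prefixes"] >= min_prefixes
```

On the constructed records the two low-TTL names share infrastructure and fall into one group, while the long-TTL name stays separate and is not flagged; the offline long-term stage the thesis describes is not modelled here.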
Keywords/Search Tags:Network security situation awareness, DNS activity, IP address traffic behavior characteristic spectrum, Semantic mining, Service intention discovery