
Research On Active Defense Architecture And Key Technologies Based On DNS Log Analysis

Posted on: 2022-07-24
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z S Jia
Full Text: PDF
GTID: 1488306560985589
Subject: Information security

Abstract/Summary:
With the rapid development of the Internet, network security problems are becoming more and more prominent, ranging from identity theft and leakage of private information to threats against social and national security. Improving network security detection and defense has therefore become a major technical problem for the academic community, and governments and enterprises have invested enormous human and financial resources in it. Perceiving security risks in the network through an automated system, actively analyzing and managing the network information system, accurately locating the points of security failure, and accurately evaluating the security risk level of each system have become hot research issues. Some progress has been made, but the key technologies and their accuracy can still be improved.

At present, devices for intrusion prevention, vulnerability scanning, user behavior management and data security auditing are installed in the intranet for security analysis and defense. However, because of the massive data volume and the false positive rate, in real environments these defense devices are often deployed in bypass mode as alarms rather than as a proactive defense mechanism. Increased network traffic makes the commonly used full-flow network security detection methods hard to apply. With the adoption of large-scale distributed Content Distribution Networks (CDN) and encryption protocols, it is difficult to effectively identify network security behavior, which increases the risk of data leakage and of violating enterprise and user privacy. Cyber-attack detection methods based on log data usually use the logs of a single device or system; they lack granularity and have a high detection lag, so they cannot comprehensively and accurately reflect the state of network management. There is usually no feedback mechanism between the detection results and the existing network security defense equipment. As data keeps accumulating, the amount of data that needs association analysis keeps increasing, which significantly impedes analysis efficiency.

To deal with these problems, this paper proposes a network behavior fingerprint database model and a cluster analysis based on the Knowledge Graph, applied to the big data of the Domain Name Service (DNS) log dataset. We present a method for active awareness of network security risks and hidden dangers of network attacks by studying detection algorithms for attack behavior in network security. The network billing log is used as an auxiliary high-accuracy analysis and verification method to further improve detection accuracy. At the same time, we propose using an intelligent DNS with a defense function to establish a security protection system with prior intervention, to prevent attacks against network security and to enhance the management and defense capability of network security even when users and the system are unaware of the threat.

The main contents of this paper are as follows:

1. Built an active security defense architecture based on DNS. Based on an analysis of log data, mapping datasets, the system architecture, category division, the resolution process and the security of DNS, as well as the security extension function of the domain name server's own trust key, this paper analyzes the collection method and format of network logs. Statistical clustering analysis is carried out on the collected domain name set, and the security of CDN acceleration and dynamic IP addresses in the process of domain name resolution is analyzed on the basis of the overall problems. This paper proposes the architecture of an active defense system based on the functions of an intelligent DNS.

2. Built the DNS fingerprint using the Knowledge Graph research method. This paper proposes definitions of the various domain name fingerprint data used in the research on active security detection and situation awareness. It also proposes a way to generate dynamic blacklist and whitelist datasets that the intelligent DNS can use for security defense, and analysis methods for the establishment, generation, storage, comparison and visualization of user query domain name behavior fingerprint datasets based on the Knowledge Graph. The DNS fingerprint and the DNS resolution fingerprint database are generated using the directed and undirected graph methods of Graph Neural Networks (GNN) in a Knowledge Graph. The fingerprint detection algorithm is verified through experiments. To solve the problem that the DNS log is not fine-grained enough, the network billing log is used as an auxiliary high-accuracy analysis and verification method to improve detection accuracy.

3. Proposed analysis and detection methods for active fingerprint detection and perception of websites, user behavior, and the behavior of operating systems and common application software. The domain name fingerprint of a website is formed by restoring all of the website's active domain name links from each user query. Firstly, this paper proposes a method based on the C4.5 decision tree algorithm to analyze and detect the fingerprint characteristics of website domain name behavior. Secondly, we propose a rough clustering algorithm, FCM, to detect user behavior from the fingerprint of the user's domain name query network, analyzing three models of user behavior: fixed, variable and abnormal. Finally, we propose the domain name request behavior fingerprint of all major operating systems and application software, and present the detection method for this kind of fingerprint through experiment and analysis.

4. Proposed analysis and detection methods for the fingerprint of cyber attack behavior. By analyzing the characteristics of typical attack behavior, this paper proposes an algorithm based on the behavior transition probability of a First-order Homogeneous Markov chain (FHM) to analyze cyber attack behavior. We conduct experiments on the detection of various common attack behaviors, using the Latent Dirichlet Allocation (LDA) probabilistic graphical model for the evaluation calculation, taking mining virus attacks and hidden web page hyperlink attacks as examples for testing and verification.

5. Implemented a network security active defense system based on DNS. Using the coordination between the DNS log security analysis system and the intelligent DNS, this paper proposes a defense method in which the intelligent DNS directs traffic that may cause security problems through a network proxy server to a honeypot system for analysis and blocking. Through joint analysis with the Dynamic Host Configuration Protocol (DHCP) server log, the domain name analysis system is able to adapt to dynamic addresses and thus meets the requirements of security analysis and defense in dynamic IP address network environments such as the Internet of Things and IPv6. The mutual feedback mechanism established among the systems further improves the detection and prevention effect.

In summary, through the analysis of DNS logs and the research on domain name access behavior fingerprints and their detection methods, we build an information security detection and active defense system with closed-loop and unified threat control. This system has been applied in real-world network environments.
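As an added illustration of item 4, not code from the dissertation: a first-order homogeneous Markov model is trained on a client's baseline DNS query sequence and then used to score how far a later query sequence departs from that baseline. The resolver log lines, client address and domain names are constructed, and collapsing each queried name to its registered site as the Markov state is an assumption made here.

```python
import math
from collections import defaultdict

# Constructed sample of a recursive resolver's query log (time, client, qname); not from the thesis.
BASELINE_LOG = """\
2022-07-01T08:00:01 10.0.0.5 www.example-mail.com
2022-07-01T08:00:02 10.0.0.5 cdn.example-mail.com
2022-07-01T08:00:05 10.0.0.5 www.example-news.com
2022-07-01T08:00:06 10.0.0.5 static.example-news.com
2022-07-01T08:10:01 10.0.0.5 www.example-mail.com
2022-07-01T08:10:02 10.0.0.5 cdn.example-mail.com
2022-07-01T08:10:07 10.0.0.5 www.example-news.com
2022-07-01T08:10:08 10.0.0.5 static.example-news.com
"""

def parse_log(text):
    """Group queried names per client, preserving log order."""
    seqs = defaultdict(list)
    for line in text.splitlines():
        _ts, client, qname = line.split()
        seqs[client].append(qname.lower().rstrip("."))
    return seqs

def site_of(qname):  # coarse Markov state: the registered site (last two labels), an assumption
    return ".".join(qname.split(".")[-2:])

def train_fhm(sequences, alpha=1.0):
    """Count site-to-site transitions; alpha is the additive smoothing weight."""
    counts = defaultdict(lambda: defaultdict(float))
    states = set()
    for seq in sequences:
        s = [site_of(q) for q in seq]
        states.update(s)
        for a, b in zip(s, s[1:]):
            counts[a][b] += 1
    return {"counts": counts, "states": states, "alpha": alpha}

def transition_prob(model, a, b):
    """Smoothed P(b | a); one extra bucket stands in for any site never seen in training."""
    row = model["counts"].get(a, {})
    n = len(model["states"]) + 1
    return (row.get(b, 0.0) + model["alpha"]) / (sum(row.values()) + model["alpha"] * n)

def score_sequence(model, seq):
    """Mean log-probability per transition; lower means less like the baseline behaviour."""
    s = [site_of(q) for q in seq]
    lp = [math.log(transition_prob(model, a, b)) for a, b in zip(s, s[1:])]
    return sum(lp) / max(len(lp), 1)  # 0.0 for a sequence too short to score
```

A sequence that jumps to sites never seen in the client's baseline, as a sudden burst of queries to unfamiliar names would, receives a markedly lower score than the client's routine mail-then-news pattern, so a threshold on the score flags it for the fingerprint and billing-log checks described above.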
Keywords/Search Tags: DNS, Log Analysis, Big Data, Machine Learning, Knowledge Graph, User Behavior Fingerprint, Security Defense System