The Observation Of Dependence Of Domain Names

Posted on: 2018-10-04
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
GTID: 2348330512997274
Subject: Software engineering
Abstract/Summary:
DNS is the most critical infrastructure on the Internet; its primary role is to map easy-to-remember host names to boring IP addresses. The vast majority of network access requests, from e-mail, Web services, microblogging and other network applications, depend on domain name resolution. This thesis studies the dependence of domain names in a specific network environment, mainly by monitoring domain name activity in the Jiangsu Province Education Network.

First, a domain name database was established to store the domain name activity of the managed network, JSERNET. Its main role is to provide the data source for monitoring the dependence of domain names; it also satisfies the domain name information queries needed by IPCIS and provides the data basis for malicious service detection, especially botnet detection. Domain names were divided into two categories according to their literal characteristics, non-DGA domain names and DGA domain names, and the information for each category was stored in the corresponding data tables. The information stored in the database included the ownership information of domain names, the mapping between domain names and resolved IPs, and the association between each domain name and its DNS authority server.

Second, botnet detection was carried out based on the established domain name database. Its main purposes were to classify the service type of domain names, to prevent and suppress the harm of malicious services, especially botnets, and to provide data support for detecting the dependence of domain names. The domain-name-based botnet detection method in this thesis is built on a C&C detection model. The C&C domain names of a botnet can be detected by using the literal features of the domain names, their Whois information and the association relationships of resolved IPs to analyze the C&C server. On this basis, the data packets of the peer IPs that communicated with the C&C server were collected, and the characteristics of the acquired messages were analyzed. Botnet detection was then carried out using the communication characteristics of botnets.

Finally, the availability and effectiveness of the domain name database were verified through the dependence of domain names, which can contribute to detecting and suppressing malicious services. In this thesis, dependence of domain names mainly describes the use of domain names within the managed network as well as their own activities. Two aspects were selected to describe it: the size of the domain names and the stability of domain name activities. The stability of domain name activities covers the activity of the domain names themselves and the association between domain names and specific IPs. According to this definition, reasonable monitoring measures were designed to analyze and study the domain names stored in the database, covering the size of the domain names, the activities of domain names and Flux behavior.
Keywords/Search Tags: DNS, domain names database, malicious services, botnet, dependence of domain names