
Research On Malicious Domain Detection And Protection Based On SDN And Machine Learning

Posted on: 2018-12-01
Degree: Master
Type: Thesis
Country: China
Candidate: X B Li
GTID: 2348330533461375
Subject: Computer Science and Technology
Abstract/Summary:
With the continuous development of Internet applications and the explosive growth in the number of Internet users, the threat that malicious domain names pose to Internet users is increasing rapidly. Many weaknesses of the domain name resolution service (DNS) are exploited by malicious network activity such as botnets and phishing sites. Traditional networks generally protect against malicious domain names by installing antivirus software and firewalls on the user's host or at the network's egress, but not every user is willing or able to install them. Current detection of malicious domain names is mainly based on blacklist matching, which requires the blacklist to be updated and maintained in a timely manner, so protection is often carried out only after harm has occurred. Moreover, techniques such as Fast-flux and DGA (domain name generation algorithm) have made malicious domain names harder to detect and protect against. To address the problems of current malicious domain name detection and protection methods, such as high cost, low flexibility and low accuracy, this paper studies the characteristics of the SDN network framework and its related technologies in detail, together with a detailed study of the SVM classification algorithm in machine learning. It then proposes a method for detecting and protecting against malicious domain names based on the new SDN network architecture and machine learning. The method uses SDN's separation of the data forwarding layer from the control layer: it can identify and intercept a malicious domain name in real time during its resolution, and it can be flexibly controlled from the application layer for redirection and proxy access, as well as for real-time monitoring of data streams. In the detection stage, black and white lists and the machine learning classification algorithm are used to detect domain names, which can effectively improve detection accuracy.

In this paper, a malicious domain name detection and protection system was designed and implemented according to the proposed method, and experiments were carried out in a Mininet virtual simulation network topology to verify the method. The system is divided into three layers: the forwarding layer, the control layer and the application layer. The control layer uses Floodlight as the controller. The controller has a global network view and can centrally manage and configure the resources of the entire network. In the controller, the Floodlight system module API and the SVM classification algorithm are used to implement the malicious domain name detection and protection system. The system is divided into four major functional modules, namely DNS packet analysis, domain name detection classification, data flow redirection, proxy access and data flow monitoring, and it exposes some related REST APIs to the application layer. The application layer uses Node.js and Python, respectively, to call the controller's REST API and implement the visual management interface for malicious domain name detection and protection and the DNS redirect server. Experiments show that the system can accurately identify and intercept malicious domain names and, according to the configured requirements, can perform domain name resolution redirection, data flow redirection, proxy access and real-time monitoring of data flows, with advantages including low cost, high flexibility, transparency and real-time detection. The method has high research value and practical value.
Keywords/Search Tags:SDN, SVM, malicious domain, detection and protection