
Research And Implementation Of Bot Detection Based On Data Mining Technique

Posted on: 2019-05-07
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Cui
Full Text: PDF
GTID: 2428330551450039
Subject: Computer Science and Technology

Abstract/Summary:
Botnets are one of the major threats to cyber security, and their sustainability is greatly amplified by the Domain-flux technique, so studying how to detect them has become extremely important. Existing Domain-flux detection methods can be classified as online or offline, and as bot-based or DNS-record-based. After analyzing the advantages and disadvantages of each method, this paper focuses on designing an offline method that aims to detect botnet domain names within 24 hours. The proposed method is a hybrid model that combines GBDT and K-means to detect Domain-flux activity in DNS records. The core idea is to initialize K-means with a trained GBDT model and to modify the K-means algorithm so that K can vary appropriately. This makes the method effective at detecting botnets that are not included in the training set, and less computationally expensive. I then implemented a program that extracts the relevant attributes from DNS records in binary .pcap files and computes the selected features, so that the formatted information can be fed into the proposed method, which then outputs the detection results. The proposed method was compared experimentally with other widely used supervised and unsupervised algorithms. Its superiority was demonstrated in experiments in which different scenarios were simulated using different partitions of the experimental data.
Keywords/Search Tags: cyber security, data mining, botnet, domain-flux, DNS