
A DNS Query Anomaly Detection Research Based On Log Information

Posted on: 2020-04-06
Degree: Master
Type: Thesis
Country: China
Candidate: X Ji
Full Text: PDF
GTID: 2428330575456438
Subject: Information and Communication Engineering

Abstract/Summary:
With the rapid development of mobile network technology, the Internet environment and its user population are becoming more complex, and network security problems are becoming more serious. The domain name system (DNS), one of the core infrastructures of the Internet, underlies most network applications and services: it provides fast mapping between domain names and IP addresses and is essentially a large-scale distributed database. However, the existing DNS protocol lacks confidentiality and authentication mechanisms, and the DNS security extensions (DNSSEC) promoted in recent years suffer from inefficiency and deployment difficulty, which leaves DNS exposed to significant risk. The query log on a DNS server, on the other hand, records the query characteristics of source IP addresses and domain names and can be used to identify abnormal DNS query behaviour. Because the log volume is huge and collection is difficult, most DNS security research based on query logs lacks both data volume and depth.

Against this background, the research in this paper builds on an expanded DNS query log to achieve efficient and accurate identification of abnormal DNS queries. Considering the difficulty of collecting and storing DNS logs, an efficient log collection and reliable data storage scheme is designed. Because the source IP that issues a query is a fast-changing behavioural entity, a real-time unsupervised source IP anomaly detection method is designed and verified; it adapts to unknown and variable DNS query attack behaviour, and its results are presented through low-dimensional visualization and credibility indicators. Because the queried domain name, the resource entity of a query, shows comparatively stable characteristics, a non-real-time supervised domain name anomaly detection method is designed and verified. Building on multiple cluster analyses of domain name statistical features, it combines undersampling and oversampling to address class imbalance, and finally trains an accurate and reliable random forest to identify categories of abnormal domain names automatically. Sufficient experimental comparison and analysis shows that the anomaly detection methods based on DNS query logs proposed in this paper effectively identify abnormal source IPs and domain names. Finally, the main work of the paper is summarized, the advantages and disadvantages of the anomaly detection methods are discussed objectively, and further work is outlined.
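The front half of the pipeline the abstract sketches, as an added example that is not code from the thesis: per-source-IP and per-domain statistical features are extracted from DNS query-log lines and each entity is ranked without labels. Assumptions: BIND9-style query-log lines (the abstract does not give the collector's format), the registrable domain approximated by the last two labels (no public-suffix lookup), and a summed z-score as a stand-in for the thesis's unspecified unsupervised method. The log lines are constructed; the supervised stage (clustering, resampling, random forest) is not reproduced.

```python
"""DNS query-log feature extraction and unsupervised outlier ranking.
Added example, not thesis code. Assumes BIND9-style log lines; sample
traffic is constructed: four ordinary clients plus one client sending
TXT queries for random-looking labels under a single domain."""
import math
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format: "client IP#PORT (QNAME): query: QNAME IN QTYPE ..."
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]+\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)")

BENIGN = [  # constructed
    ("192.0.2.10", "www.example.com", "A"), ("192.0.2.10", "mail.example.com", "MX"),
    ("192.0.2.11", "www.example.org", "A"), ("192.0.2.11", "cdn.example.net", "AAAA"),
    ("192.0.2.12", "www.example.com", "A"), ("192.0.2.12", "api.example.org", "A"),
    ("192.0.2.13", "www.example.net", "A"), ("192.0.2.13", "www.example.com", "A"),
]
TUNNEL_LABELS = ["a9f3k2q1", "zx81mq0e", "p0lw7r4c", "jd3ue8sb",
                 "5tq1ynh7", "b8vk2e0z", "m3rc9x6q", "w4nd1g5a"]  # constructed

def build_sample_log():
    """Render the constructed queries as BIND9-style log lines."""
    rows = BENIGN + [("192.0.2.99", f"{lbl}.tunnel.example", "TXT")
                     for lbl in TUNNEL_LABELS]
    return "\n".join(
        f"client {ip}#5000 ({name}): query: {name} IN {qtype} + (10.0.0.1)"
        for ip, name, qtype in rows)

def parse_query_log(text):
    """Yield (source_ip, qname, qtype) per matching line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")

def label_entropy(label):
    """Shannon entropy (bits) of one DNS label; encoded payloads score high."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname

def _common(names, qtypes):
    """Features shared by both views: counts, name length, entropy, TXT/NULL share."""
    distinct = sorted(set(names))
    return {
        "queries": float(len(names)),
        "unique_names": float(len(distinct)),
        "mean_len": sum(len(n) for n in names) / len(names),
        "mean_entropy": sum(label_entropy(n.split(".")[0]) for n in distinct) / len(distinct),
        "txt_ratio": sum(1 for t in qtypes if t in ("TXT", "NULL")) / len(qtypes),
    }

def source_ip_features(records):
    """Per-source-IP statistics (the fast-changing behavioural entity)."""
    per_ip = defaultdict(list)
    for ip, qname, qtype in records:
        per_ip[ip].append((qname, qtype))
    feats = {}
    for ip, rows in per_ip.items():
        names = [q for q, _ in rows]
        f = _common(names, [t for _, t in rows])
        f["unique_domains"] = float(len({registered_domain(n) for n in names}))
        feats[ip] = f
    return feats

def domain_features(records):
    """Per-registrable-domain statistics (the comparatively stable entity)."""
    per_dom = defaultdict(list)
    for ip, qname, qtype in records:
        per_dom[registered_domain(qname)].append((ip, qname, qtype))
    feats = {}
    for dom, rows in per_dom.items():
        f = _common([q for _, q, _ in rows], [t for _, _, t in rows])
        f["unique_sources"] = float(len({ip for ip, _, _ in rows}))
        feats[dom] = f
    return feats

def rank_anomalies(feats):
    """Sum of |z| across features per entity, highest first (stand-in scorer).
    Features that are constant across entities contribute nothing."""
    if not feats:
        return []
    scores = dict.fromkeys(feats, 0.0)
    for k in next(iter(feats.values())):
        column = [feats[e][k] for e in feats]
        mean, sd = statistics.fmean(column), statistics.pstdev(column)
        if sd == 0:
            continue
        for e in feats:
            scores[e] += abs(feats[e][k] - mean) / sd
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    recs = list(parse_query_log(build_sample_log()))
    print("sources:", rank_anomalies(source_ip_features(recs))[:2])
    print("domains:", rank_anomalies(domain_features(recs))[:2])
```

The source IP view updates with every log line and can be scored on a sliding window; the domain view is what the thesis feeds to clustering, resampling and a random forest once labels exist. A summed z-score over a handful of entities is only an illustration of unsupervised ranking; in operation the baseline statistics should come from a long window of known-normal traffic, not from the same batch being scored.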
Keywords/Search Tags:DNS query log, dimensionality reduction, clustering, random forest, anomaly detection