
Research On Machine Learning Based Abnormal DNS Traffic Detection

Posted on: 2020-10-15
Degree: Master
Type: Thesis
Country: China
Candidate: H Wang
GTID: 2428330590995900
Subject: Computer technology
Abstract/Summary:
Domain Name Service (DNS) is an important service on the Internet. Firewalls usually do not block DNS traffic on the network. However, attackers use this feature to hide malicious behavior inside the DNS protocol, such as using a DNS tunnel for file circumvention and using a Domain Generation Algorithm (DGA) for botnet control. Since many kinds of network attacks now rely on the DNS protocol for data exchange and command and control with the attacker, finding abnormal DNS traffic can effectively combat cybercrime.

In order to find abnormal DNS traffic in massive network data, this thesis proposes a machine learning-based detection system, focusing on the detection of DGA domain names. First, the thesis analyzes the causes of abnormal DNS traffic. Based on the characteristics of abnormal DNS traffic, it studies two kinds of features: domain name composition and the correspondence between domain names and IP addresses. It extracts multiple features, such as the proportion of vowels, the proportion of de-duplication, the number of domain name accesses, the degree of dispersion of the returned IP addresses, and the size of the set of target IP addresses that a domain name resolves to.

A black and white list filtering module then filters out a large amount of known normal DNS traffic and some known malicious DNS traffic. To improve the efficiency of black and white list filtering, a Bloom filter is used for the query operations. This module reduces the overhead of machine learning and alleviates the problem of unbalanced classification. After data preprocessing, Bayesian classification, decision tree and other algorithms are used for machine learning training. Finally, real DNS traffic is used for verification in experiments, and different machine learning methods are compared. The experimental results show that the proposed detection method can effectively detect abnormal DNS traffic.
Keywords/Search Tags:domain name service, abnormal traffic detection, domain generation algorithm, machine learning
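
The list-filtering and feature-extraction steps described in the abstract can be sketched as follows. This is an added example, not code from the thesis. It assumes that "proportion of de-duplication" means distinct characters divided by label length, that features are taken from the second-level label, and that the class and function names and the sample domains are constructed for illustration.

```python
import hashlib
import math

class BloomFilter:
    """Bit-array set: no false negatives, a small tunable false-positive rate."""
    def __init__(self, capacity, error_rate=0.001):
        self.m = max(8, int(-capacity * math.log(error_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _indexes(self, item):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = hashlib.sha256(item.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for i in self._indexes(item):
            self.bits[i // 8] |= 1 << (i % 8)

    def __contains__(self, item):
        return all(self.bits[i // 8] >> (i % 8) & 1 for i in self._indexes(item))

def normalize(domain):
    return domain.strip().lower().rstrip(".")

def lexical_features(domain):
    """Vowel proportion and distinct-character proportion of the second-level label."""
    labels = normalize(domain).split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return {"vowel_ratio": 0.0, "unique_ratio": 0.0}
    return {"vowel_ratio": sum(c in "aeiou" for c in label) / len(label),
            "unique_ratio": len(set(label)) / len(label)}

def triage(domain, whitelist, blacklist):
    """List lookup first; only unknown names go on to the classifier with features."""
    name = normalize(domain)
    if name in blacklist:  # checked first so a hit on both lists is not waved through
        return "blacklisted", None
    if name in whitelist:
        return "whitelisted", None
    return "classify", lexical_features(name)

# Constructed sample lists, not data from the thesis.
WHITELIST, BLACKLIST = BloomFilter(1000), BloomFilter(1000)
for d in ("google.com", "wikipedia.org"):
    WHITELIST.add(d)
BLACKLIST.add("xjkqzvbnwtpl.net")
```

A Bloom filter never misses a listed name but can report an unlisted one as present, so a whitelist false positive lets a name skip classification. The error rate should be sized with that in mind.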