
IDN Detection And Service Discovery Based On Domain Traffic Activity

Posted on: 2021-01-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Zhang
GTID: 2518306476953269
Subject: Cyberspace security

Abstract/Summary:
With the continuous development of network technology, large-scale network security issues have become increasingly prominent. Malicious network behaviors have disrupted the normal network order, harmed the interests of Internet users, and even threatened national security. In the face of new network security problems, traditional network security technologies are slow and inefficient. Big data security analysis is increasingly applied in network management and network security situational awareness. In the domain name security field, DNS traffic monitoring technology combined with big data storage is widely used. This technology collects, monitors and analyzes real-time DNS traffic in order to find the domain name objects that need to be monitored in the network, obtain useful threat intelligence, and support the construction of a security situational awareness system. This paper monitors the DNS traffic between the Jiangsu provincial network and the CERNET backbone network, identifies IDNs and multi-layer multi-domain names, and carries out service discovery and influence analysis on IDNs to reveal the status of IDNs in the managed network.

First, to acquire, process, test and store DNS traffic efficiently in real time, and to meet the needs of IDN monitoring and service discovery, the paper improves the monitoring subsystem of the current domain name security system to address its defects and problems. The improvements include adding an IDN detection algorithm, designing an IDN information storage table, introducing multi-threading to speed up the processing of the source data files, and splitting the domain information tables to improve the usability of the database.

Secondly, the paper analyzes the multi-layer and multi-domain name structure found in the process of domain monitoring. A multi-layer multi-domain name detection algorithm based on DNS traffic is designed and implemented to eliminate interference factors in domain name monitoring and to select the site domain names that have service significance, thus improving the accuracy and efficiency of domain name monitoring.

Then, service classification and further service discovery are carried out for the identified IDNs. The port-based service classification algorithm roughly divides, according to the protocol, the service categories that the server behind a domain name may provide, while the service discovery algorithm based on IP traffic identifies in more detail the business carried by a WEB service site. A variety of supervised learning classification algorithms are compared and analyzed, and random forest is finally selected to build the classification model of the service discovery algorithm. The classification measures are selected by analyzing the differences in traffic between clients and websites that provide different services. The model judges and discovers the service role played by the site behind an IDN main domain name.

Finally, to better understand the basic situation and changes of IDNs in the managed network, the penetration degree and survival status of IDNs are revealed. The paper analyzes the influence of IDNs from both macro and micro perspectives. At the macro level, the overall influence of IDN includes the distribution, geographical distribution, service distribution and service scale of all IDN languages in the managed network. At the micro level, an IDN influence level evaluation model is constructed based on the "4C" evaluation method to analyze and judge the influence level of a single IDN. To better show the influence of IDNs, the paper also designs and implements the visualization, in the IDN observation system, of the distribution and communication of all IDNs discovered at the boundary of the CERNET backbone network in Jiangsu province, across the dimensions of time, space and quantity.
Keywords/Search Tags: IDN, Network measurement, Traffic monitoring, Service discovery, Impact analysis