| DNS(Domain Name System)resolution service is the first step for users to access the Internet,and historically,cybersecurity events such as domain names being stopped in the process of DNS resolution service,intermittent access to service and tampered records have caused great impact and loss to national security,enterprise development and Internet user access.Therefore,how to find,analyze and locate the domain name resolution anomalies such as service outage,service disconnection and tampering is one of the key concerns of national network security.At present,most of the studies related to domain name resolution anomalies at home and abroad mainly focus on the overall resolution anomalies,and the evaluation of resolution anomalies of specific domain names in specific DNS nameservers is not deep enough.To address the resolution anomaly evaluation problem,this paper proposes the outage anomaly evaluation model,the disconnection anomaly evaluation model and the tampering anomaly evaluation method,respectively,to conduct in-depth research on the resolution anomaly evaluation of specific domain names on specific DNS nameservers.The correctness and effectiveness of the above anomaly evaluation models and methods are verified in both real and simulated test network environments.First of all,for the problem of judging outage exceptions,this paper proposes a Decision Tree-based judgment model to quickly and accurately determine the occurrence of outage exceptions.The training data of the model is obtained by building a simulated domain name system and simulating the occurrence of outage anomalies,and the input features of the model are extracted based on the situation that the domain name has no resolution result in the resolution data of the whole hierarchy.For the problem of analyzing the details of the outage anomaly,this paper proposes different levels of outage anomaly analysis algorithms.The construction of the outage abnormality evaluation model is based on the judgment model and the analysis algorithm.Secondly,for the problem of quantifying the degree of disconnection abnormality,this paper proposes the assessment model of the degree of disconnection abnormality based on the Analytic Hierarchy Process.The factors and index factors in the Analytic Hierarchy Process are designed based on the analysis of no-analysis results and the actual analysis situation,and the weights of the factors and index factors are determined by combining the rules of the Analytic Hierarchy Process and the analysis of no-analysis results.The construction of the assessment model of disconnection service anomaly is based on the assessment model of the degree of disconnection service anomaly.Again,for the assessment problem of tampering anomaly,this paper proposes a tampering anomaly assessment method based on domain name trusted resource record maintenance.A combination of statistical and discriminative models is used for dynamic maintenance of different types of resource records.In the training process of the discriminative model of whether a reference new A record is trusted or not,training data are collected based on the set of A records in the trusted resource records,and input features are extracted based on the association relationship between the new A records and the set of related A records in the trusted resource records.Finally,synthesizing the above research results,this paper designs and implements a full hierarchical domain name resolution anomaly monitoring system.The system is able to monitor the full hierarchy resolution data of key domain names,discover the outage,disconnection and tampering anomalies,and dynamically maintain the trusted resource records. |
PDF Full Text Request