The Domain Name System (DNS) is one of the core infrastructures of the Internet, and many Internet applications rely on DNS services to run effectively. However, security was not considered when the DNS protocol was first designed, which has led to an endless stream of DNS-related attacks that pose a serious threat to the security of the Internet. At present, DNS attack detection methods can be divided into methods based on DNS traffic and methods based on DNS domain names. The former uses feature extraction and machine learning for attack detection, but cannot learn a comprehensive and reasonable data representation, and traditional feature extraction methods struggle to represent persistent and concealed DNS attacks. The latter uses deep learning to detect attacks in the domain name dimension and can only detect some DNS attacks. To solve these problems, this paper studies deep-learning-based DNS attack detection from several dimensions. The main contributions are as follows.

(1) To address the problem that persistent and concealed DNS attacks are difficult to represent, this paper proposes a long-term DNS data processing method. We design attack behavior representation methods along three dimensions: DNS domain name, DNS request, and DNS resolution. In the DNS domain name dimension, three methods are used for feature representation: numerical feature extraction, one-hot encoding, and word embedding. In the DNS request and DNS resolution dimensions, numerical statistics and data tiling are used to aggregate data from the short-time domain to the full-time domain, yielding representation data with a total of 919 dimensions. This method provides a multidimensional representation of DNS attack behavior and supports deep learning algorithms well.

(2) To address the problem that machine learning cannot learn a comprehensive data representation, this paper proposes a long-term DNS attack detection method based on deep learning. Using the three-dimensional DNS representation data obtained by the long-time-domain DNS data processing method, this paper constructs 12 DNS attack detection models based on deep learning and designs several groups of comparative experiments. A comparison of each model's detection results across time-domain dimensions shows that the full-time-domain detection model has the highest accuracy. In addition, compared with three machine learning algorithms (SVM, decision tree, and random forest), the deep learning model proposed in this paper has better detection capability in both the DNS domain name and DNS request dimensions.

(3) To address the bias of single-dimension detection, this paper proposes a DNS attack detection method based on a multi-dimensional fusion model. This method fuses the attack detection models for DNS domain name, DNS request, and DNS resolution, and constructs WD-DNS, a multi-dimensional fusion detection model based on deep learning. Finally, a number of comparative experiments were designed to evaluate the performance of the WD-DNS model. The experimental results show that the WD-DNS model greatly improves detection capability compared with the independent per-dimension detection models before fusion. In addition, the proposed WD-DNS model has better detection capability than the machine learning fusion algorithm XGBoost, and its detection accuracy reached 95.46%.
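
The short-time to full-time aggregation described in contribution (1) can be pictured with the following added example, which is not code from the paper. The window length, the number of windows, the four per-window statistics, the function names, and the sample log are all assumptions chosen for illustration; the paper's actual 919-dimension layout is not given in this abstract.

```python
from collections import defaultdict

WINDOW = 3600    # assumed short-time window length in seconds
N_WINDOWS = 4    # assumed number of windows making up the full-time domain

# Constructed sample request log: (epoch_seconds, client, qname, qtype)
LOG = [
    (10,    "10.0.0.5", "www.example.com",    "A"),
    (50,    "10.0.0.5", "mail.example.com",   "A"),
    (3700,  "10.0.0.5", "www.example.com",    "A"),
    (20000, "10.0.0.5", "late.example.com",   "A"),    # outside the period
    (20,    "10.0.0.9", "aaaa.t.example.net", "TXT"),
    (7300,  "10.0.0.9", "bbbb.t.example.net", "TXT"),
    (7400,  "10.0.0.9", "cccc.t.example.net", "A"),
    (11000, "10.0.0.9", "dddd.t.example.net", "TXT"),
]

def window_stats(rows):
    """Numerical statistics for one short-time window (assumed feature set):
    query count, unique names, mean name length, share of TXT queries."""
    if not rows:
        return [0, 0, 0.0, 0.0]    # an idle window still occupies its slot
    names = [qname for qname, _ in rows]
    txt = sum(1 for _, qtype in rows if qtype == "TXT")
    return [len(rows), len(set(names)),
            sum(map(len, names)) / len(names), txt / len(rows)]

def tile_requests(log, start=0, window=WINDOW, n_windows=N_WINDOWS):
    """Return {client: vector}. Each vector is the per-window statistics
    laid end to end in time order, so its length is fixed per client."""
    buckets = defaultdict(lambda: [[] for _ in range(n_windows)])
    for ts, client, qname, qtype in log:
        idx = (ts - start) // window
        if 0 <= idx < n_windows:    # ignore records outside the period
            buckets[client][idx].append((qname.lower().rstrip("."), qtype))
    vectors = {}
    for client, windows in buckets.items():
        vec = []
        for rows in windows:
            vec.extend(window_stats(rows))
        vectors[client] = vec
    return vectors

if __name__ == "__main__":
    for client, vec in tile_requests(LOG).items():
        print(client, vec)
```

Because idle windows keep their zero-filled slot, a client that queries at a low rate over many windows still yields a distinguishable pattern in the tiled vector, which is the property a persistent, low-and-slow attack would otherwise hide from a single short window.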