摘要
鉴于失败的DNS查询(failed DNS query)能提供恶意网络活动的证据,以DNS查询失败的数据为切入口,提出一种轻量级的基于Counting Bloom Filter的DNS异常检测方法。该方法使用带语义特征的可逆哈希函数对被查询的域名及发起查询的IP进行快速的聚类和还原。实验结果证明该方法能以较少的空间占用和较快的计算速度有效识别出DNS流量中的异常,适用于僵尸网络、分布式拒绝服务(DDoS)攻击等异常检测的前期筛选和后期验证。
Considering that DNS query failure can serve as communication evidence for activities of malware, this paper provides a DNS anomaly detection method based on Counting Bloom Filter with failure data as its entry point. This method conducts clustering towards domain names queried and IP which initiates the query, using revertible hash function with semantic features. After the clustering, the few Top N hash strings will be worked backwards to get the dominating shorting strings, which will be spliced according to the results of homology judgment. Experimental results prove that this method can effectively identify the anomaly in DNS flow, thus can be applied to early screening and later validation of anomaly detections, such as botnet and DDoS attack.
出处
《计算机工程与应用》
CSCD
2014年第15期82-86,共5页
Computer Engineering and Applications
基金
国家重点基础研究发展规划(973)(No.2009CB320505)
江苏省科技支撑计划(No.BE2011173)
