基于DNS查询行为的Bot检测

Bot detection based on DNS query activities

下载PDF

导出

摘要提出一种基于DNS查询行为的检测方法。根据Bot的自动运行特性,从DNS查询的角度对主机中的进程进行初步过滤,缩小检测范围;分析Bot与其他进程的DNS反应行为模式的异同,构建Bot-DNS检测模型,在此基础上判断可疑进程是否为Bot。实验结果表明,该方法能够检测出处于生命周期早期阶段的Bot,且检测过程与Bot采用的协议结构无关,具有较好的检测效果。 This paper proposes a new method of identifying Bot based on DNS query activities. Firstly, as Bots usually run automatically, detection rage is narrowed down from the point of view of DNS query. Secondly, a Bot-DNS detection model is created on differences of DNS reaction behavior between Bots and normal processes, to judge whether the suspi- cious process is Bot. The experimental results show that the method can detect Bots in the early stage. It is independent of protocol and structure, and has a better detection effect.

作者李晓利汤光明初晓

机构地区信息工程大学中国人民解放军

出处《计算机工程与应用》 CSCD 北大核心 2015年第1期106-109,共4页 Computer Engineering and Applications

关键词僵尸程序自动连接 DNS查询行为 DNS反应行为 Bots automatic connection DNS query activities DNS reaction activities

分类号 TP309.5 [自动化与计算机技术—计算机系统结构]

引文网络
相关文献

参考文献12

1王天佐,王怀民,刘波,史佩昌.僵尸网络中的关键问题[J].计算机学报,2012,35(6):1192-1208. 被引量：23
2方滨兴,崔翔,王威.僵尸网络综述[J].计算机研究与发展,2011,48(8):1315-1331. 被引量：63
3诸葛建伟,韩心慧,周勇林,叶志远,邹维.僵尸网络研究[J].软件学报,2008,19(3):702-715. 被引量：157
4Binsalleeh H,Ormerod T,Boukhtouta A,et al.On the analysis of the Zeus Botnet crimeware toolkit[C]//Proc of the 8th Annual International Conference on Privacy,Security and Trust,2010:31-38.
5Sinha P,Boukhtouta A,Belarde V H,et al.Insights from the analysis of the Mariposa Botnet[C]//Proc of the 5th International Conference on Risks and Security of Internet Systems,2010:1-9.
6Kolbitsch C,Comparetti P M,Kruegel C,et al.Effective and efficient malware detection at the end host[C]//Proc of 18th USENIX Security Symposium,2009:1-16.
7Stison E,Mitchell J C.Characterizing Bots remote control behavior[C]//Proc of the 4th Int Conf on Detection of Intrusions and Malware,and Vulnerability Assessment,2007:89-108.
8Liu Lei,Chen Songqing,Yan Guanhua,et al.Bot Tracer:execution-based Bot-like malware detection[C]//Proc of the 11th Information Security Conference,Taipei,China,2008:97-113.
9Wruzinger P,Bilge L,Holz T,et al.Automatically generating models for Botnet detection[C]//Proc of the 14th European Symposium on Research in Computer Security,2009:232-249.
10Al-Hammadi Y,Aichelin U.Behavioural correlation for detecting P2P Bots[C]//Proc of the 2nd International Conference on Future Networks(ICFN 2010),Sanya,Hainan,China,2010:323-327.

二级参考文献65

1文伟平,卿斯汉,蒋建春,王业君.网络蠕虫研究与进展[J].软件学报,2004,15(8):1208-1219. 被引量：187
2孙彦东,李东.僵尸网络综述[J].计算机应用,2006,26(7):1628-1630. 被引量：29
3Porras P, Saidi H, Yegneswaran V. A foray into Conficker's logic and rendezvous points [R/OL]. Berkeley, CA: USENIX, 2009. [2011-06-10]. http://www, usenix, org/ events/leet09/tech/full papers/porras/porras_html/.
4CNCERT.中国互联网网络安全报告[EB/OL].2011.[201-06-10].http://www.cert.org.cn/UserFiles/File/2010%20first%20half.pdf.2010.
5Symantec Inc. Symantec global Internet security threat report trends for 2009 volume XV [EB/OL]. 2010. E2011 06-101. http://eval, symantee, com/mktginfo/enterprise/white_ papers/b-whitepaper_internet security threat report xv 04 2010. en-us, pdf.
6Holz T, Gorecki C, Rieck C, et al. Detection and mitigation of fast-flux service networks [C] //Proc of the 15th Annual Network and Distributed System Security Symposium. Berkeley, CA: USENIX, 2008.
7Stone-Gross B, Cova M, Cavallaro L, et al. Your botnet is my botnet: Analysis of a botnet takeover[C] //Proc of the 16th ACM Conf on Computer and Communications Security. New York: ACM, 2009:635-647.
8Cui Xiang, Fang Towards advanced Usenix Workshop Threats. Berkeley, Binxing, Yin Lihua, et al. Andbot: mobile bomets [C] //Proc of the 4th on Large-scale Exploits and Emergent CA: USENIX, 2011:No 11.
9Wang P, Sparks S, Zou C C. An advanced hybrid peer-topeer botnet [C] //Proc of the 1st Conf on 1st Workshop on Hot Topics in Understanding Botnets. Berkeley, CA: USENIX, 2007: No 2.
10Holz T, Steiner M, Dahl F, et al. Measurements an mitigation of peer-to peer-based botnets:A case study o storm worm [C] //Proc of the 1st USENIX Workshop o Large-scale Exploits and Emergent Threats. Berkeley, CA USENIX, 2008: No 9.

共引文献243

1杜淑颖,杜鹏,丁世飞.基于CNN的假冒域名识别方法研究[J].中国科学技术大学学报,2020,50(7):1019-1025. 被引量：2
2胡树琪.租售“僵尸网络”控制权行为的刑法思索[J].新闻前哨,2018(3):63-64.
3王伟.基于相同度检测的僵尸网络防御模型研究[J].佳木斯教育学院学报,2012(5):468-469.
4宋元章,何俊婷,张波,王俊杰,王安邦.基于流角色检测P2P botnet[J].通信学报,2012,33(S1):262-269.
5李跃,翟立东,王宏霞,时金桥.一种基于社交网络的移动僵尸网络研究[J].计算机研究与发展,2012,49(S2):1-8. 被引量：10
6李世淙,云晓春,张永铮.一种基于分层聚类方法的木马通信行为检测模型[J].计算机研究与发展,2012,49(S2):9-16. 被引量：12
7王海龙,胡宁,龚正虎.Bot_CODA:僵尸网络协同检测体系结构[J].通信学报,2009,30(S1):15-22. 被引量：9
8张雪松,徐小琳,李青山.算法生成恶意域名的实时检测[J].现代电信科技,2013,43(7):3-8. 被引量：1
9司成祥,孙波,杨文瀚,张慧琳,薛晓楠.基于分布式的僵尸网络主动探测方法研究[J].通信学报,2013,34(S1):197-206.
10蒿敬波,殷建平.蠕虫Agent的智能扫描技术[J].广西师范大学学报（自然科学版）,2008,26(1):249-252.

1李贤昭,谷岩.基于用户偏好的实体化视图选择研究[J].现代计算机,2009,15(3):40-42.
2黄名选,张师超.一种有效的信息检索模型[J].计算机应用研究,2008,25(8):2345-2348. 被引量：1
3桂许军,赵臣,王薇,张永清.微型足球机器人行为产生方法与实现[J].电子技术应用,2006,32(4):5-8.
4张国平,赵臣,桂许军.一种新的足球机器人行为产生方法[J].机械与电子,2006,24(1):51-53.
5宋宝贵,田宝彩.基于Web资源二次查询的信息检索策略研究[J].计算机应用与软件,2013,30(4):183-185. 被引量：1
6白云.可疑进程网上查[J].计算机应用文摘,2005(3):105-105.
7读编往来[J].计算机与网络,2010,36(8):80-80.
8孙秀洪.终结进程，告别手工模式[J].网络运维与管理,2013(23):79-81.
9安全[J].开放系统世界,2005(5):119-120.
10廖三勇.系统进程，一眼看清[J].计算机应用文摘,2008(15):64-64.

计算机工程与应用

2015年第1期

浏览历史

内容加载中请稍等...

基于DNS查询行为的Bot检测

参考文献12

二级参考文献65

共引文献243

相关作者

相关机构

相关主题

浏览历史