Journal article

DGA Identification Method Based on DoH Traffic

Original title: 基于DoH流量的DGA识别方法

Cited by: 1
Abstract: Current research reveals that the domain generation algorithm (DGA) has become one of the key technologies for botnets to connect to C&C (command and control) servers. Since detection methods based on the randomness of DGA domain names have matured, DGA malware may adopt encrypted traffic transmission to bypass these detection mechanisms. In view of the inability of detection models based on domain-name randomness to recognize encrypted DGA traffic, we verify the possibility of encrypted transmission of DGA traffic over the DoH (DNS-over-HTTPS) protocol, and analyze the HTTP message content, HTTP traffic and corresponding TCP traffic generated during the command and control process. Because packets transmitted with the DoH protocol no longer expose the DNS message parsing process, the length and timing information of the DoH traffic packets are finally selected as identification features. Based on the analysis of DGA traffic characteristics in the DoH network, the KNN classification algorithm is used to identify DGA domain names, and a recognition method combining feature engineering and machine learning is designed to provide a detection method for DGA traffic in DoH networks. Experiments show that the accuracy of the DoH-traffic-based DGA recognition model on an artificial data set reaches 79%, showing ideal classification accuracy, which provides a safeguard for DoH network security.
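As an added example that is not part of the paper or of this record, the following Python sketch shows the kind of pipeline the abstract describes for DoH traffic: per-flow length and timing statistics are extracted from the client-side DoH records of a connection (the DNS message itself being encrypted), z-scored, and classified by a k-nearest-neighbour majority vote. All flows are constructed illustrative values rather than captured traffic, the five-feature set and k=3 are assumptions, and the paper's own features, data set and 79% result are not reproduced here.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# --- Constructed sample flows (illustrative values, not captured traffic) ---
# A flow is a list of (time_in_seconds, record_length_bytes) for the client-side
# DoH records of one TLS connection. Only sizes and timing are used: with DoH
# the DNS message is encrypted, so the queried name is not available.

def make_flow(lengths, gaps):
    """Build a flow from record lengths and the gap (s) before each record."""
    t, flow = 0.0, []
    for length, gap in zip(lengths, gaps):
        t += gap
        flow.append((t, length))
    return flow

# Assumed benign profile: a page load resolving several names of varying
# length in irregular bursts.
BENIGN_FLOWS = [
    make_flow([98, 143, 77, 121, 166, 89], [0.0, 0.01, 0.03, 0.2, 0.05, 1.4]),
    make_flow([110, 71, 154, 93, 132], [0.0, 0.02, 0.4, 0.01, 2.1]),
    make_flow([84, 139, 101, 175, 68, 125, 97], [0.0, 0.05, 0.01, 0.3, 0.02, 0.9, 0.07]),
    make_flow([120, 88, 160, 75], [0.0, 0.03, 0.6, 0.02]),
]
# Assumed DGA profile: a bot walking through generated names of fixed length
# at a fixed polling interval, so record lengths and gaps barely vary.
DGA_FLOWS = [
    make_flow([118] * 8, [0.0] + [2.0] * 7),
    make_flow([119] * 6, [0.0] + [2.0] * 5),
    make_flow([117] * 7, [0.0] + [2.0] * 6),
    make_flow([118] * 5, [0.0] + [2.0] * 4),
]

def extract_features(flow):
    """Length and timing statistics of one flow (this feature set is an assumption)."""
    lengths = [length for _, length in flow]
    gaps = [b[0] - a[0] for a, b in zip(flow, flow[1:])] or [0.0]
    return [mean(lengths), pstdev(lengths), mean(gaps), pstdev(gaps), float(len(flow))]

class KnnFlowClassifier:
    """k-NN over z-scored flow features with a majority vote."""

    def __init__(self, k=3):
        self.k = k
        self.rows, self.labels, self.mu, self.sigma = [], [], [], []

    def fit(self, flows, labels):
        raw = [extract_features(f) for f in flows]
        cols = list(zip(*raw))
        self.mu = [mean(c) for c in cols]
        # A constant feature would otherwise divide by zero.
        self.sigma = [pstdev(c) or 1.0 for c in cols]
        self.rows = [self._scale(r) for r in raw]
        self.labels = list(labels)
        return self

    def _scale(self, row):
        return [(v - m) / s for v, m, s in zip(row, self.mu, self.sigma)]

    def predict(self, flow, exclude=None):
        """Majority label among the k nearest training flows.
        `exclude` skips one training index (used for leave-one-out below)."""
        q = self._scale(extract_features(flow))
        dists = [
            (math.dist(q, r), lab)
            for i, (r, lab) in enumerate(zip(self.rows, self.labels))
            if i != exclude
        ]
        nearest = sorted(dists, key=lambda d: d[0])[: self.k]
        return Counter(lab for _, lab in nearest).most_common(1)[0][0]

    def leave_one_out_accuracy(self, flows):
        """Fraction of training flows classified correctly when held out.
        (The scaler stays fitted on the full set, which is a simplification.)"""
        hits = sum(
            self.predict(f, exclude=i) == lab
            for i, (f, lab) in enumerate(zip(flows, self.labels))
        )
        return hits / len(flows)

TRAIN_FLOWS = BENIGN_FLOWS + DGA_FLOWS
TRAIN_LABELS = ["benign"] * len(BENIGN_FLOWS) + ["dga"] * len(DGA_FLOWS)
CLASSIFIER = KnnFlowClassifier(k=3).fit(TRAIN_FLOWS, TRAIN_LABELS)

if __name__ == "__main__":
    print("leave-one-out accuracy:", CLASSIFIER.leave_one_out_accuracy(TRAIN_FLOWS))
    print(CLASSIFIER.predict(make_flow([118] * 6, [0.0] + [2.0] * 5)))
    print(CLASSIFIER.predict(make_flow([105, 150, 80, 130], [0.0, 0.02, 0.5, 0.04])))
```

The example standardizes every feature before measuring distance, because raw byte lengths would otherwise dominate sub-second timing gaps in the Euclidean distance; on a real data set the features and k should be chosen by cross-validation rather than assumed as they are here.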
Authors: 张千帆 (ZHANG Qian-fan); 郭晓军 (GUO Xiao-jun); 周鹏举 (ZHOU Peng-ju) (School of Information Engineering, Xizang Minzu University, Xianyang 712000, China)
Published in: Computer Technology and Development (《计算机技术与发展》), 2021, No. 12, pp. 122-127 (6 pages)
Funding: Natural Science Foundation of Tibet Autonomous Region (XZ2019ZRG-36(Z)); Xizang Minzu University "Zang-Qin Himalaya Talent Development Support Plan - Outstanding Young Scholars" project (324011810216); Xizang Minzu University "Tibet-related Network Information Content and Data Security Team" project (324042000709).
Keywords: botnet; command and control (C&C) server; domain generation algorithm; DNS-over-HTTPS (DoH) protocol; network traffic analysis
Related literature: references 4; secondary references 19; co-citing documents 39; co-cited references 5; citing documents 1; secondary citing documents 3
