COMPUTER ENGINEERING AND APPLICATIONS
2014, No. 15, pp. 82-86 (5 pages)
Keywords: Domain Name System (DNS) query failure; Counting Bloom Filter; anomaly detection
Abstract: Since failed DNS queries can provide evidence of malicious network activity, this paper takes DNS query failure data as its entry point and proposes a lightweight DNS anomaly detection method based on a Counting Bloom Filter. The method uses a reversible hash function with semantic features to rapidly cluster the queried domain names and the IP addresses that initiated the queries, and to recover them afterwards: the few Top-N hash strings are worked backwards to obtain the dominant short strings, which are then spliced together according to the results of a homology judgment. Experimental results show that the method effectively identifies anomalies in DNS traffic with a small memory footprint and fast computation, so it is suitable for early screening and later validation in anomaly detection scenarios such as botnets and distributed denial-of-service (DDoS) attacks.