[1] ZHANG Qian-fan, GUO Xiao-jun, ZHOU Peng-ju. DGA Identification Method Based on DoH Traffic [J]. Computer Technology and Development, 2021, 31(12): 122-127. [doi:10.3969/j.issn.1673-629X.2021.12.021]

DGA Identification Method Based on DoH Traffic

Computer Technology and Development [ISSN:1006-6977/CN:61-1281/TN]

Volume:
31
Issue:
2021, No. 12
Pages:
122-127
Column:
Networks and Security
Publication date:
2021-12-10

Article Info

Title:
DGA Identification Method Based on DoH Traffic
Article number:
1673-629X(2021)12-0122-06
Authors:
ZHANG Qian-fan, GUO Xiao-jun, ZHOU Peng-ju
School of Information Engineering, Xizang Minzu University, Xianyang 712000, Shaanxi, China
Keywords:
Botnet; command & control (C&C) server; domain generation algorithm; DNS-over-HTTPS (DoH) protocol; network traffic analysis
CLC number:
TP391.5
DOI:
10.3969/j.issn.1673-629X.2021.12.021
Abstract:
Current research shows that the domain generation algorithm (DGA) has become one of the key techniques botnets use to establish communication with command and control (C&C) servers. Because detection methods that exploit the randomness of DGA domain names have matured, DGA traffic may be carried in encrypted form to evade detection. Since detection models based on domain-name randomness cannot identify encrypted DGA traffic, this paper verifies, using the DoH (DNS-over-HTTPS) protocol, that DGA traffic can be transmitted encrypted, and analyses the HTTP message content, the HTTP traffic and the corresponding TCP traffic generated during the C&C process. Because packets carried over DoH no longer expose the DNS message for parsing, the length and timing information of DoH packets is selected as the identification feature. Building on the analysis of DGA traffic characteristics in the DoH network, DGA domain names are identified with the KNN classification algorithm, giving an identification method that combines feature engineering with machine learning and provides a way to detect DGA traffic in DoH networks. Experimental results show that the DoH-traffic-based DGA classification model reaches an accuracy of 79% on an artificial data set, demonstrating good classification precision and providing protection for DoH network security.


Last Update: 2021-12-10