一种基于被动DNS数据分析的DNS重绑定攻击检测技术

doi:10.3969/j.issn.1671-1122.2021.03.011

信息网络安全 ›› 2021, Vol. 21 ›› Issue (3): 87-95.doi: 10.3969/j.issn.1671-1122.2021.03.011

一种基于被动DNS数据分析的DNS重绑定攻击检测技术

郭烜臻¹^,²(), 潘祖烈¹^,², 沈毅¹^,², 陈远超¹^,²

1.国防科技大学电子对抗学院,合肥 230037
2.网络空间安全态势感知与评估安徽省重点实验室,合肥 230037

收稿日期:2020-06-18 出版日期:2021-03-10 发布日期:2021-03-16
通讯作者: 郭烜臻 E-mail:guoxuanzhen@nudt.edu.cn
作者简介:郭烜臻（1996—）,男,江西,硕士研究生,主要研究方向为网络空间安全|潘祖烈（1976—）,男,安徽,副教授,博士,主要研究方向为网络空间安全|沈毅（1986—）,男,重庆,讲师,硕士,主要研究方向为网络空间安全|陈远超（1996—）,男,福建,硕士研究生,主要研究方向为网络空间安全
基金资助:
国家重点研发计划(2017YFB0802900)

DNS Rebinding Detection Technology Based on Passive DNS Data Analysis

GUO Xuanzhen¹^,²(), PAN Zulie¹^,², SHEN Yi¹^,², CHEN Yuanchao¹^,²

1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
2. Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China

Received:2020-06-18 Online:2021-03-10 Published:2021-03-16
Contact: GUO Xuanzhen E-mail:guoxuanzhen@nudt.edu.cn

摘要/Abstract

摘要：

基于域名系统（DNS）的DNS重绑定攻击能够有效绕过同源策略、防火墙,窃取敏感信息,控制内网设备,危害巨大。DNS重绑定需要通过设置恶意域名才能实现。针对DNS重绑定相关恶意域名的检测问题,文章提出一种基于被动DNS数据分析的DNS重绑定攻击检测模型（DNS Rebinding Classifier,DRC）。通过引入被动DNS数据,从域名名称、时间、异常通信及恶意行为等4个测度集刻画DNS重绑定相关域名;基于C4.5决策树、KNN、SVM及朴素贝叶斯等分类方法对数据进行混合分类、组合训练及加权求值。交叉验证实验表明,DRC模型对相关恶意域名的识别能够达到95%以上的精确率;与恶意域名检测工具FluxBuster进行对比,DRC模型能够更准确地识别相关恶意域名。

关键词: DNS重绑定, 被动DNS, 恶意域名检测, 混合分类

Abstract:

DNS rebinding attack based on the domain name system (DNS) can effectively bypass the homologous strategy and firewall, steal sensitive information, and control intranet devices, causing great harm to the Internet community. DNS rebinding can only be realized by setting malicious domain name. Aiming at the detection of malicious domain names related to DNS rebinding, this paper proposes a DNS rebinding classifier (DRC) based on passive DNS data analysis. By introducing passive DNS data, the domain names related to DNS rebinding are characterized from the four measure sets of domain name, time, abnormal communication and malicious behavior. Based on C4.5 decision tree, KNN, SVM and naive Bayes classification methods, the data are classified, trained and weighted. Cross validation experiments show that the accuracy of DRC model for identifying related malicious domain names can reach more than 95%. Compared with the malicious domain name detection tool FluxBuster, DRC model can identify related malicious domain names more accurately.

Key words: DNS rebinding, passive DNS, malware domain name detection, mixed classification

中图分类号:

TP309

郭烜臻, 潘祖烈, 沈毅, 陈远超. 一种基于被动DNS数据分析的DNS重绑定攻击检测技术[J]. 信息网络安全, 2021, 21(3): 87-95.

GUO Xuanzhen, PAN Zulie, SHEN Yi, CHEN Yuanchao. DNS Rebinding Detection Technology Based on Passive DNS Data Analysis[J]. Netinfo Security, 2021, 21(3): 87-95.

图/表 11

图1

图2

图3

表1

表2

表3

图4

图5

图6

表4

图7

参考文献 20

[1]	HONG Bo, GENG Guanggang, WANG Liming, et al. System to Discover Phishing Attacks Actively Based on DNS[J]. Application Research of Computers, 2013,30(12):3771-3774.
	洪博, 耿光刚, 王利明, 等. 一种基于DNS主动检测钓鱼攻击的系统[J]. 计算机应用研究, 2013,30(12):3771-3774.
[2]	TATANG D, SUURLAND T, HOLZ T. Study of DNS Rebinding Attacks on Smart Home Devices[EB/OL]. https://www.researchgate.net/publication/335243263_Study_of_DNS_Re-bin-ding_At-tacks_on_Smart_Home_De-vices, 2020-01-20.
[3]	JACKSON C, BORTZ A, BONEH D, et al. Protecting Browser State from Web Privacy Attacks [C]//ACM. The 15th International Conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland, UK. New York: ACM, 2006: 737-744.
[4]	DAI Yunxing, RESIG R. FireDrill: Interactive DNS Rebinding [C]// USENIX. The 7th USENIX Conference on Offensive Technologies, August 13, 2013, Washington, DC, USA. Berkeley: USENIX Association, 2013: 2.
[5]	DORSEY B. Attacking Private Networks from the Internet with DNS Rebinding[EB/OL]. https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325, 2018-06-19.
[6]	Armis. DNS Rebinding Exposes Half a Billion Devices in the Enterprise[EB/OL]. https://www.armis.com/resources/iot-security-blog/dns-rebinding-exposes-half-a-billion-iot-devices-in-the-enterprise/, 2020-01-20.
[7]	F-Secure. Minikube RCE & VM Escape[EB/OL]. https://labs.f-secure.com/advisories/minikube-rce/, 2020-01-20.
[8]	ZHA Chengji. Analysis of Mobile Internet Based on DNS Log[D]. Beijing: Beijing University of Posts and Telecommunications, 2014.
	查诚吉. 基于DNS日志的移动互联网分析[D]. 北京:北京邮电大学, 2014.
[9]	TIAN Shiqi. Implementation and Traffic Analysis of DNS Traffic Collection System[D]. Beijing: Beijing University of Posts and Telecommunications, 2018.
	田世奇. DNS流量采集系统的实现与流量分析[D]. 北京:北京邮电大学, 2018.
[10]	ANTONAKAKIS M, PERDISCI R, DAGON D, et al. Building a Dynamic Reputation System for DNS [C]// USENIX. The 19th USENIX Conference on Security, August 11-13, 2010, Washington, DC, USA. Berkeley: USENIX Association, 2010: 18.
[11]	BILGE L, SEN S, BALZAROTTI D, et al. Exposure: A Passive DNS Analysis Service to Detect and Report Malicious Domains[J]. ACM Transactions on Information and System Security, 2014,16(4):1-28.
[12]	RAHBARINIA B, PERDISCI R, et al. Efficient and Accurate Behavior-based Tracking of Malware-control Domains in Large ISP Networks[J]. ACM Transactions on Privacy and Security, 2016,2016(19):1-31.
[13]	PERDISCI R, CORONA I, GIACINTO G. Early Detection of Malicious Flux Networks via Large-scale Passive DNS Traffic Analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2012,9(5):714-726.
[14]	ZHANG Weiwei, GONG Jian, LIU Shangdong, et al. DNS Surveillance on Backbone[J]. Journal of Software, 2017,28(9):2370-2387.
	张维维, 龚俭, 刘尚东, 等. 面向主干网的DNS流量监测[J]. 软件学报, 2017,28(9):2370-2387.
[15]	WEIMER F. Passive DNS Replication[EB/OL]. https://www.researchgate.net/publication/265577184_Passive_DNS_Replication, 2020-01-20.
[16]	FARID D M, ZHANG Li, RAHMAN C M, et al. Hybrid Decision Tree and Naive Bayes Classifiers for Multi-class Classification Tasks[J]. Expert Systems with Applications, 2014,41(4):1937-1946.
[17]	RISKIQ. RiskIQ PassiveTotal[EB/OL]. https://www.riskiq.com/products/passivetotal/, 2020-01-20.
[18]	circl. lu. CIRCL Passive DNS[EB/OL]. https://www.circl.lu/services/passive-dns/, 2020-01-20.
[19]	ZHOU Changling, CHEN Kai, GONG Xuxiao, et al. Detection of Fast-flux Domains Based on Passive DNS Analysis[J]. Acta Scientiarum Naturalium Universitatis Pekinensis, 2016,52(3):396-402.
	周昌令, 陈恺, 公绪晓, 等. 基于Passive DNS的速变域名检测[J]. 北京大学学报(自然科学版), 2016,52(3):396-402.
[20]	Alexa. The Top 500 Sites on the Web[EB/OL]. https://www.alexa.com/topsites, 2020-01-20.

种类	描述
基于时间变化	同一域名在较短时间内有多个不同IP的DNS解析报文,利用此特点进行DNS重绑定攻击,往往与速变域名相联系
基于A记录	利用从接收到的A记录中解析出的多个IP进行DNS重绑定攻击
基于插件	利用浏览器插件漏洞进行DNS重绑定攻击

正常域名	DNS重绑定相关恶意域名
容易记忆	记忆复杂
域名解析行为正常	域名解析行为异常
域名存活时间长	域名存活时间短
IP解析结果正常	IP解析返回私有IP
网页源码正常	网页源码返回恶意攻击脚本
应答报文TTL值正常	应答报文TTL值偏短

测度集	编号	特征名	描述
域名名称	1	Domain_special	特殊字符
	2	Famous_domain	与著名域名相关
	3	Malware_domain	与恶意域名相关
	4	Num_word	域名字母数量
	5	Num_digit	域名数字数量
	6	Domain_length	域名长度
异常通信	7	NS	域名解析服务器是否正常
	8	Geo_feature	地理位置信息
	9	Num_IP	解析是否对应多个IP
	10	Private_IP	是否为私有IP
时间	11	Survival_time	域名存活时间
	12	Min_TTL	最小TTL值
	13	Max_TTL	最大TTL值
	14	Change_ttl	TTL值变化次数
恶意行为	15	Abnormal_behavior	是否有异常解析行为
恶意行为	16	Flood_behavior	是否有洪泛DNS解析

算法	类别	作用	提取特征
Exposure	决策树	识别僵尸网络相关恶意域名	域名字面特征、资源记录、时间特征等18个特征
Kopis	随机森林	识别恶意域名	请求密度、解析IP声誉等23个特征
Fluxbuster	决策树	识别速变恶意域名	IP地址数量、解析行为等13个特征
DRC	混合分类算法	识别DNS重绑定相关恶意域名	域名名称、时间、异常通信和恶意行为等4个测度集的16个特征

一种基于被动DNS数据分析的DNS重绑定攻击检测技术

DNS Rebinding Detection Technology Based on Passive DNS Data Analysis

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 20

相关文章 1

编辑推荐

Metrics

本文评价