Domain-Flux Malicious Domain Name Detection and Analysis Based on HMM

doi:10.3969/j.issn.1671-1122.2021.12.001

Abstract

Abstract:

With widely using domain generation algorithm (DGA) to generate a large number of random domain names to avoid detection, botnet has become the primary threat to network security today. In addition, the research on DGA domain name identification methods has important practical significance for countering malicious programs, fighting botnet and ensuring information security. This paper designed a DGA domain name detection and analysed framework based on the ELK big data platform. On the basis of fully studying the existing DGA domain name identification methods such as blacklists, this paper collected the request query log of the DNS business system. By adopting the hidden Markov model to perform cluster analysis on malicious domain names, the judgment of DGA domain names could be realized, and further ideas could be provided for evidence collection and source tracing of botnet and other cyber-attacks. Experimental results show that the lightweight detection classifier used in this paper can distinguish between normal domain names and malicious domain names more clearly.

Key words: network forensics, hidden Markov model, malicious domain name detection, ELK

CLC Number:

TP309

GUO Xiangmin, LIANG Guangjun, XIA Lingling. Domain-Flux Malicious Domain Name Detection and Analysis Based on HMM[J]. Netinfo Security, 2021, 21(12): 1-8.

Figures/Tables 7

References 18

[1]	XU Guotian. Crack of Malicious Program Domain Name Generation Algorithm Based on DGA[J]. Netinfo Security, 2017, 17(9):4-8.
	徐国天. 基于DGA的恶意程序域名生成算法破解[J]. 信息网络安全, 2017, 17(9):4-8.
[2]	McAfee Labs. Threats Report[EB/OL]. https://www.mcafee.com/enterprise/zh-cn/assets/reports/rp-quarterly-threats-nov-2020.pdf, 2020-11-13.
[3]	ACARALIA D, RAJARAJANA M, KOMNINOSA N, et al. Survey of Approaches and Features for the Identification of HTTP-based Botnet Traffic[J]. Journal of Network and Computer Applications, 2016, 16(76):1-15.
[4]	ZHAUNIAROVICH Y, KHALIL I, YU Ting, et al. A Survey on Malicious Domains Detection Through DNS Data Analysis[J]. ACM Computing Surveys, 2018, 51(4):1-35.
[5]	ZANG Xiaodong, GONG Jian, HU Xiaoyan. Malicious Domain Name Detection Based on AGD[J]. Journal on Communications, 2018, 39(7):15-25.
	臧小东, 龚俭, 胡晓艳. 基于AGD的恶意域名检测[J]. 通信学报, 2018, 39(7):15-25.
[6]	JIN Jiandong, YANG Jia, ZHOU Changling, et al. Network Forensics Analysis on Email Scam Botnet[J]. Journal of Shenzhen University(Science & Engineering), 2020, 37(z1):78-83.
	金建栋, 杨加, 周昌令, 等. 勒索欺诈邮件僵尸网络的检测与分析[J]. 深圳大学学报理工版, 2020, 37(z1):78-83.
[7]	THAPLIYAL M, BIJALWAN A, GARG N, et al. A Generic Process Model for Botnet Forensic Analysis[EB/OL]. https://www.atlantis-press.com/proceedings/cac2s-13/6285, 2013-04-24.
[8]	ANTONAKAKIS M, PERDISCI R, NADJI Y, et al. From Throw-away Traffic to Bots: Detecting the Rise of DGA-based Malware[EB/OL]. https://dl.acm.org/doi/10.5555/2362793.2362817, 2012-08-10.
[9]	SHARIFNYA R, ABADI M. DFBotKiller: Domain-flux Botnet Detection Basedon the History of Group Activities and Failures in DNS Traffic[J]. Digital Investigation, 2015, 13(12):15-26. doi: 10.1016/j.diin.2015.02.002 URL
[10]	ZHAO Yue. Research on Botnet Detection Method Based on DNS Traffic Characteristics[D]. Tianjin: Tianjin University, 2016.
	赵越. 基于DNS流量特征的僵尸网络检测方法研究[D]. 天津:天津大学, 2016.
[11]	WAJEEHA A. Why Botnets Persist: Designing Effective Technical and Policy Interventions[J]. MIT Internet Policy Research Initiative (IPRI), 2019, 23(2):1-5.
[12]	XIONG Yan, CHENG Chuanhu, WU Jianshuang, et al. Research on Premise Selection Technology Based on Machine Learning Classification Algorithm[J]. Netinfo Security, 2021, 21(11):9-16.
	熊焰, 程传虎, 武建双, 等. 基于机器学习分类算法的前提选择技术研究[J]. 信息网络安全, 2021, 21(11):9-16.
[13]	LI Deqi, HU Dasha, LIU Yunxia, et al. Research on Command Control Channel of Botnet Based on Blockchain Technology[J]. Modern Computer, 2020, 49(8):30-36.
	李德奇, 胡大裟, 刘云霞, 等. 基于区块链技术的僵尸网络命令控制信道研究[J]. 现代计算机, 2020, 49(8):30-36.
[14]	LIU Yi, CAO Jianjun, DIAO Xingchun, et al. Review on Stability of Feature Selection[J]. Journal of Software, 2018, 29(9):2559-2579.
	刘艺, 曹建军, 刁兴春, 等. 特征选择稳定性研究综述[J]. 软件学报, 2018, 29(9):2559-2579.
[15]	ZHANG Xiao, MEI Changlin, CHEN Degang, et al. Feature Selection in Mixed Data: A Method Using A Novel Fuzzy Rough Set-based Information Entropy[J]. Pattern Recognition, 2016, 56(1):1-15. doi: 10.1016/j.patcog.2016.02.013 URL
[16]	ZHAO Cheng, CHEN Junxin. Reflective XSS Detection Technology Based on Hidden Markov Model[J]. Journal of Zhejiang University of Technology, 2019, 47(4):6-12.
	赵澄, 陈君新. 基于隐马尔可夫模型的反射型XSS检测技术[J]. 浙江工业大学学报, 2019, 47(4):6-12.
[17]	ZHANG Xiao, YING Shi, ZHANG Tao. Collection and Service Processing Framework of Application Software Running Log[J]. Computer Engineering and Applications, 2018, 54(10):81-89, 142.
	张骁, 应时, 张韬. 应用软件运行日志的收集与服务处理框架[J]. 计算机工程与应用, 2018, 54(10):81-89, 142.
[18]	JIANG Hongling, DAI Junwei. DGA Malicious Domain Name Detection Method[J]. Journal of Beijing Institute of Machinery (Natural Science Edition), 2019, 34(5):6-22.
	蒋鸿玲, 戴俊伟. DGA恶意域名检测方法[J]. 北京信息科技大学学报(自然科学版), 2019, 34(5):6-22.

正常域名（长度）	crytolocker中域名（长度）	post-tovar-goz中域名（长度）
google.com （9）	wwkahhnyqvxdfq.com（17）	1vw732fl1xtlak0d9gcdqts1.com（27）
youtube.com（10）	kpudegrfqeuadh.net （17）	1hhxat2jy9ifweb2yvdkxcoo1.net（28）
facebook.com（11）	xraxhxvadmpgdn.biz（17）	fnh1oolf37hjgasfma1p40f80.biz（28）
baidu.com （8）	ldjhqijygqrudp.ru （16）	y4vv24qb5q13q9m9y115hf8cp.org（28）
wikipedia.org（12）	yfoctantsymbmt.org （17）	17ag7la1cpqv96x4kc210zbouf.com（29）

恶意域名	DGA家族	信息熵
wwkahhnyqvxdfq.com	Crytolocker	3.73
kpudegrfqeuadh.net	Crytolocker	3.57
xraxhxvadmpgdn.biz	Crytolocker	3.57
1vw732fl1xtlak0d9gcdqts1.com	post-tovar-goz	4.00
1hhxat2jy9ifweb2yvdkxcoo1.net	post-tovar-goz	3.96
fnh1oolf37hjgasfma1p40f80.biz	post-tovar-goz	3.82

消息字段	说明
5-Apr-2021 12:11:34.121	查询日志获取的时间,日—月—年时:分:秒
queries	日志类别为查询日志
info	日志消息等级为“info（消息）”
client 192.168.241.2#54915	请求源地址及端口
view telecom	发起请求使用的区域解析库文件
query: test.com	查询的域名记录
IN PTR	域名解析记录
+/-	是否设置递归查询,是为+,否为-
192.168.241.10	DNS服务器地址

指标	文献[9]	文献[18]	本文方法
检测计算量	×	×	√
隐私保护	×	√	√
网络安全	×	√	√