Journal of Xi'an Jiaotong University (《西安交通大学学报》)

Tracking Botnet Activity Based on Domain Name Co-occurrence Behavior

Abstract

Botnet activity is hard to track comprehensively when only sparse local behavioral feature information is available. To address this, a botnet activity tracking method based on domain name co-occurrence behavior is proposed. The method uses a domain co-occurrence scoring algorithm to compute the co-occurrence behavior between domains under test and known botnet domains, thereby tracking further botnet domains and in turn discovering more bot hosts. To improve the accuracy of domain scoring, three refinements are also proposed: filtering domain accesses made by hosts behind network address translation (NAT), spatially distinguishing individual botnets, and computing co-occurrence statistics over an observation duration. DNS query traffic collected from the Xi'an Jiaotong University campus domain name servers was used as the data source for experiments and tests. The results show that the improved scoring measures not only reduce the number of domains under test to a quarter of the original, but also yield more reasonable top-10 domain co-occurrence scores, improving the accuracy of tracking bot hosts.
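The following is an added illustration of the kind of scoring the abstract describes; it is not the paper's code. The scoring rule (fraction of a candidate domain's clients that also queried a known botnet domain within an observation window), the NAT heuristic (a client resolving an unusually wide set of distinct domains is treated as a NAT gateway and dropped), the per-botnet seed set used to keep individual botnets apart, and the sample query log are all assumptions constructed here for the example; the `.test` domains and `10.0.0.x` addresses are constructed values.

```python
from collections import defaultdict

# Constructed sample DNS query log: (time in seconds, client IP, queried domain).
# 10.0.0.1 and 10.0.0.2 behave like bots: they resolve the known C2 domain and,
# shortly after, the unknown "backup-c2.test". 10.0.0.9 behaves like a NAT
# gateway: it resolves everything, so left in it would inflate every score.
SAMPLE_QUERIES = [
    (0,    "10.0.0.1", "c2-a.test"),
    (5,    "10.0.0.1", "backup-c2.test"),
    (10,   "10.0.0.2", "c2-a.test"),
    (12,   "10.0.0.2", "backup-c2.test"),
    (20,   "10.0.0.3", "news.test"),
    (25,   "10.0.0.3", "backup-c2.test"),  # benign-looking client also resolves it
    (30,   "10.0.0.4", "news.test"),
    (900,  "10.0.0.5", "c2-a.test"),
    (5000, "10.0.0.5", "backup-c2.test"),  # far apart: outside the observation window
    (40,   "10.0.0.9", "c2-a.test"),
    (41,   "10.0.0.9", "backup-c2.test"),
    (42,   "10.0.0.9", "news.test"),
    (43,   "10.0.0.9", "mail.test"),
    (44,   "10.0.0.9", "cdn.test"),
    (45,   "10.0.0.9", "shop.test"),
]

# Seed set for ONE botnet (constructed). Scoring each botnet against its own
# seed set is the "spatial distinction" refinement: seeds of different botnets
# are never pooled into a single score.
KNOWN_BOT_DOMAINS = {"c2-a.test"}


def filter_nat_clients(queries, max_distinct_domains):
    """Drop clients that resolved more distinct domains than the threshold.

    Assumed heuristic: a single source IP with an unusually broad query mix is
    treated as a NAT gateway hiding many hosts, whose queries cannot be tied to
    one machine and would make every domain co-occur with the seeds.
    """
    domains_by_client = defaultdict(set)
    for _, client, domain in queries:
        domains_by_client[client].add(domain)
    nat_clients = {c for c, ds in domains_by_client.items()
                   if len(ds) > max_distinct_domains}
    kept = [q for q in queries if q[1] not in nat_clients]
    return kept, nat_clients


def cooccurrence_scores(queries, seed_domains, window_seconds):
    """Score each non-seed domain by the fraction of its clients that also
    resolved a seed domain within +/- window_seconds (observation duration)."""
    events_by_client = defaultdict(list)
    for t, client, domain in queries:
        events_by_client[client].append((t, domain))

    clients_of = defaultdict(set)          # domain -> all clients resolving it
    cooccur_clients_of = defaultdict(set)  # domain -> clients that also hit a seed
    for client, events in events_by_client.items():
        seed_times = [t for t, d in events if d in seed_domains]
        for t, d in events:
            if d in seed_domains:
                continue
            clients_of[d].add(client)
            if any(abs(t - st) <= window_seconds for st in seed_times):
                cooccur_clients_of[d].add(client)

    return {d: len(cooccur_clients_of[d]) / len(clients_of[d]) for d in clients_of}


def rank_candidates(queries, seed_domains, window_seconds=300, max_distinct_domains=4):
    """Apply the NAT filter, score against one botnet's seeds, rank descending."""
    filtered, _ = filter_nat_clients(queries, max_distinct_domains)
    scores = cooccurrence_scores(filtered, seed_domains, window_seconds)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("without NAT filter:",
          cooccurrence_scores(SAMPLE_QUERIES, KNOWN_BOT_DOMAINS, 300))
    print("with NAT filter:   ",
          rank_candidates(SAMPLE_QUERIES, KNOWN_BOT_DOMAINS))
```

Run as is, the unfiltered scores give `mail.test`, `cdn.test` and `shop.test` a perfect 1.0 purely because the NAT-like client resolved them near the C2 lookup, while the filtered ranking puts `backup-c2.test` first at 0.5 (two of its four clients co-occur with the seed inside the window; the `10.0.0.5` lookup is too far apart in time to count) and `news.test` at 0.0. A real deployment would calibrate the window and the NAT threshold from the observed resolver traffic rather than from the constants chosen here.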
