
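A DNS Rebinding Attack Detection Technique Based on Passive DNS Data Analysis
Cite this article: GUO Xuanzhen, PAN Zulie, SHEN Yi, CHEN Yuanchao. A DNS Rebinding Attack Detection Technique Based on Passive DNS Data Analysis [J]. Netinfo Security, 2021(3): 87-95.
Authors: GUO Xuanzhen, PAN Zulie, SHEN Yi, CHEN Yuanchao
Affiliation: College of Electronic Engineering, National University of Defense Technology; Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation
Funding: National Key Research and Development Program of China [2017YFB0802900].
Abstract: DNS rebinding attacks, which build on the Domain Name System (DNS), can effectively bypass the same-origin policy and firewalls, steal sensitive information, and take control of intranet devices, and are therefore highly damaging. A DNS rebinding attack can only be carried out by setting up a malicious domain name. To address the problem of detecting malicious domain names associated with DNS rebinding, this paper proposes a DNS rebinding attack detection model based on passive DNS data analysis, the DNS Rebinding Classifier (DRC). Using passive DNS data, domain names associated with DNS rebinding are characterized by four feature sets: domain name, time, abnormal communication, and malicious behavior. The data are then processed with C4.5 decision tree, KNN, SVM, and naive Bayes classifiers through hybrid classification, combined training, and weighted scoring. Cross-validation experiments show that the DRC model identifies the relevant malicious domain names with a precision of more than 95%; compared with the malicious domain name detection tool FluxBuster, the DRC model identifies the relevant malicious domain names more accurately.

Keywords: DNS rebinding; passive DNS; malicious domain name detection; hybrid classification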

DNS Rebinding Detection Technology Based on Passive DNS Data Analysis
GUO Xuanzhen, PAN Zulie, SHEN Yi, CHEN Yuanchao. DNS Rebinding Detection Technology Based on Passive DNS Data Analysis [J]. Netinfo Security, 2021(3): 87-95.
Authors: GUO Xuanzhen, PAN Zulie, SHEN Yi, CHEN Yuanchao
Affiliation: College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China; Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
Abstract: DNS rebinding attacks based on the domain name system (DNS) can effectively bypass the same-origin policy and firewalls, steal sensitive information, and control intranet devices, causing great harm to the Internet community. DNS rebinding can only be realized by setting up a malicious domain name. Aiming at the detection of malicious domain names related to DNS rebinding, this paper proposes a DNS rebinding classifier (DRC) based on passive DNS data analysis. By introducing passive DNS data, the domain names related to DNS rebinding are characterized from four measure sets: domain name, time, abnormal communication, and malicious behavior. Based on C4.5 decision tree, KNN, SVM, and naive Bayes classification methods, the data are classified, trained, and weighted. Cross-validation experiments show that the accuracy of the DRC model for identifying related malicious domain names can reach more than 95%. Compared with the malicious domain name detection tool FluxBuster, the DRC model can identify related malicious domain names more accurately.
Keywords: DNS rebinding; passive DNS; malware domain name detection; mixed classification
This article has been indexed by VIP (维普) and other databases.