CN102685145A

CN102685145A - Domain name server (DNS) data packet-based bot-net domain name discovery method

Info

Publication number: CN102685145A
Application number: CN2012101683406A
Authority: CN
Inventors: 王志文; 刘璐; 陶敬; 马小博; 周文瑜
Original assignee: Xian Jiaotong University
Current assignee: Xian Jiaotong University
Priority date: 2012-05-28
Filing date: 2012-05-28
Publication date: 2012-09-19

Abstract

The invention discloses a method for discovering a botnet domain name based on DNS data packets. The DNS data packet is used as the basic data source at the network layer, and under the condition of knowing part of the botnet domain names, the group and persistence of the botnet are utilized. Key features, track and discover more botnet domains using domain co-occurrence scoring method. The present invention shows the domain name of the botnet through the local characteristics of the known botnet, discovers the unknown domain name updated or changed after it changes with time, discovers, grasps and tracks the dynamic changes of the access behavior of the given botnet, to overcome Shortcomings of Existing Botnet Detection Methods. The method of the present invention is characterized by the domain name, which can avoid the limitations of botnet protocol diversity or information encryption when using the feature code as the detection means; the observation object of the co-occurrence behavior of the domain name can make full use of the group and continuous nature of the botnet. Sexual characteristics, discover unknown botnet domains.

Description

A method for discovering botnet domain names based on DNS packets

技术领域 technical field

本方法涉及计算机网络安全领域，涉及僵尸网络域名的发现方法，尤其涉及基于DNS数据包的僵尸网络域名发现方法。 The method relates to the field of computer network security, and relates to a method for discovering a domain name of a botnet, in particular to a method for discovering a domain name of a botnet based on DNS data packets. the

背景技术 Background technique

僵尸网络是一群被僵尸程序（bot）感染的存在命令与控制关系的僵尸主机（zombie）集合，这些僵尸主机分布于家庭、企业、政府机构等各种场合，接收来自控制者（botmaster）的指令，执行DDoS、信息窃取、网络钓鱼、垃圾邮件、广告滥点、非法投票等多种网络攻击，作为一种群体性大规模网络攻击手段，对民用互联网、工业生产控制系统、军用网络等造成了严重的安全威胁。一对多的命令与控制（C&C）是僵尸网络区别于传统病毒、木马、后门等攻击技术的根本特点，僵尸网络具有“大规模、有组织、高可控、高隐蔽、长期潜伏”等典型特征。 A botnet is a collection of zombie hosts (zombie) infected by a bot program (bot) and having a command-and-control relationship. These zombie hosts are distributed in various occasions such as homes, enterprises, and government agencies, and receive instructions from the controller (botmaster). , carry out various network attacks such as DDoS, information theft, phishing, spam, advertising abuse, and illegal voting. serious security threat. One-to-many command and control (C&C) is the fundamental feature that distinguishes botnets from traditional virus, Trojan horse, backdoor and other attack technologies. feature. the

目前，僵尸网络检测的传统方法是利用特征码发现被控僵尸主机，非特征码检测僵尸网络的方法主要有：采用网络特征收集分类、主机间威胁和关联性评分，通过域名词法的语义分析在域名中挖掘恶意域名，通过IP和域名的Fast-Flux现象来检测僵尸网络等。这些方法面临以下问题： At present, the traditional method of botnet detection is to use signature codes to discover accused zombie hosts. Non-signature code detection methods mainly include: collecting and classifying network features, scoring threats and correlations between hosts, and using semantic analysis of domain name lexical Mine malicious domain names in domain names, and detect botnets through the Fast-Flux phenomenon of IP and domain names. These methods face the following problems:

1）僵尸网络长期潜伏等特点决定了控制者与僵尸主机的交互是一个动态命令与控制过程，因此已知特征信息很快被更新，基于特征码的检测方法无法跟上特征信息的脚步，检测失效率随时间将逐步提高。 1) The characteristics of the botnet such as long-term latency determine that the interaction between the controller and the zombie host is a dynamic command and control process, so the known feature information is updated quickly, and the detection method based on the feature code cannot keep up with the pace of the feature information. The failure rate will gradually increase with time. the

2）基于网络的检测方法对数据源要求高，由于数据计算复杂，很难应用于大型网络。 2) Network-based detection methods have high requirements on data sources, and are difficult to apply to large-scale networks due to complex data calculations. the

3）基于字面语义分析的检测方法和利用Fast-Flux现象的检测方法局限性很强，无法有效检测种类繁多的僵尸网络。 3) The detection method based on literal semantic analysis and the detection method using the Fast-Flux phenomenon have strong limitations and cannot effectively detect a wide variety of botnets. the

发明内容 Contents of the invention

本方法的目的在于提供一种基于DNS数据包的僵尸网络域名发现方法，通过已知的僵尸网络的局部特征（表现为僵尸网络的域名），发现其随时间变化后更新或改变的未知域名，发现、掌握和追踪给定僵尸网络的访问行为的动态变化，以克服现有僵尸网络检测方法的不足。本发明方法以域名为特征，可以避免以特征码为检测手段时由于僵尸网络协议多样性或信息加密等的局限性；以域名的共现行为观测对象，可以充分利用僵尸网络的群体性和持续性特征，发现未知的僵尸网络域名。实验表明，本方法能够在数万台主机的网络规模下有效、可靠地发现未知的僵尸网络域名。 The purpose of this method is to provide a method for discovering botnet domain names based on DNS data packets, through known local characteristics of botnets (expressed as botnet domain names), discover unknown domain names that are updated or changed over time, Discover, grasp and track the dynamic changes of access behavior of a given botnet to overcome the shortcomings of existing botnet detection methods. The method of the present invention is characterized by the domain name, which can avoid the limitations of botnet protocol diversity or information encryption when using the feature code as the detection means; the observation object of the co-occurrence behavior of the domain name can make full use of the group and continuous nature of the botnet. Sexual characteristics, discover unknown botnet domains. Experiments show that this method can effectively and reliably discover unknown botnet domain names in a network scale of tens of thousands of hosts. the

为了实现上述目的，本发明采用如下技术方案： In order to achieve the above object, the present invention adopts the following technical solutions:

一种基于DNS数据包的僵尸网络域名发现方法，包括以下步骤， A botnet domain name discovery method based on DNS packets, comprising the following steps,

数据预处理： Data preprocessing:

步骤1.1：以给定网络出口流量为数据源，从数据包中解析DNS查询数据，从中提取包含DNS查询特征信息的四元组r=(t,h,p,d)集合，t为请求发起时间，h为请求发起主机，p为请求的资源记录类型，d为请求的域名； Step 1.1: Take the given network egress traffic as the data source, parse the DNS query data from the data packet, and extract the four-tuple r=(t,h,p,d) set containing DNS query characteristic information, t is the request initiation time, h is the request originating host, p is the requested resource record type, and d is the requested domain name;

步骤1.2：通过域名白名单过滤约简四元组r=(t,h,p,d)集合，将包含域名白名单给定域名的四元组从四元组r=(t,h,p,d)集合中剔除； Step 1.2: Filter the reduced quadruple r=(t,h,p,d) set through the domain name whitelist, and convert the quadruple containing the given domain name from the domain name whitelist from the quadruple r=(t,h,p , d) remove from the set;

步骤1.3：识别NAT（IP网络地址转换器/IP Network Address Translator）主机，过滤NAT网络中NAT主机对域名的访问记录，从四元组r=(t,h,p,d)集合剔除步骤1.2域名白名单给定域名四元组后的四元组集合中剔除；剔除后得到约简后的四元组集合； Step 1.3: Identify NAT (IP Network Address Translator/IP Network Address Translator) hosts, filter the access records of NAT hosts to domain names in the NAT network, and remove step 1.2 from the quaternion r=(t,h,p,d) set Eliminate from the quadruple set after the given domain name quadruple in the domain name whitelist; get the reduced quadruple set after elimination;

步骤1.4：在步骤3得到的约简后的四元组集合上以域名为主体按时间窗口进行统计，统计每个时间窗口中每个域名被每个主机查询的次数，定义为四元组s=(T_i,h,d,n_all)；T_i表示从t_i到t_i+1的时间范围，t_i+1=t_i+T，h为请求发起主机，d为请求的域名，n_all为时间窗口中每个域名被每个主机查询的次数，其中时间窗口大小为T； Step 1.4: On the reduced set of quadruples obtained in step 3, the domain name is used as the subject to make statistics according to the time window, and the number of times each domain name is queried by each host in each time window is counted, which is defined as a quadruple s =(T _i ,h,d,n _all ); T _i represents the time range from t _i to t _i+1 , t _i+1 = t _i +T, h is the requesting host, d is the domain name of the request, n _all is the number of times each domain name is queried by each host in the time window, where the size of the time window is T;

优选的，步骤1.3中识别NAT主机的过程包括以下步骤： Preferably, the process of identifying the NAT host in step 1.3 comprises the following steps:

步骤a：划分时间周期，记录每个主机i在每个时间周期j内访问的域名数量观测值x_ij；j=1,2,3,…N，N为自然数； Step a: Divide the time period, record the observed value x _ij of the number of domain names accessed by each host i in each time period j; j=1,2,3,...N, N is a natural number;

步骤b：计算主机i在n个时间周期内访问域名数量的平均值为

Step b: Calculate the average number of domain names accessed by host i in n time periods as

步骤c：计算阈值M_k，使M_k为随机变量X_ij的上侧k分位数，即P{X_ij>M_k}=k，k∈(0,1)，其中，随机变量X_ij表示主机i在时间周期j内域名查询数；实验表明，k取0.05有最优效果； Step c: Calculate the threshold M _k , so that M _k is the upper k quantile of the random variable X _ij , that is, P{X _ij >M _k }=k, k∈(0,1), where the random variable X _ij Indicates the number of domain name queries of host i in time period j; experiments show that k is 0.05 to have the best effect;

步骤d：判断若

则认为该主机为NAT主机。 Step d: Judging if

The host is considered to be a NAT host.

优选的，所述基于DNS数据包的僵尸网络域名发现方法还包括域名共现评分的步骤： Preferably, the botnet domain name discovery method based on DNS packets also includes the step of domain name co-occurrence scoring:

步骤2.1：对给定僵尸网络，根据给定僵尸网络的域名集合确定在四元组s=(T_i,h,d,n_all)中的待测域名集合；向任一已知的僵尸网络中的域名发出过DNS查询请求的主机为僵尸主机，所有僵尸主机访问过的数据集中的未知域名为待测域名集合； Step 2.1: For a given botnet, determine the set of domain names to be tested in the quadruple s=(T _i ,h,d,n _all ) according to the set of domain names of the given botnet; The hosts that have sent DNS query requests for the domain names in are zombie hosts, and the unknown domain names in the dataset visited by all zombie hosts are the set of domain names to be tested;

步骤2.2：划分时间窗口，对每个时间窗口T_i，计算待测域名集合中的每一个域名与给定僵尸网络域名的共现评分： Step 2.2: Divide the time window, and for each time window T _i , calculate the co-occurrence score of each domain name in the domain name set to be tested and a given botnet domain name:

1）计算时间窗口T_i内，该待测域名与给定僵尸网络的域名集合中每一个域名间的相似系数，相似系数为：

其中，D(h,T_i)为该时间窗口T_i内主机h访问过的域名集合，d_i为该时间窗口内待测域名，d_j为该时间窗口内给定僵尸网络的域名集合中给定域名； 1) Calculate the similarity coefficient between the domain name to be tested and each domain name in the domain name set of a given botnet within the time window T _i . The similarity coefficient is:

Among them, D(h, T _i ) is the set of domain names visited by host h in this time window T _i , d _i is the domain name to be tested in this time window, and d _j is the domain name set of a given botnet in this time window given domain name;

2）计算该时间窗口T_i内，该待测域名d与所有给定僵尸网络中的已知域名集合Z_b的相似系数之和

2) Calculate the sum of similarity coefficients between the domain name d to be tested and the known domain name set Z _b in all given botnets within the time window T _i

3）计算该时间窗口T_i内，该待测域名d的修正系数W(d,T_i)，修正系数为访问过该域名的僵尸主机数除以访问过该域名的所有主机数，即

其中，H(d,T_i)表示在时间窗口T_i内访问过域名d的主机集合； 3) Calculate the correction coefficient W(d,T _i ) of the domain name d under test within the time window T _i , the correction coefficient is the number of zombie hosts that have visited the domain name divided by the number of all hosts that have visited the domain name, that is

Among them, H(d, T _i ) represents the set of hosts that have visited the domain name d within the time window T _i ;

4）计算该时间窗口T_i内，该待测域名与给定僵尸网络域名集合的共现评分S_b(d,T_i)， $S_{b} (d, T_{i}) = (Σ_{d_{b} &Element; Z_{b}} C (d_{b}, {d, T}_{i})) * W (d, T_{i});$ 4) Calculate the co-occurrence score S _b (d,T _i ) of the domain name under test and a given botnet domain name set within the time window T _i , $S_{b} (d, T_{i}) = (Σ_{d_{b} &Element; Z_{b}} C (d_{b}, {d, T}_{i})) * W (d, T_{i});$

步骤2.3：计算多时间窗口的域名共现评分S_b(d)； Step 2.3: Calculate the domain name co-occurrence score S _b (d) of multiple time windows;

1）对x个连续时间窗口，计算域名d与僵尸网络B_b的平均共现评分 ${\overset{&OverBar;}{S}}_{b} (d) = (S_{b} (d, T_{1}) + S_{b} (d, T_{2}) + \cdot \cdot \cdot + S_{b} (d, T_{x})) / x;$ 1) For x consecutive time windows, calculate the average co-occurrence score of domain name d and botnet B _b ${\overset{&OverBar;}{S}}_{b} (d) = (S_{b} (d, T_{1}) + S_{b} (d, T_{2}) + &Center Dot; &Center Dot; \cdot + S_{b} (d, T_{x})) / x;$

2）对x个连续时间窗口，计算域名d与僵尸网络B_b的最大共现评分S_bmax(d)=max(S_b(d,T_i))； 2) For x consecutive time windows, calculate the maximum co-occurrence score S _bmax (d)=max(S _b (d,T _i )) between the domain name d and the botnet B _b ;

3）做归一化，计算多时间窗口的域名共现评分S_b(d)： 3) Do normalization and calculate the domain name co-occurrence score S _b (d) of multiple time windows:

$S_{b} (d) = {\overset{&OverBar;}{S}}_{b} (d) / \max ({\overset{&OverBar;}{S}}_{b} (d_{i})) \cdot α + S_{b \max} (d) / \max (S_{b \max} (d_{i})) \cdot (1 - α),$ α∈(0,1) $S_{b} (d) = {\overset{&OverBar;}{S}}_{b} (d) / \max ({\overset{&OverBar;}{S}}_{b} (d_{i})) &Center Dot; α + S_{b \max} (d) / \max (S_{b \max} (d_{i})) \cdot (1 - α),$ α∈(0,1)

其中，为僵尸网络B_b所有待测域名平均共现评分的最大值，max(S_bmax(d_i))为僵尸网络B_b所有待测域名最大共现评分的最大值，α为反映网络中域名共现评分平均值与最大值比例的比例因子；实验表明，α取值0.8时结果准确率最高。 in, is the maximum value of the average co-occurrence score of all domain names to be tested in botnet B _b , max(S _bmax (d _i )) is the maximum value of the maximum co-occurrence score of all domain names to be tested in botnet B _b , and α is the maximum value reflecting the co-occurrence score of domain names in the network The scale factor of the ratio of the average value of the score to the maximum value; the experiment shows that the accuracy of the result is the highest when the value of α is 0.8.

优选的，所述基于DNS数据包的僵尸网络域名发现方法还包括僵尸网络域名筛选步骤： Preferably, the botnet domain name discovery method based on DNS packets also includes a botnet domain name screening step:

对给定僵尸网络的所有待测域名的域名共现评分进行排序，筛选评分>0.2的待测域名；对评分>0.2的待测域名利用域名恶意性判断规则进行恶意性判断并进行推荐。 Sorting the domain name co-occurrence scores of all domain names to be tested in a given botnet, screening the domain names to be tested with a score > 0.2; using domain name malicious judgment rules to judge the maliciousness of the domain names to be tested with a score > 0.2 and recommending them. the

优选的，域名恶意性判断规则为满足以下任意一条或多条： Preferably, the domain name malicious judgment rule satisfies any one or more of the following:

（1）安全厂商公布该域名为恶意域名或该域名下存在恶意URL； (1) The security vendor announces that the domain name is a malicious domain name or there is a malicious URL under the domain name;

（2）和已知恶意域名具有相同的二级域名，且该二级域名不是动态域名提供商； (2) It has the same second-level domain name as the known malicious domain name, and the second-level domain name is not a dynamic domain name provider;

（3）和已知恶意域名具有相同的前缀； (3) have the same prefix as the known malicious domain name;

（4）通过搜索引擎发现根本没有该域名的信息，但它的确存在，且解析所得IP地址与已知恶意域名解析的IP地址相同。 (4) Through the search engine, it is found that there is no information about the domain name at all, but it does exist, and the resolved IP address is the same as the IP address resolved by the known malicious domain name. the

优选的，步骤1.2中域名白名单中的域名为常用域名、错误配置域名、程序频发域名中一种或多种。 Preferably, the domain names in the white list of domain names in step 1.2 are one or more of commonly used domain names, misconfigured domain names, and frequently used program domain names.

相对于现有技术，本发明具有以下有益效果：本发明方法无需主机层数据支持，在网络层以DNS数据包为基础数据源，在已知部分僵尸网络域名的条件下，利用僵尸网络的群体性和持续性两个关键特征，使用域名共现评分方法追踪和发现更多僵尸网络域名。该方法分为数据预处理，域名共现评分计算和僵尸网络域名筛选三部分。该方法在数据预处理部分排除了网络中NAT主机的干扰；在域名共现评分计算部分从空间维度和时间维度进行评分分析，使僵尸网络所表现出的域名共现行为能够显著区别于其他正常应用所表现出的域名共现行为；最后通过对域名共现评分进行排序，筛选与已知僵尸网络域名相关度最高的域名。 Compared with the prior art, the present invention has the following beneficial effects: the method of the present invention does not need host layer data support, uses DNS packets as the basic data source at the network layer, and uses the group of botnets under the condition of known part of botnet domain names. The two key characteristics of botnet and persistence, using the domain name co-occurrence scoring method to track and discover more botnet domains. The method is divided into three parts: data preprocessing, domain name co-occurrence score calculation and botnet domain name screening. This method eliminates the interference of NAT hosts in the network in the data preprocessing part; in the domain name co-occurrence score calculation part, the score analysis is carried out from the space dimension and time dimension, so that the domain name co-occurrence behavior exhibited by the botnet can be significantly different from other normal domain name co-occurrence behaviors. The domain name co-occurrence behavior exhibited by the application; finally, by sorting the domain name co-occurrence scores, the domain names with the highest correlation with known botnet domain names are screened. the

附图说明 Description of drawings

图1是本方法所述的僵尸网络共现行为示意图。 Fig. 1 is a schematic diagram of the co-occurrence behavior of the botnet described in this method. the

图2是本方法所述的僵尸网络域名发现的详细流程图。 Fig. 2 is a detailed flowchart of the discovery of the botnet domain name described in the method. the

具体实施方式 Detailed ways

为了更清楚的理解本方法，以下对本方法结合附图通过具体实施方式做进一步的详细描述。 In order to understand the method more clearly, the method will be further described in detail below through specific implementation manners in conjunction with the accompanying drawings. the

图1为僵尸网络共现行为示意图。 Figure 1 is a schematic diagram of the co-occurrence behavior of botnets. the

僵尸网络无论是集中式或分布式结构，无论是IRC或HTTP协议，均具有如下共性：（1）空间上的群体性。被同一黑客或者黑客组织控制，接收相同或协同的攻击命令，具有相同的网络访问规律；（2）时间上的持续性。僵尸主机在时间上持续访问相关目标服务器（包括控制服务器、更新服务器等），始终保持与僵尸控制者的联系。僵尸网络在其命令与控制的过程中，通常会使用多个不同域名，且僵尸主机在其生命周期中，会持续访问这些特定域名，以保持、接收攻击者的命令和控制，并保证自身的隐匿性和可靠性。典型的僵尸网络控制案例中，僵尸主机对各种域名的访问过程为：首先访问命令控制服务器域名，完成控制命令的接收；随后访问相关服务器域名执行更新僵尸程序、下载恶意代码、上传窃取信息等控制命令；最后访问受害服务器域名进行网络攻击等。由于接受同一僵尸控制者控制，同一僵尸网络中的僵尸主机对服务器域名的访问必然存在相同或相似的访问行为。 Regardless of the centralized or distributed structure of the botnet, whether it is IRC or HTTP protocol, they all have the following common features: (1) Spatial groupness. Be controlled by the same hacker or hacker organization, receive the same or coordinated attack commands, and have the same network access rules; (2) Time continuity. Zombie hosts continue to access relevant target servers (including control servers, update servers, etc.) in time, and always keep in touch with the zombie controller. Botnets usually use multiple different domain names in the process of command and control, and bot hosts will continue to access these specific domain names during their life cycle to maintain and receive the attacker's command and control, and ensure their own security. Stealth and reliability. In a typical botnet control case, the bot host’s access process to various domain names is as follows: first access the domain name of the command control server to complete the reception of control commands; Control commands; finally access the victim server domain name to conduct network attacks, etc. Because they are controlled by the same bot controller, the bot hosts in the same botnet must have the same or similar access behaviors when accessing the server domain name. the

即僵尸网络的域名访问具有明确的域名共现行为：给定域名集合由已知僵尸域名充当，如捕获所得的命令控制域名；而共现域名集合则涵盖了各种未知僵尸域名，如相关域名和受害域名等。因此本方法基于僵尸网络的域名共现行为进行评分并发现未知的僵尸网络域名。 Namely, the domain name access of the botnet has a clear domain name co-occurrence behavior: a given domain name set is acted by known zombie domain names, such as captured command and control domain names; while the co-occurrence domain name set covers various unknown zombie domain names, such as related domain names and victim domain names, etc. Therefore, this method scores and discovers unknown botnet domain names based on the co-occurrence behavior of botnet domain names. the

图2为利用本方法发现僵尸网络域名的详细流程图。 Fig. 2 is a detailed flowchart of discovering botnet domain names by using the method. the

本方法的数据源是给定网络的流量数据，可采用网络出口的流量镜像，亦可采用区域网络DNS服务器的入口流量，通过winpcap进行数据包解析，提取DNS查询流量中的包含DNS查询特征信息的四元组，并将其作为元数据存储在数据库中。该步骤需长期进行，以取得长时间的数据。在白名单过滤和NAT主机过滤以及数据统计的步骤中，其操作数据均为这些元数据。 The data source of this method is the traffic data of a given network, which can use the traffic mirroring of the network egress, or the ingress traffic of the DNS server of the regional network, and analyze the data packet through winpcap to extract the DNS query characteristic information contained in the DNS query traffic , and store it in the database as metadata. This step needs to be carried out for a long time to obtain long-term data. In the steps of whitelist filtering, NAT host filtering and data statistics, the operation data are these metadata. the

当数据预处理部分结束，通过过滤所得域名特征四元组和通过统计所得统计特征四元组作为域名共现评分计算部分的输入，首先根据给定僵尸网络的已知域名，筛选出待测共现域名集合，待测域名为向任一给定僵尸网络的已知域名发出过DNS查询请求的主机为僵尸主机。随后划分时间窗口，并根据发明内容中所述步骤计算单时间窗口中每个待测域名的域名共现评分，随后根据发明内容中所述步骤计算多时间窗口中每个待测域名的域名共现评分。 When the data preprocessing part is over, the domain name feature quadruples obtained by filtering and the statistical feature quadruples obtained by statistics are used as the input of the domain name co-occurrence score calculation part. Now the collection of domain names, the domain name to be tested is a host that has sent a DNS query request to any known domain name of a given botnet as a zombie host. Then divide the time window, and calculate the domain name co-occurrence score of each domain name to be tested in a single time window according to the steps described in the summary of the invention, and then calculate the domain name co-occurrence score of each domain name to be tested in multiple time windows according to the steps described in the summary of the invention Rate now. the

当域名共现评分计算部分结束，将得到一个待测域名共现评分列表，对这些域名评分按评分进行排序，筛选与已知僵尸网络域名相关度最高的域名。对评分>0.2的域名进行恶意性判断并进行推荐。 When the domain name co-occurrence score calculation part is over, a list of domain name co-occurrence scores to be tested will be obtained, and these domain name scores are sorted by score, and the domain names with the highest correlation with known botnet domain names are screened. Malicious judgments and recommendations are made for domain names with a score >0.2. the

本发明方法分为数据预处理、域名共现评分计算和僵尸网络域名筛选三部分。其中每部分包括以下步骤： The method of the invention is divided into three parts: data preprocessing, domain name co-occurrence score calculation and botnet domain name screening. Each of these sections includes the following steps:

数据预处理部分： Data preprocessing part:

步骤1：以给定网络出口流量为数据源，从数据包中解析DNS查询数据，从中提取包含DNS查询特征信息的四元组r=(t,h,p,d)（t为请求发起时间，h为请求发起主机，p为请求的资源记录类型，d为请求的域名）集合，为后续步骤做好一系列数据准备工作。 Step 1: Take the given network egress traffic as the data source, parse the DNS query data from the data packet, and extract the quaternion r=(t,h,p,d) containing the DNS query feature information (t is the request initiation time , h is the originating host of the request, p is the requested resource record type, d is the requested domain name) set, and a series of data preparations are done for the subsequent steps. the

步骤2：通过“域名白名单”过滤约简四元组r=(t,h,p,d)集合，将包含给定域名的四元组从四元组r=(t,h,p,d)集合中剔除。白名单中的域名主要有以下类型：常用域名、错误配置域名、程序频发域名。 Step 2: Filter the reduced quadruple r=(t,h,p,d) set through the "domain name white list", and convert the quadruple containing the given domain name from the quadruple r=(t,h,p, d) Eliminate from the set. The domain names in the whitelist mainly include the following types: commonly used domain names, misconfigured domain names, and frequently used program domain names. the

步骤3：识别NAT（IP网络地址转换器/IP Network Address Translator）主机，基于网络域名访问统计特性，无需硬件支持，过滤NAT网络中NAT主机对域名的访问记录，从步骤2得到的四元组集合中剔除得到约简后的四元组集合。 Step 3: Identify NAT (IP Network Address Translator) hosts, based on the statistical characteristics of network domain name access, without hardware support, filter the access records of NAT hosts to domain names in the NAT network, and obtain the quaternion from step 2 Eliminate the reduced set of quadruples from the set. the

NAT主机的识别步骤为： The identification steps of the NAT host are:

1）划分时间周期，记录每个主机i在每个时间周期j(j=1,2,3,…)内访问的域名数量观测值x_ij。 1) Divide the time period and record the observed value x _ij of the number of domain names accessed by each host i in each time period j (j=1,2,3,…).

2）计算主机i在n个时间周期内访问域名数量的平均值为 2) Calculate the average number of domain names accessed by host i in n time periods as

3）计算阈值M_k，使M_k为随机变量X_ij的上侧k分位数，即P{X_ij>M_k}=k，k∈(0,1)，其中，随机变量X_ij表示主机i在该时间周期j内域名查询数。实验表明，k取0.05有最优效果。 3) Calculate the threshold M _k so that M _k is the upper k quantile of the random variable X _ij , that is, P{X _ij >M _k }=k, k∈(0,1), where the random variable X _ij represents The number of domain name queries of host i in the time period j. Experiments show that k takes 0.05 to have the best effect.

4）判断若则认为该主机为NAT主机。 4) Judging if The host is considered to be a NAT host.

步骤4：在步骤3得到的约简后的四元组集合上以域名为主体按时间窗口进行统计，统计每个时间窗口（时间窗口优选为1个自然日）中每个域名被每个主机查询的次数，定义为四元组四元组s=(T_i,h,d,n_all)（T_i表示从t_i到t_i+1的时间范围，t_i+1＝t_i+T，h为请求发起主机，d为请求的域名，n_all为时间窗口中每个域名被每个主机查询的次数，其中时间窗口大小为T）。在不丢失有效信息的情况下突出了域名的统计特征并约减了数据集。 Step 4: On the reduced set of quadruples obtained in step 3, the domain name is used as the subject to make statistics according to the time window, and each domain name is counted by each host in each time window (the time window is preferably 1 natural day). The number of queries, defined as a quadruple quadruple s=(T _i ,h,d,n _all ) (T _i represents the time range from t _i to t _i+1 , t _i+1 = t _i +T , h is the requesting host, d is the requested domain name, n _all is the number of times each domain name is queried by each host in the time window, where the time window size is T). It highlights the statistical characteristics of domain names and reduces the data set without losing effective information.

域名共现评分计算部分： Domain name co-occurrence score calculation part:

步骤1：对给定僵尸网络，根据给定僵尸网络的域名集合确定在四元组s=(T_i,h,d,n_all)中的待测域名集合。向任一已知的僵尸网络中的域名发出过DNS查询请求的主机为僵尸主机，所有僵尸主机访问过的四元组s=(T_i,h,d,n_all)中的未知域名（除给定僵尸网络的域名集合外的域名）为待测域名集合。 Step 1: For a given botnet, determine the domain name set to be tested in the quadruple s=(T _i ,h,d,n _all ) according to the domain name set of the given botnet. _A host that has sent a DNS query request to a domain name in any known botnet is a zombie host, and all unknown _domain names (except Domain names outside the domain name set of a given botnet) is the domain name set to be tested.

步骤2：划分时间窗口，对每个时间窗口T_i，计算待测域名集合中的每一个域名与给定僵尸网络域名的共现评分： Step 2: Divide the time window, and for each time window T _i , calculate the co-occurrence score of each domain name in the domain name set to be tested and a given botnet domain name:

1）计算时间窗口T_i内，该待测域名与给定僵尸网络的域名集合中每一个域名间的相似系数，该系数基于雅可比相似系数并作以修正。D(h,T_i)为该时间窗口T_i内主机h访问过的域名集合，d_i为该时间窗口内待测域名，d_j为该时间窗口内给定僵尸网络的域名集合中给定域名，则相似系数为：

1) Calculate the similarity coefficient between the domain name to be tested and each domain name in the domain name set of a given botnet within the time window T _i , and the coefficient is based on the Jacobian similarity coefficient and modified. D(h, T _i ) is the set of domain names visited by host h in this time window T _i , d _i is the domain name to be tested in this time window, and d _j is given in the domain name set of a given botnet in this time window domain name, the similarity coefficient is:

3）计算该时间窗口T_i内，该待测域名d的修正系数，修正系数为访问过该待测域名的僵尸主机数除以访问过该待测域名的所有主机数，即

其中，H(d,T_i)表示在时间窗口T_i内访问过域名d的主机集合。 3) Calculate the correction coefficient of the domain name d to be tested within the time window T _i . The correction coefficient is the number of zombie hosts that have visited the domain name to be tested divided by the number of all hosts that have visited the domain name to be tested, that is

Wherein, H(d, T _i ) represents the set of hosts that have visited the domain name d within the time window T _i .

4）计算该时间窗口T_i内，该待测域名与给定僵尸网络域名集合的共现评分S_b(d,T_i)， $S_{b} (d, T_{i}) = (Σ_{d_{b} &Element; Z_{b}} C (d_{b}, {d, T}_{i})) * W (d, T_{i}) .$ 4) Calculate the co-occurrence score S _b (d,T _i ) of the domain name under test and a given botnet domain name set within the time window T _i , $S_{b} (d, T_{i}) = (Σ_{d_{b} &Element; Z_{b}} C (d_{b}, {d, T}_{i})) * W (d, T_{i}) .$

步骤3：计算多时间窗口的域名共现评分S_b(d)。 Step 3: Calculate the domain name co-occurrence score S _b (d) of multiple time windows.

1）对x个连续时间窗口，计算域名d与僵尸网络B_b的平均共现评分 ${\overset{&OverBar;}{S}}_{b} (d) = (S_{b} (d, T_{1}) + S_{b} (d, T_{2}) + \cdot \cdot \cdot + S_{b} (d, T_{x})) / x .$ 1) For x consecutive time windows, calculate the average co-occurrence score of domain name d and botnet B _b ${\overset{&OverBar;}{S}}_{b} (d) = (S_{b} (d, T_{1}) + S_{b} (d, T_{2}) + \cdot \cdot \cdot + S_{b} (d, T_{x})) / x .$

2）对x个连续时间窗口，计算域名d与僵尸网络B_b的最大共现评分S_bmax(d)=max(S_b(d,T_i))。 2) For x consecutive time windows, calculate the maximum co-occurrence score S _bmax (d)=max(S _b (d,T _i )) between domain name d and botnet B _b .

其中，

为僵尸网络B_b所有待测域名平均共现评分的最大值，max(S_bmax(d_i))为僵尸网络B_b所有待测域名最大共现评分的最大值，α为反映网络中域名共现评分平均值与最大值比例的比例因子。实验表明，α取值0.8时结果准确率最高。 in,

is the maximum value of the average co-occurrence score of all domain names to be tested in botnet B _b , max(S _bmax (d _i )) is the maximum value of the maximum co-occurrence score of all domain names to be tested in botnet B _b , and α is the maximum value reflecting the co-occurrence score of domain names in the network Scale factor for the ratio of the average value of the current rating to the maximum value. Experiments show that the accuracy of the results is the highest when the value of α is 0.8.

僵尸网络域名筛选部分： Botnet domain name filtering section:

步骤1：对给定僵尸网络的所有待测域名的域名共现评分进行排序。 Step 1: Rank the domain co-occurrence scores of all domains under test for a given botnet. the

步骤2：筛选评分>0.2（评分>0.2的待测域名与已知僵尸网络域名相关度高）的待测域名。 Step 2: Screen the domain names to be tested with a score >0.2 (the domain names to be tested with a score >0.2 are highly correlated with known botnet domain names). the

步骤3：对筛选所得待测域名进行恶意性判断，判断规则满足以下任意一条或多条描述： Step 3: Make a malicious judgment on the screened domain names to be tested, and the judgment rules meet any one or more of the following descriptions:

1）安全厂商公布该域名为恶意域名或该域名下存在恶意URL。 1) The security vendor announces that the domain name is a malicious domain name or there is a malicious URL under the domain name. the

2）和已知恶意域名具有相同的二级域名，且该二级域名不是动态域名提供商。 2) It has the same second-level domain name as the known malicious domain name, and the second-level domain name is not a dynamic domain name provider. the

3）和已知恶意域名具有相同的前缀。 3) It has the same prefix as the known malicious domain name. the

4）通过搜索引擎发现根本没有该域名的信息，但它的确存在，且解析所得IP地址与已知恶意域名解析的IP地址相同。 4) Through the search engine, it is found that there is no information about the domain name at all, but it does exist, and the resolved IP address is the same as the IP address resolved by the known malicious domain name. the

Claims

1. A method for discovering a botnet domain name based on DNS packets, characterized in that, comprising a data preprocessing step:

Step 1.1: Take the given network egress traffic as the data source, parse the DNS query data from the data packet, and extract the four-tuple r=(t,h,p,d) set containing DNS query characteristic information, t is the request initiation time, h is the request originating host, p is the requested resource record type, and d is the requested domain name;

Step 1.2: Filter the reduced quadruple r=(t,h,p,d) set through the domain name whitelist, and convert the quadruple containing the given domain name from the domain name whitelist from the quadruple r=(t,h,p , d) remove from the set;

Step 1.3: Identify the NAT host, filter the access records of the NAT host to the domain name in the NAT network, and remove the four-tuple after the given domain name quadruple in the step 1.2 domain name whitelist from the quaternion r=(t,h,p,d) set Eliminate from the tuple set; get the reduced quadruple set after elimination;

Step 1.4: On the reduced set of quadruples obtained in step 3, the domain name is used as the subject to make statistics according to the time window, and the number of times each domain name is queried by each host in each time window T _i is counted, which is defined as a quadruple Group s=(T _i ,h,d,n _all ); T _i represents the time range from t _i to t _i+1 , t _i+1 = t _i +T, h is the requesting host, d is the requested Domain name, n _all is the number of times each domain name is queried by each host in the time window, where the size of the time window is T.

2. the botnet domain name discovery method based on DNS packet as claimed in right 1, it is characterized in that, the process of identifying NAT host among the step 1.3 comprises the following steps:

Step a: Divide the time period, record the observed value x _ij of the number of domain names accessed by each host i in each time period j; j=1,2,3,...N, N is a natural number;

Step c: Calculate the threshold M _k , so that M _k is the upper k quantile of the random variable X _ij , that is, P{X _ij >M _k }=k, k∈(0,1), where the random variable X _ij Indicates the number of domain name queries of host i in time period j; k=0.05;

Step d: Judging if

The host is considered to be a NAT host.

3. the botnet domain name discovery method based on DNS packet as claimed in right 1, is characterized in that, the botnet domain name discovery method based on DNS packet also includes the step of domain name co-occurrence scoring:

Step 2.1: For a given botnet, determine the set of domain names to be tested in the quadruple s=(T _i ,h,d,n _all ) according to the set of domain names of the given botnet; The hosts that have sent DNS query requests for the domain names in are zombie hosts, and the unknown domain names in the dataset visited by all zombie hosts are the set of domain names to be tested;

Step 2.2: Divide the time window, and for each time window T _i , calculate the co-occurrence score of each domain name in the domain name set to be tested and a given botnet domain name:

1) Calculate the similarity coefficient between the domain name to be tested and each domain name in the domain name set of a given botnet within the time window T _i . The similarity coefficient is:

3) Calculate the correction coefficient W(d,T _i ) of the domain name d under test within the time window T _i , the correction coefficient is the number of zombie hosts that have visited the domain name divided by the number of all hosts that have visited the domain name, that is

4) Calculate the co-occurrence score S _b (d,T _i ) of the domain name under test and a given botnet domain name set within the time window T _i ,

S_{b} (d, T_{i}) = (Σ_{d_{b} &Element; Z_{b}} C (d_{b}, {d, T}_{i})) * W (d, T_{i});

Step 2.3: Calculate the domain name co-occurrence score S _b (d) of multiple time windows;

1) For x consecutive time windows, calculate the average co-occurrence score of domain name d and botnet B _b

{\overset{&OverBar;}{S}}_{b} (d) = (S_{b} (d, T_{1}) + S_{b} (d, T_{2}) + &Center Dot; \cdot \cdot + S_{b} (d, T_{x})) / x;

2) For x consecutive time windows, calculate the maximum co-occurrence score S _bmax (d)=max(S _b (d,T _i )) between the domain name d and the botnet B _b ;

3) Do normalization and calculate the domain name co-occurrence score S _b (d) of multiple time windows:

{S S}_{b b} ((d d)) = = {\overset{&OverBar; &OverBar;}{S S}}_{b b} ((d d)) / / max max (({\overset{&OverBar; &OverBar;}{S S}}_{b b} (({d d}_{i i})))) \cdot &Center Dot; α α + + {S S}_{b b max max} ((d d)) / / max max (({S S}_{b b max max} (({d d}_{i i})))) \cdot &Center Dot; ((11 - - α α)),, α α &Element; &Element; ((0,1 0,1))

in,

is the maximum value of the average co-occurrence score of all domain names to be tested in botnet B _b , max(S _bmax (d _i )) is the maximum value of the maximum co-occurrence score of all domain names to be tested in botnet B _b , and α is the maximum value reflecting the co-occurrence score of domain names in the network Scale factor for the ratio of the mean value to the maximum value of the current score; α = 0.8.

4. the botnet domain name discovery method based on DNS packet as claimed in right 3, is characterized in that, the botnet domain name discovery method based on DNS packet also includes botnet domain name screening step:

Sorting the domain name co-occurrence scores of all domain names to be tested in a given botnet, screening the domain names to be tested with a score > 0.2; using domain name malicious judgment rules to judge the maliciousness of the domain names to be tested with a score > 0.2 and recommending them.

5. the botnet domain name discovery method based on DNS data packet as described in right 4, it is characterized in that, domain name malicious judgment rule is to satisfy following any one or more:

(1) The security vendor announces that the domain name is a malicious domain name or there is a malicious URL under the domain name;

(2) It has the same second-level domain name as the known malicious domain name, and the second-level domain name is not a dynamic domain name provider;

(3) have the same prefix as the known malicious domain name;

(4) Through the search engine, it is found that there is no information about the domain name at all, but it does exist, and the resolved IP address is the same as the IP address resolved by the known malicious domain name.

6. The method for discovering botnet domain names based on DNS data packets as claimed in right 1, wherein the domain names in the domain name whitelist in step 1.2 are one or more of common domain names, misconfigured domain names, and program-frequent domain names .