恶意域名检测方法研究进展

王青; 韩冬旭; 卢志刚; 姜波; 董聪; 刘俊荣; 石文昌; 刘玉岭

引用本文：

王青,韩冬旭,卢志刚,姜波,董聪,刘俊荣,石文昌,刘玉岭.恶意域名检测方法研究进展[J].信息安全学报,2024,9(5):229-249 [点击复制]
WANG Qing,HAN Dongxu,LU Zhigang,JIANG Bo,DONG Cong,LIU Junrong,SHI Wenchang,LIU Yuling.Malicious Domain Names Detection Methods Analysis: A Survey[J].Journal of Cyber Security,2024,9(5):229-249 [点击复制]

本文已被：浏览 314次下载 106次	码上扫一扫！
恶意域名检测方法研究进展
王青^1,2, 韩冬旭^1,2, 卢志刚^1,2, 姜波^1,2, 董聪^1,2, 刘俊荣^1,2, 石文昌³, 刘玉岭^1,2
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所北京中国 100093;2.中国科学院大学网络空间安全学院北京中国 100049;3.中国人民大学信息学院北京中国 100872)

摘要:

近年来,网络攻击事件愈发严重,域名系统因其简单性和敏捷性而受到攻击者的广泛使用。域名系统可以实现域名与IP地址之间的快速映射,从而可以被攻击者用来隐藏其攻击地址,域名也因此成为网络攻击的主要载体之一。随着恶意域名不断变化的形式以及数量的剧增,迫切需要对恶意域名进行检测和防御,而传统的基于黑白名单的域名检测方法已变得不再有效。基于DNS数据的恶意域名检测方法可以实现对恶意域名的高效检测,因此被广泛提出。本文主要针对基于DNS数据的恶意域名检测方法进行梳理分析,首先简要回顾域名系统的层次结构和解析过程及原理,以及攻击者基于域名系统所产生的一些滥用技术,例如域通量技术和快速通量技术;其次对DNS数据按照收集方式的不同将其分为主动DNS数据和被动DNS数据,并对这两类数据进行优缺点的对比;然后按照检测技术的不同将恶意域名检测方法分为三大类,包括基于规则发现的检测方法、基于动态特征的检测方法和基于关联推理的检测方法,并依次对每一类检测方法按照类型的不同再次进行细分,并对各方法的优缺点、适用场景等进行分析说明;文中对现有检测方法的评估准则进行了划分,将其分为基于分类性能的评估准则和基于真实环境的评估准则;最后讨论了现有研究中存在的问题和未来工作方向。

关键词: 域名系统恶意活动恶意域名检测

DOI：10.19363/J.cnki.cn10-1380/tn.2022.12.12

投稿时间：2020-09-15修订日期：2020-12-29

基金项目:本论文得到国家重点研发计划(No.2019QY1303,No.2019QY1302,No.2018YFB0803602)、中国科学院战略性先导C类(No.XDC02040100)、国家自然科学青年基金(No.61702508,No.61802404)的资助。这项工作也得到了中国科学院网络评估技术重点实验室和北京市网络安全与保护技术重点实验室的部分支持。

Malicious Domain Names Detection Methods Analysis: A Survey

WANG Qing^1,2, HAN Dongxu^1,2, LU Zhigang^1,2, JIANG Bo^1,2, DONG Cong^1,2, LIU Junrong^1,2, SHI Wenchang³, LIU Yuling^1,2

(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;3.School of Information, Renmin University of China, Beijing 100872, China)

Abstract:

In recent years, cyber attacks have become more and more serious, and the domain name system is widely used by attackers because of its simplicity and agility. The domain name system enables fast mapping between domain names and IP addresses, which can be used by attackers to hide their attack addresses, and domain names have thus become one of the main vectors of cyber attacks. With the ever-changing form and dramatic increase in the number of malicious domain names, there is an urgent need to detect and defend against malicious domain names, and the traditional black and white list-based domain name detection methods have become less effective. DNS data-based malicious domain name detection methods can achieve efficient detection of malicious domain names, and are therefore widely proposed. This paper mainly focuses on DNS data-based malicious domain name detection methods to sort out and analyze, firstly, briefly reviewing the hierarchical structure and resolution process and principles of the domain name system, and some abusive techniques generated by attackers based on the domain name system, such as domain flux technology and fast flux technology; secondly, classifying DNS data into active DNS data and passive DNS data according to the different collection methods, and comparing the advantages and disadvantages of these. Then, the malicious domain name detection methods are divided into three categories according to the different detection techniques, including rule-based discovery detection methods, dynamic feature-based detection methods and association-based inference detection methods, and each category of detection method is subdivided again according to the specific type of detection, and the advantages and disadvantages of each method and its application scenarios are analyzed and explained; the evaluation criteria of existing detection methods are divided into those based on classification performance and those based on real environment; finally, the problems in existing research and future work directions are discussed.

Key words: domain name system malicious activities malicious domain names detection