Design and Implementation of a Cloud-Platform-Based DNS Operational Performance Prediction and Attack Detection System
Published: 2018-10-24 14:19
[Abstract]: With today's rapid growth of the network, DNS is the core infrastructure of network services, and its normal operation underpins every Internet service. On the security side, however, DNS has had weaknesses since its original design: DNS servers do not encrypt the data they exchange, the two communicating parties have no effective authentication mechanism, and data integrity is not guaranteed. These facts make it fragile, and together with its central role in network services they make it an attractive target for hackers and other malicious actors. Measuring, predicting and monitoring its state is therefore necessary. This thesis first describes the DNS protocol and the shortcomings of its original design: the lack of security mechanisms, the continued growth of the system and frequent human configuration errors have left DNS with many security risks. The protocol has developed in recent years; DNSSEC is a security extension of DNS designed to counter DNS spoofing and cache pollution, and although it does not encrypt data, it provides origin authentication and integrity verification. The thesis then introduces several common DNS attacks: DNS spoofing, DNS cache poisoning, DDoS attacks, DNS redirection, and local hijacking through the host's own hosts file. Finally, for these security problems, it introduces several DNS attack detection methods; information entropy and time series analysis are among the most commonly used and effective. The main work of this thesis is as follows: 1. Regression prediction algorithms are introduced, together with the concrete implementation of several of them: linear regression, locally weighted regression, ridge regression and forward stepwise regression. Linear regression was chosen by comparison. Through experiments, and using squared error and the correlation coefficient as the two evaluation metrics, the resolution time after an improved dimensionality reduction (fixing province and operator) was finally selected as the feature of the prediction scheme, and the design of the regression prediction scheme is given. 2. A cloud-platform-based DNS operational performance prediction and attack detection system (the DNS measurement and prediction system for short) was designed and implemented. Its overall architecture is divided into an application layer, a cloud platform, a data layer, and a data analysis and presentation layer. Four functions were designed and implemented: (1) measurement of a website's DNS resolution time; (2) comparison of DNS resolution performance across operators in a given province; (3) comparison of DNS resolution performance across provinces for a given operator; (4) prediction of the trend of a website's DNS resolution time. The detailed design and implementation of the system was completed. 3. The system was built, deployed and debugged, and its four functions (listed above) were functionally tested; each met its design expectations, showing that the prediction scheme, design and implementation are practical. Through this work we provide a DNS measurement and prediction system for evaluating and predicting the quality of DNS service, giving enterprises and users a practical basis for choosing DNS servers and a real, effective basis for improving the service quality of domestic DNS servers. Finally, recommendations for DNS attack detection are given to some extent.
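As an added illustration (not code from the thesis or its system), the following Python sketches the two analysis methods the abstract names: an ordinary-least-squares trend prediction of a site's resolution time from a fixed province/operator vantage point, scored with squared error and the correlation coefficient, and a Shannon-entropy check over a window of queried names as one form of the entropy-based DNS attack detection the abstract mentions. The latency series and query names are constructed sample data, the choice of queried-name distribution as the entropy input is this example's assumption, and all function names are its own.

```python
"""Added example (not from the thesis): OLS trend prediction of DNS
resolution time scored by squared error and correlation coefficient, plus a
Shannon-entropy check over a window of queried names. Standard library only."""
import math
from statistics import mean

# Constructed sample: hourly median resolution time (ms) for one site, measured
# from a single fixed province/operator vantage point. Values are made up.
SAMPLE_LATENCY_MS = [21.0, 22.5, 22.1, 24.0, 25.2, 24.8, 26.9, 27.5, 28.1, 30.0]


def fit_linear_regression(xs, ys):
    """Closed-form ordinary least squares for y = intercept + slope * x."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired observations")
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("x values are constant; slope is undefined")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return my - slope * mx, slope


def squared_error(actual, predicted):
    """Sum of squared residuals between observed and fitted values."""
    return sum((a - p) ** 2 for a, p in zip(actual, predicted))


def correlation_coefficient(actual, predicted):
    """Pearson r between observed and fitted values (1.0 is a perfect fit)."""
    ma, mp = mean(actual), mean(predicted)
    cov = sum((a - ma) * (p - mp) for a, p in zip(actual, predicted))
    sa = math.sqrt(sum((a - ma) ** 2 for a in actual))
    sp = math.sqrt(sum((p - mp) ** 2 for p in predicted))
    if sa == 0 or sp == 0:
        return 0.0
    return cov / (sa * sp)


def forecast_resolution_time(latencies_ms, horizon):
    """Fit the series against its sample index and extrapolate `horizon` steps.

    Returns (forecast, squared error of the fit, correlation coefficient)."""
    xs = list(range(len(latencies_ms)))
    intercept, slope = fit_linear_regression(xs, latencies_ms)
    fitted = [intercept + slope * x for x in xs]
    future = [intercept + slope * x for x in range(len(xs), len(xs) + horizon)]
    return (future,
            squared_error(latencies_ms, fitted),
            correlation_coefficient(latencies_ms, fitted))


def shannon_entropy(items):
    """Entropy in bits of the empirical distribution of `items`."""
    if not items:
        return 0.0
    counts = {}
    for item in items:
        counts[item] = counts.get(item, 0) + 1
    n = len(items)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_anomaly(window_qnames, baseline_bits, margin_bits=1.0):
    """Flag a window whose queried-name entropy departs from the learned
    baseline by more than `margin_bits` either way: many one-off names raise
    it, a flood of a single name collapses it. Returns (flagged, entropy)."""
    h = shannon_entropy(window_qnames)
    return abs(h - baseline_bits) > margin_bits, h


if __name__ == "__main__":
    future, sse, r = forecast_resolution_time(SAMPLE_LATENCY_MS, horizon=3)
    print(f"next 3 hours: {[round(v, 1) for v in future]} ms  "
          f"SSE={sse:.2f}  r={r:.3f}")
    # Constructed query windows: a normal mix versus a burst of one-off names.
    normal = ["www.example.com", "mail.example.com"] * 4 + ["cdn.example.com"] * 2
    burst = [f"x{i:04d}.example.com" for i in range(10)]
    base = shannon_entropy(normal)
    print(entropy_anomaly(normal, base), entropy_anomaly(burst, base))
```

The regression is fitted against the sample index so the slope is the per-interval drift in resolution time; in a deployment the baseline entropy would be learned from quiet windows of the same vantage point rather than from a single window as here.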
[Degree-granting institution]: Beijing University of Posts and Telecommunications (北京郵電大學)
[Degree level]: Master's
[Year awarded]: 2017
[Classification number]: TP393.08
Article number: 2291648
Link: http://sikaile.net/guanlilunwen/ydhl/2291648.html