【摘要】： 互聯(lián)網(wǎng)的迅猛發(fā)展,給人類社會帶來了巨大的進(jìn)步和繁榮,但是網(wǎng)絡(luò)安全問題也變得愈發(fā)嚴(yán)重。Fast-flux Service Network(FFSN)就是一種精心設(shè)計的并且正在發(fā)展中的技術(shù),這項技術(shù)正在被越來越多的應(yīng)用在諸如釣魚網(wǎng)站、惡意網(wǎng)站、垃圾郵件和廣告發(fā)送等非法活動中。 FFSN由大量被控制的計算機(jī)組成,這些計算機(jī)的作用主要有兩個:一是提供了一個龐大的IP地址池,FFSN的控制者可以選擇其中的IP來為自己的域名服務(wù);二是這些機(jī)器可以為向該域名的請求提供代理中轉(zhuǎn)服務(wù),以隱藏背后的控制者。FFSN的表現(xiàn)是域名的DNS記錄以非常快的頻率持續(xù)變化。由于它的這些特點(diǎn),它和經(jīng)常被應(yīng)用在非法活動中的其它技術(shù)比如普通的釣魚或者惡意網(wǎng)站相比,有更好的隱蔽性和生存性。 重點(diǎn)分析了FFSN的可用性問題。FFSN的可用性問題源自它的網(wǎng)絡(luò)節(jié)點(diǎn)的不可控性,利用泊松過程原理建立了一個描述可用性的模型,并且分析了FFSN的可用性和它的規(guī)模的關(guān)系。 為了應(yīng)對FFSN的威脅,找到檢測它的方法至關(guān)重要。不過它與循環(huán)DNS和CDN等負(fù)載均衡的技術(shù)有著相似的表現(xiàn),因此要檢測需要能正確區(qū)分它們。依據(jù)提取的標(biāo)識域名的特征四元組,包括域名的不同A記錄個數(shù),TTL值,IP分散度以及域名的創(chuàng)建時間,提出了一個FFSN的檢測機(jī)制,它由兩層的分類器組成,這兩層分類器分別根據(jù)域名的單次DNS查詢和累次DNS查詢進(jìn)行FFSN的檢測。 根據(jù)提出的檢測機(jī)制實(shí)現(xiàn)了一個原型系統(tǒng)進(jìn)行測試,并且用神經(jīng)網(wǎng)絡(luò)和SVM進(jìn)行了對比,測試結(jié)果是二者的漏報率都為0%,SVM的誤報率在2%以下,神經(jīng)網(wǎng)絡(luò)的誤報率在4%以下。實(shí)驗(yàn)結(jié)果表明,提出的檢測機(jī)制能非常有效的識別FFSN。
[Abstract]:The rapid development of the Internet has brought great progress and prosperity to the human society, but the problem of network security has become more and more serious. Fast-flux Service Network (FFSN) is a well-designed and developing technology. The technology is increasingly being used in illegal activities such as phishing sites, malicious websites, spam and advertising. FFSN is composed of a large number of controlled computers, which have two main functions: one is to provide a large pool of IP addresses, FFSN controllers can choose one of the IP to serve their domain name; The second is that these machines can provide proxy forwarding services for requests to the domain name to hide the controller behind it. The performance of the FFSN is that the DNS records of the domain name continue to change at a very fast rate. Because of these features, it has better concealment and survivability than other techniques that are often used in illegal activities, such as phishing or malicious websites. The usability of FFSN comes from the uncontrollability of its network nodes. Based on the Poisson process principle, a model describing availability is established, and the relationship between the availability of FFSN and its scale is analyzed. In order to deal with the threat of FFSN, it is important to find a way to detect it. However, it has similar performance with load balancing techniques such as cyclic DNS and CDN, so it is necessary to distinguish them correctly in order to detect them. According to the extracted characteristic quaternion of identifying domain name, including the different A record number of domain name, TTL value, IP dispersion and the creation time of domain name, a detection mechanism of FFSN is proposed, which is composed of two-layer classifier. These two-layer classifiers perform FFSN detection based on single DNS query and repeated DNS query of domain name respectively. According to the proposed detection mechanism, a prototype system is tested and compared with SVM. The results show that the false positive rate of both systems is 0%, and the false positive rate of SVM is less than 2%. The false positive rate of neural network is less than 4%. The experimental results show that the proposed detection mechanism can effectively identify FFSN..
【學(xué)位授予單位】：華中科技大學(xué)
【學(xué)位級別】：碩士
【學(xué)位授予年份】：2009
【分類號】：TP393.08

【引證文獻(xiàn)】

相關(guān)期刊論文 前1條

1 褚燕琴;應(yīng)凌云;馮登國;蘇璞睿;;速變服務(wù)網(wǎng)絡(luò)行為特征分析[J];計算機(jī)系統(tǒng)應(yīng)用;2013年08期

，

本文編號：2464053