Research on Detection Methods for Fast-flux Service Networks
Published: 2019-04-24 03:07
[Abstract]: The rapid development of the Internet has brought great progress and prosperity to human society, but network security problems have also become increasingly serious. The Fast-flux Service Network (FFSN) is a carefully designed and still-evolving technique that is increasingly used in illegal activities such as phishing sites, malicious websites, spam, and advertisement distribution. An FFSN consists of a large number of controlled computers, which serve two main purposes: first, they provide a large pool of IP addresses from which the FFSN controller can select IPs to serve its domain name; second, they act as proxies that relay requests for that domain, hiding the controller behind them. An FFSN manifests as the DNS records of a domain changing continuously at a very high frequency. Because of these characteristics, it has better concealment and survivability than other techniques often used in illegal activities, such as ordinary phishing or malicious websites. The thesis focuses on the availability problem of FFSNs. This problem stems from the uncontrollability of an FFSN's network nodes; a model describing availability is built on Poisson process theory, and the relationship between an FFSN's availability and its scale is analyzed. To counter the threat of FFSNs, finding a way to detect them is essential. However, an FFSN behaves similarly to load-balancing techniques such as round-robin DNS and CDNs, so detection must distinguish them correctly. Based on an extracted feature four-tuple that identifies a domain (the number of distinct A records, the TTL value, the IP dispersion, and the domain's creation time), an FFSN detection mechanism is proposed. It consists of two layers of classifiers, which detect FFSNs based on a single DNS query and on accumulated DNS queries of the domain, respectively.
A prototype system implementing the proposed detection mechanism was tested, and a neural network and an SVM were compared. Both had a false negative rate of 0%; the SVM's false positive rate was below 2%, and the neural network's false positive rate was below 4%. The experimental results show that the proposed detection mechanism identifies FFSNs very effectively.
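An added example (not code from the thesis) showing how the feature four-tuple named in the abstract can be computed from one DNS answer, as input to the first layer, and from accumulated answers, as input to the second. The dispersion metric (distinct /16 prefixes divided by distinct IPs), the use of the minimum TTL, all function names, and the sample answers in 10.0.0.0/8 are assumptions constructed for illustration; the abstract does not define them.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address


@dataclass
class DnsAnswer:
    """One DNS response for a domain: returned A records and their TTL."""
    ips: list
    ttl: int


def dispersion(ips):
    """Assumed metric: distinct /16 prefixes over distinct IPs, in (0, 1]."""
    uniq = {ip_address(i) for i in ips}
    if not uniq:
        return 0.0
    prefixes = {int(ip) >> 16 for ip in uniq}
    return len(prefixes) / len(uniq)


def features(answers, created, today):
    """Four-tuple: distinct A records, TTL, IP dispersion, domain age (days)."""
    ips = [ip for a in answers for ip in a.ips]
    return (
        len(set(ips)),
        min(a.ttl for a in answers),   # assumption: lowest TTL observed
        round(dispersion(ips), 2),
        (today - created).days,
    )


def two_layer_features(answers, created, today):
    """Layer 1 sees only the first answer; layer 2 sees all answers so far."""
    return features(answers[:1], created, today), features(answers, created, today)


TODAY = date(2009, 3, 15)
# Constructed samples: a flux-like domain (scattered hosts, new registration)
# and a CDN-like domain (few nearby hosts, old registration).
FLUX = [
    DnsAnswer(["10.11.3.7", "10.87.200.14", "10.142.9.61", "10.203.55.2", "10.36.77.90"], 180),
    DnsAnswer(["10.64.1.23", "10.190.18.4", "10.11.3.7", "10.251.6.77", "10.5.99.12"], 180),
]
CDN = [
    DnsAnswer(["10.20.1.10", "10.20.1.11", "10.20.2.10"], 300),
    DnsAnswer(["10.20.1.11", "10.20.2.10", "10.20.1.12"], 300),
]

if __name__ == "__main__":
    print("flux:", two_layer_features(FLUX, date(2009, 3, 1), TODAY))
    print("cdn: ", two_layer_features(CDN, date(2001, 6, 1), TODAY))
```

The cumulative tuple is where the two samples separate most: the flux-like A-record count keeps growing across queries while its dispersion stays near 1, whereas the CDN-like set stays small and clustered.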
[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2009
[Classification number]: TP393.08
Article ID: 2464053
[Citing documents]
Related journal articles: top 1
1 Chu Yanqin; Ying Lingyun; Feng Dengguo; Su Purui; Behavioral feature analysis of fast-flux service networks [J]; Computer Systems & Applications; 2013, Issue 08
Article link: http://sikaile.net/wenyilunwen/guanggaoshejilunwen/2464053.html