Authors:
Wenbo Wang 1; Tianning Zang 2 and Yuqing Lan 1
Affiliations:
1 School of Computer Science and Engineering, Beihang University, China
2 National Internet Emergency Center, China
Keyword(s):
DNS, Amplification Attack, Random Subdomain Attack, Domain Generation Algorithm, Malicious Domain Name.
Abstract:
Network traffic is filled with numerous malicious requests, most of which are generated by amplification attacks, random subdomain attacks and botnets. When DNS traffic is used for malicious behaviour analysis, each domain usually has to be tested on its own. Moreover, the volume of data is very large, and simple filtering cannot quickly reduce the number of domain names that need to be detected; as a result, the computation takes a long time under limited resources. This paper therefore introduces an extraction scheme for DNS traffic. We designed a simple and efficient method for extracting the three kinds of attack traffic that account for the largest share of the traffic, and used statistics and classification to process all of the remaining traffic. We implemented a prototype system and evaluated it on real-world DNS traffic. With a recall rate of almost 100%, the number of second-level domain names to be detected was reduced to 8% of the original quantity, and the number of DNS records to be detected was reduced to 1% of the original number.
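The abstract describes the idea at a high level: group DNS records by their second-level domain, compute a few per-domain statistics, pull out the high-volume attack classes, and hand only what is left to the expensive per-domain detectors. The following is an added illustration of that pre-filtering step written for this page; it is not the authors' code and does not reproduce their method. It covers two of the three classes named in the abstract (amplification via repeated ANY queries for one name, and random subdomain attacks via a flood of distinct NXDOMAIN names under one domain); the thresholds, the naive "last two labels" rule for the registered domain, and the sample records are all assumptions made for the example.

```python
"""Added example: statistical pre-filtering of DNS query records by
second-level domain, so that only a small residue of domains and records
needs deeper malicious-domain detection.  Heuristics, thresholds and the
sample data below are assumptions for illustration, not the paper's method."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Record:
    client: str   # source address of the query (may be spoofed for amplification)
    qname: str    # queried name
    qtype: str    # query type, e.g. "A", "ANY"
    rcode: str    # response code, e.g. "NOERROR", "NXDOMAIN"


def registered_domain(qname: str) -> str:
    # Assumption: the registered (second-level) domain is the last two labels.
    # Production code should consult the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass
class DomainStats:
    records: int = 0
    names: set = field(default_factory=set)     # distinct full qnames
    clients: set = field(default_factory=set)   # distinct source addresses
    nxdomain: int = 0
    any_queries: int = 0


def summarize(records):
    """One pass over the traffic: per-second-level-domain counters."""
    stats = defaultdict(DomainStats)
    for r in records:
        s = stats[registered_domain(r.qname)]
        s.records += 1
        s.names.add(r.qname.lower())
        s.clients.add(r.client)
        s.nxdomain += r.rcode == "NXDOMAIN"
        s.any_queries += r.qtype == "ANY"
    return stats


def classify(stats, min_records=50):
    """Label each domain; only high-volume, clear-cut patterns are filtered out.
    Everything else (including low-volume domains) is kept for detection."""
    labels = {}
    for dom, s in stats.items():
        if s.records < min_records:
            labels[dom] = "needs_detection"
            continue
        any_ratio = s.any_queries / s.records
        nx_ratio = s.nxdomain / s.records
        distinct_ratio = len(s.names) / s.records
        if any_ratio > 0.9 and len(s.names) <= 3:
            # Same name, ANY type, hammered from many sources: reflection/amplification.
            labels[dom] = "amplification"
        elif nx_ratio > 0.9 and distinct_ratio > 0.9:
            # Almost every query is a never-seen-before, non-existent label.
            labels[dom] = "random_subdomain"
        else:
            labels[dom] = "needs_detection"
    return labels


def reduce_traffic(records):
    """Return (labels, fraction of records kept, fraction of domains kept)."""
    stats = summarize(records)
    labels = classify(stats)
    kept = [r for r in records if labels[registered_domain(r.qname)] == "needs_detection"]
    kept_domains = [d for d, l in labels.items() if l == "needs_detection"]
    return labels, len(kept) / len(records), len(kept_domains) / len(stats)


def build_sample():
    """Constructed sample traffic (not real data)."""
    recs = []
    # Amplification: 400 ANY queries for one name from 200 (spoofed) sources.
    for i in range(400):
        recs.append(Record(f"203.0.113.{i % 200}", "amp.example", "ANY", "NOERROR"))
    # Random subdomain attack: 300 distinct NXDOMAIN labels from 3 resolvers.
    for i in range(300):
        label = f"{i * 2654435761 % 2**32:08x}"   # deterministic, all distinct
        recs.append(Record(f"198.51.100.{i % 3}", f"{label}.victim.example", "A", "NXDOMAIN"))
    # Benign background: 10 domains with a handful of ordinary hostnames each.
    for d in range(10):
        for i in range(8):
            host = ["www", "mail", "cdn", "api"][i % 4]
            recs.append(Record(f"192.0.2.{i}", f"{host}.site{d}.example", "A", "NOERROR"))
    return recs


if __name__ == "__main__":
    labels, rec_frac, dom_frac = reduce_traffic(build_sample())
    for dom, lab in sorted(labels.items()):
        print(f"{dom:20s} {lab}")
    print(f"records left for detection: {rec_frac:.1%}, domains left: {dom_frac:.1%}")
```

The point of the example is the shape of the pipeline rather than the particular thresholds: one linear pass builds the per-domain statistics, the classifier touches only the small set of second-level domains, and the high-volume attack classes are removed without ever inspecting their individual records. A real deployment would also need a class for DGA traffic (many distinct second-level domains, each queried a few times), which this illustration deliberately leaves out.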