Journal of Beijing University of Posts and Telecommunications (北京邮电大学学报)

Journal of Beijing University of Posts and Telecommunications, 2018, Vol. 41, Issue 6: 83-89. doi: 10.13190/j.jbupt.2018-007

Research Report

A DNS Query Anomaly Detection Algorithm Based on Log Information

JI Xing1, HUANG Tao1, E Xin-hua2, SUN Li1

  1. School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China;
  2. Beijing Advanced Innovation Center for Future Internet Technology, Beijing University of Technology, Beijing 100124, China
  • Received: 2018-01-09 Online: 2018-12-28 Published: 2018-12-24
  • About the authors: JI Xing (born 1994), male, master's student, E-mail: jixing@bupt.edu.cn; SUN Li (born 1959), male, associate professor.
  • Funding:
    National Basic Research Program of China (973 Program) (2012CB315801-1); National Natural Science Foundation of China (61502049); Major Consulting Research Project of the Chinese Academy of Engineering (2012-ZD-6-7)

Abstract: To address anomalous queries in the domain name system (DNS), an anomaly detection algorithm based on DNS query logs is proposed to detect suspicious and abnormal Internet Protocol (IP) addresses. First, after analyzing the differences between normal and abnormal DNS query behaviour, multiple dimensions of information are extracted from the DNS logs to characterize each source IP. Second, the dataset is mapped to a three-dimensional space through dimensionality reduction, which supports intuitive visualization and rapid data analysis. Finally, the source IPs are clustered and a credibility value is calculated for each of them to identify the abnormal ones. Experimental results show that the algorithm not only exposes the correlation characteristics of the multi-dimensional dataset directly, but also identifies abnormal source IPs at both the global and the local level.

Key words: domain name system query, dimensionality reduction, cluster analysis, anomaly detection
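The pipeline the abstract describes (per-source-IP features from DNS query logs, reduction to three dimensions, a credibility score that flags outliers at the global and local level), as an added Python example that is not the paper's code; the feature set, the PCA method, the constructed log lines and the credibility formula are assumptions, since the abstract does not give them:

```python
# Added example, not the paper's code: per-source-IP features from DNS query logs,
# PCA to 3-D, then a credibility score. Features, PCA and score formula are assumptions.
import math

LOG = """10.0.0.1 www.example.com A NOERROR
10.0.0.1 mail.example.com A NOERROR
10.0.0.2 www.example.com A NOERROR
10.0.0.2 cdn.example.net A NOERROR
10.0.0.3 a1b2c3.bad.test A NXDOMAIN
10.0.0.3 d4e5f6.bad.test TXT NXDOMAIN
10.0.0.3 g7h8i9.bad.test TXT NXDOMAIN
10.0.0.4 www.example.com A NOERROR"""  # constructed: src IP, name, qtype, rcode

def features(log):
    """Per source IP: [queries, distinct names, NXDOMAIN ratio, non-A ratio]."""
    per_ip = {}
    for line in log.splitlines():
        ip, name, qtype, rcode = line.split()
        per_ip.setdefault(ip, []).append((name, qtype, rcode))
    return {ip: [float(len(q)), float(len({x[0] for x in q})),
                 sum(x[2] == "NXDOMAIN" for x in q) / len(q),
                 sum(x[1] != "A" for x in q) / len(q)] for ip, q in per_ip.items()}

def zscore(X):  # standardise columns so raw counts do not dominate the projection
    mu = [sum(c) / len(c) for c in zip(*X)]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(zip(*X), mu)]
    return [[(v - m) / s for v, m, s in zip(row, mu, sd)] for row in X]

def pca3(X):  # project rows onto the top 3 principal components (power iteration + deflation)
    n, d = len(X), len(X[0])
    C = [[sum(r[i] * r[j] for r in X) / n for j in range(d)] for i in range(d)]
    comps = []
    for _ in range(3):
        v = [1.0 / (i + 1) for i in range(d)]  # deterministic, non-symmetric start vector
        for _ in range(300):
            w = [sum(C[i][j] * v[j] for j in range(d)) for i in range(d)]
            nrm = math.sqrt(sum(y * y for y in w))
            v = [x / nrm for x in w] if nrm > 1e-12 else [0.0] * d  # zero eigenvalue: drop axis
        lam = sum(v[i] * C[i][j] * v[j] for i in range(d) for j in range(d))
        C = [[C[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]  # deflate
        comps.append(v)
    return [[sum(r[i] * c[i] for i in range(d)) for c in comps] for r in X]

def credibility(log):  # global: distance to centroid; local: distance to nearest other IP
    feats = features(log)
    pts = pca3(zscore(list(feats.values())))
    dist = lambda a, b: math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    centroid = [sum(p[k] for p in pts) / len(pts) for k in range(3)]
    return {ip: 1.0 / (1.0 + dist(p, centroid) + min(dist(p, q) for j, q in enumerate(pts) if j != i))
            for i, (ip, p) in enumerate(zip(feats, pts))}
```

The lowest credibility is the most anomalous source; on the constructed log that is 10.0.0.3, the only IP producing NXDOMAIN and TXT-heavy traffic to random-looking names.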