{"title":"Zombie Hosts Identification Based on DNS Log","authors":"Renjie Wang, Yangsen Zhang, Ruixue Duan, Zhuofan Huang","doi":"10.1109/IC-NIDC54101.2021.9660578","DOIUrl":null,"url":null,"abstract":"Although the academia has done a lot of research on DNS abnormal behavior, whether from the perspective of traffic or irregular domain name recognition, the mechanism behind DNS is ignored in the pre-processing of DNS logs and other data. In addition, most studies focus on traffic anomaly detection and unconventional domain name recognition, and lack of systematic research on the combination of the two, so the proposed algorithm has no practical application. This paper proposes a clustering method based on DNS client IP address traffic characteristics, which divides DNS logs into five access modes. Then, a DNS log preprocessing algorithm is designed to preprocess the logs that may exist in zombie hosts. Finally, a two-layer GRU network detection algorithm based on domain name text features is proposed. Experimental results show that this method can effectively identify zombie hosts in DNS logs.","PeriodicalId":264468,"journal":{"name":"2021 7th IEEE International Conference on Network Intelligence and Digital Content (IC-NIDC)","volume":"7 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 7th IEEE International Conference on Network Intelligence and Digital Content (IC-NIDC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IC-NIDC54101.2021.9660578","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
Although academia has done a lot of research on abnormal DNS behavior, whether from the perspective of traffic analysis or of irregular domain name recognition, the mechanism behind DNS is ignored when preprocessing DNS logs and other data. In addition, most studies focus on traffic anomaly detection and unconventional domain name recognition and lack systematic research combining the two, so the proposed algorithm has no practical application. This paper proposes a clustering method based on the traffic characteristics of DNS client IP addresses, which divides DNS logs into five access modes. A DNS log preprocessing algorithm is then designed to preprocess the logs that may contain zombie hosts. Finally, a two-layer GRU network detection algorithm based on domain name text features is proposed. Experimental results show that this method can effectively identify zombie hosts in DNS logs.