Journal of Xi'an Jiaotong University (《西安交通大学学报》)

Domain Flux Detection Combining Domain Request Behavior Features and Domain Composition Features

Abstract

The technique of domain flux has been used by many botnets to avoid being blocked by domain blacklists. A new technique is proposed to detect botnets by analyzing the patterns inherent to domains that comprise alphanumeric characters and the query behavior of hosts. The method analyzes failed domain queries through a support vector machine (SVM) to identify suspicious compromised hosts. Clustering analyses are then performed to generate new successful domains and the groups of hosts that query these domains, and to examine whether these host groups are composed of compromised hosts. Then, the command and control (C&C) domains and related IP addresses used by botnets are detected. Experimental results show that the accuracy of SVM prediction reaches more than 98.5% after training, and that the system can accurately detect compromised hosts and the IPs of C&C servers when DNS traffic from the ISP is monitored.

Chinese abstract (translated): To address the problem that botnets widely adopt domain flux to evade domain-blacklist blocking, a botnet detection method is proposed that combines domain request behavior features with domain composition features. The method analyzes the domains that hosts in the network fail to resolve with a support vector machine (SVM) classifier to extract suspicious infected hosts; through clustering analysis of new domains, it takes the set of hosts that request the same group of new domains as the detection object, analyzes whether that set of requesting hosts consists of suspicious infected hosts, and extracts the set of domains currently used by the botnet as well as the set of IP addresses used by its command and control (C&C) servers. Experimental results show that after training, the SVM classifier reaches an accuracy above 98.5%; by monitoring an ISP's DNS server, the system can accurately extract infected hosts and the IP addresses of C&C servers.
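The two-stage pipeline the abstract describes, as an added illustration that is not the paper's code: stage 1 scores each NXDOMAIN query with composition features of the domain label (length, digit ratio, vowel ratio, character entropy) and flags hosts whose failed queries are mostly algorithmic; stage 2 groups hosts by the set of new, successfully resolved domains they share and reports groups made up mostly of flagged hosts, together with the IPs those domains resolved to (the C&C candidates). The hand-set linear weights stand in for the paper's trained SVM, the thresholds are assumptions, and the DNS records and addresses are constructed sample data.

```python
"""Toy domain-flux detector in the spirit of the abstract (added example).
Stage 1: composition features + linear scorer (stand-in for the SVM).
Stage 2: cluster hosts by shared new successful domains; report groups
that consist mostly of hosts already flagged in stage 1."""
import math
from collections import defaultdict


def domain_features(name):
    """Features of the leftmost label: length, digit ratio, vowel ratio, entropy."""
    label = name.split(".")[0].lower()
    n = len(label)
    if n == 0:
        return (0, 0.0, 0.0, 0.0)
    digits = sum(c.isdigit() for c in label) / n
    vowels = sum(c in "aeiou" for c in label) / n
    counts = {}
    for c in label:
        counts[c] = counts.get(c, 0) + 1
    entropy = -sum(v / n * math.log2(v / n) for v in counts.values())
    return (n, digits, vowels, entropy)


# Assumption: hand-set weights standing in for a trained SVM decision function.
WEIGHTS = (0.05, 2.0, -3.0, 0.8)
BIAS = -2.2


def is_algorithmic(name):
    """True when the label looks machine-generated (long, digit-heavy, few vowels, high entropy)."""
    score = sum(w * x for w, x in zip(WEIGHTS, domain_features(name))) + BIAS
    return score > 0


def suspicious_hosts(failed_queries, min_failed=3, ratio=0.6):
    """failed_queries: (host, domain) pairs from NXDOMAIN responses.
    A host is suspicious when it has enough failures and most look algorithmic."""
    per_host = defaultdict(list)
    for host, dom in failed_queries:
        per_host[host].append(is_algorithmic(dom))
    return {h for h, flags in per_host.items()
            if len(flags) >= min_failed and sum(flags) / len(flags) >= ratio}


def detect_cnc(successful, known_domains, suspects, min_hosts=2, ratio=0.6):
    """successful: (host, domain, resolved_ip) triples. Domains already in
    known_domains are ignored; hosts sharing the same set of new domains form a
    group, and a group is reported when enough of its members are suspects."""
    host_domains, domain_ips = defaultdict(set), defaultdict(set)
    for host, dom, ip in successful:
        if dom in known_domains:
            continue
        host_domains[host].add(dom)
        domain_ips[dom].add(ip)
    groups = defaultdict(set)
    for host, doms in host_domains.items():
        groups[frozenset(doms)].add(host)
    findings = []
    for doms, hosts in groups.items():
        if len(hosts) < min_hosts:
            continue
        if len(hosts & suspects) / len(hosts) >= ratio:
            ips = set().union(*(domain_ips[d] for d in doms))
            findings.append({"domains": sorted(doms), "hosts": sorted(hosts),
                             "cnc_ips": sorted(ips)})
    return findings


# Constructed sample traffic: two bots (10.0.0.5, 10.0.0.7) and one clean host.
FAILED = [("10.0.0.5", "xk7q2pz9vb.com"), ("10.0.0.5", "qwrtzpxv.net"),
          ("10.0.0.5", "m4n8tz3k.org"), ("10.0.0.5", "gogle.com"),
          ("10.0.0.7", "zzq1wdp7.info"), ("10.0.0.7", "m4n8tz3k.org"),
          ("10.0.0.7", "qwrtzpxv.net"),
          ("10.0.0.9", "gogle.com"), ("10.0.0.9", "facebok.com"),
          ("10.0.0.9", "printer.local")]
SUCCESSFUL = [("10.0.0.5", "google.com", "198.51.100.1"),
              ("10.0.0.5", "rk8d3xq1.com", "203.0.113.10"),
              ("10.0.0.5", "vv9ztp4.net", "203.0.113.10"),
              ("10.0.0.7", "rk8d3xq1.com", "203.0.113.10"),
              ("10.0.0.7", "vv9ztp4.net", "203.0.113.10"),
              ("10.0.0.9", "google.com", "198.51.100.1"),
              ("10.0.0.9", "example.org", "198.51.100.2")]
KNOWN = {"google.com"}


def run_demo():
    """Run both stages on the constructed data and return the C&C findings."""
    return detect_cnc(SUCCESSFUL, KNOWN, suspicious_hosts(FAILED))


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

The clean host in the sample makes typo-style failures (gogle, facebok) that score as benign, so it is never flagged even though it shares a DNS resolver with the bots; only the two hosts whose failures are dominated by generated names, and which then resolve the same previously unseen domains, are reported along with the address those domains point to.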
