Cite this article
  • Li Yixin, Xu Zhen, Wang Liming, Song Chen. A survey of malicious entity detection through DNS data analysis [J]. Journal of Cyber Security, accepted.
A survey of malicious entity detection through DNS data analysis
Li Yixin, Xu Zhen, Wang Liming, Song Chen
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
The Domain Name System (DNS) is one of the most critical components of the Internet. Given the infrastructure role DNS plays, it is not surprising that attackers widely abuse it to support a variety of malicious activities: they register typosquatting domains to launch phishing attacks, use algorithmically generated domains to communicate with compromised hosts, and contaminate records in DNS servers to lead clients to malicious websites, among others. To identify the security threats present in DNS activity, researchers have in recent years increasingly turned to detecting malicious entities by analyzing DNS data. Existing survey work in this area, however, has limitations: most surveys use the attack type as their classification criterion and therefore struggle to cover the types of malicious entities comprehensively. To address this problem, we summarize research from the past ten years and provide a comprehensive review from the perspective of malicious entities. We first classify the malicious entities involved in DNS activity into three categories: malicious domain names, compromised hosts and networks, and compromised DNS services. For each category, we give its definition and introduce the relevant attack scenarios. Second, we investigate the DNS data commonly used in this research and introduce it systematically along four dimensions: basic data, supplemental data, labeled data, and data collection. Third, taking the malicious entity as the object of study, we summarize existing research along three dimensions: malicious domain detection, compromised host and network detection, and compromised DNS service detection. We review these works systematically, discuss their methods, analyze their advantages and disadvantages, and point out the problems that remain. Finally, we discuss development trends and future research directions for malicious entity detection through DNS data analysis. In summary, this paper provides a comprehensive review and analysis of DNS-based malicious entity detection, aiming to offer inspiration and reference for future research.
Key words:  DNS security  DNS data analysis  malicious domain  compromised host  compromised DNS service
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.02.22
Received: 2022-03-24; Revised: 2022-11-01