(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; School of Information, Renmin University of China, Beijing 100872, China)
Keywords: domain name system; malicious activities; malicious domain name detection
Received: September 15, 2020; Revised: December 29, 2020
Malicious Domain Names Detection Methods Analysis: A Survey
WANG Qing,HAN Dongxu,LU Zhigang,JIANG Bo,DONG Cong,LIU Junrong,SHI Wenchang,LIU Yuling
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; School of Information, Renmin University of China, Beijing 100872, China
In recent years, cyber attacks have grown increasingly serious, and attackers make wide use of the domain name system because of its simplicity and agility. The domain name system provides fast mapping between domain names and IP addresses, which attackers can exploit to hide the addresses of their attack infrastructure; domain names have thus become one of the main vectors of cyber attacks. With the ever-changing forms and the dramatic increase in the number of malicious domain names, there is an urgent need to detect and defend against them, and traditional blacklist- and whitelist-based domain name detection methods have become less effective. Detection methods based on DNS data can identify malicious domain names efficiently and have therefore been widely proposed. This paper surveys and analyzes malicious domain name detection methods based on DNS data. First, it briefly reviews the hierarchical structure of the domain name system, its resolution process and principles, and the abuse techniques that attackers build on it, such as domain flux and fast flux. Second, it classifies DNS data into active DNS data and passive DNS data according to how the data are collected, and compares the advantages and disadvantages of each.
Then, the malicious domain name detection methods are divided into three categories according to the detection technique used: rule-based discovery detection methods, dynamic feature-based detection methods, and association-based inference detection methods. Each category is further subdivided by the specific type of detection, and the advantages, disadvantages, and application scenarios of each method are analyzed. The evaluation criteria of existing detection methods are divided into those based on classification performance and those based on real-world environments. Finally, open problems in existing research and directions for future work are discussed.
Key words: domain name system; malicious activities; malicious domain names detection