DNS anomaly detection based on Counting Bloom Filter

Hu Beibei (胡蓓蓓), Peng Yanbing (彭艳兵), Cheng Guang (程光)

Computer Engineering and Applications (计算机工程与应用), Issue (15): 82-86, 5. DOI: 10.3778/j.issn.1002-8331.1208-0010

DNS anomaly detection based on Counting Bloom Filter

Hu Beibei 1, Peng Yanbing 2, Cheng Guang 3

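Author information

  • 1. Wuhan Research Institute of Posts and Telecommunications, Wuhan 430074
  • 2. FiberHome Telecommunication Technologies Co., Ltd., Nanjing 210019
  • 3. Department of Computer Science and Engineering, Southeast University, Nanjing 211189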

Abstract

Because DNS query failures can serve as evidence of malware communication activity, this paper presents a DNS anomaly detection method based on a Counting Bloom Filter that takes query-failure data as its entry point. The method clusters the queried domain names and the IP addresses that initiate the queries, using a reversible hash function with semantic features. After clustering, the Top N hash strings are worked backwards to recover the dominant short strings, which are then spliced according to the results of homology judgment. Experimental results show that the method can effectively identify anomalies in DNS traffic, and can therefore be applied to early screening and later validation in anomaly detection, for example of botnets and DDoS attacks.

Key words

Domain Name System(DNS)query failure/Counting Bloom Filter/anomaly detection

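Classification

Information technology and security science

Cite this article

Hu Beibei, Peng Yanbing, Cheng Guang. DNS anomaly detection based on Counting Bloom Filter [J]. Computer Engineering and Applications, 2014, (15): 82-86, 5.

Funding

National Key Basic Research Program of China (973 Program) (No.2009CB320505); Jiangsu Province Science and Technology Support Program (No.BE2011173).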

Computer Engineering and Applications (计算机工程与应用)

Indexing: OA, Peking University Core Journals, CSCD, CSTPCD

ISSN 1002-8331