C&C domain name identification method based on domain name features

An identification method based on domain name features, applied in the field of network security. It addresses the error-prone division of host domain name request sequences, the low applicability and generalizability of prediction models, and the difficulty of accurately identifying actual domain names, with the effect of overcoming low applicability and generalizability, saving manpower and material resources, and being easy to put into practice.

Active Publication Date: 2018-10-09
CTRIP COMP TECH SHANGHAI

AI Technical Summary

Problems solved by technology

[0005] Disadvantages: The C&C domain names generated by the DGA algorithm are of a single type, so the training data set contains only a single type of domain name. The prediction model trained in this way therefore has low applicability and generalizability, and it is difficult to accurately discriminate the category of actual domain names.
[0008] Disadvantages: The thresholds taken for some features are subjective and arbitrary, not calculated by the model, and lack a certain degree of objectivity.
[0011] Disadvantages: The two detection algorithms based on DNS invalidation, DGA domain name detection and invalid C&C domain name detection, are easily affected by IP (Internet Protocol) spoofing and DNS spoofing.
The invalid DNS request sequence used in C&C detection has a division boundary of 0 points, which makes it easy to divide the host domain name request sequence incorrectly and affects the accuracy of periodicity judgments.


Embodiment Construction

[0029] The present invention is further illustrated below by means of examples, but the present invention is not limited to the scope of the examples.

[0030] As shown in Figure 1, the C&C domain name identification method based on domain name features of the present invention comprises the following steps:

[0031] Step 101: based on qualitative characteristics that distinguish domain name categories, generate quantitative indicators for determining the category of each given domain name; the generated quantitative indicators may include, for example, the proportion of vowels in the domain name, the number of occurrences of pinyin in the domain name, etc.;

[0032] Step 102: randomly extract some of the given domain names into the training data set and put the remaining domain names into the test data set, then apply the bagging algorithm, a decision tree ensemble algorithm, to generate a domain name category judgment model based on the ...
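
An added example (not from the patent text) of Steps 101 and 102 and the performance check in S3: it computes the two indicators named above, splits the domains at random, and bags depth-1 decision trees (stumps, used here in place of full trees so that it runs without third-party libraries). The pinyin syllable list, the sample domains and labels, and the rule that a lower indicator value votes for C&C are assumptions made for illustration.

```python
import random

# Assumption: small illustrative pinyin subset, longest syllables first.
PINYIN = ("xiao", "tao", "bao", "bai", "wei", "you", "hua", "du", "bo", "ku", "mi")

def features(domain):
    """Step 101 indicators for the first label: (vowel proportion, pinyin count)."""
    label = domain.lower().split(".")[0]
    count = i = 0
    while i < len(label):  # greedy longest-match scan for pinyin syllables
        hit = next((s for s in PINYIN if label.startswith(s, i)), "")
        count += bool(hit)
        i += len(hit) or 1
    return (sum(c in "aeiou" for c in label) / max(len(label), 1), count)

def train_stump(rows):
    """Depth-1 tree: (feature, threshold) with fewest errors; value < threshold => C&C."""
    best = (len(rows) + 1, 0, 0.0)
    for f in (0, 1):
        vals = sorted({x[f] for x, _ in rows})
        for t in ((lo + hi) / 2 for lo, hi in zip(vals, vals[1:])):  # midpoints
            err = sum((x[f] < t) != (y == 1) for x, y in rows)
            if err < best[0]:
                best = (err, f, t)
    return best[1:]

def bagging(train, n_trees, rng):  # assumes train holds both classes
    model = []
    while len(model) < n_trees:
        sample = [rng.choice(train) for _ in train]  # bootstrap resample
        if len({y for _, y in sample}) == 2:  # redraw one-class resamples
            model.append(train_stump(sample))
    return model

def predict(model, x):  # majority vote of the stumps: 1 = C&C, 0 = legitimate
    return int(2 * sum(x[f] < t for f, t in model) > len(model))

def evaluate(labelled, n_train=8, n_trees=15, seed=7):
    """Step 102 / S3: random split, train on one part, score the held-out part."""
    rng = random.Random(seed)
    rows = [(features(d), y) for d, y in labelled]
    rng.shuffle(rows)
    train, test = rows[:n_train], rows[n_train:]
    model = bagging(train, n_trees, rng)
    return model, sum(predict(model, x) == y for x, y in test) / len(test)

# Constructed sample: 1 = C&C-like random strings, 0 = pinyin-style names.
SAMPLE = [(d + ".com", 1) for d in "xkqzrtvb qwrtzpla bvcxzmnq hjk4wq9zt zxqvbnmke prtkwqzx".split()]
SAMPLE += [(d + ".com", 0) for d in "taobao baidu weibo youku huawei xiaomi".split()]
```

On this constructed sample the two classes are cleanly separated by vowel proportion, so `evaluate(SAMPLE)` scores 1.0 on the held-out domains; real traffic will not separate this cleanly.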


Abstract

The present invention discloses a C&C domain name identification method based on domain name features, including: S1, based on the qualitative features of domain names, generating quantitative indicators for determining the domain name category of each given domain name; S2, randomly extracting part of the given domain names into the training data set and putting the remaining domain names into the test data set, and applying a decision tree ensemble algorithm to generate a domain name category judgment model based on the training data set; S3, applying the generated domain name category judgment model to judge the category of the remaining domain names in the test data set, comparing the result with the actual categories of those domain names, and calculating the predictive performance index of the domain name category judgment model; S4, correcting the domain name categories determined by applying the domain name category judgment model; S5, based on the corrected domain name categories, generating statistical results for a single domain name. The invention can accurately find C&C domain names, and enhances the robustness, feasibility and comprehensibility of the model.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a C&C domain name identification method based on domain name features.

Background

[0002] The prior art on C&C domain name (a type of domain name) identification in this field is specifically as follows:

[0003] 1. Topic: Using Machine Learning to Identify Randomly Generated C&C Domain Names

[0004] Content: Take the C&C domain names generated by the DGA algorithm (domain name generation algorithm) and the top 100,000 legitimate domain names in the Alexa ranking (the world ranking of websites) as positive and negative examples, and generate quantitative indicators that can effectively identify the two types of domain names. After generating the corresponding indicators, use the support vector machine model to judge the domain name category.

[0005] Disadvantages: The C&C domain name generated by the DGA algorithm contains a single type of domain name, resulting in ...


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): H04L29/12, H04L29/06
CPC: H04L63/1408, H04L61/4511
Inventor: 唐力岳扶天周海燕
Owner: CTRIP COMP TECH SHANGHAI