Computer Engineering and Applications (计算机工程与应用) ›› 2015, Vol. 51 ›› Issue (1): 106-109.

• Network, Communication, Security •

Bot detection based on DNS query behavior

LI Xiaoli1,2, TANG Guangming1, CHU Xiao2

  1. Information Engineering University, Zhengzhou 450004, China
  2. Unit 63895 of the PLA
  • Online: 2015-01-01  Published: 2015-01-06

Bot detection based on DNS query activities

LI Xiaoli1,2, TANG Guangming1, CHU Xiao2   

  1. Information Engineering University, Zhengzhou 450004, China
  2. Unit 63895 of the PLA
  • Online: 2015-01-01  Published: 2015-01-06

Abstract: This paper proposes a detection method based on DNS query behavior. Exploiting the fact that Bots run automatically, the processes on a host are first filtered from the perspective of their DNS queries to narrow the detection range; the DNS reaction behavior patterns of Bots and of other processes are then compared, and a Bot-DNS detection model is built on their differences and used to decide whether a suspicious process is a Bot. Experimental results show that the method can detect Bots in the early stage of their life cycle, that the detection process is independent of the protocol and structure the Bot uses, and that it achieves good detection results.

Key words: Bots, automatic connection, DNS query behavior, DNS reaction behavior

Abstract: This paper proposes a new method of identifying Bots based on DNS query activities. First, because Bots usually run automatically, the detection range is narrowed down from the point of view of DNS queries. Second, a Bot-DNS detection model is built on the differences in DNS reaction behavior between Bots and normal processes and used to judge whether a suspicious process is a Bot. The experimental results show that the method can detect Bots in their early stage, is independent of the Bot's protocol and structure, and achieves good detection results.

Key words: Bots, automatic connection, DNS query activities, DNS reaction activities
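As an added illustration (not code from the paper or its authors), the two-stage idea in the abstract can be sketched as a host-side triage script: stage 1 keeps only processes whose DNS queries are not preceded by user interaction (the "automatic connection" filter), and stage 2 scores those processes on how they react to DNS answers. The event fields, the `user_active` sensor, the features (NXDOMAIN ratio, switching to a new name after a failed lookup, regularity of query intervals), the thresholds and the sample events are all assumptions constructed for illustration; the paper's actual Bot-DNS model and feature set are not given on this page.

```python
"""Two-stage triage of host processes from their DNS query activity.

Stage 1 keeps only processes whose DNS queries are issued without preceding
user interaction (the 'automatic connection' filter from the abstract), which
narrows the detection range. Stage 2 scores the survivors on DNS *reaction*
behaviour: how the process reacts to failed lookups and how regular its query
timing is. The features, thresholds and the user-activity sensor are
assumptions for illustration, not the paper's Bot-DNS model.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (pid, process, t_seconds, qname, rcode, user_active)
# user_active is a hypothetical host sensor: True when keyboard/mouse input
# occurred shortly before the query, i.e. the lookup was plausibly user-driven.
SAMPLE_EVENTS = [
    (1001, "browser.exe",   10.0, "news.example",          "NOERROR",  True),
    (1001, "browser.exe",   10.2, "cdn.example",           "NOERROR",  True),
    (1001, "browser.exe",   95.7, "mail.example",          "NOERROR",  True),
    (1001, "browser.exe",   96.1, "typo.exampel",          "NXDOMAIN", True),
    (2002, "updater.exe",    0.0, "update.vendor.example", "NOERROR",  False),
    (2002, "updater.exe", 3600.0, "update.vendor.example", "NOERROR",  False),
    (3003, "svchost_.exe",   5.0, "a1.bad.example",        "NXDOMAIN", False),
    (3003, "svchost_.exe",  65.0, "a2.bad.example",        "NXDOMAIN", False),
    (3003, "svchost_.exe", 125.0, "a3.bad.example",        "NXDOMAIN", False),
    (3003, "svchost_.exe", 185.0, "c2.bad.example",        "NOERROR",  False),
]


def group_by_pid(events):
    """Bucket events per process, sorted by time."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0]].append(ev)
    for evs in buckets.values():
        evs.sort(key=lambda e: e[2])
    return buckets


def filter_automatic(events, max_user_ratio=0.2):
    """Stage 1: pids whose queries are mostly not preceded by user activity."""
    candidates = set()
    for pid, evs in group_by_pid(events).items():
        user_driven = sum(1 for e in evs if e[5]) / len(evs)
        if user_driven <= max_user_ratio:
            candidates.add(pid)
    return candidates


def interval_cv(times):
    """Coefficient of variation of inter-query gaps; None if fewer than 3 queries.
    A value near zero means the process queries on a fixed timer."""
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def reaction_features(evs):
    """Stage 2 features describing how a process reacts to DNS answers."""
    rcodes = [e[4] for e in evs]
    nx = sum(1 for r in rcodes if r == "NXDOMAIN")
    # After a failed lookup, did the process move on to a *different* name?
    # (assumed indicator of a name-rotation routine rather than a plain retry)
    switches = sum(
        1 for a, b in zip(evs, evs[1:]) if a[4] == "NXDOMAIN" and a[3] != b[3]
    )
    return {
        "queries": len(evs),
        "nxdomain_ratio": nx / len(evs),
        "fail_switch_ratio": switches / nx if nx else 0.0,
        "interval_cv": interval_cv([e[2] for e in evs]),
    }


def detect(events, nx_threshold=0.5, cv_threshold=0.25):
    """Run both stages; return per-candidate features and a bot-like verdict."""
    report = {}
    buckets = group_by_pid(events)
    for pid in filter_automatic(events):
        f = reaction_features(buckets[pid])
        cv = f["interval_cv"]
        f["bot_like"] = (
            f["nxdomain_ratio"] >= nx_threshold
            and cv is not None
            and cv <= cv_threshold
        )
        f["process"] = buckets[pid][0][1]
        report[pid] = f
    return report


if __name__ == "__main__":
    for pid, f in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, f["process"], "bot-like" if f["bot_like"] else "benign", f)
```

On the constructed sample the browser never reaches stage 2 because its lookups follow user input, the scheduled updater survives stage 1 but shows no failure-driven behaviour, and the process that cycles through unresolvable names on a fixed timer is the one flagged. The stage-1 filter is what keeps the stage-2 model cheap and protocol-agnostic: it never inspects the C&C channel itself, only the resolver traffic every process must emit before connecting.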