Fu Qiuai (class of 2017) has a paper accepted at ICDCS 2019

Published 2019-04-01, https://www.icnlab.cn/?p=6268

The 39th IEEE International Conference on Distributed Computing Systems (ICDCS 2019) will be held from July 7 to July 10, 2019 in Dallas, Texas, USA. ICDCS is a major international conference for researchers and other professionals in fields related to distributed computing systems, and is recommended by the CCF as a Class B conference in the computer architecture track.

Under the supervision of Prof. Kai Lei and Prof. Kuai Xu, Fu Qiuai (class of 2017) completed a full paper, "Detecting Malicious Domains with Behavioral Modeling and Graph Embedding", which has been confirmed as accepted by ICDCS 2019! A summary of the accepted paper follows:

Paper title: Detecting Malicious Domains with Behavioral Modeling and Graph Embedding

Authors: Kai Lei, Qiuai Fu, Jiake Ni, Feiyang Wang, Min Yang, Kuai Xu*

English abstract: The last decade has witnessed the explosive growth of malicious Internet domains, which serve as the fundamental infrastructure for establishing advanced persistent threat command and control communication channels or hosting phishing Web sites. Given the big data nature of Internet traffic data and the ability to algorithmically generate domains and to acquire and register them in a near-automated fashion, detecting malicious domains in real time is a daunting task for security analysts and network operators. In this paper, we introduce bipartite graphs to capture the interactions between end hosts and domains, identify the IP addresses associated with domains, and characterize time-series patterns of DNS queries for domains, and we explore one-mode projections of these bipartite graphs for modeling the behavioral, IP-structural, and temporal similarities between domains. We employ a graph embedding technique to automatically learn dynamic and discriminative feature representations for over 10,000 labeled domains, and develop an SVM-based classification algorithm for predicting malicious or benign domains. Our model makes progress towards adapting to the changing and evolving strategies of malicious domains. The experimental results show that our proposed algorithm achieves an area under the curve (AUC) of 0.94 based on k-fold cross-validation. To the best of our knowledge, this is the first effort to apply the combination of behavioral modeling and graph embedding for effectively and accurately detecting malicious domains.

Chinese summary (translated): Malware attacks, whose aim is to intrude on and disrupt users' computer systems and steal information, are one of the main threats to network security. To evade detection and strengthen the effect of their attacks, attackers have in recent years abused DNS in malware attacks. Large numbers of malicious domains are generated and abused in malware such as botnets, APT attacks and phishing sites. Detecting malicious domains has become the key to discovering and stopping the spread of malware attacks. Existing malicious domain detection generally adopts machine learning methods. However, these studies extract domain features manually, depend heavily on human effort and expert knowledge, and some of the features easily become outdated or are evaded by attackers.

This paper proposes a malicious domain detection method based on DNS behavior and graph embedding. First, the paper uses bipartite graphs to model the host interaction behavior of domains, the IP resolution behavior of domains, and the temporal patterns of domains, and then uses one-mode projection and similarity computation to obtain three domain behavior similarity graphs. These three behavior similarity graphs reveal the behavioral associations between malicious domains. Next, the paper proposes a graph-embedding-based domain feature learning method. This method automatically learns vector representations of domains on the domain similarity graphs and uses these representation vectors as the feature vectors of the domains, for subsequent classification-based malicious domain detection and clustering-based mining and analysis of malicious domain clusters. Unlike previous studies that manually extract domain features from DNS traffic, this paper starts from the DNS behavioral characteristics of domains and uses graph embedding to automatically learn vector representations of domains; these vectors preserve the behavioral characteristics and behavioral associations of malicious domains, can be applied effectively to malicious domain detection, and are more stable and robust.

The paper labeled about ten thousand domains from real campus-network DNS traffic, of which about 30% are malicious domains and 70% are benign domains, and trained an SVM classifier to detect malicious domains. The experimental results show that, under 10-fold cross-validation, the AUC of the paper's malicious domain detection algorithm is 0.94, better than existing work. The paper also uses clustering to mine domain clusters, and the experimental results show that the method can effectively mine malicious domains.