Correlative Visual Analytics for DNS Traffic with Multiple Views Based on TDRI
Authors: CHEN Xingshu (College of Cyber Security, Sichuan Univ., Chengdu 610065, China; Cyber Security Research Inst., Sichuan Univ., Chengdu 610065, China); CHEN Jinghan (College of Computer Sci., Sichuan Univ., Chengdu 610065, China); ZENG Xuemei (Cyber Security Research Inst., Sichuan Univ., Chengdu 610065, China); HAN Zhenhui (College of Cyber Security, Sichuan Univ., Chengdu 610065, China); ZHU Yi (College of Computer Sci., Sichuan Univ., Chengdu 610065, China); SHAO Guolin (College of Computer Sci., Sichuan Univ., Chengdu 610065, China)
Received: 2017-08-05. Year, volume (issue), pages: 2018, 50(4): 123-129
Journal: Advanced Engineering Sciences (工程科学与技术)
Keywords: DNS; visual analytics; model of DNS traffic analysis; big data
Funding: National Natural Science Foundation of China (61272447); International R&D and Transformation Platform for Transformative Technologies of the National "Mass Entrepreneurship and Innovation" Demonstration Base (C700011); Key R&D Project of Sichuan Province (2018G20100); Science and Technology Support Program of Sichuan Province (2016GZ0038); Fundamental Research Funds for the Central Universities (2017SCU11059; 2017SCU11065; SCU2016D009)
Abstract
Existing DNS traffic analysis methods are limited by the volume of data in large-scale networks, and visual analytics has not yet been applied to DNS traffic analysis. To address this, a TDRI (trend to domain and request information) DNS traffic analysis model is proposed, and, by combining this model with visual analytics methods for network security and big data, a multi-view correlative DNS traffic visual analysis system based on the TDRI model is designed and implemented. First, long-term, high-volume DNS traffic data from a complex, large-scale real network are observed and analyzed descriptively. Then, from the perspective of the three basic elements of the DNS service, namely the domain requester, the domain name, and domain access, a DNS traffic analysis model is abstracted and proposed that covers the time-series trend of DNS traffic feature values, the requested domain names, and the domain access situation. Finally, guided by the proposed model, a DNS traffic visual analysis system comprising data selection and correlated interactive views is designed to support a problem-driven DNS traffic data analysis process. The multi-view correlative DNS traffic visual analysis system based on TDRI was applied in a real campus network environment, where it helped analysts discover, from the DNS traffic, malicious access behaviour in the network as well as malicious behaviour targeting DNS. Experimental results show that the proposed analysis method improves the efficiency of DNS traffic analysis in large-scale network environments, identifies malicious behaviour exhibited in DNS traffic, and provides a safeguard for the secure and stable operation of the campus network DNS.