DGA域名检测相关技术
<div style="-en-clipboard: true"><span style="font-size: 14pt; font-family: "Times New Roman""> 域名生成算法(Domain Generation Algorithm):是一种利用随机字符来生成C&C域名,从而逃避域名黑名单检测的技术手段。</span></div><div><span style="font-size: 14pt; font-family: "Times New Roman"">很显然,在这种方式下,传统基于黑名单的防护手段无法起作用,一方面,黑名单的更新速度远远赶不上DGA域名的生成速度,另一方面,防御者必须阻断所有的DGA域名才能阻断C2通信,因此,DGA域名的使用使得攻击容易,防守困难。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt"><span style="font-size: 14pt; font-family: "Times New Roman"; font-weight: bold">DGA域名分类</span></span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">种子分类</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">1)基于事件的种子(time dependence) DGA算法会将使用时间信息作为输入,如:感染主机的系统时间,http响应的时间等。</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">2)是否有确定性(Determinism) 主流的DGA算法输入是确定的,因此DGA可以被提前计算,也有一些DGA的算法的输入是不确定的。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">算法分类</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">现在DGA生成算法一般分为以下4类</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">(1)基于算数 改类算法会生成一组可用ASCII编码表示的值</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">(2)基于哈希 用哈希值16进制表示产生DGA域名,常用的哈希算法有md5 sha256</span></div>
<div><span style="font-size: 14pt; color: unset; font-family: "Times New Roman"">(3)基于词典 改方式会从专有词典中挑选单词进行组合,减少域名字符上的随机性,迷惑性强,字典内嵌在恶意程序中或者从公有服务中提取</span></div>
<div><span style="font-size: 14pt; color: unset; font-family: "Times New Roman""> (4) 基于排列组合 对一个初始域名进行字符上的排列组合。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; color: unset; font-family: "Times New Roman"">DGA域名存活时间</span></div>
<div><span style="font-size: 14pt; color: unset; font-family: "Times New Roman""> </span></div>
<div><span style="font-size: 14pt; color: unset; font-family: "Times New Roman"">DGA域名的存活时间一般较短,大部分域名存活时间为1-7天</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; color: unset; font-family: "Times New Roman"">检测方法</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; color: unset; font-family: "Times New Roman"">朴素贝叶斯 NB</span></div>
<div><span style="font-size: 14pt; color: unset; font-family: "Times New Roman"">长短期记忆网络 LSTM </span></div>
<div>
<div style="-en-clipboard: true"><span style="font-size: 14pt; font-family: "Times New Roman"">C&C:command-and-control命令与控制。简单理解,这是一种机器与机器之间的通讯方式。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">C&C Server:C&C 服务器是由攻击者的计算机将命令发送到受恶意软件入侵的系统,并从目标网络接收被盗的数据。值得一提,现在已经发现许多c&c服务器为IDC服务器以及使用基于云的服务,例如网络邮件和文件共享服务,因为C&C服务器可以与正常流量融合在一起并避免被检测到。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">Botnet:僵尸网络。是指已被恶意软件感染并受到恶意参与者控制的一组计算机。僵尸网络是包括机器、人和网络的组合词,每个受感染的设备都称为僵尸网络。僵尸网络可以实现完成非法或恶意任务,包括发送垃圾邮件,窃取数据,勒索软件,欺诈性点击广告或分布式拒绝服务(DDoS)攻击。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">反弹 shell</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">非主动访问目标主机,而是通过反射shell绕过防火墙建立连接。主控端保持监听模式即可(如使用netcat),然后让肉鸡上主动连接主控端。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">C&C服务器</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">因为大部分的肉鸡ip为动态ip,所以远控中基本都使用反弹式通信,反弹式通信需要肉鸡每隔一段时间对主控端发送心跳包,但这或许需要保证主控端的公网ip保持不变,所以就需要一台能够集中控制僵尸网络的主机,也就是上述的C&C服务器。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">1.通过IP地址访问C&C服务器</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">描述:IP地址硬编码到远控脚本</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">优点:简单粗暴,成本低</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">缺点:易识别</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">防御:ip黑名单</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">识别程度: *</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">2.通过域名访问C&C服务器</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">描述:域名硬编码到远控脚本(可注册比较正常的域名伪装,降低被发现的风险)</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">优点:简单粗暴,成本低</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">缺点:易识别</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">防御:域名黑名单,蜜罐</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">识别程度: **</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">3.Fast-flux && Double-flux && Triple-flux</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">描述:Fast-flux技术是指不断改变域名和IP地址映射关系的一种技术。Double-flux则是域名和ip均不断轮转。Triple flux在Double flux的基础上,增加一层Name Server通过CNAME方式解析,这样域名有可能指向ip也有可能指向别的域名,然后再指向ip,这些Name Server也会定期轮换,就增加了更多C&C通道和干扰项。</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">优点:即使识别部分ip和域名也无法将整个僵尸网络屏蔽</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">缺点:易识别</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">防御:利用TTL(存活时间)时间较短以及历史数据等特征挖掘剩余域名和ip</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">识别程度: ****</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">4.使用 web C&C服务器</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">描述:通过在一些论坛的冷门区域或者热门网站发送C&C控制指令,然后让恶意软件通过爬虫的方法在访问这些论坛的时候获取指令。</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">典型案例:2015年俄罗斯攻击者使用twitter作为Hammertoss 的C&C服务器。</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">优点:不易发现,且不可封禁热门网站</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">缺点:被发现后会被直接封禁账号损失僵尸网络。</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">防御:封禁账号</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">识别程度: ***</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">5.使用DGA随机域名生成算法</span></div>
<div><span style="font-size: 14pt"> </span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">描述:这种C&C控制方法的思路就是控制一个确定的随机域名生成算法,用约定好的随机数种子生成大量的随机域名,恶意软件对这些域名全部进行访问。</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">优点:不易发现,难逆向出随机算法</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">缺点:灵活性差,需要平衡访问频率与等待时间的成本</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">防御:机器学习</span></div>
<div><span style="font-size: 14pt; font-family: "Times New Roman"">识别程度: *****</span></div>
</div><br><br>
来源:https://www.cnblogs.com/cybercheck0755/p/14788479.html
頁:
[1]