Research on a Secure Domain Name Server for Phishing Defense
Abstract
Phishing, a typical form of online fraud, has grown increasingly rampant with the rise of e-commerce and other Internet transaction platforms, causing ever greater economic losses. Most current anti-phishing defenses are implemented with filtering techniques for specific applications on specific endpoints, which limits their applicability considerably. Most phishing attacks achieve their goal by way of DNS, and victims suffer their losses while using DNS-based network application services. DNS is therefore the first line of defense against phishing. The greatest advantage of building anti-phishing and other security applications on DNS is that they cover all network users and applications.
     This thesis focuses on phishing defense schemes and detection algorithms. The main work and results are as follows:
     1. Proposed a phishing detection algorithm based on support vector machine (SVM) active learning. By promptly examining and classifying the URLs collected by DNS, it supplies the DNS anti-phishing module with a blacklist of phishing URLs. The algorithm also classifies using combined sensitive features drawn from both the URL and the Web page content, to ensure the scope of applicability and the efficiency of detection. Experimental results show that the algorithm achieves high detection accuracy and efficiency even when classifying on a small sample set.
     2. Built a DNS-based phishing protection system. Through a comprehensive analysis of current anti-phishing defenses, we summarized their strengths and weaknesses. Drawing on research into DNS security applications, we designed and implemented a DNS anti-phishing application system consisting of a DNS anti-phishing filtering system and a phishing URL detection system whose performance is supported by a cloud computing platform.
     3. Developed an anti-phishing module for the BIND server. By analyzing the source code of ISC BIND, the most widely used DNS server software, we developed an anti-phishing module invoked by the BIND server, along with the system's other functional modules, including data integration, transparent proxy and Web management. Trial operation of the system shows that it provides users with timely and effective protection against phishing attacks with minimal impact on DNS server performance; the BIND-based implementation is compatible with existing server configurations and is very simple to manage and maintain.
     Finally, the work of the thesis is summarized and prospects for further work are discussed.
