Zombie Hosts Identification Based on DNS Log

Abstract

Although the academia has done a lot of research on DNS abnormal behavior, whether from the perspective of traffic or irregular domain name recognition, the mechanism behind DNS is ignored in the pre-processing of DNS logs and other data. In addition, most studies focus on traffic anomaly detection and unconventional domain name recognition, and lack of systematic research on the combination of the two, so the proposed algorithm has no practical application. This paper proposes a clustering method based on DNS client IP address traffic characteristics, which divides DNS logs into five access modes. Then, a DNS log preprocessing algorithm is designed to preprocess the logs that may exist in zombie hosts. Finally, a two-layer GRU network detection algorithm based on domain name text features is proposed. Experimental results show that this method can effectively identify zombie hosts in DNS logs.