基于子域上下文关系的DNS隐蔽信道检测方法
Toward DNS-Based Covert Channel Detection Using Subdomain Context Relation
DOI: 10.12677/CSA.2021.116187, PDF,   
作者: 王杉杉:中国联合网络通信有限公司河南省分公司,河南 郑州;杜 飞:北京锐驰信安技术有限公司,北京
关键词: DNS隐蔽信道流量特征分析DNS Covert Channel Traffic Feature Analysis
摘要: 目前,攻击者进行私密信息传输、信息泄露、恶意信息传播等活动的主要手段之一是使用DNS协议作为隐蔽信道,特别是在僵尸网络和匿名通信网络中。为此,提出一种基于子域上下文关系的DNS隐蔽信道检测方法,该方法不仅提取了请求应答时间间隔、请求/应答报文大小、子域熵值以及资源记录类型频率等基础异常流量统计特征,同时对子域内容本身及其上下文关系进行了特征学习和提取。实验结果表明,该方法获得了99%以上的精度和召回率,具有很好的检测性能。
Abstract: At present, one of the main means for attackers to conduct private information transmission, information leakage, malicious information dissemination and other activities is to use the DNS protocol as a covert channel, especially in botnets and anonymous communication networks. To this end, a DNS covert channel detection method based on sub-domain context is proposed. This method not only extracts the basic anomaly traffic statistics such as request response time interval, request/response message size, sub-domain entropy value and resource record type frequency. At the same time, the sub-domain content itself and its context relationship are characterized and extracted. The experimental results show that the method achieves more than 99% accuracy and recall rate, and has good detection performance.
文章引用:王杉杉, 杜飞. 基于子域上下文关系的DNS隐蔽信道检测方法[J]. 计算机科学与应用, 2021, 11(6): 1823-1833. https://doi.org/10.12677/CSA.2021.116187

参考文献

[1] Aiello, M., Mongelli, M. and Papaleo, G. (2015) DNS Tunneling Detection through Statistical Fingerprints of Protocol Messages and Machine Learning. International Journal of Communication Systems, 28, 1987-2002. [Google Scholar] [CrossRef
[2] 王永吉, 吴敬征, 曾海涛, 等. 隐蔽信道研究[J]. 软件学报, 2010, 21(9): 2262-2288.
[3] 谷传征. DNS协议隐蔽信道的构建和检测技术研究[D]: [硕士学位论文]. 上海: 上海交通大学, 2012.
[4] 章思宇, 邹福泰, 王鲁华, 等. 基于DNS的隐蔽信道流量检测[J]. 通信学报, 2017, 34(5): 143-151.
[5] Born, K. and Gustafson, D. (2010) Detecting DNS Tunnels Using Character Frequency Analy-sis.
[6] Qi, C., Chen, X., Xu, C., et al. (2013) A Bigram Based Real Time DNS Tunnel Detection Approach. Procedia Computer Science, 17, 852-860. [Google Scholar] [CrossRef
[7] Romana, D.A.L. and Musashi, Y. (2008) Entropy Based Analysis of DNS Query Traffic in the Campus Network. Journal of Systemics, 6, 42-44.
[8] Homem, I., Papapetrou, P. and Dosis, S. (2017) Entropy-Based Prediction of Network Protocols in the Fo-rensic Analysis of DNS Tunnels.
[9] Ellens, W., Żuraniewski, P., Sperotto, A., et al. (2013) Flow-Based Detection of DNS Tunnels. In: IFIP International Conference on Autonomous Infrastructure, Management and Security, Springer, Berlin, 124-135. [Google Scholar] [CrossRef
[10] Singh, M., Singh, M. and Kaur, S. (2018) Detecting Bot-Infected Machines Using DNS Fingerprinting. Digital Investigation, 28, 14-33. [Google Scholar] [CrossRef
[11] Dietrich, C.J., Rossow, C., Freiling, F.C., et al. (2011) On Botnets That Use DNS for Command and Control. 2011 Seventh European Conference on Computer Network Defense IEEE, Gothenburg, 6-7 September 2011, 9-16. [Google Scholar] [CrossRef
[12] Zander, S., Armitage, G. and Branch, P. (2007) A Survey of Covert Channels and Countermeasures in Computer Network Protocols. IEEE Communications Surveys & Tutorials, 9, 44-57. [Google Scholar] [CrossRef
[13] 李彦冬, 郝宗波, 雷航. 卷积神经网络研究综述[J]. 计算机应用, 2016, 36(9): 2508-2515.
[14] Kara, A.M., Binsalleeh, H., Mannan, M., et al. (2014) Detection of Malicious Payload Distribution Channels in DNS. 2014 IEEE International Conference on Communications (ICC), Sydney, 10-14 June 2014, 853-858. [Google Scholar] [CrossRef
[15] Almusawi, A. and Amintoosi, H. (2018) DNS Tunneling Detec-tion Method Based on Multilabel Support Vector Machine. Security and Communication Networks, 2018, Article ID: 6137098. [Google Scholar] [CrossRef
[16] Homem, I., Papapetrou, P. and Dosis, S. (2018) Infor-mation-Entropy-Based DNS Tunnel Prediction. In: IFIP International Conference on Digital Forensics, Springer, Cham, 127-140. [Google Scholar] [CrossRef
[17] List of DNS Record Types.
https://en.wikipedia.org/wiki/List_of_DNS_record_types
[18] Shafieian, S., Smith, D. and Zulkernine, M. (2017) Detecting DNS Tunneling Using Ensemble Learning. In: International Conference on Network and System Security, Springer, Cham, 112-127. [Google Scholar] [CrossRef
[19] Nadler, A., Aminov, A. and Shabtai, A. (2017) Detection of Malicious and Low Throughput Data Exfiltration over the DNS Protocol.