OALib Journal
ISSN: 2333-9721
Toward DNS-Based Covert Channel Detection Using Subdomain Context Relation

DOI: 10.12677/CSA.2021.116187, PP. 1823-1833

Keywords: DNS Covert Channel, Traffic Feature Analysis


Abstract:

At present, one of the main means by which attackers transmit private information, leak data and spread malicious content is the use of the DNS protocol as a covert channel, especially in botnets and anonymous communication networks. To address this, a DNS covert channel detection method based on subdomain context relations is proposed. The method extracts the basic statistical features of anomalous traffic, namely the request-response time interval, request/response message size, subdomain entropy and resource record type frequency, and in addition learns and extracts features from the subdomain content itself and its contextual relations. Experimental results show that the method achieves precision and recall above 99%, demonstrating good detection performance.
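As an added illustration that is not code from the paper, the following Python computes, per registered domain, the basic statistical features the abstract lists (request-response interval, message sizes, subdomain entropy, resource record type frequency) over a constructed set of DNS records; the distinct-subdomain ratio, the two-label registered-domain split and the flagging thresholds are assumptions of this example, not the paper's learned context features or classifier.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records (timestamp_s, qname, rr_type, query_bytes, response_bytes);
# not taken from the paper's dataset.
SAMPLE = [
    (0.00, "www.example.com", "A", 33, 49),
    (0.05, "mail.example.com", "MX", 34, 78),
    (1.20, "www.example.com", "A", 33, 49),
    (2.10, "a3f9c1e7b2d4k8qz.t1.evil-tunnel.test", "TXT", 54, 230),
    (2.12, "7c0b5e9d2f4a1m6x.t1.evil-tunnel.test", "TXT", 54, 240),
    (2.14, "e8d1a4f6c3b9p2wy.t1.evil-tunnel.test", "TXT", 54, 235),
]

def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def extract_features(records):
    """Per registered domain: the basic statistics named in the abstract, plus a
    distinct-subdomain ratio used here as a simple stand-in for subdomain context."""
    groups = defaultdict(list)
    for ts, qname, rr_type, qlen, rlen in sorted(records):
        domain, sub = split_name(qname)
        groups[domain].append((ts, sub, rr_type, qlen, rlen))
    feats = {}
    for domain, rows in groups.items():
        n = len(rows)
        stamps = [r[0] for r in rows]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]  # consecutive query spacing
        types = Counter(r[2] for r in rows)
        feats[domain] = {
            "query_count": n,
            "mean_interval": sum(gaps) / len(gaps) if gaps else 0.0,
            "mean_query_bytes": sum(r[3] for r in rows) / n,
            "mean_response_bytes": sum(r[4] for r in rows) / n,
            "mean_subdomain_entropy": sum(shannon_entropy(r[1]) for r in rows) / n,
            "mean_subdomain_len": sum(len(r[1]) for r in rows) / n,
            "rr_type_freq": {t: c / n for t, c in types.items()},
            "distinct_subdomain_ratio": len({r[1] for r in rows}) / n,
        }
    return feats

def flag_suspicious(feats, entropy_threshold=3.5, txt_threshold=0.5):
    """Illustrative thresholds (assumed for this example, not the paper's classifier)."""
    return sorted(d for d, f in feats.items()
                  if f["mean_subdomain_entropy"] > entropy_threshold
                  and f["rr_type_freq"].get("TXT", 0.0) >= txt_threshold)
```

On the sample above, the high-entropy, TXT-only, never-repeating subdomains of the second domain separate cleanly from ordinary lookups; a real deployment would learn the thresholds from labelled traffic as the paper does rather than fix them by hand.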

