基于DNS的隐蔽通道流量检测

通信学报

基于DNS的隐蔽通道流量检测

章思宇1，邹福泰1，王鲁华2，陈铭3

1. 上海交通大学信息安全工程学院，上海 200240； 2. 国家计算机网络与信息安全管理中心，北京 100017；3. 上海交通大学密西根学院，上海 200240

出版日期:2013-05-25 发布日期:2013-05-15
基金资助:
国家自然科学基金资助项目（61071081）；国家242信息安全计划基金资助项目（2011A004）；信息网络安全公安部重点实验室开放课题基金资助项目（C11608）

Detecting DNS-based covert channel on live traffic

Online:2013-05-25 Published:2013-05-15

摘要/Abstract

摘要： 为提出一种有效检测各类型DNS隐蔽通道的方法，研究了DNS隐蔽通信流量特性，提取可区分合法查询与隐蔽通信的12个数据分组特征，利用机器学习的分类器对其会话统计特性进行判别。实验表明，决策树模型可检测训练中全部22种DNS隐蔽通道，并可识别未经训练的新型隐蔽通道。系统在校园网流量实际部署中成功检出多个DNS隧道的存在。

Abstract: To propose an effective detection method for DNS-based covert channel, traffic characteristics are thoroughly studied. 12 features are extracted from DNS packets to distinguish covert channels from legitimate DNS queries. Statistical characteristics of these features are used as input of the machine learning classifier. Experimental results show that the decision tree model detects all 22 covert channels used in training, and is capable of detecting untrained covert channels. Several DNS tunnels were detected during the evaluation on campus network’s live DNS traffic.

章思宇1，邹福泰1，王鲁华2，陈铭3. 基于DNS的隐蔽通道流量检测[J]. 通信学报.