基于DNS的隐蔽通道流量检测

doi:10.3969/j.issn.1000-436x.2013.05.017

Abstract

Abstract:

To propose an effective detection method for DNS-based covert channel,traffic characteristics were thor-oughly studied.12 features were extracted from DNS packets to distinguish covert channels from legitimate DNS queries.Statistical characteristics of these features are used as input of the machine learning classifier.Experimental results show that the decision tree model detects all 22 covert channels used in training,and is capable of detecting untrained covert channels.Several DNS tunnels were detected during the evaluation on campus network's live DNS traffic.

Key words: domain name system, covert channel, intrusion detection, machine learning, network security

Si-yu ZHANG,Fu-tai1 ZOU,Lu-hua WANG,Ming CHEN. Detecting DNS-based covert channel on live traffic[J]. Journal on Communications, 2013, 34(5): 143-151.

Figures/Tables 13

References 16

[1]	KAMINSKY D . The black OPS of DNS[A]. Proceedings of the Black Hat USA 2004[C]. Las Vegas, 2004.
[2]	LEIJENHORST T V , CHIN K-W , LOWE D . On the viability and performance of DNS tunneling[A]. Proceedings of the 5th International Conference on Information Technology and Applications[C]. Cairns,Australia, 2008.
[3]	NUSSBAUM L , NEYRON P , RICHARD O . On robust covert channels inside DNS[A]. Proceedings of the 24th IFIP International Security Conference[C]. Pafos,Cyprus, 2009.
[4]	MERLO A , PAPALEO G , VENEZIANO S , et al . A comparativeperformance evaluation of DNS tunneling tools[A].Proceedings of the 5th International Conference on Complex,Intelligent,and Software Intensive Systems[C]. Seoul,Korea, 2011. 84-91.
[5]	REVELLI A , LEIDECKER N . Introducing heyoka: DNS tunneling 2.0[A]. Proceedings of the SOURCE Conference Boston[C]. Boston, 2009.
[6]	BORN K . PSUDP: a passive approach to network-wide covert communication[A]. Proceedings of the Black Hat USA 2010[C]. Las Vegas, 2010.
[7]	ZANDER S , ARMITAGE G , BRANCH P . A survey of covert channels and countermeasures in computer network protocols[J]. Communications Surveys ＆ Tutorials,IEEE, 2007,9(3):44-57.
[8]	DUSI M , CROTTI M , GRINGOLI F , et al . Tunnel hunter: detecting application-layer tunnels with statistical fingerprinting[J]. Computer Networks, 2009,53(1):81-97.
[9]	ANDERSSON B , EKMAN E . Iodine[EB/OL]. 2011.
[10]	BORN K , GUSTAFSON D . NgViz: detecting DNS tunnels through N-gram visualization and quantitative analysis[A]. Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research[C]. Oak Ridge,Tennessee, 2010. 1-4.
[11]	BORN K , GUSTAFSON D . Detecting DNS tunnels using character frequency analysis[A]. Proceedings of the 9th Annual Security Conference[C]. Las Vegas,Nevada, 2010.
[12]	GIL T M . NSTX (IP-over-DNS)[EB/OL]. .
[13]	PIETRASZEK T . DNScat[EB/OL]. 2011.
[14]	DEMBOUR O . Dns2tcp[EB/OL]. http://www.hsc.fr/ressources/ outils/dns2tcp/index.html.en, 2011.
[15]	VALENZUELA T . Tcp-over-dns[EB/OL]. http://analogbit.com/ software/tcp-over-dns, 2011.
[16]	HALL M , FRANK E , HOLMES G , et al . The WEKA data mining software: an update[J]. SIGKDD Explorations, 2009,11(1):10-18.

Metrics

Recommended 0

No Suggested Reading articles found!

特征类别	编号	特征名称
	F₁	数据分组解析异常
数据分组解析	F₂F₃	UDP载荷长度DNS消息长度
	F₄	注入数据长度
	F₅	标签数量
请求域名	F₆F₇	子域名字串长度域名包含二进制数据
	F₈	域名存储数据量
	F₉	编码域名含前向指针
DNS消息	F₁₀F₁₁	回答含CNAME记录回答段资源记录数据尺寸
	F₁₂	全部资源记录数据尺寸

特征集	特征集说明	特征数
FS₁	传入、传出及DNS数据分组总数	3
FS₂	含有前向指针、CNAME 记录和二进制域名	3
	的数据分组数量
FS₃	数据分组特征F₂、F₃、F₄、F₅、F₆、F₈、F₁₁、	42
	F₁₂的统计参数

类别	样本来源	样本数
合法请求	校园网DNS流量	6 890
	Iodine（6类资源记录）	78
	Dns2tcp（2类资源记录）	18
隐蔽通道	DNSCat（2类资源记录）	18
	tcp-over-dns	12
	PSUDP	6

分类器	ROC区域（AUC）	正检率/%	误报率/%
J48决策树	0.992	95.6	0.15
朴素贝叶斯	0.793	58.4	1.18
逻辑回归	0.984	95.6	0.04

通道程序	状态	检测结果
OzyManDNS	活动	Yes
	空闲	Yes
Heyoka	活动	Yes
	空闲	Yes
NSChan	活动	Yes
	空闲	No

Detecting DNS-based covert channel on live traffic

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 16

Related Articles 15

Metrics

Recommended 0

测试名称	测试结果
样本总数	302 528
检测数	310
独立隐蔽通道	7
样本误报	324 (0.107%)
客户端总数	9 665
客户端误报	38 (0.393%)
域名总数	2 802
域名误报	23 (0.821%)
DNS连接总数	64 473
DNS连接误报	45 (0.070%)

编码步骤	字符串
查询网址	baike.baidu.com/view/671.htm
URL编码的网址	baike%2ebaidu%2ecom%2fview%2f671%2ehtm
DNSBL请求域名	baike-2ebaidu-2ecom-2fview-2f671-2ehtm.ph.bda
	ph.com

[1]	Shiqi ZHAO, Xiaohong HUANG, Zhigang ZHONG. Research and implementation of reputation-based inter-domain routing selection mechanism [J]. Journal on Communications, 2023, 44(6): 47-56.
[2]	Xin SUN, Guifu ZHANG, Hongyan XING, Wang Zenghui. Research on intrusion detection for maritime meteorological sensor network based on balancing generative adversarial network [J]. Journal on Communications, 2023, 44(4): 124-136.
[3]	Qianyi DAI, Bin ZHANG, Song GUO, Kaiyong XU. Blockchain network layer anomaly traffic detection method based on multiple classifier integration [J]. Journal on Communications, 2023, 44(3): 66-80.
[4]	Haiyan KANG, Molan LONG. Research on network attack analysis method based on attack graph of absorbing Markov chain [J]. Journal on Communications, 2023, 44(2): 122-135.
[5]	Leixiao LI, Jinze DU, Hao LIN, Haoyu GAO, Yanyan YANG, Jing GAO. Research progress of blockchain network covert channel [J]. Journal on Communications, 2022, 43(9): 209-223.
[6]	Fenghua LI, Chaoyang LI, Chao GUO, Zifu LI, Liang FANG, Yunchuan GUO. Survey on key technologies of covert channel in ubiquitous network environment [J]. Journal on Communications, 2022, 43(4): 186-201.
[7]	Gaofeng HE, Qianfeng WEI, Xiancai XIAO, Haiting ZHU, Bingfeng XU. Confirmation method for the detection of malicious encrypted traffic with data privacy protection [J]. Journal on Communications, 2022, 43(2): 156-170.
[8]	Yifeng WANG, Yuanbo GUO, Qingli CHEN, Chen FANG, Renhao LIN. Method based on contrastive learning for fine-grained unknown malicious traffic classification [J]. Journal on Communications, 2022, 43(10): 12-25.
[9]	Zhibin FENG, Yuhua XU, Zhiyong DU, Xin LIU, Wen LI, Hao HAN, Xiaobo ZHANG. Active defense technology against intelligent jammer [J]. Journal on Communications, 2022, 43(10): 42-54.
[10]	Yanhui LU, Han LIU, Hang LI, Guangxu ZHU. Time series generation model based on multi-discriminator generative adversarial network [J]. Journal on Communications, 2022, 43(10): 167-176.
[11]	Kai MEI, Haitao ZHAO, Xiaoran LIU, Jun LIU, Jun XIONG, Baoquan REN, Jibo WEI. Efficient model-and-data based channel estimation algorithm [J]. Journal on Communications, 2022, 43(1): 59-70.
[12]	Changgen PENG, Ting GAO, Huilan LIU, Hongfa DING. PCA-based membership inference attack for machine learning models [J]. Journal on Communications, 2022, 43(1): 149-160.
[13]	Futai ZOU, Yue TAN, Lin WANG, Yongkang JIANG. Botnet detection based on generative adversarial network [J]. Journal on Communications, 2021, 42(7): 95-106.
[14]	Hongbin ZHANG, Yan YIN, Dongmei ZHAO, Bin LIU. Network security situational awareness model based on threat intelligence [J]. Journal on Communications, 2021, 42(6): 182-194.
[15]	Jiawen DIAO, Binxing FANG, Xiang CUI, Zhongru WANG, Ruiling GAN, Lin FENG, Hai JIANG. Survey of DNS covert channel [J]. Journal on Communications, 2021, 42(5): 164-178.