Journal on Communications, 2021, Vol. 42, Issue 5: 164-178. doi: 10.11959/j.issn.1000-436x.2021090
Comprehensive Reviews
Jiawen DIAO1, Binxing FANG1,2, Xiang CUI2, Zhongru WANG3, Ruiling GAN1, Lin FENG2, Hai JIANG4
Revised: 2021-03-24
Online: 2021-05-25
Published: 2021-05-01
Jiawen DIAO, Binxing FANG, Xiang CUI, Zhongru WANG, Ruiling GAN, Lin FENG, Hai JIANG. Survey of DNS covert channel[J]. Journal on Communications, 2021, 42(5): 164-178.
| Year | Malware | Subdomain construction (encoding) | Length (chars) | Domain |
|---|---|---|---|---|
| 2016 | Helminth | 00<SysI><FN><SeqN><RN><ED> (Hex) | 48 | go0gie.com |
| 2017 | ALMA Dot | <RN>.IDID.<Vid>.<SeqN>.<TSeqN>.<ED>.<FN> (Base16) | 60 | newusers.tk |
| 2017 | ISMAgent | <ED><SeqN>.d.<Vid> (Base64) | 13 | ntpupdateserver.com |
| 2017 | BONUPDATER | <RN>4<SeqN><SysI>B007 (Base16) | 50 | poison-frog.club |
| 2017 | ALMA Dash | <RN>ID<Vid>-<SeqN>-<TN>-<ED>-<FN> (Base16) | 20 | prosalar.com |
| 2018 | QUADAGENT | <ED>.<RN> (Base64) | 60 | acrobatverify.com |
| 2020 | RDAT | <ED>.<EM><KEY> (Base32 or Base64) | 16 | rsshay.com |

Note: <SysI> is the system identifier, <FN> the file name, <SeqN> the sequence number, <TSeqN> the total number of sequences, <RN> a random number, <ED> the encoded data to be transmitted, <EM> the encoding method, <Vid> the victim device ID, <TN> the total number of packets and <KEY> the encryption key.
| Year | Malware name | Response record (encoding) | Connection mode |
|---|---|---|---|
| 2011 | Feederbot | TXT | Relay |
| 2011 | Morto | TXT | Relay |
| 2014 | FrameworkPOS | A | Relay |
| 2015 | HTTPBrowser | TXT | Relay |
| 2016 | Pisloader | TXT, Base32 | Relay |
| 2016 | C3PRO-RACCOON | CNAME, Base64 | Relay |
| 2016 | Helminth | A | Relay |
| 2017 | Denis | NULL, Base64 | Relay |
| 2017 | Goopy | TXT, Base64 | Direct |
| 2017 | Matroyshka | A | Relay |
| 2017 | POWERSOURCE | TXT | Relay |
| 2017 | Ebury | A, TXT | Relay |
| 2017 | ALMA Communicator | A | Relay |
| 2017 | ISMAGENT | AAAA | Relay |
| 2018 | BONDUPDATER | A, TXT | Relay |
| 2018 | QUADAGENT | AAAA | Relay |
| 2018 | RogueRobin | A, AAAA, TXT, CNAME, MX, etc. | Relay |
| 2019 | Glimpse | A, TXT | Relay |
| 2020 | RDAT | A, AAAA, TXT | Relay |
| Year | Tool | Record types used | Platform |
|---|---|---|---|
| 2004 | OzymanDNS | TXT | Linux, Windows |
| 2004 | Dnscat-P/Dnscat2 | A, CNAME | Unix |
| 2006 | Iodine | A, CNAME, TXT, MX, SRV, NULL, PRIVATE, etc. | Linux, Mac OS X, Windows |
| 2007 | TUNS | CNAME | Linux |
| 2008 | Dns2tcp | TXT, KEY | Linux, Windows |
| 2008 | tcp-over-dns | TXT | Windows, Linux and Solaris |
| 2009 | Heyoka | TXT, NULL | Windows |
| 2011 | DNScapy | CNAME, TXT | Linux |
| 2015 | Your Freedom | CNAME, TXT, MX, NULL, WKX | Windows, Mac OS X, Linux and Android |
| 2015 | ReverseDns Shell | A, TXT | Windows, Mac OS X, Linux |
| 2018 | DNSExfiltrator | TXT | Linux, Windows |
| 2019 | DNSlivery | TXT | Linux, Windows |
| Year | Reference | Method | Training set | Test set | Purpose | Result |
|---|---|---|---|---|---|---|
| 2013 | Ref. [ | J48 decision tree, naive Bayes and logistic regression | Iodine, Dns2tcp, DNSCat, tcp-over-dns, PSUDP | Iodine, Dns2tcp, DNSCat, tcp-over-dns, PSUDP, plus OzymanDNS and Heyoka | Binary classification on known and unknown datasets | J48 decision tree has the largest AUC (best average performance); detection rate 95.6%, false positive rate 0.15% |
| 2016 | Ref. [ | Random forest | Iodine, DNSCat2, Cobalt Strike | Iodine, DNSCat2, Cobalt Strike, Pick Pocket | Binary classification on known and unknown datasets | Known datasets: 99.92%; unknown datasets: 95.89% |
| 2017 | Ref. [ | Support vector machine, decision tree and logistic regression | Dnscat2, Iodine, Dns2tcp, OzymanDNS | Dnscat2, Iodine, Dns2tcp, OzymanDNS | Binary classification on known datasets | SVM performs best: accuracy 99.96%, precision 99.98%, recall 99.93% |
| 2018 | Ref. [ | Multi-label support vector machine (kernel SVM) | Iodine, Dns2tcp | Iodine, Dns2tcp | Multi-class classification on known datasets | Kernel SVM performs better: average precision 0.795, recall 0.8056, F-measure 0.800028 |
| 2019 | Ref. [ | iForest | Benign traffic | Iodine, Dns2tcp, FrameworkPOS, Backdoor.Win32.Denis | Anomaly detection model | Threshold 0.653, detection rate 100% |
| 2020 | Ref. [ | iForest | Benign traffic | DET, Iodine, BernhardPOS, DNSMessenger, FrameworkPOS, DNSpoinage | Binary classification on unknown data | Accuracy 99.50%, false positive rate 0.55% |
| Year | Reference | Method | Training set | Test set | Purpose | Result |
|---|---|---|---|---|---|---|
| 2019 | Ref. [ | CNN | Iodine, Dns2tcp, Dnscat2, OzymanDNS, Reverse_DNS_hell | Iodine, Dns2tcp, Dnscat2, OzymanDNS, Reverse_DNS_hell | Binary classification on known datasets | Accuracy 99.98%, precision 1.00, recall 99.96%, F1-score 0.9998 |
| 2020 | Ref. [ | Improved CNN (RDCC-CNN) | DNSCat, Iodine, PSUDP, Dns2tcp, tcp-over-dns | DNSCat, Iodine, PSUDP, Dns2tcp, tcp-over-dns | Binary classification on known datasets | Accuracy 99.50%, false positive rate 0.55% |
[1] MOCKAPETRIS P V. Domain names: implementation and specification[R]. RFC Editor, 1987.
[2] HINCHLIFFE A. DNS tunneling: how DNS can be (ab)used by malicious actors[R]. Unit42, 2019.
[3] PISCITELLO D. What is a DNS covert channel?[R]. ICANN, 2016.
[4] ARENDS R. Domain name system (DNS) parameters[R]. IANA, 2020.
[5] Black Lotus Labs. Alina point of sale malware still lurking in DNS[R]. LUMEN, 2020.
[6] KREMEZ V. FIN6 "FrameworkPOS": point-of-sale malware analysis & internals[R]. Sentinel LABS, 2019.
[7] REAVES J. Anchor project for Trickbot adds ICMP[R]. Sentinel LABS, 2020.
[8] BARBEHENN B. Threat assessment: Ryuk ransomware and Trickbot targeting U.S. healthcare and public health sector[R]. Unit42, 2020.
[9] FALCONE R. xHunt campaign: newly discovered backdoors using deleted email drafts and DNS tunneling for command and control[R]. Unit42, 2020.
[10] FALCONE R. OilRig targets middle eastern telecommunications organization and adds novel C2 channel with steganography to its inventory[R]. Unit42, 2020.
[11] EKMAN E. Iodine[R]. GitHub, 2021.
[12] ANDERSSON B. Iodine[R]. kryo.se, 2014.
[13] ARNO0X. DNSExfiltrator[R]. GitHub, 2017.
[14] RON. Dnscat2[R]. Skullsecurity, 2019.
[15] BORGES D. Reverse_DNS_shell[R]. GitHub, 2015.
[16] MILLER T. Reverse DNS tunneling staged loading shellcode[R]. Black Hat, 2008.
[17] DEMBOUR O. Dns2tcp[R]. GitHub, 2017.
[18] CIMPANU C. Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)[R]. ZDNet, 2020.
[19] WINNTI GROUP: insights from the past[R]. Quointelligence, 2020.
[20] PAGANINI P. China-linked Winnti APT targets South Korean gaming firm[R]. Securityaffairs, 2020.
[21] Application layer protocol: DNS[R]. MITRE ATT&CK, 2020.
[22] DIETRICH C J, ROSSOW C, FREILING F C, et al. On botnets that use DNS for command and control[C]// 2011 Seventh European Conference on Computer Network Defense. Piscataway: IEEE Press, 2011: 9-16.
[23] GRUNZWEIG J. New Wekby attacks use DNS requests as command and control mechanism[R]. Unit42, 2016.
[24] Global Research and Analysis Team. The ProjectSauron APT[R]. Kaspersky, 2016.
[25] SEALS T. OilRig APT drills into malware innovation with unique backdoor[R]. Unit42, 2020.
[26] WILHOIT K. OilRig uses updated BONDUPDATER to target middle eastern government[R]. Unit42, 2018.
[27] SZERB T. NSTX[R]. Nongnu, 2002.
[28] KAMINSKY D. Black ops of DNS[R]. Black Hat USA, 2004.
[29] REVELLI A. Introducing Heyoka: DNS tunneling 2.0[R]. SOURCE Boston, 2009.
[30] BORN K. PSUDP: a passive approach to network-wide covert communication[J]. Black Hat USA, 2010.
[31] Morto worm sets a (DNS) record[R]. Symantec, 2011.
[32] PEARSON O. DNS tunnel-through bastion hosts[R]. Gray-world.net, 1998.
[33] REVELLI A. Playing with Heyoka: spoofed tunnels, undetectable data exfiltration and more fun with DNS packets[R]. Shakacon, 2009.
[34] BORN K. PSUDP: passive network covert communication slides[R]. Black Hat USA, 2010.
[35] BROMBERGER S. DNS as a covert channel within protected networks[R]. NESCO, 2011.
[36] XU K, BUTLER P, SAHA S, et al. DNS for massive-scale command and control[J]. IEEE Transactions on Dependable and Secure Computing, 2013, 10(3): 143-153.
[37] New Framework POS variant exfiltrates data via DNS requests[R]. GDATA, 2014.
[38] FALCONE R. DNS tunneling in the wild: overview of OilRig's DNS tunneling[R]. Unit42, 2019.
[39] PAGANINI P. APT34: Glimpse project[R]. Securityaffairs, 2019.
[40] LEE B. Behind the scenes with OilRig[R]. Unit42, 2019.
[41] PAXSON V, CHRISTODORESCU M, JAVED M, et al. Practical comprehensive bounds on surreptitious communication over DNS[C]// 22nd USENIX Security Symposium. Berkeley: USENIX Association, 2013: 17-32.
[42] BARR D. Common DNS operational and configuration errors[R]. RFC Editor, 1996.
[43] BORN K, GUSTAFSON D. Detecting DNS tunnels using character frequency analysis[J]. arXiv preprint, arXiv:1004.4358, 2010.
[44] KARASARIDIS A, MEIER-HELLSTERN K, HOEFLIN D. NIS04-2: detection of DNS anomalies using flow data analysis[C]// IEEE Globecom. Piscataway: IEEE Press, 2006: 1-6.
[45] ELLENS W, ŻURANIEWSKI P, SPEROTTO A, et al. Flow-based detection of DNS tunnels[C]// IFIP International Conference on Autonomous Infrastructure, Management and Security. Berlin: Springer, 2013: 124-135.
[46] KARA A M, BINSALLEEH H, MANNAN M, et al. Detection of malicious payload distribution channels in DNS[C]// 2014 IEEE International Conference on Communications. Piscataway: IEEE Press, 2014: 853-858.
[47] FARNHAM G. Detecting DNS tunneling[R]. SANS, 2013.
[48] BILGE L, KIRDA E, KRUEGEL C, et al. EXPOSURE: finding malicious domains using passive DNS analysis[C]// Proceedings of the Network and Distributed System Security Symposium. [S.l.: s.n.], 2011: 1-17.
[49] BILGE L, SEN S, BALZAROTTI D, et al. Exposure[J]. ACM Transactions on Information and System Security, 2014, 16(4): 1-28.
[50] AIELLO M, MONGELLI M, PAPALEO G. Basic classifiers for DNS tunneling detection[C]// 2013 IEEE Symposium on Computers and Communications. Piscataway: IEEE Press, 2013: 880-885.
[51] ZHANG S Y, ZOU F T, WANG L H, et al. Detecting DNS-based covert channel on live traffic[J]. Journal on Communications, 2013, 34(5): 143-151. (in Chinese)
[52] BUCZAK A L, HANKE P A, CANCRO G J, et al. Detection of tunnels in PCAP data by random forests[C]// Proceedings of the 11th Annual Cyber and Information Security Research Conference. New York: ACM Press, 2016: 1-4.
[53] LIU J K, LI S H, ZHANG Y Z, et al. Detecting DNS tunnel through binary-classification based on behavior features[C]// 2017 IEEE Trustcom/BigDataSE/ICESS. Piscataway: IEEE Press, 2017: 339-346.
[54] ALMUSAWI A, AMINTOOSI H. DNS tunneling detection method based on multilabel support vector machine[J]. Security and Communication Networks, 2018: 1-9.
[55] HOMEM I, PAPAPETROU P, DOSIS S. Information-entropy-based DNS tunnel prediction[C]// IFIP International Conference on Digital Forensics. Geneva: IFIP Newsletter, 2018: 127-140.
[56] SHAN K K, GUO Y, CHEN W Z, et al. Detection of DNS tunneling based on combined classification algorithm model[J]. Journal on Communications, 2018, 39(S1): 53-57. (in Chinese)
[57] NADLER A, AMINOV A, SHABTAI A. Detection of malicious and low throughput data exfiltration over the DNS protocol[J]. Computers & Security, 2019, 80: 36-53.
[58] AHMED J, GHARAKHEILI H H, RAZA Q, et al. Monitoring enterprise DNS queries for detecting data exfiltration from internal hosts[J]. IEEE Transactions on Network and Service Management, 2020, 17(1): 265-279.
[59] HIND J. Catching DNS tunnels with A.I.[R]. Defcon, 2009.
[60] LIU C, DAI L, CUI W J, et al. A byte-level CNN method to detect DNS tunnels[C]// 2019 IEEE 38th International Performance Computing and Communications Conference. Piscataway: IEEE Press, 2019: 1-8.
[61] ZHANG M, SUN H L, YANG P. Identification of DNS covert channel based on improved convolutional neural network[J]. Journal on Communications, 2020, 41(1): 169-179. (in Chinese)
[62] WU K M, ZHANG Y Z, YIN T. TDAE: autoencoder-based automatic feature learning method for the detection of DNS tunnel[C]// 2020 IEEE International Conference on Communications. Piscataway: IEEE Press, 2020: 1-7.