Please wait a minute...
浙江大学学报(工学版)
JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE)  2017, Vol. 51 Issue (9): 1780-1787    DOI: 10.3785/j.issn.1008-973X.2017.09.012
Computer Technology     
DNS tunnel Trojan detection method based on communication behavior analysis
LUO You-qiang1, LIU Sheng-li1, YAN Meng2, WU Dong-ying1
1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China;
2. Xi'an Newspaper Media Group, Xi'an 710002, China
Download:   PDF(1843KB) HTML
Export: BibTeX | EndNote (RIS)      

Abstract  

The traditional DNS tunneling detection method based on load analysis and traffic monitoring has high false positive rate and can not effectively cope with the new DNS tunnel Trojan horse. Therefore, a DNS tunnel Trojan detection method based on communication behavior analysis was proposed. First, the difference between DNS tunnel Trojan communication behavior and normal DNS parsing behavior from the point of view of DNS sessions was analyzed. Second, seven features of DNS tunnel Trojan sessions were extracted, which composed DNS session evaluation vector. Then, DNS session evaluation vector classifiers using the random forest classification algorithm was approached; a DNS tunnel detection model based on communication behavior analysis was constructed. The experimental results show that this method not only has small false positive rate and low false negative rate, but also has high detection ability for unknown DNS tunnel Trojans.

Received: 18 November 2016      Published: 25 August 2017
CLC:  TP393.08  
Service
E-mail this article
Add to my bookshelf
Add to citation manager
E-mail Alert
RSS
Articles by authors
Cite this article:

LUO You-qiang, LIU Sheng-li, YAN Meng, WU Dong-ying. DNS tunnel Trojan detection method based on communication behavior analysis. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2017, 51(9): 1780-1787.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2017.09.012     OR     http://www.zjujournals.com/eng/Y2017/V51/I9/1780


基于通信行为分析的DNS隧道木马检测方法

传统基于载荷分析和流量监测的DNS隧道检测手段误报率高且不能有效应对新型DNS隧道木马,为此提出一种基于通信行为分析的DNS隧道木马检测方法.从DNS会话的视角对比分析DNS隧道木马通信行为与正常DNS解析行为的差异性,提取7个DNS隧道木马属性,组成DNS会话评估向量,采用随机森林分类算法构建DNS会话评估向量检测分类器,建立基于通信行为分析的DNS隧道木马检测模型.实例测试结果表明:该方法误报率小,漏报率低,对未知的DNS隧道木马同样具有很高的检测能力.

[1] KAMINSKY D. Black Ops of DNS[EB/OL]. (2004-12-27)[2016-09-05]. https://events.ccc.de/congress/2004/fahrplan/event/121.de.html.
[2] RAMAN D, DE SUTTER B, COPPENS B, et al. DNS tunneling for network penetration[C]//Information Security and Cryptology:ICISC 2012. Berlin Heidelberg:Springer, 2012:65-77.
[3] GRUNZWEIG J, SCOTT M, LEE B, et al. New wekby attacks use DNS requests as command and control mechanism[EB/OL]. (2016-05-24)[2016-09-15]. http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism.
[4] SKOUDIS E. The six most dangerous new attack techniques and what's coming next[EB/OL]. (2012-08-29)[2016-09-05]. https://blogs.sans.org/pentesting/?les/2012/03/RSA-2012-EXP-108-Skoudis-Ullrich.pdf.
[5] FARNHAM G, ATLASIS A. Detecting DNS tunneling[J]. SANS Institute InfoSec Reading Room, 2013(9):1-32.
[6] BUTLER P, XU K, YAO D D. Quantitatively analyzing stealthy communication channels[C]//International Conference on Applied Cryptography and Network Security. Berlin Heidelberg:Springer, 2011:238-254.
[7] BORN K, GUSTAFSON D. Detecting dns tunnelsusing character frequencyanalysis[J]. Corr, 2010,4(358):2567-2573.
[8] BORN K, GUSTAFSON D. NgViz:detecting DNS tunnels through n-gram visualization and quantitativeanalysis[C]//Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research. Oak Ridge:ACM. 2010:1-4.
[9] QI C, CHEN X, XU C, et al. A bigram based real time DNS tunnel detection approach[J]. Procedia Computer Science, 2013, 17(110):852-860.
[10] ELLENS W, URANIEWSKI P, SPEROTTO A, et al. Flow-based detection of DNS tunnels[C]//IFIP International Conference on Autonomous Infrastructure, Management and Security. Barcelona:AIMS, 2013:124-135.
[11] ICHISE H, JIN Y, ⅡDA K. Analysis of via-resolver DNS TXT queries and detection possibility of botnet communications[C]//2015 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM). Victoria:IEEE, 2015:216-221.
[12] 章思宇,邹福泰,王鲁华,等. 基于DNS的隐蔽通道流量检测[J]. 通信学报,2013,34(5):143-151. ZHANG Si-yu, ZOU Fu-tai, WANG Lu-hua, et al. Detecting DNS-based covert channel on live traffic[J]. Journal on Communications, 2013, 34(5):143-151.
[13] RON. DNScat2[EB/OL]. (2016-09-07)[2016-9-15]. https://github.com/iagox86/dnscat2
[14] 赵博,郭虹,刘勤让,等.基于加权累积和检验的加密流量盲识别算法[J].软件学报,2013, 24(6):1334-1345. ZHAO Bo, GUO Hong, LIU Qin-rang, et al. Protocol independent identification of encrypted traffic based on weighted cumulative sum test[J]. Journal of Software, 2013, 24(6):1334-1345.
[15] LI J J, subDomainBrute[EB/OL]. (2015-04-01)[2016-10-05]. https://github.com/lijiejie/subDomainsBrute.
[16] YANG Z R. Classification and regression trees, random forest algorithm[M]//Machine Learning Approaches to Bioinformatics. 2015:120-132.
[17] SVETNIK V, LIAW A, TONG C, et al. Random forest:a classification and regression tool for compound classification and QSAR modeling[J]. Journal of chemical information and computer sciences, 2003, 43(6):1947-1958.
[18] JOHNSON R W. An introduction to the bootstrap[J]. Teaching Statistics, 2001, 23(2):49-54.
[19] AHHH, DNShell v1.7[EB/OL]. (2015-10-11)[2016-10-02]. https://github.com/ahhh/Reverse_DNS_Shell.
[20] MUDGE R, Cobalt strike 3.4-operational details[EB/OL]. (2016-07-29)[2016-09-17]. http://blog.cobaltstrike.com/cate-gory/cobalt-strike-2.
No related articles found!