Detection of DNS tunnels based on log statistics features
Qi WANG 1, Kun XIE 1, Yan MA 1,*, Qun CONG 2
1. Information Network Center, Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China; 2. Beijing Wrdtech Co. Ltd, Beijing 100876, China
Abstract DNS server logs were used as the data source. For each second-level domain, multi-dimensional statistical features were extracted from the logs, such as the entropy of the domain, the number of subdomains, and the cache hit rate, and the logs were thereby quantized into a feature vector set that served as the training data. A random forest model was trained on these vectors, its parameters were tuned by ten-fold cross-validation, and the model was optimized to improve overall detection accuracy. Finally, comparative experiments were run with different classification algorithms, and the results were compared with existing research methods. The experimental results show that the proposed detection method achieved an accuracy of not less than 90% at a recall rate of 98.5%, an improvement in detection accuracy; thus the proposed algorithm can effectively detect DNS tunnels.
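The feature extraction the abstract describes, as an added example that is not code from the paper: per-second-level-domain statistics (entropy, number of distinct subdomains, cache hit rate, query count) computed from DNS query log lines. The log format (epoch, client, qname, qtype, cache-hit flag) and the log lines themselves are constructed for this example; the second-level domain is taken as the last two labels (no public-suffix handling), the entropy is the Shannon character entropy over the distinct subdomain prefixes seen under each domain (one reasonable reading of "entropy of the domain"), and the final threshold rule is a hypothetical stand-in for the paper's trained random forest, whose feature vectors this code would feed.

```python
"""Per-second-level-domain log-statistics features for DNS tunnel detection."""
import math
from collections import defaultdict

# Constructed sample query log (not from the paper or any real server).
# Assumed one-query-per-line format: <epoch> <client-ip> <qname> <qtype> <cache-hit 0|1>
SAMPLE_LOG = """\
1600000001 10.0.0.5 www.example.com A 1
1600000002 10.0.0.6 www.example.com A 1
1600000003 10.0.0.7 mail.example.com MX 0
1600000004 10.0.0.5 www.example.com A 1
1600000005 10.0.0.8 cdn.example.com A 1
1600000006 10.0.0.9 kr7x2ma9fj3qz0bv.t.evil-tunnel.net TXT 0
1600000007 10.0.0.9 p0wq8n4c1hs6dy5e.t.evil-tunnel.net TXT 0
1600000008 10.0.0.9 zl3v7bt2xk9ma8cq.t.evil-tunnel.net TXT 0
1600000009 10.0.0.9 u6hd1rn5gy0ew4jp.t.evil-tunnel.net TXT 0
1600000010 10.0.0.9 b2sf9ok7iv3nc8lt.t.evil-tunnel.net TXT 1
1600000011 10.0.0.9 q4mz0xa6rd1uh5we.t.evil-tunnel.net TXT 0
"""

FEATURE_ORDER = ("queries", "subdomains", "cache_hit_rate", "entropy")


def second_level_domain(qname):
    """Last two labels of the name (simplification: a public-suffix list is
    needed in production so that e.g. host.example.co.uk is grouped correctly)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_prefix(qname, sld):
    """Everything left of the SLD: 'www' for www.example.com, '' for a bare SLD."""
    name = qname.rstrip(".").lower()
    return name[: -len(sld)].rstrip(".")


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def extract_features(log_text):
    """Aggregate query log lines into one feature dict per second-level domain."""
    acc = defaultdict(lambda: {"queries": 0, "hits": 0, "prefixes": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or malformed line: skip rather than crash on real logs
        _ts, _client, qname, _qtype, hit = fields
        sld = second_level_domain(qname)
        rec = acc[sld]
        rec["queries"] += 1
        rec["hits"] += 1 if hit == "1" else 0
        prefix = subdomain_prefix(qname, sld)
        if prefix:
            rec["prefixes"].add(prefix)
    features = {}
    for sld, rec in acc.items():
        features[sld] = {
            "queries": rec["queries"],
            "subdomains": len(rec["prefixes"]),
            "cache_hit_rate": rec["hits"] / rec["queries"],
            # entropy over the concatenated distinct prefixes: encoded tunnel
            # payloads look near-random, ordinary hostnames do not
            "entropy": shannon_entropy("".join(sorted(rec["prefixes"]))),
        }
    return features


def to_vector(feat):
    """Fixed-order numeric vector, the form a classifier such as a random forest consumes."""
    return [feat[k] for k in FEATURE_ORDER]


def flag_tunnel_candidates(features, min_subdomains=5, max_hit_rate=0.3, min_entropy=3.5):
    """Hypothetical threshold rule standing in for a trained classifier (thresholds assumed)."""
    return sorted(
        sld for sld, f in features.items()
        if f["subdomains"] >= min_subdomains
        and f["cache_hit_rate"] <= max_hit_rate
        and f["entropy"] >= min_entropy
    )


if __name__ == "__main__":
    feats = extract_features(SAMPLE_LOG)
    for sld, f in feats.items():
        print(sld, to_vector(f))
    print("candidates:", flag_tunnel_candidates(feats))
```

On the constructed log the tunnel domain stands out on all three features at once: many distinct subdomains, a low cache hit rate (every exfiltration chunk is a fresh name the resolver has never cached), and high prefix entropy, while the legitimate domain has few hostnames that are repeatedly answered from cache. A real deployment would replace the threshold rule with the random forest trained on vectors from `to_vector` and tune it by cross-validation as the paper does.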
Received: 24 September 2019
Published: 22 September 2020
Corresponding Authors:
Yan MA
E-mail: vinchy_wq@qq.com;mayan@bupt.edu.cn
Keywords: DNS tunnel, log analysis, DNS cache, random forest, malicious domain