Please wait a minute...
浙江大学学报(工学版)  2017, Vol. 51 Issue (9): 1780-1787    DOI: 10.3785/j.issn.1008-973X.2017.09.012
罗友强1, 刘胜利1, 颜猛2, 武东英1
1. 数学工程与先进计算国家重点实验室, 河南 郑州 450001;
2. 西安报业传媒集团, 陕西 西安 710002
DNS tunnel Trojan detection method based on communication behavior analysis
LUO You-qiang1, LIU Sheng-li1, YAN Meng2, WU Dong-ying1
1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China;
2. Xi'an Newspaper Media Group, Xi'an 710002, China
 全文: PDF(1843 KB)   HTML



The traditional DNS tunneling detection method based on load analysis and traffic monitoring has high false positive rate and can not effectively cope with the new DNS tunnel Trojan horse. Therefore, a DNS tunnel Trojan detection method based on communication behavior analysis was proposed. First, the difference between DNS tunnel Trojan communication behavior and normal DNS parsing behavior from the point of view of DNS sessions was analyzed. Second, seven features of DNS tunnel Trojan sessions were extracted, which composed DNS session evaluation vector. Then, DNS session evaluation vector classifiers using the random forest classification algorithm was approached; a DNS tunnel detection model based on communication behavior analysis was constructed. The experimental results show that this method not only has small false positive rate and low false negative rate, but also has high detection ability for unknown DNS tunnel Trojans.

收稿日期: 2016-11-18 出版日期: 2017-08-25
CLC:  TP393.08  


通讯作者: 刘胜利,男,教授     E-mail:
作者简介: 罗友强(1991-),男,硕士生,从事信息安全、网络对抗研究
E-mail Alert


罗友强, 刘胜利, 颜猛, 武东英. 基于通信行为分析的DNS隧道木马检测方法[J]. 浙江大学学报(工学版), 2017, 51(9): 1780-1787.

LUO You-qiang, LIU Sheng-li, YAN Meng, WU Dong-ying. DNS tunnel Trojan detection method based on communication behavior analysis. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2017, 51(9): 1780-1787.


[1] KAMINSKY D. Black Ops of DNS[EB/OL]. (2004-12-27)[2016-09-05].
[2] RAMAN D, DE SUTTER B, COPPENS B, et al. DNS tunneling for network penetration[C]//Information Security and Cryptology:ICISC 2012. Berlin Heidelberg:Springer, 2012:65-77.
[3] GRUNZWEIG J, SCOTT M, LEE B, et al. New wekby attacks use DNS requests as command and control mechanism[EB/OL]. (2016-05-24)[2016-09-15].
[4] SKOUDIS E. The six most dangerous new attack techniques and what's coming next[EB/OL]. (2012-08-29)[2016-09-05].
[5] FARNHAM G, ATLASIS A. Detecting DNS tunneling[J]. SANS Institute InfoSec Reading Room, 2013(9):1-32.
[6] BUTLER P, XU K, YAO D D. Quantitatively analyzing stealthy communication channels[C]//International Conference on Applied Cryptography and Network Security. Berlin Heidelberg:Springer, 2011:238-254.
[7] BORN K, GUSTAFSON D. Detecting dns tunnelsusing character frequencyanalysis[J]. Corr, 2010,4(358):2567-2573.
[8] BORN K, GUSTAFSON D. NgViz:detecting DNS tunnels through n-gram visualization and quantitativeanalysis[C]//Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research. Oak Ridge:ACM. 2010:1-4.
[9] QI C, CHEN X, XU C, et al. A bigram based real time DNS tunnel detection approach[J]. Procedia Computer Science, 2013, 17(110):852-860.
[10] ELLENS W, URANIEWSKI P, SPEROTTO A, et al. Flow-based detection of DNS tunnels[C]//IFIP International Conference on Autonomous Infrastructure, Management and Security. Barcelona:AIMS, 2013:124-135.
[11] ICHISE H, JIN Y, ⅡDA K. Analysis of via-resolver DNS TXT queries and detection possibility of botnet communications[C]//2015 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM). Victoria:IEEE, 2015:216-221.
[12] 章思宇,邹福泰,王鲁华,等. 基于DNS的隐蔽通道流量检测[J]. 通信学报,2013,34(5):143-151. ZHANG Si-yu, ZOU Fu-tai, WANG Lu-hua, et al. Detecting DNS-based covert channel on live traffic[J]. Journal on Communications, 2013, 34(5):143-151.
[13] RON. DNScat2[EB/OL]. (2016-09-07)[2016-9-15].
[14] 赵博,郭虹,刘勤让,等.基于加权累积和检验的加密流量盲识别算法[J].软件学报,2013, 24(6):1334-1345. ZHAO Bo, GUO Hong, LIU Qin-rang, et al. Protocol independent identification of encrypted traffic based on weighted cumulative sum test[J]. Journal of Software, 2013, 24(6):1334-1345.
[15] LI J J, subDomainBrute[EB/OL]. (2015-04-01)[2016-10-05].
[16] YANG Z R. Classification and regression trees, random forest algorithm[M]//Machine Learning Approaches to Bioinformatics. 2015:120-132.
[17] SVETNIK V, LIAW A, TONG C, et al. Random forest:a classification and regression tool for compound classification and QSAR modeling[J]. Journal of chemical information and computer sciences, 2003, 43(6):1947-1958.
[18] JOHNSON R W. An introduction to the bootstrap[J]. Teaching Statistics, 2001, 23(2):49-54.
[19] AHHH, DNShell v1.7[EB/OL]. (2015-10-11)[2016-10-02].
[20] MUDGE R, Cobalt strike 3.4-operational details[EB/OL]. (2016-07-29)[2016-09-17].

No related articles found!