Journal of Zhejiang University (Engineering Science)  2017, Vol. 51 Issue (9): 1780-1787    DOI: 10.3785/j.issn.1008-973X.2017.09.012
Computer Technology
DNS tunnel Trojan detection method based on communication behavior analysis
LUO You-qiang (罗友强)1, LIU Sheng-li (刘胜利)1, YAN Meng (颜猛)2, WU Dong-ying (武东英)1
1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, Henan 450001, China;
2. Xi'an Newspaper Media Group, Xi'an, Shaanxi 710002, China
Abstract:

Traditional DNS tunnel detection based on payload analysis and traffic monitoring has a high false positive rate and cannot cope effectively with new DNS tunnel Trojans. A DNS tunnel Trojan detection method based on communication behavior analysis is therefore proposed. First, the communication behavior of DNS tunnel Trojans is compared with normal DNS resolution behavior from the perspective of a DNS session. Second, seven DNS tunnel Trojan attributes are extracted from each session to form a DNS session evaluation vector. Then a classifier for these evaluation vectors is trained with the random forest algorithm, which yields a DNS tunnel Trojan detection model based on communication behavior analysis. Experimental results show that the method has a low false positive rate and a low false negative rate, and that it also detects previously unknown DNS tunnel Trojans with high accuracy.
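To make the session-level idea concrete, the following Python is an added example written for this page; it is not the paper's code, and the paper's seven attributes are not reproduced here, so the feature set, the session key (one client talking to one registered domain), the record-type list and the thresholds are the editor's own illustrative assumptions. The sample log is constructed. Where the paper trains a random forest on labelled sessions, this example uses a transparent count-of-indicators rule so that it runs with the standard library only; the same feature vectors could be fed to a trained classifier instead.

```python
"""Session-level DNS tunnel features from a constructed resolver log (added example)."""
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): "<epoch> <client> <qname> <qtype> <answer_bytes>"
SAMPLE_LOG = """\
1500000000.0 10.0.0.5 www.example.com A 60
1500000000.5 10.0.0.5 www.example.com A 60
1500000004.0 10.0.0.5 cdn.example.com A 72
1500000030.0 10.0.0.5 mail.example.com MX 90
1500000000.0 10.0.0.7 6a1f.k0.d4c8e9f1a2b3c4d5e6f7a8b9c0d1e2f3.t.tunnel-example.net TXT 240
1500000000.2 10.0.0.7 6a20.k0.0f9e8d7c6b5a4938271605f4e3d2c1b0.t.tunnel-example.net TXT 240
1500000000.4 10.0.0.7 6a21.k0.a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0.t.tunnel-example.net TXT 240
1500000000.6 10.0.0.7 6a22.k0.deadbeef0123456789abcdef01234567.t.tunnel-example.net TXT 240
1500000000.8 10.0.0.7 6a23.k0.cafebabe9876543210fedcba98765432.t.tunnel-example.net TXT 240
"""

# Record types with room for a tunnel downlink (assumption, not the paper's list).
BULK_QTYPES = {"TXT", "NULL", "CNAME"}

# Illustrative thresholds standing in for the paper's trained random forest (assumption).
THRESHOLDS = {
    "mean_sub_len": 30.0,     # tunnels encode data into long subdomain labels
    "unique_ratio": 0.9,      # almost every tunnel query is a never-seen-before name
    "mean_entropy": 3.0,      # encoded payload looks random
    "bulk_qtype_ratio": 0.5,  # downlink needs roomy record types
    "max_mean_gap": 1.0,      # polling or bulk transfer keeps queries close together
}
MIN_INDICATORS = 3


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Last two labels; production code would consult a public-suffix list (assumption)."""
    return ".".join(qname.split(".")[-2:])


def subdomain_part(qname):
    """Everything left of the registered domain, e.g. 'www' for www.example.com."""
    return qname[: -len(registered_domain(qname))].rstrip(".")


def parse_log(text):
    """Parse the whitespace-separated log format defined above into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, size = line.split()
        records.append((float(ts), client, qname.lower().rstrip("."), qtype.upper(), int(size)))
    return records


def group_sessions(records):
    """A DNS session here is one client talking to one registered domain (assumption)."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[(rec[1], registered_domain(rec[2]))].append(rec)
    return {key: sorted(recs) for key, recs in sessions.items()}


def session_vector(recs):
    """Behavioural feature vector for one time-ordered session."""
    n = len(recs)
    subs = [subdomain_part(r[2]) for r in recs]
    gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
    return {
        "queries": n,
        "mean_sub_len": sum(map(len, subs)) / n,
        "unique_ratio": len({r[2] for r in recs}) / n,
        "mean_entropy": sum(map(shannon_entropy, subs)) / n,
        "bulk_qtype_ratio": sum(r[3] in BULK_QTYPES for r in recs) / n,
        "mean_gap": sum(gaps) / len(gaps) if gaps else 0.0,
        "mean_answer_bytes": sum(r[4] for r in recs) / n,
    }


def is_tunnel(vec):
    """Count indicators over their thresholds; flag the session when enough agree."""
    hits = (
        (vec["mean_sub_len"] > THRESHOLDS["mean_sub_len"])
        + (vec["unique_ratio"] > THRESHOLDS["unique_ratio"])
        + (vec["mean_entropy"] > THRESHOLDS["mean_entropy"])
        + (vec["bulk_qtype_ratio"] > THRESHOLDS["bulk_qtype_ratio"])
        + (vec["queries"] >= 5 and vec["mean_gap"] < THRESHOLDS["max_mean_gap"])
    )
    return hits >= MIN_INDICATORS


def analyse(text):
    """Map (client, registered domain) -> (feature vector, flagged?)."""
    result = {}
    for key, recs in group_sessions(parse_log(text)).items():
        vec = session_vector(recs)
        result[key] = (vec, is_tunnel(vec))
    return result


if __name__ == "__main__":
    for (client, domain), (vec, flagged) in analyse(SAMPLE_LOG).items():
        print(f"{client:10} {domain:22} {'TUNNEL' if flagged else 'benign':7} {vec}")
```

A single indicator is easy to evade (short labels, slow polling, A records only), which is why the rule requires several to agree; the paper's random forest plays the same role with learned rather than hand-set thresholds. The registered-domain approximation is the weakest part of the session key: a tunnel under a two-level public suffix such as co.uk would be split across sessions unless a public-suffix list is used.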

Received: 2016-11-18  Published: 2017-08-25
CLC:  TP393.08  
Funding:

National Key Research and Development Program of China (2016YFB0801505, 2016YFB0801601); National Natural Science Foundation of China (61271252).

Corresponding author: LIU Sheng-li, male, professor. orcid.org/0000-0003-4705-3209. E-mail: 475737@qq.com
About the first author: LUO You-qiang (born 1991), male, master's student, researching information security and network countermeasures. orcid.org/0000-0003-2260-0624. E-mail: amydylen@sina.com

Cite this article:

LUO You-qiang, LIU Sheng-li, YAN Meng, WU Dong-ying. DNS tunnel Trojan detection method based on communication behavior analysis. Journal of Zhejiang University (Engineering Science), 2017, 51(9): 1780-1787.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2017.09.012
http://www.zjujournals.com/eng/CN/Y2017/V51/I9/1780

