基于请求域名的DNS隐蔽通道检测方法研究

doi:10.3969/j.issn.1671-1122.2019.08.011

摘要/Abstract

摘要：

文章以提升机器学习方法实时检测DNS隐蔽通道的准确率,提升机器学习模型应对未知类型DNS隐蔽通道的检测能力为研究目的,提出基于请求域名的DNS隐蔽通道检测方法。以DNS隐蔽通道为研究对象,通过研究分析DNS合法样本和隐蔽通道样本中的请求域名,充分挖掘DNS请求域名中的相关信息,结合包含域名长度、字符占比、随机性特征和语义特征在内的四类属性特征,使用机器学习算法识别DNS隐蔽通道。实验使用Iodine、Dns2tcp和DNSCat三种隐蔽通道工具产生的DNS隐蔽通道样本,结合决策树算法训练分类器,涵盖计算机网络、信息隐藏、异常检测、数据挖掘、自然语言处理等研究范围。实验结果表明,该模型的精确率、召回率、准确率以及识别未经训练的DNS隐蔽通道的能力均得到了提高。

关键词: DNS, 隐蔽通道, 请求域名, 决策树

Abstract:

In order to improve the accuracy of the machine hidden learning channel in real time, and improve the detection ability of the machine learning model to deal with the unknown type of DNS covert channel, this paper proposed a DNS covert channel detection method based on the requested domain name. Taking the DNS covert channel as the research object, through research and analysis of the request domain name in the DNS legal sample and the covert channel sample,this paper utilized relevant information in the request domain name to build features, including domain name length, character proportion, randomness feature, and semantic feature composition, then used the machine learning algorithm to detect the DNS covert channel. This paper first evaluated the proposed method using data collected from the three most commonly used DNS covert channel tools Iodine, Dns2tcp and DNSCat and trained a decision tree classifier, covering computer network, information hiding, anomaly detection, data mining, natural language processing and other research areas. Evaluation results showsthat the model’s precision, recall, accuracyand ability to identify untrained DNS covert channels have been improved.

Key words: domain name system, covert channel, request domain name, decision tree

中图分类号:

TP309

章航, 郑荣锋, 彭华, 刘嘉勇. 基于请求域名的DNS隐蔽通道检测方法研究[J]. 信息网络安全, 2019, 19(8): 76-82.

Hang ZHANG, Rongfeng ZHENG, Hua PENG, Jiayong LIU. Requested Domain Name-based DNS Covert Channel Detection[J]. Netinfo Security, 2019, 19(8): 76-82.

图/表 9

图1

表1

表2

图2

表3

图3

表4

表5

表6

参考文献 20

[1]	XU Kun.Research on DNS Convert Channel Detection Technology[D]. Chengdu: Southwest Jiaotong University, 2017.
	徐琨. DNS隐蔽通道检测技术研究[D].成都:西南交通大学,2017.
[2]	SHERIDANS, KEANEA.Detection ofDNS Based Covert Channels[C]//ACM. 14th European Conference on Cyber Warfare and Security, July 2-3, 2015, Hatfield, UK. New York: ACM, 2015: 267-275.
[3]	DAS A, SHEN M Y, SHASHANKA M, et al.Detection of Exfiltration and Tunneling over DNS[C]//IEEE. 16th IEEE International Conference on Machine Learning and Applications, December 18-21, 2017, Cancun, Mexico. New York: IEEE, 2017: 737-742.
[4]	SHI Xiaomin, LIU Fei.Analysis of Covert Channel and Monitoring Technology Based on DNS Protocol[J]. Secrecy Science and Technology, 2011, 2(4): 61-65.
	史晓敏,刘飞.浅析基于DNS协议的隐蔽通道及监测技术[J].保密科学技术,2011,2(4):61-65.
[5]	ELLENS W, ZURANIEWSKI P, SPEROTTO A, et al.Flow-Based Detection of DNS Tunnels[C]//Springer. Ifip International Conference on Autonomous Infrastructure, June 25-28, 2013, Barcelona, Spain. Berlin: Springer, 2013: 124-135.
[6]	AIELLO M, MONGELLI M, PAPALEO G.Supervised Learning Approaches with Majority Voting for DNSTunneling Detection[C]//Springer. International Joint Conference SOCO14-CISIS14-ICEUTE14, June 25-27, 2014, Bilbao, Spain. Berlin: Springer, 2014: 463-472.
[7]	WIELOGORSKAM, O’BRIEND.DNS Traffic Analysis for Botnet Detection[C]//CEUR-WS. 25th Irish Conference on Artificial Intelligence and Cognitive Science, December 7-8, 2017, Dublin, Ireland. Aachen: CEUR-WS, 2017: 261-271.
[8]	AIELLO M, MONGELLI M, PAPALEO G.DNS Tunneling Detection through Statistical Fingerprints of Protocol Messages and Machine Learning[J]. International Journal of Communication Systems, 2015, 28(14): 1987-2002.
[9]	BORN K, GUSTAFSON D.Ngviz: Detecting DNS Tunnels through N-Gram Visualization and Quantitative Analysis[C]//ACM. Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, April 21-23, 2010, Oak Ridge, Tennessee, USA. New York: ACM, 2010: 47.
[10]	DAVUTH N, KIM S R.Classification of Malicious Domain Names Using Support Vector Machine and Bi-gram Method[J]. International Journal of Security and Its Applications, 2013, 7(1): 51-58.
[11]	QI C, CHEN X, XU C, et al. A Bigram based Real Time DNS Tunnel Detection Approach[EB/OL]. , 2019-3-23.
[12]	ZHAO G, XU K, XU L, et al. Detecting APT Malware Infections based on Malicious DNS and Traffic Analysis[EB/OL]. , 2015-6-13.
[13]	HUANG Kai, FU Jianming, HUNAG Jianwei, et al.A Malicious Domain Detection Approach Based on Character and Resolution Features[J]. Computer Simulation, 2018, 35(3): 287-292.
	黄凯,傅建明,黄坚伟,等.一种基于字符及解析特征的恶意域名检测方法[J].计算机仿真,2018,35(3):287-292.
[14]	BRUTZKUS A, LEVIN R. Detecting Domain Name System (DNS) Tunneling Based on DNS Logs and Network Data: U.S. Patent Application 15/466, 300[P]. 2018-9-27.
[15]	SONG Jinwei, YANG Jin, LI Tao.Research on Domain Flux Botnet Domain Name Detection Method Based on Weighted Support Vector Machine[J]. Netinfo Security, 2018, 18(12): 66-71.
	宋金伟,杨进,李涛.基于加权支持向量机的Domain Flux僵尸网络域名检测方法研究[J].信息网络安全,2018,18(12):66-71.
[16]	HOMEM I, PAPAPETROU P.Harnessing Predictive Models for Assisting Network Forensic Investigations of DNS Tunnels[C]//Bepress. Annual ADFSL Conference on Digital Forensics, Security and Law, May 15-15, 2017, Daytona Beach, Florida, USA. Berkeley, California: Bepress, 2017: 79-94.
[17]	YU B, OLUMOFIN F, SMITH L, et al.Behavior Analysis based DNS Tunneling Detection and Classification with Big Data Technologies[C]//SciTePress. Proceedings of the International Conference on Internet of Things and Big Data, April 23-25, 2016, Rome, Italy. Setúbal: SciTePress, 2016: 284-290.
[18]	WU Xihong, LIU Baoxu, YANG Peian.Analvsis Botnet Behavior Based on the Domain Name[J]. Netinfo Security, 2013, 13(9): 10-13.
	巫锡洪,刘宝旭,杨沛安.基于域名的僵尸网络行为分析[J].信息网络安全,2013,13(9):10-13.
[19]	MITCHELL J.Learning Semantic Representations in a Bigram Language Model[C]//ACM. Proceedings of the 10th International Conference on Computational Semantics, March 19-22, 2013, University of Potsdam, Potsdam, Germany. New York: ACM, 2013: 362-368.
[20]	SHAFIEIAN S, SMITH D, ZULKERNINE M.Detecting DNS Tunneling Using Ensemble Learning[C]// Springer. International Conference on Network and System Security, August 21-23, 2017, Helsinki, Finland. Berlin: Springer, 2017: 112-127.

字符	频率	排名
e	0.0972	1
a	0.0877	2
o	0.0756	3
i	0.072	4
s	0.0623	5
r	0.0609	6

特征类别	特征均值	编号	特征方差	编号
域名长度	域名字串的长度的均值	F₁	域名字串的长度的方差	F₁₀
字符占比	域名中数字所占比例的均值	F₂	域名中数字所占比例的方差	F₁₁
	域名中英文字母所占比例的均值	F₃	域名中英文字母所占比例的方差	F₁₂
	域名中非正常字符所占比例的均值	F₄	域名中非正常字符所占比例的方差	F₁₃
随机性特征	域名信息熵的均值	F₅	域名信息熵的方差	F₁₄
随机性特征	域名基尼指数的均值	F₆	域名基尼指数的方差	F₁₅
语义特性	域名unigram平均排名分数的均值	F₇	域名unigram平均排名分数的方差	F₁₆
	域名bigram平均排名分数的均值	F₈	域名bigram平均排名分数的方差	F₁₇
	域名trigram平均排名分数的均值	F₉	域名trigram平均排名分数的方差	F₁₈

分类器	测试样本总数	隐蔽通道总数	判断正确个数	判断为隐蔽通道的个数	判断为隐蔽通道的正确个数	精确率 P/%	召回率 R/%	准确率 A/%
随机森林	4800	2400	4752	2352	2352	100%	98.00%	99.00%
朴素贝叶斯	4800	2400	4691	2301	2296	99.78%	95.67%	97.73%
SVM	4800	2400	4728	2328	2328	100%	97.00%	98.50%
决策树	4800	2400	4768	2368	2368	100%	98.67%	99.33%

实验编号	测试样本总数	隐蔽通道总数	判断正确个数	判断为隐蔽通道的个数	判断为隐蔽通道的正确个数	精确率 P/%	召回率 R/%	准确率 A/%
1	4800	2400	4768	2368	2368	100	98.67	99.33
2	4800	2400	4767	2367	2367	100	98.63	99.31

实验名称	测试样本总数	隐蔽通道总数	判断正确个数	判断为隐蔽通道的个数	判断为隐蔽通道的正确个数	精确率 P/%	召回率 R/%	准确率 A/%
基于集成分类器	4800	2400	4698	2304	2301	99.87	95.88	97.88
基于请求域名	4800	2400	4767	2367	2367	100	98.63	99.31