基于图注意力网络的DNS隐蔽信道检测

doi:10.3969/j.issn.1671-1122.2023.01.009

摘要/Abstract

摘要：

域名系统（Domain Name System，DNS）隐蔽信道在高级持续性威胁（Advanced Persistent Threat，APT）攻击中呈频发态势，对网络空间安全具有潜在威胁。文章提出基于域名语义表示（Domain Semantic Representation，DSR）和图注意力网络（Graph Attention Network，GAT）的DNS隐蔽信道检测方法DSR-GAT，将域名级别的DNS隐蔽信道检测转化为一种无向图的节点分类任务。首先基于域名的相关性采用无向图构建域名图（Domain Graph，DG）；然后利用域名的文本数据属性，采用一维卷积神经网络提取的语义表示作为DG节点的特征表示；最后通过图注意力网络的消息传播机制及多头自注意力机制，增强每个域名的特征表示。在公开数据集与基于真实APT样本Glimpse的自建数据集上进行实验，实验结果表明，文章提出的DSR-GAT方法检测效果较好，在解决上述问题的同时降低了漏报率，在一定程度上减小了安全风险。

关键词: DNS隐蔽信道, 图注意力网络, 语义表示, 域名相关性, APT

Abstract:

Domain name system (DNS) covert channel is increasingly frequent in APT attacks, which is a potential threat to cyberspace security. Aiming at the lack of correlation analysis in DNS covert channel detection based on domain name, this paper proposed a DNS covert channel detection method DSR-GAT based on domain semantic representation (DSR) and graph attention network (GAT), which transformed DNS covert channel detection at domain name level into an undirected graph node classification task. First, based on domain name correlation, domain graph (DG) was constructed using undirected graph structure. Then, using the text data attribute of domain name and its semantic representation was extracted by one-dimensional convolutional neural network as feature representation of nodes in DG. Finally, the feature representation of each domain name was enhanced by the message propagation mechanism and multiple self-attention mechanism of graph attention network. Experimental results on public dataset and our own dataset based on real APT samples show that the proposed DSR-GAT has an ideal detection effect, reduces the failure rate while solving the above problems, and reduces security risks to some extent.

Key words: DNS covert channel, graph attention network, semantic representation, domain name correlation, APT

中图分类号:

TP309

沈传鑫, 王永杰, 熊鑫立. 基于图注意力网络的DNS隐蔽信道检测[J]. 信息网络安全, 2023, 23(1): 73-83.

SHEN Chuanxin, WANG Yongjie, XIONG Xinli. DNS Covert Channel Detection Based on Graph Attention Network[J]. Netinfo Security, 2023, 23(1): 73-83.

图/表 9

图1

图2

表1

表2

表3

表4

表5

图3

图4

参考文献 21

[1]	WANG Wentong, HU Ning, LIU Bo, et al. A Survey on Technology of Security Enhancement for DNS[J]. Journal of Software, 2020, 31(7): 2205-2220.
	王文通, 胡宁, 刘波, 等. DNS安全防护技术研究综述[J]. 软件学报, 2020, 31(7): 2205-2220.
[2]	360 Advanced Threat Institute. 2020 Global Advanced Persistent Threat APT Research Report[EB/OL]. (2021-02-07)[2022-04-13]. https://www.sohu.com/a/449213257653604.
	360高级威胁研究院. 2020全球高级持续性威胁APT研究报告[EB/OL]. (2021-02-07)[2022-04-13]. https://www.sohu.com/a/449213257653604.
[3]	FALCONE R. DNS Tunneling in the Wild: Overview of OilRig's DNS Tunneling[EB/OL]. (2019-04-16)[2022-04-13]. https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/.
[4]	AHMED J, GHARAKHEILI H H, RAZA Q, et al. Real-Time Detection of DNS Exfiltration and Tunneling from Enterprise Networks[C]// IEEE. 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM). New York: IEEE, 2019: 649-653.
[5]	WU Kemeng, ZHANG Yongzheng, YIN Tao. TDAE: Autoencoder-Based Automatic Feature Learning Method for the Detection of DNS Tunnel[C]// IEEE. ICC 2020 IEEE International Conference on Communications (ICC). New York: IEEE, 2020: 215-223.
[6]	CHOWDHARY A, BHOWMIK M, RUDRA B. DNS Tunneling Detection Using Machine Learning and Cache Miss Properties[C]// IEEE. 5th International Conference on Intelligent Computing and Control Systems (ICICCS 2021). New York: IEEE, 2021: 633-645.
[7]	BORN K, GUSTAFSON D. Detecting DNS Tunnels Using Character Frequency Analysis[EB/OL]. (2010-04-25)[2022-05-13]. https://arxiv.org/abs/1004.4358.
[8]	QI Cheng, CHEN Xiaojun, XU Cui, et al. A Bigram Based Real Time DNS Tunnel Detection Approach[J]. Procedia Computer Science, 2013, 17: 852-860. doi: 10.1016/j.procs.2013.05.109 URL
[9]	WU Kemeng, ZHANG Yongzheng, YIN Tao. FTPB: A Three-Stage DNS Tunnel Detection Method Based on Character Feature Extraction[C]// IEEE. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). New York: IEEE, 2020: 552-563.
[10]	YANG Peng, WAN Xinxin, GUANG Shi, et al. Identification of DNS Covert Channel Based on Stacking Method[J]. International Journal of Computer and Communication Engineering, 2021, 10(2): 1-15. doi: 10.17706/IJCCE.2021.10.1.1-8 URL
[11]	ZHANG Jiacheng, LI Yang, YU Shui, et al. A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration[M]. Berlin: Springer, 2019.
[12]	LIU Chang, DAI Liang, CUI Wenjing, et al. A Byte-Level CNN Method to Detect DNS Tunnels[C]// IEEE. 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC). New York: IEEE, 2019: 1-8.
[13]	SPERDUTI A, STARITA A. Supervised Neural Networks for the Classification of Structures[J]. IEEE Transactions on Neural Networks, 1997, 8(3): 714-735. pmid: 18255672
[14]	GORI M, MONFARDINI G, SCARSELLI F. A New Model for Learning in Graph Domains[J]. Joint Conference on Neural Networks, 2005(2): 729-734.
[15]	JIA Zhuosheng, HAN Zhen. Research and Analysis of User Behavior Fingerprint on Security Situational Awareness Based on DNS Log[C]// IEEE. 2019 6th International Conference on Behavioral, Economic and Socio-Cultural Computing (BESC). New York: IEEE, 2019: 1-4.
[16]	SUN Xiaoqing, WANG Zhiliang, YANG Jiahai, et al. Deepdom: Malicious Domain Detection with Scalable and Heterogeneous Graph Convolutional Networks[EB/OL]. (2020-12-01)[2022-04-13]. https://www.sciencedirect.com/science/article/pii/S0167404820303308.
[17]	VELICKOVIC P, CUCURULL G, CASANOVA A, et al. Graph Attention Networks[EB/OL]. (2017-02-04)[2022-04-13]. https://www.semanticscholar.org/reader/33998aff64ce51df8dee45989cdca4b6b1329ec4.
[18]	WANG Yue, ZHOU Anmin, LIAO Shan, et al. A Comprehensive Survey on DNS Tunnel Detection[J]. Computer Networks, 2021, 197(3): 108-122.
[19]	CHEN Shaojie, LANG Bo, LIU Hongyu, et al. DNS Covert Channel Detection Method Using the LSTM Model[EB/OL]. (2021-05-21)[2022-04-13]. https://www.sciencedirect.com/science/article/pii/S0167404820303680.
[20]	Stratosphere. Stratosphere Laboratory Datasets[EB/OL]. (2020-03-13)[2022-04-13]. https://www.stratosphereips.org/datasets-normal.
[21]	ALENAZI A, TRAORE I, GANAME K, et al. Holistic Model for HTTP Botnet Detection Based on DNS Traffic Analysis[EB/OL]. (2017-10-11)[2022-04-13]. https://link.springer.com/chapter/10.1007/978-3-319-69155-8_1.

数据类别	数据集1				数据集2
数据类别	训练集	验证集	测试集	总计	训练集	验证集	测试集	总计
DNS隐蔽信道域名数量/个	12000	4000	8709	24709	28080	9360	9360	46800
正常域名数量/个	3000	1000	11291	15291	28080	9360	9360	46800
总计	15000	5000	20000	40000	56160	18720	18720	93600

方法	F1	Accuracy
Gaussan Naive Bayes	0.64	67.425%
Multinomial Naive Bayes	0.61	43.545%
Bernoulli Naive Bayes	0.61	43.545%
RF	0.91	91.025%
决策树	0.91	91.025%
MLP	0.74	70.710%
Linear SVM	0.74	70.000%
Quadratic SVM	0.74	70.199%
KNN	0.94	93.955%
DSR-GAT	0.99	99.475%

方法	F1	Accuracy
决策树, KNN 和 Gaussian Naive Bayes	0.91	91.390%
RF, 决策树和 Quadratic SVM	0.91	91.025%
RF 和决策树	0.91	91.025%
RF, 决策树和 KNN	0.91	91.025%
DSR-GAT	0.99	99.475%

方法	数据集1				数据集2
方法	F1	Accuracy	Recall	Precision	F1	Accuracy	Recall	Precision
LSTM^[19]	0.92	93.65%	89.49%	95.64%	0.96	96.60%	98.73%	94.69%
1D-CNN^[10]	0.96	96.42%	95.70%	97.98%	0.97	96.96%	99.65%	94.60%
DSR-GAT	0.99	99.47%	99.97%	98.81%	0.99	99.81%	99.70%	99.93%

方法	数据集1				数据集2
方法	F1	Accuracy	Recall	Precision	F1	Accuracy	Recall	Precision
DSR-CNN	0.95	95.11%	94.26%	97.02%	0.97	96.99%	99.86%	94.42%
MFE-GAT	0.97	98.10%	99.32%	96.39%	0.97	97.16%	97.07%	97.24%
DSR-GAT	0.99	99.47%	99.97%	98.81%	0.99	99.81%	99.70%	99.93%