Netinfo Security, 2023, Vol. 23, Issue (1): 73-83. doi: 10.3969/j.issn.1671-1122.2023.01.009


DNS Covert Channel Detection Based on Graph Attention Network

SHEN Chuanxin1,2, WANG Yongjie1,2, XIONG Xinli1,2

  1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
  2. Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
  • Received: 2022-06-13 Online: 2023-01-10 Published: 2023-01-19
  • Contact: WANG Yongjie E-mail: wangyongjie17@nudt.edu.cn

Abstract:

Domain name system (DNS) covert channels are increasingly frequent in APT attacks and pose a potential threat to cyberspace security. To address the lack of correlation analysis in domain-name-based DNS covert channel detection, this paper proposes DSR-GAT, a DNS covert channel detection method based on domain semantic representation (DSR) and graph attention network (GAT), which transforms domain-name-level DNS covert channel detection into an undirected graph node classification task. First, a domain graph (DG) is constructed as an undirected graph based on domain name correlation. Then, treating each domain name as text data, its semantic representation is extracted by a one-dimensional convolutional neural network and used as the feature representation of the corresponding node in the DG. Finally, the feature representation of each domain name is enhanced by the message propagation mechanism and the multiple self-attention mechanism of the graph attention network. Experimental results on a public dataset and on our own dataset built from real APT samples show that the proposed DSR-GAT has an ideal detection effect, reduces the failure rate while solving the above problems, and reduces security risks to some extent.

Key words: DNS covert channel, graph attention network, semantic representation, domain name correlation, APT
