DNS Covert Channel Detection Based on Graph Attention Network

doi:10.3969/j.issn.1671-1122.2023.01.009

Abstract

Abstract:

Domain name system (DNS) covert channel is increasingly frequent in APT attacks, which is a potential threat to cyberspace security. Aiming at the lack of correlation analysis in DNS covert channel detection based on domain name, this paper proposed a DNS covert channel detection method DSR-GAT based on domain semantic representation (DSR) and graph attention network (GAT), which transformed DNS covert channel detection at domain name level into an undirected graph node classification task. First, based on domain name correlation, domain graph (DG) was constructed using undirected graph structure. Then, using the text data attribute of domain name and its semantic representation was extracted by one-dimensional convolutional neural network as feature representation of nodes in DG. Finally, the feature representation of each domain name was enhanced by the message propagation mechanism and multiple self-attention mechanism of graph attention network. Experimental results on public dataset and our own dataset based on real APT samples show that the proposed DSR-GAT has an ideal detection effect, reduces the failure rate while solving the above problems, and reduces security risks to some extent.

Key words: DNS covert channel, graph attention network, semantic representation, domain name correlation, APT

CLC Number:

TP309

SHEN Chuanxin, WANG Yongjie, XIONG Xinli. DNS Covert Channel Detection Based on Graph Attention Network[J]. Netinfo Security, 2023, 23(1): 73-83.

Figures/Tables 9

References 21

[1]	WANG Wentong, HU Ning, LIU Bo, et al. A Survey on Technology of Security Enhancement for DNS[J]. Journal of Software, 2020, 31(7): 2205-2220.
	王文通, 胡宁, 刘波, 等. DNS安全防护技术研究综述[J]. 软件学报, 2020, 31(7): 2205-2220.
[2]	360 Advanced Threat Institute. 2020 Global Advanced Persistent Threat APT Research Report[EB/OL]. (2021-02-07)[2022-04-13]. https://www.sohu.com/a/449213257653604.
	360高级威胁研究院. 2020全球高级持续性威胁APT研究报告[EB/OL]. (2021-02-07)[2022-04-13]. https://www.sohu.com/a/449213257653604.
[3]	FALCONE R. DNS Tunneling in the Wild: Overview of OilRig's DNS Tunneling[EB/OL]. (2019-04-16)[2022-04-13]. https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/.
[4]	AHMED J, GHARAKHEILI H H, RAZA Q, et al. Real-Time Detection of DNS Exfiltration and Tunneling from Enterprise Networks[C]// IEEE. 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM). New York: IEEE, 2019: 649-653.
[5]	WU Kemeng, ZHANG Yongzheng, YIN Tao. TDAE: Autoencoder-Based Automatic Feature Learning Method for the Detection of DNS Tunnel[C]// IEEE. ICC 2020 IEEE International Conference on Communications (ICC). New York: IEEE, 2020: 215-223.
[6]	CHOWDHARY A, BHOWMIK M, RUDRA B. DNS Tunneling Detection Using Machine Learning and Cache Miss Properties[C]// IEEE. 5th International Conference on Intelligent Computing and Control Systems (ICICCS 2021). New York: IEEE, 2021: 633-645.
[7]	BORN K, GUSTAFSON D. Detecting DNS Tunnels Using Character Frequency Analysis[EB/OL]. (2010-04-25)[2022-05-13]. https://arxiv.org/abs/1004.4358.
[8]	QI Cheng, CHEN Xiaojun, XU Cui, et al. A Bigram Based Real Time DNS Tunnel Detection Approach[J]. Procedia Computer Science, 2013, 17: 852-860. doi: 10.1016/j.procs.2013.05.109 URL
[9]	WU Kemeng, ZHANG Yongzheng, YIN Tao. FTPB: A Three-Stage DNS Tunnel Detection Method Based on Character Feature Extraction[C]// IEEE. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). New York: IEEE, 2020: 552-563.
[10]	YANG Peng, WAN Xinxin, GUANG Shi, et al. Identification of DNS Covert Channel Based on Stacking Method[J]. International Journal of Computer and Communication Engineering, 2021, 10(2): 1-15. doi: 10.17706/IJCCE.2021.10.1.1-8 URL
[11]	ZHANG Jiacheng, LI Yang, YU Shui, et al. A DNS Tunneling Detection Method Based on Deep Learning Models to Prevent Data Exfiltration[M]. Berlin: Springer, 2019.
[12]	LIU Chang, DAI Liang, CUI Wenjing, et al. A Byte-Level CNN Method to Detect DNS Tunnels[C]// IEEE. 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC). New York: IEEE, 2019: 1-8.
[13]	SPERDUTI A, STARITA A. Supervised Neural Networks for the Classification of Structures[J]. IEEE Transactions on Neural Networks, 1997, 8(3): 714-735. pmid: 18255672
[14]	GORI M, MONFARDINI G, SCARSELLI F. A New Model for Learning in Graph Domains[J]. Joint Conference on Neural Networks, 2005(2): 729-734.
[15]	JIA Zhuosheng, HAN Zhen. Research and Analysis of User Behavior Fingerprint on Security Situational Awareness Based on DNS Log[C]// IEEE. 2019 6th International Conference on Behavioral, Economic and Socio-Cultural Computing (BESC). New York: IEEE, 2019: 1-4.
[16]	SUN Xiaoqing, WANG Zhiliang, YANG Jiahai, et al. Deepdom: Malicious Domain Detection with Scalable and Heterogeneous Graph Convolutional Networks[EB/OL]. (2020-12-01)[2022-04-13]. https://www.sciencedirect.com/science/article/pii/S0167404820303308.
[17]	VELICKOVIC P, CUCURULL G, CASANOVA A, et al. Graph Attention Networks[EB/OL]. (2017-02-04)[2022-04-13]. https://www.semanticscholar.org/reader/33998aff64ce51df8dee45989cdca4b6b1329ec4.
[18]	WANG Yue, ZHOU Anmin, LIAO Shan, et al. A Comprehensive Survey on DNS Tunnel Detection[J]. Computer Networks, 2021, 197(3): 108-122.
[19]	CHEN Shaojie, LANG Bo, LIU Hongyu, et al. DNS Covert Channel Detection Method Using the LSTM Model[EB/OL]. (2021-05-21)[2022-04-13]. https://www.sciencedirect.com/science/article/pii/S0167404820303680.
[20]	Stratosphere. Stratosphere Laboratory Datasets[EB/OL]. (2020-03-13)[2022-04-13]. https://www.stratosphereips.org/datasets-normal.
[21]	ALENAZI A, TRAORE I, GANAME K, et al. Holistic Model for HTTP Botnet Detection Based on DNS Traffic Analysis[EB/OL]. (2017-10-11)[2022-04-13]. https://link.springer.com/chapter/10.1007/978-3-319-69155-8_1.

数据类别	数据集1				数据集2
数据类别	训练集	验证集	测试集	总计	训练集	验证集	测试集	总计
DNS隐蔽信道域名数量/个	12000	4000	8709	24709	28080	9360	9360	46800
正常域名数量/个	3000	1000	11291	15291	28080	9360	9360	46800
总计	15000	5000	20000	40000	56160	18720	18720	93600

方法	F1	Accuracy
Gaussan Naive Bayes	0.64	67.425%
Multinomial Naive Bayes	0.61	43.545%
Bernoulli Naive Bayes	0.61	43.545%
RF	0.91	91.025%
决策树	0.91	91.025%
MLP	0.74	70.710%
Linear SVM	0.74	70.000%
Quadratic SVM	0.74	70.199%
KNN	0.94	93.955%
DSR-GAT	0.99	99.475%

方法	F1	Accuracy
决策树, KNN 和 Gaussian Naive Bayes	0.91	91.390%
RF, 决策树和 Quadratic SVM	0.91	91.025%
RF 和决策树	0.91	91.025%
RF, 决策树和 KNN	0.91	91.025%
DSR-GAT	0.99	99.475%

方法	数据集1				数据集2
方法	F1	Accuracy	Recall	Precision	F1	Accuracy	Recall	Precision
LSTM^[19]	0.92	93.65%	89.49%	95.64%	0.96	96.60%	98.73%	94.69%
1D-CNN^[10]	0.96	96.42%	95.70%	97.98%	0.97	96.96%	99.65%	94.60%
DSR-GAT	0.99	99.47%	99.97%	98.81%	0.99	99.81%	99.70%	99.93%

方法	数据集1				数据集2
方法	F1	Accuracy	Recall	Precision	F1	Accuracy	Recall	Precision
DSR-CNN	0.95	95.11%	94.26%	97.02%	0.97	96.99%	99.86%	94.42%
MFE-GAT	0.97	98.10%	99.32%	96.39%	0.97	97.16%	97.07%	97.24%
DSR-GAT	0.99	99.47%	99.97%	98.81%	0.99	99.81%	99.70%	99.93%