CN110602100A - DNS tunnel flow detection method - Google Patents


Info

Publication number: CN110602100A
Authority: CN (China)
Prior art keywords: dns, detected, traffic, analysis unit, tunnel
Legal status: Granted
Application number: CN201910871973.5A
Other languages: Chinese (zh)
Other versions: CN110602100B (en)
Inventors: 徐钟豪, 孟雷, 谢忱
Current assignee: Shanghai Elephant Mdt Infotech Ltd
Original assignee: Shanghai Elephant Mdt Infotech Ltd
Events: application filed by Shanghai Elephant Mdt Infotech Ltd; priority to CN201910871973.5A; publication of CN110602100A; application granted; publication of CN110602100B; legal status active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; name-to-address mapping
    • H04L61/4505: Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Abstract

The invention relates to a DNS tunnel traffic detection method comprising the following steps. Establishing a training model: self-building DNS tunnel traffic data and capturing normal DNS traffic data; respectively extracting the DNS protocol tunnel traffic and the normal DNS protocol traffic from them; setting an interception frame that intercepts the DNS protocol tunnel traffic and the normal DNS protocol traffic so as to obtain training analysis units; acquiring the characteristics of each training analysis unit to establish a training model, and having a detection machine learn the training model. Detecting: acquiring DNS traffic data to be detected and the DNS protocol traffic to be detected within it; intercepting the DNS protocol traffic to be detected with the interception frame to obtain analysis units to be detected, acquiring the characteristics of each analysis unit to be detected, and inputting those characteristics into the detection machine so that each analysis unit to be detected is judged according to the training model, thereby detecting DNS tunnel traffic. The invention can flexibly detect the traffic of various DNS tunnels, reduce detection cost and prevent the detection process from being easily bypassed.

Description

DNS tunnel traffic detection method
Technical Field
The invention relates to the technical field of network security, and in particular to a DNS tunnel traffic detection method.
Background
In most present-day enterprise intranet environments the DNS protocol is one of the indispensable network communication protocols: to reach internet and intranet resources, DNS provides a domain name resolution service that converts between domain names and IP addresses. Network devices and perimeter protection devices typically rarely filter, analyze or block DNS, so hiding data or instructions inside DNS protocol transmissions is a covert and efficient means. In a real scenario, once an attacker has gained control of a server, or the server has been infected by malware, a worm or a trojan, establishing a DNS tunnel allows sensitive information to be stolen, files to be transferred, control instructions to be returned, a reverse shell to be obtained, and so on.
To address this security problem, most existing security products perform DNS tunnel detection based on rules, such as monitoring terminals that request domain names of abnormal length. However, an attacker can quickly and easily build a covert DNS tunnel using a commercial penetration suite such as Metasploit or Cobalt Strike, or open-source software such as iodine, OzymanDNS, dns2tcp and dnscat2, and can easily bypass the traditional rule-based DNS tunnel detection model by altering characteristics such as domain name length or request frequency. Existing security products therefore suffer from many limiting conditions, limited detection capability and a high false-alarm rate, and are easily bypassed.
It is therefore necessary to provide a new DNS tunnel traffic detection method that flexibly detects various types of DNS tunnel traffic, reduces detection cost and prevents the detection process from being bypassed.
Disclosure of Invention
The object of the invention is to provide a DNS tunnel traffic detection method that flexibly detects various DNS tunnel traffic, reduces detection cost and prevents the detection process from being easily bypassed.
To solve the problems of the prior art, the invention provides a DNS tunnel traffic detection method comprising the following steps:
establishing a training model: self-building DNS tunnel traffic data and capturing normal DNS traffic data; respectively acquiring the DNS protocol tunnel traffic in the DNS tunnel traffic data and the normal DNS protocol traffic in the normal DNS traffic data; setting an interception frame to intercept the DNS protocol tunnel traffic and the normal DNS protocol traffic so as to obtain training analysis units; acquiring the characteristics of each training analysis unit to establish a training model, and having a detection machine learn the training model;
detecting: acquiring DNS traffic data to be detected, and acquiring the DNS protocol traffic to be detected within that data; intercepting the DNS protocol traffic to be detected with the interception frame to obtain analysis units to be detected, acquiring the characteristics of each analysis unit to be detected, and inputting those characteristics into the detection machine so that each analysis unit to be detected is judged according to the training model, thereby detecting DNS tunnel traffic.
Optionally, in the DNS tunnel traffic detection method, intercepting the DNS protocol tunnel traffic and the normal DNS protocol traffic comprises the following steps:
setting the interception frame to hold a plurality of traffic records, the interception frame being used to intercept the DNS protocol tunnel traffic and the normal DNS protocol traffic;
moving the DNS protocol tunnel traffic or the normal DNS protocol traffic relative to the frame;
intercepting the DNS protocol tunnel traffic or the normal DNS protocol traffic once for every move, the plurality of DNS protocol tunnel traffic records or normal DNS protocol traffic records intercepted each time forming one training analysis unit.
Optionally, in the DNS tunnel traffic detection method, intercepting the DNS protocol traffic to be detected comprises the following steps:
setting the interception frame to hold a plurality of traffic records, where the interception frame used during detection has the same window configuration as the interception frame used when establishing the training model, the frame being used to intercept the DNS protocol traffic to be detected;
moving the DNS protocol traffic to be detected relative to the frame;
intercepting the DNS protocol traffic to be detected once for every move, the plurality of DNS protocol traffic records intercepted each time forming one analysis unit to be detected.
Optionally, in the DNS tunnel traffic detection method, the characteristics of each training analysis unit and of each analysis unit to be detected comprise:
the mean and variance of the response time interval; the mean and variance of the query domain name length; the mean and variance of the response segment length; the mean and variance of each character information entropy of the query sub-domain name; and the query type frequencies.
Optionally, in the DNS tunnel traffic detection method,
the character information entropy of the query sub-domain name comprises unigram information entropy, trigram information entropy and bigram information entropy;
the query types comprise type A, type AAAA, type TXT, type NULL, type CNAME, type MX, type SRV and type OTHER.
Optionally, in the DNS tunnel traffic detection method,
after the characteristics of each training analysis unit are obtained, the method further comprises: normalizing the characteristics of each training analysis unit to form the training model;
after the characteristics of each analysis unit to be detected are obtained and before detection, the method further comprises: normalizing the characteristics of each analysis unit to be detected so that they take part in detection.
Optionally, in the DNS tunnel traffic detection method, inputting the characteristics of each analysis unit to be detected into the detection machine so as to judge each analysis unit to be detected according to the training model comprises the following steps:
carrying out suspicion degree judgment: presetting a suspicion degree threshold k1 and acquiring the suspicion degree y that the detection machine computes for each analysis unit to be detected; if y < k1, the unit is not suspicious; if y >= k1, the unit is suspicious and second-level domain name judgment is performed;
performing second-level domain name judgment: presetting a second-level domain name threshold k2, acquiring the second-level domain names of the DNS protocol traffic to be detected in each suspicious analysis unit, grouping the DNS protocol traffic records in the same analysis unit that share a second-level domain name under that second-level domain name, and calculating for each second-level domain name the ratio p of the number of DNS protocol traffic records belonging to it to the number of all DNS protocol traffic records in that analysis unit; if p >= k2, the DNS protocol traffic corresponding to the second-level domain name taking part in the ratio calculation is judged to be DNS tunnel traffic; if p < k2, the DNS protocol traffic corresponding to that second-level domain name is judged to be normal DNS traffic.
Optionally, in the DNS tunnel traffic detection method, after the DNS tunnel traffic is detected, the method comprises the following step:
displaying the detection result, the original data of each DNS traffic record to be detected and the characteristics of each analysis unit to be detected.
Optionally, in the DNS tunnel traffic detection method, capturing the normal DNS traffic data comprises the following steps:
according to a ranking of global website domain names, acquiring a preset number of the top-ranked website names, and using a capture tool to capture the normal DNS traffic data of the websites corresponding to the acquired names.
Optionally, in the DNS tunnel traffic detection method, the learning algorithm of the detection machine comprises a random forest algorithm, a support vector machine algorithm or a logistic regression algorithm.
In the DNS tunnel traffic detection method, the self-made DNS protocol tunnel traffic and the historical normal DNS protocol traffic are intercepted to obtain training analysis units, and the training model is then built from the characteristics of those units, so the training model can be completed offline and has the advantages of zero rules, zero dependencies, low maintenance cost and the like. In addition, the invention obtains analysis units to be detected by intercepting the DNS protocol traffic to be detected, and those units and their characteristics take part in the detection of DNS tunnel traffic; because the analysis units and characteristics taking part in detection are not subject to any restriction, the invention can flexibly detect various DNS tunnel traffic. Furthermore, detection based on these characteristics effectively prevents the detection process from being easily bypassed.
Drawings
Fig. 1 is a flowchart of the DNS tunnel traffic detection method according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in more detail below with reference to the schematic drawings. The advantages and features of the invention will become more apparent from the following description. Note that the drawings are in a very simplified form and not to precise scale; they serve only to facilitate a clear and distinct description of the embodiments of the invention.
Where the method described herein comprises a series of steps, the order in which the steps are presented is not necessarily the only order in which they may be performed; some of the described steps may be omitted and/or other steps not described herein may be added to the method.
Most existing security products perform DNS tunnel detection based on rules, such as monitoring terminals that request domain names of abnormal length. However, an attacker can quickly and easily build a covert DNS tunnel using a commercial penetration suite such as Metasploit or Cobalt Strike, or open-source software such as iodine, OzymanDNS, dns2tcp and dnscat2, and can easily bypass the traditional rule-based DNS tunnel detection model by altering characteristics such as domain name length or request frequency. Existing security products therefore suffer from many limiting conditions, limited detection capability and a high false-alarm rate, and are easily bypassed.
It is therefore necessary to provide a DNS tunnel traffic detection method comprising the following steps:
establishing a training model: self-building DNS tunnel traffic data and capturing normal DNS traffic data; respectively acquiring the DNS protocol tunnel traffic in the DNS tunnel traffic data and the normal DNS protocol traffic in the normal DNS traffic data; setting an interception frame to intercept the DNS protocol tunnel traffic and the normal DNS protocol traffic so as to obtain training analysis units; acquiring the characteristics of each training analysis unit to establish a training model, and having a detection machine learn the training model;
detecting: acquiring DNS traffic data to be detected, and acquiring the DNS protocol traffic to be detected within that data; intercepting the DNS protocol traffic to be detected with the interception frame to obtain analysis units to be detected, acquiring the characteristics of each analysis unit to be detected, and inputting those characteristics into the detection machine so that each analysis unit to be detected is judged according to the training model, thereby detecting DNS tunnel traffic.
According to the invention, the self-built DNS protocol tunnel traffic and the historical normal DNS protocol traffic are intercepted to obtain training analysis units, and the training model is then built from the characteristics of those units, so the training model can be completed offline and has the advantages of zero rules, zero dependencies, low maintenance cost and the like. In addition, the invention obtains analysis units to be detected by intercepting the DNS protocol traffic to be detected, and those units and their characteristics take part in the detection of DNS tunnel traffic; because the analysis units and characteristics taking part in detection are not subject to any restriction, the invention can flexibly detect various DNS tunnel traffic. Furthermore, detection based on these characteristics effectively prevents the detection process from being easily bypassed.
In an embodiment, as shown in Fig. 1, which is a flowchart of the DNS tunnel traffic detection method provided by this embodiment of the present invention, step S1 is performed: a DNS data generator is mainly used to produce the DNS tunnel traffic data. DNS tunnel tools such as iodine, OzymanDNS, dns2tcp and dnscat2 are mainly used to generate the traffic, and the DNS tunnel traffic data is obtained by randomly combining the parameter resolution types and encryption modes offered by the tunnel tools, where the resolution types include A, CNAME, MX, TXT, NULL, SRV, PRIVATE and the like, and the encryption modes include base32, base64, base64u, base128 and the like.
For example, the self-made DNS tunnel traffic data includes:
query domain name:
query type: A;
response:
Further, capturing the normal DNS traffic data may comprise the following steps: according to a ranking of global website domain names (for example, the Alexa ranking of global websites may be used to obtain the domain name ranking), acquiring a preset number of the top-ranked website names, where the preset number may for example be 50, 100, 200 or 500, so that the names of the top 50, 100, 200 or 500 websites are obtained; and using a capture tool to capture the normal DNS traffic data of the websites corresponding to the acquired website names.
Step S2 is then performed: respectively acquiring the DNS protocol tunnel traffic in the DNS tunnel traffic data and the normal DNS protocol traffic in the normal DNS traffic data, from which the training model is established.
Step S3 is then performed: respectively intercepting the DNS protocol tunnel traffic and the normal DNS protocol traffic, comprising the following steps:
sorting all DNS protocol tunnel traffic records by time and sorting all normal DNS protocol traffic records by time, the training analysis units being generated after interception;
setting the interception frame to hold a plurality of traffic records, the frame being used to intercept the time-ordered DNS protocol tunnel traffic and the time-ordered normal DNS protocol traffic respectively;
when intercepting the DNS protocol tunnel traffic, moving along the time-ordered DNS protocol tunnel traffic, where the step length of each move may be the length of one data packet; when intercepting the normal DNS protocol traffic, moving along the time-ordered normal DNS protocol traffic, where the step length may likewise be the length of one data packet;
intercepting the DNS protocol tunnel traffic or the normal DNS protocol traffic once for every move, the plurality of DNS protocol tunnel traffic records or normal DNS protocol traffic records intercepted each time forming one training analysis unit.
Step S4 is performed: acquiring the characteristics of each training analysis unit to establish the training model, comprising the following steps:
first, acquiring the characteristics of each training analysis unit; the characteristics fall into five categories: response time interval, query domain name length, response segment length, character information entropy of the query sub-domain name, and query type frequency.
For the response time interval, its mean and variance are taken as two characteristics. For DNS protocol tunnel traffic, the sub-domain of every request changes, so the local cache cannot be hit and the interval between request packet and response packet is longer than for normal DNS protocol traffic. For normal DNS protocol traffic, the interval between request and response packets is typically short, owing to the local caching mechanism, and is governed by the RTT.
For the query domain name length, its mean and variance are taken as two characteristics. DNS protocol tunnel traffic generally uses the bandwidth to carry as much information as possible for maximum efficiency, so its request domain names are generally longer. For normal DNS protocol traffic, a request packet submits a query domain name that is an ordinary website domain name of moderate length.
For the response segment length, its mean and variance are taken as two characteristics, where the response segment length may be the sum of the data lengths of the answer section.
For the character information entropy of the query sub-domain name, the mean and variance of three character information entropies of the query sub-domain name are taken as six characteristics: the sub-domain name is segmented using unigrams, trigrams and bigrams respectively, and the mean and variance of the unigram information entropy, of the trigram information entropy and of the bigram information entropy are computed. In the present invention, the sub-domain name in the query sub-domain name may be the portion of the domain name remaining after the top-level domain (TLD) is removed. The sub-domain names in normal DNS protocol traffic queries generally follow the RFC specifications: they begin with a letter, end with a letter or a digit, and in between may contain the lowercase letters a-z, the uppercase letters A-Z, the digits 0-9 and the separator "-", 63 characters in total. The total length of a domain name does not exceed 255 bytes, and each sub-domain name has a maximum length of 63 bytes. In DNS protocol tunnel traffic, however, the transmitted data is usually encrypted or encoded (base64, base32 and the like) and many characters outside this 63-character set are used; segmenting with unigrams, trigrams and bigrams and computing the mean and variance of each information entropy therefore covers the various sub-domain names of DNS protocol tunnel traffic and achieves flexible detection of various DNS tunnel traffic.
For the query type frequency, the frequencies of eight query types are selected as eight characteristics; the eight query types may be type A, type AAAA, type TXT, type NULL, type CNAME, type MX, type SRV and type OTHER. Normal DNS protocol traffic is usually of type A or AAAA, and TXT, NULL or other types are rarely used; DNS protocol tunnel traffic is typically of type TXT, CNAME or MX.
The training model thus comprises the training analysis units of the DNS protocol tunnel traffic with their characteristics and the training analysis units of the normal DNS protocol traffic with their characteristics.
The characteristics of each training analysis unit are then normalized so that all characteristic values lie in the range 0-1.
Finally, the normalized characteristics of each training analysis unit form the training model.
Step S5 is then performed: the detection machine learns the training model; the learning algorithm of the detection machine may comprise a random forest algorithm, a support vector machine algorithm or a logistic regression algorithm.
Step S6 is performed: the DNS data generator may obtain the DNS traffic data to be detected from a real production environment by traffic mirroring, and a protocol analysis tool may be used to extract the DNS protocol traffic to be detected from that data; the protocol analysis tool may comprise software such as Bro or Argus.
Step S7 is performed: intercepting the DNS protocol traffic to be detected with the interception frame to obtain analysis units to be detected, comprising the following steps:
sorting all DNS protocol traffic records to be detected by time, the analysis units to be detected being generated after interception;
setting the interception frame to hold a plurality of traffic records, where the interception frame used during detection has the same window configuration (the same window length, window step length and so on) as the interception frame used when establishing the training model, the frame being used to intercept the DNS protocol traffic to be detected;
when intercepting the DNS protocol traffic to be detected, moving along the time-ordered DNS protocol traffic to be detected, where the step length of each move may be the length of one data packet;
intercepting the DNS protocol traffic to be detected once for every move, the plurality of DNS protocol traffic records intercepted each time forming one analysis unit to be detected.
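The interception frame of steps S3 and S7 is a sliding window over time-ordered DNS records: a window of fixed length advances by a fixed step (one packet in the text), and every position yields one analysis unit. The following is an added example written for this page, not code from the patent or its assignee; it assumes records are tuples of (timestamp, query name, query type), and the window length and step values are constructed for illustration. A single FrameCutter instance holds the configuration so that the training windows and the detection windows cannot silently diverge, and a capture shorter than the window yields no unit rather than a short one, since a short unit would not carry the statistics the model was trained on.

```python
from dataclasses import dataclass
from typing import Callable, Generic, List, Sequence, Tuple, TypeVar

R = TypeVar("R")  # one DNS traffic record; any type whose timestamp time_key can extract


@dataclass(frozen=True)
class WindowConfig:
    """Configuration of the interception frame (window length and step length)."""
    length: int      # number of DNS records the frame holds at once
    step: int = 1    # records the frame advances per move; the text uses one packet


class FrameCutter(Generic[R]):
    """Cuts time-ordered records into analysis units; one instance serves S3 and S7."""

    def __init__(self, cfg: WindowConfig, time_key: Callable[[R], float]) -> None:
        if cfg.length <= 0 or cfg.step <= 0:
            raise ValueError("window length and step must be positive")
        self.cfg = cfg
        self.time_key = time_key

    def cut(self, records: Sequence[R]) -> List[List[R]]:
        """Sort by time, then slide the frame; returns [] when len(records) < length."""
        ordered = sorted(records, key=self.time_key)
        n, length, step = len(ordered), self.cfg.length, self.cfg.step
        return [ordered[i:i + length] for i in range(0, n - length + 1, step)]

    def training_units(self, tunnel_records: Sequence[R],
                       normal_records: Sequence[R]) -> List[Tuple[List[R], int]]:
        """Step S3: tunnel and normal captures are windowed separately, then labelled 1/0."""
        units = [(u, 1) for u in self.cut(tunnel_records)]
        units += [(u, 0) for u in self.cut(normal_records)]
        return units

    def detection_units(self, records: Sequence[R]) -> List[List[R]]:
        """Step S7: the same frame configuration cuts the traffic to be detected."""
        return self.cut(records)


# Constructed sample records (timestamp, qname, qtype), deliberately out of time order;
# the tunnel names are made-up base32-style labels, not captured traffic.
TUNNEL_RECORDS = [
    (3.2, "gezdgnbvgy3tqojqgezdgnbvgy.t.example.com", "TXT"),
    (1.0, "mfrggzdfmztwq2lknnwg23tpob.t.example.com", "TXT"),
    (2.1, "krugkidrovuwg2zamjzg653oef.t.example.com", "TXT"),
    (4.4, "nfzgc3lnorsxe3dfpbxgs3lfoj.t.example.com", "TXT"),
    (5.0, "ovsxg5dbmnwgk3tfmnzxi3tfna.t.example.com", "TXT"),
    (0.2, "obuwg5dvojss4y3pnu.t.example.com", "TXT"),
]
NORMAL_RECORDS = [
    (0.0, "www.example.com", "A"), (2.5, "mail.example.com", "A"),
    (1.1, "www.example.org", "AAAA"), (4.0, "cdn.example.net", "A"),
    (3.3, "api.example.com", "A"), (5.2, "www.example.net", "AAAA"),
    (6.1, "img.example.org", "A"),
]


def demo() -> int:
    """Builds the training set with a 4-record frame, step 1; returns the unit count."""
    cutter = FrameCutter(WindowConfig(length=4, step=1), time_key=lambda r: r[0])
    units = cutter.training_units(TUNNEL_RECORDS, NORMAL_RECORDS)
    for unit, label in units:
        print(label, [r[0] for r in unit])
    return len(units)


if __name__ == "__main__":
    demo()
```

With six tunnel records and seven normal records, a frame of length 4 and step 1 yields 3 tunnel units and 4 normal units; raising the step to 2 halves the number of units and reduces the overlap between neighbouring units, which is the trade-off the window configuration controls.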
Step S8 is performed: acquiring the characteristics of each analysis unit to be detected; the characteristics fall into the same five categories: response time interval, query domain name length, response segment length, character information entropy of the query sub-domain name, and query type frequency.
Specifically, for the response time interval, its mean and variance are taken as two characteristics; for the query domain name length, its mean and variance are taken as two characteristics; for the response segment length, its mean and variance are taken as two characteristics, where the response segment length may be the sum of the data lengths of the answer section; for the character information entropy of the query sub-domain name, the mean and variance of three character information entropies are taken as six characteristics, the sub-domain name being segmented using unigrams, trigrams and bigrams respectively and the mean and variance of the unigram, trigram and bigram information entropies being computed, where the sub-domain name may be the portion of the domain name remaining after the top-level domain (TLD) is removed; for the query type frequency, the frequencies of eight query types are selected as eight characteristics, the eight query types being type A, type AAAA, type TXT, type NULL, type CNAME, type MX, type SRV and type OTHER.
Preferably, after the characteristics of each analysis unit to be detected are obtained and before detection, the method further comprises: normalizing the characteristics of each analysis unit to be detected so that all characteristic values lie in the range 0-1 before taking part in detection.
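Steps S4 and S8 describe the same 20-dimensional characteristic vector (2 + 2 + 2 + 6 + 8 values) for a training unit and for a unit to be detected, followed by 0-1 normalization. The following is an added example written for this page, not code from the patent or its assignee. It assumes a DnsRecord type with a response time interval, query name, query type and answer-section length already extracted per record; the two sample units are constructed, with made-up base32-style labels for the tunnel-looking unit; and min-max scaling fitted on the training units is an assumed choice, since the text only says the values are normalized to 0-1.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Query types counted individually; every other type is folded into OTHER.
QTYPES = ("A", "AAAA", "TXT", "NULL", "CNAME", "MX", "SRV", "OTHER")


@dataclass
class DnsRecord:
    """One DNS request/response pair (field names are this example's assumption)."""
    ts: float         # request timestamp, seconds
    qname: str        # queried domain name
    qtype: str        # query type, e.g. "A" or "TXT"
    rtt: float        # response time interval: seconds from request packet to response packet
    answer_len: int   # response segment length: sum of data lengths in the answer section


def subdomain_part(qname: str) -> str:
    """The query sub-domain as the text defines it: the name with its TLD removed."""
    return ".".join(qname.rstrip(".").split(".")[:-1])


def ngram_entropy(text: str, n: int) -> float:
    """Shannon entropy (bits) of the n-gram distribution of text; 0 when text is too short."""
    grams = [text[i:i + n] for i in range(len(text) - n + 1)]
    if not grams:
        return 0.0
    total = len(grams)
    return -sum((c / total) * math.log2(c / total) for c in Counter(grams).values())


def mean_var(values: Sequence[float]) -> Tuple[float, float]:
    """Population mean and variance of a non-empty sequence."""
    m = sum(values) / len(values)
    return m, sum((v - m) ** 2 for v in values) / len(values)


def unit_features(unit: Sequence[DnsRecord]) -> List[float]:
    """The 20 characteristics of one analysis unit, in the order the text lists them."""
    feats: List[float] = []
    feats += mean_var([r.rtt for r in unit])            # response time interval
    feats += mean_var([len(r.qname) for r in unit])     # query domain name length
    feats += mean_var([r.answer_len for r in unit])     # response segment length
    subs = [subdomain_part(r.qname) for r in unit]
    for n in (1, 3, 2):                                 # unigram, trigram, bigram entropies
        feats += mean_var([ngram_entropy(s, n) for s in subs])
    counts = Counter(r.qtype.upper() if r.qtype.upper() in QTYPES else "OTHER" for r in unit)
    feats += [counts[t] / len(unit) for t in QTYPES]    # eight query type frequencies
    return feats


def fit_minmax(rows: Sequence[Sequence[float]]) -> Tuple[List[float], List[float]]:
    """Per-characteristic minimum and maximum over the training units (fit once, offline)."""
    return [min(col) for col in zip(*rows)], [max(col) for col in zip(*rows)]


def apply_minmax(row: Sequence[float], lo: Sequence[float], hi: Sequence[float]) -> List[float]:
    """Scale to 0-1 with the training bounds; constant characteristics map to 0, values
    outside the training range (possible at detection time) are clipped."""
    return [0.0 if h == l else min(1.0, max(0.0, (x - l) / (h - l)))
            for x, l, h in zip(row, lo, hi)]


# Constructed sample units (not captured traffic): ordinary lookups versus a
# unit whose long, high-entropy TXT queries resemble tunnel traffic.
NORMAL_UNIT = [
    DnsRecord(0.00, "www.example.com", "A", 0.012, 4),
    DnsRecord(0.50, "mail.example.com", "A", 0.010, 4),
    DnsRecord(1.10, "www.example.org", "AAAA", 0.015, 16),
    DnsRecord(2.00, "cdn.example.net", "A", 0.011, 4),
]
TUNNEL_UNIT = [
    DnsRecord(0.00, "gezdgnbvgy3tqojqgezdgnbvgy3tqojq.t.example.com", "TXT", 0.21, 180),
    DnsRecord(0.05, "mfrggzdfmztwq2lknnwg23tpobyxe43u.t.example.com", "TXT", 0.19, 176),
    DnsRecord(0.11, "krugkidrovuwg2zamjzg653oefwgcidt.t.example.com", "TXT", 0.24, 181),
    DnsRecord(0.16, "nfzgc3lnorsxe3dfpbxgs3lfojxxi3tj.t.example.com", "TXT", 0.20, 179),
]

if __name__ == "__main__":
    f_n, f_t = unit_features(NORMAL_UNIT), unit_features(TUNNEL_UNIT)
    lo, hi = fit_minmax([f_n, f_t])
    print("normal:", [round(v, 3) for v in apply_minmax(f_n, lo, hi)])
    print("tunnel:", [round(v, 3) for v in apply_minmax(f_t, lo, hi)])
```

On the sample units the query-length mean, the unigram entropy mean and the TXT frequency all separate the two units, which is the signal the detection machine learns from; the n-gram entropies are what make the characteristic robust to label alphabets the rule-based detectors of the background section do not anticipate.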
Finally, steps S9 and S10 are performed: inputting the characteristics of each analysis unit to be detected into the detection machine so as to judge each analysis unit to be detected according to the training model, comprising the following steps:
carrying out suspicion degree judgment: presetting a suspicion degree threshold k1 and acquiring the suspicion degree y that the detection machine computes for each analysis unit to be detected; if y < k1, the unit is not suspicious; if y >= k1, the unit is suspicious and second-level domain name judgment is performed;
performing second-level domain name judgment: presetting a second-level domain name threshold k2, acquiring the second-level domain names of the DNS protocol traffic to be detected in each suspicious analysis unit, grouping the DNS protocol traffic records in the same analysis unit that share a second-level domain name under that second-level domain name, and calculating for each second-level domain name the ratio p of the number of DNS protocol traffic records belonging to it to the number of all DNS protocol traffic records in that analysis unit; if p >= k2, the DNS protocol traffic corresponding to the second-level domain name taking part in the ratio calculation is judged to be DNS tunnel traffic; if p < k2, the DNS protocol traffic corresponding to that second-level domain name is judged to be normal DNS traffic.
Here k1 and k2 are a priori thresholds that may be set according to the advice of security experts.
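The two-stage judgment of steps S9 and S10 can be stated as a small function: the unit-level suspicion degree y gates the second stage, and within a suspicious unit only the second-level domains that account for at least a fraction k2 of the unit's records are flagged, which is what keeps a single stray query inside a suspicious window from being reported. The following is an added example written for this page, not code from the patent or its assignee. It assumes the suspicion degree y is supplied by whatever detection machine was trained (the text names random forest, SVM and logistic regression; the y values here are constructed), that the second-level domain is simply the last two labels of the name (no public-suffix handling, so names under co.uk-style suffixes would need a suffix list), and the sample unit and thresholds are constructed.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple


def second_level_domain(qname: str) -> str:
    """Last two labels of the name. Assumption: no public-suffix list is consulted."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def judge_unit(qnames: Sequence[str], y: float, k1: float, k2: float) -> Dict[str, str]:
    """Two-stage verdict for one analysis unit to be detected.

    y  : suspicion degree the detection machine computed for the unit
    k1 : suspicion threshold; y < k1 means not suspicious and nothing is judged further
    k2 : second-level-domain ratio threshold applied inside a suspicious unit
    Returns {second_level_domain: "tunnel" | "normal"}; empty when the unit is not suspicious.
    """
    if y < k1:
        return {}
    counts = Counter(second_level_domain(q) for q in qnames)
    total = len(qnames)
    # p = share of the unit's records that belong to this second-level domain
    return {sld: ("tunnel" if n / total >= k2 else "normal") for sld, n in counts.items()}


def flag_records(qnames: Sequence[str], y: float, k1: float, k2: float) -> List[Tuple[str, str]]:
    """Per-record verdicts: 'tunnel', 'normal', or 'clear' when the unit was not suspicious."""
    verdicts = judge_unit(qnames, y, k1, k2)
    return [(q, verdicts.get(second_level_domain(q), "clear")) for q in qnames]


# Constructed sample unit of ten query names: eight made-up base32-style labels under
# one second-level domain, mixed with two ordinary lookups of another domain.
SUSPICIOUS_UNIT = [
    "gezdgnbvgy3tqojq.t.example.com", "mfrggzdfmztwq2lk.t.example.com",
    "krugkidrovuwg2za.t.example.com", "nfzgc3lnorsxe3df.t.example.com",
    "cdn.other.net",
    "ovsxg5dbmnwgk3tf.t.example.com", "obuwg5dvojss4y3p.t.example.com",
    "mjzg653oefwgcidt.t.example.com", "pbxgs3lfojxxi3tj.t.example.com",
    "img.other.net",
]

if __name__ == "__main__":
    # Constructed thresholds; the text leaves k1 and k2 to security-expert judgement.
    for qname, verdict in flag_records(SUSPICIOUS_UNIT, y=0.92, k1=0.5, k2=0.6):
        print(f"{verdict:7s} {qname}")
```

For the sample, example.com holds 8 of 10 records (p = 0.8 >= k2) and is judged tunnel traffic, while other.net holds 2 of 10 (p = 0.2) and is judged normal; with y below k1 the whole unit is left clear regardless of the ratios.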
After the DNS tunnel traffic is detected, the method may further comprise the following step:
displaying the detection result, the original data of each DNS traffic record to be detected and the characteristics of each analysis unit to be detected. For example, the traffic judged to be DNS tunnel traffic may be displayed; the original data of the DNS traffic to be detected may be displayed, including time, access source, access target, query domain name, query type, query response and the like; and the characteristics of each analysis unit to be detected may be displayed, including response time interval, query domain name length, response segment length, character information entropy of the query sub-domain name, query type frequency and the like.
In summary, in the DNS tunnel traffic detection method provided by the present invention, the self-created DNS protocol tunnel traffic and the historical normal DNS protocol traffic are intercepted to obtain training analysis units, and the training model is then built from the characteristics of those units, so the training model can be completed offline and has the advantages of zero rules, zero dependencies, low maintenance cost and the like. In addition, the invention obtains analysis units to be detected by intercepting the DNS protocol traffic to be detected, and those units and their characteristics take part in the detection of DNS tunnel traffic; because the analysis units and characteristics taking part in detection are not subject to any restriction, the invention can flexibly detect various DNS tunnel traffic. Furthermore, detection based on these characteristics effectively prevents the detection process from being easily bypassed. Carrying out suspicion degree detection and second-level domain name judgment on each analysis unit to be detected improves detection efficiency and reduces false alarms in the detection result.
The above description is only a preferred embodiment of the present invention and does not limit the invention in any way. Those skilled in the art will understand that various changes, substitutions and alterations can be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A DNS tunnel flow detection method is characterized by comprising the following steps:
establishing a training model: self-building DNS tunnel traffic data and capturing DNS normal traffic data; respectively acquiring the DNS protocol tunnel traffic in the DNS tunnel traffic data and the DNS protocol normal traffic in the DNS normal traffic data; setting an interception frame to intercept the DNS protocol tunnel traffic and the DNS protocol normal traffic so as to obtain training analysis units; acquiring the features of each training analysis unit to establish a training model, and having a detection machine learn the training model;
detecting: acquiring DNS traffic data to be detected, and acquiring the DNS protocol traffic to be detected in the DNS traffic data to be detected; intercepting the DNS protocol traffic to be detected with the interception frame to obtain analysis units to be detected; acquiring the features of each analysis unit to be detected and inputting them into the detection machine so that each analysis unit to be detected is detected according to the training model, thereby detecting DNS tunnel traffic.
2. The method for detecting DNS tunnel traffic according to claim 1, wherein intercepting DNS protocol tunnel traffic and DNS protocol normal traffic includes the steps of:
setting the interception frame to contain a plurality of traffic records, and using the interception frame to intercept the DNS protocol tunnel traffic and the DNS protocol normal traffic;
moving the DNS protocol tunnel traffic or the DNS protocol normal traffic through the interception frame;
and intercepting once each time the DNS protocol tunnel traffic or the DNS protocol normal traffic is moved, wherein the plurality of DNS protocol tunnel traffic records or DNS protocol normal traffic records intercepted each time form one training analysis unit.
3. The method for detecting DNS tunnel traffic according to claim 1, wherein intercepting the DNS protocol traffic to be detected comprises the steps of:
setting the interception frame to contain a plurality of traffic records, wherein the interception frame used during detection has the same window configuration as the interception frame used when establishing the training model, and using the interception frame to intercept the DNS protocol traffic to be detected;
moving the DNS protocol traffic to be detected through the interception frame;
and intercepting once each time the DNS protocol traffic to be detected is moved, wherein the plurality of DNS protocol traffic records to be detected intercepted each time form one analysis unit to be detected.
4. The DNS tunnel traffic detection method according to claim 1, wherein the characteristics of each training analysis unit and each analysis unit to be detected include:
the mean and variance of the response time interval; the mean and variance of the query domain name length; the mean and variance of the response segment length; the mean and variance of the character information entropy of the query subdomain name; and the query type frequency.
5. The method for detecting DNS tunnel traffic of claim 4,
the character information entropy of the query subdomain name comprises unigram information entropy, bigram information entropy and trigram information entropy;
the query types include the A, AAAA, TXT, NULL, CNAME, MX, SRV and OTHER types.
6. The method for detecting DNS tunnel traffic of claim 1,
after the characteristics of each training analysis unit are obtained, the method further comprises the following steps: normalizing the characteristics of each training analysis unit to form a training model;
after the characteristics of each analysis unit to be detected are obtained and before detection, the method further comprises the following steps: and carrying out normalization processing on the characteristics of each analysis unit to be detected so as to participate in detection.
7. The DNS tunnel traffic detection method according to claim 1, wherein inputting the characteristics of each analysis unit to be detected into the detection machine to detect each analysis unit to be detected according to a training model, comprises the steps of:
performing suspicion degree judgment: presetting a suspicion degree threshold k1, and acquiring the suspicion degree y of each analysis unit to be detected as calculated by the detection machine; if y < k1, the analysis unit is not suspicious; if y ≥ k1, the analysis unit is suspicious and second-level domain name judgment is performed;
performing second-level domain name judgment: presetting a second-level domain name threshold k2; acquiring the second-level domain names of the DNS protocol traffic to be detected in each suspicious analysis unit, attributing the DNS protocol traffic records in the same analysis unit that share a second-level domain name to that second-level domain name, and calculating, for each second-level domain name in the analysis unit, the ratio p of the number of DNS protocol traffic records corresponding to that second-level domain name to the number of all DNS protocol traffic records in the analysis unit; if p ≥ k2, the DNS protocol traffic corresponding to the second-level domain name participating in the ratio calculation is judged to be DNS tunnel traffic; if p < k2, it is judged to be normal DNS traffic.
8. The DNS tunnel traffic detection method according to claim 1, wherein after detecting the DNS tunnel traffic, the method includes the steps of:
and displaying the detection result, the original data of each DNS flow data to be detected and the characteristics of each analysis unit to be detected.
9. The DNS tunnel traffic detection method according to claim 1, wherein capturing DNS normal traffic data includes the steps of:
acquiring a preset number of top-ranked website names according to a global website domain name ranking, and using a capture tool to capture the DNS normal traffic data of the websites corresponding to the acquired website names.
10. The DNS tunnel traffic detection method according to claim 1, wherein the learning algorithm of the detection machine includes: a random forest algorithm, a support vector machine algorithm, or a logistic regression algorithm.
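As an added worked example (not code from the patent or its applicant), the following Python script implements the pipeline the claims describe: a sliding interception frame over DNS records (claims 2 and 3), the per-window features of claims 4 and 5 (mean and variance of response interval, query name length and response length; unigram, bigram and trigram entropy of the query subdomain; query-type frequencies), and the two-stage decision of claim 7 (suspicion threshold k1, then the second-level-domain ratio p against k2). The trained detector of claim 10 is replaced by a hand-written stand-in score so the script runs offline; the record format, the sample traffic and the thresholds are constructed assumptions, and the second-level-domain split takes the last two labels rather than consulting the public suffix list.

```python
import math
from collections import Counter
from statistics import mean, pvariance

# Query types the claims enumerate (claim 5); anything else maps to OTHER.
QUERY_TYPES = ("A", "AAAA", "TXT", "NULL", "CNAME", "MX", "SRV", "OTHER")


def ngram_entropy(s, n):
    """Shannon entropy in bits of the n-gram distribution of s (0.0 if s is too short)."""
    grams = [s[i:i + n] for i in range(len(s) - n + 1)]
    if not grams:
        return 0.0
    total = len(grams)
    return -sum(c / total * math.log2(c / total) for c in Counter(grams).values())


def split_name(qname):
    """Return (subdomain, second-level domain). Assumes a two-label registered
    domain; a real deployment should use the public suffix list for co.uk etc."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def sliding_windows(records, size, step):
    """The interception frame of claims 2/3: a window of `size` records moved by `step`."""
    return [records[i:i + size] for i in range(0, len(records) - size + 1, step)]


def window_features(window):
    """Feature vector of one analysis unit (claims 4 and 5)."""
    ts = [r["ts"] for r in window]
    intervals = [b - a for a, b in zip(ts, ts[1:])] or [0.0]
    qlens = [len(r["qname"]) for r in window]
    rlens = [r["rlen"] for r in window]
    subs = [split_name(r["qname"])[0] for r in window]
    f = {
        "rt_mean": mean(intervals), "rt_var": pvariance(intervals),
        "qlen_mean": mean(qlens), "qlen_var": pvariance(qlens),
        "rlen_mean": mean(rlens), "rlen_var": pvariance(rlens),
    }
    for n, tag in ((1, "uni"), (2, "bi"), (3, "tri")):
        ents = [ngram_entropy(s, n) for s in subs]
        f[f"{tag}_ent_mean"], f[f"{tag}_ent_var"] = mean(ents), pvariance(ents)
    counts = Counter(r["qtype"] if r["qtype"] in QUERY_TYPES else "OTHER" for r in window)
    for t in QUERY_TYPES:
        f[f"freq_{t}"] = counts[t] / len(window)
    return f


def stand_in_score(f):
    """Hypothetical stand-in for the trained detector (claim 10: RF/SVM/LR). It maps
    the features to a suspicion degree y in [0, 1]; a real system would use the
    model's predicted probability on the normalized features of claim 6."""
    return min(1.0, 0.6 * f["uni_ent_mean"] / 4.0 + 0.4 * f["freq_TXT"])


def sld_judgment(window, k2):
    """Claim 7 second stage: ratio p of records per second-level domain in a
    suspicious window; a domain is judged tunnel traffic iff p >= k2."""
    n = len(window)
    counts = Counter(split_name(r["qname"])[1] for r in window)
    return {d: c / n >= k2 for d, c in counts.items()}


def detect(records, size, step, score_fn, k1, k2):
    """Two-stage detection: windows with y < k1 are dropped; the rest go to the
    second-level-domain judgment. Returns the set of domains judged as tunnels."""
    tunnels = set()
    for window in sliding_windows(records, size, step):
        if score_fn(window_features(window)) >= k1:
            tunnels.update(d for d, hit in sld_judgment(window, k2).items() if hit)
    return tunnels


def rec(ts, qname, qtype, rlen):
    """Assumed record layout: timestamp (s), query name, query type, response length."""
    return {"ts": ts, "qname": qname, "qtype": qtype, "rlen": rlen}


# Constructed sample traffic (not captured data): six ordinary lookups, then a window
# dominated by a hypothetical tunnel under tun.example whose 32-char hex labels each
# use every hex digit exactly twice, so their unigram entropy is exactly 4 bits.
SAMPLE = [
    rec(0.0, "www.google.com", "A", 46),
    rec(1.5, "mail.google.com", "A", 46),
    rec(3.1, "www.github.com", "A", 60),
    rec(4.8, "cdn.jsdelivr.net", "A", 52),
    rec(6.2, "api.github.com", "AAAA", 58),
    rec(8.0, "www.wikipedia.org", "A", 46),
    rec(10.0, "0123456789abcdeffedcba9876543210.tun.example", "TXT", 210),
    rec(10.1, "f0e1d2c3b4a5968778695a4b3c2d1e0f.tun.example", "TXT", 205),
    rec(10.2, "13579bdf02468ace13579bdf02468ace.tun.example", "TXT", 212),
    rec(10.3, "www.google.com", "A", 46),
    rec(10.4, "fedcba98765432100123456789abcdef.tun.example", "TXT", 208),
    rec(10.5, "a1b2c3d4e5f60798a1b2c3d4e5f60798.tun.example", "TXT", 203),
]

if __name__ == "__main__":
    print(detect(SAMPLE, size=6, step=6, score_fn=stand_in_score, k1=0.5, k2=0.5))
```

Run as a script, it reports {'tun.example'}. The first window scores well below k1 and is never examined further; the second window is suspicious, but the single www.google.com lookup inside it is kept as normal because its ratio 1/6 is below k2, which is the false-alarm reduction the description attributes to the second-level-domain judgment. The same thresholds in production would have to be tuned against the model's real score distribution, not against this stand-in.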
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910871973.5A CN110602100B (en) 2019-09-16 2019-09-16 DNS tunnel flow detection method

Publications (2)

Publication Number Publication Date
CN110602100A true CN110602100A (en) 2019-12-20
CN110602100B CN110602100B (en) 2023-02-28

Family

ID=68859815

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910871973.5A Active CN110602100B (en) 2019-09-16 2019-09-16 DNS tunnel flow detection method

Country Status (1)

Country Link
CN (1) CN110602100B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180227229A1 (en) * 2015-03-18 2018-08-09 Fortinet, Inc. Application-based network packet forwarding
CN109218124A (en) * 2017-07-06 2019-01-15 杨连群 DNS tunnel transmission detection method and device
CN107733851A (en) * 2017-08-23 2018-02-23 刘胜利 DNS tunnels Trojan detecting method based on communication behavior analysis

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
杨建强、姜洪溪: "DNS covert channel detection based on the number of FQDNs under a second-level domain", 《计算机时代》 (Computer Era) *
章航、郑荣锋等: "Research on DNS covert channel detection methods based on requested domain names", 《技术研究》 (Technology Research) *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111683096A (en) * 2020-06-10 2020-09-18 北京天融信网络安全技术有限公司 Data processing method based on domain name service protocol and electronic equipment
CN111756735A (en) * 2020-06-23 2020-10-09 北京天融信网络安全技术有限公司 DNS tunnel traffic detection method and device
CN111756874A (en) * 2020-06-24 2020-10-09 北京天融信网络安全技术有限公司 Method and device for identifying type of DNS tunnel upper layer protocol
CN111786993A (en) * 2020-06-30 2020-10-16 山石网科通信技术股份有限公司 DNS tunnel traffic detection method and device
CN111786993B (en) * 2020-06-30 2022-08-23 山石网科通信技术股份有限公司 DNS tunnel traffic detection method and device
CN111835763A (en) * 2020-07-13 2020-10-27 北京邮电大学 DNS tunnel traffic detection method and device and electronic equipment
CN111935097A (en) * 2020-07-16 2020-11-13 上海斗象信息科技有限公司 Method for detecting DGA domain name
CN111935097B (en) * 2020-07-16 2022-07-19 上海斗象信息科技有限公司 Method for detecting DGA domain name
CN111953673A (en) * 2020-08-10 2020-11-17 深圳市联软科技股份有限公司 DNS hidden tunnel detection method and system
CN111953673B (en) * 2020-08-10 2022-07-05 深圳市联软科技股份有限公司 DNS hidden tunnel detection method and system
CN113114524A (en) * 2021-03-04 2021-07-13 北京六方云信息技术有限公司 Spark streaming based DNS tunnel detection method and device and electronic equipment
WO2022199867A1 (en) * 2021-03-25 2022-09-29 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatuses for providing an analytic result relating to tunneling traffic to a consumer network function
CN113839948A (en) * 2021-09-26 2021-12-24 新华三信息安全技术有限公司 DNS tunnel traffic detection method and device, electronic equipment and storage medium
CN113839948B (en) * 2021-09-26 2023-10-24 新华三信息安全技术有限公司 DNS tunnel traffic detection method and device, electronic equipment and storage medium
CN115086080A (en) * 2022-08-03 2022-09-20 上海欣诺通信技术股份有限公司 DNS hidden tunnel detection method based on flow characteristics
CN115086080B (en) * 2022-08-03 2024-05-07 上海欣诺通信技术股份有限公司 DNS hidden tunnel detection method based on flow characteristics
CN115134168A (en) * 2022-08-29 2022-09-30 成都盛思睿信息技术有限公司 Method and system for detecting cloud platform hidden channel based on convolutional neural network
CN115348188A (en) * 2022-10-18 2022-11-15 安徽华云安科技有限公司 DNS tunnel traffic detection method and device, storage medium and terminal

Also Published As

Publication number Publication date
CN110602100B (en) 2023-02-28

Similar Documents

Publication Publication Date Title
CN110602100B (en) DNS tunnel flow detection method
US11797671B2 (en) Cyberanalysis workflow acceleration
JP6894003B2 (en) Defense against APT attacks
CN107454109B (en) Network privacy stealing behavior detection method based on HTTP traffic analysis
CN108289088B (en) Abnormal flow detection system and method based on business model
Lu et al. Clustering botnet communication traffic based on n-gram feature selection
EP3528462A1 (en) A method for sharing cybersecurity threat analysis and defensive measures amongst a community
US8260914B1 (en) Detecting DNS fast-flux anomalies
CN107770132B (en) Method and device for detecting algorithmically generated domain name
US20070226803A1 (en) System and method for detecting internet worm traffics through classification of traffic characteristics by types
US11888882B2 (en) Network traffic correlation engine
US20230012220A1 (en) Method for determining likely malicious behavior based on abnormal behavior pattern comparison
Bou-Harb et al. Behavioral analytics for inferring large-scale orchestrated probing events
CN112118154A (en) ICMP tunnel detection method based on machine learning
CN110061998B (en) Attack defense method and device
KR100950079B1 (en) Network abnormal state detection device using HMM (Hidden Markov Model) and method thereof
KR102057459B1 (en) System for analyzing and recognizing network security state using network traffic flow
Asha et al. Analysis on botnet detection techniques
TWI744545B (en) Decentralized network flow analysis approach and system for malicious behavior detection
Chu et al. Ddos attack detection with packet continuity based on LSTM model
CN111371917B (en) Domain name detection method and system
KR20140006408A (en) Apparatus and method for abnormality quantification of suspicious host
Suzuki et al. Man-machine Cooperative Monitoring System to Support Detection of DoS/DDoS Attacks Through Continuous SOM Diagram Generation
WO2021210998A1 (en) Malicious domain hosting type classification systems and methods
Noguchi et al. Discriminating DRDoS Packets using Time Interval Analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant