CN111786993A - DNS tunnel traffic detection method and device - Google Patents


Info

Publication number: CN111786993A
Authority: CN (China)
Legal status: Granted
Application number: CN202010615367.XA
Other languages: Chinese (zh)
Other versions: CN111786993B (en)
Inventors: 张婷, 於大维, 杨升, 蒋宇轩, 陆晓康
Current Assignee: Hillstone Networks Co Ltd
Original Assignee: Hillstone Networks Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]


Abstract

The application discloses a DNS tunnel traffic detection method and device. The method comprises the following steps: filtering request traffic to obtain a traffic set to be detected, where the request traffic comprises DNS traffic transmitted using the DNS protocol and DNS tunnel traffic transmitted using the DNS protocol; detecting the plurality of flows to be detected contained in the traffic set according to a plurality of thresholds respectively, to obtain a plurality of detection results corresponding to those flows; performing a weighted calculation on the detection results according to the weights corresponding to the thresholds, to obtain a certainty factor corresponding to each detection result, where the certainty factor represents the credibility that the flows to be detected are DNS tunnel flows; and determining, according to the certainty factor corresponding to each detection result, whether the flows to be detected contained in the traffic set are DNS tunnel flows. The method and device solve the technical problem that no DNS tunnel traffic detection method is available at the present stage.

Description

DNS tunnel traffic detection method and device
Technical Field
The application relates to the field of DNS tunnel detection, in particular to a method and a device for detecting DNS tunnel traffic.
Background
DNS (Domain Name System) is one of the most critical basic services of the Internet; it associates a domain name with an IP address. When a user needs to access a specific domain name, the user can quickly query the corresponding target IP through the DNS protocol (port 53 by default) and then use other protocols to send data to the target IP. The main principle of a DNS tunnel is to transmit non-DNS traffic on port 53 using the DNS protocol; since a general firewall does not block or inspect DNS protocol traffic transmitted on port 53, traffic disguised as DNS packets can pass through the firewall device to reach the external network, establishing a communication tunnel from a client to a server.
When a DNS tunnel is used for data transmission, the client generally encodes data and encapsulates it in the requested domain name of the question field of the DNS request message; the encoded data reaches the DNS tunnel server and is decoded there, and the server encapsulates the data returned to the client in the resource data of the answer field of the DNS response message. On the surface, the client continuously queries domain names from a DNS server and receives responses from it; in fact the client communicates with that server to send it data or to receive instructions from it.
DNS tunneling can be used legitimately to carry some customized traffic, but it also provides a convenient means for hackers or network attackers.
Abuse of DNS tunneling as an attack generally has three goals:
(1) Client data leakage
After a hacker or network attacker implants a DNS tunnel tool on a client, the tool is used to encode client data into the domain name of the question field of a DNS request message; the request reaches a server controlled by the attacker, where the data is decoded and reconstructed, achieving leakage of client data.
(2) Remote command and control server (C&C)
In a manner similar to (1), a DNS request message sent by the client arrives at a remote command and control server and a communication tunnel is established; the server then transmits commands or control instructions to the client by encapsulating them in DNS response messages.
(3) Bypassing web authentication or firewall blocking
In many cases, the firewall at the boundary of a company intranet blocks intranet users' access to the extranet, or requires web page authentication before the extranet can be accessed, but is generally transparent to DNS traffic. If an intranet client establishes a DNS tunnel to a DNS tunnel server on the extranet, firewall blocking or web authentication can be avoided and the extranet is accessed through the tunnel server.
Given the covertness of DNS tunnel communication and the risks of potential data leakage and client control, detecting DNS tunnels is very important for network boundary security protection.
No effective solution to the above problems has yet been proposed.
Disclosure of Invention
Embodiments of the application provide a method and device for detecting DNS tunnel traffic, to solve the technical problem that no method of detecting DNS tunnel traffic is available at the present stage.
According to one aspect of an embodiment of the application, a method for detecting DNS tunnel traffic is provided, including: filtering request traffic to obtain a traffic set to be detected, where the request traffic comprises DNS traffic transmitted using the DNS protocol and DNS tunnel traffic transmitted using the DNS protocol; detecting the plurality of flows to be detected contained in the traffic set according to a plurality of thresholds respectively, to obtain a plurality of detection results corresponding to those flows, where each detection result indicates that the flows to be detected are suspected DNS tunnel flows, and different thresholds correspond to different detection results; performing a weighted calculation on the detection results according to the weights corresponding to the thresholds, to obtain a certainty factor corresponding to each detection result, where the certainty factor represents the credibility that the flows to be detected are DNS tunnel flows; and determining, according to the certainty factor corresponding to each detection result, whether the flows to be detected contained in the traffic set are DNS tunnel flows.
Optionally, filtering the request traffic to obtain the traffic set to be detected includes: filtering known DNS tunnel traffic out of the request traffic according to DNS-tunnel-related threat intelligence, in which the message characteristics of known DNS tunnel traffic are recorded; filtering legitimate DNS traffic out of the request traffic according to a secondary domain name white list, which is a set of legitimate secondary domain names; and taking the request traffic other than the known DNS tunnel traffic and the legitimate DNS traffic as the traffic set to be detected.
Optionally, after filtering the request traffic, the method further includes: generating a threat log from the known DNS tunnel traffic filtered out of the request traffic according to the DNS-tunnel-related threat intelligence, the threat log being for review by a network administrator.
Optionally, before filtering the request traffic, the method further includes: comparing DNS domain names with DNS tunnel domain names, and/or comparing DNS traffic with DNS tunnel traffic; and setting the plurality of thresholds and the weights corresponding to them according to the comparison result.
Optionally, detecting the flows to be detected according to the plurality of thresholds to obtain the detection results includes: detecting the domain names of all messages contained in a flow to be detected and, if the proportion of messages whose domain name is a DNS tunnel domain name exceeds a first threshold among the plurality of thresholds, treating the flow as a suspected DNS tunnel flow; detecting the request record types of all messages contained in the flow and, if the proportion of messages whose request record type is one commonly used by DNS tunnel tools exceeds a second threshold, treating the flow as a suspected DNS tunnel flow; and detecting the number of host names under the secondary domain names involved in all messages of the flow and, if the number of host names under a secondary domain name exceeds a third threshold, treating the flow as a suspected DNS tunnel flow.
Optionally, detecting the domain names of all messages included in the traffic to be detected includes at least one of: detecting the length of a single label of the domain name, the character characteristics of the domain name, and the entropy of the domain name. The request record types commonly used by DNS tunnel tools include at least one of: the MX, CNAME, TXT and NULL record types.
Optionally, performing the weighted calculation on the detection results according to the weights corresponding to the thresholds to obtain the certainty factor corresponding to each detection result includes: normalizing each detection result according to the degree by which it exceeds its corresponding threshold, to obtain a normalized detection result corresponding to each detection result; and weighting the normalized detection result corresponding to each threshold by the weight corresponding to that threshold, to obtain the certainty factor corresponding to each detection result.
Optionally, determining whether the flows to be detected are DNS tunnel flows according to the certainty factor corresponding to each detection result includes: calculating a total certainty factor from the certainty factors corresponding to the detection results; and, if the total certainty factor is greater than or equal to a certainty factor threshold, determining that the flows to be detected contained in the traffic set are DNS tunnel flows.
Optionally, after determining that the flows to be detected are DNS tunnel flows, the method further includes updating a threat log according to those flows, the threat log containing at least the following information: the source IP addresses, destination IP addresses, source ports, destination ports and domain names used by the flows to be detected.
Optionally, after determining whether the flows to be detected are DNS tunnel flows according to the certainty factor corresponding to each detection result, the method further includes: calculating, for each threshold, its flow ratio in the current detection period, the flow ratio being the proportion of the flows in the traffic set to be detected that were detected according to that threshold; calculating, for each threshold, the difference between its flow ratio in the current detection period and its flow ratio in the previous period; adjusting the weight corresponding to each threshold according to that difference to obtain an adjusted weight; and detecting the certainty factor in the next period using the adjusted weights.
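The adaptive weight feedback described above, as an added example in Python (not code from the patent or from Hillstone): per-threshold flow ratios are computed for two consecutive detection periods and each weight is moved by the change in its ratio, then the weights are renormalized for the next period. The raw sub-detector values, the thresholds, the starting weights [Wa, Wb, Wc], the feedback gain and the weight floor are all constructed assumptions; the patent does not specify the adjustment formula.

```python
# Assumed thresholds for the three sub-detectors: (a) share of tunnel-like domain
# names, (b) share of MX/CNAME/TXT/NULL queries, (c) host names per secondary domain.
THRESHOLDS = {"a": 0.5, "b": 0.5, "c": 20}
WEIGHTS = {"a": 0.4, "b": 0.3, "c": 0.3}   # starting [Wa, Wb, Wc], assumed
STEP = 0.5           # feedback gain applied to the change in flow ratio (assumed)
WEIGHT_FLOOR = 0.05  # no sub-detector is ever switched off entirely (assumed)

# Constructed raw sub-detector values per flow in Z for two consecutive periods.
# In the current period the tunnelling flows stopped using TXT-type queries, so
# dimension (b) no longer separates them while (a) and (c) still do.
PREVIOUS_PERIOD = {
    ("10.0.0.5", "192.0.2.53"): {"a": 0.0, "b": 0.2, "c": 2},
    ("10.0.0.6", "192.0.2.53"): {"a": 0.1, "b": 0.8, "c": 3},
    ("10.0.0.9", "198.51.100.7"): {"a": 1.0, "b": 1.0, "c": 40},
    ("10.0.0.11", "198.51.100.7"): {"a": 0.9, "b": 0.1, "c": 35},
}
CURRENT_PERIOD = {
    ("10.0.0.5", "192.0.2.53"): {"a": 0.0, "b": 0.1, "c": 2},
    ("10.0.0.6", "192.0.2.53"): {"a": 0.0, "b": 0.3, "c": 3},
    ("10.0.0.9", "198.51.100.7"): {"a": 1.0, "b": 0.0, "c": 40},
    ("10.0.0.11", "198.51.100.7"): {"a": 0.9, "b": 0.2, "c": 35},
    ("10.0.0.12", "198.51.100.7"): {"a": 0.8, "b": 0.4, "c": 12},
}


def flow_ratios(period, thresholds=THRESHOLDS):
    """Flow ratio of each threshold: the share of flows in the set to be detected
    whose value for that sub-detector exceeded the threshold in this period."""
    return {k: sum(values[k] > t for values in period.values()) / len(period)
            for k, t in thresholds.items()}


def adjust_weights(weights, prev_ratios, cur_ratios, step=STEP, floor=WEIGHT_FLOOR):
    """Move each weight by step * (current ratio - previous ratio), keep it above
    the floor, and renormalize so the weights still sum to 1 for the next period."""
    raw = {k: max(floor, w + step * (cur_ratios[k] - prev_ratios[k]))
           for k, w in weights.items()}
    total = sum(raw.values())
    return {k: v / total for k, v in raw.items()}


def next_period_weights(prev_period, cur_period, weights=WEIGHTS):
    """One feedback step: ratios for both periods, then the adjusted weights."""
    return adjust_weights(weights, flow_ratios(prev_period), flow_ratios(cur_period))
```

With the constructed data the record-type weight Wb falls to the floor and Wa and Wc absorb its share, so the next period leans on the dimensions that actually separated the tunnelling flows.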
Optionally, the method further includes receiving operating instructions, including: an instruction to add a secondary domain name to, or delete one from, the secondary domain name white list; and an instruction to modify the plurality of thresholds.
According to another aspect of the embodiments of the application, a device for detecting DNS tunnel traffic is also provided, including: a preprocessing module, for filtering request traffic to obtain a traffic set to be detected, where the request traffic comprises DNS traffic transmitted using the DNS protocol and DNS tunnel traffic transmitted using the DNS protocol; a detection module, for detecting the flows to be detected contained in the traffic set according to a plurality of thresholds respectively, to obtain a plurality of detection results corresponding to those flows, where each detection result indicates that the flows are suspected DNS tunnel flows, and different thresholds correspond to different detection results; a calculation module, for performing a weighted calculation on the detection results according to the weights corresponding to the thresholds, to obtain the certainty factor corresponding to each detection result, where the certainty factor represents the credibility that the flows to be detected are DNS tunnel flows; and a determining module, for determining, according to the certainty factor corresponding to each detection result, whether the flows to be detected contained in the traffic set are DNS tunnel flows.
According to yet another aspect of the embodiments of the application, a computer-readable storage medium is provided that contains a stored program; when the program runs, the device on which the storage medium is located is controlled to execute the above method for detecting DNS tunnel traffic.
According to yet another aspect of the embodiments of the application, a processor is provided, configured to run a program stored in a memory, the above method for detecting DNS tunnel traffic being performed when the program runs.
In the embodiments of the application, request traffic is filtered to obtain a traffic set to be detected, where the request traffic comprises DNS traffic transmitted using the DNS protocol and DNS tunnel traffic transmitted using the DNS protocol; the flows to be detected contained in the traffic set are detected according to a plurality of thresholds respectively, to obtain a plurality of detection results corresponding to those flows, where each detection result indicates that the flows are suspected DNS tunnel flows, and different thresholds correspond to different detection results; a weighted calculation is performed on the detection results according to the weights corresponding to the thresholds, to obtain the certainty factor corresponding to each detection result, where the certainty factor represents the credibility that the flows to be detected are DNS tunnel flows; and whether the flows to be detected are DNS tunnel flows is determined according to the certainty factor corresponding to each detection result. DNS message traffic between a source IP and a destination IP is monitored periodically, the initial DNS traffic is preprocessed using DNS-tunnel-related threat intelligence and a secondary domain name white list, and known DNS tunnel traffic and most normal DNS traffic are filtered out; the remaining uncertain traffic is then subjected to multi-dimensional comprehensive detection by the detection module according to the domain name characteristics and traffic characteristics of DNS tunnels, the weights of the DNS tunnel detection module are adjusted adaptively by periodic feedback, and the administrator is allowed to adjust related parameters during detection. This achieves the technical effects of improving the speed and accuracy of DNS tunnel traffic detection, and thus solves the technical problem that no method of detecting DNS tunnel traffic is available at the present stage.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a method for detecting DNS tunnel traffic according to an embodiment of the present application;
fig. 2 is a schematic diagram of a detection sub-module of a DNS tunnel detection apparatus according to an embodiment of the present application;
fig. 3 is a flowchart of adaptive weight adjustment of a DNS tunnel detection method according to an embodiment of the present application;
fig. 4 is a flowchart of a DNS tunnel adaptive detection method according to an embodiment of the present application;
fig. 5 is a schematic diagram of a DNS tunnel traffic detection apparatus according to an embodiment of the present application;
fig. 6 is a schematic diagram of an application scenario of the DNS tunnel traffic monitoring method according to the embodiment of the present application;
fig. 7 is a schematic diagram of another application scenario of the DNS tunnel traffic monitoring method according to the embodiment of the present application;
fig. 8 is a structural diagram of a DNS tunnel traffic detection apparatus according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms appearing in the description of the embodiments of the application are explained as follows:
Host name: the prefix of the requested domain name in a DNS request, e.g. www in www.baidu.com, translate in translate.google.cn;
Secondary domain name: the suffix that remains after the host name is removed from the requested domain name, e.g. baidu.com, google.cn;
Domain name label: one level of the requested domain name, i.e. each field of the domain name separated by ".", e.g. www, baidu and com in www.baidu.com.
According to an embodiment of the application, an embodiment of a method for detecting DNS tunnel traffic is provided. It should be noted that the steps shown in the flowchart of the drawings may be executed in a computer system as a set of computer-executable instructions and, although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in a different order.
Fig. 1 is a flowchart of a method for detecting DNS tunnel traffic according to an embodiment of the application. As shown in fig. 1, the method includes the following steps:
Step S102: filter the request traffic to obtain a traffic set to be detected, where the request traffic comprises DNS traffic transmitted using the DNS protocol and DNS tunnel traffic transmitted using the DNS protocol.
Step S104: detect the plurality of flows to be detected contained in the traffic set according to a plurality of thresholds respectively, to obtain a plurality of detection results corresponding to those flows, where each detection result indicates that the flows are suspected DNS tunnel flows, and different thresholds correspond to different detection results.
Step S106: perform a weighted calculation on the detection results according to the weights corresponding to the thresholds, to obtain the certainty factor corresponding to each detection result, where the certainty factor represents the credibility that the flows to be detected are DNS tunnel flows.
Step S108: determine, according to the certainty factor corresponding to each detection result, whether the flows to be detected contained in the traffic set are DNS tunnel flows.
Through these steps, DNS message traffic between a source IP and a destination IP is monitored periodically, the initial DNS traffic is preprocessed using DNS-tunnel-related threat intelligence and a secondary domain name white list, and known DNS tunnel traffic and most normal DNS traffic are filtered out; the remaining uncertain traffic is then subjected to multi-dimensional comprehensive detection by the detection module according to the domain name characteristics and traffic characteristics of DNS tunnels, the weights of the DNS tunnel detection module are adjusted adaptively by periodic feedback, and the administrator is allowed to adjust related parameters during detection, which achieves the technical effects of improving the speed and accuracy of DNS tunnel traffic detection.
According to an alternative embodiment of the present application, step S102 may be implemented by: filtering known DNS tunnel flow from the request flow according to DNS tunnel related threat information, wherein message characteristics of the known DNS tunnel flow are recorded in the DNS tunnel related threat information; filtering legal DNS traffic from the request traffic according to a secondary domain name white list, wherein the secondary domain name white list is a set of legal secondary domain names; and taking the request traffic except the known DNS tunnel traffic and the legal DNS traffic in the request traffic as a traffic set to be detected.
After a detection period T begins, monitoring request flow passing through a detection device, wherein the request flow comprises normal DNS flow and DNS tunnel flow, preprocessing the DNS flow through DNS tunnel related threat information and a secondary domain name white list, filtering out part of known DNS tunnel flow and most of normal DNS flow, and taking the filtered uncertain flow as input of a subsequent detection module, namely a flow set Z to be detected.
The DNS tunnel-related threat intelligence refers to threat intelligence generated by a known DNS tunnel, which includes characteristics of DNS tunnel messages and can be used to discover corresponding DNS tunnel traffic in advance. The secondary domain white list is a set of common legal secondary domain names, including secondary domain names corresponding to some CDN websites, such as: "akands.net", "amazonaws.com", "applet.com", "applet-dns.net", "cloudfront.net", "iclouud.com", "in-addr.arpa", and the like. The threat log and the second-level domain name white list can be updated through the cloud, and the white list supports an administrator to manually add the trusted domain name.
The request traffic is preprocessed through the relevant threat intelligence of the DNS tunnel, the known DNS tunnel traffic can be found and a threat log can be directly generated before the traffic enters the detection submodule. By matching with an updating mechanism of threat information, a novel DNS tunnel can be found in time, and the detection rate and the detection speed are improved.
The request flow is filtered through the function of the secondary domain name white list, normal DNS flow corresponding to most legal domain names can be filtered, particularly DNS flow corresponding to CDN domain names which are often misreported by a common DNS tunnel detection means, and the detection speed is effectively improved. The white list can be updated through the cloud, and can be manually added by an administrator, if the administrator finds that false alarm exists through the threat log, the domain name prompted in the threat log can be manually added into the white list, and the probability of false alarm is reduced.
In an alternative embodiment of the present application, after step S102 is completed, a threat log is generated from known DNS tunnel traffic filtered from the request traffic according to DNS tunnel-related threat intelligence, and the threat log is used for being viewed by a network administrator. And outputting a detection result to the known DNS tunnel flow detected by the threat intelligence to generate a threat log.
In an optional embodiment of the present application, before performing step S102, a DNS domain name and a DNS tunnel domain name need to be compared, and/or DNS traffic and DNS tunnel traffic need to be compared; and setting a plurality of thresholds and weights corresponding to the thresholds according to the comparison result.
Before DNS tunnel flow is detected, a series of default parameters and weights are set for DNS tunnel flow detection through feature extraction and analysis of a normal domain name and a DNS tunnel domain name and comparison and analysis of the normal DNS tunnel flow and the DNS tunnel flow, wherein the parameters comprise related thresholds of detection sub-modules, and the weights comprise weights [ Wa, Wb, Wc ] of detection results of the detection sub-modules participating in final DNS tunnel flow detection result decision.
According to an alternative embodiment of the present application, step S104 is implemented by: detecting domain names of all messages contained in the flow to be detected, and if the proportion of the messages with domain names of DNS tunnel domain names in all the messages exceeds a first threshold value in a plurality of threshold values, taking the flow to be detected as suspected DNS tunnel flow; detecting request record types of all messages contained in the flow to be detected, and if the request record types are that the proportion of the messages of the DNS tunnel tool common request record types in all the messages exceeds a second threshold value in a plurality of threshold values, taking the flow to be detected as the suspected DNS tunnel flow; and detecting the host name number under the secondary domain name related to all messages contained in the flow to be detected, and if the host name number under the secondary domain name exceeds a third threshold value in a plurality of threshold values, taking the flow to be detected as the suspected DNS tunnel flow.
Optionally, detecting the domain names of all messages included in the traffic to be detected includes at least one of the following: detecting the length of a single label of the domain name, the character characteristics of the domain name and the entropy of the domain name; the DNS tunneling tool common request record types include at least one of: MX record type, CNAME record type, TXT record type, and NULL record type.
Fig. 2 is a schematic diagram of detection sub-modules of a DNS tunnel detection apparatus according to an embodiment of the present application, and as shown in fig. 2, a flow set Z to be detected enters a detection module, and each detection sub-module detects a flow according to a preset threshold, where the detection sub-module includes:
(a) The domain name detection submodule detects the features of the request domain name in the DNS message, and checks whether the proportion of DNS messages whose domain name is a suspicious DNS tunnel domain name exceeds a threshold. Based on the way DNS tunnel tools encode data into domain names, a series of detection dimensions is specified, including the length of a single label of the domain name, the character features of the domain name, and the entropy of the domain name, where the character features include but are not limited to the proportion of capital letters, the proportion of numeric characters, the vowel-to-consonant ratio, and the number of characters that are illegal in a domain name. A default detection threshold is preset for each dimension, and a domain name exceeding a detection threshold is regarded as a suspicious DNS tunnel domain name.
(b) The request record type detection submodule detects the request record type of the DNS message, and checks whether the proportion of DNS messages whose request record type is one commonly used by DNS tunnel tools exceeds a threshold; these types include but are not limited to the MX, CNAME, TXT and NULL record types.
(c) The host name number detection submodule counts the host names under each secondary domain name, and checks whether the number of host names appearing under any secondary domain name exceeds a threshold. If the detection value of a submodule in the detection period exceeds its preset threshold, the submodule outputs its detection result.
By running several detection submodules simultaneously, traffic carried by different types of DNS tunnel can be detected effectively; the results of the submodules are combined by weighting to obtain the final detection result, so that different application scenarios can be served and detection efficiency is improved.
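The three submodules (a), (b) and (c) above, as an added worked example that is not the patent's own code: it runs them over one flow's DNS queries in a detection period and returns the raw values V_a, V_b, V_c together with the per-submodule flags. The threshold values, the two-label rule for the secondary domain, the exact set of character features and the constructed sample queries are all assumptions; the patent presets thresholds but does not publish them.

```python
import math
from collections import Counter, defaultdict

# Assumed default thresholds (the patent presets thresholds but gives no values).
DEFAULT_THRESHOLDS = {
    "domain": {                # per-domain-name dimensions of submodule (a)
        "max_label_len": 40,   # a single label longer than this is suspicious
        "entropy": 4.0,        # Shannon entropy (bits/char) of the name without dots
        "upper_ratio": 0.5,    # share of capital letters
        "digit_ratio": 0.5,    # share of numeric characters
        "illegal_chars": 0,    # characters outside the letter/digit/hyphen set
    },
    "flow": {                  # flow-level thresholds TH_a, TH_b, TH_c
        "a": 0.3,   # share of messages carrying a suspicious domain name
        "b": 0.3,   # share of messages with a tunnel-typical record type
        "c": 50,    # distinct names seen under one second-level domain
    },
}

# Record types the patent lists as commonly requested by DNS tunnel tools.
TUNNEL_QTYPES = {"MX", "CNAME", "TXT", "NULL"}

# Letters, digits and hyphen, plus '_' for legitimate names such as _dmarc.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character; encoded payloads score higher than words."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_domain(qname: str) -> str:
    """Last two labels (assumed rule). A production filter should consult the
    Public Suffix List so that host.example.co.uk maps to example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def domain_features(qname: str) -> dict:
    """The detection dimensions of submodule (a) for one domain name."""
    name = qname.rstrip(".")
    labels = name.split(".")
    body = name.replace(".", "")
    if not body:
        return {k: 0 for k in DEFAULT_THRESHOLDS["domain"]}
    return {
        "max_label_len": max(len(label) for label in labels),
        "entropy": shannon_entropy(body),
        "upper_ratio": sum(c.isupper() for c in body) / len(body),
        "digit_ratio": sum(c.isdigit() for c in body) / len(body),
        "illegal_chars": sum(c not in ALLOWED for c in body),
    }


def domain_is_suspicious(qname: str, th: dict) -> bool:
    """A name exceeding the threshold of any dimension is a suspicious tunnel name."""
    feats = domain_features(qname)
    return any(feats[k] > th[k] for k in th)


def run_submodules(queries, thresholds=DEFAULT_THRESHOLDS):
    """Run submodules (a), (b), (c) over one flow's queries [(qname, qtype), ...].

    Returns the raw values V_a, V_b, V_c and whether each exceeds its threshold."""
    n = len(queries)
    if n == 0:
        return {"a": 0.0, "b": 0.0, "c": 0}, {"a": False, "b": False, "c": False}
    suspicious = sum(domain_is_suspicious(q, thresholds["domain"]) for q, _ in queries)
    tunnel_types = sum(t.upper() in TUNNEL_QTYPES for _, t in queries)
    hosts = defaultdict(set)   # second-level domain -> distinct names under it
    for q, _ in queries:
        hosts[second_level_domain(q)].add(q.rstrip(".").lower())
    values = {
        "a": suspicious / n,
        "b": tunnel_types / n,
        "c": max(len(names) for names in hosts.values()),
    }
    flags = {k: values[k] > thresholds["flow"][k] for k in values}
    return values, flags


def make_sample_flow():
    """Constructed sample: 120 tunnel-style queries under t.example.com (distinct
    50-character encoded labels, TXT/NULL) mixed with 30 ordinary lookups."""
    queries = []
    for i in range(120):
        label = ("%04d" % i + "abcdefghijklmnopqrstuvwxyz234567" * 2)[:50]
        queries.append((f"{label}.t.example.com", "TXT" if i % 2 else "NULL"))
    normal = ["www.example.org", "mail.example.org", "www.wikipedia.org"]
    for i in range(30):
        queries.append((normal[i % 3], "A" if i % 2 else "AAAA"))
    return queries


if __name__ == "__main__":
    print(run_submodules(make_sample_flow()))
```

On the sample flow all three submodules fire: 80% of the messages carry an over-long label, 80% use TXT or NULL, and 120 distinct names appear under example.com. The sample also shows why the three checks are combined: a tunnel that hides in short labels under many distinct host names would pass (a) yet still trip (c).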
In some optional embodiments of the present application, step S106 may be implemented as follows: each detection result is normalized according to the degree to which it exceeds its corresponding threshold, giving a normalized detection result for each detection result; and the normalized detection result corresponding to each threshold is weighted according to the weight corresponding to that threshold, giving the certainty factor corresponding to each detection result.
When step S106 is executed, the normalized result $Q_i$ is calculated from the detection result of each detection submodule; then, according to the weight $W_i$ of each detection submodule, the normalized result is weighted to obtain the certainty factor $C_i = Q_i \cdot W_i$, which represents the credibility that DNS tunnel traffic exists in the current period.
In this step, the detection result value of each submodule is first normalized according to the degree to which it exceeds the corresponding threshold, giving $Q_i = (V_i - TH_i)/TH_i$, where $V_i$ is the detection result value of submodule $i$ and $TH_i$ is its threshold. Then $Q_i$ is weighted by the weight $W_i$ of the submodule to obtain the certainty factor $C_i$. In the initial state the weight $W_i$ of each submodule takes the preset value described above; it is subsequently fed back and adjusted according to the detection results, so that the weights adapt automatically.
According to an alternative embodiment of the present application, step S108 may be implemented by: calculating the total certainty factor according to the certainty factor corresponding to each detection result; and if the total certainty factor is greater than or equal to the certainty factor threshold value, determining that the plurality of flows to be detected contained in the flow set to be detected are DNS tunnel flows.
The certainty factors of all the detection submodules are integrated to obtain the total certainty factor $C$.
[Formula for the total certainty factor: shown as an image in the original.]
If $C > \mathrm{Threshold}$, a DNS tunnel detection result is output, the administrator is informed by means of a threat log, and the detection period ends.
In another optional embodiment of the present application, after determining that a plurality of flows to be detected included in a flow set to be detected are DNS tunnel flows, updating a threat log according to the plurality of flows to be detected, where the threat log at least includes the following information: the method comprises the steps of obtaining a plurality of source IP addresses, destination IP addresses, source ports, destination ports and used domain names of flow to be detected.
After a DNS tunnel detection result has been output because the total certainty factor exceeds Threshold, the system administrator is informed by generating a threat log, which contains information such as the source IP address, destination IP address, source port, destination port and the domain name used. Optionally, the administrator may drop the DNS packets, block the source/destination IP addresses associated with the DNS tunnel, or block the domain associated with the DNS tunnel.
According to another alternative embodiment of the present application, after step S108 is completed, the flow ratio of each threshold in the current detection period needs to be calculated, where the flow ratio is a ratio of the detected flow to be detected in the to-be-detected flow set according to each threshold; respectively calculating the difference value of the flow ratio of each threshold in the current detection period and the flow ratio in the previous period; adjusting the weight value corresponding to each threshold value according to the difference value to obtain the adjusted weight value; and detecting the certainty factor of the next period according to the adjusted weight value.
After the step S108 is completed, new weights [ Wa, Wb, Wc ] of the three detection submodules are calculated according to a weight adjustment algorithm, and are fed back to the certainty factor calculation of the next detection period.
Fig. 3 is a flowchart of adaptive weight adjustment of a DNS tunnel detection method according to an embodiment of the present application, as shown in fig. 3,
after detection period $T$ ends, the traffic ratio of each DNS tunnel detection submodule in period $T$ is first calculated: $R_{i,T} = M_{i,T} / Z$, where $M_{i,T}$ is the traffic detected by submodule $i$ in period $T$, and $R_{i,T}$ is the ratio of that traffic to the total traffic set $Z$ to be detected in period $T$.
Secondly, the difference between the traffic ratio of each detection submodule in period $T$ and in the previous period $T-1$ is calculated: $\Delta_{i,T} = R_{i,T} - R_{i,T-1}$.
Thirdly, the weight of each detection submodule is adjusted according to the difference: $W_{i,T+1} = W_{i,T} + \mu_i \Delta_{i,T}$, where $\mu_i$ is the adjustment coefficient of detection submodule $i$.
Fourthly, the adjusted weight $W_{i,T+1}$ is fed back into the calculation of the certainty factor $C_i$ in the next detection period $T+1$.
The effect of adjusting the weights of the DNS tunnel detection submodules with this algorithm is that the more the proportion of traffic detected by a submodule rises compared with the previous detection period, the larger the weight that submodule receives in the next detection period.
By dynamically adjusting the weight of each detection submodule with this adaptive algorithm at the end of every detection period, the method can track changes in the characteristics of DNS tunnel traffic and improve the accuracy of the detection result.
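The certainty calculation of step S106/S108 and the weight feedback of Fig. 3, carried through together in an added example that is not the patent's own code. It takes the submodule values V_i and the per-submodule hit counts M_i for two constructed detection periods, computes Q_i, C_i and the total C, decides against the certainty threshold, then updates [Wa, Wb, Wc] for the next period. Three points are assumptions rather than statements of the patent: the total C is taken as the plain sum of the C_i (the patent's formula is only an image); a submodule below its threshold contributes Q_i = 0 rather than a negative value, following the statement that a submodule outputs a result only when it exceeds its threshold; and the updated weights are clamped at zero, since the update rule as written is unbounded. The threshold, initial weight and coefficient values are also assumed.

```python
# Assumed parameters; the patent presets them but gives no values.
THRESHOLDS = {"a": 0.3, "b": 0.3, "c": 50}        # TH_i per submodule
INITIAL_WEIGHTS = {"a": 0.4, "b": 0.3, "c": 0.3}  # [Wa, Wb, Wc] at start
MU = {"a": 0.5, "b": 0.5, "c": 0.5}               # adjustment coefficients mu_i
CERTAINTY_THRESHOLD = 0.5                          # Threshold for the total C


def normalize(values, thresholds=THRESHOLDS):
    """Q_i = (V_i - TH_i) / TH_i for submodules whose value exceeds TH_i.

    A submodule only outputs a result when it exceeds its threshold, so the
    others are taken as 0 here instead of a negative Q_i (assumption)."""
    return {i: (v - thresholds[i]) / thresholds[i] if v > thresholds[i] else 0.0
            for i, v in values.items()}


def certainty(q, weights):
    """C_i = Q_i * W_i"""
    return {i: q[i] * weights[i] for i in q}


def total_certainty(c):
    """Integrates the C_i into the total C; a plain sum is assumed."""
    return sum(c.values())


def traffic_ratios(detected, z_size):
    """R_{i,T} = M_{i,T} / Z: share of the flow set flagged by submodule i."""
    return {i: m / z_size for i, m in detected.items()}


def adjust_weights(weights, ratios_now, ratios_prev, mu=MU):
    """W_{i,T+1} = W_{i,T} + mu_i * (R_{i,T} - R_{i,T-1}).

    Clamping at zero is an assumption: the patent does not bound the weights,
    and without it a falling hit rate could turn a submodule's vote negative."""
    return {i: max(0.0, w + mu[i] * (ratios_now[i] - ratios_prev[i]))
            for i, w in weights.items()}


def run_periods(periods, weights=None):
    """periods: [(V_i of the flow under decision, M_i flagged flows, |Z|), ...]

    Returns the per-period decisions and the weights for the period after the last."""
    weights = dict(weights or INITIAL_WEIGHTS)
    ratios_prev = {i: 0.0 for i in weights}   # nothing was flagged before period 1
    history = []
    for values, detected, z_size in periods:
        c = certainty(normalize(values), weights)
        total = total_certainty(c)
        history.append({"weights": dict(weights), "certainty": c, "total": total,
                        "is_tunnel": total >= CERTAINTY_THRESHOLD})
        ratios = traffic_ratios(detected, z_size)
        weights = adjust_weights(weights, ratios, ratios_prev)
        ratios_prev = ratios
    return history, weights


# Constructed two-period input (not from the patent): in period 1 only the
# domain-name and host-count submodules exceed their thresholds, and weakly;
# in period 2 all three do, and their hit rates across the 200-flow set rise.
SAMPLE_PERIODS = [
    ({"a": 0.45, "b": 0.15, "c": 60},  {"a": 20, "b": 10, "c": 5},  200),
    ({"a": 0.60, "b": 0.60, "c": 200}, {"a": 60, "b": 55, "c": 40}, 200),
]

if __name__ == "__main__":
    hist, next_weights = run_periods(SAMPLE_PERIODS)
    for t, h in enumerate(hist, 1):
        print(f"T={t} weights={h['weights']} C={h['total']:.4f} tunnel={h['is_tunnel']}")
    print("weights for the next period:", next_weights)
```

Period 1 yields C = 0.26 and no alert; period 2 yields C = 1.7125 and an alert, with the weights having moved to 0.45, 0.325 and 0.3125 on the strength of the period-1 hit rates. Note that the feedback reacts only to how much each submodule's hit ratio rises, not to whether those hits were confirmed tunnels, so a noisy submodule can grow its own weight; a deployment should watch the weight trajectory alongside the threat log.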
According to an optional embodiment of the present application, the method further includes receiving an operation instruction, where the operation instruction includes: adding a second-level domain name or deleting an operation instruction of the second-level domain name to a second-level domain name white list; and modifying the operating instructions of the plurality of thresholds.
The administrator can manually add or delete the second-level domain name white list and modify the relevant detection threshold parameters, so that the DNS tunnel detection device is more flexible, and a more accurate detection effect is achieved.
Fig. 4 is a flowchart of a DNS tunnel adaptive detection method according to an embodiment of the present application, where the method shown in fig. 4 includes the following steps:
step S402, starting detection, and setting default parameters and weight values;
step S404, starting a monitoring period T, monitoring DNS request traffic, and preprocessing it with threat intelligence and a white list to obtain a filtered traffic set Z to be detected;
step S406, inputting the flow set to be detected into a detection module, and finishing a detection process by each detection submodule of the detection module according to the preset parameters in the step S402 to obtain a detection result of the detection module;
step S408, calculating the normalized detection result of each detection submodule, carrying out weighted calculation on the normalized detection result according to the weight value set in the step S402, and calculating the certainty factor;
step S410, integrating the certainty factors of all detection submodules to obtain a total certainty factor, and outputting a DNS tunnel flow detection result if the certainty factor exceeds a certainty factor threshold;
step S412, calculating new weights of the detection submodules by using a weight feedback adjustment algorithm.
It should be noted that, reference may be made to the description related to the embodiments shown in fig. 1 to 3 for a preferred implementation of the embodiment shown in fig. 4, and details are not repeated here.
Fig. 5 is a schematic diagram of a DNS tunnel traffic detection apparatus according to an embodiment of the present application, and as shown in fig. 5, the apparatus is divided into four units: a DNS traffic preprocessing unit 50; a DNS tunnel detecting unit 52; an adaptive adjustment feedback unit 54; an administrator interaction unit 56.
The DNS traffic preprocessing unit 50 is mainly used to filter all DNS traffic entering the DNS tunnel adaptive detection apparatus. Known DNS tunnels are discovered in advance by using relevant threat intelligence of the DNS tunnels, and threat logs are directly sent out to inform an administrator. And filtering normal DNS traffic corresponding to a legal domain name by using a secondary domain name white list, wherein the part of traffic does not enter a subsequent DNS tunnel detection unit for processing and is directly forwarded.
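The preprocessing unit described above, as an added example that is not the patent's own code: requests whose secondary domain matches DNS tunnel threat intelligence go straight to a threat log with the fields the patent lists; requests under a white-listed secondary domain are forwarded without further analysis; everything else forms the set Z handed to the detection unit. The record layout, the intelligence and white-list contents, the short public-suffix table and the sample requests are constructed for the example. Two points worth noting in practice: the threat-intelligence check runs before the white list, so intelligence wins if a domain appears in both; and because the white list is keyed on the secondary domain, an attacker who controls the authoritative server of a white-listed domain (the relay mode of Fig. 7) would have their traffic forwarded uninspected, so the list should be kept short and reviewed.

```python
from collections import namedtuple

# One DNS request as seen by the preprocessing unit (constructed record layout).
Request = namedtuple("Request", "src_ip src_port dst_ip dst_port qname qtype")

# Assumed inputs: threat intelligence naming known tunnel second-level domains,
# and the administrator-maintained second-level domain white list.
KNOWN_TUNNEL_SLDS = {"tunnel-c2.example"}
SLD_WHITELIST = {"example.org", "wikipedia.org"}

# A few multi-label public suffixes so the "secondary domain" is the registrable
# name (host.example.co.uk -> example.co.uk); a deployment would load the
# full Public Suffix List instead of this assumed table.
PUBLIC_SUFFIXES = {"co.uk", "com.cn", "com.au"}


def second_level_domain(qname: str) -> str:
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def threat_log(req: Request, reason: str) -> dict:
    """The fields the patent lists for the threat log shown to the administrator."""
    return {"reason": reason, "src_ip": req.src_ip, "dst_ip": req.dst_ip,
            "src_port": req.src_port, "dst_port": req.dst_port, "domain": req.qname}


def preprocess(requests, known_tunnels=KNOWN_TUNNEL_SLDS, whitelist=SLD_WHITELIST):
    """Split request traffic into (threat logs, forwarded requests, set Z)."""
    logs, forwarded, z = [], [], []
    for req in requests:
        sld = second_level_domain(req.qname)
        if sld in known_tunnels:      # intelligence hit: log it, skip detection
            logs.append(threat_log(req, "threat-intel"))
        elif sld in whitelist:        # legal domain: forwarded, not analysed
            forwarded.append(req)
        else:                         # unknown: goes to the detection submodules
            z.append(req)
    return logs, forwarded, z


# Constructed sample requests.
SAMPLE_REQUESTS = [
    Request("10.0.0.5", 51234, "10.0.0.53", 53, "a1b2c3.tunnel-c2.example", "TXT"),
    Request("10.0.0.5", 51235, "10.0.0.53", 53, "www.example.org", "A"),
    Request("10.0.0.6", 40001, "10.0.0.53", 53, "host.example.co.uk", "A"),
    Request("10.0.0.7", 40002, "10.0.0.53", 53, "zz9.unknown-sld.net", "NULL"),
    Request("10.0.0.8", 40003, "10.0.0.53", 53, "en.wikipedia.org.", "AAAA"),
]

if __name__ == "__main__":
    logs, fwd, z = preprocess(SAMPLE_REQUESTS)
    print(len(logs), "logged,", len(fwd), "forwarded,", len(z), "to detection")
```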
The DNS tunnel detecting unit 52 mainly includes a DNS tunnel detecting module and a DNS tunnel detection result processing module. The DNS tunnel detection module comprises the three detection submodules and is used for carrying out multi-dimensional detection on DNS traffic entering the DNS tunnel detection unit and obtaining results of the detection submodules. And the DNS tunnel detection result processing module is used for weighting and synthesizing the detection results of the detection sub-modules to obtain the certainty factor, obtain the final DNS tunnel detection result and generate the threat log.
The adaptive adjustment feedback unit 54 is mainly configured to analyze proportion data of the traffic detected by each detection submodule in the current detection period, and adjust the weight of each detection submodule in the next detection period according to dynamic changes of the proportion data.
The administrator interaction unit 56 mainly implements the operation of the administrator on the DNS tunnel detection device, and the administrator can manually add or delete the secondary domain name white list in the DNS traffic preprocessing unit 50 through the unit, and modify the relevant detection threshold parameter in the DNS tunnel detection unit 52, so that the DNS tunnel detection device is more flexible, and a more accurate detection effect is achieved.
According to the self-adaptive detection method and device for the DNS tunnel flow, the DNS flow is preprocessed through relevant threat information of the DNS tunnel and a secondary domain name white list, the flow set to be detected with part of known DNS tunnel flow and most of normal DNS flow filtered out is input into each detection submodule to be detected, and the normalized results of each detection submodule are weighted and integrated by using the weight values to obtain the final detection result. And the weight of each detection submodule is adjusted in a self-adaptive manner periodically according to the flow change, so that the effective detection of DNS tunnel communication is realized, and the hidden communication which is carried out when the DNS tunnel is abused to carry out data transmission or is used as an attack means to control intranet users can be found. After the DNS tunnel result is detected, a threat log informs an administrator of information such as a source/destination IP address, a source/destination port, a used domain name and the like used in DNS tunnel communication, and by utilizing the information, the administrator can choose to intercept the DNS tunnel communication at the boundary of an intranet or in an operator network, so that the aim of protecting intranet data and a host is fulfilled. The technical scheme has good detection effect on DNS tunnel communication, high detection speed and high detection rate.
The DNS tunnel can be divided into a direct connection mode and a relay mode according to different traffic paths for communication between the client and the server. The client is generally an intranet controlled host, and the server refers to a network attacker server or a server for providing DNS tunnel data resolution.
Fig. 6 is a schematic view of an application scenario of the DNS tunnel traffic monitoring method according to the embodiment of the present application; as shown in fig. 6, the client and the server are in direct connection mode. The server listens on port 53 and the client connects directly to the DNS tunnel server over UDP. The client constructs messages whose format conforms to the DNS specification and exchanges non-DNS information with the server; the domain name in the message may belong to any secondary domain or to a non-existent secondary domain, or may even be an arbitrary character string.
Fig. 7 is a schematic view of another application scenario of the DNS tunnel traffic monitoring method according to the embodiment of the present application, and as shown in fig. 7, the client and the server are in a relay mode. In the application scenario of this mode, a network attacker first needs to register and acquire a certain secondary domain name, and sets an authoritative server of the secondary domain name as a server controlled by the attacker, or controls an authoritative server of an existing secondary domain name through malicious software, worms, trojans, and the like. After the operation, all subsequent DNS messages requesting the sub-domain name under the secondary domain name realize recursive query through the intranet DNS server, and finally go to the controlled authoritative server (i.e., DNS tunnel server) to establish the DNS tunnel.
The method and the device for adaptive detection of DNS tunnel traffic, provided by the invention, are suitable for the two application scenarios, namely detection of DNS tunnel communication in a direct connection mode (as shown in fig. 6) and a relay mode (as shown in fig. 7).
Fig. 8 is a structural diagram of a DNS tunnel traffic detection apparatus according to an embodiment of the present application, and as shown in fig. 8, the apparatus includes:
the preprocessing module 80 is configured to filter the request traffic to obtain a traffic set to be detected, where the request traffic includes DNS traffic transmitted by using a DNS protocol and DNS tunnel traffic transmitted by using the DNS protocol.
The detection module 82 is configured to detect a plurality of flows to be detected included in the flow set to be detected respectively according to a plurality of thresholds, to obtain a plurality of detection results corresponding to the plurality of flows to be detected, where the plurality of detection results are all used to represent that the plurality of flows to be detected are suspected DNS tunnel flows, and different thresholds correspond to different detection results.
And the calculating module 84 is configured to perform weighted calculation on the multiple detection results according to the weights corresponding to the multiple thresholds, respectively, to obtain the certainty factor corresponding to each detection result, where the certainty factor is used to represent the credibility of the multiple flows to be detected as DNS tunnel flows.
And the determining module 86 is configured to determine whether the multiple flows to be detected included in the flow set to be detected are DNS tunnel flows according to the certainty factor corresponding to each detection result.
It should be noted that, reference may be made to the description related to the embodiment shown in fig. 1 for a preferred implementation of the embodiment shown in fig. 8, and details are not repeated here.
The embodiment of the application further provides a computer-readable storage medium, where the storage medium includes a stored program, and when the program runs, the device where the storage medium is located is controlled to execute the above DNS tunnel traffic detection method.
The storage medium stores a program for executing the following functions: filtering the request traffic to obtain a traffic set to be detected, wherein the request traffic comprises DNS traffic transmitted by using a DNS protocol and DNS tunnel traffic transmitted by using the DNS protocol; detecting a plurality of flows to be detected contained in a flow set to be detected respectively according to a plurality of thresholds to obtain a plurality of detection results corresponding to the plurality of flows to be detected, wherein the plurality of detection results are all used for representing that the plurality of flows to be detected are suspected DNS tunnel flows, and different thresholds correspond to different detection results; respectively carrying out weighted calculation on the multiple detection results according to the weight values corresponding to the multiple thresholds to obtain the certainty factor corresponding to each detection result, wherein the certainty factor is used for representing the credibility of the multiple flows to be detected as the DNS tunnel flows; and determining whether the flows to be detected contained in the flow set to be detected are DNS tunnel flows according to the corresponding certainty factor of each detection result.
The embodiment of the application further provides a processor, and the processor is configured to run a program stored in the memory, where the detection method of the DNS tunnel traffic is performed when the program runs.
The processor is used for running a program for executing the following functions: filtering the request traffic to obtain a traffic set to be detected, wherein the request traffic comprises DNS traffic transmitted by using a DNS protocol and DNS tunnel traffic transmitted by using the DNS protocol; detecting a plurality of flows to be detected contained in a flow set to be detected respectively according to a plurality of thresholds to obtain a plurality of detection results corresponding to the plurality of flows to be detected, wherein the plurality of detection results are all used for representing that the plurality of flows to be detected are suspected DNS tunnel flows, and different thresholds correspond to different detection results; respectively carrying out weighted calculation on the multiple detection results according to the weight values corresponding to the multiple thresholds to obtain the certainty factor corresponding to each detection result, wherein the certainty factor is used for representing the credibility of the multiple flows to be detected as the DNS tunnel flows; and determining whether the flows to be detected contained in the flow set to be detected are DNS tunnel flows according to the corresponding certainty factor of each detection result.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (14)

1. A DNS tunnel traffic detection method is characterized by comprising the following steps:
filtering request traffic to obtain a traffic set to be detected, wherein the request traffic comprises DNS traffic transmitted by using a DNS protocol and DNS tunnel traffic transmitted by using the DNS protocol;
respectively detecting a plurality of flows to be detected contained in the flow set to be detected according to a plurality of threshold values to obtain a plurality of detection results corresponding to the plurality of flows to be detected, wherein the plurality of detection results are all used for representing that the plurality of flows to be detected are suspected DNS tunnel flows, and different threshold values correspond to different detection results;
respectively carrying out weighted calculation on the multiple detection results according to the weight values corresponding to the multiple thresholds to obtain the certainty factor corresponding to each detection result, wherein the certainty factor is used for representing the credibility of the multiple flows to be detected as the DNS tunnel flows;
and determining whether the flows to be detected contained in the flow set to be detected are the DNS tunnel flows according to the corresponding certainty factor of each detection result.
2. The method of claim 1, wherein filtering the requested traffic to obtain the traffic set to be detected comprises:
filtering known DNS tunnel flow from the request flow according to DNS tunnel related threat information, wherein the DNS tunnel related threat information records message characteristics of the known DNS tunnel flow;
filtering legal DNS traffic from the request traffic according to a secondary domain name white list, wherein the secondary domain name white list is a set of legal secondary domain names;
and taking the request traffic except the known DNS tunnel traffic and the legal DNS traffic in the request traffic as the traffic set to be detected.
3. The method of claim 2, wherein after filtering the request traffic, the method further comprises:
and generating a threat log from the known DNS tunnel traffic filtered from the request traffic according to the relevant threat intelligence of the DNS tunnel, wherein the threat log is used for a network administrator to view.
4. The method of claim 1, wherein prior to filtering the request traffic, the method further comprises:
comparing the DNS domain name with the DNS tunnel domain name, and/or comparing the DNS flow with the DNS tunnel flow;
and setting a plurality of thresholds and weights corresponding to the thresholds respectively according to the comparison result.
5. The method according to claim 1, wherein detecting a plurality of flows to be detected included in the flow set to be detected according to a plurality of thresholds respectively to obtain a plurality of detection results corresponding to the plurality of flows to be detected comprises:
detecting domain names of all messages contained in the flow to be detected, and if the proportion of the messages with the domain names of the DNS tunnel domain names to all the messages exceeds a first threshold value in the threshold values, taking the flow to be detected as the suspected DNS tunnel flow;
detecting request record types of all messages contained in the flow to be detected, and if the request record types are that the proportion of the messages of the DNS tunnel tool common request record types in all the messages exceeds a second threshold value in the multiple threshold values, taking the flow to be detected as the suspected DNS tunnel flow;
and detecting the host name number under the secondary domain name related to all messages contained in the flow to be detected, and if the host name number under the secondary domain name exceeds a third threshold value in the plurality of threshold values, taking the flow to be detected as the flow of the suspected DNS tunnel.
6. The method of claim 5,
detecting the domain names of all messages contained in the flow to be detected, wherein the domain names include at least one of the following: detecting the length of a single label of the domain name, the character characteristics of the domain name and the entropy of the domain name;
the DNS tunneling tool common request record types comprise at least one of the following types: MX record type, CNAME record type, TXT record type, and NULL record type.
7. The method of claim 1, wherein performing a weighted calculation on the plurality of detection results according to weights corresponding to the plurality of thresholds, respectively, to obtain certainty factors corresponding to the detection results comprises:
carrying out standardization processing on each detection result according to the degree that each detection result exceeds the corresponding threshold value of each detection result to obtain the standardized detection result corresponding to each detection result;
and carrying out weighted calculation on the normalized detection result corresponding to each threshold according to the weight corresponding to each threshold to obtain the certainty factor corresponding to each detection result.
8. The method according to claim 3, wherein determining whether a plurality of flows to be detected included in the flow set to be detected are the DNS tunnel flows according to the certainty factor corresponding to each detection result includes:
calculating total certainty factor according to the certainty factor corresponding to each detection result;
and if the total certainty factor is greater than or equal to a certainty factor threshold value, determining that the plurality of flows to be detected contained in the flow set to be detected are the DNS tunnel flows.
9. The method according to claim 8, wherein after determining that the plurality of flows to be detected included in the set of flows to be detected are the DNS tunnel flows, the method further comprises:
updating the threat log according to the plurality of flows to be detected, wherein the threat log at least comprises the following information: and the source IP address, the destination IP address, the source port, the destination port and the used domain name of the flow to be detected.
10. The method according to claim 1, wherein after determining whether a plurality of flows to be detected included in the flow set to be detected are DNS tunnel flows according to the certainty factor corresponding to each detection result, the method further includes:
respectively calculating the flow rate ratio of each threshold in the current detection period, wherein the flow rate ratio is the ratio of the flow rate to be detected according to each threshold in the flow rate set to be detected;
respectively calculating the difference value of the flow ratio of each threshold in the current detection period and the flow ratio in the previous period;
adjusting the weight value corresponding to each threshold value according to the difference value to obtain the adjusted weight value;
and detecting the certainty factor of the next period according to the adjusted weight value.
11. The method of claim 2, further comprising receiving an operation instruction, the operation instruction comprising:
adding a second-level domain name or deleting an operation instruction of the second-level domain name to the second-level domain name white list;
an operating instruction to modify the plurality of thresholds.
12. A device for detecting DNS tunnel traffic, characterized by comprising:
a preprocessing module, configured to filter request traffic to obtain a set of flows to be detected, wherein the request traffic comprises DNS traffic transmitted using the DNS protocol and DNS tunnel traffic transmitted using the DNS protocol;
a detection module, configured to detect a plurality of flows to be detected contained in the set of flows to be detected according to a plurality of thresholds respectively, to obtain a plurality of detection results corresponding to the plurality of flows to be detected, wherein each of the plurality of detection results represents that the plurality of flows to be detected are suspected DNS tunnel flows, and different thresholds correspond to different detection results;
a calculation module, configured to perform a weighted calculation on the plurality of detection results according to the weights corresponding to the plurality of thresholds respectively, to obtain the certainty factor corresponding to each detection result, wherein the certainty factor represents the credibility that the plurality of flows to be detected are DNS tunnel flows;
and a determining module, configured to determine whether the plurality of flows to be detected contained in the set of flows to be detected are DNS tunnel flows according to the certainty factor corresponding to each detection result.
13. A computer-readable storage medium, characterized in that the storage medium includes a stored program, and when the program runs, the apparatus in which the storage medium is located is controlled to execute the DNS tunnel traffic detection method according to any one of claims 1 to 11.
14. A processor, characterized in that the processor is configured to execute a program stored in a memory, wherein, when executed, the program performs the method for detecting DNS tunnel traffic according to any one of claims 1 to 11.
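The multi-threshold pipeline of claim 12 (per-threshold detection, weighted certainty factor, final decision) together with the per-period weight adjustment of claim 10, as an added illustration that is not the patent's own code. The threshold values, initial weights, certainty cut-off, the direction of the weight adjustment and the sample flows are all assumptions; the claims do not specify them.

```python
import math
from collections import Counter
# Constructed sample period: (query name, DNS payload length in bytes). Not from the patent.
FLOWS = [
    ("www.example.com.", 60),
    ("mail.example.com.", 64),
    ("a" * 36 + ".cdn.example.org.", 80),                         # long but low-entropy label
    ("4f2a9c1e8b7d3a6f5e0c9b2a1d8e7f6c.tun.example.net.", 420),  # tunnel-like
    ("zq81n2m4k9p3x7w5v0b6c8d1e3f5g7h9.tun.example.net.", 410),  # tunnel-like
]
# Threshold values, initial weights and cut-off are assumed; the claims leave them unspecified.
THRESHOLDS = {"label_len": 30, "entropy": 3.5, "payload_len": 300}
WEIGHTS = {"label_len": 0.4, "entropy": 0.3, "payload_len": 0.3}
CERTAINTY_CUTOFF = 0.6
PREV_RATIOS = {"label_len": 0.2, "entropy": 0.2, "payload_len": 0.5}  # constructed previous period

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def features(qname, payload_len):
    labels = qname.rstrip(".").split(".")
    below_sld = "".join(labels[:-2])          # labels under the second-level domain
    return {"label_len": max(map(len, labels)),
            "entropy": shannon_entropy(below_sld) if below_sld else 0.0,
            "payload_len": payload_len}

def detect(flows, thresholds):
    """One detection result per threshold: the set of flow indices exceeding it."""
    return {k: {i for i, (q, n) in enumerate(flows) if features(q, n)[k] > t}
            for k, t in thresholds.items()}

def certainty(results, weights, n_flows):
    """Weighted sum of the per-threshold hits for each flow (0.0 .. 1.0)."""
    return [sum(w for k, w in weights.items() if i in results[k]) for i in range(n_flows)]

def flow_ratios(results, n_flows):
    return {k: len(hit) / n_flows for k, hit in results.items()}  # claim 10 "flow ratio"

def adjust_weights(weights, ratios_now, ratios_prev, step=0.05):
    """Assumed rule: nudge a weight up where its hit ratio rose, down where it fell, then renormalise."""
    raw = {}
    for k, w in weights.items():
        diff = ratios_now[k] - ratios_prev[k]
        raw[k] = max(0.0, w + step * ((diff > 0) - (diff < 0)))
    total = sum(raw.values())
    return {k: v / total for k, v in raw.items()}

def classify(flows, thresholds, weights, cutoff=CERTAINTY_CUTOFF):
    results = detect(flows, thresholds)
    return [c >= cutoff for c in certainty(results, weights, len(flows))], results
```

With these assumptions the long CDN-style label trips only the length threshold (certainty 0.4) and is not reported, while the two high-entropy, large-payload queries reach certainty 1.0; `adjust_weights` then shifts weight toward the thresholds whose hit ratio rose this period.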
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010615367.XA CN111786993B (en) 2020-06-30 2020-06-30 DNS tunnel traffic detection method and device

Publications (2)

Publication Number Publication Date
CN111786993A true CN111786993A (en) 2020-10-16
CN111786993B CN111786993B (en) 2022-08-23

Family

ID=72760032

Country Status (1)

Country Link
CN (1) CN111786993B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120054860A1 (en) * 2010-09-01 2012-03-01 Raytheon Bbn Technologies Corp. Systems and methods for detecting covert dns tunnels
CN110602100A (en) * 2019-09-16 2019-12-20 上海斗象信息科技有限公司 DNS tunnel flow detection method

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112367312A (en) * 2020-10-30 2021-02-12 北京亚鸿世纪科技发展有限公司 Detection method and device for studying and judging DNS hidden tunnel
CN112367312B (en) * 2020-10-30 2022-10-11 北京亚鸿世纪科技发展有限公司 Detection method and device for studying and judging DNS hidden tunnel
CN112822204A (en) * 2021-01-28 2021-05-18 深信服科技股份有限公司 NAT detection method, device, equipment and medium
CN112822223A (en) * 2021-04-19 2021-05-18 北京智源人工智能研究院 DNS hidden tunnel event automatic detection method and device and electronic equipment
CN113783727A (en) * 2021-09-07 2021-12-10 山石网科通信技术股份有限公司 Method and device for adjusting bandwidth of distributed equipment, storage medium and processor
CN113783727B (en) * 2021-09-07 2024-04-26 山石网科通信技术股份有限公司 Method and device for adjusting bandwidth of distributed equipment, storage medium and processor

Also Published As

Publication number Publication date
CN111786993B (en) 2022-08-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant