CN114070581B - Method and device for detecting hidden channel of domain name system - Google Patents


Info

Publication number
CN114070581B
Authority
CN
China
Prior art keywords
threat
flow
data
response
counting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111177431.1A
Other languages
Chinese (zh)
Other versions
CN114070581A (en)
Inventor
秦素娟
孙鹿丽
张华�
王森淼
涂腾飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202111177431.1A
Publication of CN114070581A
Application granted
Publication of CN114070581B
Legal status: Active
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • H04L63/1425Traffic logging, e.g. anomaly detection


Abstract

One or more embodiments of the present disclosure provide a method and an apparatus for detecting a hidden channel in a domain name system, including: extracting request-end features and response-end features from traffic data; processing the request-end features and the response-end features into a feature vector that is input to a preset traffic detection model to obtain a traffic detection result; and, in response to the traffic detection result being abnormal traffic, detecting the traffic data using a preset rule base to obtain a threat detection result. This enables detection of a hidden channel in the domain name system and improves detection accuracy.

Description

Method and device for detecting hidden channel of domain name system
Technical Field
One or more embodiments of the present disclosure relate to the field of information security technologies, and in particular, to a method and an apparatus for detecting a hidden channel in a domain name system.
Background
Using the Domain Name System (DNS) protocol to construct a hidden channel, and then carrying out malicious attacks such as remote control and data theft over that hidden channel, is a common attacker technique. Some existing DNS hidden channel detection methods identify a DNS hidden channel by continuously detecting the difference between the request-end traffic volume and the normal traffic volume; because hidden channel characteristics that may exist in the response-end traffic are not considered, their false negative rate is high. Other methods detect the DNS hidden channel based on a Markov decision method, but place high demands on the network environment and are difficult to realize in a large-scale network system.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a method and an apparatus for detecting a hidden channel in a domain name system, so as to solve the problem of detecting a DNS hidden channel.
In view of the above, one or more embodiments of the present specification provide a method for detecting a hidden channel in a domain name system, including:
extracting request end characteristics and response end characteristics from the flow data;
processing the request end characteristics and the response end characteristics into characteristic vectors so as to input a preset flow detection model and obtain a flow detection result;
and in response to the fact that the flow detection result is abnormal flow, detecting the flow data by using a preset rule base to obtain a threat detection result.
Optionally, after obtaining the threat detection result, the method further includes:
in response to the threat detection result being an unknown threat, determining a duration of the abnormal traffic;
analyzing the file transmission-related behavior in the traffic data during the duration;
and responding to the abnormal behavior, and performing blocking processing on the abnormal behavior.
Optionally, in response to the behavior being an abnormal behavior, the method includes:
the behavior is acquiring a specific file; or,
the behavior is uploading or downloading a file, and the file comprises a specific characteristic.
Optionally, after analyzing the file transmission-related behavior in the traffic data during the duration, the method further includes:
in response to the behavior being an unknown behavior, merging the traffic data with subsequent traffic data;
the extraction of the request end characteristics and the response end characteristics from the traffic data is as follows: request-side data and response-side data are extracted from the merged traffic data.
Optionally, processing the request end feature and the response end feature into a feature vector includes:
for the flow data with the same main domain name, counting the flow characteristics of a request end according to the characteristics of the request end, and counting the flow characteristics of a response end according to the characteristics of the response end;
and vectorizing the flow characteristics of the request end and the response end to obtain a characteristic vector suitable for the flow detection model processing.
Optionally, counting request end traffic characteristics according to the request end characteristics includes:
according to the quintuple of the request end, counting the proportion of the traffic data of the non-IP protocol in all the traffic data; according to the data content of the request end, counting the average length of the data content of the request end; according to the sub-domain names of the request terminal, counting the number of sub-domain levels, the proportion of non-repeated sub-domain names in all sub-domain names and the average Shannon entropy of the sub-domain names; calculating the average Shannon entropy of the sub domain names under the same main domain name according to the main domain name of the request terminal and the sub domain names under the same main domain name;
counting the flow characteristics of the response terminal according to the characteristics of the response terminal, comprising the following steps:
according to the data content of the response end, counting the average length of the data content of the response end; according to the TTL of the response end, counting the average TTL of the response end; and according to the protocol type of the response end, counting the Shannon entropy of the data content of the non-IP protocol.
Optionally, the detecting the flow data by using a preset rule base to obtain a threat detection result, including:
detecting the flow data by using a preset threat database to obtain a threat type result;
and responding to the fact that the threat type result is an unknown threat type, and matching the flow data with a preset threat rule base to obtain a threat matching result.
Optionally, the threat rule base includes a plurality of regular expressions formed by different threat characteristics according to a specific rule;
matching the flow data with a preset threat rule base, including:
extracting features to be matched from the flow data;
and matching the features to be matched with the regular expression.
Optionally, the method further includes:
updating the threat database according to the acquired threat data;
and updating the threat rule base according to the obtained threat rule.
An embodiment of the present specification further provides a device for detecting a hidden channel in a domain name system, including:
the characteristic extraction module is used for extracting request terminal characteristics and response terminal characteristics from the flow data;
the flow classification module is used for processing the request end characteristics and the response end characteristics into characteristic vectors so as to input a preset flow detection model and obtain a flow detection result;
and the threat detection module is used for responding to the abnormal flow of the flow detection result, and detecting the flow data by using a preset rule base to obtain a threat detection result.
As can be seen from the foregoing, in the detection method and apparatus for a hidden channel of a domain name system provided in one or more embodiments of the present disclosure, a request end feature and a response end feature are extracted from traffic data, and the request end feature and the response end feature are processed into a feature vector, so as to input a preset traffic detection model to obtain a traffic detection result, and in response to the traffic detection result being an abnormal traffic, the traffic data is detected by using a preset rule base to obtain a threat detection result. The detection of the hidden channel of the domain name system can be realized, and the detection accuracy is improved.
Drawings
In order to more clearly illustrate one or more embodiments of the present specification or prior art solutions, the drawings needed in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings described below illustrate only one or more embodiments of the present specification, and other drawings may be obtained from them by those skilled in the art without inventive effort.
FIG. 1 is a schematic flow chart of a method according to one or more embodiments of the present disclosure;
FIG. 2 is a schematic diagram of an apparatus according to one or more embodiments of the present disclosure;
FIG. 3 is a schematic structural diagram of an electronic device according to one or more embodiments of the present disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be understood that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present disclosure should have the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the specification is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
As shown in fig. 1, an embodiment of the present specification provides a method for detecting a hidden channel in a domain name system, including:
S101: extracting request end characteristics and response end characteristics from the flow data;
in this embodiment, traffic data is acquired from a network, and when it is detected whether the traffic data is data in a DNS hidden channel or not, the traffic data of a request end is analyzed, and a request end feature is extracted therefrom, and the traffic data of a response end is analyzed, and a response end feature is extracted therefrom.
Analyzing the traffic data of the request end, the extracted request end characteristics include, but are not limited to, the quintuple, main domain name, sub domain name and data content; analyzing the traffic data of the response end, the extracted response end characteristics include, but are not limited to, data content length and Time To Live (TTL).
S102: processing the characteristics of the request end and the characteristics of the response end into characteristic vectors so as to input a preset flow detection model and obtain a flow detection result;
In this embodiment, the extracted request end feature and response end feature are processed into a feature vector suitable for input to the traffic detection model, and the traffic detection model outputs a traffic detection result according to the input feature vector, where the result is either normal traffic or abnormal traffic. The traffic detection model may be obtained by training on normal traffic data samples and abnormal data samples, and can classify input features. Optionally, the traffic detection model is implemented with an isolation forest algorithm, which can quickly and accurately identify abnormal traffic within a large amount of traffic data.
S103: and in response to the fact that the flow detection result is abnormal flow, detecting the flow data by using a preset rule base to obtain a threat detection result.
In this embodiment, when the output result of the traffic detection model is abnormal traffic, the abnormal traffic is further detected by using the rule base, so as to obtain a threat detection result, for example, which threat type the abnormal traffic belongs to.
The method for detecting the hidden channel of the domain name system provided by the embodiment includes extracting characteristics of a request end and characteristics of a response end from traffic data, processing the characteristics of the request end and the characteristics of the response end into characteristic vectors so as to input a preset traffic detection model to obtain a traffic detection result, and detecting the traffic data by using a preset rule base in response to the traffic detection result being abnormal traffic to obtain a threat detection result. The detection is carried out by integrating the characteristics of the request end and the response end, so that the detection accuracy can be improved, and the missing report rate can be reduced.
In some embodiments, after obtaining the threat detection result, the method further includes:
in response to the threat detection result being an unknown threat, determining the duration of the abnormal traffic;
analyzing the file transmission related behaviors in the flow data in the duration;
and responding to the abnormal behavior, and performing blocking processing on the abnormal behavior.
In this embodiment, the rule base is used to detect the abnormal traffic; the resulting threat detection result may be a specific threat type, and abnormal traffic for which no threat type is detected is determined to be an unknown threat. Unknown threats require further detection and analysis. First, the start time and end time of the abnormal traffic are determined, and thus its duration; then the file transmission behaviors in the traffic data within that duration are analyzed, and when a file transmission behavior is judged to be abnormal it is blocked in time, for example by blocking the file transmission channel or stopping the file transmission service, so as to avoid data leakage through a hidden channel. Meanwhile, for the identified abnormal behaviors, the attack source and the victim host are traced, the relevant characteristics of the abnormal behaviors are analyzed, characteristic rules are constructed from them, and the characteristic rules are stored in the rule base.
In some embodiments, responding to the behavior being abnormal behavior comprises:
the behavior is acquiring a specific file; or,
the behavior is to upload a file or download a file, and the file includes a specific feature.
For example, for File Transfer Protocol (FTP) traffic data, if there is a behavior of anonymously logging in to a shared folder and acquiring a specific file, that behavior may be determined to be abnormal, and the threat type of the abnormal traffic may be determined as information theft exploiting an FTP anonymous login vulnerability. For another example, for traffic data of a file uploaded or downloaded over the HTTP or SSL protocol, the uploaded or downloaded file is obtained and reverse-analyzed to obtain its content, and if the content has a specific characteristic, the threat type can be determined from that characteristic. By analyzing the acquired quintuple, the file upload or download behavior can also be imitated as a request end in order to communicate with the response end, and the threat type determined by continuously detecting the traffic data during that communication. After the file transmission is analyzed and determined to be abnormal, the abnormal behavior can be blocked and the file transmission channel cut off, avoiding data leakage.
In some modes, for abnormal traffic, five tuples, data content and other characteristics of the abnormal traffic are extracted, so that an abnormal traffic log is generated conveniently, and traffic statistical results can be displayed according to different times. And the characteristic rule can be constructed according to the related characteristics of the abnormal flow, the characteristic rule is stored in the rule base, and the rule base is updated, so that the subsequent detection accuracy is improved.
In some embodiments, analyzing the behavior regarding file transmission in the traffic data over the duration further comprises:
merging the traffic data with subsequent traffic data in response to the behavior being an unknown behavior;
extracting the request end characteristics and the response end characteristics from the flow data is as follows: request-side data and response-side data are extracted from the merged traffic data.
In this embodiment, when the rule base does not determine a threat type for the abnormal traffic, and analysis of the file transmission behavior does not assign it to any threat type either, the abnormal traffic is merged with the subsequently generated traffic data, re-detection is performed according to steps S101 to S103, and a detection result is obtained through continuous detection.
In some embodiments, processing the request-side features and the response-side features into feature vectors includes:
for the flow data with the same main domain name, counting the flow characteristics of a request end according to the characteristics of the request end, and counting the flow characteristics of a response end according to the characteristics of the response end;
and vectorizing the flow characteristics of the request end and the response end to obtain a characteristic vector suitable for processing the flow detection model.
In this embodiment, after the request end feature and the response end feature are extracted according to the traffic data, the two features are processed in a unified manner to obtain a feature vector, which is convenient for inputting into the traffic detection model. Specifically, according to a main domain name in the characteristics of a request end and a main domain name in the characteristics of a response end, determining flow data with the same main domain name; then, based on the flow data with the same main domain name, counting the flow characteristics of the request end according to the characteristics of the request end, and counting the flow characteristics of the response end according to the characteristics of the response end; and combining the flow characteristics of the request end and the flow characteristics of the response end, and performing vectorization and normalization processing to obtain a characteristic vector suitable for processing the flow detection model, wherein the characteristic vector comprises the characteristics of the request end and the characteristics of the response end, so that the model can identify whether the flow is abnormal flow according to the characteristics of the request end and the characteristics of the response end, and the problem that the abnormal flow cannot be accurately detected due to omission of hidden channel characteristics contained in the response end is avoided.
In some embodiments, counting request-side traffic characteristics according to request-side characteristics includes: according to the quintuple of the request end, counting the proportion of traffic data of non-IP protocols (protocols other than IPv4 and IPv6) in all the traffic data; according to the data content of the request end, counting the average length of the request end data content; according to the sub-domain names of the request end, counting the number of sub-domain levels, the proportion of non-repeated sub-domain names among all sub-domain names, and the average Shannon entropy of the sub-domain names; according to the main domain name of the request end and each sub domain name under the same main domain name, calculating the average Shannon entropy of the sub domain names under the same main domain name (first calculating the Shannon entropy of each sub domain name, then taking the mean of these entropies as the average Shannon entropy).
Counting the flow characteristics of the response terminal according to the characteristics of the response terminal, comprising the following steps: according to the data content of the response end, counting the average length of the data content of the response end; according to the TTL of the response end, counting the average TTL of the response end; and according to the protocol type of the response end, counting the Shannon entropy of the data content of the non-IP protocol.
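The per-main-domain statistics described above, as an added Python example that is not code from the patent: constructed DNS query/response records are grouped by main domain and turned into the request-end and response-end feature vector, then min-max normalized. It assumes a two-label main domain and reads "non-IP protocol" traffic as DNS record types that carry no IPv4/IPv6 address (both labelled assumptions in the code).

```python
import math
from collections import defaultdict

# Constructed sample DNS query/response pairs (not taken from the patent):
# (query name, record type, response data content, response TTL).
SAMPLE_RECORDS = [
    ("www.example.com", "A", "93.184.216.34", 3600),
    ("www.example.com", "A", "93.184.216.34", 3600),
    ("mail.example.com", "A", "93.184.216.35", 3600),
    # tunnel-like pattern: long high-entropy labels, TXT answers, TTL of 1
    ("a9f3k2m1x0qz.c7.tun.example.net", "TXT", "Zm9vYmFyYmF6cXV4", 1),
    ("b2n8p4r7t1yw.c8.tun.example.net", "TXT", "c2VjcmV0ZGF0YQ==", 1),
    ("k5d9s3h6j2lq.c9.tun.example.net", "TXT", "bW9yZWRhdGEK", 1),
]

# Assumption: the patent's "non-IP protocol" traffic is read here as DNS
# records whose type carries no IPv4/IPv6 address (e.g. TXT, NULL, CNAME).
IP_RECORD_TYPES = {"A", "AAAA"}


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string (0.0 for empty)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Return (main domain, sub-domain part). Assumption: the main domain is the
    last two labels; a real deployment would consult the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def features_for_main_domain(records):
    """Request-end and response-end traffic statistics for one main domain."""
    n = len(records)
    subs = [split_domain(q)[1] for q, _, _, _ in records]
    non_ip = [r for r in records if r[1] not in IP_RECORD_TYPES]
    request_side = [
        len(non_ip) / n,                                       # non-IP proportion
        sum(len(q) for q, *_ in records) / n,                  # avg request length
        sum(len(s.split(".")) if s else 0 for s in subs) / n,  # avg sub-domain levels
        len(set(subs)) / n,                                    # unique sub-domain ratio
        sum(shannon_entropy(s) for s in subs) / n,             # avg sub-domain entropy
    ]
    response_side = [
        sum(len(r[2]) for r in records) / n,                   # avg response length
        sum(r[3] for r in records) / n,                        # avg TTL
        shannon_entropy("".join(r[2] for r in non_ip)),        # entropy of non-IP content
    ]
    return request_side + response_side


def feature_vectors(records):
    """Group records by main domain and compute one raw feature vector per group."""
    groups = defaultdict(list)
    for rec in records:
        groups[split_domain(rec[0])[0]].append(rec)
    return {main: features_for_main_domain(recs) for main, recs in groups.items()}


def min_max_normalize(vectors):
    """Scale every feature to [0, 1] across the main domains (constant features -> 0)."""
    names = list(vectors)
    dim = len(vectors[names[0]])
    lo = [min(vectors[k][i] for k in names) for i in range(dim)]
    hi = [max(vectors[k][i] for k in names) for i in range(dim)]
    return {
        k: [0.0 if hi[i] == lo[i] else (vectors[k][i] - lo[i]) / (hi[i] - lo[i])
            for i in range(dim)]
        for k in names
    }


if __name__ == "__main__":
    for main, vec in min_max_normalize(feature_vectors(SAMPLE_RECORDS)).items():
        print(main, [round(v, 3) for v in vec])
```

The normalized vectors are what a model such as the isolation forest named in the text would consume; the tunnel-like group stands out on the non-IP proportion, sub-domain levels, entropy and TTL features.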
In some embodiments, detecting the traffic data by using a preset rule base to obtain a threat detection result includes:
detecting the flow data by using a preset threat database to obtain a threat type result;
and responding to the unknown threat type result, and matching the flow data with a preset threat rule base to obtain a threat matching result.
In this embodiment, the preset rule base includes two types, namely a threat database and a threat rule base. When the flow detection model is used for detecting that the flow data is abnormal flow, the threat database is used for detecting the flow data to obtain a threat type result, and the threat type which the abnormal flow belongs to is directly output for the threat type which can be detected by the threat database. If the threat database fails to detect a particular threat type, an unknown threat type is output. And for the flow data of the unknown threat type, continuing to perform matching detection according to the threat rule base to obtain a threat matching result of the threat rule base.
In some approaches, the threat database may be constructed using known or detected abnormal traffic. For example, in the construction stage, threat data is acquired from open-source threat intelligence websites, data cleaning is performed on the acquired threat data to unify the data formats, the cleaned data is classified, the various kinds of abnormal traffic are sorted and classified according to key fields such as quintuple, main domain name, sub domain name, URL, attack type, attack family, malware and discovery time, and after this processing the abnormal traffic is stored in the threat database. During use, new threat data can be acquired periodically and the threat database updated accordingly. Optionally, the threat types detectable by the threat database include APT attacks, botnets, DDoS attacks, illegal cryptomining, adware, ransomware and the like, without specific limitation.
In some embodiments, the threat rule base includes a plurality of regular expressions formed by different threat characteristics according to a specific rule;
matching the flow data with a preset threat rule base, comprising:
extracting features to be matched from the flow data;
and matching the characteristics to be matched with the regular expression.
In this embodiment, when the specific threat type is not detected in the threat database, the abnormal traffic of the unknown threat type is matched with the threat feature rules in the threat rule base one by one, so as to obtain a matching result. The threat characteristic rules are regular expressions formed by different threat characteristics according to specific rules, and each regular expression can represent a specific threat type. And when matching, extracting the features to be matched from the flow data, accurately matching the features to be matched with the regular expression, and if matching is successful, judging the threat type of the flow data to be the threat type corresponding to the regular expression. And if the features to be matched are not matched with each regular expression in the threat rule base, performing subsequent abnormal behavior detection on the abnormal flow.
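The two-tier rule base described above (threat database first, regular-expression rule base second, "unknown" handed on to behaviour analysis) and the rule-base update that follows, as an added Python example that is not code from the patent. The indicators, threat types and regular expressions are constructed for illustration, and the main domain is again assumed to be the last two labels.

```python
import re

# Constructed threat database (stand-in for the patent's database built from
# open-source threat intelligence); indicators and types are invented.
THREAT_DATABASE = {
    "main_domain": {"bad-c2.example": "botnet"},
    "quintuple": {("10.0.0.5", "203.0.113.9", 51234, 53, "UDP"): "apt"},
}

# Constructed threat rule base: one regular expression per threat type, applied
# to the feature to be matched (here the lower-cased query name).
THREAT_RULES = [
    ("dns_tunnel", re.compile(r"^(?:[a-z0-9]{20,}\.){2,}")),   # runs of long labels
    ("beacon_marker", re.compile(r"(?:^|\.)cmd-[0-9a-f]{4}\.")),
]


def lookup_threat_database(record):
    """Tier 1: direct lookup of known indicators; None when nothing is known."""
    hit = THREAT_DATABASE["main_domain"].get(record["main_domain"])
    if hit is None:
        hit = THREAT_DATABASE["quintuple"].get(record["quintuple"])
    return hit


def match_threat_rules(feature_to_match):
    """Tier 2: the first regular expression that matches decides the threat type."""
    for threat_type, pattern in THREAT_RULES:
        if pattern.search(feature_to_match):
            return threat_type
    return None


def add_threat_rule(threat_type, regex):
    """Rule base update: append a newly obtained rule (the periodic refresh step)."""
    THREAT_RULES.append((threat_type, re.compile(regex)))


def detect_threat(record):
    """Return (threat type, tier that decided). 'unknown' means neither tier
    matched and the traffic goes on to the file-transfer behaviour analysis."""
    known = lookup_threat_database(record)
    if known is not None:
        return known, "threat_database"
    matched = match_threat_rules(record["qname"].lower())
    if matched is not None:
        return matched, "threat_rule_base"
    return "unknown", None


def make_record(src, dst, sport, dport, proto, qname):
    """Build the per-flow record consumed by detect_threat (two-label main domain assumed)."""
    main_domain = ".".join(qname.lower().rstrip(".").split(".")[-2:])
    return {"quintuple": (src, dst, sport, dport, proto),
            "main_domain": main_domain, "qname": qname}


if __name__ == "__main__":
    for name in ("www.example.com", "x.bad-c2.example",
                 "a9f3k2m1x0qz7b4n6p8r2s5t.ew3k9d1f7h2j5l8m0n4q6r.tun.example.net"):
        print(name, detect_threat(make_record("10.0.0.7", "192.0.2.53", 40000, 53, "UDP", name)))
```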
In some embodiments, the detection method further comprises:
updating a threat database according to the acquired threat data;
and updating the threat rule base according to the obtained threat rule.
In the embodiment, in the detection process, the threat database is updated by periodically acquiring new threat data, and meanwhile, a new threat rule is periodically acquired (for example, a regular expression can be constructed according to several characteristics of the threat data), so that the threat rule base is updated, and the accuracy of the rule base for detection is ensured.
It should be noted that the method of one or more embodiments of the present disclosure may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may perform only one or more steps of the method of one or more embodiments of the present disclosure, and the devices may interact with each other to complete the method.
It should be noted that the above description describes certain embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
As shown in fig. 2, an embodiment of the present specification further provides an apparatus for detecting a hidden channel in a domain name system, including:
the characteristic extraction module is used for extracting request terminal characteristics and response terminal characteristics from the flow data;
the flow classification module is used for processing the request end characteristics and the response end characteristics into characteristic vectors so as to input a preset flow detection model and obtain a flow detection result;
and the threat detection module is used for responding to the abnormal flow of the flow detection result, and detecting the flow data by using a preset rule base to obtain a threat detection result.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the various modules may be implemented in the same one or more pieces of software and/or hardware in implementing one or more embodiments of the present description.
In some embodiments, the detection device for the domain name system hidden channel in the present specification is implemented based on Docker environment deployment, and is convenient to deploy, occupies a small amount of resources, and can implement DNS hidden channel detection in real time, efficiently, and accurately.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Fig. 3 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented in software or firmware, the relevant program code is stored in the memory 1020 and called for execution by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (for example, USB, network cable, etc.), and can also realize communication in a wireless mode (for example, mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The electronic device of the foregoing embodiment is used for implementing the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described again here.
Computer-readable media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only, and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; features from the above embodiments, or from different embodiments, may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of one or more embodiments of the present description, as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure one or more embodiments of the description. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the understanding of one or more embodiments of the present description, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, the discussed embodiments may be used with other memory architectures, such as dynamic RAM (DRAM).
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (6)

1. A method for detecting a hidden channel of a domain name system, characterized by comprising the following steps:
extracting request-end features and response-end features from traffic data;
for the traffic data having the same main domain name, counting request-end traffic features according to the request-end features, and counting response-end traffic features according to the response-end features;
the counted request-end traffic features comprise: according to the request-end five-tuple, the proportion of non-IP protocol traffic data in all the traffic data; according to the request-end data content, the average length of the request-end data content; according to the request-end sub-domain names, the number of sub-domain levels, the proportion of non-repeated sub-domain names among all sub-domain names, and the average Shannon entropy of the sub-domain names; and, according to the request-end main domain name and the sub-domain names under that main domain name, the average Shannon entropy of the sub-domain names under the same main domain name;
the counted response-end traffic features comprise: according to the response-end data content, the average length of the response-end data content; according to the response-end TTL, the average response-end TTL; and, according to the response-end protocol type, the Shannon entropy of the data content of the non-IP protocol;
vectorizing the request-end traffic features and the response-end traffic features to obtain a feature vector, and inputting the feature vector into a preset traffic detection model to obtain a traffic detection result;
in response to the traffic detection result being abnormal traffic, detecting the traffic data using a preset rule base to obtain a threat detection result;
in response to the threat detection result being an unknown threat, determining the duration of the abnormal traffic;
analyzing the file-transfer-related behavior in the traffic data during the duration; and
in response to the behavior being abnormal behavior, blocking the abnormal behavior; wherein the abnormal behavior comprises anonymous login to a shared folder and acquisition of a specific file, an uploaded or downloaded file containing specific characteristics of a specific threat type, and a threat existing in the traffic data of an uploaded or downloaded file.
2. The method of claim 1, wherein, after analyzing the file-transfer-related behavior in the traffic data during the duration, the method further comprises:
in response to the behavior being an unknown behavior, merging the traffic data with subsequent traffic data;
and wherein extracting the request-end features and the response-end features from the traffic data comprises: extracting request-end data and response-end data from the merged traffic data.
3. The method of claim 1, wherein detecting the traffic data using a preset rule base to obtain a threat detection result comprises:
detecting the traffic data using a preset threat database to obtain a threat type result; and
in response to the threat type result being an unknown threat type, matching the traffic data against a preset threat rule base to obtain a threat matching result.
4. The method of claim 3, wherein the threat rule base comprises a plurality of regular expressions for different threat characteristics, organized according to a specific rule; and
matching the traffic data against the preset threat rule base comprises:
extracting features to be matched from the traffic data; and
matching the features to be matched against the regular expressions.
5. The method of claim 3, further comprising:
updating the threat database according to the obtained threat data;
and updating the threat rule base according to the obtained threat rule.
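The two-stage check of claims 3 to 5, as an added Python example that is not the patent's own code: a threat database lookup keyed by main domain, a fall-back to regular-expression rules over strings extracted from the traffic when that lookup yields an unknown type, and the two update operations of claim 5. The `TrafficSample` fields, the choice of subdomain labels plus response content as the "features to be matched", the database entry and the regex patterns are all assumptions constructed for this example.

```python
"""Two-stage threat identification for traffic already flagged as abnormal (claims 3 to 5).
Added example, not the patent's code; database entries, rules and samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TrafficSample:
    """One DNS exchange from the abnormal traffic (constructed field set)."""
    main_domain: str
    qname: str
    qtype: str
    response: str


@dataclass
class RuleBase:
    # Stage 1 (claim 3): preset threat database, main domain -> threat type.
    threat_db: Dict[str, str] = field(default_factory=dict)
    # Stage 2 (claim 4): regular expressions, each tagged with the threat characteristic it encodes.
    threat_rules: List[Tuple[str, re.Pattern]] = field(default_factory=list)

    def update_threat_db(self, threat_data: Dict[str, str]) -> None:
        """Claim 5: merge newly obtained threat data into the database."""
        self.threat_db.update(threat_data)

    def update_threat_rules(self, threat_rules: Dict[str, str]) -> None:
        """Claim 5: compile and append newly obtained rules (name -> pattern string)."""
        for name, pattern in threat_rules.items():
            self.threat_rules.append((name, re.compile(pattern)))


def features_to_match(sample: TrafficSample) -> List[str]:
    """Strings the rules are matched against.  Assumption: the individual subdomain
    labels of the query name plus the response content."""
    suffix = "." + sample.main_domain
    sub = sample.qname[: -len(suffix)] if sample.qname.endswith(suffix) else ""
    return [label for label in sub.split(".") if label] + [sample.response]


def detect_threat(sample: TrafficSample, rules: RuleBase) -> str:
    """Return the threat type from the database, else the name of the first
    matching rule, else 'unknown' (which hands the traffic on to duration analysis)."""
    known = rules.threat_db.get(sample.main_domain)
    if known is not None:
        return known
    for name, regex in rules.threat_rules:
        if any(regex.search(feature) for feature in features_to_match(sample)):
            return name
    return "unknown"


def build_example_rule_base() -> RuleBase:
    """Constructed rule base; the domain and patterns are placeholders, not real intelligence."""
    rb = RuleBase()
    rb.update_threat_db({"bad.example": "known-tunnel-domain"})
    rb.update_threat_rules({
        # a label of 32 or more characters drawn only from the base32 alphabet
        "base32-like-label": r"^[a-z2-7]{32,}$",
        # a label of 24 or more hexadecimal characters
        "hex-like-label": r"^[0-9a-f]{24,}$",
    })
    return rb


if __name__ == "__main__":
    rb = build_example_rule_base()
    for s in [
        TrafficSample("bad.example", "x.bad.example", "A", "192.0.2.1"),
        TrafficSample("tun.test", "abcdefghijklmnopqrstuvwxyz234567.tun.test", "TXT", "ok"),
        TrafficSample("example.com", "www.example.com", "A", "93.184.216.34"),
    ]:
        print(s.qname, "->", detect_threat(s, rb))
```

Rules are tried in insertion order and the first hit wins, so more specific rules should be added before broader ones; an "unknown" result is exactly the case in which claim 1 proceeds to determine the duration of the abnormal traffic and analyze its file-transfer behavior.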
6. A device for detecting a hidden channel of a domain name system, characterized by comprising:
a feature extraction module, configured to extract request-end features and response-end features from traffic data;
a traffic classification module, configured to, for the traffic data having the same main domain name, count request-end traffic features according to the request-end features and count response-end traffic features according to the response-end features;
the counted request-end traffic features comprise: according to the request-end five-tuple, the proportion of non-IP protocol traffic data in all the traffic data; according to the request-end data content, the average length of the request-end data content; according to the request-end sub-domain names, the number of sub-domain levels, the proportion of non-repeated sub-domain names among all sub-domain names, and the average Shannon entropy of the sub-domain names; and, according to the request-end main domain name and the sub-domain names under that main domain name, the average Shannon entropy of the sub-domain names under the same main domain name;
the counted response-end traffic features comprise: according to the response-end data content, the average length of the response-end data content; according to the response-end TTL, the average response-end TTL; and, according to the response-end protocol type, the Shannon entropy of the data content of the non-IP protocol;
the traffic classification module being further configured to vectorize the request-end and response-end traffic features to obtain a feature vector and input it into a preset traffic detection model to obtain a traffic detection result;
a threat detection module, configured to, in response to the traffic detection result being abnormal traffic, detect the traffic data using a preset rule base to obtain a threat detection result; and
a threat processing module, configured to, in response to the threat detection result being an unknown threat, determine the duration of the abnormal traffic; analyze the file-transfer-related behavior in the traffic data during the duration; and, in response to the behavior being abnormal behavior, block the abnormal behavior; wherein the abnormal behavior comprises anonymous login to a shared folder and acquisition of a specific file, an uploaded or downloaded file containing specific characteristics of a specific threat type, and a threat existing in the traffic data of an uploaded or downloaded file.
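The request-end and response-end statistics listed in claims 1 and 6, computed per main domain and vectorized, as an added Python example that is not the patent's implementation. The `DnsRecord` fields, the sample records, the reading of "non-IP protocol" as record types other than A/AAAA, and the reading of the per-main-domain entropy feature as the entropy of all subdomain text seen under one main domain are assumptions made for this example.

```python
"""Per-main-domain DNS traffic statistics (claims 1 and 6) turned into feature vectors.
Added example; record fields, sample data and the two readings noted below are assumptions."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumption: "IP protocol" traffic means address lookups; everything else
# (TXT, NULL, CNAME, MX, ...) is treated as "non-IP protocol" traffic.
IP_RECORD_TYPES = {"A", "AAAA"}

FEATURE_ORDER = [
    "non_ip_ratio", "avg_request_len", "avg_subdomain_levels", "unique_subdomain_ratio",
    "avg_subdomain_entropy", "domain_subdomain_entropy",
    "avg_response_len", "avg_ttl", "non_ip_response_entropy",
]


@dataclass
class DnsRecord:
    main_domain: str  # registered main domain, e.g. "example.com"
    qname: str        # full query name sent by the request end
    qtype: str        # record type: A, AAAA, TXT, NULL, CNAME, ...
    response: str     # response-end data content (rdata)
    ttl: int          # response-end TTL in seconds


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def subdomain_of(record: DnsRecord) -> str:
    """Query-name part below the main domain: 'a.b' for a.b.example.com, '' for the apex."""
    suffix = "." + record.main_domain
    return record.qname[: -len(suffix)] if record.qname.endswith(suffix) else ""


def mean(values: List[float]) -> float:
    return sum(values) / len(values) if values else 0.0


def request_features(records: List[DnsRecord]) -> Dict[str, float]:
    """Request-end statistics of claim 1 for one main domain's records."""
    subs = [subdomain_of(r) for r in records]
    label_text = [s.replace(".", "") for s in subs]  # label characters only, dots removed
    return {
        "non_ip_ratio": sum(r.qtype not in IP_RECORD_TYPES for r in records) / len(records),
        "avg_request_len": mean([len(r.qname) for r in records]),
        "avg_subdomain_levels": mean([len(s.split(".")) if s else 0 for s in subs]),
        "unique_subdomain_ratio": len(set(subs)) / len(subs),
        "avg_subdomain_entropy": mean([shannon_entropy(t) for t in label_text]),
        # Assumed reading of the per-main-domain entropy feature: entropy of all
        # subdomain text observed under this main domain taken together.
        "domain_subdomain_entropy": shannon_entropy("".join(label_text)),
    }


def response_features(records: List[DnsRecord]) -> Dict[str, float]:
    """Response-end statistics of claim 1 for one main domain's records."""
    non_ip_content = "".join(r.response for r in records if r.qtype not in IP_RECORD_TYPES)
    return {
        "avg_response_len": mean([len(r.response) for r in records]),
        "avg_ttl": mean([r.ttl for r in records]),
        "non_ip_response_entropy": shannon_entropy(non_ip_content),
    }


def feature_vectors(records: List[DnsRecord]) -> Dict[str, List[float]]:
    """Group records by main domain and return one feature vector per domain,
    in FEATURE_ORDER, ready to be fed to a traffic detection model."""
    groups: Dict[str, List[DnsRecord]] = defaultdict(list)
    for r in records:
        groups[r.main_domain].append(r)
    vectors = {}
    for domain, recs in groups.items():
        feats = {**request_features(recs), **response_features(recs)}
        vectors[domain] = [feats[name] for name in FEATURE_ORDER]
    return vectors


# Constructed sample traffic: ordinary lookups for example.com and tunnel-like
# queries for tun.test (long, never-repeating, high-entropy labels, TXT records, TTL 1).
SAMPLE_RECORDS = [
    DnsRecord("example.com", "www.example.com", "A", "93.184.216.34", 300),
    DnsRecord("example.com", "www.example.com", "A", "93.184.216.34", 300),
    DnsRecord("example.com", "mail.example.com", "A", "93.184.216.35", 600),
    DnsRecord("tun.test", "abcdefgh.ijklmnop.tun.test", "TXT", "zyxwvuts", 1),
    DnsRecord("tun.test", "qrstuvwx.yz012345.tun.test", "TXT", "zyxwvuts", 1),
    DnsRecord("tun.test", "6789ABCD.EFGHIJKL.tun.test", "TXT", "zyxwvuts", 1),
    DnsRecord("tun.test", "MNOPQRST.UVWXYZ-_.tun.test", "A", "10.0.0.1", 1),
]

if __name__ == "__main__":
    for domain, vector in feature_vectors(SAMPLE_RECORDS).items():
        print(domain, [round(v, 3) for v in vector])
```

On the constructed sample the two groups separate cleanly: example.com has a non-IP ratio of 0, one subdomain level, repeated names and low entropy, while tun.test shows a high non-IP ratio, long never-repeating two-level names, maximal per-label entropy and a TTL of 1. Label case is kept as-is because some encodings used in tunnels are case-sensitive; a deployment that normalizes 0x20-randomized names would lowercase before computing entropy.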
CN202111177431.1A 2021-10-09 2021-10-09 Method and device for detecting hidden channel of domain name system Active CN114070581B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111177431.1A CN114070581B (en) 2021-10-09 2021-10-09 Method and device for detecting hidden channel of domain name system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111177431.1A CN114070581B (en) 2021-10-09 2021-10-09 Method and device for detecting hidden channel of domain name system

Publications (2)

Publication Number Publication Date
CN114070581A CN114070581A (en) 2022-02-18
CN114070581B true CN114070581B (en) 2023-03-14

Family

ID=80234416

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111177431.1A Active CN114070581B (en) 2021-10-09 2021-10-09 Method and device for detecting hidden channel of domain name system

Country Status (1)

Country Link
CN (1) CN114070581B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378124A (en) * 2019-07-19 2019-10-25 杉树岭网络科技有限公司 A kind of network security threats analysis method and system based on LDA machine learning
CN111294332A (en) * 2020-01-13 2020-06-16 交通银行股份有限公司 Traffic anomaly detection and DNS channel anomaly detection system and method
CN112351018A (en) * 2020-10-28 2021-02-09 东巽科技(北京)有限公司 DNS hidden channel detection method, device and equipment
CN112929370A (en) * 2021-02-08 2021-06-08 丁牛信息安全科技(江苏)有限公司 Domain name system hidden channel detection method and device
US11095666B1 (en) * 2018-08-28 2021-08-17 Ca, Inc. Systems and methods for detecting covert channels structured in internet protocol transactions

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110912889B (en) * 2019-11-22 2021-08-20 上海交通大学 Network attack detection system and method based on intelligent threat intelligence
CN112333185B (en) * 2020-11-02 2023-01-17 北京金睛云华科技有限公司 Domain name shadow detection method and device based on DNS (Domain name Server) resolution

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11095666B1 (en) * 2018-08-28 2021-08-17 Ca, Inc. Systems and methods for detecting covert channels structured in internet protocol transactions
CN110378124A (en) * 2019-07-19 2019-10-25 杉树岭网络科技有限公司 A kind of network security threats analysis method and system based on LDA machine learning
CN111294332A (en) * 2020-01-13 2020-06-16 交通银行股份有限公司 Traffic anomaly detection and DNS channel anomaly detection system and method
CN112351018A (en) * 2020-10-28 2021-02-09 东巽科技(北京)有限公司 DNS hidden channel detection method, device and equipment
CN112929370A (en) * 2021-02-08 2021-06-08 丁牛信息安全科技(江苏)有限公司 Domain name system hidden channel detection method and device

Also Published As

Publication number Publication date
CN114070581A (en) 2022-02-18

Similar Documents

Publication Publication Date Title
US20180316694A1 (en) Method and Apparatus for Intelligent Aggregation of Threat Behavior for the Detection of Malware
CN112448947B (en) Network anomaly determination method, equipment and storage medium
US9584541B1 (en) Cyber threat identification and analytics apparatuses, methods and systems
CN109474603B (en) Data packet grabbing processing method and terminal equipment
US11689550B2 (en) Methods and apparatus to analyze network traffic for malicious activity
KR101859562B1 (en) Method and Apparatus for Analyzing Vulnerability Information
CN110768875A (en) Application identification method and system based on DNS learning
CN112565308B (en) Malicious application detection method, device, equipment and medium based on network traffic
CN111818009A (en) Protection method and device for message based on MQTT protocol
CN112887329A (en) Hidden service tracing method and device and electronic equipment
CN116915442A (en) Vulnerability testing method, device, equipment and medium
CN113419971B (en) Android system service vulnerability detection method and related device
CN114070581B (en) Method and device for detecting hidden channel of domain name system
CN116055092A (en) Hidden tunnel attack behavior detection method and device
JP6813451B2 (en) Anomaly detection system and anomaly detection method
CN112615713B (en) Method and device for detecting hidden channel, readable storage medium and electronic equipment
CN115987549A (en) Abnormal behavior detection method and device of mobile terminal and storage medium
CN114448661B (en) Method for detecting slow denial of service attack and related equipment
CN113794731B (en) Method, device, equipment and medium for identifying CDN (content delivery network) -based traffic masquerading attack
CN115827379A (en) Abnormal process detection method, device, equipment and medium
CN111181756B (en) Domain name security judgment method, device, equipment and medium
CN112632423B (en) URL extraction method and device
CN113553370A (en) Abnormality detection method, abnormality detection device, electronic device, and readable storage medium
CN112307475A (en) System detection method and device
CN112583827A (en) Data leakage detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant