DNS Covert Tunnel Detection Based on PFEC-Transformer
(Chinese title: 基于PFEC-Transformer的DNS隐蔽隧道检测)
Author:
Funding:

Ministry of Education Science and Technology Development Center, China University Industry-University-Research Innovation Fund, New-Generation Information Technology Innovation Project (2021ITA01009)
    Abstract (Chinese original, translated):

    As part of the Internet's infrastructure, DNS is rarely subjected to deep inspection by firewalls, which lets hackers and APT groups use DNS covert tunnels to exfiltrate data or control networks, posing a serious threat to network security. To address the problems that existing detection schemes are easily bypassed by attackers and generalize poorly, this study improves the representation of DNS traffic and proposes the PFEC-Transformer (pcap features extraction CNN-Transformer) model. The model takes the represented decimal numeric sequence as input; a CNN module first extracts local features, and a Transformer then analyzes long-range dependency patterns among those local features and performs classification. The study collected Internet traffic and packets generated by various DNS covert tunnel tools to build a dataset, and tested generalization on a public dataset containing traffic from unknown tunnel tools. Experimental results show that the model achieves an accuracy of up to 99.97% on the test set and 92.12% on the generalization test set, effectively demonstrating its excellent performance in detecting unknown DNS covert tunnels.

    Abstract (English):

    As part of the Internet infrastructure, DNS is rarely subjected to deep monitoring by firewalls, allowing hackers and advanced persistent threat (APT) groups to exploit DNS covert tunnels for data theft or network control and posing a significant threat to network security. In response to the easily bypassed nature of existing detection methods and their weak generalization capabilities, this study enhances the characterization method of DNS traffic and introduces the pcap features extraction CNN-Transformer (PFEC-Transformer) model. This model uses characterized decimal numerical sequences as input, conducts local feature extraction through CNN modules, and then analyzes long-distance dependency patterns between local features by using the Transformer for classification. The research builds datasets by collecting Internet traffic and data packets generated by various DNS covert tunnel tools and conducts generalization testing with publicly available datasets containing traffic from unknown tunneling tools. Experimental results demonstrate that the model achieves an accuracy of 99.97% on the testing dataset and 92.12% on the generalization testing dataset, effectively showcasing its exceptional performance in detecting unknown DNS covert tunnels.
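As an added illustration of the first stage the abstract describes, turning a captured DNS packet into a fixed-length decimal numeric sequence that a CNN-Transformer classifier could consume, the Python below is example code written for this page, not the paper's own implementation. The paper's exact representation, sequence length and any auxiliary features are not given on this page; the fixed length of 128, the header-plus-question parsing, and the side statistics (query name length, label count, longest label, subdomain entropy) are assumptions chosen to show what the representation exposes. Both DNS queries are constructed inputs, one ordinary and one with a long high-entropy subdomain of the kind tunnelling tools produce.

```python
"""Represent a raw DNS query as a decimal byte sequence plus a few
structural statistics. Example code for this page; the published model's
real representation is not shown here and may differ."""
import math
import struct
from collections import Counter

# Assumed fixed input length for the sequence model (not stated on the page).
SEQ_LEN = 128


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 16) -> bytes:
    """Constructed sample: one standard DNS query (header + question section).
    qtype 16 is TXT, a record type frequently seen in tunnel traffic."""
    # id, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def parse_qname(packet: bytes, offset: int = 12):
    """Walk the length-prefixed labels of the question name; return (labels, next offset)."""
    labels = []
    while True:
        n = packet[offset]
        if n == 0:
            return labels, offset + 1
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        labels.append(packet[offset + 1:offset + 1 + n].decode("ascii", errors="replace"))
        offset += 1 + n


def to_decimal_sequence(packet: bytes, seq_len: int = SEQ_LEN) -> list:
    """Each byte becomes one integer 0..255; truncate or zero-pad to seq_len."""
    seq = list(packet[:seq_len])
    return seq + [0] * (seq_len - len(seq))


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; high values suggest encoded payload."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(packet: bytes) -> dict:
    """Parse one DNS query and return the model input sequence plus side statistics."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = parse_qname(packet)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    qname = ".".join(labels)
    # Treat everything left of the registrable domain (assumed: last two labels) as subdomain.
    subdomain = ".".join(labels[:-2]) if len(labels) > 2 else ""
    return {
        "txid": txid,
        "qtype": qtype,
        "qname_len": len(qname),
        "label_count": len(labels),
        "max_label_len": max(len(label) for label in labels),
        "subdomain_entropy": round(shannon_entropy(subdomain), 3),
        "sequence": to_decimal_sequence(packet),
    }


if __name__ == "__main__":
    # Constructed samples: an ordinary lookup and a tunnel-shaped query.
    for name in ("www.example.com", "6a7b8c9d0e1f2a3b4c5d6e7f.t.example.com"):
        feats = extract_features(build_dns_query(name))
        summary = {k: v for k, v in feats.items() if k != "sequence"}
        print(name, summary, "first bytes:", feats["sequence"][:16])
```

The decimal sequence keeps the header and the raw label bytes in order, so a convolutional front end can pick up local patterns (label-length prefixes, character classes) and the attention layer can relate them across the whole name; the side statistics are what a simpler threshold detector would look at, and are useful as a sanity check when a model's output disagrees with intuition.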

Cite this article:

江魁, 黄锐滨, 邓昭蕊, 伍波, 朱思霖. DNS Covert Tunnel Detection Based on PFEC-Transformer. Computer Systems & Applications, 2024, 33(12): 55-66

History
  • Received: 2024-05-17
  • Last revised: 2024-06-12
  • Published online: 2024-10-25
Copyright: Institute of Software, Chinese Academy of Sciences