DNS covert channel detection method based on LSTM
Information Technology and Network Security, Issue 4
Chen Xieyuan
(National Computer Network and Information Security Management Center, Beijing 100032)
Abstract: DNS abuse has become one of the most challenging threats facing cyberspace security governance. Existing detection methods mostly take DNS request traffic as their object of study and ignore the characteristics of the response traffic. To address this, a DNS covert channel detection method based on Long Short-Term Memory (LSTM) networks is proposed. Request and response traffic characteristics are analysed together: feature points such as timestamps, TTL and response packet length are extracted from the response traffic, and an LSTM model is built and trained on them. Experimental results show that the method achieves good results in accuracy, F1 score and other metrics, a significant improvement over existing methods.
CLC number: TP393.08
Document code: A
DOI: 10.19358/j.issn.2096-5133.2022.04.009
Citation: Chen Xieyuan. DNS covert channel detection method based on LSTM [J]. Information Technology and Network Security, 2022, 41(4): 60-64, 89.
DNS covert channel detection method based on LSTM
Chen Xieyuan
(National Computer Network Emergency Response Technical Team/Coordination Center of China(CNCERT/CC), Beijing 100032,China)
Abstract: DNS abuse has become one of the most challenging threats in cyberspace security governance. As existing detection methods mostly focus on DNS request traffic but ignore the characteristics of response traffic, this paper proposes a DNS covert channel detection method based on Long Short-Term Memory (LSTM). The characteristics of request and response traffic were comprehensively analysed, feature points such as timestamp, TTL and response packet length were extracted from the response traffic, and an LSTM model was constructed and trained. The experimental results show that the proposed method achieves good results in accuracy, F1 score and other indicators, which are significantly improved compared with existing methods.
Key words: DNS covert channel; machine learning; Long Short-Term Memory (LSTM)
0 Introduction
The Domain Name System (DNS) is a hierarchical, distributed database system that maps domain names to IP addresses and back, and it is the core infrastructure for name resolution on the Internet. Internet access inevitably requires name resolution, and precisely because the DNS protocol is indispensable, most network firewalls do not block packets on port 53 [1]. Since tools such as DNSCat2 and Iodine were released as open source, more and more attackers have used the DNS protocol to build covert channels [2] for trojan command and control, data theft and Advanced Persistent Threat (APT) attacks, seriously harming the rights of information-system operators and the privacy of users.
A DNS covert channel [3] is a channel that encapsulates the content of other protocols in the definable fields of DNS packets and then completes the data transfer through DNS request and response packets. Commonly exploited fields include the QNAME field and the RDATA field [4].
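The following is an added example, not code from the paper: it builds a toy QNAME-based channel of the kind the introduction describes (payload base32-encoded into labels, reply carried in TXT RDATA), serialises a benign and a covert request/response pair in DNS wire format, and extracts from each pair the per-step features the abstract names (timestamp difference, TTL, response packet length) alongside the QNAME features request-side detectors usually rely on. The zone example.net, the payload, the TTLs and the timestamps are all constructed sample data, and the feature dictionary is an assumed input layout for a sequence model, not the paper's own feature set.

```python
"""Added example: toy DNS covert channel plus request/response feature extraction."""
import base64
import math
import struct
from collections import Counter

ZONE = "example.net"  # constructed stand-in for an attacker-controlled zone


def build_covert_qname(payload: bytes, zone: str = ZONE) -> str:
    """Client side: base32-encode bytes into labels under the zone (dnscat2/iodine style)."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]  # a label holds at most 63 bytes
    return ".".join(labels + [zone])


def decode_covert_qname(qname: str, zone: str = ZONE) -> bytes:
    """Server side: strip the zone, restore base32 padding and decode."""
    b32 = qname[: -len(zone) - 1].replace(".", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode the name at offset off; returns (name, offset after it). Handles one pointer."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln


def build_query(txn_id: int, qname: str, qtype: int) -> bytes:
    hdr = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txn_id: int, qname: str, qtype: int, ttl: int, rdata: bytes) -> bytes:
    hdr = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # flags: QR, RD, RA
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # answer owner name is a pointer (0xC00C) to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return hdr + question + answer


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def extract_features(t_query: float, query: bytes, t_resp: float, response: bytes) -> dict:
    """One request/response pair -> one time step of features for a sequence model."""
    qname, off = decode_name(query, 12)
    qtype, = struct.unpack("!H", query[off:off + 2])
    _, roff = decode_name(response, 12)            # skip the echoed question name
    _, aoff = decode_name(response, roff + 4)      # skip qtype/qclass, decode answer owner
    _, _, ttl, rdlen = struct.unpack("!HHIH", response[aoff:aoff + 10])
    sub = "".join(qname.split(".")[:-2])           # assumes a two-label registrable zone
    return {
        "rtt": t_resp - t_query,        # response timestamp minus request timestamp
        "qtype": qtype,
        "qname_len": len(qname),
        "sub_entropy": shannon_entropy(sub),
        "ttl": ttl,                     # response-side feature
        "resp_len": len(response),      # response-side feature
        "rdlength": rdlen,
    }


def demo():
    """Constructed benign and covert pairs; returns (benign_features, covert_features)."""
    benign_q = build_query(0x1A2B, "www.example.com", 1)                       # A query
    benign_r = build_response(0x1A2B, "www.example.com", 1, 3600, bytes([93, 184, 216, 34]))
    payload = b"secret-document.pdf chunk 0001"                                # constructed
    cov_name = build_covert_qname(payload)
    covert_q = build_query(0x1A2C, cov_name, 16)                               # TXT query
    reply = b"ack 0001 send next"
    covert_r = build_response(0x1A2C, cov_name, 16, 0, bytes([len(reply)]) + reply)
    return (extract_features(1000.000, benign_q, 1000.012, benign_r),
            extract_features(1000.050, covert_q, 1000.310, covert_r))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run stand-alone it prints the two feature rows; the covert pair shows a long high-entropy QNAME, a TXT query, a zero TTL and a response several times longer than the benign A answer. A sequence of such rows per client, ordered by timestamp, is the kind of input an LSTM consumes; the request-only features (length, entropy) are exactly what a tunnel can pad or shape, which is why the response-side TTL and length columns add signal.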
The full text of this paper can be downloaded from: http://www.chinaaet.com/resource/share/2000004100
This content is original to the AET website; reproduction without authorisation is prohibited.