基于LSTM的DNS隱蔽信道檢測(cè)方法
信息技術(shù)與網(wǎng)絡(luò)安全 4期
陳解元
(國(guó)家計(jì)算機(jī)網(wǎng)絡(luò)與信息安全管理中心,北京100032)
摘要: DNS濫用已成為網(wǎng)絡(luò)空間安全治理中面臨的最具挑戰(zhàn)性的威脅之一。針對(duì)現(xiàn)有檢測(cè)方法多以DNS請(qǐng)求流量為研究對(duì)象,忽略了響應(yīng)流量特征的問(wèn)題,提出一種基于長(zhǎng)短期記憶網(wǎng)絡(luò)(Long-Short Term Memory,LSTM)的DNS隱蔽信道檢測(cè)方法。綜合分析請(qǐng)求與響應(yīng)流量特征,提取響應(yīng)流量中時(shí)間戳、TTL、響應(yīng)分組長(zhǎng)度等特征點(diǎn),并構(gòu)建LSTM模型進(jìn)行訓(xùn)練。實(shí)驗(yàn)結(jié)果表明,該方法在準(zhǔn)確率、F1評(píng)分等指標(biāo)方面取得了良好的結(jié)果,較現(xiàn)有方法有顯著提高。
中圖分類(lèi)號(hào): TP393.08
文獻(xiàn)標(biāo)識(shí)碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.009
引用格式: 陳解元. 基于LSTM的DNS隱蔽信道檢測(cè)方法[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,41(4):60-64,89.
文獻(xiàn)標(biāo)識(shí)碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.009
引用格式: 陳解元. 基于LSTM的DNS隱蔽信道檢測(cè)方法[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,41(4):60-64,89.
DNS covert channel detection method based on LSTM
Chen Xieyuan
(National Computer Network Emergency Response Technical Team/Coordination Center of China(CNCERT/CC), Beijing 100032,China)
Abstract: DNS abuse has become one of the most challenging threats in cyberspace security governance.As the existing detection methods mostly focus on DNS request traffic but ignore the characteristics of response traffic,this paper proposed a DNS covert channel detection method based on Long Short Term Memory(LSTM). The characteristics of request and response traffic were comprehensively analyzed and the feature points such as timestamp, TTL and response packet length from response traffic were extracted,then the LSTM model was constructed for training.The experimental results show that the proposed method achieves good results in accuracy, F1 score and other indicators, which are significantly improved compared with existing methods.
Key words : DNS covert channel;machine learning;Long-Short Term Memory(LSTM)
0 引言
域名系統(tǒng)(Domain Name System,DNS)是把域名和IP地址相互映射的一種層次化分布式數(shù)據(jù)庫(kù)系統(tǒng),是互聯(lián)網(wǎng)上進(jìn)行域名解析的核心基礎(chǔ)設(shè)施。互聯(lián)網(wǎng)訪(fǎng)問(wèn)不可避免地需要進(jìn)行域名解析服務(wù),正由于DNS協(xié)議的必要性,大部分網(wǎng)絡(luò)中的防火墻不會(huì)攔截53端口上的數(shù)據(jù)包[1]。隨著DNSCat2、Iodine等工具的開(kāi)源,越來(lái)越多的黑客開(kāi)始利用DNS協(xié)議創(chuàng)建隱蔽信道[2],實(shí)現(xiàn)木馬控制、數(shù)據(jù)竊取、高級(jí)可持續(xù)威脅攻擊(Advanced Persistent Threat,APT)等,嚴(yán)重危害信息系統(tǒng)運(yùn)營(yíng)者權(quán)益和用戶(hù)個(gè)人隱私。
DNS隱蔽信道[3]是指將其他協(xié)議的內(nèi)容封裝在DNS數(shù)據(jù)包的可定義字段中,然后以DNS請(qǐng)求和響應(yīng)包完成數(shù)據(jù)傳輸?shù)耐ǖ馈3R?jiàn)的可利用字段有QNAME字段、RDATA字段等[4]。
本文詳細(xì)內(nèi)容請(qǐng)下載:http://www.jysgc.com/resource/share/2000004100
作者信息:
陳解元
(國(guó)家計(jì)算機(jī)網(wǎng)絡(luò)與信息安全管理中心,北京100032)
此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。