基于LSTM的DNS隱蔽信道檢測方法
信息技術(shù)與網(wǎng)絡(luò)安全 4期
陳解元
(國家計算機(jī)網(wǎng)絡(luò)與信息安全管理中心,北京100032)
摘要: DNS濫用已成為網(wǎng)絡(luò)空間安全治理中面臨的最具挑戰(zhàn)性的威脅之一。針對現(xiàn)有檢測方法多以DNS請求流量為研究對象,忽略了響應(yīng)流量特征的問題,提出一種基于長短期記憶網(wǎng)絡(luò)(Long-Short Term Memory,LSTM)的DNS隱蔽信道檢測方法。綜合分析請求與響應(yīng)流量特征,提取響應(yīng)流量中時間戳、TTL、響應(yīng)分組長度等特征點,并構(gòu)建LSTM模型進(jìn)行訓(xùn)練。實驗結(jié)果表明,該方法在準(zhǔn)確率、F1評分等指標(biāo)方面取得了良好的結(jié)果,較現(xiàn)有方法有顯著提高。
中圖分類號: TP393.08
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.009
引用格式: 陳解元. 基于LSTM的DNS隱蔽信道檢測方法[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,41(4):60-64,89.
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.009
引用格式: 陳解元. 基于LSTM的DNS隱蔽信道檢測方法[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,41(4):60-64,89.
DNS covert channel detection method based on LSTM
Chen Xieyuan
(National Computer Network Emergency Response Technical Team/Coordination Center of China(CNCERT/CC), Beijing 100032,China)
Abstract: DNS abuse has become one of the most challenging threats in cyberspace security governance.As the existing detection methods mostly focus on DNS request traffic but ignore the characteristics of response traffic,this paper proposed a DNS covert channel detection method based on Long Short Term Memory(LSTM). The characteristics of request and response traffic were comprehensively analyzed and the feature points such as timestamp, TTL and response packet length from response traffic were extracted,then the LSTM model was constructed for training.The experimental results show that the proposed method achieves good results in accuracy, F1 score and other indicators, which are significantly improved compared with existing methods.
Key words : DNS covert channel;machine learning;Long-Short Term Memory(LSTM)
0 引言
域名系統(tǒng)(Domain Name System,DNS)是把域名和IP地址相互映射的一種層次化分布式數(shù)據(jù)庫系統(tǒng),是互聯(lián)網(wǎng)上進(jìn)行域名解析的核心基礎(chǔ)設(shè)施。互聯(lián)網(wǎng)訪問不可避免地需要進(jìn)行域名解析服務(wù),正由于DNS協(xié)議的必要性,大部分網(wǎng)絡(luò)中的防火墻不會攔截53端口上的數(shù)據(jù)包[1]。隨著DNSCat2、Iodine等工具的開源,越來越多的黑客開始利用DNS協(xié)議創(chuàng)建隱蔽信道[2],實現(xiàn)木馬控制、數(shù)據(jù)竊取、高級可持續(xù)威脅攻擊(Advanced Persistent Threat,APT)等,嚴(yán)重危害信息系統(tǒng)運營者權(quán)益和用戶個人隱私。
DNS隱蔽信道[3]是指將其他協(xié)議的內(nèi)容封裝在DNS數(shù)據(jù)包的可定義字段中,然后以DNS請求和響應(yīng)包完成數(shù)據(jù)傳輸?shù)耐ǖ馈3R姷目衫米侄斡蠶NAME字段、RDATA字段等[4]。
本文詳細(xì)內(nèi)容請下載:http://www.xxav2194.com/resource/share/2000004100
作者信息:
陳解元
(國家計算機(jī)網(wǎng)絡(luò)與信息安全管理中心,北京100032)
此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。