Research on DNS Covert Channel Detection Technology Based on Datagram Features

Cited by: 2


Authors: Yang Lu-hui; MA Xue-jing; ZHAI Jiang-tao; DAI Yue-wei [1,3]

Affiliations: [1] School of Automation, Nanjing University of Science & Technology, Nanjing, Jiangsu 210094, China; [2] 724th Research Institute of China Shipbuilding Industry Group, Nanjing, Jiangsu 211153, China; [3] School of Electronics & Information Engineering, Nanjing University of Information Science & Technology, Nanjing, Jiangsu 210044, China

Source: Computer Simulation (《计算机仿真》), 2021, No. 8, pp. 212-216 (5 pages)

Abstract: Most existing DNS covert channel detection algorithms rely on data from multiple DNS interactions. However, in a large-scale network environment, it is difficult to collect DNS data completely and split it, which causes these detection models to fail. To solve this problem, the paper proposes a DNS covert channel detection model based on the features of a single DNS request and response message. It analyzes and extracts multi-dimensional length and character features of DNS request and response datagrams, arriving at 19 features in total, and classifies them using four machine learning algorithms. Among them, the J48 decision tree gives the best overall result, with a 99.4% detection rate and a 0.2% false detection rate for DNS covert channels. Under the same conditions, the comparison algorithm achieves a detection rate of 98.5% and a false detection rate of 0.8%. The experimental results show that, relying only on single DNS request and response datagrams, the proposed model has good detection capability for DNS covert channels, and its detection results are better than those of the comparison algorithm.

Keywords: covert channel; machine learning; feature engineering; information security

Classification number: TP391 [Automation and Computer Technology: Computer Application Technology]

 
