Authors: 丁峤 刘俊延 刘林云 杨璐铭 (DING Qiao; LIU Junyan; LIU Linyun; YANG Luming) (Center of Equipment Simulation Training, Shijiazhuang Campus of Army Engineering University, Shijiazhuang 050003, China; College of Computer, National University of Defense Technology, Changsha 410003, China)
Affiliations: [1] Center of Equipment Simulation Training, Shijiazhuang Campus of Army Engineering University, Shijiazhuang 050003, Hebei, China [2] College of Computer, National University of Defense Technology, Changsha 410003, Hunan, China
Source: Radio Engineering (《无线电工程》), 2022, No. 4, pp. 671-677 (7 pages)
Funding: National Natural Science Foundation of China Youth Fund (61602505); National Natural Science Foundation of China (51377170, 61271152).
Abstract: Domain Name System (DNS) tunneling is a typical network covert channel: information stolen by an attacker is encoded and encapsulated in DNS messages for transmission. Provided the attacker controls a server and a domain, a DNS tunnel can be established whenever the victim network needs domain name resolution, and the IDS will not raise an alert. The popular payload-based and traffic-based detection methods are not flexible enough and have high false-alarm rates. To identify DNS tunneling attacks more effectively, a framework for DNS tunnel traffic detection based on session features is proposed: DNS message features are analysed, 15 features in 5 categories are extracted to mark one complete DNS session, and an XGBoost classifier is used for identification. The experimental results show that the 15 selected features detect DNS tunnel traffic effectively, and the model produced by this framework reaches a recognition rate of 95% on the tunnel traffic generated by four different tunneling tools. On this basis, the importance of the selected features is evaluated, and the smallest feature subset that keeps the classification model stable is identified.
Keywords: DNS tunneling; feature analysis; XGBoost algorithm; feature selection
Classification code: TP309.2 [Automation and Computer Technology: Computer System Architecture]
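The abstract describes marking each complete DNS session with a feature vector and handing it to a classifier. The following Python example is added here to illustrate that session-level feature extraction; it is not the paper's code, and the paper does not publish its 15 features. The seven features below (query count, mean query-name length, mean subdomain entropy, unique-subdomain ratio, rare record-type ratio, mean response size, mean inter-arrival time), the session key (client address plus registered domain), the choice of TXT/NULL as "rare" record types, and the two-label registered-domain rule are all assumptions of this example. The sample records are constructed, not captured traffic.

```python
"""Session-level DNS feature extraction (illustrative example, not the paper's code)."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Record types whose heavy use within a session is scored as unusual here.
# Assumption for this example; the paper does not publish its feature list.
RARE_QTYPES = {"TXT", "NULL"}

# Fixed feature order so every session yields a vector of the same shape.
FEATURE_ORDER = [
    "query_count", "mean_qname_len", "mean_subdomain_entropy",
    "unique_subdomain_ratio", "rare_qtype_ratio", "mean_resp_len",
    "mean_interarrival",
]


@dataclass
class DnsRecord:
    ts: float        # query timestamp in seconds
    client: str      # querying client address
    qname: str       # fully qualified query name
    qtype: str       # DNS record type requested
    resp_len: int    # size of the matching response in bytes


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. A real
    deployment would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def session_features(records: Iterable[DnsRecord]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Group records into sessions keyed by (client, registered domain) and
    compute one feature dictionary per session."""
    sessions: Dict[Tuple[str, str], List[DnsRecord]] = defaultdict(list)
    for r in records:
        sessions[(r.client, split_name(r.qname)[1])].append(r)

    out: Dict[Tuple[str, str], Dict[str, float]] = {}
    for key, recs in sessions.items():
        recs.sort(key=lambda r: r.ts)
        n = len(recs)
        subs = [split_name(r.qname)[0] for r in recs]
        gaps = [b.ts - a.ts for a, b in zip(recs, recs[1:])]
        out[key] = {
            "query_count": float(n),
            "mean_qname_len": sum(len(r.qname) for r in recs) / n,
            "mean_subdomain_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "unique_subdomain_ratio": len(set(subs)) / n,
            "rare_qtype_ratio": sum(r.qtype in RARE_QTYPES for r in recs) / n,
            "mean_resp_len": sum(r.resp_len for r in recs) / n,
            "mean_interarrival": (sum(gaps) / len(gaps)) if gaps else 0.0,
        }
    return out


def feature_vector(feats: Dict[str, float]) -> List[float]:
    """Fixed-order vector, the shape a classifier such as XGBoost consumes."""
    return [feats[name] for name in FEATURE_ORDER]


# Constructed sample records (not real traffic): one ordinary browsing
# session and one session shaped like a tunnel client polling its server.
SAMPLE_RECORDS = [
    DnsRecord(0.0, "10.0.0.5", "www.example.com", "A", 60),
    DnsRecord(30.0, "10.0.0.5", "mail.example.com", "A", 60),
    DnsRecord(60.0, "10.0.0.5", "www.example.com", "A", 60),
    DnsRecord(0.0, "10.0.0.7", "abcdefghijklmnop.tunnel-example.net", "TXT", 300),
    DnsRecord(0.2, "10.0.0.7", "qrstuvwxyz012345.tunnel-example.net", "TXT", 300),
    DnsRecord(0.4, "10.0.0.7", "6789abcdefghijkl.tunnel-example.net", "TXT", 300),
]

if __name__ == "__main__":
    for key, feats in session_features(SAMPLE_RECORDS).items():
        print(key, feature_vector(feats))
```

Run on the constructed records, the browsing session scores low subdomain entropy, no rare record types and long gaps between queries, while the tunnel-shaped session scores maximal entropy for its 16-character labels, all-TXT queries and sub-second polling. The vectors from `feature_vector` are what a tree ensemble such as XGBoost would be trained on, with labelled benign and tunnel sessions; the classifier itself is outside this example.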