通信学报 (Journal of China Institute of Communications)
2013, Issue 5, pp. 143-151 (9 pages)
章思宇 (Zhang Siyu), 邹福泰 (Zou Futai), 王鲁华 (Wang Luhua), 陈铭 (Chen Ming)
Keywords: domain name system, covert channel, intrusion detection, machine learning, network security
Abstract: To propose an effective method for detecting all types of DNS-based covert channels, the traffic characteristics of DNS covert communication were studied in detail. Twelve features were extracted from DNS packets that distinguish covert-channel traffic from legitimate DNS queries, and the statistical characteristics of these features over a session were used as input to a machine-learning classifier. Experimental results show that the decision tree model detects all 22 DNS covert channels used in training and is also capable of detecting new covert channels it was not trained on. When deployed on live DNS traffic of a campus network, the proposed method successfully detected several DNS tunnels.