The Advanced Persistent Threat (APT) is currently one of the most serious network security threats. Because DNS is ubiquitous and passes through most network perimeters, the DNS Covert Channel (DCC) has become an ideal secret channel in the hands of attackers and remains in active use today. DCC detection methods powered by artificial intelligence (AI) are gradually becoming popular, but malicious samples related to APT attacks are difficult to obtain and the channels are used at low activity levels, which causes obvious imbalances in training data and seriously degrades the detection performance of the model. At the same time, no matter what detection method is used, the problem of false positives is unavoidable. This is also the "last mile" dilemma of the current network security defense system: what conclusion should be drawn when the defense system cannot ensure that its judgment is correct. Against this background, this thesis carries out the following four lines of research on four aspects of DCC: construction mechanism, traffic generation, detection, and security defense.

(1) Threat model and mechanism of the DNS Covert Channel. According to the new features of DCC in the current network environment, a definition and a systematic introduction of DCC are given. Based on a large number of real APT threat reports and the reproduction of DCC tools, the attack Tactics, Techniques, and Procedures (TTPs) are summarized, and we extract characteristics that are difficult for attackers to bypass as the basis for forward-looking research. To address unknown threats, we scientifically predict the sample space covered by unknown attacks starting from the source of the attack, and form an interactive and evolving knowledge base of unknown threats, which provides strong support for threat identification.

(2) Completeness-controllable self-generation technology for attack traffic. To address the data imbalance caused by the difficulty of obtaining DNS Covert Channel malware variants, the operational difficulty caused by harsh reproduction conditions, and the difficulty of capturing network attack traffic in real time, a method for self-generating attack traffic is proposed from the attacker's perspective. We generate data according to the rules of the attack TTPs in order to move the malicious training data environment from the traditional small-data setting to a big-data setting, generate large-scale, realistic, completeness-controllable malicious traffic datasets, and establish high-quality malicious datasets that cover the unknown sample space.

(3) DNS Covert Channel detection method based on multidimensional spatio-temporal characteristics. To address the problem that existing research commonly uses non-real attack traffic for both training and detection, we propose a new attack detection mode that uses self-generated traffic instead of real sample traffic as the malicious traffic for training, and uses real attack samples to evaluate model performance. We analyze in depth the features that are difficult for attackers to bypass, optimize the abnormal points used in existing work and propose new ones, and evaluate the contribution of each abnormal point. Based on hash and SLD (second-level domain) matching, 8 real malware traffic samples are collected from various platforms to conduct a more objective, comprehensive and realistic evaluation of the system. Experiments show that the system discovers real attacks more accurately and is able to discover unknown and powerful variants.

(4) Prototype system development for practical application. Focusing on the "last mile" dilemma commonly faced in attack detection, that is, the problem of false positives magnified by detection over massive data, we propose a DNS-based data exfiltration defense method based on a sticky random mechanism, and transform deterministic decision-making into dynamic human-computer interactive decision-making, to alleviate the false positive problem and provide a solid foundation for deploying AI models. Through dynamic human-computer interaction technology together with threat detection and response technology, we build an integrated malicious domain detection and defense system that blocks the attack behavior on the device at its root, achieves precise protection, and combats and deters malicious activities. At the same time, covert channel detection can serve as an indicator for digging out more hidden unknown APT attacks.