
Research And Implementation Of Low-speed DNS Covert Channel Communication Detection

Posted on: 2022-06-08
Degree: Master
Type: Thesis
Country: China
Candidate: X D Xu
Full Text: PDF
GTID: 2518306338966989
Subject: Computer Science and Technology

Abstract/Summary:
A covert channel is a network attack technique used for data exfiltration. A DNS covert channel uses the ubiquitous DNS protocol as its carrier. Because the channel rides on DNS, its communication can be detected by analysing DNS traffic. This field has been studied continuously over the past ten years, but current methods still do not cover every type of DNS covert channel; low-speed multi-domain DNS covert channels in particular remain undetected. To address this gap, this thesis proposes a complete solution for detecting DNS covert channel communication from DNS traffic. Specifically:

For general DNS covert channel communication, this thesis proposes a detection scheme based on a two-stage model. The scheme combines characteristics of the covert channel's communication process with characteristics of the communication content. The first-stage anomaly detection model separates out the anomalous data points, and the second-stage false-positive perception model identifies false positives produced by the first stage. With this design the false positive rate is as low as 5E-6 and the detection latency is as low as 10 minutes.

Building on the two-stage detection model, this thesis proposes corresponding solutions for low-speed single-domain and low-speed multi-domain DNS covert channel communication. With a multi-time-window scheme, the precision and recall for detecting low-speed single-domain covert channels are kept consistent with those for ordinary covert channels. With a co-occurring domain name discovery scheme, the system gains a degree of detection capability for low-speed multi-domain DNS covert channel communication.

Based on the proposed schemes and the requirements of real-world deployment, this thesis designs and builds a complete DNS covert channel communication detection system. The system autonomously performs traffic acquisition, traffic analysis, data storage, data preprocessing, covert channel detection, and result reporting. It has run continuously and stably for 4 weeks in a production environment, and the results from that deployment are consistent with the experimental results.
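The following is an added illustration, not code from the thesis, of the two ideas the abstract names for low-speed channels: a multi-time-window scheme (the same per-client, per-domain features are evaluated over progressively longer windows, so a channel that sends only one query every few minutes still crosses the volume threshold in a longer window) and co-occurring domain discovery (per client, domains whose labels look like encoded payload are merged into one group and scored together, so a channel spread across several domains cannot stay under the per-domain threshold). The log format, the window sizes, every threshold, and the three clients in the sample log are constructed assumptions chosen for the demonstration; a real deployment would tune them on its own baseline traffic and feed the flagged entries into the second-stage false-positive model rather than alerting directly.

```python
"""Toy multi-time-window + co-occurrence detector for low-speed DNS covert channels.

Added example (not the thesis's code). Log line format, windows, thresholds and
sample traffic are assumptions made for the demonstration.
"""
import hashlib
import math
from collections import defaultdict

# Assumed window sizes: 10 minutes, 1 hour, 6 hours (seconds).
WINDOWS = [600, 3600, 21600]
# Assumed thresholds on per-(client, domain) features within one window.
MIN_COUNT = 20        # queries needed before volume alone is meaningful
MIN_ENTROPY = 3.0     # mean Shannon entropy (bits/char) of the subdomain part
MIN_DISTINCT = 0.9    # fraction of queries whose subdomain was never seen before
MIN_LEN = 20          # mean length of the subdomain part


def registered_domain(qname):
    """Approximate the registered domain as the last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain(qname):
    """Everything left of the registered domain; this is where a tunnel carries its payload."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


def entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Assumed log format: '<epoch_seconds> <client_ip> <qname>'."""
    ts, client, qname = line.split()
    return int(ts), client, qname.lower()


def window_features(records, start, length):
    """Aggregate per-(client, registered domain) features for queries in [start, start + length)."""
    acc = defaultdict(lambda: {"count": 0, "subs": set(), "ent": 0.0, "len": 0})
    for ts, client, qname in records:
        if start <= ts < start + length:
            sub = subdomain(qname)
            f = acc[(client, registered_domain(qname))]
            f["count"] += 1
            f["subs"].add(sub)
            f["ent"] += entropy(sub)
            f["len"] += len(sub)
    return {
        key: {"count": f["count"], "mean_entropy": f["ent"] / f["count"],
              "mean_len": f["len"] / f["count"], "distinct_ratio": len(f["subs"]) / f["count"]}
        for key, f in acc.items()
    }


def looks_encoded(f):
    """Content features only: long, high-entropy, rarely repeated labels."""
    return f["mean_entropy"] >= MIN_ENTROPY and f["distinct_ratio"] >= MIN_DISTINCT and f["mean_len"] >= MIN_LEN


def detect_single_domain(records, start):
    """Multi-time-window scheme: flag a (client, domain) pair at the shortest window in which
    it is both high-volume and encoded-looking. Returns {(client, domain): window_seconds}."""
    flagged = {}
    for w in WINDOWS:
        for key, f in window_features(records, start, w).items():
            if f["count"] >= MIN_COUNT and looks_encoded(f) and key not in flagged:
                flagged[key] = w
    return flagged


def detect_multi_domain(records, start, length=21600):
    """Co-occurrence scheme: per client, merge encoded-looking domains that each stay below
    MIN_COUNT and score their combined volume. Returns {client: sorted list of domains}."""
    groups = defaultdict(list)
    for (client, domain), f in window_features(records, start, length).items():
        if looks_encoded(f) and f["count"] < MIN_COUNT:
            groups[client].append((domain, f["count"]))
    return {client: sorted(d for d, _ in members)
            for client, members in groups.items()
            if len(members) >= 2 and sum(c for _, c in members) >= MIN_COUNT}


def build_sample_log():
    """Constructed sample traffic (not real captures) covering six hours starting at t=0."""
    lines = []
    hosts = ["www.example.com", "mail.example.com", "cdn.example.com", "api.example.com"]
    for i in range(180):  # benign client: one ordinary query every 2 minutes
        lines.append(f"{i * 120} 10.0.0.5 {hosts[i % len(hosts)]}")
    for i in range(36):   # low-speed single-domain channel: one encoded label every 10 minutes
        label = hashlib.sha256(f"single-{i}".encode()).hexdigest()[:32]
        lines.append(f"{i * 600} 10.0.0.7 {label}.tunnel-a.test")
    spread = ["tunnel-b.test", "tunnel-c.test", "tunnel-d.test", "tunnel-e.test"]
    for i in range(36):   # low-speed multi-domain channel: same rate, rotated over four domains
        label = hashlib.sha256(f"multi-{i}".encode()).hexdigest()[:32]
        lines.append(f"{i * 600} 10.0.0.9 {label}.{spread[i % 4]}")
    return lines


if __name__ == "__main__":
    recs = [parse_line(l) for l in build_sample_log()]
    print("single-domain:", detect_single_domain(recs, 0))
    print("multi-domain:", detect_multi_domain(recs, 0))
```

In the sample traffic the single-domain client is invisible in the 10-minute and 1-hour windows (1 and 6 queries) and is only flagged at the 6-hour window; the multi-domain client never exceeds 9 queries per domain in any window and is caught only because its four domains are grouped and scored together. The benign client fails the content features (short, low-entropy, repeated labels) in every window, which is the kind of negative the second-stage model is there to confirm.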
Keywords/Search Tags:DNS Covert Channel, Traffic Detection, Abnormal Detection, Machine Learning