
Design And Implementation Of DNS Covert Abnormal Behavior Detection System

Posted on: 2022-04-05
Degree: Master
Type: Thesis
Country: China
Candidate: L L Sun
GTID: 2518306338968429
Subject: Computer technology

Abstract/Summary:
The Domain Name System (DNS) provides a mapping service between IP addresses and domain names, letting people access the Internet conveniently and quickly. In recent years, however, attackers have often used DNS to build covert channels for illegal activities such as stealing trade secret data and remotely controlling equipment, which seriously affects the network and information security of enterprises and institutions. Many research methods address this phenomenon, but they all ignore the abnormal behavior in DNS response packets, resulting in missed reports. To solve this problem, this thesis proposes a DNS covert tunnel abnormal behavior detection method based on traffic characteristic statistics, and designs and implements a DNS covert tunnel abnormal behavior detection system. The main research results are as follows.

First, to address the fact that existing research methods ignore DNS response messages, this thesis proposes a traffic-based detection scheme for abnormal behavior of DNS covert channels. While retaining the characteristics of request traffic, it proposes three characteristics of response traffic: response data length, entropy, and DNS TTL mean. These features effectively express the characteristics of a covert channel in response messages, and reduce the missed reports caused by ignoring covert channel data transmitted in response traffic. The proposed detection scheme is tested on the experimental test set, and the results show that the method effectively solves the problem of missed reports for covert channel data transmitted in response packets. In addition, the overall detection accuracy of the method is 98.14%, which is about 3% higher than Nadler's method of 2019.

Second, in order to further judge the threat type of the abnormal DNS covert channel data identified by the model, this thesis establishes a rule base and adopts multi-protocol sample analysis to construct a threat type judgment system. Threat types are divided into two categories: those with known history and those with unknown history. The known threat types include six categories. The rule base consists of a threat intelligence resource base and a regular expression rule base, which are used to identify known attack types. Multi-protocol linkage analysis and manual sample analysis are used to identify unknown attack types, thereby realizing threat type judgment for DNS covert channel data.

Third, in order to better meet the market demand for interactive detection of abnormal DNS covert channel behavior, this thesis designs and implements a detection system for abnormal behavior of DNS covert channels. The system is presented to users as web pages; it can detect abnormal DNS covert channel data online and report the specific type of abnormal attack. The system comprises a front-end display module, a DNS traffic processing and detection module, an abnormal behavior judgment module, a system storage module, and a task scheduling module. Finally, Docker technology is used for automatic deployment.
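As an added illustration (not code from the thesis), the following extracts the three response-traffic features the abstract names, response data length, entropy and TTL mean, from a set of DNS answer records, and contrasts constructed samples of ordinary A-record responses with constructed tunnel-style TXT responses. The per-flow aggregation (mean over records) and the sample values are assumptions; the thesis feeds such features to an isolation forest, which is not reproduced here.

```python
import math
from collections import Counter

# Per-flow features derived from DNS *response* answer records, the part of the
# traffic the abstract says earlier detectors ignore. Each record is (rdata, ttl).


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the answer rdata."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def response_features(records: list[tuple[bytes, int]]) -> dict[str, float]:
    """Aggregate the three response-side features over one client's responses.

    Aggregation by arithmetic mean is an assumption made for this example.
    """
    if not records:
        raise ValueError("need at least one answer record")
    count = len(records)
    return {
        "resp_len_mean": sum(len(rdata) for rdata, _ in records) / count,
        "resp_entropy": sum(shannon_entropy(rdata) for rdata, _ in records) / count,
        "ttl_mean": sum(ttl for _, ttl in records) / count,
    }


# Constructed sample: A records carrying 4-byte addresses with ordinary TTLs.
NORMAL_RESPONSES = [
    (bytes([93, 184, 216, 34]), 3600),
    (bytes([93, 184, 216, 34]), 3600),
    (bytes([10, 0, 0, 1]), 300),
]

# Constructed sample: TXT records carrying base64-looking payloads with near-zero
# TTLs, the shape a response-side covert channel tends to take (long, high-entropy
# rdata, low TTL so the resolver does not cache it).
TUNNEL_RESPONSES = [
    (b"aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbA==", 0),
    (b"U2VuZCBjb21tYW5kIG91dHB1dCBub3cgcGxlYXNl", 1),
    (b"c2Vzc2lvbiBrZXkgMGRlYWRiZWVmIGZvciBob3N0", 0),
]

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL_RESPONSES), ("tunnel", TUNNEL_RESPONSES)):
        print(name, response_features(flow))
```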
Keywords/Search Tags: DNS covert channel, Network traffic, Isolation forest, Detection system