A tunneling attack is a standard method for quickly penetrating another party's network, and when used appropriately it is extremely hard to detect. Because of various imperfections in network protocols, in the current environment of the so-called "onion network", packets can be artificially wrapped in layers to bypass the target network's firewall, a constant threat to the security of an enterprise's or organization's intranet. Among tunneling methods, DNS tunneling is the most common. Since DNS requests and responses are transmitted in plain text, they are easy to monitor, and a decade of research has brought DNS tunneling detection methods close to maturity. DNS-over-HTTPS (DoH) is a recently standardized encrypted DNS protocol originally designed to protect user privacy. Unfortunately, DoH can also be used for tunneling attacks, and because the traffic is encrypted, conventional DNS tunneling detection methods cannot effectively detect DoH tunneling traffic. As DoH is a new network standard, researchers have paid more attention to its protection of user privacy and to the various problems caused by its deployment; detection of DoH tunneling traffic still needs more research. Addressing the network security problems caused by the abuse of DoH tunneling, this paper studies the optimization of machine learning models to detect DoH tunneling traffic effectively. The main contents are as follows:

(1) Given the slow convergence of the slime mold algorithm and the weakening of its optimization ability as the number of iterations increases, several strategies are adopted to improve it: refraction reverse learning improves the quality of the initial population and enhances the algorithm's global search ability; a differential mutation strategy continuously enriches population diversity to reduce the risk of the algorithm falling into a local optimum; and an elite Gaussian perturbation strategy balances the algorithm's global exploration and local exploitation and accelerates its convergence. Nine benchmark functions, including unimodal, multimodal and fixed-dimension multimodal functions, were used for simulation, and comparison with four other optimization algorithms and two improved slime mold optimization algorithms verified the excellent performance of the proposed improved slime mold optimization algorithm, RDGSMA.

(2) Addressing the scarcity of publicly available authoritative DoH tunneling datasets and the sample imbalance in the available ones, this paper proposes two DoH tunneling traffic detection solutions. The first uses the nature of ensemble learning to handle unbalanced samples: different base classifiers are selected to form a more robust classification model, and the improved slime mold algorithm automatically optimizes the weights between them. The second performs feature selection and SVM model optimization at the same time, splitting the DoH tunneling traffic detection task into two parts accordingly. In the feature selection part, the paper first defines the concept of "feature propensity" using mutual information and the Pearson correlation coefficient, then formulates screening rules according to the characteristics of the dataset used; connecting "feature propensity" with the SVM yields an embedded, self-adaptive feature selection algorithm that selects the optimal feature subset automatically. In the SVM model optimization part, an appropriate fitness function is chosen for the optimization task, and the improved slime mold algorithm optimizes the SVM's penalty factor C and kernel parameter γ. With the two parts dividing the work between them, a high detection rate and a low false alarm rate for malicious tunneling traffic are achieved. Experimental results show that both schemes can effectively detect DoH tunneling traffic with machine learning models trained on unbalanced sample datasets.
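As an added illustration (not code from the thesis), the following Python sketch computes the two measures the abstract names for feature screening, mutual information and Pearson correlation, over a constructed, imbalanced set of DoH flow features, and applies a simple screening rule: keep features that are informative about the tunnel label and drop those that are redundant with a feature already kept. The feature names, sample values, thresholds and the rule itself are assumptions; the abstract does not give the thesis's own definition of "feature propensity".

```python
import math
from statistics import median

# Constructed DoH flow sample (not a real capture): 8 benign flows and 2 tunnel
# flows, deliberately imbalanced like the datasets the abstract describes.
FEATURES = {
    "mean_pkt_len": [120, 135, 150, 140, 128, 160, 145, 132, 480, 510],
    "mean_iat_ms":  [220, 180, 260, 300, 210, 250, 190, 230, 15, 20],
    "pkt_count":    [12, 9, 15, 11, 14, 10, 13, 8, 11, 12],
}
LABELS = [0, 0, 0, 0, 0, 0, 0, 0, 1, 1]  # 1 = DoH tunnel flow

def pearson(xs, ys):
    """Pearson correlation coefficient between two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def mutual_information(xs, labels):
    """MI in bits between a feature split at its median and the binary label."""
    cut = median(xs)
    bins = [int(x > cut) for x in xs]
    n = len(xs)
    mi = 0.0
    for b in (0, 1):
        for y in (0, 1):
            pxy = sum(1 for bi, li in zip(bins, labels) if bi == b and li == y) / n
            if pxy == 0:
                continue  # empty cell contributes nothing
            px, py = bins.count(b) / n, labels.count(y) / n
            mi += pxy * math.log2(pxy / (px * py))
    return mi

def select_features(features, labels, min_mi=0.05, max_redundancy=0.9):
    """Rank features by (MI with label, |r| with label), then drop low-MI features
    and features strongly correlated with one already kept (assumed rule)."""
    scored = {n: (mutual_information(v, labels), abs(pearson(v, labels)))
              for n, v in features.items()}
    ranked = sorted(scored, key=lambda n: (-round(scored[n][0], 9), -scored[n][1]))
    kept, dropped = [], {}
    for name in ranked:
        if scored[name][0] < min_mi:
            dropped[name] = "low MI with label"
        elif any(abs(pearson(features[name], features[k])) > max_redundancy for k in kept):
            dropped[name] = "redundant with kept feature"
        else:
            kept.append(name)
    return kept, dropped
```

On this sample, packet length and inter-arrival time are both informative but almost perfectly anti-correlated, so only the stronger one survives, while packet count carries no information about the label and is dropped.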