DNS (Domain Name System) tunnel Trojan detection method based on communication behavior analysis

A technique combining DNS tunneling analysis with communication behavior analysis, applied in the fields of instruments, character and pattern recognition, digital transmission systems, etc. It addresses the problem that existing DNS tunnel detection methods cannot be fully applied to detection

Active Publication Date: 2018-02-23
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU

AI Technical Summary

Problems solved by technology

Therefore, the traditional DNS tunnel detection method based on load analysis and tra




Embodiment Construction

[0053] The framework design of the DNS tunnel Trojan horse detection system is shown in figure 1. The system has four parts: a data packet collection and integration module, a DNS session reorganization module, a random forest classification training module and a DNS tunnel Trojan horse traffic detection module, plus a user management interface.

[0054] The data packet collection and integration module mainly uses the underlying filtering mechanism of WinPcap capture technology to capture DNS traffic. The DNS session reorganization module clusters the captured DNS traffic by five-tuple (quintuple) to form DNS sessions, and converts each DNS session's data flow into a DNS session evaluation vector, which serves as the input to the random forest classification training module and the DNS tunnel Trojan traffic detection module. This detection model also considers the IP direct-connected DNS tunneling Trojan horse. If an untrusted external network ...



Abstract

The invention discloses a DNS (Domain Name System) tunnel Trojan detection method based on communication behavior analysis. The DNS tunnel Trojan detection method mainly comprises four parts, namely a data packet acquisition and integration module, a DNS session reorganization module, a random forest classification training and learning module and a DNS tunnel Trojan traffic detection module. The communication mode of a DNS tunnel Trojan is analyzed from the perspective of the DNS session; seven attributes that differ from the characteristics of normal DNS sessions are extracted; a classification trainer is constructed with an improved random forest algorithm; and finally a DNS tunnel Trojan detection model is built. As shown by experimental testing, the DNS tunnel Trojan detection technology based on communication behavior analysis disclosed by the invention can effectively detect high-concealment DNS tunnel Trojans, has a low false alarm rate and a low missed detection rate, and achieves a very good detection effect on unknown DNS tunnel Trojans.
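The session reorganization step described in the abstract and in paragraph [0054], as an added Python example that is not part of the patent: constructed DNS query records are grouped by five-tuple into sessions and each session is reduced to a feature vector that a classifier such as a random forest could consume. The feature names used here (query count, mean query-name length, mean first-label entropy, TXT fraction, mean payload length) are assumptions for illustration, not the patent's seven attributes.

```python
from collections import defaultdict
from math import log2

# Constructed sample DNS query records (not taken from the patent). Each is
# (src_ip, src_port, dst_ip, dst_port, proto, qname, qtype, payload_len).
# The long random-looking labels are made-up strings, not real encoded data.
SAMPLE_QUERIES = [
    ("10.0.0.5", 53123, "8.8.8.8", 53, "udp", "www.example.com", "A", 33),
    ("10.0.0.5", 53123, "8.8.8.8", 53, "udp", "mail.example.com", "A", 34),
    ("10.0.0.9", 40001, "203.0.113.7", 53, "udp",
     "mfrgg43fmztwq2lom5xgc3tzmzzgg2lt.t.example.net", "TXT", 75),
    ("10.0.0.9", 40001, "203.0.113.7", 53, "udp",
     "onsxe33uga4gs3jpmrqxiyjnpeqgyzlooqqqu.t.example.net", "TXT", 80),
    ("10.0.0.9", 40001, "203.0.113.7", 53, "udp",
     "nvsxg43bm5swizrmeqtxgzlfebxgcy3f.t.example.net", "TXT", 76),
]

def five_tuple(rec):
    """Session key: (src_ip, src_port, dst_ip, dst_port, proto)."""
    return rec[:5]

def reassemble_sessions(records):
    """Cluster captured DNS packets into sessions keyed by five-tuple."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[five_tuple(rec)].append(rec)
    return sessions

def label_entropy(qname):
    """Shannon entropy of the leftmost label; encoded payloads look random."""
    label = qname.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())

def session_vector(packets):
    """Assumed illustrative features for one session (not the patent's seven)."""
    n = len(packets)
    names = [p[5] for p in packets]
    return {
        "query_count": n,
        "mean_qname_len": sum(len(q) for q in names) / n,
        "mean_label_entropy": sum(label_entropy(q) for q in names) / n,
        "txt_fraction": sum(p[6] == "TXT" for p in packets) / n,
        "mean_payload_len": sum(p[7] for p in packets) / n,
    }

def session_vectors(records):
    """Map every reassembled session to its evaluation vector."""
    return {k: session_vector(v) for k, v in reassemble_sessions(records).items()}
```

On the constructed input the two sessions separate cleanly: the normal session has short, low-entropy labels and A queries, while the suspicious session has long, high-entropy labels and only TXT queries.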

Description

Technical field: [0001] The invention relates to a method for detecting a DNS tunnel Trojan horse, in particular to a method for detecting a highly concealed DNS tunnel Trojan horse based on communication behavior analysis.

Background technique: [0002] DNS tunneling technology refers to the establishment of covert communication over the DNS protocol to achieve covert transmission of confidential data. DNS covert channels can be used maliciously, and some penetration tools can remotely control a host or even steal data through DNS covert channels. Daan Raman and others have shown that, under the Metasploit penetration testing platform, using an internal network machine's buffer or other vulnerabilities, it is possible to establish a fully functional DNS tunnel from the private internal network to an external controller and use the established DNS tunnel for command and control of the attack. In March 2017, the Cisco Talos team discovered an atta...


Application Information

IPC(8): H04L29/06, H04L29/12, G06K9/62, H04L12/26
CPC: H04L63/1425, H04L63/145, H04L43/026, H04L43/10, H04L61/4511, G06F18/214, G06F18/24323
Inventors: 刘胜利, 罗友强, 陈石, 肖达, 林伟, 丁岚
Owner PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU