DNS hidden tunnel event automatic detection method and device, and electronic equipment

A DNS tunnel automatic detection technology, applied in the field of network security, which can solve the problems that existing detection cannot be applied to new covert DNS tunnels, has a high false positive rate, and cannot provide sufficient

Active Publication Date: 2021-05-18
天际友盟(珠海)科技有限公司

AI Technical Summary

Problems solved by technology

However, the current DNS tunnel detection has a high false positive rate, which is not suitable for the detection of covert new DNS tu


Examples


Embodiment 1

[0052] As shown in Figure 1, this embodiment of the invention provides an automatic detection method for DNS covert tunnel events. It uses a machine learning algorithm to detect suspected DNS covert tunnel traffic, and then performs event clue calculation, a secondary check and a risk calculation on that suspected traffic.

[0053] The DNS covert tunnel event automatic detection method proposed by the present invention comprises:

[0054] Suspected DNS covert tunnel traffic detection step 101: collect DNS traffic data and filter out redundant traffic data to obtain traffic samples; analyze the traffic samples to extract traffic data features; and identify the extracted traffic data features with a preset model to obtain DNS tunnel events;

[0055] Event clue calculation step 102: perform a risk false-alarm investigation of the DNS tunnel event across multiple clue dimensions; and

[0056] The event risk calculation ...
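The four steps above (and the same pipeline restated in the Abstract) are described only at the level of "filter, extract features, classify with a preset model, screen false alarms by clue, score risk". The following is an added worked example in that shape, written for this page; it is not the patent's code and the patent does not disclose its features or model. The feature set, the fixed weights standing in for the "preset model", the thresholds, the clue dimensions, the allow-list and the sample query log are all assumptions chosen for illustration.

```python
"""Illustrative DNS covert-tunnel detection pipeline: collect -> filter redundant
-> extract features -> classify -> multi-dimension clue check -> risk value.
Added example for this page; not the patent's implementation. All weights,
thresholds, clue dimensions and sample data below are assumptions."""
import math
from collections import defaultdict

# Constructed sample DNS query log (client_ip, qname, qtype). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com.", "A"),
    ("10.0.0.5", "www.example.com.", "A"),  # exact repeat, filtered as redundant
    ("10.0.0.5", "mail.example.com.", "MX"),
    ("10.0.0.7", "2f8a9c1b3e4d5f6a7b8c9d0e1f2a3b4c.t.evil-tunnel.test.", "TXT"),
    ("10.0.0.7", "9a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.t.evil-tunnel.test.", "TXT"),
    ("10.0.0.7", "1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f.t.evil-tunnel.test.", "TXT"),
    ("10.0.0.7", "7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b.t.evil-tunnel.test.", "NULL"),
    ("10.0.0.9", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cdn-hash.example.net.", "A"),
    ("10.0.0.9", "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7.cdn-hash.example.net.", "A"),
]

# Assumed allow-list of zones known to carry hash-like labels legitimately
# (CDN / telemetry lookups). One "clue dimension" for false-alarm screening.
KNOWN_BENIGN_ZONES = {"cdn-hash.example.net"}
RARE_QTYPES = {"TXT", "NULL", "CNAME"}  # record types tunnels commonly abuse
SUSPECT_THRESHOLD = 0.5  # decision boundary of the stand-in "preset model"
ALERT_THRESHOLD = 0.3    # minimum risk value that is reported as an alarm
CLUE_WEIGHTS = {"allowlisted_zone": -0.6, "rare_qtype": 0.1, "many_payload_labels": 0.1}


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (leftmost label, zone) with zone = last two labels.
    Assumption: no public-suffix list, so 'co.uk'-style zones are not handled."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])


def filter_redundant(queries):
    """Step 101a: drop exact repeats of (client, qname, qtype)."""
    seen, kept = set(), []
    for client, qname, qtype in queries:
        key = (client, qname.lower(), qtype)
        if key not in seen:
            seen.add(key)
            kept.append((client, qname, qtype))
    return kept


def extract_features(queries):
    """Step 101b: one feature vector per (client, zone) pair."""
    groups = defaultdict(list)
    for client, qname, qtype in queries:
        groups[(client, split_name(qname)[1])].append((qname, qtype))
    feats = {}
    for key, items in groups.items():
        leftmost = [split_name(q)[0] for q, _ in items]
        ents = [label_entropy(lbl) for lbl in leftmost]
        feats[key] = {
            "queries": [q for q, _ in items],
            "qtypes": [t for _, t in items],
            "mean_entropy": sum(ents) / len(ents),
            "mean_len": sum(len(q) for q, _ in items) / len(items),
            "rare_qtype_frac": sum(t in RARE_QTYPES for _, t in items) / len(items),
            # distinct high-entropy leftmost labels: payload chunks look like this
            "payload_labels": len({lbl for lbl, e in zip(leftmost, ents) if e > 3.0}),
        }
    return feats


def model_score(f) -> float:
    """Step 101c stand-in for the unspecified 'preset model': fixed weighted score in [0, 1]."""
    return (0.45 * min(f["mean_entropy"] / 4.0, 1.0)
            + 0.25 * min(f["mean_len"] / 60.0, 1.0)
            + 0.20 * f["rare_qtype_frac"]
            + 0.10 * min(f["payload_labels"] / 8.0, 1.0))


def clue_check(f):
    """Step 102: clue dimensions that support or weaken the suspicion."""
    clues = []
    if all(any(q.rstrip(".").lower() == z or q.rstrip(".").lower().endswith("." + z)
               for z in KNOWN_BENIGN_ZONES) for q in f["queries"]):
        clues.append("allowlisted_zone")
    if any(t in RARE_QTYPES for t in f["qtypes"]):
        clues.append("rare_qtype")
    if f["payload_labels"] >= 3:
        clues.append("many_payload_labels")
    return clues


def risk_value(score: float, clues) -> float:
    """Step 103: fold clue findings into the model score, clamped to [0, 1]."""
    return max(0.0, min(1.0, score + sum(CLUE_WEIGHTS[c] for c in clues)))


def detect(queries):
    """Whole pipeline; one event per suspected (client, zone) pair, alarm flag included."""
    events = []
    for (client, zone), f in extract_features(filter_redundant(queries)).items():
        score = model_score(f)
        if score < SUSPECT_THRESHOLD:
            continue
        clues = clue_check(f)
        risk = risk_value(score, clues)
        events.append({"client": client, "zone": zone, "score": round(score, 3),
                       "clues": clues, "risk": round(risk, 2),
                       "alert": risk >= ALERT_THRESHOLD})
    return events


if __name__ == "__main__":
    for event in detect(SAMPLE_QUERIES):
        print(event)
```

On the constructed log the model alone flags both the hex-label zone evil-tunnel.test (TXT/NULL queries, four distinct payload-like labels) and the hash-label CDN zone; the allow-list clue then pulls the CDN event below the alarm threshold while the tunnel event keeps its full risk value. That is the point of the clue step: the classifier's output is kept but is not reported as an alarm until the clue dimensions have been consulted.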

Embodiment 2

[0121] Another aspect of the invention is a functional module architecture that corresponds one-to-one to the method flow above. As shown in Figure 5, this embodiment of the invention also provides a DNS covert tunnel event automatic detection device, comprising:

[0122] A traffic detection module 201, configured to collect DNS traffic data and filter out redundant traffic data to obtain traffic samples; analyze the traffic samples to extract traffic data features; and identify the extracted traffic data features with a preset model to obtain DNS tunnel events;

[0123] An event clue calculation module 202, configured to perform a risk false-alarm investigation of the DNS tunnel event across multiple clue dimensions; and

[0124] An event risk calculation module 203, configured to calculate the risk value of the DNS tunnel event according to the investigation result, and to output the DNS covert tunnel risk event alarm and th...

Embodiment 3

[0128] The invention also provides a memory storing a plurality of instructions, the instructions being used to implement the method described in the first embodiment.


Abstract

The invention discloses a DNS covert tunnel event automatic detection method and device, and electronic equipment. The method comprises: collecting DNS tunnel traffic data and filtering out redundant traffic data to obtain traffic samples; analyzing the traffic samples and extracting traffic data features; identifying the extracted traffic data features with a preset model to obtain a DNS tunnel event; performing a risk false-alarm investigation of the DNS tunnel event across a plurality of clue dimensions; calculating a risk value of the DNS tunnel event according to the investigation result; and outputting the DNS covert tunnel risk event alarm and the risk value. The scheme gives security analysts several event-investigation clues, reduces the false alarm rate and improves the friendliness of the interface.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to an automatic detection method, device and electronic equipment for DNS covert tunnel events.

Background

[0002] Network covert channels are an important way for attackers to bypass network security policies when transferring data, and DNS (Domain Name System) is a common carrier for an application-layer covert channel. Through a DNS tunnel an attacker can obtain remote access and control, bypass authorization and access-control measures, install and spread malware, move laterally, relay communications and exfiltrate data. As one of the key infrastructures of the Internet, DNS maps domain names to IP addresses and back. DNS traffic is rarely blocked by firewall policy; even an isolated internal network needs a DNS server for host name resolution. DNS is also a globally distributed database: recursive resolution of a domain name requires the local...


Application Information

IPC(8): H04L29/06, H04L29/12
CPC: H04L63/029, H04L63/1458, H04L61/4511
Inventors: 董龙飞, 李锟
Owner 天际友盟(珠海)科技有限公司