DNS Covert Tunnel Detection Based on PFEC-Transformer
江魁 1, 黄锐滨 2, 邓昭蕊 2, 伍波 1, 朱思霖 2
Author information
- 1. Information Center, Shenzhen University, Shenzhen 518060
- 2. College of Electronics and Information Engineering, Shenzhen University, Shenzhen 518060
Abstract
As an Internet infrastructure, DNS is rarely subjected to deep monitoring by firewalls, allowing hackers and advanced persistent threat (APT) groups to exploit DNS covert tunnels for data theft or network control, posing a significant threat to network security. In response to the easily bypassed nature of existing detection methods and their weak generalization capabilities, this study enhances the characterization method of DNS traffic and introduces the pcap features extraction CNN-Transformer (PFEC-Transformer) model. This model uses the characterized decimal numerical sequences as input, conducts local feature extraction through CNN modules, and then analyzes long-distance dependency patterns between local features using the Transformer for classification. The research builds datasets by collecting Internet traffic and data packets generated by various DNS covert tunnel tools, and conducts generalization testing with publicly available datasets containing traffic from unknown tunneling tools. Experimental results demonstrate that the model achieves an accuracy of 99.97% on the testing dataset and 92.12% on the generalization testing dataset, effectively showcasing its exceptional performance in detecting unknown DNS covert tunnels.
Key words
network security / DNS covert tunnel / anomaly traffic detection / deep learning / generalizability
Publication year
2024