
DNS Covert Tunnel Detection Based on PFEC-Transformer

As a core piece of Internet infrastructure, DNS is rarely subjected to deep inspection by firewalls, which lets attackers and advanced persistent threat (APT) groups exfiltrate data or control compromised hosts through DNS covert tunnels, posing a serious threat to network security. To address the ease with which existing detection schemes are bypassed and their weak generalization, this study improves the representation of DNS traffic and proposes the PFEC-Transformer (pcap features extraction CNN-Transformer) model. The model takes the represented decimal numeric sequence as input; a CNN module first extracts local features, and a Transformer then analyzes long-range dependency patterns among those local features and performs the classification. The authors collected Internet traffic and packets generated by various DNS covert tunnelling tools to build the dataset, and tested generalization on a public dataset containing traffic from tunnelling tools unseen in training. Experiments show that the model reaches 99.97% accuracy on the test set and 92.12% on the generalization set, demonstrating strong performance in detecting unknown DNS covert tunnels.
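The abstract describes feeding the model a DNS packet as a decimal numeric sequence rather than handcrafted query features. The Python below is an added illustration of that representation step, not the paper's code: the fixed sequence length (SEQ_LEN), the zero-padding and the "last two labels are the registrable domain" rule are assumptions, and the two DNS queries are constructed, not captured traffic. It encodes a query in DNS wire format, turns every byte into an integer in 0..255 padded to a fixed length (the kind of row a 1-D CNN front end consumes), and beside it computes the classic subdomain length and entropy features that rule-based detectors threshold on, so the two views of the same packet can be compared.

```python
import math
import struct
from collections import Counter

# Assumed fixed input length for the byte-level sequence; the paper's actual
# length and padding scheme are not stated on this page.
SEQ_LEN = 128


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 16) -> bytes:
    """Encode a minimal DNS query (12-byte header + one question) in wire format.

    qtype 16 is TXT, a record type tunnelling tools often use for the
    server-to-client direction; qclass is always IN (1).
    """
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes):
    """Walk the length-prefixed labels of the first question (offset 12).

    Returns (labels, offset_after_name). Rejects truncated names and
    compression pointers, which are not valid in a question section.
    """
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        n = packet[pos]
        pos += 1
        if n == 0:
            return labels, pos
        if n & 0xC0:
            raise ValueError("compression pointer inside question QNAME")
        labels.append(packet[pos:pos + n].decode("ascii", errors="replace"))
        pos += n


def to_decimal_sequence(packet: bytes, length: int = SEQ_LEN):
    """Byte-level representation: every packet byte becomes an integer 0..255.

    The sequence is truncated or zero-padded to a fixed length so that each
    packet is an equal-sized row for a 1-D CNN front end.
    """
    seq = list(packet[:length])
    return seq + [0] * (length - len(seq))


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def handcrafted_features(packet: bytes):
    """Classic per-query features that rule-based detectors threshold on.

    The 'subdomain' is everything left of the registrable name, approximated
    here as the last two labels (an assumption; real deployments consult a
    public suffix list).
    """
    labels, _ = parse_qname(packet)
    subdomain = ".".join(labels[:-2])
    return {
        "label_count": len(labels),
        "subdomain_len": len(subdomain),
        "subdomain_entropy": round(shannon_entropy(subdomain), 3),
    }


# Constructed sample queries (not captured traffic): a benign lookup and a
# query shaped like the hex-encoded chunks DNS tunnelling tools emit.
BENIGN_QUERY = build_dns_query("www.example.com")
TUNNEL_QUERY = build_dns_query(
    "3a7f9c2e1b0d4f6a8e9c1d2b3f4a5c6d.7e8f9a0b1c2d3e4f.t.example.com"
)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_QUERY), ("tunnel-like", TUNNEL_QUERY)):
        print(name, handcrafted_features(pkt))
        print("  first 20 of", SEQ_LEN, "inputs:", to_decimal_sequence(pkt)[:20])
```

The point of showing both views side by side is the bypass problem the abstract raises: an attacker who pads queries with short, low-entropy labels can push length and entropy back under a rule's thresholds, while the byte sequence still carries the header flags, label-length bytes, record type and payload layout for the model to learn from.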

network security; DNS covert tunnel; anomaly traffic detection; deep learning; generalizability

江魁、黄锐滨、邓昭蕊、伍波、朱思霖


Information Center, Shenzhen University, Shenzhen 518060

College of Electronics and Information Engineering, Shenzhen University, Shenzhen 518060


2024

Computer Systems & Applications
Institute of Software, Chinese Academy of Sciences


CSTPCD
Impact factor: 0.449
ISSN:1003-3254
Year, volume (issue): 2024, 33(12)