
一种基于多模型融合的隐蔽隧道和加密恶意流量检测方法

A Covert Tunnel and Encrypted Malicious Traffic Detection Method Based on Multi-Model Fusion

To evade detection, advanced persistent threat (APT) attackers often employ strategies such as encrypted malicious traffic and covert tunnels to conceal malicious activities, thereby increasing the difficulty of detection. Currently, most methods for detecting DNS covert tunnels are based on features such as statistics, frequency, and packet characteristics. These methods are not well suited to real-time detection, which can lead to data leaks. Real-time and reliable detection therefore requires classifying individual DNS requests rather than aggregating traffic statistics before detecting: once the system determines that a single DNS request is tunnel traffic, it can respond immediately and prevent data leakage. Existing methods for detecting encrypted malicious traffic, meanwhile, suffer from an inability to fully extract traffic feature information, a single means of feature extraction, and underutilization of features. This paper therefore proposes a covert tunnel and encrypted malicious traffic detection method based on multi-model fusion. For DNS covert tunnels, the paper proposes a detection method that fuses MLP, 1D-CNN, and RNN models and computes the fusion result according to a proposed mathematical model; this method can monitor covert tunnels in real time and further improves overall detection accuracy. For encrypted malicious traffic, the paper proposes a parallel fusion detection method combining 1D-CNN and LSTM models; the parallel fusion model extracts feature information more comprehensively, reflects the full picture of the traffic data, and thereby improves the model's detection accuracy.

Keywords: encrypted malicious traffic detection; DNS covert tunnel detection; multi-model fusion

顾国民、陈文浩、黄伟达


College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou 310023, China


Funding: National Natural Science Foundation of China (U22B2028); Zhejiang Province "Ten Thousand Talents Plan" Science and Technology Innovation Leading Talent Project (2020R52011); Zhejiang Provincial Basic Public Welfare Research Program (LD22F020002)

2024

Netinfo Security (信息网络安全)
Sponsored by the Third Research Institute of the Ministry of Public Security and the Computer Security Professional Committee of the China Computer Federation


Indexed in: CSTPCD; CHSSCD; Peking University Core Journals (北大核心)
Impact factor: 0.814
ISSN:1671-1122
Year, volume (issue): 2024, 24(5)