1 research outputs found
A DNS Tunnel Sliding Window Differential Detection Method Based on Normal Distribution Reasonable Range Filtering
A covert attack method often used by APT organizations is the DNS tunnel,
which is used to pass information by constructing C2 networks. And they often
use the method of frequently changing domain names and server IP addresses to
evade monitoring, which makes it extremely difficult to detect them. However,
they carry DNS tunnel information traffic in normal DNS communication, which
inevitably brings anomalies in some statistical characteristics of DNS traffic,
so that it would provide security personnel with the opportunity to find them.
Based on the above considerations, this paper studies the statistical discovery
methodology of typical DNS tunnel high-frequency query behavior. Firstly, we
analyze the distribution of the DNS domain name length and times and finds that
the DNS domain name length and times follow the normal distribution law.
Secondly, based on this distribution law, we propose a method for detecting and
discovering high-frequency DNS query behaviors of non-single domain names based
on the statistical rules of domain name length and frequency and we also give
three theorems as theoretical support. Thirdly, we design a sliding window
difference scheme based on the above method. Experimental results show that our
method has a higher detection rate. At the same time, since our method does not
need to construct a data set, it has better practicability in detecting unknown
DNS tunnels. This also shows that our detection method based on mathematical
models can effectively avoid the dilemma for machine learning methods that must
have useful training data sets, and has strong practical significance