A DNS Tunnel Sliding Window Differential Detection Method Based on Normal Distribution Reasonable Range Filtering

A covert attack method often used by APT organizations is the DNS tunnel, which is used to pass information by constructing C2 networks. And they often use the method of frequently changing domain names and server IP addresses to evade monitoring, which makes it extremely difficult to detect them. However, they carry DNS tunnel information traffic in normal DNS communication, which inevitably brings anomalies in some statistical characteristics of DNS traffic, so that it would provide security personnel with the opportunity to find them. Based on the above considerations, this paper studies the statistical discovery methodology of typical DNS tunnel high-frequency query behavior. Firstly, we analyze the distribution of the DNS domain name length and times and finds that the DNS domain name length and times follow the normal distribution law. Secondly, based on this distribution law, we propose a method for detecting and discovering high-frequency DNS query behaviors of non-single domain names based on the statistical rules of domain name length and frequency and we also give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need to construct a data set, it has better practicability in detecting unknown DNS tunnels. This also shows that our detection method based on mathematical models can effectively avoid the dilemma for machine learning methods that must have useful training data sets, and has strong practical significance

Are medical record front page data suitable for risk adjustment in hospital performance measurement? Development and validation of a risk model of in-hospital mortality after acute myocardial infarction

Objectives To develop a model of in-hospital mortality using medical record front page (MRFP) data and assess its validity in case-mix standardisation by comparison with a model developed using the complete medical record data.Design A nationally representative retrospective study.Setting Representative hospitals in China, covering 161 hospitals in modelling cohort and 156 hospitals in validation cohort.Participants Representative patients admitted for acute myocardial infarction. 8370 patients in modelling cohort and 9704 patients in validation cohort.Primary outcome measures In-hospital mortality, which was defined explicitly as death that occurred during hospitalisation, and the hospital-level risk standardised mortality rate (RSMR).Results A total of 14 variables were included in the model predicting in-hospital mortality based on MRFP data, with the area under receiver operating characteristic curve of 0.78 among modelling cohort and 0.79 among validation cohort. The median of absolute difference between the hospital RSMR predicted by hierarchical generalised linear models established based on MRFP data and complete medical record data, which was built as ‘reference model’, was 0.08% (10th and 90th percentiles: −1.8% and 1.6%). In the regression model comparing the RSMR between two models, the slope and intercept of the regression equation is 0.90 and 0.007 in modelling cohort, while 0.85 and 0.010 in validation cohort, which indicated that the evaluation capability from two models were very similar.Conclusions The models based on MRFP data showed good discrimination and calibration capability, as well as similar risk prediction effect in comparison with the model based on complete medical record data, which proved that MRFP data could be suitable for risk adjustment in hospital performance measurement