A covert attack method often used by APT groups is the DNS tunnel, which passes information through a C2 network built on DNS. Such groups also frequently change domain names and server IP addresses to evade monitoring, which makes them extremely difficult to detect. However, because they carry DNS tunnel traffic inside normal DNS communication, they inevitably introduce anomalies in some statistical characteristics of DNS traffic, which gives security personnel an opportunity to find them. Based on these considerations, this paper studies a statistical method for discovering the high-frequency query behavior typical of DNS tunnels. First, we analyze the distribution of DNS domain name length and query frequency and find that both follow a normal distribution. Second, based on this distribution, we propose a method for detecting high-frequency DNS query behavior over non-single domain names using statistical rules on domain name length and frequency, and we give three theorems as theoretical support. Third, we design a sliding-window difference scheme based on this method. Experimental results show that our method achieves a higher detection rate. Since our method does not require constructing a data set, it is also more practical for detecting unknown DNS tunnels. This shows that a detection method based on mathematical models can avoid the dilemma of machine learning methods, which must have useful training data sets, and has strong practical significance.
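The following is an added illustration, not the paper's own code, of the kind of detector the abstract describes: DNS queries are grouped into per-client time windows, each window is summarised by its query count and mean query-name length, and a window is flagged when both statistics sit more than k standard deviations above the client's preceding windows (the sliding-window difference is reported as the change in count versus the previous window). The paper's three theorems and exact thresholds are not on the page, so the window size, k = 3, the minimum history and the standard-deviation floor are assumptions, and the log lines are constructed.

```python
"""Statistical detection of high-frequency DNS tunnel query windows.

Added example (not the paper's code). Assumptions: 10 s windows, k = 3 sigma,
at least 3 windows of history per client, and a standard-deviation floor of
1.0 so a perfectly uniform history does not turn every small change into an
alert. The DNS log below is constructed for the demonstration.
"""
import statistics
from collections import defaultdict

NORMAL_NAMES = [
    "www.example.com", "mail.example.com", "cdn.example.net",
    "api.example.org", "login.example.com", "static.example.net",
]


def build_sample_log():
    """Constructed DNS query log as (timestamp_s, client_ip, qname) tuples."""
    log = []
    idx = 0
    # Baseline: 2-5 short, repeated lookups per 10 s window for 60 s.
    for window, n in enumerate([3, 4, 2, 5, 3, 4]):
        for i in range(n):
            name = NORMAL_NAMES[idx % len(NORMAL_NAMES)]
            log.append((window * 10 + i * 2, "10.0.0.5", name))
            idx += 1
    # Tunnel-like burst in window 6: 40 queries, each a distinct 32-char label
    # under one apex, so the names are long and almost never repeat.
    for i in range(40):
        log.append((60 + i * 0.2, "10.0.0.5", f"{i:032x}.t.example.org"))
    return log


def window_features(records, window_s=10):
    """Summarise each (client, window) as (window, count, distinct, mean_len).

    Returns {client: [features...]} with windows in ascending order.
    """
    buckets = defaultdict(list)
    for ts, client, qname in records:
        buckets[(client, int(ts // window_s))].append(qname)
    per_client = defaultdict(list)
    for client, w in sorted(buckets):
        names = buckets[(client, w)]
        mean_len = statistics.fmean([len(n) for n in names])
        per_client[client].append((w, len(names), len(set(names)), mean_len))
    return per_client


def zscore(x, history, min_std):
    """Standard score of x against the history, with a floor on the std."""
    mu = statistics.fmean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    return (x - mu) / max(sd, min_std)


def detect_high_frequency_windows(records, window_s=10, k=3.0,
                                  min_history=3, min_std=1.0):
    """Flag windows whose query count AND mean name length both exceed k sigma
    relative to the same client's preceding windows."""
    alerts = []
    for client, feats in window_features(records, window_s).items():
        for i, (w, count, distinct, mean_len) in enumerate(feats):
            if i < min_history:
                continue  # too little history to estimate this client's distribution
            hist = feats[:i]
            z_count = zscore(count, [f[1] for f in hist], min_std)
            z_len = zscore(mean_len, [f[3] for f in hist], min_std)
            if z_count > k and z_len > k:
                alerts.append({
                    "client": client, "window": w, "count": count,
                    "distinct": distinct, "mean_len": mean_len,
                    "z_count": z_count, "z_len": z_len,
                    # sliding-window difference: jump versus the previous window
                    "count_delta": count - feats[i - 1][1],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_high_frequency_windows(build_sample_log()):
        print(a)
```

Requiring both statistics to deviate is what keeps ordinary bursts (a page load that fans out into many short lookups) from alerting: those raise the count but not the mean name length, whereas tunnel traffic raises both.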