Journal of Computer Applications (《计算机应用》), official website


Survey of DNS tunneling detection technology research

郑智强 (Zhiqiang ZHENG) (1), 王锐棋 (2), 范子静 (3), 何发镁 (4), 姚叶鹏 (3), 汪秋云 (3), 姜政伟 (3)

  1. College of Information Engineering, Capital Normal University
  2. School of Big Data and Computer Science, Guizhou Normal University
  3. Institute of Information Engineering, Chinese Academy of Sciences
  4. Beijing Institute of Technology
  • Received: 2024-07-10  Revised: 2024-10-09  Online: 2024-11-19  Published: 2024-11-19
  • Corresponding author: Zhiqiang ZHENG

Abstract (translated from the Chinese): The Domain Name System (DNS), which maps between domain names and IP addresses, is one of the fundamental protocols of the Internet. Because of its importance, the security policies of devices such as firewalls and intrusion detection systems (IDS) allow DNS traffic through by default, which gives attackers the opportunity to communicate over DNS tunnels. Many malware families now support DNS communication, or even use it by default, posing a serious challenge to network security tools and security operations centers. However, existing research focuses mainly on specific detection methods and rarely examines the tunneling tools themselves, even though the great majority of authors rely on such tools to generate their samples. This survey therefore systematically describes the history of DNS tunneling, the state of research and the existing detection schemes, and discusses the strengths and weaknesses of the detection schemes proposed over the past 10 years. It then evaluates and experiments with six communication tools commonly used in these schemes, including dnscat2, Iodine and dns2tcp, and releases the experimental data. The survey finds that the vast majority of detection schemes publish neither their tunnel sample datasets nor the parameters used when generating traffic with the tunneling tools, which makes the proposed schemes almost impossible to reproduce. In addition, some of the DNS tunneling tools used by these schemes carry obvious signature features. Training model-based detection schemes on samples that carry such signatures casts doubt on the generalization ability of the models: there is no way to know whether such models perform well in the real world. Finally, directions for future work are outlined.

Keywords: DNS tunneling, covert communication, tunneling tool, tunneling communication detection, tunneling detection feature, tunneling tool evaluation

Abstract: As a system that translates between IP addresses and domain names, the Domain Name System (DNS) is one of the fundamental protocols of the Internet. Because of this importance, the security policies of facilities such as firewalls and Intrusion Detection Systems (IDS) allow DNS traffic to pass by default, which gives attackers the opportunity to use DNS tunneling for communication. Recently, many malware families have come to support DNS communication, or even use it by default, which poses a great challenge to current IDS and security departments. However, existing research focuses mainly on specific detection methods and rarely explores the tunneling tools themselves, even though the majority of authors rely on tunneling tools to generate samples for their solutions. This article systematically elaborates on the development history and research status of DNS tunneling and of existing detection solutions, and discusses the advantages and disadvantages of the detection methods of the past 10 years. Subsequently, 6 communication tools commonly used in these detection solutions, such as dnscat2, Iodine and dns2tcp, were evaluated and tested, and the experimental data were made public. According to our research, most detection solutions did not disclose their tunneling sample datasets or the configuration used when generating traffic with the tunneling tools, making their proposed solutions almost impossible to reproduce. In addition, some detection solutions use DNS tunneling tools with obvious signature features. Using samples with signature features to train model-based detection solutions casts doubt on the generalization ability of the model, that is, it is impossible to know whether this type of model will perform well in the real world. Finally, suggestions for future work directions are provided.

CLC number: