DNS tunnel detection: the state of research in foreign academia. Research methods: traffic-based, mostly using machine-learning classification algorithms, with some using clustering; approaches based on the Zipf's-law character distribution of domain names also appear.
2017-06-28 16:41
http://www.ijrter.com/papers/volume-2/issue-4/dns-tunneling-detection.pdf
"DNS Tunneling Detection"
In this paper we have presented a method of the DNS tunneling detection based on the clustering of the DNS traffic images.
Detection techniques also fall into two kinds:
DNS packet analysis and DNS traffic analysis. Packet analysis denotes the request and response payload examination. Traffic analysis denotes the packets study in time to collect statistics – such as count of the packets from a single host, submission frequency, etc.
DNS packet analysis methods:
1. Request and response packet size analysis.
2. Domain names entropy analysis.
3. Usage of the non-common types of DNS resource records.
4. Frequency of the digit occurrences in the domain names.
DNS traffic analysis techniques:
1. The DNS traffic volume from a single IP address.
2. The DNS traffic volume for certain domains.
3. The DNS server geographic location.
4. Time of the DNS resource records creation.
http://onlinelibrary.wiley.com/wol1/doi/10.1002/dac.2836/full DNS tunneling detection through statistical fingerprints of protocol messages and machine learning
The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes.
https://arxiv.org/abs/1004.4358 Detecting DNS Tunnels Using Character Frequency Analysis
This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point to point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.
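The packet-analysis features listed above (entropy, digit frequency) and the character-frequency fingerprint of this paper, worked through in Python as an added example that is not code from any of the papers. The BASELINE names, the sample query names and the thresholds are constructed for illustration; a real profile would be built from the resolver's own logs.

```python
import math
from collections import Counter

# Constructed baseline standing in for a corpus of legitimate query names; a real
# deployment would build the profile from the resolver's own observed logs.
BASELINE = [
    "www.example.com", "mail.example.org", "static.cdn-provider.net",
    "login.university.edu", "news.publisher.co.uk", "api.shop-site.com",
    "images.photo-host.net", "docs.open-project.org", "www.city-library.gov",
]

def labels(qname):
    """Lower-cased labels of a query name, trailing dot removed."""
    return [lab for lab in qname.lower().rstrip(".").split(".") if lab]
def bigrams(qname):
    """All within-label bigrams of the name (label boundaries are not bridged)."""
    return [lab[i:i + 2] for lab in labels(qname) for i in range(len(lab) - 1)]

def shannon_entropy(text):
    """Bits per character; base32/base64-style payload labels score well above 3.5."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0
def digit_ratio(text):
    """Fraction of digit characters (the paper's 'frequency of digit occurrences')."""
    return sum(ch.isdigit() for ch in text) / len(text) if text else 0.0

def bigram_profile(names):
    """Relative bigram frequencies of the baseline, i.e. its Zipf-like fingerprint."""
    counts = Counter(bg for name in names for bg in bigrams(name))
    total = sum(counts.values())
    return {bg: c / total for bg, c in counts.items()}

def bigram_unfamiliarity(qname, profile):
    """Share of the name's bigrams absent from the legitimate profile: legitimate names
    reuse a small core of bigrams, encoded payload spreads evenly over the alphabet."""
    bgs = bigrams(qname)
    return sum(bg not in profile for bg in bgs) / len(bgs) if bgs else 0.0

def packet_features(qname, profile):
    """Packet-analysis features for one query: entropy and digit ratio of the longest
    label (where tunnel payload is carried) plus bigram unfamiliarity of the name."""
    longest = max(labels(qname), key=len, default="")
    return {"longest_label_len": len(longest),
            "entropy": round(shannon_entropy(longest), 3),
            "digit_ratio": round(digit_ratio(longest), 3),
            "bigram_unfamiliar": round(bigram_unfamiliarity(qname, profile), 3)}

def looks_tunneled(f):
    """Illustrative thresholds; a classifier trained on labelled traffic would replace them."""
    return (f["longest_label_len"] >= 30 and f["entropy"] > 3.5) or f["bigram_unfamiliar"] > 0.6
```

Run `packet_features(name, bigram_profile(BASELINE))` on a normal name and on a long base32-looking label to see the three features separate the two cases.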
http://www.sciencedirect.com/science/article/pii/S1389128608003071 Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting
In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol.
Similar work: A Bigram based Real Time DNS Tunnel Detection Approach http://www.sciencedirect.com/science/article/pii/S1877050913002421
http://ieeexplore.ieee.org/abstract/document/6755060/?reload=true Basic classifiers for DNS tunneling detection
The paper deals with DNS tunneling detection by means of simple supervised learning schemes, applied to statistical features of DNS queries and answers.
https://link.springer.com/chapter/10.1007/978-3-319-07995-0_46 Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection
To do that, we pose a classification problem on several statistical fingerprints (features) of query and answers, acquired during the system evolution. More specifically, let q and a be the packet sizes of a query and the corresponding answer.
https://link.springer.com/chapter/10.1007/978-3-642-38998-6_16 Flow-Based Detection of DNS Tunnels
In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.
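The traffic-analysis side, covering the per-host and per-domain volume features listed earlier, the q and a packet sizes of the majority-voting paper, and the flow-derived variables of this paper, as an added example not taken from any of them. RECORDS is a constructed resolver log, apex() is a deliberately simplified registered-domain helper, and the thresholds in suspicious_flows() are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed resolver log, one tuple per query:
# (seconds since capture start, source IP, query name, query bytes, answer bytes).
RECORDS = [
    (0.0,  "10.0.0.5", "www.example.com",         33, 49),
    (2.4,  "10.0.0.5", "mail.example.com",        34, 50),
    (9.1,  "10.0.0.5", "static.cdn-provider.net", 41, 57),
    (30.2, "10.0.0.5", "www.example.com",         33, 49),
    (0.10, "10.0.0.9", "mfrggzdfmztwq2lknnwg23tp.t.example.net", 68, 231),
    (0.21, "10.0.0.9", "nfsxe2lomfzgwzjaon2hk4tm.t.example.net", 68, 229),
    (0.33, "10.0.0.9", "ivhgi6tuoruwszjqobzwk3df.t.example.net", 68, 233),
    (0.45, "10.0.0.9", "krugkidrovwg64tfmqqhg2lo.t.example.net", 68, 227),
    (0.58, "10.0.0.9", "pffsgy3vmfrwqzlz4tpmb4c3.t.example.net", 68, 230),
    (0.69, "10.0.0.9", "mrxsa2ln4vuw4zdoojsxeylt.t.example.net", 68, 232),
]

def apex(qname):
    """Registered domain approximated as the last two labels (assumption of this
    example; a public-suffix list handles co.uk-style suffixes in practice)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def flow_features(records):
    """Group queries into (source IP, apex) flows and derive the papers' traffic-analysis
    features: volume per host and domain, distinct-name ratio, q/a sizes, inter-arrival gaps."""
    flows = defaultdict(list)
    for ts, src, qname, q, a in records:
        flows[(src, apex(qname))].append((ts, qname, q, a))
    out = {}
    for key, rows in flows.items():
        rows.sort()
        times = [r[0] for r in rows]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        out[key] = {
            "queries": len(rows),
            "unique_ratio": len({r[1] for r in rows}) / len(rows),
            "mean_q": mean(r[2] for r in rows),
            "mean_a": mean(r[3] for r in rows),
            "mean_gap": mean(gaps) if gaps else None,  # None for a single query
        }
    return out

def suspicious_flows(features):
    """Illustrative rule with constructed thresholds (not the papers' values): many
    queries to one apex, nearly all distinct names, large answers at a steady short
    interval. A trained classifier or the papers' statistical tests replace this."""
    return sorted(key for key, f in features.items()
                  if f["queries"] >= 5 and f["unique_ratio"] >= 0.9
                  and f["mean_a"] > 150 and f["mean_gap"] is not None and f["mean_gap"] < 1.0)
```

The benign host produces a handful of repeated names with long gaps, while the second host's flow shows every query unique, answers far larger than queries, and sub-second spacing.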