Similar literature (19 results)
1.
姜雄  黄文培 《通信技术》2022,(4):506-512
This paper analyzes the current detection methods for Domain Name System (DNS) covert channels and the differences between DNS covert-channel packets and regular DNS packets. To address the shortcomings of current detection methods, which require a large number of manually specified features and require distinguishing query packets from response packets, two detection methods are proposed, one based on a convolutional neural network and one based on a long short-term memory network. Using real campus-network DNS traffic and DNS covert... 

2.
As an important component of Internet infrastructure, DNS (domain name system) data is generally not blocked by firewalls and other network security devices. Covert channels carried over the DNS protocol have strong penetration and concealment properties and have become a habitual means of command and control and data exfiltration for attackers. Existing research lacks detection techniques or methods for DNS covert channels in real APT (advanced persistent threat) attacks, and the features it extracts are not comprehensive enough. To analyze attack traffic and behavioral characteristics in depth, this paper models DNS covert communication in real APT attacks with a finite state machine, dissects how DNS covert channels are constructed in APT attack scenarios, and describes their data interaction process in detail. By summarizing and analyzing DNS covert communication mechanisms, a communication model is built on a finite state machine with seven states in the communication process, including closed, connected, command query and command transfer; the transmission of different message types, such as control messages and data messages, triggers state transitions. The leaked Glimpse tool is used to simulate DNS covert communication under a real APT attack, and experiments with malicious samples such as Helminth verify the applicability and soundness of the model, providing a sufficient basis for manual feature extraction.

3.
Against the background of increasingly prominent network information security problems, this paper studies the communication mechanism of network covert channels. A method of building a network covert channel over multiple protocols is proposed: the two communicating parties negotiate a key over the ICMP protocol, the negotiated key encrypts the covert information to be transmitted, the encrypted information is written into the 32-bit sequence number field of the TCP protocol, and the encrypted session key is written into the 16-bit identification field of the IP protocol. The method is implemented and tested on the Linux platform. Experimental results show that this covert channel is highly covert, fast and practical, providing a theoretical basis and technical support for defending against malicious attacks that use covert channels.

4.
In a network covert timing channel, the sending or arrival times of packets are manipulated to carry a message, achieving covert information transfer. The existence of such channels harms the confidentiality of information, so they should be disrupted or restricted. Because a network covert timing channel parasitizes a normal communication channel, disrupting it inevitably has a negative effect on normal network communication. This paper poses the problem of how to disrupt network covert timing channels under multiple constraints and gives a solution to this problem based on adaptive random delay.

5.
Research on covert channels based on the HTTP protocol (cited by 2: self-citations 0, citations by others 2)
HTTP is currently the most widely used protocol on the Internet. The syntax of HTTP is defined rather loosely, and many of the header fields defined by HTTP contain large portions with random characteristics, which provides the conditions for constructing covert channels. This paper proposes the idea of constructing a covert channel from the randomness of the time value in the Date header field, implements a method for transmitting an arbitrary amount of covert information over a low-bandwidth covert channel under high-volume carrier traffic, and analyzes the performance of this covert channel.

6.
王涛  袁健 《信息技术》2014,(5):106-109,113
Because covert channels can bypass traditional security policies to achieve abnormal communication mechanisms, their existence poses a great security risk to secure information systems. There are many kinds of covert channels in networks, and how to detect the multiple covert channels that may exist in a channel efficiently, quickly and accurately has become a problem that urgently needs solving. To address this problem, a new network covert channel detection model is proposed. According to the required security level, the model can perform security checks of different depths on network channels and, at the same time, changes the detection order of covert channels in real time according to attributes such as how frequently a covert channel appears and how much harm it causes, thereby improving the efficiency of network covert channel detection.

7.
Most current research on covert channels is based on Internet protocols; implementing covert communication in digital television is a new direction for information hiding technology. Building on a covert-channel information transfer framework, this paper explains the possibility and inevitability of covert channels in digital television networks. It proposes information hiding methods based on the padding field of TS packets and the reserved bits of the PCR field, implements them in simulation, and then analyzes and compares the performance of the two hiding schemes. The work provides some guidance for constructing covert channels in digital television networks.

8.
Based on an analysis and study of previous covert channel analysis results, this paper proposes a simple and effective idea and method for covert channel analysis.

9.
A Telnet-based covert channel attaches hidden messages directly to Telnet network data and sends them to a remote "server". Because keyboard operations are arbitrary, detecting this kind of channel is difficult. By analyzing Telnet covert channel technology, this paper proposes a detection method for this covert channel. The detection method uses a one-class support vector machine (SVM), captures the network packets of users' normal operations as detection samples, and constructs detection vectors from the time intervals between sample data. Experiments show that detecting Telnet-based covert channels with this method achieves a detection rate of 100% with a low false-alarm rate.

10.
To counter unknown illegitimate detection threats in wireless communication, this paper proposes a random path-hopping covert communication scheme that randomly and dynamically scatters signal energy across multiple paths. First, a covert transmission strategy is designed from our side's multipath channel information, and an adversary detection model is constructed. Next, by introducing a correlation correction factor, closed-form expressions for the adversary's average received signal-to-noise ratio (SNR) are derived for the proposed scheme, the strongest-path selection scheme and the classic maximum ratio transmission scheme, and our side's minimum average covert probability is computed by curve fitting, completing a qualitative and quantitative evaluation of covertness. Then, a closed-form solution for our side's average received SNR is derived and the system rate performance is analyzed. Simulation experiments show that the proposed scheme not only has a covertness advantage in the general case where nothing is known about the adversary, but also, in the extreme case where the adversary approaches our side, mitigates the failure of covert communication to the greatest extent.

11.
In order to effectively identify the multiple types of DNS covert channels, the implementation of different sorts of DNS covert channel software was studied, and a detection method based on an improved convolutional neural network was proposed. The experimental results, grounded upon campus network traffic, show that the detection can identify twenty-two kinds of data interaction modes of DNS covert channels and is able to identify unknown DNS covert channel traffic. The proposed method outperforms the existing methods.

12.
To propose an effective method for detecting all types of DNS covert channels, this paper studies the traffic characteristics of DNS covert communication, extracts 12 packet features that distinguish legitimate queries from covert communication, and uses a machine-learning classifier to discriminate on the statistical characteristics of sessions. Experiments show that a decision-tree model can detect all 22 kinds of DNS covert channels seen in training and can also identify new covert channels that were not trained on. Deployed in practice on campus network traffic, the system successfully detected the presence of multiple DNS tunnels.

13.
This paper presents master key identifier based protocol steganography (MKIPS), a new approach toward creating a covert channel within the Secure Real-time Transport Protocol, also known as SRTP. This can be achieved using the ability of the sender of Voice-over-Internet Protocol packets to select a master key from a pre-shared list of available cryptographic keys. This list is handed to the SRTP sender and receiver by an external key management protocol during session initiation. In this work, by intelligent utilization of the master key identifier field in the SRTP packet creation process, a covert channel is created. The proposed covert channel can reach a relatively high transfer rate, and its capacity may vary based on the underlying SRTP channel properties. In comparison to existing data embedding methods in SRTP, MKIPS can convey a secret message without adding to the traffic overhead of the channel or to packet loss at the destination. Additionally, the proposed covert channel is as robust as its underlying user datagram protocol channel.

14.
DNS (Domain Name System) tunnels almost completely obscure the true network activities of users, which makes it challenging for gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal-spatial analysis of the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those carrying a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows, which is combined with deep neural networks to construct a regression model. We benchmark the proposed method with captured DNS tunnel traffic; the experimental results show that the proposed scheme can achieve identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

15.
The use of covert-channel methods to bypass security policies has increased considerably in recent years. Malicious users neutralize security restrictions by encapsulating protocols like peer-to-peer, chat or HTTP proxy into other allowed protocols like Domain Name Server (DNS) or HTTP. This paper illustrates a machine learning approach to detect one particular covert-channel technique: DNS tunneling. Although packet inspection may guarantee reliable intrusion detection in this context, it may suffer from scalability problems when a large set of sockets must be monitored in real time. Detecting the presence of DNS intruders by aggregation-based monitoring is of major interest, as it avoids packet inspection, thus preserving privacy and scalability. The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packet inter-arrival times and of packet sizes. The analysis is complicated by two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and the need for quick statistical fingerprint generation (to obtain a detection tool that is really applicable in the field). Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and by making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. An insightful analysis of the performance leads to a single intrusion detection tool applicable in the presence of different tunneled applications. Copyright © 2014 John Wiley & Sons, Ltd.

16.
Covert channels have recently been the subject of study in both their creation and countermeasure aspects. There are many different ways to embed covert data in network standards and protocols, especially in wireless networks. MORE (MAC-independent opportunistic routing) is an opportunistic routing protocol which uses network coding to enhance routing performance by reducing retransmissions. This protocol can be a suitable medium for covert channel establishment. A middleman covert channel establishment method over the MORE routing protocol, using network coding, is proposed in this paper. Hidden data are transferred through the packet's payload bytes. The covert sender manipulates the coding mechanism by calculating packet coefficients instead of selecting them at random. The proposed covert channel provides an average throughput of 218 and 231 bps using two different data length approaches, which is relatively good compared with previous network layer covert channels. The proposed covert channel is also a covert storage channel and cannot be removed or restricted. The effect of different network characteristics on the proposed method's capacity and security is investigated by a simulation study, and the results are discussed.

17.
Design of a network covert channel detection system model (cited by 1: self-citations 1, citations by others 0)
Using covert channels built on the TCP/IP protocol suite for illicit communication has become a major threat to network security. Taking the IP and TCP protocols as examples, this paper first briefly introduces how network covert channels are built under TCP/IP and the characteristics of their detection. Given that current detection tools mainly target specific covert channels, it combines protocol analysis and traffic analysis to propose a design model for a network covert channel detection system, offering a new approach to the comprehensive detection of covert channels.

18.
A network covert channel is a covert communication method that hides covert messages in overt network packets. In recent years, with the development of various hiding methods, the network covert channel has become a new kind of threat to network security. A covert channel that uses the redundancies in the TCP protocol for hiding is called a TCP covert channel. In this paper, the behavior of TCP flows is modeled by a Markov chain composed of the states of TCP packets, and the abnormality caused by a TCP covert channel is described by the difference between the overt and covert TCP transition probability matrices. A detection method based on MAP is proposed to detect covert communication hidden in TCP flows under various applications such as HTTP, FTP, TELNET, SSH and SMTP. Experiments show that the proposed algorithm achieves better detection performance than the existing methods.

19.
As the traditional Internet gradually evolves toward "Internet+", the domain name system (DNS) keeps expanding from basic address resolution to new modes such as comprehensive sensing and reliable transmission. Because of its functional diversity and the breadth of the fields it covers in these new scenarios, an attack on DNS can have serious consequences, so research on DNS attack detection and security protection continues and receives growing attention. This paper first introduces several common DNS attacks, including DNS spoofing, DNS covert channel attacks, DNS DDoS (distributed denial of service) attacks, DNS reflection amplification attacks and malicious DGA domains; then it systematically analyzes and summarizes detection techniques for these attacks from a machine learning perspective; next it describes DNS security protection techniques in detail in three areas: DNS decentralization, DNS encryption and authentication, and DNS resolution restriction; finally it looks ahead to future research directions.
