DNS covert communication model based on finite state machine
Authors: Shen Chuanxin, Wang Yongjie, Xiong Xinli
Affiliation: College of Electronic Engineering, National University of Defense Technology, Hefei 230037, Anhui, China; Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, Anhui, China
Abstract: DNS (domain name system) is an important part of the Internet infrastructure, and DNS traffic is generally not intercepted by network security defence devices such as firewalls. Because a covert channel carried over the DNS protocol is both hard to block and hard to notice, it has become a common means of command and control and data exfiltration for attackers. Existing studies lack detection techniques or methods for DNS covert channels as used in real APT (advanced persistent threat) attacks, and the features they extract are not comprehensive enough. To analyse attack traffic and behaviour characteristics in depth, this paper models DNS covert communication in real APT attacks with a finite state machine. First, the construction mechanism of the DNS covert channel in an APT attack scenario is analysed and its data interaction process is described in detail. Second, the DNS covert communication mechanism is summarised and analysed, and a communication model is established on the basis of a finite state machine: seven states are identified in the communication process, including closed, connect, command query and command transfer, and the transmission of different message types, such as control messages and data messages, triggers the state transitions. Finally, the leaked Glimpse tool is used to simulate DNS covert communication in a real APT attack, and malicious samples such as Helminth are used to verify the applicability and rationality of the model, providing a real and sufficient basis for manual feature extraction.
Keywords: DNS covert communication; finite state machine; APT