Detecting DNS Tunnels Using Session Behavior and Random Forest Method
Author: | Zhao Yang, Li Lingzi, Ye Hongzhi, Huang Cheng, Zhang Tao |
---|---|
Year of publication: | 2020 |
Subject: | Advanced persistent threat, Network security, Computer science, Domain Name System, Intrusion detection system, Random forest, Command and control, The Internet, Session (computer science), Computer network; classification codes: 0209 industrial biotechnology, 02 engineering and technology, 01 natural sciences, 020901 industrial engineering & automation, 0103 physical sciences, 010301 acoustics |
Source: | DSC |
DOI: | 10.1109/dsc50466.2020.00015 |
Description: | DNS is one of the most important pieces of Internet infrastructure in modern society. DNS tunnelling was first used to obtain free WiFi, but in recent advanced persistent threat attacks more and more security incidents have used the DNS protocol to transmit information or illegal commands. Most security products, such as firewalls, intrusion detection systems and intrusion prevention systems, rarely inspect DNS communication, which naturally provides a command and control channel for attackers. Traditional detection methods focus only on the network communication features of DNS tunnel tools such as iodine, dnscat2 and dns2tcp. Many machine learning detection methods have since been introduced to automatically learn abstract features and classify illegal communication, but their results still do not combine high accuracy with a low false positive rate. To address this issue, the paper proposes an automatic detection method based on session behaviors and the random forest algorithm. Experiments show that the method achieves high accuracy (99.79%) with high recall (98.67%), which is higher than other general algorithms. |
Database: | OpenAIRE |
External link: |