DNS tunnel detection: survey of research in academia abroad. Methods: traffic-based, mostly machine-learning classification algorithms, with some using clustering; analysis of domain names via Zipf's law is also used


http://www.ijrter.com/papers/volume-2/issue-4/dns-tunneling-detection.pdf 
《DNS Tunneling Detection》
In this paper we have presented a method of the DNS tunneling detection based on the clustering of the DNS traffic images.
Detection approaches fall into two categories:
DNS packet analysis and DNS traffic analysis. Packet analysis denotes the request and response payload examination. Traffic analysis denotes the packets study in time to collect statistics – such as count of the packets from a single host, submission frequency, etc.
DNS packet analysis methods:
1. Request and response packet size analysis.
2. Domain names entropy analysis. 
3. Usage of the non-common types of DNS resource records. 
4. Frequency of the digit occurrences in the domain names.

DNS traffic analysis techniques:
1. The DNS traffic volume from a single IP address.
2. The DNS traffic volume for certain domains.
3. The DNS server geographic location.
4. Time of the DNS resource records creation.


http://onlinelibrary.wiley.com/wol1/doi/10.1002/dac.2836/full
DNS tunneling detection through statistical fingerprints of protocol messages and machine learning
The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes.

https://arxiv.org/abs/1004.4358 
Detecting DNS Tunnels Using Character Frequency Analysis
This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. This approach allows tunnels to be detected across multiple domains, whereas previous methods typically concentrate on monitoring point to point systems. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.
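As an added example (not code from any of the papers above), the following computes the per-query features the packet-analysis list and the character-frequency paper describe: sub-domain length, Shannon entropy, digit ratio, and the share of bigrams absent from a benign fingerprint. The benign baseline and the two tunnel-shaped names are constructed sample data, and the thresholds are hand-set for illustration; the surveyed papers learn the decision boundary from a large corpus instead.

```python
import math
from collections import Counter

# Constructed sample data (not from the papers): a tiny benign baseline and two
# query names shaped like tunnel payloads (long, high-entropy, digit-heavy labels).
BENIGN = ["www.example.com", "mail.google.com", "cdn.cloudflare.net",
          "api.github.com", "docs.python.org", "login.microsoftonline.com"]
SUSPECT = ["a3f9c1e7b2d4.tunnel.example.net", "6kq9z0w1hvb3m2plx8cjd7.t.example.org"]

def sub_labels(qname):
    """Labels left of the registered domain, assumed here to be the last two labels."""
    return qname.lower().rstrip(".").split(".")[:-2]

def entropy(s):
    """Shannon entropy in bits per character; encoded payloads push this toward log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def digit_ratio(s):
    """Fraction of digit characters (item 4 of the packet-analysis list)."""
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0

def bigrams(qname):
    """Character bigrams of every sub-domain label of a query name."""
    return [lab[i:i + 2] for lab in sub_labels(qname) for i in range(len(lab) - 1)]

def bigram_profile(names):
    """Normalised bigram frequencies over a benign corpus: the character-frequency fingerprint."""
    counts = Counter(bg for name in names for bg in bigrams(name))
    total = sum(counts.values())
    return {bg: c / total for bg, c in counts.items()}

def unseen_bigram_ratio(profile, qname):
    """Share of a query's bigrams that never occur in the benign fingerprint."""
    bgs = bigrams(qname)
    return sum(bg not in profile for bg in bgs) / len(bgs) if bgs else 0.0

def features(qname, profile):
    """Per-query feature vector of the kind fed to the classifiers in the surveyed papers."""
    sub = "".join(sub_labels(qname))
    return {"length": len(sub), "entropy": round(entropy(sub), 3),
            "digit_ratio": round(digit_ratio(sub), 3),
            "unseen_bigrams": round(unseen_bigram_ratio(profile, qname), 3)}

def is_suspicious(f, max_len=40, max_entropy=3.5, max_digits=0.2):
    """Hand-set thresholds for illustration only; a trained classifier replaces these in practice."""
    return f["length"] > max_len or f["entropy"] > max_entropy or f["digit_ratio"] > max_digits

if __name__ == "__main__":
    profile = bigram_profile(BENIGN)
    for name in BENIGN + SUSPECT:
        f = features(name, profile)
        print(name, f, "SUSPICIOUS" if is_suspicious(f) else "ok")
```

With a six-name baseline the unseen-bigram feature is saturated; it only becomes discriminative once the fingerprint is built from a realistic volume of benign query names.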

http://www.sciencedirect.com/science/article/pii/S1389128608003071
Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting
In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. 
A similar paper: A Bigram based Real Time DNS Tunnel Detection Approach
http://www.sciencedirect.com/science/article/pii/S1877050913002421


http://ieeexplore.ieee.org/abstract/document/6755060/?reload=true 
Basic classifiers for DNS tunneling detection
The paper deals with DNS tunneling detection by means of simple supervised learning schemes, applied to statistical features of DNS queries and answers.

https://link.springer.com/chapter/10.1007/978-3-319-07995-0_46
Supervised Learning Approaches with Majority Voting for DNS Tunneling Detection
To do that, we pose a classification problem on several statistical fingerprints (features) of query and answers, acquired during the system evolution. More specifically, let q and a be the packet sizes of a query and the corresponding answer.

https://link.springer.com/chapter/10.1007/978-3-642-38998-6_16
Flow-Based Detection of DNS Tunnels
In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.

This article is reposted from the 张昺华-sky cnblogs blog; original link: http://www.cnblogs.com/bonelee/p/7090451.html. Contact the original author for permission to republish.
