Cite this article:
- Han Dongxu, Liu Song, Wu Di, Liu Baoxu, Cui Xiang, Lu Zhigang, Gui Jianyong, Liu Yuling, Li Ning, Du Dan. Research progress on DNS covert channel detection technology [J]. Journal of Cyber Security, accepted.
- handongxu, liusong, wudi, liubaoxu, cuixiang, luzhigang, guijianyong, liuyuling, lining, dudan. A survey on DNS covert channel detection technology [J]. Journal of Cyber Security, accepted.
Abstract:
DNS (Domain Name System) has long been used extremely widely as critical information infrastructure of the Internet, and network defense devices such as firewalls and intrusion detection systems generally tend to pass DNS traffic directly or inspect it loosely, so as to avoid breaking the availability of information systems through false interception. Because DNS enjoys this advantage, DCC (DNS Covert Channel) is highly favored by attackers and is commonly used by APT (Advanced Persistent Threat) campaigns and botnets to covertly exfiltrate stolen sensitive data. The emergence of encrypted DNS has to some extent solved the problem of user data privacy exposure, but attackers can still build DNS covert channels over it, so the risk of data leakage remains. Since DCC is an important link in the network attack chain, DCC detection has become a research hotspot in recent years and is an important problem in network security that cannot be ignored. This paper first analyzes the basic principle of DCC concretely (divided into plaintext DCC and encrypted DCC) and analyzes the typical use of DCC in APT attacks at two levels: command and control, and data exfiltration. Second, it divides the plaintext DCC detection process into three stages, data processing, feature extraction and feature representation, reviews the key technologies in each stage, then summarizes the detection methods and compares the advantages and disadvantages of the feature-threshold, machine-learning and deep-learning models used in plaintext DCC detection. Third, taking the DoH covert channel as the object, it summarizes state-of-the-art encrypted DCC detection methods along two analysis steps: DoH detection and DoH covert channel detection. Finally, it discusses the problems currently present in DCC detection and the factors that affect detection effectiveness, and looks ahead to future development trends in the field of DCC detection.
Keywords: DNS covert channel; detection; DCC; advanced persistent threat; data leakage
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.08.11
Received: 2022-12-28; Revised: 2023-02-16
Funding: Key Program of the Chinese Academy of Sciences; National Basic Research Program of China (973 Program); Science Fund for Creative Research Groups
A survey on DNS covert channel detection technology
Han Dongxu (1), Liu Song (1), Wu Di (2), Liu Baoxu (1), Cui Xiang (3), Lu Zhigang (1), Gui Jianyong (4), Liu Yuling (1), Li Ning (1), Du Dan (1)

(1. Institute of Information Engineering, Chinese Academy of Sciences; 2. China Cybersecurity Review Technology and Certification Center; 3. Zhongguancun Laboratory; 4. Information Security Test and Evaluation Centre of PLA)
Abstract:
DNS (Domain Name System) has always been widely used as critical information infrastructure of the Internet. Network defense devices (such as firewalls and intrusion detection systems) generally tend to pass DNS data directly or inspect it loosely, to avoid damaging the availability of information systems through false interception. Because of these application advantages of DNS, DCC (DNS Covert Channel) is favored by attackers and is widely used in APT (Advanced Persistent Threat) and botnet attacks to exfiltrate sensitive data covertly. To a certain extent, the emergence of encrypted DNS technology solves the problem of personal privacy data exposure. However, encrypted DNS can still be used as a DNS covert channel, which also carries the risk of data leakage. Since DCC is an important part of the network attack chain, DCC detection has become a research hot spot in recent years and an important security issue that cannot be ignored in network security. Firstly, in this paper, we concretely analyze the basic principle of DCC (divided into plaintext DCC and encrypted DCC), and analyze the typical application of DCC in APT attacks from two aspects: command and control, and data transmission. Secondly, we discuss the data processing, feature extraction and feature representation stages of plaintext DCC detection, and analyze the key technologies in each stage. Then, we summarize the current detection methods and compare the advantages and disadvantages of plaintext DCC detection models grouped by feature threshold method, machine learning model and deep learning model. Thirdly, taking DoH covert channel detection as the object, we divide it into two analysis steps, DoH detection and DoH covert channel detection, and summarize the existing encrypted DNS covert channel detection methods for each. Finally, by analyzing the typical problems currently present in DCC detection and the factors that affect detection effectiveness, we discuss the challenges and future research directions.
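The abstract describes plaintext DCC detection as a pipeline of data processing, feature extraction and feature representation, with feature-threshold rules as the simplest detection model. The following Python block is an added illustration written for this page, not code from the paper or its authors: it extracts a few widely used lexical features from query names (subdomain entropy, longest label, total length, digit ratio), applies per-query thresholds, and then aggregates per registered domain so that one odd-looking lookup is not reported on its own. The query names, the threshold values and the "last two labels" approximation of the registered domain are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample query names (illustrative, not data from the paper):
# benign lookups under two domains and four long, high-entropy names under a
# third domain, of the kind a plaintext DNS tunnel generates when it encodes
# payload bytes into subdomain labels.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn-static.example.org",
    "api.example.org",
    "7a3f9c1e4b2d8a6f0e5c.t1.tunnel-example.net",
    "mfrggzdfmztwq2lknnwg23tpo5xxe3dea.t1.tunnel-example.net",
    "nbswy3dpeb3w64tmmqqhgzlyfzqxmzlsmfsgk.t1.tunnel-example.net",
    "ozsxe3tfebzgc3tuebtwc3lfebugs3thmfrgk.t1.tunnel-example.net",
]

# Per-query thresholds (assumed values chosen for this example, not the paper's).
THRESHOLDS = {
    "subdomain_entropy": 3.5,  # bits/char; encoded payloads approach log2(alphabet size)
    "longest_label": 30,       # characters; payload-carrying labels are long
    "length": 52,              # total query name length in characters
}


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (subdomain labels, registered domain).
    Simplification: the registered domain is taken to be the last two labels;
    a real pipeline would consult the public suffix list (e.g. example.co.uk)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def extract_features(name: str) -> dict:
    """Data processing + feature extraction for a single query name."""
    sub_labels, _ = split_name(name)
    sub_text = "".join(sub_labels)
    all_labels = name.rstrip(".").split(".")
    return {
        "length": len(name.rstrip(".")),
        "label_count": len(all_labels),
        "longest_label": max(len(label) for label in all_labels),
        "subdomain_entropy": shannon_entropy(sub_text),
        "digit_ratio": (sum(ch.isdigit() for ch in sub_text) / len(sub_text))
        if sub_text else 0.0,
    }


def triggered_thresholds(name: str) -> list:
    """Feature-threshold model: names of the features exceeding their limit."""
    feats = extract_features(name)
    return [k for k, limit in THRESHOLDS.items() if feats[k] > limit]


def suspicious_domains(queries, min_unique_subdomains=3, min_flag_ratio=0.75) -> list:
    """Aggregate per registered domain. A domain is reported only when it
    receives many distinct subdomains AND most of its queries trip a threshold;
    this keeps single legitimate oddities (CDN hashes, anti-spam tokens) from
    being reported by themselves."""
    per_domain = defaultdict(lambda: {"subs": set(), "flagged": 0, "total": 0})
    for q in queries:
        sub_labels, reg = split_name(q)
        entry = per_domain[reg]
        entry["subs"].add(".".join(sub_labels))
        entry["total"] += 1
        if triggered_thresholds(q):
            entry["flagged"] += 1
    reported = []
    for reg, e in per_domain.items():
        if len(e["subs"]) >= min_unique_subdomains and e["flagged"] / e["total"] >= min_flag_ratio:
            reported.append(reg)
    return sorted(reported)


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, extract_features(q), triggered_thresholds(q))
    print("suspicious:", suspicious_domains(SAMPLE_QUERIES))
```

On the constructed input only tunnel-example.net is reported: each of its four names exceeds the entropy threshold (the hex-looking one by entropy alone, the base32-looking ones by entropy and label length), while the benign names stay well below every limit. The per-domain aggregation is the part worth keeping in any real deployment; per-query thresholds alone produce the false positives the abstract lists among the factors that limit detection effectiveness.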
Key words: DNS covert channel; detection; DCC; APT; data exfiltration