Similar literature
20 similar records found, search time 15 ms
1.
To propose an effective method for detecting all types of DNS covert channels, this paper studies the traffic characteristics of DNS covert communication, extracts 12 packet features that distinguish legitimate queries from covert communication, and uses machine-learning classifiers to discriminate on the statistical characteristics of sessions. Experiments show that a decision-tree model can detect all 22 DNS covert channels used in training and can also identify new covert channels not seen in training. In an actual deployment on campus-network traffic, the system successfully detected several DNS tunnels.

2.
As an important part of the Internet infrastructure, the DNS (domain name system) carries data that is generally not intercepted by firewalls or other network security defenses. Covert channels that use the DNS protocol as a carrier are highly penetrating and stealthy, and have become a common means of command and control and data exfiltration for attackers. Existing research lacks detection techniques or methods for DNS covert channels in real APT (advanced persistent threat) attacks, and the features extracted are not comprehensive enough. To analyze attack traffic and behavioral characteristics in depth, this paper models DNS covert communication in real APT attacks with a finite state machine, dissects the construction mechanism of DNS covert channels in APT attack scenarios, and describes their data exchange process in detail. By summarizing and analyzing DNS covert communication mechanisms, a communication model is built on a finite state machine that identifies seven states in the communication process, including closed, connected, command query, and command transfer; the transmission of different message types, such as control messages and data messages, triggers state transitions. DNS covert communication under a real APT attack is simulated with the leaked Glimpse tool, and experiments combined with malicious samples such as Helminth verify the applicability and soundness of the model, providing a sufficient basis for manual feature extraction.

3.
Research on covert channels based on the DNS protocol (Cited by: 1; self-citations: 0; citations by others: 1)
Covert channels can transmit information in ways that violate a system's security policy, and research on covert channels based on network protocols has become a hot topic. The Domain Name System (DNS) protocol is used to translate between host names and IP addresses; it is a bidirectional protocol and indispensable to the normal operation of the Internet, so a covert channel can be built on it. This paper first introduces the concepts and principles of covert channels and DNS covert channels and sets up a DNS covert channel system, then demonstrates the use of DNS tunneling tools, and finally proposes several improvements to existing DNS covert channel tools to make DNS covert channel data transmission more efficient.

4.
The use of covert-channel methods to bypass security policies has increased considerably in recent years. Malicious users neutralize security restrictions by encapsulating protocols like peer-to-peer, chat or HTTP proxy into other allowed protocols like Domain Name Server (DNS) or HTTP. This paper illustrates a machine learning approach to detect one particular covert-channel technique: DNS tunneling. Although packet inspection may guarantee reliable intrusion detection in this context, it may suffer from scalability problems when a large set of sockets must be monitored in real time. Detecting the presence of DNS intruders by aggregation-based monitoring is of main interest as it avoids packet inspection, thus preserving privacy and scalability. The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packet inter-arrival times and packet sizes. The analysis is complicated by two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and the need for quick statistical fingerprint generation (to obtain a detection tool really applicable in the field). Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and by making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. An insightful analysis of the performance leads to the discovery of a unique intrusion detection tool, applicable in the presence of different tunneled applications. Copyright © 2014 John Wiley & Sons, Ltd.

5.
Design of a network covert channel detection system model (Cited by: 1; self-citations: 1; citations by others: 0)
Establishing covert channels within the TCP/IP protocol suite for illicit communication has become a significant threat to network security. Taking the IP and TCP protocols as examples, this paper first briefly introduces how network covert channels are established under TCP/IP and the characteristics of their detection. Given that current detection tools are mainly aimed at specific covert channels, it combines protocol analysis and traffic analysis to propose a design model for a network covert channel detection system, offering a new approach to comprehensive covert channel detection.

6.
A network covert timing channel is a communication mode that modifies the timing properties of network traffic to transfer secret information. It is designed to carry out reliable and undetectable transmission. In this paper, a simple and secure covert timing channel method with distribution matching is proposed. The approach treats network traffic as a flow of fixed-length fragments and calculates the histogram of the packet delays in each fragment. The message bits are modulated into the delays by a binary coding method, and the histogram is kept almost unchanged by assigning the matched distribution. The bit error rates are analyzed and two detection experiments are performed. The results show that the proposed method is reliable and undetectable.

7.
Covert channels have recently been the subject of study in both creation and countermeasure aspects. There are many different ways to embed covert data in network standards and protocols, especially in wireless networks. MORE (MAC-independent opportunistic routing) is an opportunistic routing protocol that uses network coding to enhance routing performance by reducing repetitions. This protocol can be a suitable medium for covert channel establishment. A middleman covert channel establishment method over the MORE routing protocol, using network coding, is proposed in this paper. Hidden data are transferred through packet payload bytes. The covert sender manipulates the coding mechanism by calculating packets' coefficients instead of selecting them randomly. The proposed covert channel provides average throughputs of 218 and 231 bps using two different data length approaches, which compares favourably with previous network layer covert channels. The proposed covert channel is also a covert storage channel and cannot be removed or restricted. The effect of different network characteristics on the proposed method's capacity and security is investigated in a simulation study, and the results are discussed.

8.
A network covert channel is a covert communication method that hides covert messages in overt network packets. In recent years, with the development of various hiding methods, network covert channels have become a new kind of threat to network security. A covert channel that uses the redundancies in the TCP protocol for hiding is called a TCP covert channel. In this paper, the behavior of TCP flows is modeled by a Markov chain composed of the states of TCP packets, and the abnormality caused by a TCP covert channel is described by the difference between the overt and covert TCP transition probability matrices. A detection method based on MAP is proposed to detect covert communication hidden in TCP flows under various applications such as HTTP, FTP, TELNET, SSH and SMTP. Experiments show that the proposed algorithm achieves better detection performance than existing methods.

9.
Vehicular Ad hoc Network (VANET) enables high speed vehicles to communicate with each other. This kind of communication can provide road safety and passengers' comfort. Covert channels are used to transmit information secretly over the network. Network covert channels are not only used as a hacking tool but also to convey secret information such as private keys. Unlike wired and conventional wireless networks, few studies have been conducted on covert communication in VANET. The goal of this paper is to develop a hybrid (timing and storage) covert channel in VANET. In the timing part, covert messages are sent by altering the timing pattern of the service and control packets. The proposed covert timing algorithm is dynamically changed based on the vehicular traffic volume in the transmitter's radio range. This dynamism is used to achieve better covert capacity with an acceptable error rate. On the other hand, some fields of the periodic status messages, sent in the control channel, are utilized in the storage part. An encoding algorithm is also proposed to embed the covert data in the mentioned covert timing and storage opportunities. The encoding algorithm provides a high embedding capacity, even if the number of opportunities' possible values is not a power of two. Finally, the transmitted secret data volume, the packet loss ratio, the channel error rate and the effect of the proposed method on other vehicles' throughput are evaluated by simulation.

10.
罗志强, 沈军, 金华敏. 《电信科学》, 2015, 31(10): 1-196
Distributed DNS reflection DDoS attacks have become one of the main forms of denial-of-service attack, and traditional techniques based on statistical analysis of network traffic and on traffic control can no longer meet protection needs. This paper proposes a DNS reflection attack detection technique based on intelligent assessment of the time-to-live (TTL) value, which can accurately identify packets with forged source IP addresses, and a forged-source-address traceback and blocking technique based on multi-system fusion, which blocks attack traffic from entering the network at its source.

11.
As the traditional Internet evolves toward "Internet+", the domain name system (DNS) is expanding from basic address resolution to new modes such as comprehensive sensing and reliable transmission. Because DNS in these new scenarios serves diverse functions and covers a wide range of domains, an attack on it can have serious consequences, so research on DNS attack detection and security protection continues and receives growing attention. This paper first introduces several common DNS attacks, including DNS spoofing, DNS covert channel attacks, DNS DDoS (distributed denial of service) attacks, DNS reflection amplification attacks, and malicious DGA domains; it then systematically analyzes and summarizes detection techniques for these attacks from a machine-learning perspective; next, it describes DNS security protection techniques in detail from three aspects, DNS decentralization, DNS encryption and authentication, and DNS resolution restriction; finally, it outlines future research directions.

12.
Popular Trojan programs have begun to use covert communication techniques to evade detection by honeypot systems. This paper first introduces the covert communication techniques commonly used by Trojans, including the increasingly popular kernel-level Rootkit covert communication, and discusses how current client honeypots detect malicious programs. To address the shortcomings of honeypot network communication detection mechanisms, it proposes an effective improvement: a network data inspection technique based on an NDIS intermediate-layer driver to capture Trojan communication packets. The scheme can effectively detect Rootkit covert communication based on network drivers and extract key Trojan communication information for tracking and analyzing Trojan behavior.

13.
Blockchain is a decentralized architecture that emerged with cryptocurrencies and is credible and robust. A network covert channel model in the blockchain environment was proposed for the first time; it is anti-interference, tamper-resistant, multi-line, receiver-anonymous, and line-independent. This new type of network covert channel can overcome the shortcomings of network covert channels in existing network environments, such as characteristic defects. Firstly, a network covert channel model in the blockchain environment was presented by a formal method, and its anti-interference and tamper resistance were proved. Then, a blockchain network covert channel scenario using service operation interval time was presented. Finally, undetectability, robustness and rate were proposed as the evaluation vectors of the blockchain network covert channel. A theoretical foundation was laid for the practicality of this new type of network covert channel in blockchain.

14.
For extremely sensitive applications, it may be advantageous for users to transmit certain types of data covertly over the network. This provides an additional layer of security to that provided by the different layers of the protocol stack. In this paper we present a covert side channel that uses the 802.11 MAC rate switching protocol. The covert channel provides a general method to hide communications within currently deployed 802.11 LANs. The technique uses a one-time password (OTP) algorithm to ensure high-entropy randomness of the covert messages. We investigate how the covert side channel affects network throughput under various rate-switching conditions with UDP-based and TCP-based application traffic. We also investigate the covertness of the covert side channel using standardized entropy. The theoretical analysis shows that the maximum covert channel bandwidth is 60 bps. The simulation results show that the impact on network throughput is minimal and increases slightly as the covert channel bandwidth increases. We further show that the channel has 100% accuracy with minimal impact on rate switching entropy for scenarios where rate switching normally occurs. Finally, we present two applications for the covert channel: covert authentication and covert WiFi botnets. Copyright © 2010 John Wiley & Sons, Ltd.

15.
This paper proposes an algorithm that uses IPFIX (IP Flow Information Export) network flow data to accurately detect suspicious and anomalous DNS and identify DNS traffic amplification attacks. The algorithm has been deployed and run on the Tsinghua University campus network, where it effectively detects anomalous DNS behavior inside the campus network and sends alerts, so that attacks can be controlled in time and anomalous traffic is monitored and warned of promptly.

16.
A Telnet-based covert channel appends hidden messages directly to Telnet network data and sends them to a remote "server". Because keyboard operations are arbitrary, such a channel is difficult to detect. By analyzing Telnet covert channel techniques, this paper proposes a detection method for this covert channel. The method uses a one-class support vector machine (SVM), captures network packets from users' normal operations as detection samples, and constructs detection vectors from the time intervals between sample data. Experiments show that this method detects Telnet-based covert channels with a detection rate of 100% and a low false-alarm rate.

17.
Previous Fast-flux domain name detection methods have three weaknesses, in stability, targeting, and applicability to common real-world DNS traffic environments. To address these, a method based on DNS traffic, called Fast-flucos, was proposed. Firstly, traffic anomaly filtering and association matching algorithms were used to improve detection stability. Secondly, the features quantified geographical width, country list, and time list were applied to better target Fast-flux domains. Lastly, feature extraction was performed on samples better suited to common real-world DNS traffic. Several machine learning algorithms, including deep learning, were tried to determine the best classifier and feature combination. Experimental results on real-world DNS traffic show that Fast-flucos' recall rate is 0.9986, precision is 0.9767, and ROC_AUC is 0.9929, all better than current mainstream approaches such as EXPOSURE, GRADE and AAGD.

18.
Based on the observation that traffic in wireless mesh networks aggregates along a tree-shaped topology, this paper proposes a channel assignment strategy based on topology partitioning. According to the degree to which wireless interference affects different links, interference is classified into longitudinal interference with a definite direction and lateral interference. A hop-by-hop topology partitioning algorithm along the direction of longitudinal interference is proposed; an inter-sub-topology channel assignment strategy is proposed that isolates longitudinal interference with the fewest channels and adds channels to the sub-topology with the lowest throughput; and an intra-sub-topology channel usage method based on blocking lateral interference is proposed. The collision domains within sub-topologies and the network performance bottleneck are analyzed theoretically, and the throughput of sub-topologies and the channel assignment order are studied by simulation. Simulation results show that the assignment strategy of isolating longitudinal interference and adding channels effectively guarantees and improves network throughput, and that the lateral interference blocking method outperforms the common channel framework multi-channel mechanism defined in 802.11s.

19.
A hybrid wireless network is an extension of an infrastructure network in which a mobile host may connect to an access point (AP) over multihop wireless routes via other mobile hosts. The APs are configured to operate on one of multiple available channels. Mobile hosts and wireless routers can select their operating channel dynamically through channel switching. For this environment, a routing protocol that finds routes to balance load among channels while maintaining connectivity was proposed. The protocol works with nodes equipped with a single network interface, which distinguishes this work from other multichannel routing protocols that require multiple interfaces per node. The protocol discovers multiple routes to multiple APs, possibly operating on different channels. Based on traffic load information, each node selects the "best" route to an AP and synchronizes its channel with the AP. With this behavior, the channel load is balanced, removing hot spots and improving channel utilization. The protocol assures that every node has at least one route to an AP on which all intermediate nodes operate on the same channel. The simulation results show that the proposed protocol successfully adapts to changing traffic conditions and improves performance over a single-channel protocol and a multichannel protocol with no load balancing.

20.
In a multichannel photonic dual bus network, each unidirectional bus contains a number of channels (wavelengths), and the bus headend periodically generates fixed-length slots on each channel. Generally, one channel, called the control channel, is used to carry signals and the others are data channels. Each station is equipped with one fixed transmitter and one fixed receiver permanently tuned to the dedicated control channel, and with n tunable transmitters and m tunable receivers that are tunable over the entire wavelength range. For nonoverlapping traffic in the network, the maximum network throughput will be achieved by applying the wavelength reuse concept. Given a set of traffic being served, a set of new traffic requests, and c data channels (wavelengths), the wavelength/receiver assignment problem [(n,m,c)-WRAP] is to assign a transmission wavelength and a receiver to each request such that the network throughput is maximized and the number of assigned wavelengths is minimized. In this paper, we prove that the (n,m,c)-WRAP is NP-hard. An efficient distributed wavelength reusing/sharing access protocol (DWRAP) is proposed for the (1,m,c)-WRAP. Based on the DWRAP, three different schemes are proposed for assigning the wavelength/receiver. The throughput of the DWRAP is analyzed, and the performance of the three proposed schemes on the DWRAP is evaluated and compared by simulation. Simulation results demonstrate that, for a limited number of wavelengths and receivers, the proposed schemes substantially improve network throughput and access delay under general traffic demands.
