基于流量切片的DNS隐蔽通道检测

针对DNS隐蔽信道(DCC)流量变形策略对现有检测方法的绕过性问题，提出了一种基于流量切片的DCC检测方法。该方法首先将实验环境出口流量基于滑动窗口分批，再基于主机端聚合形成流量切片，每个切片包含一个较短时间跨度中归属同一主机的DNS报文与Web报文，再对切片内DNS报文的数据量、请求行为、响应行为以及与Web报文的关联行为实施面向DCC检测的特征工程，并在此基础上建立DCC检测模型。对比实验表明，所构建的DCC检测模型在常规DCC流量切片集上检测准确性达到99.83%,误报率仅0.08%,在6类不同流量变形策略的变形DCC流量切片集上有平均95%以上的检出能力，远优于其他检测方案，证明了所提出的方法应对DCC流量变形的有效性。同时，该方法能在主机单个流量切片上对DCC通信作出有效检测，是一种具有良好实时性的检测方法。

DNS covert channel detection based on traffic slice

In order to solve the problem of bypassing detection methods for DNS covert channel(DCC) traffic deformation strategies, this paper proposed a DCC detection method based on traffic slice. In this method, the traffic of the experimental environment was first divided into batches based on the sliding window, and then the traffic slice was obtained based on the aggregation of each host-end IP. Each slice contains DNS packets and Web packets belonging to the same host in a short time span. Then, for the DNS data volume, DNS request behavior, DNS response behavior, and association behavior correlation behavior with WEB of DNS in the slice implement DCC-detection-oriented feature engineering and create detection models on this basis. Comparative experiments show that the detection accuracy of the constructed DCC detection model on the conventional DCC traffic datasets is 99.83%, and the false positive rate is only 0.08%. On the deformed DCC traffic datasets with six types of different traffic deformation strategies, the detection ability of the DCC detection model is more than 95% on average, which is better than the other detection schemes. It proves that the proposed method is effective in dealing with DCC traffic deformation. Moreover, the proposed method, which can effectively detect DCC communication within a single traffic slice, is a detection method with good real-time performance.