
Research On DNS Covert Channel Detection Technology

Posted on: 2018-11-21  Degree: Master  Type: Thesis
Country: China  Candidate: K Xu  Full Text: PDF
GTID: 2348330518997377  Subject: Computer Science and Technology
Abstract/Summary:
With the development of Internet technology, security issues have become increasingly prominent. Among these many security problems, the covert channel, a new technique for information leakage, has attracted the attention of a growing number of researchers. However, existing security protection systems and equipment cannot effectively prevent covert channels and protect the network. DNS is one of the most critical pieces of Internet infrastructure, mapping domain names and IP addresses to each other. As a result, the vast majority of firewalls and network devices leave the DNS service open, so DNS packets are not blocked by their policies. Even in an internal network, a DNS server is set up for host name resolution. Research on covert channels based on the DNS protocol therefore has guiding significance and high practical value.

The thesis describes the concepts related to covert channels and extends covert channel research to the network environment. Starting from traditional network covert channels, it studies how covert channels are constructed. It then introduces the concepts and principles of DNS covert channels and reviews and summarizes the technologies for detecting them. After analyzing the advantages and disadvantages of these detection technologies, the thesis summarizes the methods for detecting covert channels and proposes a scheme that detects DNS covert channels by using Hadoop to analyze DNS communication data. The core idea of the scheme is to use the parallel processing tools of the Big Data ecosystem, which brings performance benefits and precise classification and improves the effectiveness and efficiency of DNS covert channel detection. By analyzing DNS covert channel traffic and normal DNS traffic in terms of DNS communication data, DNS requests, DNS responses, and TTL values, the scheme extracts the properties that efficiently distinguish malicious domains from benign ones.

Moreover, the scheme classifies domains quickly and accurately with the random forest classification algorithm, in order to achieve effective detection of DNS covert channels. The scheme was tested with both the original parameters and the optimized parameters; comparing the accuracy rate and recall rate in the two cases showed that the classifier's performance benefits from the optimized parameters. Finally, we compared our scheme with a logistic regression model and a Naive Bayesian model, and the results showed that the proposed scheme is more accurate.
Keywords/Search Tags: DNS, covert channel detection, Hadoop, random forest