
Research And Implementation Of Malicious DNS Traffic Detection Technology And System

Posted on: 2022-07-26
Degree: Master
Type: Thesis
Country: China
Candidate: R L Gan
Full Text: PDF
GTID: 2518306332967179
Subject: Computer technology
Abstract/Summary:
With the development of network technology and the growing use of the Internet of Things and the Internet of Vehicles, more and more users' private data is stored on connected devices. The Advanced Persistent Threat (APT) is one of the most serious threats to cyberspace security, and DNS-based remote command and control and data exfiltration are among the common methods used in APT attacks. The targets of APT attacks range from national defense, electric power, finance and other departments vital to the national economy and people's livelihood down to personal computers. The attackers steal important documents and core data from the target, or steal large amounts of personal information to sell for profit. If the communication between the controlled host and the attacker can be detected and blocked in time when an attack occurs, the security of the data on the affected computers can be maintained.

We propose a DNS traffic detection model and system based on a decision tree. The model maintains high accuracy even when real attack training samples are scarce, and it can detect not only attacks resembling the training samples but also unknown attack traffic. To address the shortage of training samples, we propose a sample set enhancement scheme; to detect unknown attacks, we propose a feature set enhancement scheme. Finally, we build a prototype system based on this DNS detection model.

To solve the problem of insufficient real attack samples, this paper proposes a sample set enhancement scheme, also called completeness-controllable DNS malicious traffic generation technology. Its core idea is to make full use of the accumulated cyberspace knowledge and practical experience of security researchers to reproduce a variety of attack scenarios in a cyber range environment, and then to use the attack traffic captured in the range as training samples for the machine learning model.

To give the detection model strong detection ability against both known and unknown attacks, a feature set enhancement scheme is proposed. Its core idea is to derive new detection features from the construction mechanism of malicious DNS traffic: unless the attacker completely changes the existing principle by which the attack traffic is constructed, detection based on these features cannot be completely bypassed. The new detection features are domain readability, domain structure, second-level domain phishing and IP discreteness.

Based on these two enhancement schemes, a decision tree DNS traffic detection model is constructed, and a prototype system is implemented on top of it. In the test experiment, the detection rate reached 100% for known samples and 99.95% for unknown samples. In the comparative experiment, the model's detection ability for unknown samples exceeds that of existing research results, and further experiments verify the effectiveness of the proposed enhancement schemes.
Keywords/Search Tags: DNS exfiltration, DNS covert communication, APT, data exfiltration, traffic detection