Research On Hybrid Traffic Identification Technology Of DNS Tunnel Based On Deep Learning

Posted on: 2022-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: S Z Wei
GTID: 2518306764480314
Subject: Automation Technology
Abstract/Summary:
As network traffic increases and network security concerns grow, network security and monitoring become critical. Due to the particularity of the DNS protocol and the lack of consideration of security issues at the beginning of its design, attacks related to the DNS protocol are becoming more and more frequent. Attackers evade detection by encapsulating data in DNS packets. With the advent of some free DNS tunneling tools, more and more people can easily obtain these tools and use them for illegal activities, such as bypassing firewalls to access the Internet, visiting illegal websites that are banned, injecting computer viruses, and even stealing important data from individuals, businesses, and governments. Therefore, the study of DNS tunnel identification technology helps to better prevent network attacks and maintain cyberspace security.

After investigating previous research work, this thesis found that most existing DNS tunnel research is based on the ideal situation, that is, detecting whether a DNS tunnel is present when the tunnel carries data of only one protocol, and does not consider the case of mixed protocols in the tunnel. In fact, when multiple protocols are used in a DNS tunnel in order to circumvent censorship, an identification method designed for a single protocol may be invalidated. Therefore, for the multi-protocol mixing situation in DNS tunneling, more identification methods need to be developed to make up for this shortcoming.

This thesis proposes a deep learning-based DNS tunnel hybrid traffic identification method to identify four common DNS tunnels: FTP-DNS, HTTP-DNS, TELNET-DNS, and SMTP-DNS. At the beginning of the study, a set of corresponding DNS requests and DNS responses was defined as a DNS session, and two identification methods were constructed: 1) An identification method based on a convolutional neural network (CNN), which classifies DNS session data after converting it into images. 2) A pre-training-based recognition method that learns latent features in DNS payload data by pre-training on large-scale unlabeled DNS data; word vectors are then generated dynamically in the subsequent classification task to identify the tunnel. Afterwards, a model integration scheme is proposed to improve the reliability of the recognition results.

In the subsequent engineering research, in order to simulate DNS tunnel identification in a real network environment, this thesis constructs a big data-based DNS traffic monitoring system (DTMS) in a simulation environment. Through model building, data collection and preprocessing, data caching, data analysis, and a visual interface, deep learning-based DNS tunnel identification is realized.

Finally, based on the collected DNS tunnel mixed traffic data set, the two models were trained separately and tested on four indicators: sensitivity, accuracy, precision, and F1 score. The results are better than those of the identification method based on DNS request domain names and the identification method based on packet features, and the integrated model also shows a certain performance improvement. The DTMS system can also effectively monitor and analyze DNS traffic in a complex network environment.
Keywords/Search Tags: DNS tunnel identification, DNS Session, Deep learning, pre-training
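
The DNS session definition and the session-to-image step described in the abstract, sketched as an added example (not code from the thesis). The pairing key (client endpoint plus DNS transaction ID), the 28x28 image size, the zero padding, the helper names, and all sample packets are assumptions made here.

```python
import struct

SIDE = 28  # assumed image side length; the abstract does not state one

def dns_msg(txid, is_response, name):
    """Build a minimal constructed DNS message: header plus one TXT question."""
    flags = 0x8180 if is_response else 0x0100
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 16, 1)

def build_sessions(packets):
    """Pair each DNS request with its response to form DNS sessions.

    packets: iterable of (client_ip, client_port, payload) in capture order,
    where the endpoint is always the client side of the exchange.
    Returns (sessions, unmatched_response_count).
    """
    pending, sessions, orphans = {}, [], 0
    for ip, port, payload in packets:
        if len(payload) < 12:              # shorter than a DNS header: skip
            continue
        txid, flags = struct.unpack("!2H", payload[:4])
        key = (ip, port, txid)             # assumed pairing key
        if flags & 0x8000:                 # QR bit set: this is a response
            query = pending.pop(key, None)
            if query is None:
                orphans += 1               # response with no observed request
            else:
                sessions.append((query, payload))
        else:
            pending[key] = payload
    return sessions, orphans

def session_to_image(query, response, side=SIDE):
    """Map session bytes to a side x side grayscale grid, one byte per pixel."""
    raw = (query + response)[: side * side].ljust(side * side, b"\x00")
    return [list(raw[r * side:(r + 1) * side]) for r in range(side)]

# Constructed sample capture: two requests, their responses, one stray response.
SAMPLE = [
    ("10.0.0.5", 40001, dns_msg(0x1A2B, False, "aGVsbG8.t.example.com")),
    ("10.0.0.5", 40002, dns_msg(0x1A2C, False, "www.example.org")),
    ("10.0.0.5", 40002, dns_msg(0x1A2C, True, "www.example.org")),
    ("10.0.0.5", 40001, dns_msg(0x1A2B, True, "aGVsbG8.t.example.com")),
    ("10.0.0.9", 40003, dns_msg(0x0001, True, "stray.example.net")),
]
```

Each grid returned by `session_to_image` is the kind of fixed-size input a CNN classifier consumes; sessions longer than `side * side` bytes are truncated and shorter ones are zero-padded.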