
Research And Implementation Of Process-Granularity Unknown DNS Covert Detection And Defense System

Posted on: 2024-03-31
Degree: Master
Type: Thesis
Country: China
Candidate: W T Liu
Full Text: PDF
GTID: 2568306941484234
Subject: Computer technology

Abstract/Summary:
The DNS protocol is a commonly used network protocol, and network defense facilities generally do not inspect DNS request and response packets in depth, which gives attackers the opportunity to use DNS to build malicious covert channels for data leakage. For the data leakage and malicious control caused by DNS covert channels, most current mainstream research methods detect the whole machine or the whole network based on traffic statistics or subdomain content characteristics. Because these methods rely on traffic or subdomain content, malicious actors can camouflage traffic to bypass detection, so current detection methods generalize poorly to unknown attack traffic. Aiming at the above problems, and starting from the principle of DNS covert channel construction, this paper proposes a process-granularity detection method for unknown DNS covert channels based on the structural characteristics of subdomain names and process user-interaction characteristics, and designs and implements the corresponding process-granularity detection system for unknown DNS covert channels. The main research results are as follows:

(1) In order to extract process-level user-interaction information and locate the malicious process behind a covert channel, this paper proposes a method for associating fine-grained DNS traffic with the corresponding process PIDs. The method first obtains the running processes of the whole machine, excludes whitelisted processes such as system processes, and uses the iptables command to associate the remaining processes with the DNS packets they send, thereby narrowing the detection range. Compared with existing methods, this paper's process-granularity division of DNS traffic makes it possible to determine the malicious process that is leaking data as soon as the detection model finds a DNS covert channel, preventing continued data leakage.

(2) Since current detection methods usually target only a certain type of abnormal point, their detection of unknown attack traffic generalizes poorly. This paper first constructs a batch of unknown malicious traffic whose subdomain names have been normalized and disguised, enriching the types of abnormal points. Then, based on the attack principle of DNS data leakage, it proposes four characteristics that can represent the structural similarity of subdomain names, and analyzes process user interaction: according to the relationship between changes in system calls and the number of DNS requests, it can accurately identify unknown malicious traffic. The detection accuracy of this method for DNS covert channel traffic is 98.72%, about 1% higher than the method proposed by Ahmed et al. in 2020.

(3) In order to detect and defend against DNS covert channels more accurately and at finer granularity, this paper develops a real-time, process-granularity detection and defense system for unknown DNS covert channels, based on the DNS-traffic-to-process-PID correlation method and the DNS covert channel detection method, designed to improve network security. Compared with common DNS detection systems, this system provides its services in the form of a client, and achieves real-time detection of local DNS covert channels and identification of the malicious source process of a DNS covert channel. The system includes a DNS packet marking and processing module, a front-end information display module, a real-time alarm and defense module, a real-time detection engine module and a system storage module. Finally, functional testing and security testing are completed.
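As an added illustration (not code from the thesis), the following Python script computes per-process structural features of queried subdomain names and flags a process whose DNS traffic looks like an encoded channel sent without any user interaction. The abstract does not list the four structural features the thesis proposes, so the features used here (subdomain length, label count, character entropy, digit ratio, and the ratio of unique subdomains to requests), the thresholds, the per-PID user-interaction event counts, and the PID-to-query log are all assumptions of this example, constructed so that it runs offline. A real detector would take the PID-to-query association from the kind of iptables-based packet marking the thesis describes; here it is given as an in-memory list.

```python
"""Added example, not the thesis's code: per-process structural profiling
of queried subdomain names to flag DNS traffic that looks like an encoded
channel. Features, thresholds and sample data are this example's own
assumptions."""
import math
from collections import Counter, defaultdict

# Constructed sample of (pid, process name, queried name): the kind of
# per-process DNS log the thesis obtains by marking packets with iptables.
# The hex-looking labels are made up and carry no real data.
SAMPLE_QUERIES = [
    (1001, "browser", "www.example.com"),
    (1001, "browser", "www.example.com"),
    (1001, "browser", "api.example.com"),
    (1001, "browser", "www.example.com"),
    (1001, "browser", "cdn.example.com"),
    (1001, "browser", "api.example.com"),
    (4242, "updater", "3f9a1c7e5b0d2846a7e20c4f9b1d6835.d4b8f0a6c2e13975.example.net"),
    (4242, "updater", "6c1e9a3f7b5d0284e8a4c603f1b9d725.905b3fe7a2c8d614.example.net"),
    (4242, "updater", "2d7f4a1b9c0e6853b3e09d2a6f5c1478.48c6b1e0d9a2f735.example.net"),
    (4242, "updater", "f1a5d3c7b9e208467b2c8e4a0f6d9153.c5d9a17e3b8f0426.example.net"),
]

# Constructed count of user-interaction events (keyboard/mouse/terminal
# reads) observed per PID in the same window; a stand-in for the thesis's
# "process user interaction" signal.
SAMPLE_INTERACTION_EVENTS = {1001: 37, 4242: 0}

# Example thresholds (assumed, not tuned on real data).
THRESHOLDS = {"mean_entropy": 3.0, "mean_length": 20, "unique_subdomain_ratio": 0.8}


def subdomain_part(qname, registered_labels=2):
    """Labels to the left of the registered domain (simplified to the last
    two labels; production code would consult the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= registered_labels:
        return ""
    return ".".join(labels[:-registered_labels])


def shannon_entropy(text):
    """Bits of entropy per character of the string (0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def query_features(qname):
    """Structural features of one query's subdomain part."""
    sub = subdomain_part(qname)
    chars = sub.replace(".", "")
    return {
        "length": len(chars),
        "labels": sub.count(".") + 1 if sub else 0,
        "entropy": shannon_entropy(chars),
        "digit_ratio": sum(ch.isdigit() for ch in chars) / len(chars) if chars else 0.0,
    }


def process_profile(queries, interaction_events):
    """Aggregate per-query features into one profile per PID."""
    by_pid = defaultdict(list)
    for pid, _name, qname in queries:
        by_pid[pid].append(qname)
    profiles = {}
    for pid, qnames in by_pid.items():
        feats = [query_features(q) for q in qnames]
        n = len(feats)
        profiles[pid] = {
            "requests": n,
            "mean_length": sum(f["length"] for f in feats) / n,
            "mean_entropy": sum(f["entropy"] for f in feats) / n,
            "mean_digit_ratio": sum(f["digit_ratio"] for f in feats) / n,
            # Encoded channels rarely repeat a subdomain; ordinary browsing does.
            "unique_subdomain_ratio": len({subdomain_part(q) for q in qnames}) / n,
            "interaction_events": interaction_events.get(pid, 0),
        }
    return profiles


def flag_processes(queries, interaction_events, thresholds=THRESHOLDS):
    """PIDs whose subdomains look encoded and whose DNS activity is not
    accompanied by any user interaction."""
    flagged = set()
    for pid, p in process_profile(queries, interaction_events).items():
        structural = all(p[k] >= v for k, v in thresholds.items())
        unattended = p["interaction_events"] == 0 and p["requests"] >= 4
        if structural and unattended:
            flagged.add(pid)
    return flagged


if __name__ == "__main__":
    for pid, p in sorted(process_profile(SAMPLE_QUERIES, SAMPLE_INTERACTION_EVENTS).items()):
        print(pid, {k: round(v, 3) if isinstance(v, float) else v for k, v in p.items()})
    print("flagged PIDs:", flag_processes(SAMPLE_QUERIES, SAMPLE_INTERACTION_EVENTS))
```

On the constructed sample the browser process profiles as short, low-entropy, repeated subdomains with plenty of user interaction, while PID 4242 profiles as long, high-entropy, never-repeated subdomains with no interaction, and is the only PID returned by flag_processes. Combining the structural rule with the interaction rule is what gives the per-process verdict the thesis aims for: a whole-machine statistic would blur the two processes together.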
Keywords/Search Tags: unknown DNS covert channel, network traffic, covert channel process, detection and defense system