
Research On DNS Covert Channel Detection Technology Based On Deep Learning

Posted on: 2023-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: X Jiang
GTID: 2568307073982889
Subject: Information security

Abstract/Summary:
Every year, the Internet suffers from DDoS attacks launched by botnets and from Trojan horse malware infections, resulting in high losses from host data leakage, which has seriously affected China's network and data security. DNS covert channels are increasingly used by attackers for command-and-control transmission and data theft, so detecting them is of great significance for protecting network security. However, existing detection methods require a large number of knowledge-based features to be defined, and extracting those features takes a lot of time. To solve these problems, the detection methods need to be optimized and made lightweight.

To address the problem that the DNS covert channel data sets used in existing related research are not public and have incomplete coverage, this thesis analyzes the working modes of malware that has used DNS covert channels in recent years, along with other information, and constructs its own DNS covert channel detection data set. In the data set, DNS covert channel message data comes from three classic DNS covert channel tools that can be in three working states, from low-speed DNS covert channel tools, and from malware based on DNS covert channels. Normal DNS message data is sourced partly from real network traffic in the campus network and from the DNS packet portion of a public network traffic data set. The two types of data were collected with 100,000 pieces of data, 20% of which were used as test data.

To address inaccurate processing of DNS packet data and the need to set and extract features manually, a lightweight convolutional neural network detection method is proposed. Following the working principle of the DNS covert channel, the method filters the DNS message data and combines the selected data with two communication behavior features to produce a grayscale image. On this basis, the detection performance of three CNN models is studied, and a network structure with better detection performance is designed based on the LeNet-5 structure. Depthwise separable convolution is applied to the structure, and the pointwise convolution is replaced by the Ghost module, which reduces the computational complexity and makes the detection model lightweight. Experiments on the test data set and in the experimental environment of the thesis show that, compared with existing detection methods, the accuracy rate is increased to 99.67% and the time required for testing is greatly reduced.

This thesis also designs a neural-network-based domain name detection method that makes use of the characteristics of DNS domain name transmission and of neural networks. In this method, the first label is used as the detection data, the sequence length is determined according to the first label's average length and length distribution in the data set, and the detection data is thereby simplified. By analyzing the actual effectiveness and efficiency of the classical recurrent neural network and its two variants in detection, a double-layer LSTM recurrent neural network detection model is designed. On the test set constructed in this thesis, this method's test accuracy is 99.31%, and it has excellent generalization ability. The method is also applicable to the detection of a single DNS message, and on 1000 small-batch DNS messages its test speed is 33.76% faster than the lightweight convolutional neural network detection method.

Finally, based on the above two detection methods, a simple and easy-to-use DNS covert channel detection tool is designed and implemented, which provides users with services such as DNS covert channel detection and generation of detection analysis reports.
Keywords/Search Tags:Domain name system, DNS covert channel, Abnormal traffic detection, Neural networks
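
As an added illustration (not code from the thesis), the first-label preprocessing described in the abstract could look like the sketch below, which turns query names into fixed-length integer sequences suitable as LSTM input. The character vocabulary, the rule for choosing the sequence length (the larger of the mean and a coverage percentile) and the sample query names are assumptions made for this example.

```python
import math

# Constructed sample query names (not taken from the thesis data set).
SAMPLE_QNAMES = [
    "www.example.com.",
    "mail.example.org",
    "cdn-01.static.example.net",
    "api.example.com",
    "a1b2c3d4e5f60718293a4b5c6d7e8f90.t.example.com",  # long encoded-looking label
]

# Assumed vocabulary: DNS hostname characters. 0 = padding, 1 = unknown character.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_"
CHAR_INDEX = {c: i + 2 for i, c in enumerate(ALPHABET)}


def first_label(qname):
    """Return the leftmost label of a query name, lowercased (DNS is case-insensitive)."""
    return qname.rstrip(".").split(".", 1)[0].lower()


def choose_seq_len(labels, coverage=0.95):
    """Pick a sequence length from the label-length distribution.

    Assumed rule: the shortest length that fully covers `coverage` of the
    labels, but never less than the (rounded-up) mean length.
    """
    lengths = sorted(len(label) for label in labels)
    mean_len = math.ceil(sum(lengths) / len(lengths))
    pct_len = lengths[math.ceil(coverage * len(lengths)) - 1]
    return max(mean_len, pct_len)


def encode(label, seq_len):
    """Map characters to integer ids, truncating or zero-padding to seq_len."""
    ids = [CHAR_INDEX.get(c, 1) for c in label[:seq_len]]
    return ids + [0] * (seq_len - len(ids))


def build_inputs(qnames, coverage=0.95):
    """Full pipeline: first label -> chosen length -> padded id sequences."""
    labels = [first_label(q) for q in qnames]
    seq_len = choose_seq_len(labels, coverage)
    return seq_len, [encode(label, seq_len) for label in labels]


if __name__ == "__main__":
    seq_len, rows = build_inputs(SAMPLE_QNAMES, coverage=0.8)
    print("sequence length:", seq_len)
    for name, row in zip(SAMPLE_QNAMES, rows):
        print(first_label(name), row)
```

Lowering `coverage` shortens the sequences and truncates the longest labels, which is the trade-off between input size and information kept that the length choice controls.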